Let’s be honest — you’ve just finished setting up your shiny new server, everything runs smoothly, and you think,
“Nice, time to chill.” ☕
Not so fast, my friend. Before you start bragging about your root@yourserver to your tech circle, let me ask you this:
Have you hardened your server?
Because if not, you basically just threw your front door wide open and put up a sign:
“Hack me please, I dare you.”
This article is your friendly slap on the wrist.
Let’s lock that door before someone walks in and eats all your cookies 🍪.
🛠️ What Is Server Hardening Anyway?
Server hardening is like baby-proofing your house — but instead of toddlers, you’re protecting against:
- Random bots scanning the internet
- Script kiddies trying out Kali Linux for the first time
- People who really want to mine crypto on your dime
In short: reduce attack surfaces, disable what you don’t need, and stay one step ahead.
Let’s go!
1. 🔒 Change the Default SSH Port
Everyone knows SSH runs on port 22. So does every bot.
Why Change It?
You don’t hide your server, you just make it less obvious — like putting your house key under the third flowerpot, not the first.
How:
Edit the SSH config:
sudo nano /etc/ssh/sshd_config
Change this:
Port 22
To something like:
Port 2222
Then restart:
sudo systemctl restart ssh
⚠️ Don’t close your session until you test it from a new terminal. Or you’ll lock yourself out. And yes, that’s the voice of experience.
2. 🚫 Disable Root Login via SSH
Logging in as root is like giving yourself God Mode. Tempting? Yes. Safe? Nope.
How:
Still in /etc/ssh/sshd_config, find:
PermitRootLogin yes
Change to:
PermitRootLogin no
Restart SSH again:
sudo systemctl restart ssh
✅ From now on, you’ll log in with a normal user and use sudo like a responsible adult.
3. 🔐 Use SSH Key Authentication (Ditch Passwords!)
Passwords are cute. But keys are secure.
On your local machine:
ssh-keygen -t rsa -b 4096
Then:
ssh-copy-id username@yourserver
Now you can login without a password.
(And yes, revoke your bragging rights if you still allow password auth.)
4. 🧱 Set Up UFW Firewall (The Lazy Way)
Ubuntu comes with ufw. Use it. It’s like a polite bouncer at your door.
sudo ufw allow 2222/tcp # replace with your new SSH port
sudo ufw allow 80,443/tcp
sudo ufw enable
Check status:
sudo ufw status
Simple, clean, no drama.
5. 🚨 Install Fail2Ban (Because Brute Force is Real)
Some bots will try 100 passwords per minute. Fail2Ban politely kicks them out.
sudo apt install fail2ban -y
Then edit:
sudo nano /etc/fail2ban/jail.local
Sample config:
[sshd]
enabled = true
port = 2222
filter = sshd
logpath = /var/log/auth.log
maxretry = 3
bantime = 3600
Restart it:
sudo systemctl restart fail2ban
💡 You can check bans with:
sudo fail2ban-client status sshd
6. 🔄 Enable Unattended Security Updates
Because no one has time to install patches every week.
sudo apt install unattended-upgrades
sudo dpkg-reconfigure --priority=low unattended-upgrades
Done. Your system now patches itself while you sleep 😴.
7. 👀 Optional: Install Logwatch for Daily Reports
Want to know if someone tried (and failed) to log in while you were out for coffee?
sudo apt install logwatch
Edit cron:
sudo crontab -e
Add:
@daily /usr/sbin/logwatch --output mail --mailto you@yourdomain.com --detail high
Now your inbox is your new guard dog.
Final Checklist ✅
| Action | Status |
|---|---|
| SSH Port Changed | ☑️ |
| Root Login Disabled | ☑️ |
| SSH Keys Enabled | ☑️ |
| UFW Configured | ☑️ |
| Fail2Ban Active | ☑️ |
| Auto Updates | ☑️ |
| Log Monitoring | ☑️ |
🧠 Final Thoughts
Securing a server isn’t just for show — it’s your responsibility.
It’s like putting on a helmet before riding a motorcycle. You may never need it, but when you do… you’ll be glad it’s there.
Now your Ubuntu server isn’t just running — it’s protected.
You locked it. Before you lost it. Good job. 🔒🔥
Leave a Comment