Secure Your Ubuntu Server: SSH, Firewall & Fail2Ban

Summary:
Basic server security tips: securing SSH, enabling UFW, and installing Fail2Ban.

Securing your Ubuntu server is essential to protect your data and maintain system integrity. Whether you're running a small VPS or a mission-critical application, implementing a solid security baseline is the best first step. This guide walks you through three critical areas: SSH hardening, configuring a firewall with UFW, and installing Fail2Ban to prevent brute force attacks.

1. Securing SSH Access

SSH (Secure Shell) is the standard method of remotely managing Linux servers. By default, SSH can be vulnerable to brute force attacks if not properly secured. Below are essential steps to harden your SSH server.

Change the Default SSH Port

By default, SSH listens on port 22. Changing this port can help reduce automated attacks.

  1. Open the SSH configuration file: 
    sudo nano /etc/ssh/sshd_config
  2. Locate the line: 
    #Port 22
  3. Change it to a port number between 1024 and 65535, e.g.: 
    Port 2222
  4. Save and close the file.

Disable Root Login

Direct root login via SSH can be risky. Disable it as follows:

  1. In /etc/ssh/sshd_config, find: 
    PermitRootLogin yes
  2. Change to: 
    PermitRootLogin no

Use SSH Key Authentication

Password-based authentication is susceptible to brute force attempts. SSH keys provide stronger security.

  1. On your local machine, generate an SSH key pair (if you don't have one):

    ssh-keygen -t ed25519

  2. Copy your public key to the server:

    ssh-copy-id -p [PORT] username@your_server_ip

    Replace [PORT] with the actual SSH port.

  3. On the server, disable password authentication for SSH:

    • In /etc/ssh/sshd_config, set: 
      PasswordAuthentication no

Restart SSH

Apply the changes:

sudo systemctl restart ssh

Tip: Keep your session open to avoid locking yourself out while testing the new SSH settings in a second terminal.

2. Enabling and Configuring UFW Firewall

UFW (Uncomplicated Firewall) is a user-friendly interface for managing iptables. It allows you to easily control which services are accessible.

Install UFW

Most Ubuntu installations come with UFW, but install or ensure it's present:

sudo apt update
sudo apt install ufw

Allow SSH Connections

Before enabling the firewall, allow your chosen SSH port. For the standard or custom port:

sudo ufw allow 2222/tcp

(if your SSH port is still 22, use 22 instead of 2222).

Allow Other Necessary Ports

Example: Web server ports

sudo ufw allow 80/tcp
sudo ufw allow 443/tcp

Enable UFW

Enable the firewall:

sudo ufw enable

Check status:

sudo ufw status verbose

3. Protect Against Brute Force with Fail2Ban

Fail2Ban monitors log files for repeated failed login attempts and automatically bans offending IP addresses.

Install Fail2Ban

sudo apt update
sudo apt install fail2ban

Basic Configuration

Edit the jail configuration:

sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
sudo nano /etc/fail2ban/jail.local

The default settings are often sufficient for basic SSH protection. Check the [sshd] section:

[sshd]
enabled = true
port    = 2222
maxretry = 5

Set the port to your SSH port if it’s not 22.

Start and Enable Fail2Ban

sudo systemctl enable fail2ban
sudo systemctl start fail2ban

Check status:

sudo fail2ban-client status sshd

Conclusion

By hardening your SSH configuration, enabling the UFW firewall, and deploying Fail2Ban, you dramatically improve your Ubuntu server's defenses against common threats. These steps offer a solid foundation for security, but remember—security is an ongoing process. Regularly update your system, monitor logs, and periodically review your configurations as part of your server management routine.

Stay secure and happy hosting!

Back to All Articles