Thursday, December 26, 2024

Advanced Security best practices for Ubuntu Linux

Hardening an Ubuntu Linux system means going beyond the default configuration. The practices below reduce exposure to brute-force attacks, unauthorized access and data loss; most of them are cheap to apply, but several (SSH and firewall changes in particular) can lock you out if done in the wrong order, so the caveats matter as much as the commands.

Point 1) Install and configure Fail2Ban (IMP)

Fail2Ban watches service logs (or the systemd journal) for repeated authentication failures and temporarily bans the offending source address through the firewall. It is commonly placed in front of SSH, HTTP and FTP to slow down brute-force and credential-stuffing attacks. It does not mitigate DDoS, and it is no substitute for key-only SSH (Point 4): an attacker with many source addresses simply stays under the per-address threshold.
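An added example (not code from the original post): a jail.local for the sshd jail, and a stand-alone awk reimplementation of the counting the jail performs, run over a few constructed auth.log lines so you can see exactly what earns a ban. The helper names (write_fail2ban_jail, write_sample_auth_log, find_brute_force_sources), the management range in ignoreip and the sample log lines are assumptions made for this example; the jail options are real Fail2Ban settings.

```shell
#!/bin/sh
# Added example, not part of the original post. Helper names are hypothetical.

# Write jail.local into the given directory (/etc/fail2ban on a real host).
# jail.local overrides jail.conf, which package upgrades may overwrite.
write_fail2ban_jail() {
    dir=$1
    port=$2
    cat > "$dir/jail.local" <<EOF
[DEFAULT]
# Addresses that must never be banned: loopback plus an assumed management range
ignoreip = 127.0.0.1/8 ::1 10.0.0.0/8
# 3 failures within 10 minutes earn a 1 hour ban
bantime  = 1h
findtime = 10m
maxretry = 3
# Ban through UFW so the rule shows up in 'ufw status'
banaction = ufw

[sshd]
enabled = true
# Must match the Port directive in sshd_config (2222 in this post)
port    = $port
# Read sshd messages from the journal: Ubuntu 24.04 no longer installs rsyslog
# by default, so /var/log/auth.log may not exist
backend = systemd
EOF
}

# Constructed sample of what sshd logs on Ubuntu (not real traffic; TEST-NET addresses).
write_sample_auth_log() {
    cat > "$1" <<'EOF'
Dec 26 10:01:02 host sshd[1234]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Dec 26 10:01:05 host sshd[1235]: Failed password for root from 203.0.113.7 port 51236 ssh2
Dec 26 10:01:08 host sshd[1236]: Failed password for invalid user test from 203.0.113.7 port 51238 ssh2
Dec 26 10:02:00 host sshd[1240]: Accepted publickey for deploy from 198.51.100.4 port 40000 ssh2: ED25519 SHA256:abc
Dec 26 10:03:00 host sshd[1241]: Failed password for ubuntu from 198.51.100.9 port 40010 ssh2
EOF
}

# What the sshd jail does, in awk: count "Failed password" lines per source IP
# and report every source that reached maxretry ($2). Fail2Ban additionally
# applies findtime; this simplified version treats the whole file as one window.
find_brute_force_sources() {
    awk -v max="$2" '
        /sshd\[[0-9]+\]: Failed password for/ {
            for (i = 1; i <= NF; i++) if ($i == "from") fails[$(i + 1)]++
        }
        END { for (ip in fails) if (fails[ip] >= max) print ip }
    ' "$1"
}
```

On a real host: sudo apt install fail2ban, write the file to /etc/fail2ban/jail.local with your own address (or management range) in ignoreip, then sudo systemctl enable --now fail2ban and confirm with sudo fail2ban-client status sshd. With the sample above and maxretry = 3, only 203.0.113.7 is reported; 198.51.100.9 has one failure and the successful publickey login from 198.51.100.4 is never counted.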


Point 2) Use a non-default SSH port (IMP)

  • Port 2222 in /etc/ssh/sshd_config
  • Moving the port only cuts the log noise from mass scanners; it is not an access control, and a targeted attacker finds the new port in seconds. Open the new port in UFW (Point 8) and keep your current session open before restarting sshd, or you will lock yourself out.


Point 3) Disable root login via SSH

  • Create a user with sudo rights first and confirm it can log in; after this change root can only be reached through that account.
  • sudo nano /etc/ssh/sshd_config
  • PermitRootLogin no
  • sudo systemctl restart sshd
 
Point 4) Use SSH key-based authentication instead of passwords
(IMP)
 
  • Copy your public key to the server (ssh-copy-id) and verify that key login works from a second terminal before disabling passwords.
  • sudo nano /etc/ssh/sshd_config
  • PasswordAuthentication no
  • PubkeyAuthentication yes
  • sudo systemctl restart sshd
  • PasswordAuthentication alone is not enough: sshd can still prompt for a password through PAM keyboard-interactive authentication, so KbdInteractiveAuthentication must be "no" as well (Ubuntu's stock sshd_config sets it, but check).
 
Point 5) Secure logging
(IMP)
   
  • Use tools like `logwatch` to monitor logs and review system events regularly.
  • sudo apt install logwatch
  • sudo logwatch --output stdout --detail High --range today

Point 6) File system hardening: make critical configuration files immutable.
     
  • sudo chattr +i /etc/fstab
  • sudo chattr +i /etc/ssh/sshd_config
  • The immutable attribute blocks writes, renames and deletion even by root until it is removed with chattr -i, which is the point: an intruder who gains root has to notice and clear it first, and that shows up in auditd (Point 12). It also breaks anything that legitimately rewrites the file, including package upgrades of openssh-server and cloud-init, so remove it before maintenance and verify the state afterwards with lsattr.

Point 7) Enable backup and recovery for critical files and directories.
(IMP)

  • Back up /etc, /home and application data on a schedule, keep at least one copy off the host (ransomware and a rooted box both take local copies with them), and test the restore regularly; a backup that has never been restored is an assumption, not a backup.
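An added example (not from the original post) of the part that usually gets skipped: a backup that records a SHA-256 manifest of the live tree and a verify step that restores the archive into a scratch directory and checks every hash, so a corrupted or tampered archive is caught before you need it. backup_dir and verify_backup are hypothetical helper names; the script assumes GNU tar, find, sort and coreutils sha256sum, all present on Ubuntu.

```shell
#!/bin/sh
# Added example, not part of the original post. Helper names are hypothetical.

# Archive $1 into $2/<name>-<utc timestamp>.tar.gz, with a sha256 manifest
# taken from the live files beside it, and print the archive path.
backup_dir() {
    src=$1
    dest=$2
    stamp=$(date -u +%Y%m%dT%H%M%SZ)
    archive="$dest/$(basename "$src")-$stamp.tar.gz"
    mkdir -p "$dest"
    # Manifest first: relative paths, sorted so two runs of an unchanged tree
    # produce identical manifests (handy for spotting drift between backups)
    (cd "$src" && find . -type f -print0 | sort -z | xargs -0 -r sha256sum) \
        > "$archive.sha256"
    tar -C "$src" -czf "$archive" .
    printf '%s\n' "$archive"
}

# Prove the archive restores: unpack into a scratch directory and check every
# file against the manifest. Returns non-zero on any missing or altered file.
verify_backup() {
    archive=$1
    # Absolute manifest path, because we cd into the scratch directory below
    manifest="$(cd "$(dirname "$archive")" && pwd)/$(basename "$archive").sha256"
    scratch=$(mktemp -d)
    tar -C "$scratch" -xzf "$archive"
    if (cd "$scratch" && sha256sum --quiet -c "$manifest") >/dev/null 2>&1; then
        status=0
    else
        status=1
    fi
    rm -rf "$scratch"
    return $status
}
```

Run backup_dir /etc /var/backups/etc from a cron job or systemd timer, copy both the archive and its .sha256 off-host, and run verify_backup against the off-host copy, not the local one. Note that tar preserves ownership and modes only when run as root, which the /etc case requires anyway.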

Point 8) Enable Uncomplicated Firewall (UFW)

  • UFW is a simple front end to the kernel packet filter on Ubuntu. Default-deny inbound, allow outbound, open only the SSH port (the non-default one from Point 2) and the services you actually expose, and enable the firewall only after the SSH rule exists.
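A baseline rule set as an added example (not from the original post). apply_ufw_rules is a hypothetical helper; the UFW_BIN variable is there so the same function can be dry-run with UFW_BIN=echo to print the commands it would issue, then run as root with the real ufw. The ufw subcommands themselves (limit, default, logging, --force reset/enable) are real.

```shell
#!/bin/sh
# Added example, not part of the original post. Set UFW_BIN=echo to dry-run.
UFW_BIN="${UFW_BIN:-ufw}"

# $1 = SSH port (must match Port in sshd_config); remaining args = extra TCP ports
apply_ufw_rules() {
    ssh_port=$1
    shift
    "$UFW_BIN" --force reset
    "$UFW_BIN" default deny incoming
    "$UFW_BIN" default allow outgoing
    # SSH rule goes in before enable so the current session is never cut off.
    # 'limit' allows the port but drops a source after 6 new connections in
    # 30 seconds, a cheap brake on brute force that complements Fail2Ban.
    "$UFW_BIN" limit "${ssh_port}/tcp" comment 'ssh'
    for p in "$@"; do
        "$UFW_BIN" allow "${p}/tcp"
    done
    # Log blocked packets at low volume; useful evidence, low noise
    "$UFW_BIN" logging low
    "$UFW_BIN" --force enable
}

# Run as root on a real host, e.g.: apply_ufw_rules 2222 80 443
```

Check the result with sudo ufw status verbose; the SSH line should read LIMIT, not ALLOW, and "Default: deny (incoming), allow (outgoing)" should appear at the top. If Fail2Ban uses banaction = ufw (Point 1), its bans show up in the same listing.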
 

Point 9) Install and configure AIDE (Advanced Intrusion Detection Environment)
     
  • sudo apt install aide
  • sudo aideinit
  • sudo cp /var/lib/aide/aide.db.new /var/lib/aide/aide.db
  • sudo aide.wrapper --check
  • AIDE only reports differences from its database, so re-initialise it (and copy the new database into place) after every legitimate change such as a package upgrade, or every check will drown in expected noise. Keep a copy of aide.db off-host: an attacker with root can otherwise regenerate it to hide modified binaries.
 
Point 10) Configure AppArmor for mandatory access control (MAC)

  • Ubuntu ships with AppArmor installed and enabled; SELinux is not practically supported on Ubuntu, so pick AppArmor and do not try to run both. The commands below only matter if the service was removed or masked.
  • sudo apt install apparmor
  • sudo systemctl enable apparmor
  • sudo systemctl start apparmor
  • Check the result with aa-status: it lists which profiles are in enforce mode and which are only in complain mode (logging violations, not blocking them). aa-enforce and aa-complain from the apparmor-utils package switch a profile between the two.
   
Point 11) Configure disk encryption with LUKS

  • For sensitive data, enable full disk encryption with LUKS. Choose it at installation: adding it afterwards means reformatting the volume and restoring from backup.
  • LUKS protects data at rest, that is, a stolen, resold or improperly decommissioned disk. It does nothing against an attacker on the running system, where the volume is already unlocked.
  • Back up the LUKS header (cryptsetup luksHeaderBackup) to a location off the disk; a damaged header makes the whole volume unrecoverable regardless of the passphrase.
    

Point 12) Advanced monitoring and logging
(IMP)

  • Ship logs off-host to a central logging server (for example the ELK stack, or any syslog or journal collector) so an intruder cannot erase their traces by editing local files.
  • Install auditd for kernel-level auditing of file access, privilege use and system calls; put rules in /etc/audit/rules.d/ (watch /etc/passwd, /etc/shadow, /etc/sudoers and the sshd configuration at minimum), load them with augenrules, and query with ausearch.

   
Point 13) Advanced networking: put remote access behind a VPN (e.g. OpenVPN, WireGuard) rather than exposing SSH and admin interfaces to the internet, and bind management services to the VPN interface only.
 

Point 14) ClamAV antivirus on Ubuntu for malware detection

  • sudo apt install clamav clamav-daemon
  • sudo systemctl stop clamav-freshclam
  • sudo freshclam
  • sudo systemctl start clamav-freshclam
  • sudo clamscan -r -i --exclude-dir='^/sys' --exclude-dir='^/proc' --exclude-dir='^/dev' /
  • Running freshclam by hand fails on a locked log file while the clamav-freshclam service is updating, hence the stop and start around it. Scanning / without the exclusions walks /proc and /sys and produces errors rather than findings; -i prints only infected files.
  • ClamAV is a signature scanner. It earns its keep on files that arrive from elsewhere (uploads, mail, shared directories) and does not replace the integrity checking in Point 9.

 
