Ubuntu Hardening

Keep it simple: I’m using Ubuntu Desktop 22.04 LTS, in “minimal” installation mode (i.e. excluding office software etc.).

Auto Patching

Install and configure unattended-upgrades

$ sudo apt-get install unattended-upgrades

Configure to allow updates: $ sudo dpkg-reconfigure -plow unattended-upgrades

Ensure the service has been started after install: $ sudo systemctl status unattended-upgrades

Live Patching

Activate Ubuntu Livepatch to reduce the need for restarts when applying kernel patches:

$ sudo ua attach <token> (where token comes from https://ubuntu.com/advantage)

$ sudo ua enable livepatch

Disable root Account

Prefer to use a user account with sudo when needed.

$ sudo passwd -l root

note: if you need to re-enable the account, use the -u flag instead: $ sudo passwd -u root

Setup & Configure SSH Server

1) Install openssh-server

Ubuntu does not come with an ssh server by default, so it’ll need to be installed first:

$ sudo apt-get install openssh-server

To confirm the service auto started after install: $ sudo systemctl status ssh

And make sure the service is configured to start during boot: $ sudo systemctl enable ssh

2) Generate a new keypair for your local machine

Make sure to protect the private key with a strong passphrase when prompted:

$ ssh-keygen -t ed25519

Copy the pubkey to the node: $ ssh-copy-id -i ~/.ssh/keyname.pub -p 22 username@server

tip: if you’re managing multiple key pairs, you can select which to use during login with: $ ssh -i <private key>

3) Harden SSH Config

Open /etc/ssh/sshd_config and set the below configuration:

ChallengeResponseAuthentication no
PasswordAuthentication no
PermitRootLogin prohibit-password
PermitEmptyPasswords no

Restart SSH process to apply: $ sudo systemctl restart sshd
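
To confirm the step 3 values are the ones sshd actually uses (on Ubuntu 22.04 the stock sshd_config includes /etc/ssh/sshd_config.d/*.conf first, and the first value read for a keyword wins), check the effective configuration printed by sshd -T. The script below is an added example, not part of the original note; the function names and the sample input are constructed for illustration.

```shell
#!/bin/sh
# Usage on a live host: sudo sshd -T | audit_sshd
# Reads "keyword value" lines on stdin, prints one FAIL line per deviation
# from the step 3 settings, and returns non-zero if any were found.
audit_sshd() {
    awk '
    BEGIN {
        want["kbdinteractiveauthentication"] = "no"
        want["passwordauthentication"]       = "no"
        want["permitrootlogin"]              = "prohibit-password"
        want["permitemptypasswords"]         = "no"
    }
    {
        key = tolower($1); val = tolower($2)
        # ChallengeResponseAuthentication is a deprecated alias of
        # KbdInteractiveAuthentication (OpenSSH 8.7 and later).
        if (key == "challengeresponseauthentication")
            key = "kbdinteractiveauthentication"
        # without-password is the older spelling of prohibit-password
        # and may be what sshd -T prints.
        if (key == "permitrootlogin" && val == "without-password")
            val = "prohibit-password"
        # Keep only the first value seen, mirroring how sshd parses files.
        if ((key in want) && !(key in seen)) seen[key] = val
    }
    END {
        bad = 0
        for (k in want) {
            if (!(k in seen)) {
                printf "FAIL %s: not reported\n", k; bad++
            } else if (seen[k] != want[k]) {
                printf "FAIL %s: %s (want %s)\n", k, seen[k], want[k]; bad++
            }
        }
        exit (bad > 0)
    }'
}

# Constructed sample, not real output: the effective settings when a
# drop-in file has re-enabled password logins ahead of the main file.
sample_overridden() {
    printf "%s\n" "passwordauthentication yes" \
        "permitrootlogin without-password" \
        "permitemptypasswords no" "kbdinteractiveauthentication no"
}

sample_overridden | audit_sshd || echo "effective config deviates from step 3"
```

The same function accepts sshd_config-style lines, so it can also be pointed at a single file, but only sshd -T reflects Include ordering.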

4) Setup fail2ban

fail2ban automatically bans IP addresses that generate repeated failed login attempts.

Install: $ sudo apt-get install fail2ban -y

Create and edit the file /etc/fail2ban/jail.local (this is a local override of the config defaults in /etc/fail2ban/jail.conf). Enable the sshd jail:

[sshd]
enabled = true

Restart fail2ban to apply changes: $ sudo systemctl restart fail2ban
