Ubuntu Hardening Guidelines

  1. Restricting Superuser Access

    Adhering to these guidelines ensures robust security for your Ubuntu 20.04 server, protecting it from unauthorized access and potential vulnerabilities.

    1. Log in with a Non-Root Account

      Always log into your Ubuntu 20.04 server using a non-root account to prevent accidental deletions. For instance, running the rm command incorrectly as a root user can wipe your entire server.

    2. Using the su Command

      The su command allows Linux users to switch to a different user and gain that user's privileges. Create a new admin group with the following commands:

      sudo groupadd admin
      sudo usermod -a -G admin jack
      sudo dpkg-statoverride --update --add root admin 4750 /bin/su

      Logging in as the user jack and using the su command to switch users is allowed because jack is a member of the admin group. Other users are denied access to the su command.

  2. Using Authentication Key Pair for Server Login

    By default, SSH logins use a username and password. Using a private/public key pair is safer, as these keys are difficult to guess. Generate authentication keys with an application like PuTTY Key Generator, and upload the public key to your Ubuntu server in the file:

    <username>/.ssh/authorized_keys
  3. Secure Shared Memory

    1. To prevent shared memory from being used in an attack against a running service, modify the /etc/fstab file. Add the following line:

      tmpfs /run/shm tmpfs defaults,noexec,nosuid 0 0
    2. Save the file and reboot the system.

  4. Implementing Ubuntu’s Default Firewall Using IPTables

    Adopt a whitelisting approach for your firewall configuration, with the default policy set to deny/drop.

  5. SSH Server Hardening

    Before making changes to the SSH configuration, back up the current configuration file:

    sudo cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bak
    1. Disallow SSH Password Authentication

      Disable password authentication by editing the /etc/ssh/sshd_config file. Find the PasswordAuthentication entry and set its value to no.

      PasswordAuthentication no

    2. Disable Remote Root Login

      To enhance security, disable root login over SSH. In the /etc/ssh/sshd_config file, find the PermitRootLogin entry and set its value to no.

      PermitRootLogin no

    3. Restrict SSH Logins to Specific IP Addresses

      By default, SSH accepts connections from any external IP address. To restrict SSH to allow connections only from specific IP addresses, add ListenAddress lines in the /etc/ssh/sshd_config file.

      ListenAddress 192.168.1.100

    4. Disable Host-Based Authentication

      Ensure that host-based authentication is disabled. In the /etc/ssh/sshd_config file, find the HostbasedAuthentication entry and set its value to no.

      HostbasedAuthentication no

    5. Change HostKey Preferences

      Follow the advice of security experts like stribika, Mozilla, and the SSH audit report. Update the HostKey preferences in the /etc/ssh/sshd_config file by replacing the current entries with:

      HostKey /etc/ssh/ssh_host_ed25519_key

      HostKey /etc/ssh/ssh_host_rsa_key

    6. Change Default Ciphers and Algorithms

      Update the key exchange algorithms, symmetric ciphers, and message authentication codes in the /etc/ssh/sshd_config file:

      KexAlgorithms curve25519-sha256@libssh.org

      Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr

      MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com

    7. Regenerate Moduli

      The /etc/ssh/moduli file contains prime numbers and generators used by the SSH server for the Diffie-Hellman key exchange. Generating a new file can enhance server security. Use the following commands:

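      # OpenSSH 8.2 (shipped with Ubuntu 20.04) replaced -G/-T with -M generate/-M screen
      ssh-keygen -M generate -O bits=2048 moduli-2048.candidates
      ssh-keygen -M screen -f moduli-2048.candidates moduli-2048
      sudo cp moduli-2048 /etc/ssh/moduli
      rm moduli-2048 moduli-2048.candidates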
    8. Conduct an SSH Audit

      Perform a security audit using an SSH audit script available on GitHub:

      python ssh-audit.py example.com
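
The sshd_config values from steps 1, 2, 4 and 6 above can be checked mechanically. The following is an added example, not part of the original guide or of any OpenSSH tooling: the function names (parse_global, audit) and the sample configuration are constructed for illustration, and it reads only the global section, applying sshd's rule that the first value obtained for a keyword is used.

```python
import re

# Values this guide sets in /etc/ssh/sshd_config (keywords are case-insensitive).
EXPECTED = {"passwordauthentication": "no", "permitrootlogin": "no",
            "hostbasedauthentication": "no"}
ALLOWED = {
    "kexalgorithms": {"curve25519-sha256@libssh.org"},
    "ciphers": {"chacha20-poly1305@openssh.com", "aes256-gcm@openssh.com",
                "aes128-gcm@openssh.com", "aes256-ctr", "aes192-ctr", "aes128-ctr"},
    "macs": {"hmac-sha2-512-etm@openssh.com", "hmac-sha2-256-etm@openssh.com",
             "umac-128-etm@openssh.com"},
}
# Constructed sample input, not taken from a real host.
SAMPLE = """\
passwordauthentication no
PermitRootLogin prohibit-password
PermitRootLogin no
KexAlgorithms curve25519-sha256@libssh.org
Ciphers chacha20-poly1305@openssh.com,aes128-cbc
MACs hmac-sha2-512-etm@openssh.com
Match Address 10.0.0.0/8
    PasswordAuthentication yes
"""

def parse_global(text):
    """Global-section settings; sshd uses the first value it obtains per keyword."""
    settings = {}
    for line in map(str.strip, text.splitlines()):
        m = re.match(r"(\w+)(?:\s*=\s*|\s+)(\S.*)$", line)
        if m and m.group(1).lower() == "match":
            break  # Match blocks are conditional overrides, not audited here
        if m:  # skips blank lines, comments and keywords without a value
            settings.setdefault(m.group(1).lower(), m.group(2))
    return settings

def audit(text):
    """Return findings; an empty list means the global section matches the guide."""
    cfg, findings = parse_global(text), []
    for key, want in EXPECTED.items():
        got = cfg.get(key, "<unset>")
        if got.lower() != want:
            findings.append(f"{key}: {got} (guide: {want})")
    for key, allowed in ALLOWED.items():
        extra = [a for a in cfg.get(key, "<unset>").split(",") if a not in allowed]
        if extra:  # includes +/-/^ entries, which modify sshd's default list
            findings.append(f"{key}: not in the guide's list: {','.join(extra)}")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)) or "matches the guide")
```

The same function also accepts the output of `sshd -T`, which prints the effective configuration with lowercase keywords.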