
Replacing passwords with SSH key authentication
Did you know 80% of breaches involve brute-forced credentials? SSH password authentication is like leaving your server’s front door unlocked. SSH keys provide cryptographic protection that’s virtually unbreakable. For both Ubuntu and RHEL servers, disable password logins entirely after configuring key-based access. First generate a key pair locally with `ssh-keygen -t ed25519`, then transfer the public key to the server’s `~/.ssh/authorized_keys` file. Critical configuration in `/etc/ssh/sshd_config`:
- Set `PasswordAuthentication no`
- Use `PermitRootLogin prohibit-password` (RHEL) or `without-password` (Ubuntu)
- Enable `PubkeyAuthentication yes`
Keep your current session open and test a new key-based connection before reloading SSH with `systemctl reload sshd`. According to the OpenSSH documentation, ED25519 keys offer better security than RSA for modern systems.
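As an added example (not code from the article), a small Python checker that reproduces sshd’s rule that the first value read for a keyword wins, including an `Include` line that pulls in drop-in files before the hardening settings are reached. The file paths and contents are constructed; the checker reports any of the three settings above whose effective value is not the hardened one.

```python
import fnmatch

# Settings the section above requires (PermitRootLogin accepts either spelling).
REQUIRED = {
    "passwordauthentication": ("no",),
    "pubkeyauthentication": ("yes",),
    "permitrootlogin": ("prohibit-password", "without-password"),
}

# Constructed sample: the Include line is read BEFORE the hardening settings,
# and a drop-in file re-enables passwords, so the drop-in wins.
SAMPLE_FILES = {
    "/etc/ssh/sshd_config": "Include /etc/ssh/sshd_config.d/*.conf\n"
        "PasswordAuthentication no\nPermitRootLogin prohibit-password\n"
        "PubkeyAuthentication yes\n",
    "/etc/ssh/sshd_config.d/50-cloud-init.conf": "PasswordAuthentication yes\n",
}


def effective_settings(files, start="/etc/ssh/sshd_config"):
    """Map keyword -> (value, source file) with sshd's first-value-wins rule.
    Include is expanded in place; lines after a Match directive are skipped
    because they apply only conditionally; 'Keyword=value' form not handled."""
    found = {}

    def walk(path):
        in_match = False
        for line in map(str.strip, files.get(path, "").splitlines()):
            if not line or line.startswith("#"):
                continue
            key, *args = line.split()
            key = key.lower()
            if key == "match":
                in_match = True  # everything below applies conditionally
            elif in_match:
                continue
            elif key == "include":  # drop-ins are read at this position
                for pattern in args:
                    for inc in sorted(p for p in files if fnmatch.fnmatch(p, pattern)):
                        walk(inc)
            elif args and key not in found:
                found[key] = (args[0].lower(), path)
    walk(start)
    return found


def audit(files):
    """Return findings for settings whose effective value is not the hardened one."""
    eff = effective_settings(files)
    return [f"{k}={v!r} set in {src}, expected one of {ok}"
            for k, ok in REQUIRED.items()
            for v, src in [eff.get(k, (None, None))] if v not in ok]
```

On a live host, `sshd -T` prints the effective configuration after all includes and is the quickest way to confirm the same three values.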
Configuring UFW and Firewalld for defense
Firewalls filter malicious traffic before it reaches services. Ubuntu uses UFW (Uncomplicated Firewall) while RHEL uses Firewalld – both simplify iptables management. Default deny policies are crucial: block all incoming, allow specific services.
Ubuntu UFW essentials
Enable with `ufw enable`. Common rules:
```sh
ufw allow ssh
ufw allow 443/tcp
ufw deny 22        # only if you have moved SSH off port 22
```
RHEL Firewalld fundamentals
Start with `systemctl start firewalld`. Use zones for granular control:
```sh
firewall-cmd --zone=public --add-service=ssh --permanent
firewall-cmd --zone=public --add-port=8080/tcp --permanent
firewall-cmd --reload    # --permanent rules only take effect after a reload
```
| Action | UFW (Ubuntu) | Firewalld (RHEL) |
|---|---|---|
| Check status | `ufw status verbose` | `firewall-cmd --list-all` |
| Allow service | `ufw allow http` | `firewall-cmd --add-service=http` |
| Reload rules | `ufw reload` | `firewall-cmd --reload` |
Always verify connectivity after changes. The Arch Linux firewall comparison provides excellent technical background.
Automating security patching for critical updates
Unpatched vulnerabilities caused 60% of breaches in 2023 according to IBM’s Threat Report. Configure automatic updates:
Ubuntu automation
Install unattended-upgrades:
```sh
sudo apt install unattended-upgrades
sudo dpkg-reconfigure unattended-upgrades
```
Configure in `/etc/apt/apt.conf.d/50unattended-upgrades`:
- Uncomment `"${distro_id}:${distro_codename}-security";`
- Set `Unattended-Upgrade::Automatic-Reboot "true";` for kernel updates
RHEL automation
Enable dnf-automatic:
```sh
sudo dnf install dnf-automatic
sudo systemctl enable --now dnf-automatic.timer
```
Edit `/etc/dnf/automatic.conf`:
- Set `upgrade_type = security`
- Enable `apply_updates = yes`
Schedule reboots during maintenance windows using cron or systemd timers. Monitor logs with journalctl -u unattended-upgrades (Ubuntu) or dnf history (RHEL). For more Linux server management strategies, see our enterprise guides.
Implementing least privilege for root access
Root accounts are prime attack targets. Implement privilege separation:
- Disable root SSH: already configured in SSH hardening
- Use sudo selectively: grant specific privileges via `/etc/sudoers`
- Create limited admin accounts: group membership defines capabilities
Example sudoers entry for database admins (edit with `visudo` so a syntax error cannot lock you out):
```
%db-admins ALL=(ALL) /usr/bin/systemctl restart postgresql*, /usr/bin/psql
```
Note that a sudoers wildcard also matches whitespace, so `postgresql*` accepts additional arguments after the unit name; list exact unit names where you can.
Configure sudo security policies:
- Set `Defaults timestamp_timeout=5` (re-authenticate after 5 minutes)
- Enable `Defaults use_pty` (prevents some injection attacks)
- Add `Defaults logfile=/var/log/sudo.log` (audit trail)
For sensitive operations, consider privileged access management solutions with session recording.
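An added example, not code from the article: a small Python reviewer for the audit trail that the `Defaults logfile` line above produces. The log lines are constructed in sudo’s logfile format; the reviewer separates permitted runs from policy denials and exhausted password attempts per user, the two events worth alerting on.

```python
from collections import Counter

# Constructed lines in the format sudo writes when `Defaults logfile=...` is set:
# "<date> : <invoking user> : [<message> ; ]TTY=... ; PWD=... ; USER=... ; COMMAND=..."
SAMPLE_LOG = """\
Mar 28 10:15:02 : alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/systemctl restart postgresql
Mar 28 10:16:40 : bob : command not allowed ; TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/usr/bin/bash
Mar 28 10:17:05 : bob : 3 incorrect password attempts ; TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/usr/bin/psql
Mar 28 10:18:11 : alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/psql
"""


def parse_line(line):
    """Split one sudo log line into ts, user (who ran sudo), msg and the
    key=value fields (TTY, PWD, USER = target account, COMMAND).
    msg is None for a permitted command that ran."""
    ts, user, rest = line.split(" : ", 2)
    parts = [p.strip() for p in rest.split(" ; ")]
    msg = None if parts[0].startswith("TTY=") else parts.pop(0)
    fields = dict(p.split("=", 1) for p in parts)
    return {"ts": ts, "user": user, "msg": msg, **fields}


def review(text):
    """Return (denied, failed_auth, runs) Counters keyed by invoking user.
    denied: sudoers refused the command; failed_auth: password attempts
    exhausted; runs: permitted commands, useful for spotting unusual volume."""
    denied, failed, runs = Counter(), Counter(), Counter()
    for line in filter(None, text.splitlines()):
        rec = parse_line(line)
        if rec["msg"] is None:
            runs[rec["user"]] += 1
        elif rec["msg"] == "command not allowed":
            denied[rec["user"]] += 1
        elif "incorrect password attempt" in rec["msg"]:
            failed[rec["user"]] += 1
    return denied, failed, runs
```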
Advanced hardening: Fail2ban and kernel protection
Deploy secondary defenses against persistent threats:
Fail2ban installation
Blocks IPs after repeated failed attempts:
```sh
# Ubuntu
sudo apt install fail2ban
# RHEL
sudo dnf install epel-release
sudo dnf install fail2ban
```
Configure jail rules in `/etc/fail2ban/jail.local`:
- Set `maxretry = 3` for SSH
- Adjust `bantime = 1h` for temporary blocks
Kernel hardening
Enable security modules:
- RHEL: ensure SELinux is enforcing (`sestatus`)
- Ubuntu: install AppArmor profiles (`sudo apt install apparmor-profiles`)
Set kernel parameters in `/etc/sysctl.conf`:
```
net.ipv4.tcp_syncookies = 1
kernel.kptr_restrict = 2
kernel.dmesg_restrict = 1
```
Apply with `sysctl -p`. For comprehensive security, see the CIS Ubuntu Benchmark.
Frequently asked questions
How often should I rotate SSH keys?
Industry best practice recommends rotating SSH keys every 3-6 months for critical systems. Always rotate immediately if a key is suspected compromised. Use ssh-keygen -p to change passphrases without generating new keys.
Can UFW and Firewalld coexist?
No, they conflict as both manage iptables/nftables. Choose one based on your distribution: UFW for Ubuntu/Debian systems, Firewalld for RHEL/CentOS. Mixing them causes unpredictable firewall behavior.
What’s the safest way to automate reboots after patching?
Schedule reboots during maintenance windows using:
- Ubuntu: `Unattended-Upgrade::Automatic-Reboot-Time "04:00";`
- RHEL: combine `dnf-automatic` with a cron job (`0 4 * * * /sbin/reboot`)
Always notify connected users and verify services restart properly.
Should I disable root entirely?
Never fully disable root – system services require it. Instead: 1) Disable root SSH access, 2) Set strong root password, 3) Use sudo for administrative tasks, and 4) Enable SELinux/AppArmor. Root should only be used via sudo -i when absolutely necessary.
Conclusion
Securing Ubuntu and RHEL servers demands layered defenses: SSH key authentication eliminates password risks, properly configured firewalls filter malicious traffic, automated patching closes vulnerabilities, and least privilege access minimizes breach impact. Remember that security isn’t a one-time setup but an ongoing process. Regularly audit configurations using tools like Lynis or OpenSCAP, monitor logs for anomalies, and stay informed about emerging threats. Implement these measures today to transform your servers from vulnerable targets into hardened infrastructure. For continued learning, explore our Linux security resources covering intrusion detection and compliance frameworks.
