How to Secure an Ubuntu Linux Server for Production

如何保护生产环境下的 Ubuntu Linux 服务器

Securing a production Linux server is one of the most important responsibilities of a system administrator. A poorly configured server can become an easy target for brute-force attacks, malware, unauthorized access, and service disruption. In this guide, I’ll share essential steps to harden and secure an Ubuntu server for production environments.

保护生产环境的 Linux 服务器是系统管理员最重要的职责之一。配置不当的服务器很容易成为暴力破解、恶意软件、未经授权访问和服务中断的目标。在本指南中，我将分享加固和保护生产环境 Ubuntu 服务器的基本步骤。

1. Update Your Server Regularly

1. 定期更新服务器

Always keep your system packages updated to patch security vulnerabilities. 始终保持系统软件包更新，以修补安全漏洞。

sudo apt update && sudo apt upgrade -y

You should also remove unused packages: 你还应该删除未使用的软件包：

sudo apt autoremove -y

2. Create a Non-Root User

2. 创建非 Root 用户

Avoid using the root user directly for daily administration tasks. Create a new user: 避免直接使用 root 用户进行日常管理任务。创建一个新用户：

sudo adduser adminuser

Add the user to the sudo group: 将该用户添加到 sudo 组：

sudo usermod -aG sudo adminuser

3. Disable Root SSH Login

3. 禁用 Root SSH 登录

Root login through SSH is a major security risk. Edit the SSH configuration file: 通过 SSH 进行 root 登录是一个重大的安全风险。编辑 SSH 配置文件：

sudo nano /etc/ssh/sshd_config

Find: PermitRootLogin yes Change it to: PermitRootLogin no 找到 PermitRootLogin yes 并将其更改为 PermitRootLogin no。

Restart SSH: 重启 SSH：

sudo systemctl restart ssh

4. Change the Default SSH Port

4. 更改默认 SSH 端口

Changing the default SSH port helps reduce automated brute-force attacks. Inside the SSH config file: 更改默认 SSH 端口有助于减少自动化的暴力破解攻击。在 SSH 配置文件中设置：

Port 2222

Restart SSH: 重启 SSH：

sudo systemctl restart ssh

Remember to allow the new port in your firewall. 记得在防火墙中放行新端口。

5. Configure UFW Firewall

5. 配置 UFW 防火墙

Ubuntu comes with UFW (Uncomplicated Firewall). Allow required services: Ubuntu 自带 UFW（简单防火墙）。放行所需服务：

sudo ufw allow 2222/tcp
sudo ufw allow 80/tcp
sudo ufw allow 443/tcp

Enable the firewall: 启用防火墙：

sudo ufw enable

Check status: 检查状态：

sudo ufw status

6. Install Fail2Ban

6. 安装 Fail2Ban

Fail2Ban blocks repeated failed login attempts automatically. Install it: Fail2Ban 可以自动阻止重复的登录失败尝试。安装它：

sudo apt install fail2ban -y

Enable and start the service: 启用并启动服务：

sudo systemctl enable fail2ban
sudo systemctl start fail2ban

Check status: 检查状态：

sudo fail2ban-client status

7. Use SSH Key Authentication

7. 使用 SSH 密钥认证

SSH keys are much safer than passwords. Generate SSH keys on your local machine: SSH 密钥比密码安全得多。在本地机器上生成 SSH 密钥：

ssh-keygen

Copy the public key to the server: 将公钥复制到服务器：

ssh-copy-id user@server-ip

Then disable password authentication: PasswordAuthentication no Restart SSH afterward. 然后禁用密码认证：设置 PasswordAuthentication no，随后重启 SSH。

8. Secure Docker Containers

8. 保护 Docker 容器

If you use Docker in production: Avoid running containers as root, keep images updated, use trusted images only, limit exposed ports, and scan images for vulnerabilities. 如果你在生产环境中使用 Docker：避免以 root 身份运行容器，保持镜像更新，仅使用受信任的镜像，限制暴露的端口，并扫描镜像漏洞。

Update Docker regularly: 定期更新 Docker：

sudo apt update
sudo apt install docker-ce docker-ce-cli containerd.io

9. Enable Automatic Security Updates

9. 启用自动安全更新

Install unattended upgrades: 安装自动升级工具：

sudo apt install unattended-upgrades -y

Enable automatic security updates: 启用自动安全更新：

sudo dpkg-reconfigure unattended-upgrades

10. Monitor Logs and System Activity

10. 监控日志和系统活动

Regular monitoring helps detect suspicious activity early. Useful commands: 定期监控有助于及早发现可疑活动。常用命令：

sudo journalctl -xe
sudo tail -f /var/log/auth.log

You can also use tools like: Prometheus, Grafana, Netdata, Uptime Kuma. 你也可以使用以下工具：Prometheus, Grafana, Netdata, Uptime Kuma。

11. Backup Your Server

11. 备份服务器

Always maintain secure backups. Recommended practices: Daily automated backups, offsite storage, database dumps, and backup verification. 始终保持安全的备份。推荐做法：每日自动备份、异地存储、数据库转储以及备份验证。

Tools: rsync, BorgBackup, Restic, Rclone. 推荐工具：rsync, BorgBackup, Restic, Rclone。

Final Thoughts

结语

Server security is not a one-time setup. It’s an ongoing process that requires continuous monitoring, updates, and optimization. A properly secured Ubuntu server reduces risks, improves reliability, and helps maintain stable production environments. If you’re managing Linux servers in production, implementing these security practices is essential.

服务器安全不是一次性的设置，而是一个需要持续监控、更新和优化的过程。一台经过妥善保护的 Ubuntu 服务器可以降低风险、提高可靠性，并有助于维护稳定的生产环境。如果你正在管理生产环境的 Linux 服务器，实施这些安全实践至关重要。