Ubuntu 22.04 Install

Well, it's about time I upgrade and test backups at the same time, so that's what I'm doing today. This is to document the process I took for posterity and maybe to help someone else.

Download and Install Ubuntu 22.04

Even though this will be mostly utilized as a server, I don't mind spending a few extra resources to have a GUI (Graphical User Interface) installed for ease of use. I downloaded the latest Ubuntu LTS version, which at the time of writing this is 22.04:

I use "Startup Disk Creator", which is on my current version of Ubuntu, to create a bootable USB disk with the ISO downloaded above. Then insert the bootable USB into the server and power it up.

You may have to change the boot sequence or press a special key during BIOS boot to select the USB drive as your boot media. I will not go into that detail, but feel free to Google it if necessary.

Select Install Ubuntu and follow the prompts - this part is pretty self-explanatory and the defaults should work most of the time. After following all prompts, you will be asked to remove the USB and reboot the server. Upon reboot, you will be in your new Ubuntu installation!

Securing The Server

The very next step I take after building the server is to enable remote access (only to my internal network!) and secure the server. Welp, lets begin!

  1. Open UFW ports and enable UFW

    1. NOTE: If you do these sub-steps out of order (enabling UFW before allowing port 22) while you are already connected remotely over SSH, you could lock yourself out of all remote connections.

    2. Allow port 22 - I specify my internal IP range just as an extra precaution, but you could simply use sudo ufw allow ssh

      sudo ufw allow from 192.168.0.0/24 to any port 22

    3. Enable ufw

      sudo ufw enable

    4. You can replicate that rule for any port you require later on, modifying the port as required.

    5. Now we verify from a remote host that it can connect to the server:

      telnet 192.168.0.190 22

      We should see a response such as:
      Trying 192.168.0.190...
      Connected to 192.168.0.190.
      Escape character is '^]'.
      SSH-2.0-OpenSSH_8.9p1 Ubuntu-3ubuntu0.1

      If you see something such as the following, go back and retry the steps above, or check the IP address you're hitting, because something isn't correct:
      Trying 192.168.0.190...
      telnet: connect to address 192.168.0.190: Connection refused
      telnet: Unable to connect to remote host

    6. To exit, press Ctrl+] and then type quit.
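Added check, not from the original post: the rule above deliberately limits port 22 to the internal range, and a later sudo ufw allow 22 or a leftover IPv6 rule can quietly undo that. The function below reads ufw status output on stdin and prints every rule that allows a given port from Anywhere (v4 or v6); the function names are mine, and it is run on the server as sudo ufw status | ufw_port_open_to_anywhere 22.

```shell
#!/bin/bash
# Reads `ufw status` (plain or verbose) output on stdin and prints every rule that
# allows PORT from Anywhere, IPv4 or IPv6. Returns 0 if such a rule exists, 1 if
# the port is only allowed from the source ranges you listed.
# Usage on the server: sudo ufw status | ufw_port_open_to_anywhere 22
ufw_port_open_to_anywhere() {
  awk -v port="$1" '
    BEGIN { pat = "^" port "(/(tcp|udp))?$"; found = 0 }
    $1 ~ pat {
      # the From column is the last field; IPv6 rules append "(v6)" after it
      from = $NF
      if (from == "(v6)") from = $(NF - 1)
      if ($0 ~ /ALLOW/ && from == "Anywhere") { print; found = 1 }
    }
    END { exit found ? 0 : 1 }'
}

# Wrapper for the server: complains (exit 2) if SSH is allowed from everywhere.
check_ssh_not_open_to_world() {
  if sudo ufw status | ufw_port_open_to_anywhere 22; then
    echo "port 22 is allowed from Anywhere; restrict it to your internal range"
    return 2
  fi
  echo "port 22 is only allowed from specific sources"
}

if [ "${1:-}" = "--live" ]; then check_ssh_not_open_to_world; fi
```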

    Next we secure SSH to prevent unauthorized access. We will harden SSH by disallowing root login (don't worry, you can still sudo to root after logging in as your user) and by forcing SSH key login, which makes brute-force password guessing impossible. Even though we will not be opening SSH to the world, I like to do this.

  2. Secure SSH

    1. Make a backup of the original sshd config so we can always revert if we mess up:

      sudo cp /etc/ssh/sshd_config /etc/ssh/sshd_config.orig

    2. Now we make changes with sudo vi /etc/ssh/sshd_config - feel free to use any editor of your choice, such as nano or even gedit

      1. Verify PasswordAuthentication is disabled by uncommenting that line (line 57 in my default config) and changing it to no.

        from:

        #PasswordAuthentication yes

        to:

        PasswordAuthentication no

      2. Next we disable root login. Line 33 in my default config:

        from:
        #PermitRootLogin prohibit-password
        to:
        PermitRootLogin no

      3. I don't know which protocol version OpenSSH uses by default, so to guarantee it I added the following line:
        Protocol 2

      4. Save the file and restart the SSH daemon to bring these new settings into effect:
        sudo systemctl restart sshd
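Added example, not from the original post: before restarting, run sshd -t to catch a typo (a broken config makes the restart fail and sshd stays down), then dump the effective configuration with sshd -T and compare it with the settings above. On 22.04 the main file starts with Include /etc/ssh/sshd_config.d/*.conf and sshd uses the first value it reads for each keyword, so a drop-in in that directory silently overrides an edit in sshd_config; sshd -T shows what actually applies. The function names and the required-settings list are mine.

```shell
#!/bin/bash
# Settings the steps above are meant to produce, written the way `sshd -T` prints
# them (lowercase keyword, one space, value). Extend the list with your own requirements.
REQUIRED_SSHD_SETTINGS='passwordauthentication no
permitrootlogin no
pubkeyauthentication yes'

# Reads `sshd -T` output on stdin, prints one FAIL line per setting that does not
# match the list above, returns 1 if anything failed and 0 otherwise.
sshd_effective_settings_ok() {
  local dump key want got rc=0
  dump=$(cat)
  while read -r key want; do
    [ -n "$key" ] || continue
    got=$(printf '%s\n' "$dump" | awk -v k="$key" '$1 == k { print $2; exit }')
    if [ "$got" != "$want" ]; then
      echo "FAIL: $key is '${got:-unset}', expected '$want'"
      rc=1
    fi
  done <<EOF
$REQUIRED_SSHD_SETTINGS
EOF
  return $rc
}

# Run on the server after editing sshd_config and before `systemctl restart sshd`.
audit_sshd() {
  # 1) syntax check: a typo here makes the restart fail and leaves sshd down
  sudo sshd -t || { echo "sshd_config has errors; fix them before restarting"; return 1; }
  # 2) effective config, after Include drop-ins have been merged in
  sudo sshd -T | sshd_effective_settings_ok && echo "sshd hardening settings verified"
}

if [ "${1:-}" = "--live" ]; then audit_sshd; fi
```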

    3. Install and configure Fail2Ban

      1. Install fail2ban:
        sudo apt install -y fail2ban

      2. fail2ban protects SSH by default, but I like to loosen the restrictions a bit, just in case I mess up:
        sudo vi /etc/fail2ban/jail.d/defaults-debian.conf

        Add the following lines to the [sshd] section:
        logpath = /var/log/auth.log
        maxretry = 10

    4. Configure PAM to email any time someone successfully SSHs into your machine. If you SSH in a lot this may be daunting, but it could be a great first alert.

      1. Install mailx with sudo apt install -y mailutils

      2. Create an App Password for gmail:

        https://support.google.com/mail/answer/185833?hl=en

      3. Create a password file for postfix: sudo vi /etc/postfix/sasl/sasl_passwd
        Add:
        [smtp.gmail.com]:587 youremail@gmail.com:yourapppasswd

      4. Lock down the file with sudo chmod 600 /etc/postfix/sasl/sasl_passwd

      5. Modify postfix main.cf: sudo vi /etc/postfix/main.cf
        Add the following, one parameter per line:
        mydestination =
        relayhost = [smtp.gmail.com]:587
        smtp_use_tls = yes
        smtp_sasl_auth_enable = yes
        smtp_sasl_security_options =
        smtp_sasl_password_maps = hash:/etc/postfix/sasl/sasl_passwd
        smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt

      6. Build the lookup table from the password file: sudo postmap /etc/postfix/sasl/sasl_passwd

      7. Restart postfix: sudo systemctl restart postfix

      8. send a test email to check:
        echo "test email" | mailx -s "test email" myemail@gmail.com

      9. If you received that email, you're good to go. If not, check /var/log/mail.log for troubleshooting.

      10. Install libpam-script: sudo apt install -y libpam-script

      11. Make a scripts dir and create a script called ssh-notify.sh:
        sudo mkdir /opt/scripts
        sudo vi /opt/scripts/ssh-notify.sh

        #!/bin/bash
        # Run by pam_exec.so from /etc/pam.d/sshd. PAM exports PAM_USER, PAM_RHOST and PAM_TYPE;
        # whoami and SSH_CONNECTION are not usable here (the hook runs as root before the login shell exists)
        EMAIL=youremail@gmail.com
        # pam_exec also fires when the session closes; only mail on open
        [ "$PAM_TYPE" = "open_session" ] || exit 0
        USER="$PAM_USER"
        IP="$PAM_RHOST"
        echo "User $USER logged in to server from IP: ${IP}" | mailx -s "SSH Login to Server" "$EMAIL"
        exit 0

      12. Make it executable: sudo chmod +x /opt/scripts/ssh-notify.sh

      13. Modify the PAM config: sudo vi /etc/pam.d/sshd

        Add to the end of the file (the path must match the script created above):
        session optional pam_exec.so seteuid /opt/scripts/ssh-notify.sh

      14. Restart sshd: sudo systemctl restart sshd

      15. Log in to your server via SSH and test receiving the email. If you don't get an email, check your /var/log/mail.log file again, and verify your script is correct and that you restarted sshd.
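Added check, not from the original post: the relay setup above spreads one secret over three places that must agree (the file you create and chmod, the smtp_sasl_password_maps path in main.cf, and the postmap run), and a name mismatch, a group-readable password file or a .db older than its source all fail quietly until mail.log complains. This script reads main.cf, follows the map path and checks each of those, plus that the lookup key in the file equals relayhost exactly; the function names are mine and the paths are whatever your main.cf says.

```shell
#!/bin/bash
# Usage on the server: postfix_relay_files_ok /etc/postfix/main.cf
# Prints a FAIL line per problem and returns 1; returns 0 when the relay files line up.

# Print the value of one main.cf parameter (Postfix keeps the last definition,
# so this does too). Comments and continuation lines are ignored.
maincf_value() {
  awk -v k="$2" '
    /^[ \t]*#/ || !/=/ { next }
    { key = $0; sub(/[ \t]*=.*/, "", key); sub(/^[ \t]*/, "", key) }
    key == k { v = $0; sub(/^[^=]*=[ \t]*/, "", v); sub(/[ \t]+$/, "", v); found = 1 }
    END { if (found) print v }' "$1"
}

postfix_relay_files_ok() {
  local maincf="$1" map src mode relay key rc=0
  map=$(maincf_value "$maincf" smtp_sasl_password_maps)
  case $map in
    hash:*) src=${map#hash:} ;;
    *) echo "FAIL: smtp_sasl_password_maps is '${map:-unset}', expected hash:/path"; return 1 ;;
  esac
  # the file you created, chmod'ed and fed to postmap must be this exact path
  [ -f "$src" ] || { echo "FAIL: $src does not exist; main.cf and the file name must match"; return 1; }
  mode=$(stat -c %a "$src")
  [ "$mode" = "600" ] || { echo "FAIL: $src has mode $mode, expected 600 (it holds your app password)"; rc=1; }
  if [ ! -f "$src.db" ]; then
    echo "FAIL: $src.db missing; run: sudo postmap $src"; rc=1
  elif [ "$src" -nt "$src.db" ]; then
    echo "FAIL: $src was edited after postmap; run: sudo postmap $src"; rc=1
  fi
  # the lookup key (first column of the password file) must equal relayhost exactly
  relay=$(maincf_value "$maincf" relayhost)
  key=$(awk 'NF { print $1; exit }' "$src")
  [ "$key" = "$relay" ] || { echo "FAIL: map key '$key' does not match relayhost '$relay'"; rc=1; }
  return $rc
}
```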

    5. Register for and configure Ubuntu Pro to enable automatic security updates. This is free for personal use and highly recommended. I will not go over the details of the process, but you can find out more here:

      https://ubuntu.com/pro
