Home » Linux & Server » Hardening Linux Server — 10 Langkah Mengamankan Server Ubunt...
Linux & Server

Hardening Linux Server — 10 Langkah Mengamankan Server Ubuntu

Penguin Linux berbaju zirah menjaga rak server, konsep hardening server, ilustrasi teknologi

Hardening Linux Server — 10 Langkah Mengamankan Server Ubuntu

Kalau lo punya VPS atau dedicated server dan lo mikir “ah, server gue kecil, siapa juga yang mau hack,” let me stop you right there. Bot scanner dari internet nggak peduli server lo besar atau kecil. Mereka auto-scan ribuan IP tiap detik, nyari port SSH default, root login terbuka, service vulnerable. Gue udah berkali-kali nanganin VPS yang kena hack bukan karena targeted attack, tapi karena kena random scan.

Ini checklist hardening yang gue pake sendiri untuk setiap server yang gue deploy.

Langkah 1: Update & Unattended Upgrades

sudo apt update && sudo apt upgrade -y
sudo apt install unattended-upgrades
sudo dpkg-reconfigure --priority=low unattended-upgrades

Konfigurasi di /etc/apt/apt.conf.d/50unattended-upgrades:

Unattended-Upgrade::Allowed-Origins {
    "${distro_id}:${distro_codename}-security";
};
Unattended-Upgrade::Remove-Unused-Kernel-Packages "true";
Unattended-Upgrade::Remove-Unused-Dependencies "true";
Unattended-Upgrade::Automatic-Reboot "false";
Unattended-Upgrade::Automatic-Reboot-Time "02:00";

Langkah 2: Amankan SSH

Edit /etc/ssh/sshd_config:

PermitRootLogin no
AllowUsers banditz
Port 2222
PasswordAuthentication no
PubkeyAuthentication yes
MaxAuthTries 3
MaxSessions 2
ClientAliveInterval 300
ClientAliveCountMax 0
X11Forwarding no
Protocol 2

Setelah edit, verifikasi dan restart:

sudo sshd -t
sudo systemctl restart sshd

PENTING: Setup SSH key DULU sebelum disable password auth.

Generate SSH key (di komputer lokal, BUKAN server):

ssh-keygen -t ed25519 -C "email@example.com"
ssh-copy-id -p 22 user@SERVER_IP

Setelah yakin bisa login pake key, baru disable password auth.

Langkah 3: Setup UFW Firewall

sudo apt install ufw -y
sudo ufw default deny incoming
sudo ufw default allow outgoing
sudo ufw allow 2222/tcp
sudo ufw allow 80/tcp
sudo ufw allow 443/tcp
sudo ufw limit 2222/tcp
sudo ufw enable
sudo ufw status verbose

Langkah 4: Install Fail2ban

sudo apt install fail2ban -y
sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local

Edit /etc/fail2ban/jail.local:

[DEFAULT]
bantime = 3600
findtime = 600
maxretry = 5

[sshd]
enabled = true
port = 2222
logpath = /var/log/auth.log
sudo systemctl restart fail2ban
sudo fail2ban-client status
sudo fail2ban-client status sshd

Langkah 5: Nonaktifkan Service Nggak Perlu

sudo systemctl list-units --type=service --state=running
sudo ss -tlnp
sudo systemctl disable --now avahi-daemon
sudo systemctl disable --now cups
sudo systemctl disable --now rpcbind

Langkah 6: Setup Auditd

sudo apt install auditd -y
sudo systemctl enable auditd
sudo systemctl start auditd

Rules di /etc/audit/rules.d/audit.rules:

-D
-b 8192

-w /etc/passwd -p wa -k identity
-w /etc/shadow -p wa -k identity
-w /etc/ssh/sshd_config -p wa -k sshd_config
-w /etc/sudoers -p wa -k sudoers

-a always,exit -F arch=b64 -S execve -k exec
sudo systemctl restart auditd
sudo ausearch -k identity

Langkah 7: Konfigurasi AppArmor

sudo apparmor_status
sudo apt install apparmor-utils -y
sudo aa-enforce /etc/apparmor.d/usr.sbin.mysqld
sudo aa-enforce /etc/apparmor.d/usr.sbin.apache2

Langkah 8: Kernel Hardening via sysctl

Edit /etc/sysctl.d/99-hardening.conf:

net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.all.accept_redirects = 0
net.ipv6.conf.all.accept_redirects = 0
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.icmp_ignore_bogus_error_responses = 1
net.ipv4.conf.all.log_martians = 1
net.ipv4.tcp_syncookies = 1
net.ipv4.conf.all.accept_source_route = 0
net.ipv6.conf.all.accept_source_route = 0
net.ipv4.conf.all.send_redirects = 0
kernel.kptr_restrict = 2
kernel.dmesg_restrict = 1
kernel.unprivileged_bpf_disabled = 1
sudo sysctl -p /etc/sysctl.d/99-hardening.conf

Langkah 9: File Permission Hardening

sudo chmod 600 /etc/crontab
sudo chmod 600 /etc/ssh/ssh_host_*_key
sudo chmod 000 /etc/shadow

# Cek SUID/SGID files
sudo find / -perm /6000 -type f 2>/dev/null

# Cek world-writable files
sudo find / -perm -2 -type f 2>/dev/null

Langkah 10: Monitoring & Log Management

sudo apt install logwatch -y
sudo logwatch --detail High --mailto admin@domain.com --range today

# AIDE untuk file integrity
sudo apt install aide -y
sudo aideinit
sudo mv /var/lib/aide/aide.db.new /var/lib/aide/aide.db
sudo aide.wrapper --check

Bonus: 2FA untuk SSH

sudo apt install libpam-google-authenticator -y
google-authenticator

Edit /etc/pam.d/sshd:

auth required pam_google_authenticator.so

Edit /etc/ssh/sshd_config:

ChallengeResponseAuthentication yes
AuthenticationMethods publickey,keyboard-interactive:pam

Sekarang login perlu SSH key + 2FA code.

Checklist Ringkas

  1. [ ] Unattended security updates
  2. [ ] Root SSH login disable
  3. [ ] SSH port diganti
  4. [ ] Password auth dimatikan (pakai key)
  5. [ ] 2FA untuk SSH (bonus)
  6. [ ] UFW firewall aktif
  7. [ ] Fail2ban terinstall
  8. [ ] Service nggak perlu dimatikan
  9. [ ] Auditd aktif
  10. [ ] AppArmor enforce mode
  11. [ ] Kernel parameters di-hardening
  12. [ ] File permission diperketat
  13. [ ] Monitoring & log management setup

Kesimpulan

Server hardening bukan one-time job, tapi ongoing process. Jalankan checklist di atas untuk setiap server baru. Gue pribadi bikin Ansible playbook untuk otomatisasi semua langkah, jadi deploy server tinggal run playbook dalam 5 menit. Automation is your friend.

Hardening untuk Aplikasi Web Server

Kalau server lo menjalankan web server (Nginx/Apache), ada langkah tambahan:

Nginx hardening:

# Di /etc/nginx/nginx.conf
server_tokens off;                         # Jangan kasih tau versi
client_body_buffer_size 1k;                # Batasi request body
client_header_buffer_size 1k;
large_client_header_buffers 2 1k;
client_max_body_size 10m;                  # Batasi upload size
limit_req_zone $binary_remote_addr zone=one:10m rate=5r/s;
limit_req zone=one burst=10 nodelay;
add_header X-Frame-Options "SAMEORIGIN";
add_header X-Content-Type-Options "nosniff";
add_header X-XSS-Protection "1; mode=block";
add_header Referrer-Policy "strict-origin-when-cross-origin";

PHP hardening (kalau pakai PHP-FPM):

; /etc/php/8.1/fpm/php.ini
expose_php = Off
display_errors = Off
log_errors = On
disable_functions = exec,passthru,shell_exec,system,proc_open,popen,curl_exec,curl_multi_exec,show_source
allow_url_fopen = Off
open_basedir = /var/www/html:/tmp
session.cookie_httponly = 1
session.cookie_secure = 1
session.cookie_samesite = Strict

Security Auditing Tools

Selain tools yang udah disebut, ada beberapa tools audit yang bagus:

  • Lynis: Security auditing tool untuk Linux/Unix. sudo lynis audit system
  • CIS-CAT: Compliance checker untuk CIS Benchmarks
  • OpenSCAP: Framework untuk compliance scanning (SCAP standar)
  • TestSSL.sh: Test SSL/TLS configuration di server lo
  • Nikto: Web server scanner (deteksi misconfigurasi umum)

Jalankan audit tools ini secara berkala, idealnya sebulan sekali. Bandingkan hasilnya dari waktu ke waktu — jangan sampai security posture lo menurun.

Incident Response Preparation

Hardening hanya setengah dari pekerjaan. Lo juga harus siap kalau terjadi breach:

  • Siapkan USB bootable dengan tools forensik
  • Dokumentasiin semua IP, credential, dan kontak darurat
  • Simpan log di server terpisah (attacker sering hapus log lokal)
  • Punya backup yang bisa di-restore dengan cepat
  • Tentukan who to call: siapa yang harus dihubungi kalau server kena hack

Continuous Compliance

Kalau lo ngurusin server buat perusahaan yang harus comply dengan regulasi (PCI DSS, HIPAA, ISO 27001), hardening adalah mandatory, bukan optional. Setiap kontrol di checklist di atas bisa di-map ke kontrol compliance. Misalnya:

  • UFW firewall -> PCI DSS Requirement 1: Install and maintain firewall
  • Fail2ban + Auditd -> PCI DSS Requirement 10: Track and monitor access
  • Disable unused services -> PCI DSS Requirement 2: Harden configurations
  • AppArmor -> ISO 27001 A.14.2.5: Secure system engineering principles

Dokumentasiin hardening steps lo. Compliance auditor akan minta bukti bahwa hardening udah dilakukan.

Docker dan Container Security

Karena container makin populer, gue perlu nambahin bagian tentang container hardening:

Docker host hardening:

# Jangan expose Docker socket
# Docker daemon listen di network itu bahaya
# Edit /etc/docker/daemon.json:
{
  "icc": false,                      # Disable inter-container communication
  "userns-remap": "default",         # User namespace remapping
  "no-new-privileges": true,         # Container nggak bisa gain new privileges
  "live-restore": false,
  "userland-proxy": false
}

Dockerfile best practices:

# JANGAN run sebagai root di container
FROM node:18-alpine
RUN addgroup -S appgroup && adduser -S appuser -G appgroup
USER appuser

# JANGAN COPY . (semua) — COPY hanya yang diperlukan
COPY package.json package-lock.json ./
RUN npm ci --production
COPY src/ ./src/

# EXPOSE hanya port yang diperlukan
EXPOSE 3000

Container image security:

# Scan image untuk vulnerability (gratis!)
docker scan IMAGE_NAME                    # Snyk
trivy image IMAGE_NAME                    # Trivy (aquasecurity)
grype IMAGE_NAME                          # Grype (anchore)

Kubernetes pod security:

securityContext:
  runAsNonRoot: true
  runAsUser: 1000
  allowPrivilegeEscalation: false
  readOnlyRootFilesystem: true  # Kalau app mendukung
  capabilities:
    drop:
      - ALL

Automated Hardening dengan Ansible

Gue mention sebelumnya bahwa gue pake Ansible untuk automasi hardening. Ini contoh playbook ringkas:

- name: Harden Ubuntu Server
  hosts: all
  become: yes
  tasks:
    - name: Install unattended-upgrades
      apt: name=unattended-upgrades state=present
    - name: Configure unattended upgrades
      copy:
        dest: /etc/apt/apt.conf.d/50unattended-upgrades
        content: |
          Unattended-Upgrade::Allowed-Origins {
            "${distro_id}:${distro_codename}-security";
          };
    - name: Install UFW
      apt: name=ufw state=present
    - name: Configure UFW defaults
      ufw: direction="{{ item.direction }}" policy="{{ item.policy }}"
      loop:
        - { direction: incoming, policy: deny }
        - { direction: outgoing, policy: allow }
    - name: Allow SSH
      ufw: rule=limit port=2222 proto=tcp
    - name: Enable UFW
      ufw: state=enabled
    - name: Harden SSH config
      lineinfile:
        path: /etc/ssh/sshd_config
        regexp: "^{{ item.key }}"
        line: "{{ item.key }} {{ item.value }}"
      loop:
        - { key: PermitRootLogin, value: "no" }
        - { key: PasswordAuthentication, value: "no" }
        - { key: Port, value: "2222" }
        - { key: X11Forwarding, value: "no" }
        - { key: MaxAuthTries, value: "3" }
    - name: Restart SSH
      service: name=sshd state=restarted

Ini contoh sederhana. Di production, gue punya playbook yang jauh lebih kompleks dengan template modular, variable files untuk environment berbeda, dan integration dengan monitoring system.

Studi Kasus: Server yang Di-hack

Gue mau cerita satu studi kasus menarik. Sebuah server client, Ubuntu 18.04, di-hack karena:

  1. SSH port 22 default, root login enabled
  2. Password “admin123” untuk user root
  3. Nggak ada fail2ban
  4. UFW disabled
  5. Nggak ada update sejak install (kernel 4.15 lawas)

Gimana gue tau cara masuknya? Dari auth.log:

Accepted password for root from 185.xxx.xxx.xxx port 52341 ssh2

Itu aja. Satu baris. Seorang hacker (atau bot) dari IP di Rusia berhasil brute force password root. Dari situ, mereka install crypto miner yang berjalan di background, menyedot CPU 100%. Client baru sadar setelah tagihan cloud mereka membengkak 3x lipat.

Setelah gue hardening server tersebut (semua langkah di checklist atas), nggak ada lagi insiden. Auth.log menunjukkan ribuan attempt brute force yang diblokir fail2ban, tapi nggak ada yang berhasil masuk.

Pelajaran: hardening itu bukan paranoia. Hardening adalah necessity. Bot scanner nggak peduli lo siapa. Mereka cuma cari server lemah.

Checklist Terakhir: Sebelum Deploy ke Production

Sebelum lo deploy server ke production, pastikan:

  1. [ ] SSH root login disabled, pakai SSH key, port non-default
  2. [ ] UFW active, default deny, hanya port yang diperlukan terbuka
  3. [ ] Fail2ban active, monitored services: sshd, web-auth
  4. [ ] Unattended security updates enabled
  5. [ ] Semua service nggak perlu dimatikan
  6. [ ] Auditd running dengan rules monitoring
  7. [ ] AppArmor enforcing untuk services kritikal
  8. [ ] Kernel parameters hardened via sysctl
  9. [ ] File permissions diperketat
  10. [ ] Backup configured dan TEST RESTORE berhasil
  11. [ ] Monitoring dan alerting siap
  12. [ ] Akses konsol darurat tersedia

Kalau semua checkbox di atas tercentang, server lo udah dalam kondisi yang cukup solid untuk menghadapi internet yang wild west ini.


Penulis Linux system administrator & security engineer 20+ tahun, RHCE & CISSP certified.

Banditz Cyber Verified
Security Researcher at IT Security
Banditz Cyber adalah security researcher di IT Security yang berfokus pada keamanan web, analisis kerentanan, dan edukasi keamanan siber. Melalui tulisannya, ia membagikan panduan praktis, riset teknis, dan wawasan keamanan digital dengan pendekatan yang mudah dipahami.
View all posts