Hardening Linux Server — 10 Langkah Mengamankan Server Ubuntu
Kalau lo punya VPS atau dedicated server dan lo mikir “ah, server gue kecil, siapa juga yang mau hack,” let me stop you right there. Bot scanner dari internet nggak peduli server lo besar atau kecil. Mereka auto-scan ribuan IP tiap detik, nyari port SSH default, root login terbuka, service vulnerable. Gue udah berkali-kali nanganin VPS yang kena hack bukan karena targeted attack, tapi karena kena random scan.
Ini checklist hardening yang gue pake sendiri untuk setiap server yang gue deploy.
Langkah 1: Update & Unattended Upgrades
sudo apt update && sudo apt upgrade -y
sudo apt install unattended-upgrades
sudo dpkg-reconfigure --priority=low unattended-upgrades
Konfigurasi di /etc/apt/apt.conf.d/50unattended-upgrades:
Unattended-Upgrade::Allowed-Origins {
"${distro_id}:${distro_codename}-security";
};
Unattended-Upgrade::Remove-Unused-Kernel-Packages "true";
Unattended-Upgrade::Remove-Unused-Dependencies "true";
Unattended-Upgrade::Automatic-Reboot "false";
Unattended-Upgrade::Automatic-Reboot-Time "02:00";
Langkah 2: Amankan SSH
Edit /etc/ssh/sshd_config:
PermitRootLogin no
AllowUsers banditz
Port 2222
PasswordAuthentication no
PubkeyAuthentication yes
MaxAuthTries 3
MaxSessions 2
ClientAliveInterval 300
ClientAliveCountMax 0
X11Forwarding no
Protocol 2
Setelah edit, verifikasi dan restart:
sudo sshd -t
sudo systemctl restart sshd
PENTING: Setup SSH key DULU sebelum disable password auth.
Generate SSH key (di komputer lokal, BUKAN server):
ssh-keygen -t ed25519 -C "email@example.com"
ssh-copy-id -p 22 user@SERVER_IP
Setelah yakin bisa login pake key, baru disable password auth.
Langkah 3: Setup UFW Firewall
sudo apt install ufw -y
sudo ufw default deny incoming
sudo ufw default allow outgoing
sudo ufw allow 2222/tcp
sudo ufw allow 80/tcp
sudo ufw allow 443/tcp
sudo ufw limit 2222/tcp
sudo ufw enable
sudo ufw status verbose
Langkah 4: Install Fail2ban
sudo apt install fail2ban -y
sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
Edit /etc/fail2ban/jail.local:
[DEFAULT]
bantime = 3600
findtime = 600
maxretry = 5
[sshd]
enabled = true
port = 2222
logpath = /var/log/auth.log
sudo systemctl restart fail2ban
sudo fail2ban-client status
sudo fail2ban-client status sshd
Langkah 5: Nonaktifkan Service Nggak Perlu
sudo systemctl list-units --type=service --state=running
sudo ss -tlnp
sudo systemctl disable --now avahi-daemon
sudo systemctl disable --now cups
sudo systemctl disable --now rpcbind
Langkah 6: Setup Auditd
sudo apt install auditd -y
sudo systemctl enable auditd
sudo systemctl start auditd
Rules di /etc/audit/rules.d/audit.rules:
-D
-b 8192
-w /etc/passwd -p wa -k identity
-w /etc/shadow -p wa -k identity
-w /etc/ssh/sshd_config -p wa -k sshd_config
-w /etc/sudoers -p wa -k sudoers
-a always,exit -F arch=b64 -S execve -k exec
sudo systemctl restart auditd
sudo ausearch -k identity
Langkah 7: Konfigurasi AppArmor
sudo apparmor_status
sudo apt install apparmor-utils -y
sudo aa-enforce /etc/apparmor.d/usr.sbin.mysqld
sudo aa-enforce /etc/apparmor.d/usr.sbin.apache2
Langkah 8: Kernel Hardening via sysctl
Edit /etc/sysctl.d/99-hardening.conf:
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.all.accept_redirects = 0
net.ipv6.conf.all.accept_redirects = 0
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.icmp_ignore_bogus_error_responses = 1
net.ipv4.conf.all.log_martians = 1
net.ipv4.tcp_syncookies = 1
net.ipv4.conf.all.accept_source_route = 0
net.ipv6.conf.all.accept_source_route = 0
net.ipv4.conf.all.send_redirects = 0
kernel.kptr_restrict = 2
kernel.dmesg_restrict = 1
kernel.unprivileged_bpf_disabled = 1
sudo sysctl -p /etc/sysctl.d/99-hardening.conf
Langkah 9: File Permission Hardening
sudo chmod 600 /etc/crontab
sudo chmod 600 /etc/ssh/ssh_host_*_key
sudo chmod 000 /etc/shadow
# Cek SUID/SGID files
sudo find / -perm /6000 -type f 2>/dev/null
# Cek world-writable files
sudo find / -perm -2 -type f 2>/dev/null
Langkah 10: Monitoring & Log Management
sudo apt install logwatch -y
sudo logwatch --detail High --mailto admin@domain.com --range today
# AIDE untuk file integrity
sudo apt install aide -y
sudo aideinit
sudo mv /var/lib/aide/aide.db.new /var/lib/aide/aide.db
sudo aide.wrapper --check
Bonus: 2FA untuk SSH
sudo apt install libpam-google-authenticator -y
google-authenticator
Edit /etc/pam.d/sshd:
auth required pam_google_authenticator.so
Edit /etc/ssh/sshd_config:
ChallengeResponseAuthentication yes
AuthenticationMethods publickey,keyboard-interactive:pam
Sekarang login perlu SSH key + 2FA code.
Checklist Ringkas
- [ ] Unattended security updates
- [ ] Root SSH login disable
- [ ] SSH port diganti
- [ ] Password auth dimatikan (pakai key)
- [ ] 2FA untuk SSH (bonus)
- [ ] UFW firewall aktif
- [ ] Fail2ban terinstall
- [ ] Service nggak perlu dimatikan
- [ ] Auditd aktif
- [ ] AppArmor enforce mode
- [ ] Kernel parameters di-hardening
- [ ] File permission diperketat
- [ ] Monitoring & log management setup
Kesimpulan
Server hardening bukan one-time job, tapi ongoing process. Jalankan checklist di atas untuk setiap server baru. Gue pribadi bikin Ansible playbook untuk otomatisasi semua langkah, jadi deploy server tinggal run playbook dalam 5 menit. Automation is your friend.
Hardening untuk Aplikasi Web Server
Kalau server lo menjalankan web server (Nginx/Apache), ada langkah tambahan:
Nginx hardening:
# Di /etc/nginx/nginx.conf
server_tokens off; # Jangan kasih tau versi
client_body_buffer_size 1k; # Batasi request body
client_header_buffer_size 1k;
large_client_header_buffers 2 1k;
client_max_body_size 10m; # Batasi upload size
limit_req_zone $binary_remote_addr zone=one:10m rate=5r/s;
limit_req zone=one burst=10 nodelay;
add_header X-Frame-Options "SAMEORIGIN";
add_header X-Content-Type-Options "nosniff";
add_header X-XSS-Protection "1; mode=block";
add_header Referrer-Policy "strict-origin-when-cross-origin";
PHP hardening (kalau pakai PHP-FPM):
; /etc/php/8.1/fpm/php.ini
expose_php = Off
display_errors = Off
log_errors = On
disable_functions = exec,passthru,shell_exec,system,proc_open,popen,curl_exec,curl_multi_exec,show_source
allow_url_fopen = Off
open_basedir = /var/www/html:/tmp
session.cookie_httponly = 1
session.cookie_secure = 1
session.cookie_samesite = Strict
Security Auditing Tools
Selain tools yang udah disebut, ada beberapa tools audit yang bagus:
- Lynis: Security auditing tool untuk Linux/Unix.
sudo lynis audit system - CIS-CAT: Compliance checker untuk CIS Benchmarks
- OpenSCAP: Framework untuk compliance scanning (SCAP standar)
- TestSSL.sh: Test SSL/TLS configuration di server lo
- Nikto: Web server scanner (deteksi misconfigurasi umum)
Jalankan audit tools ini secara berkala, idealnya sebulan sekali. Bandingkan hasilnya dari waktu ke waktu — jangan sampai security posture lo menurun.
Incident Response Preparation
Hardening hanya setengah dari pekerjaan. Lo juga harus siap kalau terjadi breach:
- Siapkan USB bootable dengan tools forensik
- Dokumentasiin semua IP, credential, dan kontak darurat
- Simpan log di server terpisah (attacker sering hapus log lokal)
- Punya backup yang bisa di-restore dengan cepat
- Tentukan who to call: siapa yang harus dihubungi kalau server kena hack
Continuous Compliance
Kalau lo ngurusin server buat perusahaan yang harus comply dengan regulasi (PCI DSS, HIPAA, ISO 27001), hardening adalah mandatory, bukan optional. Setiap kontrol di checklist di atas bisa di-map ke kontrol compliance. Misalnya:
- UFW firewall -> PCI DSS Requirement 1: Install and maintain firewall
- Fail2ban + Auditd -> PCI DSS Requirement 10: Track and monitor access
- Disable unused services -> PCI DSS Requirement 2: Harden configurations
- AppArmor -> ISO 27001 A.14.2.5: Secure system engineering principles
Dokumentasiin hardening steps lo. Compliance auditor akan minta bukti bahwa hardening udah dilakukan.
Docker dan Container Security
Karena container makin populer, gue perlu nambahin bagian tentang container hardening:
Docker host hardening:
# Jangan expose Docker socket
# Docker daemon listen di network itu bahaya
# Edit /etc/docker/daemon.json:
{
"icc": false, # Disable inter-container communication
"userns-remap": "default", # User namespace remapping
"no-new-privileges": true, # Container nggak bisa gain new privileges
"live-restore": false,
"userland-proxy": false
}
Dockerfile best practices:
# JANGAN run sebagai root di container
FROM node:18-alpine
RUN addgroup -S appgroup && adduser -S appuser -G appgroup
USER appuser
# JANGAN COPY . (semua) — COPY hanya yang diperlukan
COPY package.json package-lock.json ./
RUN npm ci --production
COPY src/ ./src/
# EXPOSE hanya port yang diperlukan
EXPOSE 3000
Container image security:
# Scan image untuk vulnerability (gratis!)
docker scan IMAGE_NAME # Snyk
trivy image IMAGE_NAME # Trivy (aquasecurity)
grype IMAGE_NAME # Grype (anchore)
Kubernetes pod security:
securityContext:
runAsNonRoot: true
runAsUser: 1000
allowPrivilegeEscalation: false
readOnlyRootFilesystem: true # Kalau app mendukung
capabilities:
drop:
- ALL
Automated Hardening dengan Ansible
Gue mention sebelumnya bahwa gue pake Ansible untuk automasi hardening. Ini contoh playbook ringkas:
- name: Harden Ubuntu Server
hosts: all
become: yes
tasks:
- name: Install unattended-upgrades
apt: name=unattended-upgrades state=present
- name: Configure unattended upgrades
copy:
dest: /etc/apt/apt.conf.d/50unattended-upgrades
content: |
Unattended-Upgrade::Allowed-Origins {
"${distro_id}:${distro_codename}-security";
};
- name: Install UFW
apt: name=ufw state=present
- name: Configure UFW defaults
ufw: direction="{{ item.direction }}" policy="{{ item.policy }}"
loop:
- { direction: incoming, policy: deny }
- { direction: outgoing, policy: allow }
- name: Allow SSH
ufw: rule=limit port=2222 proto=tcp
- name: Enable UFW
ufw: state=enabled
- name: Harden SSH config
lineinfile:
path: /etc/ssh/sshd_config
regexp: "^{{ item.key }}"
line: "{{ item.key }} {{ item.value }}"
loop:
- { key: PermitRootLogin, value: "no" }
- { key: PasswordAuthentication, value: "no" }
- { key: Port, value: "2222" }
- { key: X11Forwarding, value: "no" }
- { key: MaxAuthTries, value: "3" }
- name: Restart SSH
service: name=sshd state=restarted
Ini contoh sederhana. Di production, gue punya playbook yang jauh lebih kompleks dengan template modular, variable files untuk environment berbeda, dan integration dengan monitoring system.
Studi Kasus: Server yang Di-hack
Gue mau cerita satu studi kasus menarik. Sebuah server client, Ubuntu 18.04, di-hack karena:
- SSH port 22 default, root login enabled
- Password “admin123” untuk user root
- Nggak ada fail2ban
- UFW disabled
- Nggak ada update sejak install (kernel 4.15 lawas)
Gimana gue tau cara masuknya? Dari auth.log:
Accepted password for root from 185.xxx.xxx.xxx port 52341 ssh2
Itu aja. Satu baris. Seorang hacker (atau bot) dari IP di Rusia berhasil brute force password root. Dari situ, mereka install crypto miner yang berjalan di background, menyedot CPU 100%. Client baru sadar setelah tagihan cloud mereka membengkak 3x lipat.
Setelah gue hardening server tersebut (semua langkah di checklist atas), nggak ada lagi insiden. Auth.log menunjukkan ribuan attempt brute force yang diblokir fail2ban, tapi nggak ada yang berhasil masuk.
Pelajaran: hardening itu bukan paranoia. Hardening adalah necessity. Bot scanner nggak peduli lo siapa. Mereka cuma cari server lemah.
Checklist Terakhir: Sebelum Deploy ke Production
Sebelum lo deploy server ke production, pastikan:
- [ ] SSH root login disabled, pakai SSH key, port non-default
- [ ] UFW active, default deny, hanya port yang diperlukan terbuka
- [ ] Fail2ban active, monitored services: sshd, web-auth
- [ ] Unattended security updates enabled
- [ ] Semua service nggak perlu dimatikan
- [ ] Auditd running dengan rules monitoring
- [ ] AppArmor enforcing untuk services kritikal
- [ ] Kernel parameters hardened via sysctl
- [ ] File permissions diperketat
- [ ] Backup configured dan TEST RESTORE berhasil
- [ ] Monitoring dan alerting siap
- [ ] Akses konsol darurat tersedia
Kalau semua checkbox di atas tercentang, server lo udah dalam kondisi yang cukup solid untuk menghadapi internet yang wild west ini.
Penulis Linux system administrator & security engineer 20+ tahun, RHCE & CISSP certified.