Ubuntu Hardening Checklist

Ubuntu Hardening Checklist

This checklist provides a practical set of hardening steps for a new Ubuntu server. It is organized by priority — items listed first have the highest security impact and should be done on every server. Later sections cover additional hardening that is appropriate for servers with higher security requirements. Apply the items that are appropriate for your threat model; not every server needs every setting.

Initial setup hardening

# 1. Keep system updated (highest impact single action)
sudo apt update && sudo apt upgrade -y
sudo apt install -y unattended-upgrades
sudo dpkg-reconfigure --priority=low unattended-upgrades    # Answer yes

# 2. Create a non-root admin user (if using root by default)
sudo adduser irfan
sudo usermod -aG sudo irfan

# 3. Set a strong password policy
sudo apt install -y libpam-pwquality
sudo nano /etc/security/pwquality.conf
# Set: minlen=12, dcredit=-1, ucredit=-1, lcredit=-1, ocredit=-1

# 4. Lock root password (force sudo usage)
sudo passwd -l root    # Prevent direct root login

# 5. Set correct permissions on sensitive files
sudo chmod 600 /etc/shadow
sudo chmod 644 /etc/passwd

Network and firewall

# 1. Enable UFW with default deny
sudo ufw default deny incoming
sudo ufw default allow outgoing
sudo ufw allow ssh    # BEFORE enabling!
sudo ufw enable

# 2. Only open ports you actually use
sudo ufw allow 80/tcp   # If running web server
sudo ufw allow 443/tcp

# 3. Bind databases to localhost
# MySQL: bind-address = 127.0.0.1 in /etc/mysql/mysql.conf.d/mysqld.cnf
# PostgreSQL: listen_addresses = 'localhost' in postgresql.conf
# Redis: bind 127.0.0.1 in /etc/redis/redis.conf

# 4. Disable IPv6 if not used (reduces attack surface)
# In /etc/sysctl.d/99-disable-ipv6.conf:
# net.ipv6.conf.all.disable_ipv6 = 1

Authentication hardening

# 1. Configure SSH key-based auth and disable password login
# Deploy your public key first:
ssh-copy-id user@server

# In /etc/ssh/sshd_config:
# PasswordAuthentication no
# PermitRootLogin no
# AllowUsers irfan
# MaxAuthTries 3
# ClientAliveInterval 300
# ClientAliveCountMax 2
sudo sshd -t && sudo systemctl reload ssh

# 2. Install and configure fail2ban
sudo apt install -y fail2ban
sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
# Set: maxretry = 3, bantime = 1h for [sshd] jail
sudo systemctl enable --now fail2ban

# 3. Review sudo access
sudo visudo    # Check /etc/sudoers
ls /etc/sudoers.d/    # Review per-user sudo rules

System services

# 1. Disable services you don't need
sudo systemctl disable --now avahi-daemon
sudo systemctl disable --now cups
sudo systemctl disable --now bluetooth 2>/dev/null

# 2. Check for and remove unnecessary packages
dpkg -l | grep -E "telnet|rsh|ftp" | awk '{print $2}'  # Legacy insecure protocols
sudo apt remove --purge telnet

# 3. Set secure kernel parameters
sudo nano /etc/sysctl.d/99-hardening.conf
# Add:
# net.ipv4.tcp_syncookies = 1
# net.ipv4.conf.all.rp_filter = 1
# net.ipv4.conf.all.log_martians = 1
# kernel.dmesg_restrict = 1
sudo sysctl --system

Monitoring and detection

# 1. Enable and configure journald persistence
sudo mkdir -p /var/log/journal
sudo systemctl restart systemd-journald

# 2. Install rootkit scanners
sudo apt install -y rkhunter chkrootkit
sudo rkhunter --update && sudo rkhunter --propupd

# 3. Install file integrity monitor
sudo apt install -y aide
sudo aideinit
sudo mv /var/lib/aide/aide.db.new /var/lib/aide/aide.db

# 4. Run Lynis audit and address findings
sudo apt install -y lynis
sudo lynis audit system 2>/dev/null | grep -E "WARNING|SUGGESTION"

# 5. Review auth logs regularly
sudo journalctl -u ssh --since "yesterday" | grep -i "failed\|invalid"

Conclusion

Security hardening is a risk-prioritized activity. Start with the highest-impact items: keep the system patched (unattended-upgrades), SSH key-only auth with fail2ban, and UFW with default-deny. These three changes address 80% of real-world server compromise scenarios. Then work through the remaining checklist based on the sensitivity of the data on the server. Run Lynis after completing your hardening to identify anything you missed, and schedule a monthly re-run to catch configuration drift.