Ubuntu in Production Environments

Ubuntu in Production Environments

Ubuntu is the most widely deployed Linux distribution in enterprise environments and cloud infrastructure. Running Ubuntu in production requires more than installing the OS — it demands consistent security hardening, update management, monitoring, and operational processes. A production Ubuntu server that works correctly at 2 AM, without a human present, requires deliberate upfront configuration that a development server never needs.

Production considerations

Production Ubuntu server checklist:
  Stability:    LTS release, tested update process, change management
  Security:     Minimal packages, firewall, unattended-upgrades, audit logs
  Monitoring:   CPU, memory, disk, service health, log aggregation
  Backups:      Automated, tested restores, offsite copies
  Access:       SSH key only, no root login, sudo logging
  Documentation: Server purpose, application, owner, last change date

LTS version selection and support lifecycle

# Check current Ubuntu version and support status:
lsb_release -a
ubuntu-advantage status    # Check ESM/Pro status

# Check when security support ends:
hwe-support-status --verbose

Hardening baseline

# Production hardening — run immediately after installation:

# Remove unnecessary packages:
sudo apt purge --auto-remove telnet ftp rsh-client rsh-redone-client

# Disable unnecessary services:
sudo systemctl disable --now cups    # Printing service (not needed on servers)
sudo systemctl disable --now avahi-daemon    # mDNS discovery (not needed)

# Enable automatic security updates:
sudo apt install -y unattended-upgrades
sudo dpkg-reconfigure -f noninteractive unattended-upgrades

sudo nano /etc/apt/apt.conf.d/50unattended-upgrades

/etc/apt/apt.conf.d/50unattended-upgrades — key settings

Unattended-Upgrade::Allowed-Origins {
    "${distro_id}:${distro_codename}-security";  // Security updates only
};
Unattended-Upgrade::AutoFixInterruptedDpkg "true";
Unattended-Upgrade::MinimalSteps "true";
Unattended-Upgrade::Mail "admin@example.com";    // Email on problems
Unattended-Upgrade::Automatic-Reboot "false";    // Don't auto-reboot in prod

Operational standards

# Set server timezone and NTP:
sudo timedatectl set-timezone UTC    # Always use UTC on servers
sudo timedatectl set-ntp true
timedatectl status

# System hostname convention:
sudo hostnamectl set-hostname web-01.prod.example.com

# Install baseline monitoring and logging tools:
sudo apt install -y   sysstat \      # sar, iostat, mpstat
  nload \        # network bandwidth monitor
  htop \         # interactive process viewer
  ncdu \         # disk usage analyzer
  mtr \          # network diagnostics
  jq             # JSON parser for API responses

# Enable process accounting (who ran what commands):
sudo apt install -y acct
sudo accton on

Conclusion

Every production Ubuntu server should have the same baseline: LTS release, unattended-upgrades for security patches, UFW firewall, fail2ban for SSH brute force protection, and a monitoring agent reporting metrics to your central monitoring system. The cost of implementing this baseline consistently (using an Ansible playbook) is an hour of work; the cost of skipping it is discovering what was missing after a security incident or outage.