Ubuntu Security Best Practices
Ubuntu provides a solid security baseline, but a default installation still has room for hardening. The practices here address the most common real-world attack scenarios: unpatched vulnerabilities (the #1 cause of server compromises), unnecessary services increasing attack surface, and services binding to interfaces where they should not be accessible. These are not theoretical hardening suggestions — they are the changes that prevent real incidents.
Keep the system patched
# Check for available security updates
sudo apt list --upgradable 2>/dev/null | grep -i security
# Install all security updates
sudo apt update && sudo apt upgrade -y
# Show only security-relevant packages
sudo unattended-upgrades --dry-run --debug 2>&1 | grep "Packages that will be upgraded"
# Check when packages were last updated
grep "upgrade\|install" /var/log/dpkg.log | tail -20
Minimal installation
# Every installed package is a potential vulnerability
# Audit what's installed and remove what's not needed
# Find recently installed packages
grep " install " /var/log/dpkg.log | awk '{print $4}' | sort | uniq
# List all installed packages sorted by size (large packages are candidates to review)
dpkg-query -W --showformat='${Installed-Size} ${Package}\n' | sort -rn | head -20
# Remove packages you don't need
sudo apt remove --purge packagename
sudo apt autoremove --purge # Also remove orphaned dependencies
# Check for services you didn't install intentionally
systemctl list-units --type=service --state=active | grep -v "ubuntu\|systemd\|snap\|dbus"
Disable unnecessary services
# Common services that are often running but not needed on servers:
# avahi-daemon: mDNS/Bonjour — useful for desktop, not for servers
sudo systemctl disable --now avahi-daemon
# cups: printing system — definitely not needed on servers
sudo systemctl disable --now cups
sudo systemctl disable --now cups-browsed
# bluetooth: not relevant on server
sudo systemctl disable --now bluetooth
# After disabling:
systemctl list-units --type=service --state=active | wc -l # Count running services
Limit network exposure
# Check what services are listening on network interfaces
ss -tlnp # TCP
ss -ulnp # UDP
# Common misconfigurations:
# MySQL/PostgreSQL binding to 0.0.0.0 (should be 127.0.0.1 unless remote access needed)
ss -tlnp | grep -E ":3306|:5432"
# Fix: bind databases to localhost only
# MySQL: in /etc/mysql/mysql.conf.d/mysqld.cnf: bind-address = 127.0.0.1
# PostgreSQL: in /etc/postgresql/14/main/postgresql.conf: listen_addresses = 'localhost'
# Redis: should never be exposed to internet
ss -tlnp | grep :6379
# Fix: in /etc/redis/redis.conf: bind 127.0.0.1
⚠️ WARNING: Databases (MySQL, PostgreSQL, MongoDB, Redis) that bind to all interfaces (0.0.0.0) with default credentials are actively exploited on the internet. Every day, automated scanners find and compromise databases accessible from the internet. Always bind databases to 127.0.0.1 unless remote access is specifically required, and then protect the port with firewall rules.
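An added example, not part of the original article: a small POSIX shell audit that reads `ss -tlnp` output and flags the database listeners the section above warns about, i.e. those bound to a wildcard address instead of 127.0.0.1. The port list and the sample `ss` output are constructed for this example.

```shell
#!/bin/sh
# Flag database listeners bound to a wildcard address, the misconfiguration
# the section above describes. Reads `ss -tlnp`-style output on stdin so it
# can be run offline against the constructed sample below.

# Ports the article names (MySQL, PostgreSQL, Redis) plus MongoDB from its
# warning box; extend this list for your own services (assumed list).
DB_PORTS="3306 5432 6379 27017"

# Prints one line per exposed listener: "<port> <address> <process>".
# Wildcard bindings are 0.0.0.0 and * (IPv4) and [::] or :: (IPv6; on Linux a
# dual-stack socket bound to :: normally accepts IPv4 connections as well).
audit_exposed_db_listeners() {
    awk -v ports="$DB_PORTS" '
    BEGIN { n = split(ports, p, " "); for (i = 1; i <= n; i++) want[p[i]] = 1 }
    $1 == "LISTEN" {
        la = $4                                # Local Address:Port column
        port = la; sub(/.*:/, "", port)        # text after the last colon
        addr = la; sub(/:[^:]*$/, "", addr)    # text before the last colon
        if (!(port in want)) next
        if (addr != "0.0.0.0" && addr != "*" && addr != "[::]" && addr != "::") next
        proc = "unknown"
        # Process column looks like users:(("mysqld",pid=1201,fd=21))
        if (match($0, /\("[^"]+"/)) proc = substr($0, RSTART + 2, RLENGTH - 3)
        print port, addr, proc
    }'
}

# Constructed sample of `ss -tlnp` output, not captured from a real host.
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*         users:(("sshd",pid=812,fd=3))
LISTEN 0      80     0.0.0.0:3306        0.0.0.0:*         users:(("mysqld",pid=1201,fd=21))
LISTEN 0      244    127.0.0.1:5432      0.0.0.0:*         users:(("postgres",pid=990,fd=5))
LISTEN 0      511    *:6379              *:*               users:(("redis-server",pid=1330,fd=6))
LISTEN 0      128    [::]:22             [::]:*            users:(("sshd",pid=812,fd=4))
LISTEN 0      128    [::1]:27017         [::]:*            users:(("mongod",pid=1500,fd=11))'

# Against the sample this prints only the MySQL and Redis lines; the
# loopback-bound PostgreSQL and MongoDB listeners are not flagged.
# On a real host: ss -tlnp | audit_exposed_db_listeners
printf '%s\n' "$SAMPLE_SS" | audit_exposed_db_listeners
```

A non-empty result is the cue to set the bind-address / listen_addresses / bind directives shown above and to add a firewall rule if remote access really is required.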
Automating security updates
# Install unattended-upgrades
sudo apt install -y unattended-upgrades
# Enable automatic security updates
sudo dpkg-reconfigure --priority=low unattended-upgrades
# Answer "Yes" to enable
# Configure in /etc/apt/apt.conf.d/50unattended-upgrades:
# The default config already auto-installs security updates
# Key settings:
sudo nano /etc/apt/apt.conf.d/50unattended-upgrades
Key settings in 50unattended-upgrades
Unattended-Upgrade::Allowed-Origins {
"${distro_id}:${distro_codename}-security";
"${distro_id}ESMApps:${distro_codename}-apps-security";
};
Unattended-Upgrade::Automatic-Reboot "false"; // Set true for fully automatic
Unattended-Upgrade::Automatic-Reboot-Time "02:00";
Unattended-Upgrade::Mail "irfan@example.com"; // Email on failure
# Test unattended-upgrades
sudo unattended-upgrades --dry-run --debug
# Check logs
tail -20 /var/log/unattended-upgrades/unattended-upgrades.log
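An added example, not from the original article: a shell check that parses a 50unattended-upgrades file the way the settings above are written and confirms the security origin is actually enabled (a commented-out `// "...-security"` line does not count), then reports the Automatic-Reboot and Mail values. The config snippet it runs against is constructed here.

```shell
#!/bin/sh
# Check that a 50unattended-upgrades file actually enables the security
# origin and report the reboot and mail settings. Reads the file content on
# stdin so it can be run offline against the constructed snippet below.

# Prints three lines: "security-origin: enabled|missing",
# "automatic-reboot: <value>", "mail: <value>". Text after // is ignored,
# so a commented-out origin is correctly reported as missing.
check_unattended_config() {
    awk '
    { line = $0; sub(/\/\/.*/, "", line) }          # drop apt.conf // comments
    line ~ /Allowed-Origins[ \t]*[{]/ { in_origins = 1; next }
    in_origins && line ~ /^[ \t]*[}][ \t]*;/ { in_origins = 0; next }
    in_origins && line ~ /"[^"]*-security"/ { sec = 1 }
    line ~ /Automatic-Reboot[ \t]+"/ {
        match(line, /"[^"]*"/); reboot = substr(line, RSTART + 1, RLENGTH - 2)
    }
    line ~ /::Mail[ \t]+"/ {
        match(line, /"[^"]*"/); mail = substr(line, RSTART + 1, RLENGTH - 2)
    }
    END {
        print "security-origin:", (sec ? "enabled" : "missing")
        print "automatic-reboot:", (reboot == "" ? "unset (default false)" : reboot)
        print "mail:", (mail == "" ? "unset" : mail)
    }'
}

# Constructed config snippet modelled on the key settings listed above.
SAMPLE_CONF='Unattended-Upgrade::Allowed-Origins {
    "${distro_id}:${distro_codename}";
    "${distro_id}:${distro_codename}-security";
    // "${distro_id}:${distro_codename}-updates";
};
Unattended-Upgrade::Automatic-Reboot "false"; // Set true for fully automatic
Unattended-Upgrade::Automatic-Reboot-Time "02:00";
Unattended-Upgrade::Mail "admin@example.com"; // Email on failure'

# Against the sample: enabled / false / admin@example.com.
# On a real host: check_unattended_config < /etc/apt/apt.conf.d/50unattended-upgrades
printf '%s\n' "$SAMPLE_CONF" | check_unattended_config
```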
Conclusion
The practical Ubuntu security baseline: enable unattended-upgrades for automatic security patches, review and remove packages you do not need, disable services that are not required (avahi, cups, bluetooth), and verify databases are bound to 127.0.0.1 not 0.0.0.0. These four actions address the most common server compromise paths. Subscribe to Ubuntu Security Notices at usn.ubuntu.com to stay informed about critical vulnerabilities in packages you use.
FAQ
Is Ubuntu Security Best Practices important for Ubuntu administrators?
Yes. It supports practical Ubuntu administration because it connects directly to server reliability, security, troubleshooting, or daily operations.
Should I practice this on a live server?
Use a lab VM first. After you understand the command output and rollback path, apply the workflow carefully on real systems.
What should I do after reading this article?
Run the practice commands, write down what each one shows, and continue to the next article in the Ubuntu roadmap.
Need help with Ubuntu administration?
Work directly with Muhammad Irfan Aslam for Ubuntu Server, Linux, cloud, Docker, DevOps, CI/CD, or infrastructure troubleshooting support.