Back
This checklist provides practical, prioritized steps to harden an Ubuntu server for administrators and small-team operators. It covers SSH locking, firewall rules, intrusion protection, automated updates, logging, and auditing tools.
Progress
0 / 21
- Update and upgrade installed packages — Run apt update && apt upgrade to apply the latest security patches.
- Create a non-root sudo user — Add an administrative user and grant sudo; avoid routine root logins.
- Upload and test SSH public key for the new user — Install your key in ~/.ssh/authorized_keys and verify passwordless login.
- Configure SSH settings — Edit /etc/ssh/sshd_config and apply the secure changes listed below.
- Change SSH port to a non-standard high port — Pick a port >1024 and update Port in sshd_config; note the port for firewall rules.
- Disable root SSH login — Set PermitRootLogin no in /etc/ssh/sshd_config to prevent direct root access.
- Require public-key auth and disable password login — Set PasswordAuthentication no and PubkeyAuthentication yes to use keys only.
- Configure UFW firewall — Define a minimal allowlist and enable the firewall to block unwanted traffic.
- Set UFW default incoming policy to deny — Run ufw default deny incoming to enforce explicit allow rules only.
- Allow SSH through UFW on the chosen port — Run ufw allow <port>/tcp (or ufw allow ssh if keeping port 22) before enabling firewall.
- Enable UFW and verify rules — Run ufw enable then ufw status numbered to confirm rules and avoid lockout.
- Install and configure Fail2Ban to block brute-force attempts — Enable the sshd filter and tune bantime, findtime, and maxretry for your environment.
- Enable automatic security updates (unattended-upgrades) — Configure unattended-upgrades to install security updates automatically.
- Install and enable auditd logging — Install auditd, enable the service, and configure rules for critical files and commands.
- Install Lynis security auditing tool — Install Lynis (apt or official repo) to run a comprehensive local audit.
- Run Lynis security audit and review findings — Run lynis audit system and address high/important warnings first.
- Run a CIS Benchmark scan and address high findings — Use CIS guides/tools to evaluate compliance and remediate critical issues.
- Remove unused packages and disable unnecessary services — Run apt autoremove and systemctl disable/stop services you don't need.
- Apply kernel hardening sysctl settings — Harden network and kernel settings (persist in /etc/sysctl.conf) and reload.
- Set up regular backups of /etc and critical configs — Automate periodic backups of configuration files to remote or offsite storage.
- Review and enforce AppArmor profiles — Ensure AppArmor is enabled and set profiles to enforce for exposed services.
Your Stats
🏆
0
Completed
📅
—
Last Done
⏱️
—
Last Time
Completion Rate
Items checked per run
⚡
—
Fastest Run
🔥
0
Streak
🚫
—
Most Skipped Step
🔄
0
Resets
📝 My Notes