TickYouOff
Back
🔒

Ubuntu Server Hardening Checklist

Hard 21 items · 1 hour
testuser's avatar
testuser Published 1 month ago

This checklist provides practical, prioritized steps to harden an Ubuntu server for administrators and small-team operators. It covers SSH locking, firewall rules, intrusion protection, automated updates, logging, and auditing tools.

Progress
0 / 21
  1. Update and upgrade installed packages — Run apt update && apt upgrade to apply the latest security patches.
  2. Create a non-root sudo user — Add an administrative user and grant sudo; avoid routine root logins.
  3. Upload and test SSH public key for the new user — Install your key in ~/.ssh/authorized_keys and verify passwordless login.
  4. Configure SSH settings — Edit /etc/ssh/sshd_config and apply the secure changes listed below.
  5. Change SSH port to a non-standard high port — Pick a port >1024 and update Port in sshd_config; note the port for firewall rules.
  6. Disable root SSH login — Set PermitRootLogin no in /etc/ssh/sshd_config to prevent direct root access.
  7. Require public-key auth and disable password login — Set PasswordAuthentication no and PubkeyAuthentication yes to use keys only.
  8. Configure UFW firewall — Define a minimal allowlist and enable the firewall to block unwanted traffic.
  9. Set UFW default incoming policy to deny — Run ufw default deny incoming to enforce explicit allow rules only.
  10. Allow SSH through UFW on the chosen port — Run ufw allow <port>/tcp (or ufw allow ssh if keeping port 22) before enabling firewall.
  11. Enable UFW and verify rules — Run ufw enable then ufw status numbered to confirm rules and avoid lockout.
  12. Install and configure Fail2Ban to block brute-force attempts — Enable the sshd filter and tune bantime, findtime, and maxretry for your environment.
  13. Enable automatic security updates (unattended-upgrades) — Configure unattended-upgrades to install security updates automatically.
  14. Install and enable auditd logging — Install auditd, enable the service, and configure rules for critical files and commands.
  15. Install Lynis security auditing tool — Install Lynis (apt or official repo) to run a comprehensive local audit.
  16. Run Lynis security audit and review findings — Run lynis audit system and address high/important warnings first.
  17. Run a CIS Benchmark scan and address high findings — Use CIS guides/tools to evaluate compliance and remediate critical issues.
  18. Remove unused packages and disable unnecessary services — Run apt autoremove and systemctl disable/stop services you don't need.
  19. Apply kernel hardening sysctl settings — Harden network and kernel settings (persist in /etc/sysctl.conf) and reload.
  20. Set up regular backups of /etc and critical configs — Automate periodic backups of configuration files to remote or offsite storage.
  21. Review and enforce AppArmor profiles — Ensure AppArmor is enabled and set profiles to enforce for exposed services.
Sign in to save
📝 My Notes