Ubuntu Server Security Hardening Best Practices

Hardening an Ubuntu Server involves systematically reducing the attack surface, enforcing least privilege, applying defense-in-depth layers, and maintaining continuous compliance and visibility. Ubuntu 24.04 LTS (Noble Numbat) and its point releases incorporate numerous upstream security improvements — including stricter unprivileged user namespace restrictions, binary hardening via FORTIFY_SOURCE=3, enhanced AppArmor 4 profiles, kernel lockdown options, and disabled legacy TLS protocols — that provide a stronger baseline than previous LTS releases.

The most efficient path to production-grade hardening leverages Canonical’s native tools (especially with Ubuntu Pro) alongside manual best practices. This guide prioritizes high-impact, low-regression changes suitable for web servers, databases, containers, cloud VMs, and bare-metal deployments.

1. Foundation: Ubuntu Pro & Automated Hardening

Ubuntu Pro (free for up to 5 machines, or paid for larger fleets) unlocks extended security maintenance (ESM) for 10 years, live kernel patching, and the Ubuntu Security Guide (USG) tool — the single most powerful hardening accelerator.

  • Enable Ubuntu Pro: sudo pro attach (or use a free token from ubuntu.com/pro)
  • Install & enable USG: sudo pro enable usg && sudo apt install usg

USG automates CIS Benchmark Level 1 Server compliance (v1.0.0 for 24.04 LTS), covering hundreds of rules for authentication, filesystem permissions, network parameters, service hardening, auditing, and logging.

Typical workflow:

  • Audit current state: sudo usg audit cis_level1_server
  • Generate a tailoring file for custom exceptions: sudo usg generate-tailoring cis_level1_server myprofile.xml
  • Apply hardening: sudo usg fix cis_level1_server --tailoring-file=myprofile.xml
  • Re-audit periodically or via cron to detect drift

For regulated environments (FedRAMP, NIST 800-53, CMMC, DISA-STIG), USG profiles exist or can be tailored.

2. Core System-Level Hardening

Patch Management & Kernel Protection

  • Enable automatic security updates: Install unattended-upgrades and configure /etc/apt/apt.conf.d/50unattended-upgrades to include security origins.
  • Activate Ubuntu Pro Livepatch for rebootless kernel fixes (critical for always-on servers).
  • Enable kernel lockdown (integrity mode) via GRUB: add lockdown=integrity to reduce risk from rootkits or boot-time tampering.
  • Use AppArmor (enforcing by default): Verify with aa-status. Tighten profiles for high-risk services (e.g., systemd-resolved, snap daemons).

User & Authentication Controls

  • Disable direct root login via SSH.
  • Enforce strong password policies (PAM): Increase minlen, require complexity, set maxdays=90, enforce history.
  • Prefer SSH key-based auth only; disable password auth in /etc/ssh/sshd_config.
  • Shorten the sudo credential cache and require a tty (in sudoers): Defaults timestamp_timeout=5, Defaults requiretty.
  • Lock unused accounts and remove unnecessary users/groups (e.g., games, news).

Service Minimization

  • Remove or mask unneeded services: systemctl mask bluetooth cups avahi-daemon (if present).
  • Audit running services: systemctl list-units --type=service --state=running.
  • Install only required packages; avoid meta-packages that pull in extras.

Filesystem & Partitioning

  • Use separate partitions for /var, /tmp, /home (nodev, nosuid, noexec where possible).
  • Mount /tmp as tmpfs or with noexec,nodev,nosuid.
  • Reduce ext4 reserved blocks on small volumes: tune2fs -m 1 /dev/sdX.
  • Enable filesystem integrity checks via AIDE or debsums periodically.

3. Network & Access Controls

Firewall (UFW or nftables)

  • Enable UFW with default deny incoming: ufw default deny incoming, ufw default allow outgoing.
  • Allow only required ports (e.g., ufw allow OpenSSH, ufw allow 'Nginx Full').
  • Use rate limiting on SSH: ufw limit OpenSSH.
  • For advanced needs, transition to direct nftables rulesets.

SSH Hardening

  • Change default port (optional but reduces noise).
  • Restrict to specific source IPs/subnets.
  • Use strong ciphers/MACs/KexAlgorithms; disable legacy (e.g., diffie-hellman-group1-sha1).
  • Set PermitRootLogin no, PasswordAuthentication no, MaxAuthTries 3, LoginGraceTime 30.
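The following script is an added example, not part of the original article: it checks an sshd configuration for the four values listed above and for the legacy diffie-hellman-group1-sha1 key exchange, so it can be run from cron to detect drift. The sample config it audits is constructed inline; on a real host feed it the output of `sudo sshd -T`, because Ubuntu includes /etc/ssh/sshd_config.d/*.conf drop-ins that a scan of the main file alone would miss.

```shell
#!/usr/bin/env bash
# Added example (not from the original article): check an sshd configuration
# against the hardened values above. Feed it sshd_config or, better, `sshd -T` output.

# First value wins in sshd_config, so take the first match (comments and blank
# lines skipped) and stop at the first Match block, whose values are conditional.
sshd_effective() { # usage: sshd_effective <config-file> <Directive>
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*(#|$)/   { next }
        tolower($1) == "match" { exit }
        tolower($1) == key     { print tolower($2); exit }
    ' "$1"
}

# Prints one line per failing check, nothing when compliant; always returns 0.
audit_sshd_config() { # usage: audit_sshd_config <config-file>
    local cfg="$1" pair d want got
    for pair in PermitRootLogin=no PasswordAuthentication=no \
                MaxAuthTries=3 LoginGraceTime=30; do
        d=${pair%%=*}; want=${pair#*=}
        got=$(sshd_effective "$cfg" "$d")
        # Unset falls back to upstream defaults (PermitRootLogin prohibit-password,
        # PasswordAuthentication yes), which are not the hardened values.
        [ "$got" = "$want" ] || echo "$d got=${got:-unset} want=$want"
    done
    got=$(sshd_effective "$cfg" KexAlgorithms)
    case ",$got," in
        ,-*) ;;  # "-algo" removal syntax adds nothing, so nothing legacy is offered
        *,diffie-hellman-group1-sha1,*) echo "KexAlgorithms offers diffie-hellman-group1-sha1" ;;
    esac
    return 0
}

# Constructed sample: root login only partly hardened, password auth commented
# out globally (the Match-block copy does not count), legacy KEX still offered.
write_sample_config() { # usage: write_sample_config <path>
    cat >"$1" <<'EOF'
PermitRootLogin prohibit-password
#PasswordAuthentication no
MaxAuthTries 3
LoginGraceTime 30
KexAlgorithms curve25519-sha256,diffie-hellman-group1-sha1
Match User backup
    PasswordAuthentication no
EOF
}
if [ "${1:-}" = "--demo" ]; then
    f=$(mktemp); write_sample_config "$f"; audit_sshd_config "$f"; rm -f "$f"
fi
```

Run with `--demo` to see the three findings on the sample; an empty result means every checked directive already carries the hardened value.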

Fail2Ban or CrowdSec

  • Install Fail2Ban to dynamically ban IPs after repeated failures (SSH, nginx, postfix, etc.).
  • For modern, community-driven protection consider CrowdSec (behavioral analysis + bouncers).

4. Monitoring, Logging & Auditing

  • Enable auditd for syscall auditing: sudo apt install auditd audispd-plugins, configure rules for privileged operations.
  • Centralize logs: Forward journald to remote rsyslog/syslog-ng or ELK/Loki stack.
  • Use unattended-upgrades reporting and proactive alerting (Netdata, Prometheus Node Exporter).
  • Regularly run Lynis audits (sudo apt install lynis; sudo lynis audit system) or OpenSCAP for compliance scanning.

5. Container & Cloud-Specific Hardening

  • For Docker/Podman: Use rootless mode, seccomp/AppArmor profiles, no --privileged containers.
  • Kubernetes nodes: Enforce Pod Security Admission, network policies, CIS kube-bench compliance.
  • Cloud (AWS/GCP/Azure): Leverage IMDSv2, disable password auth in cloud-init, use instance metadata restrictions.

Prioritized Hardening Checklist (High-Impact First)

  1. Attach Ubuntu Pro → enable USG → apply CIS Level 1 Server profile.
  2. Automate security patching + Livepatch.
  3. Harden SSH (keys only, limit sources, rate-limit).
  4. Configure UFW with deny-by-default incoming.
  5. Install Fail2Ban/CrowdSec.
  6. Enable auditd + log forwarding.
  7. Minimize installed packages/services.
  8. Enforce strong authentication policies.
  9. Apply kernel & filesystem protections.
  10. Regularly audit (USG, Lynis) and monitor.

These steps — especially USG + Ubuntu Pro — achieve strong alignment with CIS Level 1 Server, significantly raising the bar against commodity attacks (brute force, weak auth, unpatched CVEs, misconfigurations).

For maximum rigor, start with a fresh minimal install, apply USG CIS profile, then layer workload-specific controls (e.g., database encryption, web WAF). Test thoroughly in staging — automated hardening can occasionally break niche services.

If you specify your environment (cloud provider, primary workload, compliance needs like FedRAMP/CMMC), more targeted priorities or tailoring advice can be provided.
