Client Area

Ubuntu Server Hardening: OS-Level Security Practices

Hardening an Ubuntu server means systematically reducing its attack surface, enforcing least privilege, eliminating unnecessary functionality, and applying defense-in-depth controls at the operating system level. While no system can be made completely invulnerable, a well-hardened Ubuntu server significantly raises the effort, skill, and noise required for successful compromise.

This guide focuses on practical, production-grade OS-level hardening for Ubuntu 24.04 LTS (Noble Numbat) and later — the current long-term support release in early 2026. It draws from Canonical’s own recommendations, the CIS Ubuntu Linux 24.04 LTS Benchmark v1.0.0 (Level 1 Server profile), DISA STIG guidance where applicable, and real-world operational experience.

Core Principles of Effective Hardening

Before diving into controls, internalize these invariants:

  • Minimize — Every installed package, open port, running service, and writable directory increases risk.
  • Authenticate strongly — Passwords alone are obsolete for remote access in 2026.
  • Enforce least privilege — No process should run with more rights than it needs.
  • Monitor and log centrally — Attacks often succeed because defenders lack visibility.
  • Automate compliance — Manual hardening drifts; use tools to enforce and audit state.
  • Patch continuously — Unpatched CVEs remain the #1 initial access vector.

1. Foundational Setup (Do This First)

  • Perform a minimal server installation (no tasksel extras, no unnecessary language packs).
  • Enable full-disk encryption (LUKS) during install if the server is at risk of physical theft or cloud disk snapshot exposure.
  • Immediately after first boot:
    Bash
    sudo apt update && sudo apt full-upgrade -y
sudo apt install ubuntu-advantage-tools  # if not already present
sudo pro attach  # free personal token or paid subscription
sudo pro enable esm-apps esm-infra livepatch usg

    Ubuntu Pro (free for up to 5 machines) unlocks 10-year security maintenance, Livepatch kernel fixes without reboot, and the Ubuntu Security Guide (USG) tool

2. Automated Benchmark Hardening with Ubuntu Security Guide (USG)

Canonical’s Ubuntu Security Guide (USG) is the most efficient path to CIS Level 1 / Level 2 compliance on 24.04 LTS.

Install & use:

Bash
sudo pro enable usg
sudo apt install usg

Apply CIS Level 1 Server profile (recommended starting point — balanced security vs. breakage):

Bash
sudo usg audit cis_level1_server    # dry-run report
sudo usg fix cis_level1_server      # apply fixes (reversible)

Level 2 adds stricter controls (e.g., more aggressive password policies, disabling uncommon filesystems) but may break legitimate workloads — test thoroughly.

USG also supports DISA-STIG profiles for DoD-aligned environments.

3. Authentication & Access Controls

ControlWhy It MattersImplementation (2026-era)
Disable direct root loginPrevents credential-stuffing on rootPermitRootLogin no in /etc/ssh/sshd_config
SSH key-only + ed25519Passwords are brute-forced; RSA is legacyPasswordAuthentication no PubkeyAcceptedKeyTypes +ssh-ed25519
Restrict SSH to specific usersLimits blast radiusAllowUsers alice bob or AllowGroups ssh-users
Enforce MFA for SSHStops key theft alone from granting accessUse pam_u2f / Google Authenticator / YubiKey
Lock out after failed attemptsSlows brute-forceInstall & configure fail2ban (or crowdsec)
Strong password policy (if used)Defends local accounts & sudopam_pwquality + cracklib, minlen=14, difok=8

Modern recommendation (2026): Disable password auth entirely for SSH and rely on key + MFA (or short-lived certificates via ssh-ca).

4. Network & Firewall Hardening

Use UFW (Uncomplicated Firewall) — it is frontend for nftables in 24.04+.

Basic production posture:

Bash
sudo ufw default deny incoming
sudo ufw default allow outgoing
sudo ufw allow from 203.0.113.0/24 to any port 22 proto tcp comment 'Management subnet'
sudo ufw allow 80,443/tcp comment 'Web'
sudo ufw --force enable

Advanced options:

  • Rate-limit SSH: sudo ufw limit OpenSSH
  • Drop invalid packets early: Edit /etc/ufw/before.rules to add -A ufw-before-input -m conntrack –ctstate INVALID -j DROP
  • Consider nftables directly or firewalld if you need zones/dynamic rules.

5. Kernel & Runtime Protections

  • Enable Livepatch (via Ubuntu Pro) → rebootless kernel CVE fixes for high/critical issues.
  • Install apparmor-profiles and ensure AppArmor is in enforcing mode:
    Bash
    sudo aa-status   # should show profiles in enforce
  • Consider LKRG (Linux Kernel Runtime Guard) for runtime kernel integrity checking against LKM rootkits and credential exploits (available via third-party repos).
  • Disable unneeded filesystems in kernel cmdline:
    text
    echo "install squashfs /bin/false" | sudo tee /etc/modprobe.d/blacklist-fs.conf
# similarly for cramfs, freevxfs, jffs2, hfs, hfsplus, udf, etc.

6. File System & Permission Hardening

CIS Level 1 covers most of these automatically via USG, but key manual checks:

  • No world-writable directories (find / -xdev -type d -perm -0002)
  • Secure /tmp & /var/tmp (nodev, nosuid, noexec)
  • Restrict core dumps: * hard core 0 in /etc/security/limits.conf
  • Protect sensitive files:
    Bash
    chmod 600 /etc/shadow /etc/gshadow /boot/grub/grub.cfg
chmod 644 /etc/passwd /etc/group

7. Logging, Auditing & Monitoring

  • Enable auditd and add key rules (USG can apply CIS audit rules):
    Bash
    sudo apt install auditd audispd-plugins
sudo systemctl enable auditd
  • Forward logs centrally (rsyslog → remote server or journald → ELK / Loki / Graylog).
  • Monitor for tampering: AIDE or OSSEC / Wazuh for file integrity.

8. Ongoing Operations & Automation

  • Unattended-upgrades for security patches:
    Bash
    sudo dpkg-reconfigure --priority=low unattended-upgrades
  • Weekly apt list –upgradable checks or Pro’s Landscape / UA Insights.
  • Regular USG audits: sudo usg audit cis_level1_server –output csv
  • Backup /etc, /boot, and package selection list (dpkg –get-selections).

Quick Hardening Checklist (2026 Perspective)

  1. Minimal install + full-disk encryption
  2. Ubuntu Pro attached + Livepatch + USG installed
  3. Apply CIS Level 1 Server via usg fix
  4. SSH → keys only + MFA + restricted subnets
  5. UFW deny-by-default + explicit allows
  6. AppArmor enforcing + fail2ban / crowdsec
  7. Automatic security patching enabled
  8. auditd active + central logging
  9. Disable legacy protocols/filesystems
  10. Document exceptions & re-audit quarterly

Hardening is not a one-time task — it is a lifecycle process. Use tools like USG, Ansible-lockdown (UBUNTU24-CIS role), or Lynis to continuously validate posture.

For environments requiring certification (FedRAMP, CMMC, NIST 800-53, EU CRA), combine USG CIS profiles with Ubuntu Pro’s expanded patching and attestation features.

A hardened Ubuntu server remains one of the most defensible general-purpose OS platforms available today — provided you keep it updated, minimal, and actively monitored.

Leave a Reply