
Server hardening

Lynis - Security auditing and hardening tool for Linux/Unix
Lynis is an open source security auditing tool. Part of Lynis Enterprise Suite, its main goal is to audit and harden Unix and Linux based systems.

Ubuntu Server Security Best Practices (Derived from Top GitHub Projects)

Executive Summary

Across popular Ubuntu-centric security projects—hardening roles, auditing tools, firewalls, intrusion prevention, and CIS implementations—the most consistent practices are: keep a tight patch cadence with auto-security updates; minimize the attack surface; lock down SSH; enforce host-level firewalling (mind Docker interactions); add active abuse prevention (e.g., Fail2Ban/CrowdSec); baseline against CIS/DevSec; audit continuously (Lynis/ssh-audit); and log/monitor aggressively.


Corpus (10 GitHub Projects)

  1. dev-sec/ansible-collection-hardening — battle-tested hardening for Linux/SSH/nginx/MySQL aligned to DevSec baselines.
  2. konstruktoid/hardening — opinionated Ubuntu hardening (systemd), tested on 20.04/22.04.
  3. CISOfy/lynis — on-host security auditing with hardening guidance.
  4. fail2ban/fail2ban — log-driven bans for brute-force/abuse; ships with SSH/Apache jails.
  5. mvo5/unattended-upgrades — automatic installation of security updates on Debian/Ubuntu.
  6. jtesta/ssh-audit — audits SSH server/client algorithms & config, with hardening hints.
  7. crowdsecurity/crowdsec — crowdsourced detection & community blocklists; agent + bouncers.
  8. UFW (Uncomplicated Firewall) — iptables/nftables frontend and the default host firewall tooling on Ubuntu.
  9. ansible-lockdown/UBUNTU22-CIS — automates CIS Ubuntu 22.04 LTS Benchmark controls.
  10. canonical/ubuntu-server-documentation — official Ubuntu Server docs (baseline procedures).

(Note: Docker can bypass UFW unless specifically handled; see ufw-docker guidance.)


Best Practices

1. Patch Management

  • Enable automatic security updates with unattended-upgrades.
  • Keep mirrors healthy; verify after incidents.
sudo apt-get update && sudo apt-get install unattended-upgrades apt-listchanges
sudo dpkg-reconfigure -plow unattended-upgrades

2. Minimize Attack Surface

  • Remove unused packages/services.
  • Apply secure sysctl and filesystem options.

3. SSH Hardening

  • Disable root login and password authentication.
  • Enforce strong ciphers, MACs, KEX.
  • Validate with ssh-audit.
# /etc/ssh/sshd_config.d/10-hardening.conf
# Ubuntu's stock sshd_config starts with "Include /etc/ssh/sshd_config.d/*.conf",
# and sshd keeps the first value it sees, so these drop-in settings win.
PermitRootLogin no
PasswordAuthentication no
KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com
MACs hmac-sha2-512,hmac-sha2-256

4. Firewalling

  • Enable UFW with default deny inbound, allow outbound.
  • Handle the Docker bypass: Docker programs iptables directly, so published container ports can stay reachable even when UFW denies them (see the ufw-docker guidance).
sudo ufw default deny incoming
sudo ufw default allow outgoing
sudo ufw allow OpenSSH
sudo ufw enable

5. Abuse Prevention

  • Configure Fail2Ban jails.
  • Use CrowdSec for community-driven IP reputation.

6. Compliance & Baselines

  • Apply CIS Ubuntu or DevSec baselines via Ansible.
  • Tailor exceptions as needed.

7. Continuous Auditing

  • Run Lynis regularly.
  • Pair with ssh-audit for SSH.

8. Logging & Monitoring

  • Persist and centralize logs.
  • Ensure logrotate hygiene.

9. Secrets & Least Privilege

  • Restrict sudo and enforce granular privileges.
  • Apply AppArmor profiles.

10. Web & Reverse Proxy Hardening

  • Harden TLS/cipher suites.
  • Remove unused nginx modules.

Secure-by-Code

Codify hardening and auditing in Ansible/Terraform pipelines.
Validate post-boot with Lynis & CIS checks.


Starter Runbook (Ubuntu 22.04/24.04 LTS)

  1. Patch & reboot: unattended-upgrades + weekly reboots.
  2. Baseline hardening: apply dev-sec/ansible-collection-hardening.
  3. SSH lockdown: keys only, validate with ssh-audit.
  4. Firewall: UFW default-deny + Docker-aware config.
  5. Abuse prevention: Fail2Ban + CrowdSec.
  6. Compliance: CIS audits.
  7. Logging: journald persistence + central log shipping.
  8. Docs: maintain ops runbooks.
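A post-boot self-check for runbook steps 1, 3 and 4, added here as an example and not taken from the post or from any of the projects it lists. Each check reads captured text on stdin, so it runs offline and in CI; the live sources it expects (`sshd -T` output, /etc/apt/apt.conf.d/20auto-upgrades, `ufw status verbose` output) are assumptions about a stock Ubuntu layout.

```shell
#!/bin/sh
# Added example, not from the original post or any of the listed projects:
# a post-boot self-check for three runbook steps (SSH lockdown,
# unattended-upgrades, UFW default-deny). Every check reads captured text
# on stdin so it runs offline and in CI; on a live host feed it the output
# of `sshd -T`, the file /etc/apt/apt.conf.d/20auto-upgrades and the output
# of `ufw status verbose` (assumed sources; adjust to your layout).

# Print the effective value of one sshd directive from config text on stdin.
# sshd honours the first occurrence, so stop at the first match; keys are
# compared case-insensitively because `sshd -T` prints them in lowercase.
sshd_value() {
  awk -v key="$1" 'tolower($1) == tolower(key) { print $2; exit }'
}

# check_sshd < CONFIG: succeed only if root login and password auth are "no".
check_sshd() {
  cfg=$(cat)
  [ "$(printf '%s\n' "$cfg" | sshd_value PermitRootLogin)" = no ] &&
  [ "$(printf '%s\n' "$cfg" | sshd_value PasswordAuthentication)" = no ]
}

# check_unattended < APT_CONF: succeed if the periodic unattended-upgrade job is on.
check_unattended() {
  grep -Eq '^APT::Periodic::Unattended-Upgrade[[:space:]]+"1";'
}

# check_ufw_defaults < UFW_STATUS: succeed if policy is deny incoming, allow outgoing.
check_ufw_defaults() {
  grep -Eq '^Default: deny \(incoming\), allow \(outgoing\)'
}

# report NAME CHECK FILE: print PASS/FAIL for one check and return its status.
report() {
  if "$2" < "$3"; then echo "PASS $1"; else echo "FAIL $1"; return 1; fi
}

# run_checks SSHD_FILE APT_FILE UFW_FILE: run all checks and return the
# number of failures, so 0 means the baseline holds.
run_checks() {
  failures=0
  report sshd       check_sshd         "$1" || failures=$((failures + 1))
  report unattended check_unattended   "$2" || failures=$((failures + 1))
  report ufw        check_ufw_defaults "$3" || failures=$((failures + 1))
  return "$failures"
}
```

On a live host, capture the three inputs first (`sudo sshd -T > /tmp/sshd.txt`, `sudo ufw status verbose > /tmp/ufw.txt`) and pass the files to run_checks; the return value doubles as an exit code for a cron or CI job.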

References

  • dev-sec/ansible-collection-hardening
  • konstruktoid/hardening
  • CISOfy/lynis
  • fail2ban/fail2ban
  • mvo5/unattended-upgrades
  • jtesta/ssh-audit
  • crowdsecurity/crowdsec
  • UFW project
  • ansible-lockdown/UBUNTU22-CIS
  • canonical/ubuntu-server-documentation
  • ufw-docker guidance