Kernel of Truth

Security Hardening Ubuntu Linux

Ubuntu is one of the most popular Linux distributions, widely used in servers, desktops, and cloud environments. Out of the box, it is reasonably secure, but additional hardening is essential for production and internet-facing systems. This page covers practical steps to harden an Ubuntu server.


Quick take

  • Goal: Reduce attack surface, enforce least privilege, and improve resilience.
  • Approach: Patch promptly, minimise services, enforce strong authentication, monitor activity, and use hardening tools.
  • Scope: Applies to Ubuntu Server LTS releases (20.04/22.04/24.04).

1. Keep the system updated

sudo apt update && sudo apt upgrade -y
sudo apt install unattended-upgrades apt-listchanges
sudo dpkg-reconfigure --priority=low unattended-upgrades

Tip: Enable unattended-upgrades for security patches, but still review logs regularly.


2. User accounts and SSH

  • Disable direct root login.
  • Use SSH keys instead of passwords.
  • Restrict access to specific users and IPs.

# /etc/ssh/sshd_config
PermitRootLogin no
PasswordAuthentication no
AllowUsers ansible adminuser

Reload SSH after changes: sudo systemctl reload ssh


3. Firewall and network

Ubuntu ships with ufw (Uncomplicated Firewall):

sudo ufw default deny incoming
sudo ufw default allow outgoing
sudo ufw allow OpenSSH
sudo ufw allow 80/tcp
sudo ufw allow 443/tcp
sudo ufw enable
sudo ufw status verbose

Tip: For complex setups use nftables or iptables directly.


4. Remove unnecessary packages

Reduce attack surface by uninstalling software you don’t need.

sudo apt remove --purge telnet rsh-server xinetd rpcbind -y
sudo apt autoremove -y

5. Logging and auditing

Enable system auditing with auditd:

sudo apt install auditd audispd-plugins
sudo systemctl enable auditd
sudo systemctl start auditd

Example audit rule (log access to /etc/passwd):

echo "-w /etc/passwd -p wa -k passwd_changes" | sudo tee -a /etc/audit/rules.d/hardening.rules
sudo augenrules --load

6. Minimise services and daemons

systemctl list-unit-files --state=enabled
sudo systemctl disable avahi-daemon
sudo systemctl disable cups

Rule of thumb: if you don’t use it, disable it.


7. Mandatory Access Control

Ubuntu supports AppArmor by default.

sudo aa-status
sudo apt install apparmor-utils
sudo aa-enforce /etc/apparmor.d/*

Use AppArmor profiles for web servers, databases, and custom applications.


8. Kernel and sysctl hardening

Adjust kernel parameters for better security. Edit /etc/sysctl.conf or drop files into /etc/sysctl.d/:

# /etc/sysctl.d/99-hardening.conf
net.ipv4.conf.all.rp_filter=1
net.ipv4.conf.all.accept_source_route=0
net.ipv4.conf.all.accept_redirects=0
net.ipv4.conf.all.log_martians=1
net.ipv6.conf.all.accept_redirects=0
kernel.randomize_va_space=2

Apply changes: sudo sysctl --system (sysctl -p on its own reads only /etc/sysctl.conf and would skip the drop-in file under /etc/sysctl.d/)
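A small checker for the sshd_config and sysctl settings shown above, added here as an example (not from the original post): get_value, check_settings, the sample file and its stray duplicate line are all constructed. It is written to work on both formats, since the two differ in which duplicate wins: pass first for sshd_config and last for a sysctl.d fragment.

```shell
#!/bin/sh
# Added example (not from the original post): compare a config file with the settings
# recommended above. Assumes POSIX sh + awk. Caveat it encodes: sshd honours the FIRST
# occurrence of a keyword, sysctl the LAST, so a file can look compliant and not be.

# get_value FILE KEY MODE   (MODE = first | last): prints the effective value, if any
get_value() {
    awk -v key="$2" -v mode="$3" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }                         # skip comments/blanks
        { sub(/^[[:space:]]+/, ""); gsub(/[[:space:]]*=[[:space:]]*/, " ") } # key=value -> key value
        tolower($1) == tolower(key) {
            val = $0; sub(/^[^[:space:]]+[[:space:]]+/, "", val)              # text after the key
            if (mode == "first") { print val; exit }
        }
        END { if (mode == "last" && val != "") print val }
    ' "$1"
}

# check_settings FILE MODE EXPECTED   (EXPECTED = newline-separated "key value" lines)
# Prints OK / MISSING / MISMATCH per line and returns the number of failures.
check_settings() {
    failures=0; tmp=$(mktemp); printf '%s\n' "$3" > "$tmp"
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        key=${line%% *}; want=${line#* }
        have=$(get_value "$1" "$key" "$2")
        if [ -z "$have" ]; then
            echo "MISSING  $key (want: $want)"; failures=$((failures + 1))
        elif [ "$have" != "$want" ]; then
            echo "MISMATCH $key = $have (want: $want)"; failures=$((failures + 1))
        else
            echo "OK       $key = $have"
        fi
    done < "$tmp"
    rm -f "$tmp"
    return "$failures"
}

# Constructed sample sshd_config (not a real system file): the stray
# "PasswordAuthentication yes" on line 2 silently wins over the "no" below it.
SAMPLE=$(mktemp); cat > "$SAMPLE" <<'EOF'
PermitRootLogin no
PasswordAuthentication yes
PasswordAuthentication no
AllowUsers ansible adminuser
EOF
check_settings "$SAMPLE" first "PermitRootLogin no
PasswordAuthentication no
AllowUsers ansible adminuser" || echo "$? setting(s) need attention"
rm -f "$SAMPLE"
```

On a live host, sudo sshd -T prints the values sshd actually uses (including anything pulled in by an Include of /etc/ssh/sshd_config.d/), and sysctl -n KEY prints the running kernel value; compare those when you want runtime rather than on-disk state.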


9. Filesystem protections

  • Mount /tmp, /var/tmp with noexec,nosuid,nodev.
  • Enable nodev on removable storage.

# /etc/fstab example
tmpfs   /tmp        tmpfs   defaults,noexec,nosuid,nodev 0 0

10. Automated hardening and scanning tools

  • Lynis – auditing and hardening suggestions:

sudo apt install lynis
sudo lynis audit system

  • OpenSCAP – compliance scanning (CIS/NIST profiles):

sudo apt install libopenscap8 openscap-utils
oscap xccdf eval --profile xccdf_org.ssgproject.content_profile_cis /usr/share/xml/scap/ssg/content/ssg-ubuntu2204-ds.xml

11. Monitoring and intrusion detection

  • Enable fail2ban to block brute-force SSH attempts:

sudo apt install fail2ban
sudo systemctl enable --now fail2ban

  • Consider a host intrusion detection system (HIDS) like AIDE or OSSEC.

Summary

Hardening Ubuntu Linux involves:

  • Keeping the system patched.
  • Locking down accounts and SSH.
  • Restricting the network with a firewall.
  • Removing unnecessary software.
  • Applying AppArmor and kernel-level protections.
  • Auditing, monitoring, and intrusion detection.

Combine these steps with compliance scans (Lynis, OpenSCAP) to measure improvements. Security is an ongoing process — monitor logs, review configurations, and adapt to emerging threats.
