How to Secure Ubuntu Servers After Deployment


Spinning up a fresh Ubuntu server takes only a few clicks, but the default configuration is rarely optimized for production environments. Standard installations often leave generic ports open, permit root access via SSH, and expose an unnecessarily wide attack surface (Rahman et al., 2026).

To safeguard data and infrastructure against brute-force attacks, unauthorized access, and lateral movement, systematic hardening is required (Scarfone et al., 2008). This operational guide details the essential, practical post-deployment steps to transform a generic Ubuntu installation into a hardened, production-ready environment based on the industry-standard Center for Internet Security (CIS) benchmarks (Irawan, 2026).


1. System Updates and Automatic Patching

Security vulnerabilities are continuously discovered. The absolute first step upon deployment is ensuring the system is operating on the latest patched software versions (Imoukhuede, 2025).

Log in and synchronize your package repositories to apply pending updates:

Bash
 
sudo apt update && sudo apt upgrade -y
sudo apt dist-upgrade -y

Manually updating a fleet of servers daily is inefficient. Enable the unattended-upgrades package to automate the installation of critical security patches without manual intervention:

Bash
 
sudo apt install unattended-upgrades -y
sudo dpkg-reconfigure --priority=low unattended-upgrades

Pro-Tip: Review /etc/apt/apt.conf.d/50unattended-upgrades to configure automatic reboots if patches require a kernel update, or to set up email alerts for patch failures.


2. Setting Up a Non-Root User with Privileges

Operating exclusively as the root user magnifies the risk of catastrophic accidental commands and provides a high-value target for automated exploit scripts. Creating a dedicated user with administrative privileges via sudo restricts daily activities to a lower privilege state.

Create a new user and add them to the system's administrative sudo group:

Bash
 
sudo adduser sysadmin
sudo usermod -aG sudo sysadmin

Verify the configuration by opening a parallel terminal session, logging in as sysadmin and confirming that a sudo command succeeds, before logging out of your root session.


3. Hardening Secure Shell (SSH) Access

SSH is the primary entry point for remote server management, making it the most targeted interface for brute-force attacks (Rahman et al., 2026). Securing this gateway requires shifting away from password authentication to cryptographic keys and adjusting default daemon behaviors.

Generate and Deploy SSH Keys

On your local machine (not the server), generate an Ed25519 key pair. Ed25519 keys have a fixed size, so no bit-length (-b) argument applies:

Bash
 
ssh-keygen -t ed25519

Copy the public key to your newly created server user:

Bash
 
ssh-copy-id -i ~/.ssh/id_ed25519.pub sysadmin@YOUR_SERVER_IP

Reconfigure the SSH Daemon

Open the SSH configuration file to implement stricter access policies:

Bash
 
sudo nano /etc/ssh/sshd_config

Modify or add the following directives to disable root logins, enforce key-based authentication, and limit authentication attempts per connection. Note that sshd keeps the first value it reads for a directive, and Ubuntu's stock sshd_config begins with an Include of /etc/ssh/sshd_config.d/*.conf, so check those drop-in files too (cloud images often ship one that re-enables PasswordAuthentication); a drop-in is read before the main file and would override what you set here:

Plaintext
 
Port 2222                  # Move from default port 22 to reduce automated script scanning
PermitRootLogin no         # Block direct root logins
PasswordAuthentication no  # Disable password authentication entirely
MaxAuthTries 3             # Limit password/key attempts per connection
X11Forwarding no           # Disable graphical forwarding to minimize attack vectors

Test the configuration file for syntax errors before restarting the service, and keep your current session open until you have confirmed, from a second terminal, that key-based login on the new port works; otherwise you can lock yourself out of the server:

Bash
 
sudo sshd -t
sudo systemctl restart ssh
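Because sshd honours the first occurrence of a directive and Ubuntu's main file Includes the drop-in directory before anything else, a hardened sshd_config can be silently undone by a leftover drop-in. The following script, an added example that is not part of the article, reproduces that first-match rule across constructed sample files and reports which hardening directives are not actually in effect; the drop-in filename 50-cloud-init.conf is an assumption.

```python
import re

# Directives the hardening step expects (keys lower-cased, as sshd compares).
WANTED = {"permitrootlogin": "no", "passwordauthentication": "no",
          "maxauthtries": "3", "x11forwarding": "no"}

def parse_directives(text):
    """Yield (keyword, value) pairs from sshd_config text, ignoring comments."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            parts = re.split(r"[\s=]+", line, maxsplit=1)
            if len(parts) == 2:
                yield parts[0].lower(), parts[1].strip()

def effective_settings(main_text, dropins):
    """sshd keeps the FIRST value it sees for a keyword. Ubuntu's stock file
    opens with 'Include /etc/ssh/sshd_config.d/*.conf', so drop-ins (read in
    glob order) are seen before anything in the main file and therefore win.
    Assumes that top-of-file Include and ignores Match blocks."""
    effective = {}
    for text in [dropins[n] for n in sorted(dropins)] + [main_text]:
        for key, value in parse_directives(text):
            effective.setdefault(key, value)
    return effective

def hardening_gaps(main_text, dropins):
    """Map each WANTED directive that is not effectively set as required to
    the value sshd would actually use ('<default>' when never set)."""
    eff = effective_settings(main_text, dropins)
    return {k: eff.get(k, "<default>")
            for k, want in WANTED.items() if eff.get(k) != want}

# Constructed sample: the admin hardened the main file, but a drop-in left by
# the cloud image still allows passwords, and sshd will honour the drop-in.
MAIN = """Include /etc/ssh/sshd_config.d/*.conf
Port 2222
PermitRootLogin no
PasswordAuthentication no
MaxAuthTries 3
X11Forwarding no
"""
DROPINS = {"50-cloud-init.conf": "PasswordAuthentication yes\n"}  # assumed name

if __name__ == "__main__":
    print(hardening_gaps(MAIN, DROPINS))  # {'passwordauthentication': 'yes'}
```

On a real host, feed it the contents of /etc/ssh/sshd_config and each file in /etc/ssh/sshd_config.d/, or compare against `sudo sshd -T`, which prints the effective configuration.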

4. Configuring a Layered Network Defense (UFW)

A default Ubuntu installation may have active processes listening on unnecessary network interfaces (Rahman et al., 2026). Implementing a default-deny firewall policy ensures that only explicitly approved traffic can reach internal application stacks (Rahman et al., 2026).

The Uncomplicated Firewall (UFW) serves as a frontend tool to manage iptables rules easily.

Bash
 
# Enforce a strict default-deny incoming policy
sudo ufw default deny incoming
sudo ufw default allow outgoing

# Explicitly permit traffic on your custom SSH port
sudo ufw allow 2222/tcp

# Open standard web traffic ports if hosting applications
sudo ufw allow 80/tcp
sudo ufw allow 443/tcp

# Review rules and enable the firewall
sudo ufw show added
sudo ufw enable

5. Brute-Force Mitigation with Fail2Ban

Even on a custom port, an open SSH interface will eventually attract automated connection attempts. Fail2Ban actively monitors system logs (such as /var/log/auth.log) for suspicious, repetitive patterns and dynamically updates firewall rules to block the source IP addresses of attackers (Rahman et al., 2026).

Install the utility and create a local configuration override:

Bash
 
sudo apt install fail2ban -y
sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
sudo nano /etc/fail2ban/jail.local

Add or adjust the parameters within the [sshd] section to match your environment, in particular the custom SSH port chosen above:

INI
 
[sshd]
enabled = true
port    = 2222
filter  = sshd
logpath = %(sshd_log)s
backend = %(sshd_backend)s
maxretry = 3
bantime  = 1h
findtime = 10m

Restart the service to activate the jail, then confirm that it is monitoring the log and report any currently banned addresses:

Bash
 
sudo systemctl restart fail2ban
sudo fail2ban-client status sshd
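To make the maxretry, findtime and bantime settings concrete, the script below, an added example rather than fail2ban's own code, applies the same counting rule as the [sshd] jail above to a constructed set of auth.log lines: an address that fails three times within ten minutes is banned for an hour, while one that spreads its failures over a longer period is never banned. The hostname, PIDs and addresses in the sample are made up.

```python
import re
from datetime import datetime, timedelta

# Same knobs as the [sshd] jail above.
MAXRETRY, FINDTIME, BANTIME = 3, timedelta(minutes=10), timedelta(hours=1)

# Classic sshd failure line; the syslog timestamp carries no year, so one is
# assumed when parsing.
FAIL_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>[\d.]+) port \d+")

def failures(lines, year=2026):
    """Yield (timestamp, source_ip) for every failed-login line, in log order."""
    for line in lines:
        m = FAIL_RE.match(line)
        if m:
            yield datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S"), m["ip"]

def simulate_jail(lines):
    """Return {ip: ban_start} for sources that reach MAXRETRY failures within
    one FINDTIME window. Failures during an active ban are skipped, since the
    firewall rule fail2ban inserted would have dropped those packets."""
    recent, bans = {}, {}
    for ts, ip in failures(lines):
        if ip in bans and ts < bans[ip] + BANTIME:
            continue
        window = [t for t in recent.get(ip, []) if ts - t < FINDTIME] + [ts]
        recent[ip] = window
        if len(window) >= MAXRETRY:
            bans[ip], recent[ip] = ts, []
    return bans

# Constructed auth.log sample: 198.51.100.7 fails three times in four minutes
# (banned); 203.0.113.9 fails three times over 25 minutes (never 3 in 10m).
SAMPLE_LOG = """\
May 18 10:00:01 web1 sshd[1201]: Failed password for root from 198.51.100.7 port 51000 ssh2
May 18 10:00:30 web1 sshd[1202]: Failed password for root from 203.0.113.9 port 42000 ssh2
May 18 10:02:10 web1 sshd[1204]: Failed password for invalid user admin from 198.51.100.7 port 51002 ssh2
May 18 10:03:55 web1 sshd[1207]: Failed password for root from 198.51.100.7 port 51004 ssh2
May 18 10:12:30 web1 sshd[1205]: Failed password for root from 203.0.113.9 port 42002 ssh2
May 18 10:25:30 web1 sshd[1211]: Failed password for root from 203.0.113.9 port 42004 ssh2
""".splitlines()

if __name__ == "__main__":
    print(simulate_jail(SAMPLE_LOG))  # {'198.51.100.7': datetime(2026, 5, 18, 10, 3, 55)}
```

The real jail also matches other failure messages (for example public-key rejections) through its sshd filter; `fail2ban-regex /var/log/auth.log /etc/fail2ban/filter.d/sshd.conf` shows what the production filter would have matched.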

6. Audit and Continuous Compliance Monitoring

Hardening is an ongoing process rather than a static post-install checkbox. System administrators must establish a baseline configuration and routinely audit for drift, unpatched dependencies, or altered system binaries (Erawan & Salman, 2023).

Automated Auditing with Lynis

Lynis is an open-source security auditing tool designed specifically for Linux environments. It scans the operating system architecture and generates an extensive report detailing vulnerability metrics, incorrect file permissions, and actionable hardening recommendations (Rahman et al., 2026).

Bash
 
sudo apt install lynis -y
sudo lynis audit system

The scan produces a breakdown of systemic risks and outputs a clear Hardening Index score out of 100 alongside exact log paths to investigate discrepancies (Rahman et al., 2026).

Hardening Checklist Matrix

To maintain an overview of your baseline status across deployed environments, use the following reference checklist:

| Hardening Area | Target Mechanism | Operational Goal |
|---|---|---|
| System Hygiene | unattended-upgrades | Minimizes exposure windows for zero-day exploits. |
| Access Control | Non-root sudo user | Establishes accountability and limits accidental privilege execution. |
| Edge Security | Ed25519 Keys Only | Nullifies credential-stuffing and traditional brute-force tactics. |
| Network Control | UFW Default-Deny | Minimizes peripheral attack surfaces by closing unused listening ports. |
| Active Defense | Fail2Ban Automated Jails | Temporarily or permanently isolates active infrastructure probing. |
| Compliance Verification | Lynis Framework Checks | Identifies misconfigurations and measures overall security posture over time. |

References

  • Erawan, E., & Salman, M. (2023). Image based Ubuntu operating system using packer solutions. Gema Wiralodra, 14(2), 961-968. https://doi.org/10.31943/gw.v14i2.475


  • Imoukhuede, A. B. (2025). Optimization of network device hardening in a multivendor environment. PMC.


  • Irawan, B. (2026). Evaluating the effectiveness of Center of Internet Security Benchmark for hardening Linux servers against cyber attacks. Journal of Social Research.


  • Rahman, R., Farel, M., & Sopan, M. D. (2026). Implementasi hardening server Linux untuk mengurangi risiko serangan siber. Jurnal Riset Sistem Informasi. https://doi.org/10.69714/c4atnn70


  • Scarfone, K. A., Jansen, W., & Tracy, M. (2008). Guide to general server security. National Institute of Standards and Technology. https://doi.org/10.6028/nist.sp.800-123


Published 18 May 2026

AsimJaved706
