
hardening linux ubuntu

By Noman Mohammad

Published on:


Why Your “Safe” Ubuntu Box Is Already Under Attack

Last week I spun up a fresh Ubuntu 24.04 VM on DigitalOcean.
Within two hours it had 47 failed SSH logins from three different countries.
And that was before I even installed a single app.

Moral of the story: the defaults are not safe.
They’re just “convenient.”
Convenient for you and for anyone scanning the internet with a script.

The Checklist I Run on Every New Machine

Copy, paste, done. I’ve trimmed this to the commands that matter most and added the tiny tweaks the tutorials usually skip.

1. Patch Everything First

sudo apt update && sudo apt full-upgrade -y
sudo snap refresh
sudo reboot

Yes, reboot. A new kernel does not run until you boot into it (unless you use Livepatch), and long-running services keep the old copies of any libraries that were upgraded underneath them until they are restarted.

2. Rip Out the Junk

sudo apt autoremove --purge -y
sudo snap list --all | awk '/disabled/{print $1,$3}' | \
  while read snapname revision; do
      sudo snap remove "$snapname" --revision="$revision"
  done

The second command removes every disabled (superseded) snap revision that snap keeps on disk after a refresh. A disabled revision is not mounted, so this is housekeeping that frees disk space rather than a reduction in attack surface.

3. Lock the Front Door (UFW)

sudo ufw default deny incoming
sudo ufw default allow outgoing
sudo ufw allow 2222/tcp  # change 2222 to whatever port you’ll actually use for SSH
sudo ufw --force enable

Now test it from another terminal before you close your current one. Enabling the firewall does not cut the session you are in (established connections stay allowed), so a lock-out only shows up on the next login. If sshd is still listening on 22 at this point, allow 22/tcp as well and delete that rule once the move in step 4 is confirmed. I’ve locked myself out more times than I care to admit.

4. SSH: Kill Root Login and Move the Port

Open /etc/ssh/sshd_config and set these three lines (uncomment them if they are commented out). One catch on 24.04: the file starts with Include /etc/ssh/sshd_config.d/*.conf and sshd keeps the first value it reads, so a cloud image’s 50-cloud-init.conf saying PasswordAuthentication yes silently beats an edit to the main file. Either put your settings in a drop-in that sorts earlier (00-hardening.conf, say) or remove the conflicting one, and confirm with sudo sshd -T, which prints the values sshd actually uses:

Port 2222
PermitRootLogin no
PasswordAuthentication no

Check the syntax first with sudo sshd -t (a typo here means sshd does not come back), then restart:

sudo systemctl restart sshd

On 24.04 ssh is socket-activated, so a changed Port also needs sudo systemctl daemon-reload followed by a restart of ssh.socket before sshd listens on it. Leave your current session open and confirm a fresh login on the new port works before you go anywhere.

If you need help setting up key-only auth, this step-by-step guide shows how I do it in under five minutes.

5. Let the Computer Update Itself

sudo apt install unattended-upgrades -y
sudo dpkg-reconfigure --priority=low unattended-upgrades

Select “Yes” when it asks. One less chore on Sunday night.

6. Add Google-Style 2FA

sudo apt install libpam-google-authenticator -y
google-authenticator

Scan the QR code with your authenticator app and keep the emergency scratch codes somewhere safe. When it asks “Do you want me to update your .google_authenticator file?” say yes. Then add this to /etc/pam.d/sshd right after @include common-auth:

auth required pam_google_authenticator.so nullok

Two things the usual tutorials skip. First, after step 4 a key-based login never reaches PAM at all, so this line does nothing unless sshd_config also has KbdInteractiveAuthentication yes and AuthenticationMethods publickey,keyboard-interactive, which forces the code prompt after the key check. Second, with common-auth still included, that keyboard-interactive step asks for the account password and then the code; comment the @include out if you want key plus code only. nullok lets any account without a ~/.google_authenticator file skip the second factor, so drop it once everyone has enrolled. Keep an existing session open while you test.

Restart SSH again.
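Steps 4 and 6 together, as an added example rather than anything from the post: a small POSIX shell script that emits the sshd drop-in and the /etc/pam.d/sshd fragment described above, and audits the effective configuration from sshd -T so a cloud-init override or a typo shows up as a FAIL line instead of a lock-out. The drop-in name 00-hardening.conf, the 24.04 socket-activation detail and port 2222 are assumptions of this script, not the page’s.

```shell
#!/bin/sh
# Added example, not from the original post: generate, validate and audit the
# sshd settings from steps 4 and 6 in one place.
# Assumptions (not stated on the page): Ubuntu 24.04 with OpenSSH 9.x, and a
# drop-in named 00-hardening.conf so it sorts before cloud-init's
# 50-cloud-init.conf (sshd's Include is first-value-wins).
set -eu

SSH_PORT="${SSH_PORT:-2222}"
DROPIN="${DROPIN:-/etc/ssh/sshd_config.d/00-hardening.conf}"

# The sshd drop-in. The last two lines are what make the PAM TOTP step run for
# key-based logins: without them a publickey login never touches PAM.
sshd_dropin() {
  cat <<EOF
# 00-hardening.conf: sorts before 50-cloud-init.conf, so these values win
Port $SSH_PORT
PermitRootLogin no
PasswordAuthentication no
KbdInteractiveAuthentication yes
AuthenticationMethods publickey,keyboard-interactive
EOF
}

# /etc/pam.d/sshd fragment for key + TOTP (no password prompt): common-auth is
# commented out and nullok is omitted, so every user must have enrolled.
pam_sshd_fragment() {
  cat <<'EOF'
#@include common-auth
auth required pam_google_authenticator.so
EOF
}

# Audit the EFFECTIVE configuration as dumped by `sshd -T` (read on stdin;
# keywords are lower-case there). Prints one FAIL line per wrong setting and
# returns the number of failures, so 0 means hardened.
audit_sshd_dump() {
  awk -v port="$SSH_PORT" '
    BEGIN {
      want["port"] = port
      want["permitrootlogin"] = "no"
      want["passwordauthentication"] = "no"
      want["kbdinteractiveauthentication"] = "yes"
      want["authenticationmethods"] = "publickey,keyboard-interactive"
    }
    NF >= 2 { got[$1] = $2 }
    END {
      fails = 0
      for (k in want) {
        v = (k in got) ? got[k] : "<unset>"
        if (v != want[k]) {
          printf "FAIL %s: got %s, want %s\n", k, v, want[k]
          fails++
        }
      }
      exit fails
    }'
}

# Root-only: write the drop-in, refuse to restart on a broken config, restart,
# then re-audit. Keep your current session open until a fresh login works.
apply_hardening() {
  sshd_dropin > "$DROPIN"
  sshd -t                          # syntax/semantic check of the merged config
  systemctl daemon-reload          # assumption: 24.04 socket activation, the port lives in ssh.socket
  systemctl restart ssh.socket ssh.service
  sshd -T | audit_sshd_dump
}

case "${1:-}" in
  --apply)
    [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; exit 1; }
    apply_hardening ;;
  *)
    echo "# sshd drop-in:"; sshd_dropin
    echo "# /etc/pam.d/sshd fragment:"; pam_sshd_fragment ;;
esac
```

Run it with no arguments to see what it would write; `sudo ./harden-ssh.sh --apply` writes the drop-in, runs sshd -t, restarts, and re-audits. The PAM fragment is printed rather than installed on purpose: replacing a PAM file blind is how you lock out every account at once.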

7. Turn on AppArmor and Make It Angry

sudo apt install apparmor-utils -y   # aa-status and aa-enforce ship here, not in the base install
sudo systemctl enable --now apparmor
sudo aa-status                       # shows which loaded profiles are in enforce vs complain mode
sudo aa-enforce /etc/apparmor.d/PROFILE   # one complain-mode profile at a time, after reviewing its log

AppArmor is already enabled on a stock Ubuntu install; the win here is moving profiles that ship in complain mode into enforce. Do that per profile rather than globbing the whole directory: the glob also hits abstractions/, tunables/ and local/, which are not profiles. If a program starts throwing “permission denied” afterwards, check the kernel log (dmesg or journalctl -k) for apparmor="DENIED" lines. That is almost always the profile being tighter than a legitimate code path, not an intruder being caught; put the profile back in complain mode with aa-complain and fix the rule rather than switching AppArmor off.
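Since this step hinges on reading denials correctly, here is an added example (mine, not the author’s) for triaging them: a POSIX shell script that summarises AppArmor audit lines from journalctl -k or dmesg by verdict, profile, operation and path. The kernel-log lines embedded in it are constructed for the example; the field names it parses (apparmor=, profile=, operation=, name=) are the ones the kernel emits.

```shell
#!/bin/sh
# Added example, not from the original post: triage AppArmor denials from the
# kernel log before (and after) forcing profiles into enforce mode.
# Feed it `journalctl -k` or `dmesg` output; it groups audit lines by verdict,
# profile, operation and path. apparmor="ALLOWED" lines come from profiles in
# complain mode: the access succeeded, but would be blocked by aa-enforce.
# The sample log below is constructed for this example.
set -eu

sample_kernel_log() {
  cat <<'EOF'
[  842.117] audit: type=1400 audit(1714560001.101:61): apparmor="DENIED" operation="open" class="file" profile="/usr/sbin/cupsd" name="/etc/shadow" pid=1203 comm="cupsd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[  842.119] audit: type=1400 audit(1714560001.104:62): apparmor="DENIED" operation="open" class="file" profile="/usr/sbin/cupsd" name="/etc/shadow" pid=1203 comm="cupsd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[  843.002] audit: type=1400 audit(1714560002.010:63): apparmor="ALLOWED" operation="open" class="file" profile="/usr/bin/man" name="/home/alice/.manpath" pid=1311 comm="man" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
[  845.550] audit: type=1400 audit(1714560004.500:64): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="/usr/bin/man" pid=1400 comm="apparmor_parser"
EOF
}

# Group DENIED/ALLOWED audit lines: prints "count verdict profile operation path"
# (tab-separated), most frequent first within each verdict. STATUS lines
# (profile loads) are ignored.
summarize_apparmor() {
  awk '
    # Value of key="..." in the current line, or "" if the key is absent.
    function kv(key,    re) {
      re = " " key "=\"[^\"]*\""
      if (match($0, re))
        return substr($0, RSTART + length(key) + 3, RLENGTH - length(key) - 4)
      return ""
    }
    /apparmor="(DENIED|ALLOWED)"/ {
      path = kv("name"); if (path == "") path = "-"
      count[kv("apparmor") "\t" kv("profile") "\t" kv("operation") "\t" path]++
    }
    END { for (k in count) print count[k] "\t" k }
  ' | sort -t "$(printf '\t')" -k2,2 -k1,1nr
}

# Total DENIED events. A nonzero number after aa-enforce means the profile is
# blocking something; check whether that code path is legitimate before reacting.
denied_count() {
  summarize_apparmor | awk -F '\t' '$2 == "DENIED" { s += $1 } END { print s + 0 }'
}

# Stand-alone: run over the constructed sample.
sample_kernel_log | summarize_apparmor
```

On a live box replace the sample with `sudo journalctl -k | summarize_apparmor`. A path like /etc/shadow under a profile that has no business reading it is the interesting kind of denial; a config file in the program’s own directory is usually a profile gap to fix with aa-logprof.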

8. Encrypt the Disk (If You Haven’t Already)

On a fresh install, check the “Encrypt the new Ubuntu installation” box.
Retrofit on an existing box:

sudo apt install cryptsetup -y
sudo cryptsetup luksFormat /dev/sdX  # replace sdX with your actual disk; this WIPES it, so only an empty, non-root data disk
sudo cryptsetup open /dev/sdX data   # unlock it as /dev/mapper/data
sudo mkfs.ext4 /dev/mapper/data

luksFormat destroys whatever is on the device, so this only works for an extra data disk, not the disk Ubuntu is running from. Add the volume to /etc/crypttab and its filesystem to /etc/fstab, reboot, and you will be prompted for its passphrase once; after that everything runs normally. For the root disk the practical route is a backup and a reinstall with the encryption box checked.

9. Install the Silent Watchdog (Fail2Ban)

sudo apt install fail2ban -y
sudo systemctl enable --now fail2ban

I leave the defaults alone; on Ubuntu they block an IP after five failed attempts in ten minutes, and the ban itself also lasts only ten minutes (bantime), which is worth raising if the same sources keep coming back. One 24.04 note: a minimal install may have no /var/log/auth.log, and fail2ban then refuses to start until you set backend = systemd in /etc/fail2ban/jail.local so it reads the journal instead. Works like a charm once it is running.

10. One-Line Log Check

sudo fail2ban-client status sshd

You’ll see how many IPs are already in jail. Mine usually has three to five within 24 hours.
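To make the “five failures in ten minutes” rule concrete, here is an added example (not from the post or from fail2ban itself) that re-implements the default sshd jail decision in POSIX shell and awk over a constructed auth-log sample, so you can see which source would be banned and when. It only counts Failed password lines and assumes all lines fall on one day; fail2ban’s real sshd filter matches more patterns and parses full timestamps.

```shell
#!/bin/sh
# Added example, not from the original post: what the default fail2ban sshd
# jail decides (maxretry = 5 failures inside findtime = 10 minutes), replayed
# over auth-log lines so the ban decisions are visible. Only "Failed password"
# lines are counted; the real filter matches more. The log lines below are
# constructed for this example and all fall on one day, so timestamps are
# reduced to seconds-of-day.
set -eu

MAXRETRY="${MAXRETRY:-5}"
FINDTIME="${FINDTIME:-600}"

sample_auth_log() {
  cat <<'EOF'
May  1 10:00:01 vm sshd[812]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
May  1 10:00:03 vm sshd[812]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
May  1 10:00:06 vm sshd[815]: Failed password for root from 203.0.113.5 port 51240 ssh2
May  1 10:01:10 vm sshd[820]: Failed password for invalid user test from 198.51.100.7 port 40000 ssh2
May  1 10:02:00 vm sshd[822]: Failed password for root from 203.0.113.5 port 51250 ssh2
May  1 10:02:30 vm sshd[830]: Accepted publickey for deploy from 192.0.2.10 port 50000 ssh2: ED25519 SHA256:c29tZXRoaW5n
May  1 10:03:00 vm sshd[831]: Failed password for root from 203.0.113.5 port 51260 ssh2
May  1 10:30:00 vm sshd[840]: Failed password for invalid user test from 198.51.100.7 port 40001 ssh2
EOF
}

# Sliding-window ban decision. Prints "BAN <ip> <time>" the moment a source
# reaches MAXRETRY failures within FINDTIME seconds; further lines from a
# banned IP are ignored (in production the firewall drops them anyway).
simulate_jail() {
  awk -v maxretry="$MAXRETRY" -v findtime="$FINDTIME" '
    /sshd\[[0-9]+\]: Failed password for / {
      split($3, t, ":"); now = t[1] * 3600 + t[2] * 60 + t[3]
      ip = ""
      for (i = 4; i < NF; i++) if ($i == "from") { ip = $(i + 1); break }
      if (ip == "" || (ip in banned)) next
      n[ip]++; ts[ip, n[ip]] = now
      hits = 0
      for (j = 1; j <= n[ip]; j++) if (now - ts[ip, j] <= findtime) hits++
      if (hits >= maxretry) { banned[ip] = now; print "BAN " ip " " $3 }
    }'
}

# Just the IPs, for comparing with `fail2ban-client status sshd`.
banned_ips() { simulate_jail | awk '{ print $2 }'; }

# Stand-alone: run the decision over the constructed sample.
sample_auth_log | simulate_jail
```

203.0.113.5 trips the rule on its fifth failure three minutes in; 198.51.100.7 never does, because its two attempts are 29 minutes apart. That second case is the point of findtime: a slow scanner stays under the radar unless you lengthen the window or lower maxretry.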

What I Actually Do Differently on Desktops vs. Servers

  • Laptop: I install gufw so I can toggle the firewall with two clicks when I’m on sketchy hotel Wi-Fi.
  • Home Server: I add unattended-upgrades but blacklist kernel updates. I like to test new kernels on a spare box first.
  • Cloud VM: I bake these commands into a tiny cloud-init script. New droplet, zero manual steps.

The 30-Second “Am I Safe?” Test

  1. Open a second terminal on your phone or another machine.
  2. SSH in on your new port.
  3. Run sudo lynis audit system --quick. If you don’t have lynis, install it: sudo apt install lynis -y.
  4. Anything marked [WARNING]? Fix those next.

When that scan prints a hardening index of 90 or better, you can sleep at night.

FAQ: The Stuff No One Tells You

Q: Will automatic updates break my custom config?
A: Only if you edited core packages directly (don’t). Use /etc/apt/apt.conf.d/50unattended-upgrades to blacklist packages you manage by hand.

Q: Does full-disk encryption slow things down?
A: On modern CPUs it’s ~3% CPU on my ThinkPad. On a $5 cloud droplet, I notice it during boots only.

Q: I forgot my LUKS passphrase. Help?
A: You’re out of luck. That’s the point. Write it on paper and keep it in your fire safe.

Q: Can I skip AppArmor if I already use Docker?
A: Nope. On Ubuntu, Docker’s own container confinement is an AppArmor profile (docker-default) that it applies only when AppArmor is running, so switching it off weakens the containers as well as the host.

Take the ten minutes now.
Your future self—sipping coffee while the bots bounce off your firewall—will thank you.
