How to Harden Your Ubuntu Server (Step-by-Step Guide)

When deploying an Ubuntu server for production, security should be your top priority. An out-of-the-box Ubuntu installation is relatively secure, but it’s far from bulletproof. In this guide, we’ll explore practical steps to harden your Ubuntu server against common threats.

1. Keep Your System Updated

Security starts with patching known vulnerabilities. Regular updates ensure you have the latest security fixes.

sudo apt update && sudo apt upgrade -y 
sudo apt autoremove -y bash

Enable unattended upgrades for automatic security updates:

sudo apt install unattended-upgrades 
sudo dpkg-reconfigure unattended-upgrades

2. Create a Non-Root User

Avoid using the root account directly for daily operations.

adduser username 
usermod -aG sudo username

Then, disable root SSH login by editing /etc/ssh/sshd_config:

PermitRootLogin no

Restart SSH:

sudo systemctl restart ssh

3. Configure a Firewall (UFW)

Ubuntu includes UFW (Uncomplicated Firewall). Configure it to allow only necessary services:

sudo ufw default deny incoming 
sudo ufw default allow outgoing 
sudo ufw allow ssh sudo ufw enable

For specific ports:

sudo ufw allow 80/tcp   # HTTP 
sudo ufw allow 443/tcp  # HTTPS

4. Use Fail2Ban for Brute Force Protection

Fail2Ban blocks IP addresses that attempt too many failed logins.

sudo apt install fail2ban 
sudo systemctl enable fail2ban 
sudo systemctl start fail2ban

To customize rules, edit /etc/fail2ban/jail.local.

5. Disable Unused Services

List all active services:

sudo systemctl list-unit-files --type=service --state=enabled

Disable unnecessary services:

sudo systemctl disable service-name

6. Use SSH Keys Instead of Passwords

Generate a key on your local machine:

ssh-keygen -t rsa -b 4096

Copy it to the server:

ssh-copy-id username@server_ip

Then disable password logins in /etc/ssh/sshd_config:

PasswordAuthentication no

Restart SSH:

sudo systemctl restart ssh

7. Enable Automatic Security Updates

Edit /etc/apt/apt.conf.d/50unattended-upgrades and ensure the following line is uncommented:

"${distro_id}:${distro_codename}-security";

Then enable:

sudo dpkg-reconfigure --priority=low unattended-upgrades

8. Protect Against Network Attacks

Install iptables-persistent or nftables for advanced rules if needed. For DDoS and port scanning:

sudo apt install iptables-persistent

CYou can also use fail2ban filters for extra protection.

9. Check for Rootkits

Install tools like chkrootkit and rkhunter:

sudo apt install chkrootkit rkhunter 
sudo chkrootkit 
sudo rkhunter --check

10. Regular Backups & Monitoring

Use automated backups and monitoring tools like:

rsnapshot, borgbackup, or restic
Logwatch or GoAccess for log monitoring
UptimeRobot or Nagios for system monitoring

Final Thoughts

Securing your Ubuntu server is an ongoing process. Always follow the principle of least privilege, monitor your logs, and apply updates promptly. The above steps significantly reduce your attack surface and make your server much harder to compromise.