Lock Down Your Ubuntu 24.04 Server in 10 Steps
Practical, copy-paste-ready security hardening tips you can implement today — no risky PPAs required.
Ten practical, immediately actionable steps, with commands where they apply, drawn from the guide. Work through them from a session you keep open: several of them change how you log in, and a mistake in the SSH configuration can lock you out of the server.
1. Use SSH key-based authentication
Disable password logins so that only SSH key pairs are accepted. Copy your public key to the server and confirm that a key login works from a second terminal before you reload. On Ubuntu 24.04 the main file is not the whole story: sshd reads /etc/ssh/sshd_config.d/*.conf before its own settings and keeps the first value it sees for each keyword, and cloud images ship 50-cloud-init.conf in that directory with PasswordAuthentication yes, so check it too. Validate with sshd -t first so that a typo is caught before the running daemon is touched:
sudo sed -i 's/^#\?PasswordAuthentication .*/PasswordAuthentication no/' /etc/ssh/sshd_config
grep -rn PasswordAuthentication /etc/ssh/sshd_config.d/
sudo sshd -t && sudo systemctl reload sshd
2. Restrict SSH access to specific users or groups
Create a dedicated SSH group:
sudo groupadd sshusers
sudo usermod -aG sshusers your_username
Limit logins to that group. Once AllowGroups is set, only members of sshusers can connect (root included), so add yourself first, as above, and keep your current session open until a fresh login succeeds. Appending to the end of the file is safe with Ubuntu's stock sshd_config because its Match block is commented out; if you have an active Match block, put the directive above it or in a file under /etc/ssh/sshd_config.d/ instead.
echo "AllowGroups sshusers" | sudo tee -a /etc/ssh/sshd_config
sudo sshd -t && sudo systemctl reload sshd
3. Harden SSH configuration
Restrict the key-exchange algorithms in /etc/ssh/sshd_config so that only Curve25519 exchanges are offered. Note the directive: KexAlgorithms governs key exchange; Ciphers and MACs are separate lists with their own names. For example:
KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org
The two names are the same algorithm (the @libssh.org form predates the standardised name). OpenSSH 9.6, which 24.04 ships, also supports the post-quantum hybrid sntrup761x25519-sha512@openssh.com, which you can list first; ssh -Q kex prints what your build knows. Any client that only speaks finite-field Diffie-Hellman groups will be refused after this change, so check which clients and automation reach the host before reloading.
Then validate and reload SSH:
sudo sshd -t && sudo systemctl reload sshd
4. Enable two-factor authentication (2FA/MFA) for SSH
Install the TOTP PAM module (libpam-google-authenticator), enrol each SSH user by running google-authenticator as that user, add the module to /etc/pam.d/sshd, and set KbdInteractiveAuthentication yes with AuthenticationMethods publickey,keyboard-interactive so that a valid key and a valid code are both required. Enrol and test before reloading sshd: a user without a token file cannot log in once the module is required.
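The four SSH steps above can be applied as one drop-in file instead of editing sshd_config in place, which also sidesteps the cloud-init override. The script below is an added example, not code from the article or from the guide it summarises; it assumes the group name sshusers, the file name /etc/ssh/sshd_config.d/01-hardening.conf, a PermitRootLogin no line the article does not mention, and libpam-google-authenticator for the TOTP step. Nothing is written unless you pass apply.

```shell
#!/usr/bin/env bash
# Added example, not code from the original article: render and apply a single
# sshd drop-in that implements steps 1-4 (key-only logins, AllowGroups,
# restricted key exchange, optional TOTP second factor) on Ubuntu 24.04.
# Assumptions not stated on the page: the group is called "sshusers", the
# drop-in is named 01-hardening.conf, and MFA uses libpam-google-authenticator.
set -eu

# Print the drop-in. $1 = group allowed to log in, $2 = "mfa" to also require a TOTP code.
render_sshd_dropin() {
    local group="$1" mode="${2:-}"
    cat <<EOF
# sshd keeps the FIRST value it reads for each keyword, and Ubuntu's
# sshd_config includes sshd_config.d/*.conf (lexical order) before its own
# settings. "01-" therefore beats 50-cloud-init.conf, which re-enables
# PasswordAuthentication on cloud images.
PasswordAuthentication no
PermitRootLogin no
PubkeyAuthentication yes
AllowGroups ${group}
# Key exchange only: the two curve25519 names are one algorithm; the sntrup761
# hybrid exists in OpenSSH 9.0+ (24.04 ships 9.6) and older clients skip it.
KexAlgorithms sntrup761x25519-sha512@openssh.com,curve25519-sha256,curve25519-sha256@libssh.org
EOF
    if [ "$mode" = mfa ]; then
        cat <<'EOF'
# Public key first, then the keyboard-interactive PAM conversation that asks for the code.
KbdInteractiveAuthentication yes
AuthenticationMethods publickey,keyboard-interactive
EOF
    else
        echo "KbdInteractiveAuthentication no"
    fi
}

# Apply on the server as root. Keep your current session open and test a fresh
# login from a second terminal before closing it.
apply_sshd_dropin() {
    local group="$1" mode="${2:-}"
    local dir="${SSHD_DROPIN_DIR:-/etc/ssh/sshd_config.d}" target
    local admin="${SUDO_USER:-$USER}"
    target="$dir/01-hardening.conf"

    getent group "$group" >/dev/null || groupadd "$group"
    # Put the admin in the group BEFORE AllowGroups takes effect.
    id -nG "$admin" | tr ' ' '\n' | grep -qx "$group" || usermod -aG "$group" "$admin"

    if [ "$mode" = mfa ]; then
        local home
        home=$(getent passwd "$admin" | cut -d: -f6)
        # Refuse to require a code nobody has enrolled for: that is a guaranteed lockout.
        [ -f "$home/.google_authenticator" ] || { echo "run google-authenticator as $admin first" >&2; return 1; }
        # Drop the password prompt from the PAM stack so keyboard-interactive asks for the code only.
        sed -i 's/^@include common-auth/#&/' /etc/pam.d/sshd
        grep -q pam_google_authenticator /etc/pam.d/sshd ||
            echo "auth required pam_google_authenticator.so" >>/etc/pam.d/sshd
    fi

    render_sshd_dropin "$group" "$mode" >"$target"
    # Validate the effective configuration; on error remove the file rather than reload a broken sshd.
    if ! sshd -t; then
        rm -f "$target"
        echo "sshd rejected the configuration; drop-in removed" >&2
        return 1
    fi
    systemctl reload ssh
    # Print what sshd actually resolved (first value wins); this, not the file, is what to check.
    sshd -T | grep -Ei '^(passwordauthentication|kbdinteractiveauthentication|allowgroups|kexalgorithms|authenticationmethods) '
}

# Usage: sudo bash harden-ssh.sh apply sshusers [mfa]
if [ "${1:-}" = apply ]; then
    apply_sshd_dropin "${2:-sshusers}" "${3:-}"
fi
```

Run it as root (sudo bash harden-ssh.sh apply sshusers, adding mfa only after google-authenticator has been run as the admin user) from a session you keep open, then log in again from a second terminal. The sshd -T output at the end is the value sshd actually resolved, which is what to look at when a drop-in and the main file disagree.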
5. Enable unattended security updates
Install and configure automatic installation of security updates. The reconfigure step writes /etc/apt/apt.conf.d/20auto-upgrades; the policy itself (which package origins qualify, whether the machine may reboot on its own and when) lives in /etc/apt/apt.conf.d/50unattended-upgrades and is worth reviewing once.
sudo apt update && sudo apt install unattended-upgrades
sudo dpkg-reconfigure --priority=low unattended-upgrades
6. Set up a basic firewall with UFW
Allow only the services you need. UFW denies incoming connections by default once enabled, so allow SSH before running ufw enable or you will cut off your own session. OpenSSH is the application profile for port 22; adjust it if sshd listens elsewhere, and drop the HTTP/HTTPS rules on a host that serves no web traffic.
sudo ufw allow OpenSSH
sudo ufw allow 80/tcp
sudo ufw allow 443/tcp
sudo ufw enable
7. Install Fail2Ban for intrusion prevention
Fail2Ban watches the authentication log and temporarily bans source addresses after repeated failed logins. On Ubuntu the sshd jail is enabled as soon as the package is installed; put local overrides (ban time, retry count, addresses that must never be banned) in /etc/fail2ban/jail.local rather than editing jail.conf, which package upgrades overwrite.
sudo apt install fail2ban
sudo systemctl enable --now fail2ban
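What the sshd jail will do is easier to reason about with the rule in front of you. The script below is an added example, not the article's or Fail2Ban's code: it renders a jail.local with a few settings the article leaves at their defaults (ban and find windows, an admin network that is never banned, the journal backend, the aggressive sshd filter mode) and applies the same count-failures-per-source rule to a handful of constructed log lines so you can see which address the jail would ban. The CIDR, the time windows and the log lines are made up for the example.

```shell
#!/usr/bin/env bash
# Added example, not from the original article: a jail.local for the sshd jail
# plus a stand-alone counter that applies the same "maxretry failures per IP"
# rule to log lines, so you can see what the jail would ban before enabling it.
# Assumptions not on the page: the ban/find windows below, an admin network
# given as a CIDR, and fail2ban reading the journal (backend = systemd, which
# needs python3-systemd, installed as a recommended package on Ubuntu).
set -eu

# Print /etc/fail2ban/jail.local. $1 = CIDR that must never be banned (your admin network).
render_jail_local() {
    local admin_cidr="$1"
    cat <<EOF
[DEFAULT]
# Never ban loopback or the network you administer from: a mistyped password
# from your own desk must not lock you out for an hour.
ignoreip = 127.0.0.1/8 ::1 ${admin_cidr}
bantime  = 1h
findtime = 10m
maxretry = 5
# Read sshd messages from the systemd journal instead of /var/log/auth.log.
backend  = systemd

[sshd]
enabled = true
# "aggressive" also matches pre-auth disconnects and other probe patterns
# that the default filter mode ignores.
mode    = aggressive
EOF
}

# Constructed sample log lines (auth.log/journal style, documentation IP ranges).
SAMPLE_AUTH_LOG='Jun 01 10:00:01 srv sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Jun 01 10:00:03 srv sshd[1203]: Failed password for invalid user admin from 203.0.113.7 port 51236 ssh2
Jun 01 10:00:05 srv sshd[1205]: Failed password for root from 203.0.113.7 port 51238 ssh2
Jun 01 10:00:07 srv sshd[1207]: Failed password for root from 203.0.113.7 port 51240 ssh2
Jun 01 10:00:09 srv sshd[1209]: Failed password for ubuntu from 203.0.113.7 port 51242 ssh2
Jun 01 10:01:00 srv sshd[1300]: Failed password for alice from 198.51.100.9 port 40000 ssh2
Jun 01 10:01:04 srv sshd[1302]: Failed password for alice from 198.51.100.9 port 40002 ssh2
Jun 01 10:01:09 srv sshd[1304]: Accepted publickey for alice from 198.51.100.9 port 40004 ssh2: ED25519 SHA256:constructed
Jun 01 10:02:00 srv sshd[1400]: Accepted publickey for bob from 192.0.2.10 port 33000 ssh2: ED25519 SHA256:constructed'

# Print "ip count" for every source with at least $1 failed logins (stdin = log lines).
# This is the rule fail2ban applies, minus the findtime window, which needs timestamps compared.
count_failed_logins() {
    awk -v max="$1" '
        /sshd\[[0-9]+\]: (Failed password|Invalid user)/ {
            for (i = 1; i <= NF; i++) if ($i == "from") fails[$(i + 1)]++
        }
        END { for (ip in fails) if (fails[ip] >= max) printf "%s %d\n", ip, fails[ip] }
    ' | sort
}

# Usage: sudo bash fail2ban-sshd.sh apply 192.0.2.0/24
if [ "${1:-}" = apply ]; then
    render_jail_local "${2:?admin CIDR required}" >/etc/fail2ban/jail.local
    systemctl restart fail2ban
    fail2ban-client status sshd          # shows the log source in use and the current bans
else
    printf '%s\n' "$SAMPLE_AUTH_LOG" | count_failed_logins 5   # -> 203.0.113.7 5
fi
```

With maxretry at 5 only 203.0.113.7 crosses the line; alice's two typos from 198.51.100.9 do not, and her successful key login is not counted at all. After applying, fail2ban-client status sshd confirms the jail is reading the journal and lists banned addresses.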
8. Monitor open ports with ss
Check which ports are listening and, just as important, on which addresses: a service bound to 127.0.0.1 or ::1 is reachable only from the host itself, while 0.0.0.0, * or [::] means every interface. Add -p as root to see the owning process.
ss -tuln
sudo ss -tulnp
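ss -tuln tells you what is listening but not which of it matters. The script below is an added example, not from the article: it takes ss -tulnp output (a constructed sample is embedded, with made-up processes and ports) and keeps only sockets bound to non-loopback addresses, which is the list to compare against your UFW rules.

```shell
#!/usr/bin/env bash
# Added example, not from the original article: run the ss check from step 8
# and keep only listeners reachable from the network, i.e. not bound to a
# loopback address. Assumes the column layout of `ss -tuln` / `ss -tulnp`:
# Netid State Recv-Q Send-Q Local:Port Peer:Port [Process].
set -eu

# Constructed sample output of `sudo ss -tulnp` on a small web host.
SAMPLE_SS='Netid State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
udp   UNCONN 0      0      127.0.0.53%lo:53    0.0.0.0:*         users:(("systemd-resolve",pid=540,fd=13))
tcp   LISTEN 0      4096   127.0.0.1:6379      0.0.0.0:*         users:(("redis-server",pid=901,fd=6))
tcp   LISTEN 0      128    0.0.0.0:22          0.0.0.0:*         users:(("sshd",pid=812,fd=3))
tcp   LISTEN 0      511    *:80                *:*               users:(("nginx",pid=1002,fd=5))
tcp   LISTEN 0      4096   [::1]:5432          [::]:*            users:(("postgres",pid=955,fd=7))
tcp   LISTEN 0      128    [::]:22             [::]:*            users:(("sshd",pid=812,fd=4))'

# Print "proto local:port process" for each socket bound to a non-loopback address (stdin = ss output).
exposed_listeners() {
    awk 'NR > 1 {
        addr = $5; sub(/:[^:]*$/, "", addr)              # strip the port, keep the address part
        if (addr ~ /^127\./ || addr ~ /^\[::1\]$/) next   # loopback: reachable by local processes only
        proc = ($7 != "") ? $7 : "-"                      # plain ss -tuln has no Process column
        print $1, $5, proc
    }'
}

# Usage: sudo ss -tulnp | bash exposed-ports.sh -     (no argument: run against the sample)
if [ "${1:-}" = - ]; then
    exposed_listeners
else
    printf '%s\n' "$SAMPLE_SS" | exposed_listeners
fi
```

On the sample, Redis on 127.0.0.1:6379 and PostgreSQL on [::1]:5432 drop out, leaving sshd on both address families and nginx on *:80, which is exactly the set the UFW rules in step 6 open. Anything else in this list is a service the firewall is either protecting or should be.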
9. Run security audits with Lynis
Lynis scans the system and prints warnings, suggestions and a hardening index; rerun it after each change to confirm the result moved for the right reason. It writes a log to /var/log/lynis.log and a machine-readable report to /var/log/lynis-report.dat, which are handy for comparing runs.
sudo apt install lynis
sudo lynis audit system
10. Track file integrity with AIDE
AIDE records a baseline of file hashes, permissions and ownership and reports deviations from it. Install it and initialise the database (this takes a while on a large filesystem), then move the result into place as the reference copy:
sudo apt install aide
sudo aideinit
sudo cp /var/lib/aide/aide.db.new /var/lib/aide/aide.db
Afterwards run checks with aide.wrapper --check (the package also installs a daily check that mails its findings), regenerate the baseline after legitimate package updates or every apt run will show up as a change, and keep a copy of aide.db somewhere root on this host cannot rewrite it, such as read-only or off-box storage, because an attacker with root can otherwise simply re-initialise it.
These steps map to the guide's sections on SSH hardening, firewall configuration, automated updates, intrusion prevention, service monitoring, auditing and file integrity checks.