Why Hardening Matters on a Public VPS

Every Ubuntu VPS with a public IP faces continuous automated scanning. SSH brute-force attempts, exposed admin panels, and unpatched services are the top causes of compromise. This checklist covers the controls you should apply on Ubuntu 22.04 LTS and Ubuntu 24.04 LTS within the first hour of provisioning.

1. Patch the System and Enable Auto-Updates

Start with a full upgrade and configure unattended security updates:

apt update && apt full-upgrade -y
apt install -y unattended-upgrades apt-listchanges
dpkg-reconfigure --priority=low unattended-upgrades

Edit /etc/apt/apt.conf.d/50unattended-upgrades and enable automatic reboots during a maintenance window:

Unattended-Upgrade::Automatic-Reboot "true";
Unattended-Upgrade::Automatic-Reboot-Time "03:30";

2. SSH Hardening

SSH is the first door attackers knock on. Lock it down in /etc/ssh/sshd_config:

PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
PermitEmptyPasswords no
MaxAuthTries 3
ClientAliveInterval 300
ClientAliveCountMax 2
AllowUsers deploy
# Protocol 2 is the only protocol OpenSSH on 22.04/24.04 supports; the directive is a no-op there and can be omitted

Use Ed25519 keys on the client side:

ssh-keygen -t ed25519 -C "admin@example.com"

Validate the file with sshd -t, reload SSH with systemctl reload ssh, and always test a fresh login from a second session before disconnecting the one you are in.
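One caveat worth checking before you trust the edits above: Ubuntu 22.04 and 24.04 ship /etc/ssh/sshd_config with "Include /etc/ssh/sshd_config.d/*.conf" as its first line, and sshd keeps the first value it reads for a keyword, so a drop-in such as 50-cloud-init.conf that says "PasswordAuthentication yes" silently wins over the "PasswordAuthentication no" you wrote further down in the main file. On a live host, sshd -T prints the resolved values. The script below is an added example, not code from the article or from OpenSSH; it performs the same first-match resolution on any copy of the files (a backup, a staged image) and reports required directives whose effective value is wrong. It assumes absolute Include patterns and, as a simplification, resolves relative ones against the directory of the file being read rather than /etc/ssh.

```shell
#!/bin/sh
# Added example (not from the article): resolve effective sshd settings the way
# sshd does (first occurrence wins, Include expanded in place) and audit them.

# Keyword=value pairs the checklist requires, lower-cased.
REQUIRED="permitrootlogin=no passwordauthentication=no pubkeyauthentication=yes permitemptypasswords=no maxauthtries=3"

# expand_sshd_config FILE: print "keyword args" lines in the order sshd reads them.
# Comments and blank lines are dropped; lines inside a conditional "Match" block
# are skipped until a "Match all" line returns to global scope.
expand_sshd_config() {
  file=$1
  in_match=0
  [ -r "$file" ] || return 0
  while IFS= read -r line || [ -n "$line" ]; do
    line=${line%%#*}
    set -f; set -- $line; set +f        # split into words without glob expansion
    [ $# -ge 2 ] || continue
    key=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]'); shift
    case $key in
      match)
        rest=$(printf '%s' "$*" | tr '[:upper:]' '[:lower:]')
        if [ "$rest" = all ]; then in_match=0; else in_match=1; fi ;;
      include)
        for pattern in "$@"; do
          # Simplification: sshd resolves relative patterns against /etc/ssh;
          # here they are resolved against the including file's directory.
          case $pattern in /*) ;; *) pattern="$(dirname "$file")/$pattern" ;; esac
          for inc in $pattern; do           # glob expansion happens here
            ( expand_sshd_config "$inc" )   # subshell keeps our variables intact
          done
        done ;;
      *)
        if [ "$in_match" -eq 0 ]; then printf '%s %s\n' "$key" "$*"; fi ;;
    esac
  done < "$file"
}

# effective_value KEYWORD FILE: the first value sshd would see, lower-cased ("" if unset).
effective_value() {
  expand_sshd_config "$2" | awk -v k="$1" '$1 == k { print tolower($2); exit }'
}

# audit_sshd_config [FILE]: print one line per required directive whose effective
# value differs from the checklist; returns 1 if any mismatch was found.
audit_sshd_config() {
  cfg=${1:-/etc/ssh/sshd_config}
  rc=0
  for pair in $REQUIRED; do
    key=${pair%%=*}; want=${pair#*=}
    got=$(effective_value "$key" "$cfg")
    if [ "$got" != "$want" ]; then
      printf '%s: want %s, got %s\n' "$key" "$want" "${got:-<unset>}"
      rc=1
    fi
  done
  return $rc
}

# Run the audit when a config path is given, e.g.: sh audit_sshd.sh /etc/ssh/sshd_config
if [ $# -gt 0 ]; then audit_sshd_config "$1"; fi
```

A clean result prints nothing and exits 0; a cloud-init drop-in that re-enables passwords shows up as "passwordauthentication: want no, got yes". The fix is to override it in a drop-in that sorts earlier (for example /etc/ssh/sshd_config.d/00-hardening.conf) or to remove the offending file, not to edit the main file again.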

3. Firewall Rules with UFW

Default deny incoming, allow only required services:

ufw default deny incoming
ufw default allow outgoing
ufw limit 22/tcp
ufw allow 80,443/tcp
ufw enable

The limit rule throttles repeat connection attempts - a lightweight second layer alongside Fail2ban. Review active rules with ufw status numbered.

4. Install Fail2ban

Fail2ban parses logs and bans abusive IPs:

apt install -y fail2ban
cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local

In /etc/fail2ban/jail.local under [sshd]:

enabled = true
maxretry = 4
findtime = 10m
bantime = 1h

Restart: systemctl restart fail2ban. Check banned IPs with fail2ban-client status sshd.
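To see what the sshd jail above is reacting to, it helps to reproduce its counting by hand. The function below is an added example, not part of the article or of Fail2ban: it matches the same "Failed password" lines the sshd filter keys on, tallies them per source address, and prints the sources that reached maxretry. The log lines are constructed for the example; on a real host feed it /var/log/auth.log, or on 24.04 the output of journalctl -u ssh. It counts over the whole input, whereas Fail2ban additionally restricts the count to the findtime window.

```shell
#!/bin/sh
# Added example (not from the article): count failed SSH logins per source,
# the way the Fail2ban sshd filter does before applying findtime/bantime.

# Constructed sample of auth.log lines (documentation IP ranges, fake PIDs).
SAMPLE_AUTH_LOG='Mar  3 03:12:01 vps sshd[2201]: Failed password for root from 203.0.113.7 port 50122 ssh2
Mar  3 03:12:03 vps sshd[2201]: Failed password for root from 203.0.113.7 port 50122 ssh2
Mar  3 03:12:05 vps sshd[2203]: Failed password for invalid user admin from 203.0.113.7 port 50130 ssh2
Mar  3 03:12:07 vps sshd[2205]: Failed password for invalid user oracle from 203.0.113.7 port 50141 ssh2
Mar  3 03:13:10 vps sshd[2210]: Accepted publickey for deploy from 198.51.100.20 port 41002 ssh2
Mar  3 03:14:00 vps sshd[2215]: Failed password for deploy from 198.51.100.20 port 41010 ssh2
Mar  3 03:15:22 vps sshd[2220]: Invalid user git from 192.0.2.44 port 60001
Mar  3 03:15:24 vps sshd[2220]: Failed password for invalid user git from 192.0.2.44 port 60001 ssh2'

# failed_ssh_sources MAXRETRY < log: print "ip count" for every source whose
# failed-password count reached MAXRETRY, sorted by address.
failed_ssh_sources() {
  awk -v max="$1" '
    /sshd\[[0-9]+\]: Failed password for/ {
      # the source address is the token after "from", whatever the user part looks like
      for (i = 1; i <= NF; i++) if ($i == "from") { ip = $(i + 1); break }
      n[ip]++
    }
    END { for (ip in n) if (n[ip] >= max) print ip, n[ip] }
  ' | sort
}

# Example run against the constructed sample with the jail's maxretry of 4:
printf '%s\n' "$SAMPLE_AUTH_LOG" | failed_ssh_sources 4
```

With maxretry = 4 only 203.0.113.7 is reported; the single failure from the legitimate deploy host and the one from 192.0.2.44 stay below the threshold, which is the point of not setting maxretry too low.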

5. Kernel and Sysctl Hardening

Add protective kernel parameters in /etc/sysctl.d/99-hardening.conf:

net.ipv4.conf.all.rp_filter = 1
net.ipv4.tcp_syncookies = 1
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.all.accept_source_route = 0
net.ipv6.conf.all.accept_redirects = 0
kernel.randomize_va_space = 2
fs.protected_hardlinks = 1
fs.protected_symlinks = 1

Apply with sysctl -p /etc/sysctl.d/99-hardening.conf (or sysctl --system to load every drop-in in the same order the boot-time service uses).
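sysctl -p applies that one file now, but at boot systemd-sysctl reads every file under /etc/sysctl.d and the other sysctl.d directories in lexical filename order, with later files overriding earlier ones, so a value can be quietly changed by another drop-in. The reliable check is to compare the file against what the kernel actually holds in /proc/sys. The function below is an added example, not from the article: it parses key = value lines from a sysctl conf file and reads the matching /proc/sys entry. The optional second argument (assumed here for testability) points it at a constructed directory tree instead of /proc/sys.

```shell
#!/bin/sh
# Added example (not from the article): verify a sysctl drop-in against the
# running kernel's /proc/sys values.

# check_sysctl_conf CONF [ROOT]: print "key expected actual" for every mismatch
# (actual is <missing> when the key does not exist); returns 1 if any mismatch.
# ROOT defaults to /proc/sys; pass another directory to test against a fake tree.
check_sysctl_conf() {
  conf=$1; root=${2:-/proc/sys}; rc=0
  while IFS= read -r line || [ -n "$line" ]; do
    line=${line%%#*}                                   # drop comments
    case $line in *=*) ;; *) continue ;; esac          # skip blank / non-assignment lines
    key=$(printf '%s\n' "${line%%=*}" | tr -d '[:space:]')
    want=$(printf '%s\n' "${line#*=}" | sed 's/^[[:space:]]*//; s/[[:space:]]*$//')
    path="$root/$(printf '%s\n' "$key" | tr . /)"      # net.ipv4.x -> ROOT/net/ipv4/x
    if [ ! -r "$path" ]; then
      printf '%s %s <missing>\n' "$key" "$want"; rc=1; continue
    fi
    # multi-value keys are tab separated in /proc/sys; normalise to single spaces
    got=$(tr -s '[:space:]' ' ' < "$path" | sed 's/ $//')
    if [ "$got" != "$want" ]; then
      printf '%s %s %s\n' "$key" "$want" "$got"; rc=1
    fi
  done < "$conf"
  return $rc
}

# Example: check the checklist's drop-in on a live host (needs the file to exist).
if [ -r /etc/sysctl.d/99-hardening.conf ]; then
  check_sysctl_conf /etc/sysctl.d/99-hardening.conf
fi
```

Run it after sysctl -p and again after the next reboot; a mismatch on the second run means another file in the sysctl.d search path is overriding the hardening value.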

6. Audit Running Services

Reduce attack surface by disabling anything unused:

systemctl list-units --type=service --state=running
ss -tulpn

Common services to review: rpcbind, avahi-daemon, cups, legacy MTAs. Disable with systemctl disable --now <service>.
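Reading ss -tulpn by eye works once; keeping the server clean over time is easier with an allow-list. The function below is an added example, not from the article: it parses ss -tulpn output, ignores loopback-only listeners (UFW never exposes those) and reports any wildcard-bound port that is not in ALLOWED_PORTS, together with the owning process. The ss output here is constructed to resemble a freshly provisioned box; on a live host pipe ss -tulpnH into it.

```shell
#!/bin/sh
# Added example (not from the article): flag listening sockets that are exposed
# on all interfaces but not on the allow-list.

ALLOWED_PORTS="22 80 443"

# Constructed ss -tulpn output (fake PIDs); note the loopback-only mysqld and resolver.
SAMPLE_SS='tcp   LISTEN 0      128          0.0.0.0:22        0.0.0.0:*    users:(("sshd",pid=612,fd=3))
tcp   LISTEN 0      511          0.0.0.0:80        0.0.0.0:*    users:(("nginx",pid=901,fd=6))
tcp   LISTEN 0      511          0.0.0.0:443       0.0.0.0:*    users:(("nginx",pid=901,fd=7))
tcp   LISTEN 0      4096       127.0.0.1:3306      0.0.0.0:*    users:(("mysqld",pid=1044,fd=21))
tcp   LISTEN 0      4096         0.0.0.0:111       0.0.0.0:*    users:(("rpcbind",pid=455,fd=4))
udp   UNCONN 0      0            0.0.0.0:5353      0.0.0.0:*    users:(("avahi-daemon",pid=470,fd=12))
tcp   LISTEN 0      128             [::]:22           [::]:*    users:(("sshd",pid=612,fd=4))
udp   UNCONN 0      0          127.0.0.54:53        0.0.0.0:*    users:(("systemd-resolve",pid=402,fd=15))'

# unexpected_listeners < ss-output: print "proto port process" for each socket bound
# to a wildcard address (0.0.0.0, [::], *) whose port is not in ALLOWED_PORTS.
unexpected_listeners() {
  awk -v allowed="$ALLOWED_PORTS" '
    BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    NF >= 5 {
      la = $5                                   # e.g. 0.0.0.0:22, [::]:22, 127.0.0.1:3306
      port = la; sub(/.*:/, "", port)           # text after the last colon
      addr = la; sub(/:[^:]*$/, "", addr)       # text before the last colon
      if (addr != "0.0.0.0" && addr != "[::]" && addr != "*") next   # not exposed
      if (port in ok) next                                           # allowed
      proc = "-"
      if (match($0, /users:\(\("[^"]+"/)) proc = substr($0, RSTART + 9, RLENGTH - 10)
      print $1, port, proc
    }' | sort -u
}

# Example run against the constructed sample:
printf '%s\n' "$SAMPLE_SS" | unexpected_listeners
```

Against the sample this reports rpcbind on tcp/111 and avahi-daemon on udp/5353, the two services the section above singles out; mysqld stays quiet because it listens on 127.0.0.1 only. Anything reported should either be disabled with systemctl disable --now or consciously added to the allow-list and the UFW rules.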

7. User and Sudo Policy

Enforce strong password policies for the few local accounts you keep:

apt install -y libpam-pwquality
# Edit /etc/security/pwquality.conf: minlen = 14, dcredit = -1, ucredit = -1

Grant sudo only through group membership (usermod -aG sudo deploy) and require a password for sudo escalation. Avoid NOPASSWD entries on production systems.

8. File Integrity and Auditing

Install AIDE for file integrity monitoring and auditd for syscall logging:

apt install -y aide auditd
aideinit
mv /var/lib/aide/aide.db.new /var/lib/aide/aide.db
systemctl enable --now auditd

Schedule a weekly AIDE check via cron - see our cron jobs guide for timing patterns.

9. Two-Factor SSH (Optional)

For extra protection on bastion hosts, add TOTP:

apt install -y libpam-google-authenticator
google-authenticator

Configure /etc/pam.d/sshd and sshd_config to require both a key and a TOTP code.

10. Logging and Alerting

Centralize logs off-box with rsyslog, Vector, or journald forwarding. An attacker who roots the box will rewrite local logs, so remote copies are the only reliable audit trail.

Layer        Control
Network      UFW + DDoS protection
Access       SSH keys, Fail2ban, 2FA
System       Auto-updates, sysctl hardening
Monitoring   auditd, AIDE, remote syslog

Ongoing Operations

Hardening is never "done". Review CVE feeds, rotate keys quarterly, and rehearse incident response. For the full base setup that precedes this checklist, see our Ubuntu VPS setup guide.

Running production Ubuntu servers? MassiveGRID's Cloud VPS provides NVMe storage, integrated DDoS protection, and a full security overview with ISO 27001 certified data centers. Contact our team to discuss hardening for regulated workloads.

Published by MassiveGRID - cloud hosting with 24/7 NOC and SOC monitoring across four global regions.