Learn how we secure Ubuntu 24.04 LTS servers for production use. This guide covers SSH hardening, firewall configuration, automated security updates, kernel tuning, and operational best practices for reliable deployments.
Ubuntu 24.04 LTS is designed for long-term stability and enterprise workloads. However, a default installation is intentionally permissive and must be hardened before being used in production environments.
This guide documents a practical and current security baseline for Ubuntu 24.04 servers deployed in production. The objective is to reduce attack surface, enforce access control, apply system hardening, and establish a reliable operational standard suitable for business-critical workloads.
All steps described below reflect widely accepted industry practices and are compatible with modern infrastructure, compliance requirements, and automated security assessments.
Prerequisites
Before we begin, ensure we have the following:
- An Ubuntu 24.04 on dedicated server or KVM VPS.
- Basic Linux Command Line Knowledge.
Learn how to secure Ubuntu 24.04 server for production environments
Step 1: Apply System Updates
The first step after provisioning a server is to ensure all packages and security patches are current.
sudo apt update
sudo apt full-upgrade -y
sudo reboot
Keeping the operating system fully updated ensures that known vulnerabilities are addressed and that the system is running the latest supported kernel and libraries.
Step 2: Create a Dedicated Administrative User
Production servers should not be operated directly as the root user. A dedicated administrative account provides controlled access and improves auditability.
sudo adduser adminuser
sudo usermod -aG sudo adminuser
After creation, log in using the new account and reserve root access for explicit administrative actions only.
Step 3: Secure SSH Access
SSH is the primary remote access mechanism and must be hardened to prevent unauthorized entry.
Edit the SSH configuration file:
sudo nano /etc/ssh/sshd_config
Apply the following settings:
Port 2222
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
AllowUsers adminuser
Restart the SSH service:
sudo systemctl restart ssh
These changes restrict access to approved users, enforce key-based authentication, and reduce exposure to automated scanning.
Step 4: Configure SSH Key Authentication
Generate an SSH key pair on the local system and copy the public key to the server.
ssh-keygen -t ed25519
ssh-copy-id -p 2222 adminuser@server_ip
Confirm that SSH access functions correctly using the key before continuing. Key-based authentication is the standard for secure administrative access in production environments.
Step 5: Enable and Configure the Firewall
Ubuntu includes Uncomplicated Firewall (UFW), which should be enabled to control inbound traffic.
sudo ufw default deny incoming
sudo ufw default allow outgoing
sudo ufw allow 2222/tcp
sudo ufw enable
Verify firewall status:
sudo ufw status verbose
Only services that are explicitly required should be accessible from external networks.
Step 6: Install Fail2Ban
Fail2Ban provides automated protection against repeated authentication attempts and common intrusion patterns.
sudo apt install fail2ban -y
Create a local configuration file:
sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
Edit the configuration to enable SSH monitoring:
[sshd]
enabled = true
port = 2222
Restart the service:
sudo systemctl restart fail2ban
This adds an additional layer of protection for exposed services.
Step 7: Enable Automatic Security Updates
To ensure timely application of security patches, automatic updates should be enabled.
sudo apt install unattended-upgrades -y
sudo dpkg-reconfigure unattended-upgrades
This configuration allows critical security updates to be applied without manual intervention while maintaining system stability.
Step 8: Review and Disable Unnecessary Services
Only required services should be running on a production server.
List enabled services:
systemctl list-unit-files --type=service --state=enabled
Disable services that are not part of the deployment architecture:
sudo systemctl disable service_name
sudo systemctl stop service_name
This reduces resource usage and limits potential exposure.
Step 9: Apply Kernel and Network Hardening
System-level hardening improves resilience against network-based and memory-related attacks.
Edit the system configuration:
sudo nano /etc/sysctl.conf
Add or verify the following parameters:
net.ipv4.ip_forward=0
net.ipv4.conf.all.accept_redirects=0
net.ipv4.conf.all.send_redirects=0
net.ipv4.conf.all.accept_source_route=0
net.ipv4.tcp_syncookies=1
kernel.randomize_va_space=2
Apply the configuration:
sudo sysctl -p
These settings align with recommended Linux security baselines.
Step 10: Ensure Accurate Time Synchronization
Consistent timekeeping is required for logging, authentication, and security audits.
Verify time synchronization:
timedatectl
Enable NTP if not already active:
sudo timedatectl set-ntp true
Step 11: Verify AppArmor Enforcement
Ubuntu 24.04 includes AppArmor as its mandatory access control framework.
Check status:
sudo aa-status
Ensure active profiles are running in enforcing mode. AppArmor limits the scope of potential application-level compromises.
Step 12: Configure Persistent Logging
Persistent logs are required for operational monitoring and incident analysis.
sudo mkdir -p /var/log/journal
sudo systemctl restart systemd-journald
This ensures system logs remain available across reboots.
Step 13: Establish Ongoing Security Practices
Production security requires continuous attention. Recommended operational practices include:
- Regular system updates and patch reviews
- Periodic access and key rotation audits
- Centralized log monitoring
- Scheduled vulnerability assessments
Ubuntu 24.04 provides a stable and secure foundation. Long-term reliability depends on consistent operational discipline.
Conclusion
This guide establishes a clear, production-ready security baseline for Ubuntu 24.04 servers. The configurations outlined here are suitable for enterprise deployments, customer-facing services, and compliance-oriented environments.
A secure server is not defined by a single configuration step, but by a structured approach, controlled access, and ongoing maintenance. This is the standard expected for modern production infrastructure.
