Ubuntu Server 24.04 fresh-install hardening checklist
May 16, 2026 · 1 min read · by Sudhanshu K.
Every Ubuntu 24.04 host that joins our managed fleet goes through the same hardening pass before any workload is allowed to land on it. The defaults out of the cloud image are decent — they were not decent five years ago — but "decent" isn't a security baseline. There's a small set of changes that materially shift the threat model, and an even smaller set of additions that catch the rare incident when something gets through anyway.
This is the checklist we run as an Ansible role on every new host.
The first-hour pass
# SSH — keys only, restrict ciphers, disable root + password
sed -i 's/^#PermitRootLogin.*/PermitRootLogin no/' /etc/ssh/sshd_config
sed -i 's/^#PasswordAuthentication.*/PasswordAuthentication no/' /etc/ssh/sshd_config
# Drop-in named 00-* so it sorts ahead of cloud-init's 50-cloud-init.conf; sshd keeps the first value it reads
cat >> /etc/ssh/sshd_config.d/00-hardening.conf <<EOF
KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com
EOF
# Validate the config before restarting; a typo here locks you out of the only remaining path in
sshd -t && systemctl restart ssh
# UFW — deny by default, allow only what's needed
ufw default deny incoming
ufw default allow outgoing
ufw allow from <bastion-cidr> to any port 22
ufw enable
# fail2ban — SSH brute force jail
apt install -y fail2ban
systemctl enable --now fail2ban

After this, the host is reachable only via the bastion, only with SSH keys, only on modern ciphers.
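One check worth running right after the SSH block, added here as an example and not part of the checklist itself: verify the effective sshd configuration from `sshd -T` output instead of trusting the edited files, because the 24.04 sshd_config starts with `Include /etc/ssh/sshd_config.d/*.conf` and sshd keeps the first value it sees for a keyword, so a drop-in can silently win over a sed edit to the main file. The function names and the file argument are our own.

```shell
#!/bin/sh
# Check the effective sshd settings reported by `sshd -T` against the checklist.
# Usage on a host (as root):  sshd -T > /tmp/sshd-effective.txt
#                             check_sshd_effective /tmp/sshd-effective.txt
# Exit status 0 means every expected setting is in effect; each mismatch is printed.

# Expected values, taken from the hardening block above.
WANT_PERMITROOTLOGIN="no"
WANT_PASSWORDAUTH="no"
WANT_KEX="curve25519-sha256,curve25519-sha256@libssh.org"
WANT_CIPHERS="chacha20-poly1305@openssh.com,aes256-gcm@openssh.com"
WANT_MACS="hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com"

# effective_value FILE KEYWORD -> prints the value sshd -T reports for KEYWORD.
# sshd -T prints lower-cased keywords, one "keyword value" per line.
effective_value() {
    awk -v k="$2" 'tolower($1) == k { $1 = ""; sub(/^ /, ""); print; exit }' "$1"
}

# check_one FILE KEYWORD EXPECTED -> 0 if the effective value matches exactly.
# An exact match matters for the algorithm lists: an extra entry means the
# restriction did not take, even if the ones we want are present.
check_one() {
    got=$(effective_value "$1" "$2")
    if [ "$got" = "$3" ]; then
        return 0
    fi
    printf 'FAIL %s: want "%s", got "%s"\n' "$2" "$3" "${got:-<unset>}" >&2
    return 1
}

# check_sshd_effective FILE -> 0 only if every expected setting is in effect.
check_sshd_effective() {
    rc=0
    check_one "$1" permitrootlogin        "$WANT_PERMITROOTLOGIN" || rc=1
    check_one "$1" passwordauthentication "$WANT_PASSWORDAUTH"    || rc=1
    check_one "$1" kexalgorithms          "$WANT_KEX"             || rc=1
    check_one "$1" ciphers                "$WANT_CIPHERS"         || rc=1
    check_one "$1" macs                   "$WANT_MACS"            || rc=1
    return $rc
}

# Run against a captured `sshd -T` file when one is given on the command line.
if [ "$#" -gt 0 ]; then
    check_sshd_effective "$1"
fi
```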
The full write-up covers:
- AppArmor profiles in enforce mode (the defaults that should be on)
- auditd configuration — file integrity for /etc, /usr/sbin, syscall monitoring
- The kernel sysctl hardening pass (net.ipv4.tcp_syncookies, rp_filter, etc.)
- needrestart for catching services that still need a restart, or a reboot, after an upgrade
- chrony for time sync (because Kerberos and TLS depend on it)
- The host-inventory beacon that auto-registers the host with our config management
We run this checklist on every Ubuntu 24.04 host on day zero.