How I Do Basic Ubuntu Hardening
I’m currently testing different configurations for virtual machines in my Proxmox setup, and it reminded me of a story I once came across.
I’m not sure if this story is entirely true, but it’s still worth telling.
A few years ago, someone on a small DevOps forum shared a painful story. He had a “temporary” Ubuntu VM running on his home server—nothing public, just a test box behind NAT. He skipped hardening because “it’s not exposed anyway.”
A few weeks later, one misconfigured port forward and a weak SSH setup were all it took. The machine got brute-forced overnight, quietly joined a botnet, and started sending spam. He only noticed when his ISP throttled his connection.
That story stuck with me. Since then, I always do a minimal hardening routine—even for throwaway machines.
Here’s what that looks like.
1. Create a non-root user
First thing: stop using root.
adduser myuser
usermod -aG sudo myuser
2. Set up SSH keys
On your local machine:
ssh-keygen
Copy the public key:
ssh-copy-id myuser@server_ip
Or manually place it in:
~/.ssh/authorized_keys
Make sure permissions are correct:
chmod 700 ~/.ssh
chmod 600 ~/.ssh/authorized_keys
3. Log in as the new user
Reconnect:
ssh myuser@server_ip
Update the system:
sudo apt update && sudo apt upgrade -y
4. Disable root SSH login
Edit:
sudo nano /etc/ssh/sshd_config
Set:
PermitRootLogin no
Restart SSH:
sudo systemctl restart ssh
5. Set hostname properly
Edit:
sudo nano /etc/hostname
Use a fully qualified domain name if possible, for example:
Then update hosts:
sudo nano /etc/hosts
Modify:
127.0.1.1 server.example.com server
6. Reboot
sudo reboot
7. Configure firewall (UFW)
Install and enable:
sudo apt install ufw
sudo ufw allow OpenSSH
sudo ufw enable
8. Install Fail2Ban
sudo apt install fail2ban
Default config already protects SSH reasonably well.
9. Change SSH port
Edit:
sudo nano /etc/ssh/sshd_config
Change:
Port 2222
Update firewall:
sudo ufw allow 2222/tcp
sudo ufw delete allow OpenSSH
Restart SSH:
sudo systemctl restart ssh
Reconnect using:
ssh -p 2222 myuser@server_ip
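A check for the sshd settings from steps 4 and 9, added here as an example and not part of the original post. sshd uses the first value it finds for each keyword, so a PermitRootLogin line placed below an earlier one has no effect. The function names and the sample config are made up for illustration, and the script reads a single file without following Include lines.

```shell
#!/bin/sh
# effective_value FILE KEYWORD
# Print the value sshd would take for KEYWORD from one config file:
# keywords are case-insensitive, the first occurrence wins, and the
# global section ends at the first Match block.
effective_value() {
    awk -v want="$2" '
        BEGIN { want = tolower(want) }
        /^[ \t]*#/ || /^[ \t]*$/ { next }     # skip comments and blank lines
        tolower($1) == "match" { exit }       # stop at per-user/host overrides
        tolower($1) == want { print $2; exit }
    ' "$1"
}

# check_hardening FILE EXPECTED_PORT
# Return 0 only if root login is "no" and the port matches; report each miss.
check_hardening() {
    rc=0
    root=$(effective_value "$1" PermitRootLogin)
    port=$(effective_value "$1" Port)
    # Keywords that are not set fall back to the OpenSSH defaults.
    [ -n "$root" ] || root="prohibit-password"
    [ -n "$port" ] || port=22
    [ "$root" = "no" ] || { echo "FAIL PermitRootLogin=$root"; rc=1; }
    [ "$port" = "$2" ] || { echo "FAIL Port=$port (expected $2)"; rc=1; }
    return $rc
}

# Constructed sample: an earlier "yes" shadows the "no" added further down.
write_sample() {
    cat > "$1" <<'EOF'
# constructed sample, not from a real host
Port 2222
permitrootlogin yes
PermitRootLogin no
Match User backup
    PermitRootLogin forced-commands-only
EOF
}

sample=$(mktemp)
write_sample "$sample"
check_hardening "$sample" 2222 || echo "config needs fixing"
rm -f "$sample"
```

On a live server, sudo sshd -T prints the configuration sshd will actually use, including anything pulled in through Include lines.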
Final thought
None of this is “advanced security.” It won’t stop a determined attacker.
But it will stop the lazy ones, and most attacks are exactly that.
The biggest mistake is assuming your server is “not important enough” to secure. That’s exactly the kind of machine attackers love. It also helps build good habits and operational discipline over time.
Karol Szykula