Server Hardening Checklist for Ubuntu VPS: Best 2026 Guide

Discover the 2026 server hardening checklist for Ubuntu VPS. Learn security tips to protect your server. Get started now!

Modern server room with secure, glowing Ubuntu racks, cybersecurity icons, and a checklist on tablet.

Why Server Hardening Matters for Your Ubuntu VPS

Key Security Risks Facing Ubuntu VPS in 2026

Running a VPS (Virtual Private Server) with Ubuntu is a popular option for hosting websites and apps. However, even the latest Ubuntu versions face risks like hacking attempts, malware, unauthorized access, and data loss. Attackers scan for servers with weak security and exploit them quickly. In 2026, threats are even more advanced with more automated attacks targeting default settings and weak credentials.

Overview of Security Principles and Hardening Benefits

Server hardening means making your VPS stronger by reducing possible attack points. The main principles are: keeping everything up to date, limiting who can access your VPS, using strong passwords or keys, and controlling which services can run. Hardening secures sensitive data, prevents unauthorized changes, and protects your server from being used in attacks on others.

Prerequisites: What You Need Before You Begin Ubuntu VPS Hardening

Supported Ubuntu Versions (Including Ubuntu 24.04 LTS)

This guide is suitable for most supported Ubuntu VPS versions, including Ubuntu 22.04 LTS and the latest Ubuntu 24.04 LTS. The commands and settings are made for these long-term support versions, known for stability and security.

Tools and Access Requirements

  • Ubuntu VPS (with root/sudo access)
  • SSH client (like PuTTY or Terminal)
  • Basic command-line skills
  • At least one non-root user with sudo privileges

Creating a Pre-Hardening Backup

Before making big changes, always back up your server. Use your VPS provider’s snapshot tools or run:

  • sudo tar -czvf /root/backup.tar.gz /etc /var /home
  • Download the backup or store it safely in case you need to restore your settings.

Quick Reference: Complete Ubuntu VPS Hardening Checklist (Downloadable PDF)

How to Use This Checklist

The checklist helps you remember each step. Print the PDF version or keep it open while hardening your VPS. Mark off each item as you finish.

Explanation of Verification Marks

  • ✅ = Step completed
  • 🟡 = Optional/Review
  • ❌ = Not done, needs attention

Step 1: System Update and Patch Management for Ubuntu VPS Security

Enabling Automatic Security Updates

Automatic updates help you get the latest security fixes fast. To enable:

  1. Edit automatic upgrades file:
    sudo nano /etc/apt/apt.conf.d/20auto-upgrades
  2. Set:
    • APT::Periodic::Update-Package-Lists "1";
    • APT::Periodic::Unattended-Upgrade "1";
  3. Save and exit (Ctrl+O, Enter, Ctrl+X)

Manual Update Commands and Best Practices

Always run manual updates before hardening:

  1. sudo apt update
  2. sudo apt upgrade -y
  3. Reboot if the kernel updates: sudo reboot

Verifying Update Status

  • Check if updates are pending: sudo apt list --upgradable
  • Check recent upgrades: grep " upgrade " /var/log/dpkg.log

Step 2: SSH Hardening Checklist for Ubuntu VPS

Disabling Root Login and Password Authentication

  1. Edit SSH settings: sudo nano /etc/ssh/sshd_config
  2. Find and change:
    • PermitRootLogin no
    • PasswordAuthentication no
  3. Restart SSH: sudo systemctl restart sshd

Enforcing SSH Key Authentication

  1. Generate a key on your local machine: ssh-keygen -t ed25519
  2. Upload the key: ssh-copy-id user@your-vps-ip
  3. Test login: ssh user@your-vps-ip

Changing Default SSH Port and Setting Up Firewall Rules

  1. Edit SSH port: sudo nano /etc/ssh/sshd_config then change Port 22 to a less common number (e.g., 2022).
  2. Add the firewall rule: sudo ufw allow 2022/tcp
  3. Restart SSH: sudo systemctl restart sshd

Implementing Multi-Factor Authentication (MFA) for SSH

  1. Install Google Authenticator: sudo apt install libpam-google-authenticator
  2. Run on each user: google-authenticator
  3. Edit /etc/pam.d/sshd and add: auth required pam_google_authenticator.so
  4. In sshd_config, set ChallengeResponseAuthentication yes
  5. Restart SSH: sudo systemctl restart sshd

Example SSH Configuration for Ubuntu 24.04

Sample relevant lines for /etc/ssh/sshd_config:

 Port 2022 PermitRootLogin no PasswordAuthentication no ChallengeResponseAuthentication yes PubkeyAuthentication yes

Step 3: Configuring and Hardening the Ubuntu VPS Firewall (UFW)

Setting Up UFW for Default Deny Policy

  1. Enable UFW: sudo ufw enable
  2. Set default deny:
    • sudo ufw default deny incoming
    • sudo ufw default allow outgoing

Allow-Listing Essential Services

  • For SSH (replace 2022 with your port): sudo ufw allow 2022/tcp
  • For HTTP: sudo ufw allow 80/tcp
  • For HTTPS: sudo ufw allow 443/tcp

Testing Your Firewall Configuration

  1. Check status: sudo ufw status numbered
  2. Test connections from another device to ensure only allowed ports are open.

Step 4: Intrusion Prevention and Monitoring (Fail2Ban & Auditd)

Installing and Configuring Fail2Ban

  1. sudo apt install fail2ban
  2. Copy config file:
    • sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
  3. Edit jail.local to adjust ban times and triggers.
  4. Restart: sudo systemctl restart fail2ban

Setting Up Auditd for System Activity Monitoring

  1. sudo apt install auditd
  2. Start and enable service:
    • sudo systemctl enable --now auditd
  3. To see activities: sudo ausearch -m USER_AUTH

Reviewing and Fine-Tuning Logs

  • Check Fail2Ban bans: sudo fail2ban-client status sshd
  • Read Auditd logs: sudo ausearch
  • Adjust settings if too many false alarms or missed events.

Step 5: Hardening Users, Accounts, and Permissions

Removing Unnecessary Users and Groups

  1. List users: cat /etc/passwd
  2. Remove old or unused accounts:
    sudo deluser username

Enforcing Strong Password Policies

  1. Install password quality checker:
    • sudo apt install libpam-pwquality
  2. Edit /etc/security/pwquality.conf for password rules.

Restricting Use of Sudo and Limiting Privilege Escalation

  1. List sudo users: sudo getent group sudo
  2. Remove unnecessary sudo access: sudo deluser username sudo

Detecting and Fixing Insecure File Permissions

  • Find world-writable files: sudo find / -type f -perm -o+w
  • Fix permissions as needed: sudo chmod o-w /path/to/file

Step 6: Securing System Services and Reducing Attack Surface

Identifying and Disabling Unneeded Services and Daemons

  1. List running services: sudo systemctl list-units --type=service
  2. Disable unnecessary ones:
    sudo systemctl disable --now service_name

Using AppArmor to Confine Critical Applications

  1. Check AppArmor status: sudo aa-status
  2. Enable & load profiles:
    • sudo systemctl enable --now apparmor
  3. Place critical services (like nginx, mysql) in enforce mode using included profiles.

Kernel Parameter Hardening with sysctl

  1. Edit settings: sudo nano /etc/sysctl.conf
  2. Add or update:
    • net.ipv4.conf.all.rp_filter=1
    • net.ipv4.tcp_syncookies=1
    • kernel.randomize_va_space=2
  3. Apply changes: sudo sysctl -p

Step 7: Advanced Hardening Tips and Automation

Scripting the Hardening Process (with Example Scripts)

Automate repeated tasks using scripts. Save commands in a text file, make executable (chmod +x harden.sh), then run ./harden.sh as needed. Always test scripts on a test server first.

Using Security Benchmarks and Compliance Tools

  • Check your server using lynis or cis-cat for a full audit and hardening suggestions:
  • sudo apt install lynis
  • sudo lynis audit system

Preparing for Ongoing Maintenance and Security Checks

  • Create a habit of checking logs and user lists weekly.
  • Enable email alerts for system warnings.
  • Keep up-to-date on Ubuntu security advisories.

Verification: How to Validate Your Ubuntu VPS Hardening Steps

Manual Verification Commands

  • Check open ports: sudo ss -tulnp
  • Review SSH security: sshd -T | grep -E 'permitrootlogin|passwordauthentication'
  • Firewall and service status: sudo ufw status, sudo systemctl status service

Using Automated Tools to Audit Your Hardening

  • Scan config with lynis: sudo lynis audit system
  • Review audit logs for warnings and suggestions.

Download: Printable Server Hardening Checklist for Ubuntu VPS (2026 Edition)

Get the downloadable PDF version of the Ubuntu VPS Hardening Checklist. Use it offline to track your progress step by step.

FAQ: Server Hardening for Ubuntu VPS – Common Questions Answered

  • Q: What if I lock myself out after changing SSH settings?
  • A: Use your host’s console access to fix the config or reset the firewall.
  • Q: Why block unused ports?
  • A: Each open port is a door into your system. Fewer open doors mean fewer ways in for attackers.
  • Q: Can I skip steps?
  • A: Some steps are optional (e.g., MFA) but skipping key steps weakens your security.
  • Q: What is the difference between fail2ban and auditd?
  • A: Fail2Ban blocks suspicious logins; Auditd records all key server actions for review.

Summary: Key Takeaways and Next Steps

  • Hardening your Ubuntu VPS is critical in 2026 to protect from advanced cyber threats.
  • Start with updates, strong SSH settings, and a strict firewall.
  • Check users, lock permissions, and use intrusion prevention tools.
  • Automate and check your setup often—security is an ongoing process.
  • Download the checklist PDF and keep learning for even better protection.