Securing Your Ubuntu 22.04 Server

A compact checklist for hardening a fresh Ubuntu 22.04 server. These steps cover the essentials — from SSH lockdown to automatic updates.

SSH

  • Disable password authentication — use key-based auth only:

    PasswordAuthentication no

  • Disable root login:

    PermitRootLogin no

  • Restrict to IPv4 if you don’t need IPv6:

    AddressFamily inet

  • Disable X11 forwarding:

    X11Forwarding no

  • Reload after changes: sudo systemctl reload sshd

Firewall (UFW)

  • Enable UFW and allow only what you need:

    sudo ufw default deny incoming
sudo ufw default allow outgoing
sudo ufw allow 22/tcp
sudo ufw allow 80/tcp
sudo ufw allow 443/tcp
sudo ufw enable

  • Always use protocol-specific rules (22/tcp instead of 22) to avoid opening unnecessary ports.

fail2ban

  • Install and enable:

    sudo apt install fail2ban
sudo systemctl enable fail2ban

  • Create /etc/fail2ban/jail.local with a strict SSH jail:

    [sshd]
enabled = true
mode = aggressive
maxretry = 3
bantime = 7200

  • Depends on rsyslog writing to /var/log/auth.log — make sure it’s running.

Automatic Security Updates

  • Install and enable unattended-upgrades:

    sudo apt install unattended-upgrades
sudo dpkg-reconfigure -plow unattended-upgrades

  • Security patches will be applied automatically without manual intervention.

HTTPS with Let’s Encrypt

  • Install Certbot via Snap:

    sudo snap install --classic certbot
sudo ln -s /snap/bin/certbot /usr/bin/certbot

  • Obtain a certificate:

    sudo certbot --nginx -d yourdomain.com -d www.yourdomain.com

  • Renewal runs automatically via snap.certbot.renew.timer.

nginx Security Headers

Add these to your server block for defense in depth:

add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-Frame-Options "DENY" always;
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
add_header Permissions-Policy "geolocation=(), microphone=(), camera=()" always;

Hide the nginx version:

server_tokens off;

Restrict TLS to modern protocols:

ssl_protocols TLSv1.2 TLSv1.3;

Swap

On low-memory servers, add a swap file as a safety net:

sudo fallocate -l 2G /swapfile
sudo chmod 600 /swapfile
sudo mkswap /swapfile
sudo swapon /swapfile

Make it persistent by adding to /etc/fstab:

/swapfile none swap sw 0 0

Set swappiness low to prefer RAM:

sudo sysctl vm.swappiness=10

Quick Checklist

  • SSH: key-only, no root, no password auth
  • UFW: enabled, only required ports open (tcp/udp specific)
  • fail2ban: active with strict SSH jail
  • unattended-upgrades: enabled
  • HTTPS: Let’s Encrypt with auto-renewal
  • nginx: security headers, version hidden, TLS 1.2+
  • Swap: configured on low-memory servers

Each of these steps reduces your attack surface. Combined, they provide a solid baseline for any Ubuntu 22.04 server exposed to the internet.