Debian / Ubuntu Hardening
We've built a custom cloud-init config to set up basic security hardening on a new server instance by installing and configuring fail2ban and ufw (firewall), applying SSH hardening settings, and rebooting the server to apply changes.
Specific Actions
Package Management
-
Installs
fail2ban(brute-force protection for SSH and other services). -
Installs
ufw(Uncomplicated Firewall). -
Updates the package list.
-
Upgrades all installed packages to the latest version.
Runtime Configuration (runcmd)
-
Writes a minimal configuration file for
fail2banto enable SSH protection and useiptables-multiportfor banning. -
Enables
fail2banservice to start on boot. -
Allows inbound SSH (port 22) through the firewall.
-
Enables
ufwfirewall. -
Applies multiple SSH hardening settings via
sedto modify/etc/ssh/sshd_config:-
Disables keyboard-interactive authentication.
-
Disables challenge-response authentication.
-
Limits maximum authentication attempts to 2.
-
Disables TCP forwarding.
-
Disables X11 forwarding.
-
Disables agent forwarding.
-
-
Reboots the system to apply all changes.
O/S Supported
- Debian 12 (Bookworm)
- Ubuntu 24.04 LTS (Noble Numbat)