Hardening an Ubuntu server involves a series of configuration adjustments to enhance security and performance. The first step secures shared memory by setting stricter mount options on `/run/shm`, preventing unauthorized code execution from that file system. Next, network-level hardening is done with `sysctl` by enabling protections against IP spoofing and SYN flood attacks and by disabling unnecessary routing and packet forwarding, effectively locking down the system's exposure to network threats. Setting the correct timezone ensures consistent logging and system behavior, especially in environments where accurate timestamps are critical.

System performance tuning follows, using both manual `sysctl` tweaks and the `tuned` utility. `sysctl` allows for deeper kernel-level optimization such as increasing buffer sizes and file handle limits, while `tuned` applies system-wide profiles such as `throughput-performance` to improve efficiency. Adding the `noatime` flag to the file system mount options reduces disk I/O overhead by preventing unnecessary metadata writes. Lastly, managing swap space with a dedicated file, along with tuning `swappiness` and `vfs_cache_pressure`, helps balance memory usage and prolongs hardware lifespan by reducing excessive swapping and memory strain.
## 1. Harden Shared Memory (`/run/shm`)

Back up and edit `/etc/fstab`:

```bash
sudo cp /etc/fstab /etc/fstab.bak
sudo vi /etc/fstab
```

Add one of these lines at the bottom:

```
none /run/shm tmpfs defaults,ro 0 0
# If read-only causes issues, use this instead:
# none /run/shm tmpfs rw,noexec,nosuid,nodev 0 0
```

- `ro` = read-only
- `noexec`, `nosuid`, `nodev` = disable execution, SUID, and device files

On recent Ubuntu releases `/run/shm` is a symlink to `/dev/shm`; check which path is the real mount point in `/proc/mounts` before editing, so the new options apply to the tmpfs that is actually mounted.

Reboot to apply changes:

```bash
sudo reboot
```

Verify the mount:

```bash
mount | grep /run/shm
```

Look for:

```
none on /run/shm type tmpfs (ro,relatime)
```

or the alternative options if used.
## 2. Harden the Network Layer with Sysctl

View all kernel parameters:

```bash
sudo sysctl -a
```

Back up and edit `sysctl.conf`:

```bash
cd /etc
sudo cp sysctl.conf sysctl.conf.bak
sudo nano /etc/sysctl.conf
```

Add or uncomment these security-related settings:

```
# IP Spoofing protection
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1

# Block SYN attacks
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_max_syn_backlog = 2048
net.ipv4.tcp_synack_retries = 2
net.ipv4.tcp_syn_retries = 5

# Disable routing (server only)
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0

# Do not accept source routed packets
net.ipv4.conf.all.accept_source_route = 0
net.ipv6.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv6.conf.default.accept_source_route = 0
```

Apply the changes:

```bash
sudo sysctl -p
```
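The following POSIX shell helper is an added example, not part of the original guide: it audits the mount options from section 1 and the `sysctl` values from section 2 by parsing `/proc/mounts`-style and `sysctl -a`-style text, and the same two functions also cover the later `noatime` and `vm.swappiness` checks. The sample mount and sysctl lines embedded in it are constructed for the demonstration.

```shell
#!/bin/sh
# Audit helper (added example, not from the guide): checks a /proc/mounts
# listing and a sysctl dump for the settings this guide applies.
# Live use:  mount_has_opts /run/shm noexec,nosuid,nodev < /proc/mounts
#            sysctl -a 2>/dev/null | sysctl_is net.ipv4.tcp_syncookies 1

# mount_has_opts MOUNTPOINT OPT1,OPT2,...   (reads /proc/mounts format on stdin)
# Returns 0 when MOUNTPOINT is mounted and carries every listed option.
mount_has_opts() {
    mp=$1; want=$2
    # field 2 is the mount point, field 4 the comma-separated option list;
    # tail keeps the most recent entry if the path was mounted more than once
    opts=$(awk -v mp="$mp" '$2 == mp { print $4 }' | tail -n 1)
    [ -n "$opts" ] || return 1
    for o in $(printf '%s' "$want" | tr ',' ' '); do
        case ",$opts," in
            *",$o,"*) ;;
            *) return 1 ;;
        esac
    done
    return 0
}

# sysctl_is KEY EXPECTED   (reads "key = value" lines, as printed by sysctl -a, on stdin)
sysctl_is() {
    key=$1; expect=$2
    val=$(awk -F' = ' -v k="$key" '$1 == k { print $2 }' | tail -n 1)
    [ "$val" = "$expect" ]
}

# Constructed sample data for the demonstration (not real system output).
SAMPLE_MOUNTS='none /run/shm tmpfs rw,nosuid,nodev,noexec,relatime 0 0
/dev/vda1 / ext4 rw,relatime,errors=remount-ro 0 1'
SAMPLE_SYSCTL='net.ipv4.tcp_syncookies = 1
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.all.accept_source_route = 0
vm.swappiness = 60'

# report CHECK ARGS...: print OK/FAIL without aborting the run
report() { if "$@"; then echo "OK   $*"; else echo "FAIL $*"; fi; }

printf '%s\n' "$SAMPLE_MOUNTS" | report mount_has_opts /run/shm noexec,nosuid,nodev
printf '%s\n' "$SAMPLE_MOUNTS" | report mount_has_opts / noatime
printf '%s\n' "$SAMPLE_SYSCTL" | report sysctl_is net.ipv4.tcp_syncookies 1
printf '%s\n' "$SAMPLE_SYSCTL" | report sysctl_is vm.swappiness 5
```

Against the sample data the run reports OK for the `/run/shm` options and `tcp_syncookies`, and FAIL for the missing `noatime` on `/` and for `vm.swappiness` still at 60.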
## 3. Manage Timezone

Show current timezone:

```bash
sudo timedatectl
```

List available timezones:

```bash
sudo timedatectl list-timezones
```

Search for a city (replace `city` with the name you are looking for):

```bash
sudo timedatectl list-timezones | grep city
```

Set timezone examples:

```bash
sudo timedatectl set-timezone Africa/Johannesburg
sudo timedatectl set-timezone Asia/Jakarta
```
## 4. More Sysctl Tweaks for Performance

Edit `/etc/sysctl.conf` and add:

```
# Increase ports range
net.ipv4.ip_local_port_range = 1024 65535

# File handles and core dumps
fs.file-max = 2097152
fs.suid_dumpable = 0

# Connection backlog
net.core.somaxconn = 65535
net.core.netdev_max_backlog = 262144

# Memory buffers
net.core.optmem_max = 25165824

# Send/receive buffers
net.core.rmem_default = 31457280
net.core.rmem_max = 67108864
net.core.wmem_default = 31457280
net.core.wmem_max = 67108864
```

Apply with:

```bash
sudo sysctl -p
```
## 5. Install and Use Tuned for System Tuning

Install Tuned:

```bash
sudo apt update
sudo apt install tuned
```

List profiles:

```bash
sudo tuned-adm list
```

Show active profile:

```bash
sudo tuned-adm active
```

Set profile to `throughput-performance`:

```bash
sudo tuned-adm profile throughput-performance
```
## 6. Optimize File Access Times

Check current mount options (`/dev/vda1` is the root device in this example; substitute your own):

```bash
cat /proc/mounts | grep /dev/vda1
```

Edit `/etc/fstab` to add `noatime` for your root partition:

```bash
sudo nano /etc/fstab
```

Find the root partition line and add `noatime`:

```
UUID=xxx-xxx-xxx / ext4 errors=remount-ro,noatime 0 1
```

Reboot:

```bash
sudo reboot
```

Confirm the `noatime` flag:

```bash
cat /proc/mounts | grep /dev/vda1
```

You should see `rw,noatime` in the options.
## 7. Manage Swap Space

Create a 2GB swap file:

```bash
sudo fallocate -l 2G /swapfile
sudo chmod 600 /swapfile
sudo mkswap /swapfile
sudo swapon /swapfile
```

Verify swap:

```bash
sudo swapon --show
free -h
```

Make swap permanent:

```bash
sudo nano /etc/fstab
```

Add:

```
/swapfile swap swap defaults 0 0
```

### Adjust Swappiness and Cache Pressure

Add to `/etc/sysctl.conf`:

```
vm.swappiness = 5
vm.vfs_cache_pressure = 50
```

Apply:

```bash
sudo sysctl -p
```

### Remove Swap File (if needed)

```bash
sudo swapoff -v /swapfile
sudo nano /etc/fstab
# Remove the swap entry line
sudo rm /swapfile
sudo reboot
```
## Increase Open File Limit on Ubuntu

To prevent errors from too many open files (especially for servers under heavy load), it's important to raise the default open file limit in Ubuntu. Here's how to do it:

### Step 1: Edit the Limits Configuration

```bash
cd /etc/security/
sudo cp limits.conf limits.conf.bak
sudo nano limits.conf
```

Add the following lines at the end:

```
* soft nofile 999999
* hard nofile 999999
root soft nofile 999999
root hard nofile 999999
```

This sets both soft and hard limits for all users (and specifically for root) to `999999` open files.

### Step 2: Enable PAM Support

To ensure these limits are applied during login sessions, update the PAM (Pluggable Authentication Module) configs. Ubuntu's default `common-session` files usually already load `pam_limits.so`, so check with `grep pam_limits /etc/pam.d/common-session*` first and only append the line where it is missing:

```bash
sudo bash -c 'echo session required pam_limits.so >> /etc/pam.d/common-session'
sudo bash -c 'echo session required pam_limits.so >> /etc/pam.d/common-session-noninteractive'
```

### Step 3: Reboot and Verify

Reboot your server:

```bash
sudo reboot
```

After reboot, verify the limits:

```bash
ulimit -Hn # Hard limit
ulimit -Sn # Soft limit
```

You should see `999999` as the new limit for both.
