Ubuntu Server hardening scripts for systemd systems with UFW, auditd, and kernel module controls
- Stars: 1.7k
- Forks: 406
- Open Issues: 7
Apache-2.0
- Shell
- Dockerfile

About konstruktoid Hardening
konstruktoid Hardening is a set of scripts that harden Ubuntu Server on systemd systems. It turns a fresh install into a locked-down baseline you can reuse as a reference image, applying secure defaults and disabling components that are not needed.
It configures UFW, auditd, sysctl, systemd, journald, resolved, logind, and timesyncd, and can disable selected kernel modules. SSH access, log rotation, and many other settings are exposed as editable values in a single ubuntu.cfg file, so the baseline is easy to tailor before applying.
It has been tested on Ubuntu 22.04 and 24.04, with a companion Ansible role for fleet rollouts and SLSA artifacts for checksum verification. Because it makes sweeping system changes, it is meant to be reviewed and tried in a non-production environment first.
Key features
- UFW rules for SSH access by admin IPs
- auditd rules and failure mode settings
- Disables selected network, filesystem, and device modules
- Configures systemd, journald, resolved, and logind defaults
- Editable Ubuntu hardening settings in ubuntu.cfg
Details
- On GitHub since: 2015
- Platforms: Ubuntu Server (systemd)
- Tested on: Ubuntu 22.04 and 24.04
- Deployment: self-hostable
- Also available as: Ansible role
- License: Apache-2.0