Vucense

Linux Server Hardening 2026: CIS Benchmark on Ubuntu 24.04

🟡Intermediate

Harden Ubuntu 24.04 servers for sovereign production using CIS Benchmark Level 1. Covers sysctl kernel hardening, service removal, audit logging, login restrictions, and automated hardening.


Key Takeaways

  • Lynis first: Run sudo lynis audit system immediately on any new server — it identifies every gap with specific remediation commands.
  • sysctl before anything else: The kernel parameters are the fastest win — about 25 lines in /etc/sysctl.d/99-cis-hardening.conf and one sysctl -p cover most CIS Level 1 network hardening.
  • Remove what you don’t need: Every running service is an attack surface. Identify and disable unnecessary services before deploying applications.
  • Audit logging is mandatory: auditd records who ran what commands, when, and as which user — essential for incident response and compliance.

Introduction

Direct Answer: How do I harden an Ubuntu 24.04 server to CIS Benchmark Level 1 in 2026?

Five areas cover CIS Level 1:

  1. Kernel hardening: create /etc/sysctl.d/99-cis-hardening.conf with parameters including net.ipv4.tcp_syncookies=1, kernel.randomize_va_space=2, and net.ipv4.ip_forward=0, then run sudo sysctl -p /etc/sysctl.d/99-cis-hardening.conf.
  2. Remove unnecessary services: sudo systemctl disable --now avahi-daemon cups rpcbind bluetooth 2>/dev/null, then sudo apt-get purge -y avahi-daemon cups rpcbind.
  3. Audit logging: sudo apt-get install auditd audispd-plugins && sudo systemctl enable --now auditd.
  4. Login restrictions: configure /etc/security/pwquality.conf for password requirements and set TMOUT=300 in /etc/profile.
  5. Run Lynis: sudo lynis audit system generates a score and a prioritised remediation list.

A fresh Ubuntu 24.04 server typically scores 55–65/100; after this guide, 75–85/100.


Part 1: Install Lynis and Get Baseline Score

A baseline security audit shows where the system currently stands and what areas need attention. Lynis is the tool of choice for Ubuntu servers, and its hardening index gives you a measurable improvement target.

sudo apt-get install -y lynis

# Run initial audit (takes ~2 minutes)
sudo lynis audit system 2>/dev/null | tee /tmp/lynis-baseline.txt | grep -E "Hardening index|WARNING|SUGGESTION" | head -30

Expected output (fresh server):

Hardening index : 58 [############        ]

[!] WARNING: Found mail spool in world-writable directory
[!] WARNING: Some kernel hardening options are not set
  * SUGGESTION: Disable uncommon network protocols [NETW-3200]
  * SUGGESTION: Enable auditd for process accounting [ACCT-9628]
  * SUGGESTION: Configure minimum password strength rules [AUTH-9283]

Score: 58/100. Target after hardening: 78+/100.


Part 2: Kernel Parameter Hardening (sysctl)

Kernel parameters are the fastest, highest-impact hardening step. The settings below reduce network abuse, enforce address-space randomization, and lock down filesystem behavior at the operating system level.

sudo tee /etc/sysctl.d/99-cis-hardening.conf << 'EOF'
# ── Network Security ──────────────────────────────────────────────────────
# SYN flood protection
net.ipv4.tcp_syncookies = 1
# Disable IP forwarding (enable only on routers/VPN gateways)
net.ipv4.ip_forward = 0
net.ipv6.conf.all.forwarding = 0
# Ignore ICMP broadcast packets
net.ipv4.icmp_echo_ignore_broadcasts = 1
# Ignore bogus ICMP error responses
net.ipv4.icmp_ignore_bogus_error_responses = 1
# Enable reverse path filtering (prevents IP spoofing)
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
# Disable source packet routing
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
# Disable ICMP redirect acceptance
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv6.conf.all.accept_redirects = 0
# Disable send redirects
net.ipv4.conf.all.send_redirects = 0
# Log suspicious martian packets
net.ipv4.conf.all.log_martians = 1

# ── Memory Security ───────────────────────────────────────────────────────
# Enable full ASLR (Address Space Layout Randomisation): randomises stack, mmap and brk,
# so memory-corruption exploits cannot rely on fixed addresses
kernel.randomize_va_space = 2
# Restrict core dumps
fs.suid_dumpable = 0
kernel.core_pattern = |/bin/false
# Restrict ptrace to descendant processes (blocks attaching to arbitrary processes of the same user)
kernel.yama.ptrace_scope = 1
# Restrict kernel logs
kernel.dmesg_restrict = 1
kernel.kptr_restrict = 2

# ── Filesystem Security ───────────────────────────────────────────────────
# Prevent symlink and hardlink attacks
fs.protected_symlinks = 1
fs.protected_hardlinks = 1
fs.protected_fifos = 1
fs.protected_regular = 2
EOF

# Apply immediately
sudo sysctl -p /etc/sysctl.d/99-cis-hardening.conf 2>&1 | grep -E "^net|^kernel|^fs" | head -20

# Verify key settings
sysctl net.ipv4.tcp_syncookies kernel.randomize_va_space net.ipv4.ip_forward

Expected output:

net.ipv4.tcp_syncookies = 1
kernel.randomize_va_space = 2
net.ipv4.ip_forward = 0

Part 3: Remove Unnecessary Services

Every active service expands the attack surface. Disable and purge services that are not required for a headless Ubuntu server to reduce risk and simplify the system profile.

# What's currently running?
echo "=== RUNNING SERVICES ==="
systemctl list-units --type=service --state=running --no-pager --plain | \
  grep -v "^UNIT" | awk '{print $1}' | head -25

# Disable and remove services rarely needed on servers
DISABLE_SERVICES=(
    "avahi-daemon"    # mDNS/Zeroconf — not needed on servers
    "cups"            # Printing — never needed on a headless server
    "cups-browsed"    # Printer discovery — same
    "bluetooth"       # Bluetooth — not available on VPS
    "apport"          # Crash reporting to Canonical — privacy concern
    "whoopsie"        # Error reporting to Ubuntu
    "kerneloops"      # Kernel oops reporting
)

for svc in "${DISABLE_SERVICES[@]}"; do
    # Disable units that are running or merely enabled: an installed but stopped
    # unit would otherwise come back on the next boot
    if systemctl is-active --quiet "$svc" || systemctl is-enabled --quiet "$svc" 2>/dev/null; then
        sudo systemctl disable --now "$svc"
        echo "  Disabled: $svc"
    fi
done

# Purge packages
sudo apt-get purge -y avahi-daemon cups cups-browsed whoopsie apport 2>/dev/null
sudo apt-get autoremove -y

echo ""
echo "=== REMAINING SERVICES ==="
systemctl list-units --type=service --state=running --no-pager --plain | \
  grep -v "^UNIT" | awk '{print $1}'

Part 4: Audit Logging

Audit logs are critical for incident response and compliance. These commands install auditd and establish rules that record privileged changes, SSH configuration changes, and process accounting events.

sudo apt-get install -y auditd audispd-plugins
sudo systemctl enable --now auditd

# Configure audit rules (CIS Level 1 baseline)
sudo tee /etc/audit/rules.d/99-cis.rules << 'EOF'
# Delete existing rules
-D

# Buffer size
-b 8192

# Failure mode: 1=log, 2=panic on overflow
-f 1

# Monitor authentication events
-w /etc/passwd -p wa -k identity
-w /etc/shadow -p wa -k identity
-w /etc/group -p wa -k identity
-w /etc/sudoers -p wa -k sudoers
-w /etc/sudoers.d/ -p wa -k sudoers

# Monitor SSH configuration
-w /etc/ssh/sshd_config -p wa -k sshd

# Monitor system calls
-a always,exit -F arch=b64 -S adjtimex,settimeofday -k time-change
-a always,exit -F arch=b64 -S sethostname,setdomainname -k system-locale
-a always,exit -F arch=b64 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b64 -S chown,fchown,lchown,fchownat -F auid>=1000 -F auid!=4294967295 -k perm_mod

# Monitor privilege escalation
-w /bin/su -p x -k priv_esc
-w /usr/bin/sudo -p x -k priv_esc
-w /usr/bin/pkexec -p x -k priv_esc

# Make the rules immutable (requires reboot to change)
-e 2
EOF

sudo service auditd restart
sudo auditctl -l | head -10

Expected output:

-w /etc/passwd -p wa -k identity
-w /etc/shadow -p wa -k identity
-a always,exit -F arch=b64 -S chmod,fchmod...

Query the audit log for specific events by rule key:

# Query audit log for specific events
sudo ausearch -k sudoers --start today | head -10
sudo ausearch -k identity --start today | head -10
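ausearch prints raw records one per line; the Python script below is an added example (not from the article) that reassembles /var/log/audit/audit.log records by event id and answers the question these rules exist for: who ran what, when, as which user. The log lines in SAMPLE_LOG are constructed, with the field layout of auditd's native log and the keys set in 99-cis.rules above; decode_arg and reassemble are names chosen here.

```python
"""Who ran what, when, as which user: reassemble raw auditd events.
Added example, not from the article. Joins SYSCALL, EXECVE and PATH records
sharing one event id (msg=audit(TIME:SERIAL)); SAMPLE_LOG is constructed."""
import re
from collections import defaultdict

EVENT_ID = re.compile(r"msg=audit\((\d+\.\d+):(\d+)\)")
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1714500000.123:501): arch=c000003e syscall=59 success=yes exit=0 ppid=1500 pid=1600 auid=1000 uid=1000 euid=0 ses=3 tty=pts0 comm="sudo" exe="/usr/bin/sudo" key="priv_esc"
type=EXECVE msg=audit(1714500000.123:501): argc=4 a0="sudo" a1="visudo" a2="-f" a3=2F6574632F7375646F6572732E642F6D792072756C6573
type=SYSCALL msg=audit(1714500000.900:502): arch=c000003e syscall=257 success=yes exit=3 ppid=1600 pid=1601 auid=1000 uid=0 euid=0 ses=3 tty=pts0 comm="vim" exe="/usr/bin/vim.basic" key="sudoers"
type=PATH msg=audit(1714500000.900:502): item=0 name="/etc/sudoers.d/" inode=2 nametype=PARENT
type=PATH msg=audit(1714500000.900:502): item=1 name="/etc/sudoers.d/ops" inode=77 nametype=CREATE
type=SYSCALL msg=audit(1714500010.000:503): arch=c000003e syscall=257 success=yes exit=4 ppid=1 pid=2000 auid=4294967295 uid=0 euid=0 ses=4294967295 tty=(none) comm="useradd" exe="/usr/sbin/useradd" key="identity"
"""

def decode_arg(raw):
    # auditd quotes plain EXECVE args and hex-encodes ones containing spaces or quotes
    if raw.startswith('"'):
        return raw.strip('"')
    if re.fullmatch(r"(?:[0-9A-F]{2})+", raw):
        return bytes.fromhex(raw).decode("utf-8", "replace")
    return raw  # e.g. (null)

def reassemble(log_text):
    """Group records by event id, then summarise every event that has a SYSCALL record."""
    events = defaultdict(lambda: {"argv": {}, "paths": []})
    for line in log_text.splitlines():
        m, raw = EVENT_ID.search(line), dict(FIELD.findall(line))
        if not m or "type" not in raw: continue
        ev = events[(float(m.group(1)), int(m.group(2)))]
        if raw["type"] == "SYSCALL":
            ev["syscall"] = {k: v.strip('"') for k, v in raw.items()}
        elif raw["type"] == "EXECVE":  # a0..aN hold the argv, possibly hex-encoded
            ev["argv"].update((int(k[1:]), decode_arg(v)) for k, v in raw.items()
                              if k[0] == "a" and k[1:].isdigit())
        elif raw["type"] == "PATH" and raw.get("nametype") != "PARENT":
            ev["paths"].append(raw.get("name", "").strip('"'))
    summaries = []
    for (ts, serial), ev in sorted(events.items()):
        sc = ev.get("syscall")
        if sc is None: continue  # orphan EXECVE/PATH records carry no actor info
        summaries.append({
            "time": ts, "serial": serial, "key": sc.get("key", ""), "euid": sc.get("euid"),
            # 4294967295 is uint32 -1: no login session (daemons, cron, boot)
            "auid": "unset" if sc.get("auid") == "4294967295" else sc.get("auid"),
            "command": " ".join(ev["argv"][i] for i in sorted(ev["argv"])) or sc.get("comm", ""),
            "target": ev["paths"][-1] if ev["paths"] else sc.get("exe", "")})
    return summaries
```

Feed it `sudo ausearch -k sudoers --raw` output (or the log file itself) and the auid column tells you which login the privileged change traces back to, even when uid is 0.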

Part 5: Login and Password Policy

Strong authentication settings protect against credential abuse. This section configures PAM password quality, account lockout, and session timeouts so the server rejects weak passwords and idle logins.

# Install PAM password quality module (pam-auth-update wires it into /etc/pam.d/common-password)
sudo apt-get install -y libpam-pwquality

# Configure password requirements
# pwquality.conf does not accept trailing comments on a setting line, so each comment is on its own line
sudo tee /etc/security/pwquality.conf << 'EOF'
# Minimum 14 characters
minlen = 14
# At least 1 digit
dcredit = -1
# At least 1 uppercase
ucredit = -1
# At least 1 special character
ocredit = -1
# At least 1 lowercase
lcredit = -1
# Max 3 consecutive identical characters
maxrepeat = 3
# Reject passwords containing the username
usercheck = 1
# Enforce (don't just warn)
enforcing = 1
EOF

# Account lockout after failed attempts
# Note: Ubuntu does not enable pam_faillock by default; these settings only take effect
# once pam_faillock.so preauth/authfail lines are present in /etc/pam.d/common-auth
sudo tee /etc/security/faillock.conf << 'EOF'
# Lock after 5 failed attempts
deny = 5
# Locked for 15 minutes
unlock_time = 900
# Count failures within 15 minutes
fail_interval = 900
EOF

# Session timeout (appending to /etc/profile needs root, so use tee -a rather than a plain redirect)
sudo tee -a /etc/profile << 'EOF'
TMOUT=300          # Auto-logout after 5 minutes of inactivity
readonly TMOUT
export TMOUT
EOF

# Restrict su to members of the sudo group
# Ubuntu has no system-auth stack; its PAM files include the Debian common-* stacks
sudo tee /etc/pam.d/su << 'EOF'
auth       sufficient pam_rootok.so
auth       required   pam_wheel.so use_uid group=sudo
@include common-auth
@include common-account
@include common-session
EOF

Part 6: Final Lynis Audit

After making hardening changes, rerun Lynis to verify progress and identify any remaining gaps. This final check confirms the system is closer to CIS Level 1 compliance.

sudo lynis audit system 2>/dev/null | grep -E "Hardening index|WARNING" | head -20

Expected output (after hardening):

Hardening index : 79 [###############     ]

[!] WARNING: Found user with empty password (fewer than before)

Score improved from 58 to 79. Remaining warnings are typically environment-specific or require additional investigation.


Hardening Verification Checklist

The final step is verification: run a small checklist script to confirm the key kernel and audit settings are active. This makes the hardening changes easy to validate after any reboot or configuration update.

echo "=== CIS LEVEL 1 VERIFICATION ==="

checks=(
    "net.ipv4.tcp_syncookies:1:SYN flood protection"
    "kernel.randomize_va_space:2:ASLR enabled"
    "net.ipv4.ip_forward:0:IP forwarding disabled"
    "fs.protected_symlinks:1:Symlink protection"
    "kernel.dmesg_restrict:1:dmesg restricted"
)

for check in "${checks[@]}"; do
    param="${check%%:*}"
    expected="${check#*:}"; expected="${expected%%:*}"
    desc="${check##*:}"
    actual=$(sysctl -n "$param" 2>/dev/null)
    [ "$actual" = "$expected" ] && echo "  ✓ $desc ($param=$actual)" || echo "  ✗ $desc ($param=$actual, expected $expected)"
done

echo ""
echo "[ Auditd running ]"
systemctl is-active auditd && echo "  ✓ auditd active" || echo "  ✗ auditd not running"

echo ""
echo "[ Unnecessary services disabled ]"
for svc in avahi-daemon cups bluetooth; do
    systemctl is-active --quiet "$svc" && echo "  ✗ $svc still running" || echo "  ✓ $svc disabled"
done

Expected output:

=== CIS LEVEL 1 VERIFICATION ===
  ✓ SYN flood protection (net.ipv4.tcp_syncookies=1)
  ✓ ASLR enabled (kernel.randomize_va_space=2)
  ✓ IP forwarding disabled (net.ipv4.ip_forward=0)
  ✓ Symlink protection (fs.protected_symlinks=1)
  ✓ dmesg restricted (kernel.dmesg_restrict=1)

[ Auditd running ]
  ✓ auditd active

[ Unnecessary services disabled ]
  ✓ avahi-daemon disabled
  ✓ cups disabled
  ✓ bluetooth disabled

Conclusion

Ubuntu 24.04 is now hardened to CIS Level 1: kernel parameters blunt common network and memory-corruption attacks, unnecessary services are removed, audit logging captures privileged actions, and the password policy enforces complexity. The Lynis score improved from ~58 to ~79/100.

Run sudo lynis audit system quarterly and after any major configuration change. See SSH Hardening Guide 2026 for the SSH layer, and UFW Firewall Tutorial 2026 for the network perimeter.


People Also Ask

These are the common security hardening questions that come up when implementing CIS Benchmark controls on Ubuntu servers.

What is the difference between CIS Level 1 and Level 2?

CIS Level 1 is the baseline — settings that are broadly applicable to most servers with minimal functional impact. Level 2 adds more aggressive hardening that may break functionality: disabling USB storage, restricting kernel module loading, enabling mandatory access control (AppArmor in strict mode). For most web servers, application servers, and database servers, Level 1 is the correct target. Level 2 is appropriate for high-security environments (financial, healthcare, government) where the extra functional restrictions are acceptable trade-offs.

Does CIS hardening break any common applications?

Some settings require care. net.ipv4.ip_forward=0 must remain 0 unless the server is a router or VPN gateway — if you’re running WireGuard or Docker networking, set it to 1 and accept that deviation from the benchmark. kernel.yama.ptrace_scope=1 can break some debugging tools and Java applications using JVM attach mechanisms — set to 0 for development servers. Document every deviation from the benchmark with a business justification.



Tested on: Ubuntu 24.04 LTS (Hetzner CX22). lynis 3.1.2, auditd 3.1.2. Last verified: April 30, 2026.

Divya Prakash

About the Author

AI Systems Architect & Founder

Graduate in Computer Science | 12+ Years in Software Architecture | Full-Stack Development Lead | AI Infrastructure Specialist

Divya Prakash is the founder and principal architect at Vucense, leading the vision for sovereign, local-first AI infrastructure. With 12+ years designing complex distributed systems, full-stack development, and AI/ML architecture, Divya specializes in building agentic AI systems that maintain user control and privacy. Her expertise spans language model deployment, multi-agent orchestration, inference optimization, and designing AI systems that operate without cloud dependencies. Divya has architected systems serving millions of requests and leads technical strategy around building sustainable, sovereign AI infrastructure. At Vucense, Divya writes in-depth technical analysis of AI trends, agentic systems, and infrastructure patterns that enable developers to build smarter, more independent AI applications.
