Automating Server Hardening on Ubuntu 16.04: A Guide for Nordic Systems
The waiting game is over. Ubuntu 16.04 LTS "Xenial Xerus" officially dropped yesterday. For those of us managing infrastructure across Oslo and the broader Nordic region, this isn't just an OS update—it's a deadline.
With the European Parliament officially adopting the General Data Protection Regulation (GDPR) just last week, the days of lax security policies are numbered. Datatilsynet (The Norwegian Data Protection Authority) will be watching closely as these regulations roll out. If you are still manually editing /etc/ssh/sshd_config on every node, you are already behind. You need automation, and you need a verifiable audit trail.
I have spent the last 48 hours benchmarking the new LTS kernel on our CoolVDS KVM infrastructure. The systemd integration is tighter, and the Snap package manager is interesting, but our focus today is purely on security: hardening a fresh instance to meet strict compliance standards without wasting hours on manual configuration.
The "Zero-Trust" Baseline
Security starts before you even install your application. On a fresh VPS, the default attack surface is often too wide. Whether you are hosting a Magento shop or a heavily regulated financial application, the baseline is identical: lock it down, then open up only what is necessary.
We are going to use Ansible 2.0 (released earlier this year) to enforce this state. Shell scripts are brittle; idempotent playbooks are the only way to manage scale. Here is the manual logic we are converting to code.
1. SSH Hardening
Root login via password is the single most common vector for brute-force attacks. In OpenSSH 7.2 (standard in 16.04), we want to disable password authentication entirely and restrict root.
Pro Tip: Never use a shared root account. Create a user with sudo privileges for each admin. This provides an audit trail in /var/log/auth.log of who ran the sudo command.
# /etc/ssh/sshd_config relevant settings
Port 22
Protocol 2
PermitRootLogin prohibit-password
PasswordAuthentication no
ChallengeResponseAuthentication no
X11Forwarding no
UsePAM yes
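Those settings only take effect if sshd actually reads them the way you intend, and sshd has two parsing rules that surprise people: for each keyword the first value in the file wins (a later `PasswordAuthentication no` does not override an earlier `yes`), and anything after a `Match` line applies only to that block. The following audit script is an added example written for this post, not code from the post itself or from CoolVDS; it applies the baseline above to a config file, mirrors those two rules, and falls back to the OpenSSH 7.2 defaults for keywords that are absent. The two sample configs inside it are constructed, not taken from any real host.

```python
"""Audit an sshd_config against the hardening baseline, read the way sshd
reads it: keywords are case-insensitive, 'Key value' and 'Key=value' are
both accepted, '#' lines are comments, the FIRST value of a keyword wins,
and directives after a 'Match' line never repair the global setting."""
import re
import sys

# Baseline values from the sshd_config settings above (keywords lower-cased).
BASELINE = {
    "protocol": "2",
    "permitrootlogin": "prohibit-password",
    "passwordauthentication": "no",
    "challengeresponseauthentication": "no",
    "x11forwarding": "no",
}

# OpenSSH 7.2 defaults for a keyword absent from the file, so an unset
# keyword is judged by what sshd would actually do.
DEFAULTS = {
    "protocol": "2",
    "permitrootlogin": "prohibit-password",
    "passwordauthentication": "yes",
    "challengeresponseauthentication": "yes",
    "x11forwarding": "no",
}


def parse_sshd_config(text):
    """Return (global_settings, match_blocks).

    global_settings maps lower-cased keyword -> first value seen before any
    Match line; match_blocks is a list of (criteria, settings) in file order.
    """
    global_settings = {}
    match_blocks = []
    current = global_settings
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            current = {}  # everything that follows belongs to this block
            match_blocks.append((value, current))
            continue
        current.setdefault(key, value)  # first value wins, as in sshd
    return global_settings, match_blocks


def audit(text, baseline=BASELINE, defaults=DEFAULTS):
    """Return a list of findings; an empty list means the baseline holds."""
    settings, blocks = parse_sshd_config(text)
    findings = []
    for key, want in baseline.items():
        got = settings.get(key, defaults.get(key, "<unset>"))
        if got.lower() != want:
            findings.append("global %s is %r, want %r" % (key, got, want))
    for criteria, block in blocks:
        for key, want in baseline.items():
            if key in block and block[key].lower() != want:
                findings.append("Match %s: %s is %r, want %r"
                                % (criteria, key, block[key], want))
    return findings


# Constructed sample (not a real host): a distribution-style config where the
# hardened lines were appended after an existing Match block, so they apply
# only to the 'deploy' user and the global PasswordAuthentication stays 'yes'.
CONSTRUCTED_APPENDED = """\
Port 22
Protocol 2
X11Forwarding yes
PasswordAuthentication yes
UsePAM yes
Match User deploy
    ForceCommand /usr/local/bin/deploy-only
PasswordAuthentication no
PermitRootLogin prohibit-password
"""

# Constructed sample of the baseline applied correctly in the global section.
CONSTRUCTED_HARDENED = """\
Port 22
Protocol 2
PermitRootLogin prohibit-password
PasswordAuthentication no
ChallengeResponseAuthentication no
X11Forwarding no
UsePAM yes
"""

if __name__ == "__main__":
    # Usage: python sshd_audit.py /etc/ssh/sshd_config  (no argument: run the samples)
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            samples = {sys.argv[1]: fh.read()}
    else:
        samples = {"appended": CONSTRUCTED_APPENDED, "hardened": CONSTRUCTED_HARDENED}
    for name, text in samples.items():
        result = audit(text)
        print("%s: %s" % (name, "OK" if not result else "NON-COMPLIANT"))
        for finding in result:
            print("  -", finding)
```

Run it against `/etc/ssh/sshd_config` after a playbook run; on a host where a tool appended the hardened lines at the end of the file, the "appended" sample shows exactly the failure mode: the global `PasswordAuthentication yes` is reported as the effective value even though a `no` appears further down.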
2. The Firewall (UFW)
Ubuntu's Uncomplicated Firewall (UFW) is a frontend for iptables. It is robust and perfect for single-node setups. By default, we deny everything.
ufw default deny incoming
ufw default allow outgoing
ufw allow ssh
ufw allow http
ufw allow https
ufw enable
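The rules above are the intended state; an auditor will ask for the actual state. The following checker is an added example written for this post (not code from the post or from CoolVDS) that parses the text `ufw status verbose` prints and compares it with the allow-list the rules above create. It assumes ufw's usual output layout (a `Status:` line, a `Default:` line, then one rule per row with `ALLOW IN`/`DENY IN` actions and `(v6)` suffixes) and that `ufw allow ssh`/`http`/`https` are displayed as `22/tcp`, `80/tcp` and `443/tcp`. The sample output inside it is constructed and deliberately includes one port that is not part of the baseline.

```python
"""Compare 'sudo ufw status verbose' output with the baseline allow-list."""
import re
import sys

# Ports the baseline above opens (ufw displays service names as port/proto).
EXPECTED_INBOUND = {"22/tcp", "80/tcp", "443/tcp"}

# Constructed sample in ufw's output layout, not captured from a real host;
# 3306/tcp is the kind of rule that drifts in outside the playbook.
CONSTRUCTED_STATUS = """\
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), disabled (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW IN    Anywhere
80/tcp                     ALLOW IN    Anywhere
443/tcp                    ALLOW IN    Anywhere
3306/tcp                   ALLOW IN    Anywhere
22/tcp (v6)                ALLOW IN    Anywhere (v6)
80/tcp (v6)                ALLOW IN    Anywhere (v6)
443/tcp (v6)               ALLOW IN    Anywhere (v6)
3306/tcp (v6)              ALLOW IN    Anywhere (v6)
"""

# One rule row: destination, optional "(v6)", action, optional direction, source.
# Direction is absent in plain 'ufw status' output, where IN is implied.
RULE_RE = re.compile(
    r"^(?P<to>\S+)(?P<v6> \(v6\))?\s+(?P<action>ALLOW|DENY|REJECT|LIMIT)"
    r"(?: (?P<dir>IN|OUT))?\s+(?P<from>.+?)\s*$")


def parse_ufw_status(text):
    """Return {'status', 'default_incoming', 'rules'} from ufw status text."""
    state = {"status": None, "default_incoming": None, "rules": []}
    for line in text.splitlines():
        if line.startswith("Status:"):
            state["status"] = line.split(":", 1)[1].strip()
        elif line.startswith("Default:"):
            m = re.search(r"(\w+) \(incoming\)", line)
            state["default_incoming"] = m.group(1) if m else None
        else:
            m = RULE_RE.match(line)
            if m:  # header and separator rows never match an action keyword
                state["rules"].append({
                    "to": m.group("to"),
                    "v6": m.group("v6") is not None,
                    "action": m.group("action"),
                    "direction": m.group("dir") or "IN",
                    "from": m.group("from"),
                })
    return state


def audit_ufw(text, expected_inbound=EXPECTED_INBOUND):
    """Return findings (empty list = firewall matches the baseline)."""
    state = parse_ufw_status(text)
    findings = []
    if state["status"] != "active":
        findings.append("ufw is not active (status: %s)" % state["status"])
    if state["default_incoming"] != "deny":
        findings.append("default incoming policy is %s, want deny"
                        % state["default_incoming"])
    # v4 and v6 rows for the same port collapse into one entry.
    inbound = {r["to"] for r in state["rules"]
               if r["action"] == "ALLOW" and r["direction"] == "IN"}
    for port in sorted(inbound - expected_inbound):
        findings.append("unexpected inbound allow: %s" % port)
    for port in sorted(expected_inbound - inbound):
        findings.append("baseline port not open: %s" % port)
    return findings


if __name__ == "__main__":
    # Usage: sudo ufw status verbose | python ufw_audit.py  (no stdin: run the sample)
    text = sys.stdin.read() if not sys.stdin.isatty() else CONSTRUCTED_STATUS
    for finding in audit_ufw(text) or ["firewall matches baseline"]:
        print(finding)
```

An inactive firewall prints only `Status: inactive`, which the checker reports as both "not active" and "default policy missing", so a host that was never enabled fails loudly rather than showing an empty rule set.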
Automating with Ansible
Manual commands don't scale. If you spin up five CoolVDS instances for a load-balanced cluster, you can't SSH into each one to type `ufw enable`. Here is a streamlined Ansible playbook to handle the hardening process on a fresh Xenial Xerus install.
Create a file named harden.yml:
---
- hosts: webservers
  become: yes
  vars:
    ssh_port: 22
  tasks:
    - name: Ensure UFW is installed
      apt: name=ufw state=present update_cache=yes

    # Order matters: the SSH allow rule must exist before the firewall is
    # enabled, or the play locks you out of every host it touches.
    - name: Deny all incoming by default
      ufw: policy=deny direction=incoming

    - name: Allow SSH
      ufw: rule=allow port={{ ssh_port }} proto=tcp

    - name: Enable UFW
      ufw: state=enabled

    - name: Secure SSH configuration
      lineinfile:
        dest: /etc/ssh/sshd_config
        regexp: "{{ item.regexp }}"
        line: "{{ item.line }}"
        state: present
        # If the keyword is absent (Ubuntu ships it commented out), insert it
        # before any Match block instead of at EOF, where it would land inside
        # the block and apply only to those connections.
        insertbefore: '^Match'
        # Refuse to write a file sshd cannot parse, so a typo never leaves
        # the host without a working SSH daemon after the restart.
        validate: '/usr/sbin/sshd -t -f %s'
      with_items:
        - { regexp: '^PasswordAuthentication', line: 'PasswordAuthentication no' }
        - { regexp: '^PermitRootLogin', line: 'PermitRootLogin prohibit-password' }
      notify: restart ssh

  handlers:
    - name: restart ssh
      service: name=ssh state=restarted
Run this against your inventory file. It takes about 30 seconds to secure a fleet. This consistency is crucial when you need to prove to auditors that all your servers are compliant, not just the ones you remembered to patch.
Verification: The SCAP Standard
Hardening is useless if you cannot prove it. This is where OpenSCAP comes in. It is an open-source tool that scans your system against a specific profile (like PCI-DSS or STIG). Ubuntu 16.04 includes updated SCAP definitions.
Install the scanner:
# scap-workbench is a GUI; on a headless VPS, libopenscap8 alone provides the oscap scanner
sudo apt-get install libopenscap8 python-openscap scap-workbench
To run a vulnerability scan against the standard profile and generate an HTML report:
oscap xccdf eval --profile xccdf_org.ssgproject.content_profile_common \
--results result.xml \
--report report.html \
/usr/share/xml/scap/ssg/content/ssg-ubuntu1604-ds.xml
Open report.html in your browser. You will likely see a score of around 60-70%. Your goal is to tweak your Ansible playbooks until that score hits green. This document is gold when dealing with compliance inquiries.
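The HTML report is what you hand to an auditor, but the `result.xml` written by `--results` is what you feed back into the playbook loop: it lists every rule with its outcome and severity. The following summariser is an added example written for this post (not code from the post, CoolVDS or the OpenSCAP project) that reads an XCCDF 1.2 result file, extracts the reported score, counts outcomes, and lists failed rules ordered by severity. It assumes the standard XCCDF 1.2 namespace and the `TestResult`/`rule-result`/`score` element layout oscap writes; the embedded sample is constructed, with placeholder hostname, benchmark id and rule ids modelled on the SSG naming scheme rather than taken from a real scan. Note that the `pass_ratio` it computes is a plain count and will not equal the reported `score`, which uses XCCDF's weighted default scoring model.

```python
"""Summarise an OpenSCAP XCCDF result file (result.xml from 'oscap xccdf eval
--results') into a compact compliance record for the audit trail."""
import sys
import xml.etree.ElementTree as ET
from collections import Counter

NS = {"x": "http://checklists.nist.gov/xccdf/1.2"}

# Constructed sample in the shape oscap writes. Hostname, benchmark id and
# rule ids are placeholders modelled on the SSG naming scheme, not real scan output.
SAMPLE_RESULT_XML = """<?xml version="1.0" encoding="UTF-8"?>
<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2" id="xccdf_example_benchmark_constructed">
  <TestResult id="xccdf_org.open-scap_testresult_common" start-time="2016-04-22T10:00:00" end-time="2016-04-22T10:00:30">
    <profile idref="xccdf_org.ssgproject.content_profile_common"/>
    <target>web01.example.invalid</target>
    <rule-result idref="xccdf_org.ssgproject.content_rule_sshd_disable_root_login" severity="medium" weight="1.000000">
      <result>pass</result>
    </rule-result>
    <rule-result idref="xccdf_org.ssgproject.content_rule_sshd_disable_empty_passwords" severity="high" weight="1.000000">
      <result>fail</result>
    </rule-result>
    <rule-result idref="xccdf_org.ssgproject.content_rule_package_telnetd_removed" severity="high" weight="1.000000">
      <result>pass</result>
    </rule-result>
    <rule-result idref="xccdf_org.ssgproject.content_rule_service_auditd_enabled" severity="medium" weight="1.000000">
      <result>fail</result>
    </rule-result>
    <rule-result idref="xccdf_org.ssgproject.content_rule_constructed_hardware_check" severity="low" weight="1.000000">
      <result>notapplicable</result>
    </rule-result>
    <score system="urn:xccdf:scoring:default" maximum="100.000000">50.000000</score>
  </TestResult>
</Benchmark>
"""


def summarise_xccdf(xml_text):
    """Return a dict with profile, target, reported score, outcome counts and
    the failed rules as (severity, rule id) tuples, highest severity first."""
    root = ET.fromstring(xml_text)
    # oscap nests the TestResult inside the Benchmark; accept a bare TestResult too.
    result = root if root.tag == "{%s}TestResult" % NS["x"] else root.find(".//x:TestResult", NS)
    if result is None:
        raise ValueError("no XCCDF 1.2 TestResult element found")
    counts = Counter()
    failed = []
    for rr in result.findall("x:rule-result", NS):
        outcome = (rr.findtext("x:result", default="unknown", namespaces=NS) or "unknown").strip()
        counts[outcome] += 1
        if outcome == "fail":
            failed.append((rr.get("severity", "unknown"), rr.get("idref", "")))
    rank = {"high": 0, "medium": 1, "low": 2}
    failed.sort(key=lambda sev_id: (rank.get(sev_id[0], 3), sev_id[1]))
    score_el = result.find("x:score", NS)
    profile_el = result.find("x:profile", NS)
    # notapplicable / notchecked / notselected rules are excluded from the ratio.
    evaluated = counts["pass"] + counts["fail"]
    return {
        "profile": profile_el.get("idref") if profile_el is not None else None,
        "target": result.findtext("x:target", namespaces=NS),
        "reported_score": float(score_el.text) if score_el is not None else None,
        "score_maximum": float(score_el.get("maximum", "100")) if score_el is not None else None,
        "counts": dict(counts),
        "pass_ratio": float(counts["pass"]) / evaluated if evaluated else None,
        "failed": failed,
    }


if __name__ == "__main__":
    # Usage: python xccdf_summary.py result.xml  (no argument: run the sample)
    xml_text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_RESULT_XML
    summary = summarise_xccdf(xml_text)
    print("target=%s profile=%s score=%s/%s counts=%s" % (
        summary["target"], summary["profile"], summary["reported_score"],
        summary["score_maximum"], summary["counts"]))
    for severity, rule_id in summary["failed"]:
        print("  FAIL [%s] %s" % (severity, rule_id))
    # Non-zero exit on any high-severity failure makes this usable as a CI gate.
    sys.exit(1 if any(sev == "high" for sev, _ in summary["failed"]) else 0)
```

The failed rule ids map directly onto SSG rule names, which is the list you work through when adding tasks to the playbook; keeping the summaries per host and per date gives you the before/after record auditors ask for.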
Infrastructure Matters: The KVM Advantage
Software configuration can only do so much. The underlying architecture of your VPS defines the hard limits of your security.
Many budget providers in Europe still rely on OpenVZ or LXC containers. While efficient, these technologies share a single kernel between all tenants on the host node. If a kernel exploit is discovered (like the recent heavy hitters), a compromise in a neighbor's container could theoretically bleed into yours.
At CoolVDS, we exclusively use KVM (Kernel-based Virtual Machine). Each VPS runs its own isolated kernel. This provides a hard hardware virtualization barrier. From a compliance perspective—especially regarding data sovereignty in Norway—this isolation is often a requirement, not a luxury.
Furthermore, because we run on enterprise NVMe storage arrays, the I/O overhead of this virtualization is negligible. You get the security of a dedicated server with the flexibility of the cloud.
The Let's Encrypt Revolution
Finally, no security post is complete in 2016 without mentioning Let's Encrypt. It just left beta earlier this month (April 12th). The era of paying expensive fees for basic SSL certificates is over.
On Ubuntu 16.04, you can pull the client (formerly letsencrypt-auto, now transitioning to standard packages) directly. Securing your Nginx server is now a single command:
# Install the client
sudo apt-get install letsencrypt
# Obtain the certificate with the client's built-in standalone web server.
# It binds port 80 itself, so stop Nginx for the run (or use --webroot
# against the running Nginx instead of --standalone).
sudo letsencrypt certonly --standalone -d example.com -d www.example.com
Combine this with a cron job to auto-renew, and you have permanently solved the "expired certificate" downtime risk.
Next Steps
The regulatory landscape in Europe is shifting. Ubuntu 16.04 gives us the tools to adapt, but it is up to us to implement them. Do not wait for a breach or an audit letter to take action.
Spin up a KVM instance on CoolVDS today. Our Oslo-based datacenter ensures your data stays within Norwegian legal jurisdiction, and our NVMe storage ensures your security scans finish before you can grab a coffee.