The Scenario
A SA tech consultancy maintains a fleet of Ubuntu LTS servers (web, application, database) hosted with a local provider. After a competitor was compromised via a default SSH configuration and an exposed admin port, the CTO asks for a hardening checklist that every server must meet before going live.
The Brief
Produce a hardening checklist for Ubuntu Server LTS (24.04). Cover OS, network, application, and operational hardening with specific commands or configuration snippets.
Deliverables
- An OS hardening section covering: user accounts (no root SSH, sudoers discipline), SSH (key-only, port, MaxAuthTries, allowed users), unattended-upgrades, fail2ban, auditd, and firewall (UFW) rules
- A network hardening section covering: which ports are open by default and why, internal-only versus public services, IP whitelisting for admin paths, and reverse proxy posture
- An application hardening section covering: nginx/apache headers, TLS configuration, file permissions, and the principle of running services as non-root
- A monitoring and operational section covering: log shipping, integrity checks (AIDE), patch cadence, and the runbook for a suspected compromise
Submission Guidance
Hardening checklists are weak when they cite controls without the actual config. Include concrete snippets (sshd_config lines, UFW commands, nginx headers) so a junior engineer can apply them without searching.
Submit Your Work
Your submission is graded against the rubric on the right. If you pass, you get a public Badge URL you can share on LinkedIn. There is no draft save, so work offline first and paste your finished response here.