This guide walks through a clean install of Ubuntu 24.04 LTS Server on bare metal or a hypervisor, with a hardened baseline ready for production workloads. We have used this exact recipe on more than 80 production servers across KSA and the GCC.
1. Verify your installation media
Download the latest 24.04 LTS server ISO from releases.ubuntu.com/24.04/ and always verify the SHA256 before writing it to USB or attaching it to a VM:
```bash
sha256sum ubuntu-24.04-live-server-amd64.iso
# Expected: the printed hash matches the entry in the SHA256SUMS file from the mirror
```
Skipping this step is how supply-chain attacks land in production. Two minutes of hashing has saved us from a malicious mirror twice in the past three years.
2. Partition layout that ages well
Reject the "use entire disk with LVM" default. Instead choose Custom storage layout and create:
- /boot — 1 GiB ext4
- /boot/efi — 512 MiB FAT32 (only on UEFI machines)
- An LVM volume group filling the rest of the disk, then inside it:
  - lv-root — 30 GiB ext4 mounted at /
  - lv-var — 20 GiB ext4 mounted at /var
  - lv-log — 10 GiB ext4 mounted at /var/log
  - lv-home — 20 GiB ext4 mounted at /home
  - Leave 30–40% of the VG unallocated so you can grow whichever LV blows up first
A runaway log file or container layer that fills /var will no longer take the box down with / on the same filesystem.
3. First-boot hardening
Right after the installer reboots, before you do anything else:
```bash
sudo apt update && sudo apt upgrade -y
sudo apt install -y unattended-upgrades ufw fail2ban auditd
sudo systemctl enable --now unattended-upgrades fail2ban auditd

# Lock down SSH: uncomment the directive if needed and force the hardened value
sudo sed -i 's/^#\?PermitRootLogin.*/PermitRootLogin no/' /etc/ssh/sshd_config
sudo sed -i 's/^#\?PasswordAuthentication.*/PasswordAuthentication no/' /etc/ssh/sshd_config
sudo systemctl restart ssh

# Default-deny firewall
sudo ufw default deny incoming
sudo ufw default allow outgoing
sudo ufw allow 22/tcp
sudo ufw --force enable
```
Tip: never disable PasswordAuthentication before you have proven your SSH key works in a separate terminal session. Lock yourself out once and you will not do it twice.
4. Time, hostname, locale
Clock drift breaks Kerberos, TLS certificate validation, log correlation and accounting. Set up NTP first:
```bash
sudo timedatectl set-timezone Asia/Riyadh
sudo timedatectl set-ntp true
timedatectl status
```
For Arabic locales add ar_SA.UTF-8 and en_SA.UTF-8 via sudo dpkg-reconfigure locales.
5. Final checks
Before you hand the machine over:
| Check | Command | Expected |
| --- | --- | --- |
| Kernel patched | uname -r | 6.8.x or newer |
| Reboots required | cat /var/run/reboot-required | No file (or expected) |
| Disk health | sudo smartctl -H /dev/sda | PASSED |
| Memory | free -h | Swap < 5% used |
| Open ports | sudo ss -tulpn | Only what you intend |
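The SSH and firewall steps in section 3 and the final checks above can be verified mechanically. The script below is an added example, not part of the original guide: each check reads command output on stdin so it can be tested against captured samples, and it only touches the live machine when run with a `--live` argument (a hypothetical flag chosen for this example). It checks the effective sshd configuration via `sshd -T`, which already merges any /etc/ssh/sshd_config.d/*.conf drop-ins that could override the sed edits, and confirms /var and /var/log are separate filesystems as the partition layout intends.

```bash
#!/usr/bin/env bash
# Baseline checker for the hardening steps above (added example, not from the
# original guide). Each check reads command output on stdin and returns 0 on pass.

# Expects `sudo sshd -T`: the *effective* config, drop-ins included.
check_sshd() {
    local cfg want rc=0
    cfg=$(cat)
    for want in 'permitrootlogin no' 'passwordauthentication no'; do
        # sshd -T prints keywords in lowercase; -x demands a whole-line match
        printf '%s\n' "$cfg" | grep -qix "$want" \
            || { echo "FAIL sshd: expected '$want'"; rc=1; }
    done
    return "$rc"
}

# Expects /proc/mounts: / , /var and /var/log must each be their own mount,
# so a full /var cannot take the root filesystem down with it.
check_mounts() {
    local mounts mp rc=0
    mounts=$(cat)
    for mp in / /var /var/log; do
        printf '%s\n' "$mounts" | awk -v mp="$mp" '$2 == mp { ok = 1 } END { exit !ok }' \
            || { echo "FAIL mounts: $mp is not a separate mount point"; rc=1; }
    done
    return "$rc"
}

# Expects `sudo ufw status verbose`: firewall active with default-deny inbound.
check_ufw() {
    local status rc=0
    status=$(cat)
    printf '%s\n' "$status" | grep -q '^Status: active' \
        || { echo "FAIL ufw: firewall is not active"; rc=1; }
    printf '%s\n' "$status" | grep -q '^Default: deny (incoming)' \
        || { echo "FAIL ufw: default incoming policy is not deny"; rc=1; }
    return "$rc"
}

# Live run (needs root): sudo ./baseline-check.sh --live
if [ "${1:-}" = "--live" ]; then
    fail=0
    sshd -T | check_sshd || fail=1
    check_mounts < /proc/mounts || fail=1
    ufw status verbose | check_ufw || fail=1
    exit "$fail"
fi
```

Any FAIL line points at a step from sections 2 or 3 that did not actually take effect; a clean run is what you commit alongside the partition table and sshd_config.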
That is your baseline. Save the partition table and /etc/ssh/sshd_config to your config repo before you install a single application — when something goes sideways at month six, you will want to know exactly what shipped on day zero.