A clean install of Ubuntu Server 24.04 LTS Noble Numbat sets the tone for every workload that follows. The recipe below is the same one we use for production hosts across KSA — partition layout, SSH lockdown, baseline observability — all reproducible in under thirty minutes per box.
Prerequisites
- A bare-metal server, NUC, or hypervisor VM with at least 2 vCPU, 4 GB RAM, and 40 GB disk.
- A bootable USB drive (≥ 4 GB) or an attached ISO.
- IPMI / iLO / DRAC console access for headless installs.
- A workstation with
sshand a generated Ed25519 key pair.
Step 1: Download and verify the ISO
Always pull the ISO from the official mirror and verify SHA-256 before writing it to media. A two-minute hash check has prevented at least one supply-chain incident on our bench.
cd ~/Downloads
curl -fLO https://releases.ubuntu.com/24.04/ubuntu-24.04-live-server-amd64.iso
curl -fLO https://releases.ubuntu.com/24.04/SHA256SUMS
sha256sum -c SHA256SUMS --ignore-missing
A line ending in OK is the only acceptable result. If you see FAILED, throw the ISO away and re-download from a different mirror.
Step 2: Write the USB and boot
On Linux, write the ISO with dd (replace /dev/sdX with your USB device — the wrong letter wipes the wrong disk):
sudo dd if=ubuntu-24.04-live-server-amd64.iso of=/dev/sdX bs=4M status=progress conv=fsync
sync
On Windows or macOS, use Rufus or balenaEtcher instead — dd mistakes are unforgiving.
Step 3: Pick a partition layout that ages well
Reject the installer default of "use entire disk with LVM." Instead choose Custom storage layout and create:
| Mount point | Size | FS | Purpose |
| --- | --- | --- | --- |
| /boot/efi | 512 MiB | FAT32 | UEFI bootloader (skip on legacy BIOS) |
| /boot | 1 GiB | ext4 | Kernel + initrd |
| / | 30 GiB | ext4 (LVM) | Root |
| /var | 20 GiB | ext4 (LVM) | Logs, packages, container layers |
| /var/log | 10 GiB | ext4 (LVM) | Isolated journald + syslog |
| /home | 20 GiB | ext4 (LVM) | User data |
Leave 30–40 percent of the volume group unallocated. When /var blows up at month six, you grow the LV with one command instead of evacuating the host.
Step 4: Network, hostname, and timezone
In the installer's network panel set a static IPv4 (or DHCP reservation), an authoritative DNS resolver such as 1.1.1.1 and 8.8.8.8, and a fully qualified hostname (hostname.dc.example.sa). Set the timezone in the language step to Asia/Riyadh.
Step 5: SSH key and first-boot hardening
In the SSH Setup screen, paste your Ed25519 public key from your workstation. Do not enable password login. After the installer reboots, run:
sudo apt update && sudo apt upgrade -y
sudo apt install -y unattended-upgrades ufw fail2ban auditd htop
sudo systemctl enable --now unattended-upgrades fail2ban auditd
# Lock SSH down
sudo sed -i 's/^#\?PermitRootLogin.*/PermitRootLogin no/' /etc/ssh/sshd_config
sudo sed -i 's/^#\?PasswordAuthentication.*/PasswordAuthentication no/' /etc/ssh/sshd_config
sudo systemctl restart ssh
# Default-deny firewall
sudo ufw default deny incoming
sudo ufw default allow outgoing
sudo ufw allow 22/tcp
sudo ufw --force enable
Step 6: Pre-flight checklist
Before handing the box over, verify:
uname -r # 6.8.x or newer
sudo ss -tulpn # only intended listeners
free -h # swap under 5 %
sudo smartctl -H /dev/sda # PASSED
timedatectl status # NTP synchronized: yes
cat /var/run/reboot-required # No file
Conclusion
You now have a hardened Ubuntu 24.04 LTS baseline that will outlast the application running on top of it. Commit the partition map and /etc/ssh/sshd_config to your config repo on day zero — at month eighteen you will be glad to know what shipped.
Next steps
- Apply the SSH and firewall hardening recipe for a deeper lockdown.
- Stand up the LAMP stack or Docker for your workloads.
- Schedule the unattended-upgrade and patch policy before the first kernel CVE drops.
Comments
3 total · 2 threads