
Server Setup

Complete Ubuntu 24.04 Build & Hardening Guide

VMware Golden Image → Clone CIS Hardened Lynis 85/100
👑 Phase A — Golden Image (Run Once)

Start with a fresh Ubuntu 24.04 VM in VMware. Run the golden image script once, on that VM only: it installs tooling, imports your SSH public keys from GitHub, applies baseline hardening, and prepares the VM for conversion to a template. Every later VM is cloned from this image, so anything you put into it (keys included) is inherited by all of them.

1

Download & Run Golden Image Script

~10 minutes
bash
cd /tmp
# -f: fail on an HTTP error instead of saving the error page under the script's name
curl -fsSLO https://www.golu.net/scripts/Linux-Golden-template.sh
chmod +x Linux-Golden-template.sh
sudo bash Linux-Golden-template.sh
The script runs as root, so read it through before executing it. It will prompt you for:
Enter GitHub username for SSH key import: — the GitHub account whose public keys should be authorised for login (every key on that account will be trusted)
Enter primary username (e.g. ubuntu): — the local account you will SSH in as
2

Convert to Template

The script automatically shuts down the VM after completion. Then in VMware vCenter/vSphere:

1. Right-click the VM → Convert to Template
2. Or take a Snapshot and use it as the base for linked clones
3. Your golden image is ready — deploy new VMs from it
What happens on first boot of cloned VMs: SSH host keys are regenerated, a new machine-id is created, a new DHCP lease is obtained, and the SSH keys imported from GitHub are preserved. Because each clone gets its own host keys, your first connection to a new clone will present an unfamiliar host key fingerprint; confirm it against the fingerprints shown on the clone's console before accepting it, since blindly accepting is exactly what a man-in-the-middle relies on.
🚀 Phase B — Clone VM Setup (Run on Each New VM)

After deploying a new VM from the golden image template, SSH in and run these scripts to apply full CIS hardening, firewall, auto-updates, integrity monitoring, and Lynis fixes.

1

Download All Scripts

~10 seconds
bash
cd /tmp
# -f: fail on an HTTP error instead of saving the error page under the script's name
curl -fsSLO https://www.golu.net/scripts/cis-safefix-ubuntu24-docker-Part1.sh
curl -fsSLO https://www.golu.net/scripts/cis-safefix-ubuntu24-docker-Part2.sh
curl -fsSLO https://www.golu.net/scripts/cis-safefix-ubuntu24-docker-Part3.sh
curl -fsSLO https://www.golu.net/scripts/ufw-firewall-setup.sh
curl -fsSLO https://www.golu.net/scripts/auto-security-updates.sh
curl -fsSLO https://www.golu.net/scripts/aide-cron-setup.sh
curl -fsSLO https://www.golu.net/scripts/ssh-key-lynis-setup.sh
curl -fsSLO https://www.golu.net/scripts/lynis-fixes.sh

# Make executable (note this also affects any other .sh already in /tmp)
chmod +x *.sh
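Both download steps, the golden-image script above and this batch, fetch scripts with curl -sO and then run them as root, with nothing checking that the file that arrived is the file that was reviewed. As an added example, not code from the page or from golu.net, here is a small POSIX-sh helper that downloads over HTTPS only, fails loudly on HTTP errors, and makes the file executable only once its SHA-256 matches a digest you recorded after reading the script. The function names, the --proto and --tlsv1.2 options and the idea of a recorded digest are this example's choices; the page publishes no digests, so you would have to record them yourself.

```shell
#!/usr/bin/env sh
# Added example (not part of the page or its scripts): download a script over
# HTTPS only and refuse to make it executable unless its SHA-256 matches a
# digest obtained out of band. The page publishes no digests, so EXPECTED
# values are an assumption: record them yourself after reviewing a copy.
set -eu

# sha256_of FILE -> hex digest, via coreutils or falling back to openssl
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        openssl dgst -sha256 -r "$1" | cut -d' ' -f1
    fi
}

# verify_sha256 FILE EXPECTED -> 0 on match, 1 (with a message on stderr) otherwise
verify_sha256() {
    actual=$(sha256_of "$1")
    if [ "$actual" = "$2" ]; then
        return 0
    fi
    printf 'sha256 mismatch for %s\n  expected %s\n  actual   %s\n' "$1" "$2" "$actual" >&2
    return 1
}

# fetch_verified URL EXPECTED DEST -> DEST exists and is executable only if the
# download succeeded and hashed to EXPECTED. Compared with `curl -sO`:
#   -f  fail on HTTP errors instead of saving the error page (which chmod +x
#       would then turn into an "executable" HTML document)
#   -S  still report errors while silent; -L follow redirects
#   --proto '=https'  refuse any redirect to plain http
fetch_verified() {
    url=$1; expected=$2; dest=$3
    tmp=$(mktemp "${dest}.XXXXXX")
    if ! curl -fsSL --proto '=https' --tlsv1.2 -o "$tmp" "$url"; then
        rm -f "$tmp"
        printf 'download failed: %s\n' "$url" >&2
        return 1
    fi
    if ! verify_sha256 "$tmp" "$expected"; then
        rm -f "$tmp"
        return 1
    fi
    chmod 0755 "$tmp" && mv "$tmp" "$dest"
}

# self_check -> 0 if the verifier accepts a known-good digest and rejects a
# wrong one. Uses a constructed local file, not a download: "hello\n" has a
# well-known SHA-256.
self_check() {
    f=$(mktemp)
    good=5891b5b522d5df086d0ff0b110fbd9d21bb4fc7163af34d08286a2e846f6be03
    bad=0000000000000000000000000000000000000000000000000000000000000000
    printf 'hello\n' > "$f"
    verify_sha256 "$f" "$good" || { rm -f "$f"; return 1; }
    if verify_sha256 "$f" "$bad" 2>/dev/null; then rm -f "$f"; return 1; fi
    rm -f "$f"
}

# Example invocation (hypothetical digest; replace with one you recorded):
#   fetch_verified https://www.golu.net/scripts/ufw-firewall-setup.sh \
#       <sha256-you-recorded> /tmp/ufw-firewall-setup.sh
self_check && echo "self-check passed"
```

Run it once with no arguments to confirm the digest check works (the self-check uses a constructed local file, not a download), then call fetch_verified with the URL, the digest you recorded and the destination path for each script. A mismatch leaves nothing executable behind, which is the property that `curl -sO` followed by `chmod +x` lacks.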
2

CIS Hardening

~5 minutes

Run all three parts in order; later parts assume the earlier ones have already been applied. Part 1 will prompt for your primary username.

bash
sudo bash cis-safefix-ubuntu24-docker-Part1.sh
sudo bash cis-safefix-ubuntu24-docker-Part2.sh
sudo bash cis-safefix-ubuntu24-docker-Part3.sh
Part 1 will ask: Enter primary username (e.g. ubuntu): — enter the user you SSH in with.
3

UFW Firewall

~30 seconds

Enables UFW with inbound allow rules for SSH (22), HTTP (80) and HTTPS (443) and a default deny for everything else inbound. Docker-safe. Keep in mind that Docker inserts its own rules into the iptables FORWARD chain ahead of UFW's, so a container port published with -p can be reachable regardless of what ufw status shows; check a freshly started container's ports from another host rather than trusting the UFW rule list alone.

bash
sudo bash ufw-firewall-setup.sh
4

Automatic Security Updates

~30 seconds

Configures unattended-upgrades to install security patches automatically. If a patch needs a reboot, the host reboots at 3:00 AM, but only when no users are logged in; a reboot that keeps being deferred by logged-in sessions leaves the old kernel or libc running, so watch for hosts that have been waiting on one.

bash
sudo bash auto-security-updates.sh
5

AIDE Integrity Monitoring

~2 minutes

Sets up a daily AIDE file-integrity check and a weekly baseline update via cron. The weekly update has a consequence worth stating plainly: whatever the daily checks reported during the week becomes part of the new baseline on Sunday, so if nobody reads the reports, an attacker's modification quietly turns into the trusted state. Treat the daily report as something to review, not just to log.

bash
sudo bash aide-cron-setup.sh
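To make the daily check useful, and to catch the problem the weekly baseline update creates, here is an added example (not from the page or from aide-cron-setup.sh) that summarises an AIDE report, lists the changed paths and escalates when any of them sits under a sensitive prefix. The report path, the SENSITIVE prefix list and the sample report are constructed for this example; the layout follows AIDE's report format of a Summary block followed by Added/Removed/Changed sections.

```shell
#!/usr/bin/env sh
# Added example, not part of the page or of aide-cron-setup.sh: read an AIDE
# report and decide whether a human must look at it before Sunday's baseline
# update makes the current filesystem state the new truth.
# Usage:  sh aide-triage.sh /var/log/aide/<report>
# (the report path and the SENSITIVE prefix list are this example's
# assumptions; the page only says reports land under /var/log/aide/)
set -eu

# Paths where an unexplained change is an incident, not a housekeeping note.
SENSITIVE='^/(etc/(ssh|sudoers|pam\.d|passwd|shadow|group|cron)|root/\.ssh|home/[^/]+/\.ssh|usr/local/s?bin|boot)'

# aide_count REPORT KIND -> the "<KIND> entries:" number from the Summary
# block (KIND is Added, Removed or Changed); 0 when the line is absent.
aide_count() {
    n=$(grep -E "^[[:space:]]+$2 entries:" "$1" | head -n 1 | sed 's/.*:[[:space:]]*//')
    printf '%s\n' "${n:-0}"
}

# aide_paths REPORT -> one path per line from the Added/Removed/Changed
# sections. AIDE prints each entry as a type/attribute string followed by
# ": /path", e.g. "f++++++++++++++++: /usr/local/bin/helper". The detailed
# section that follows is skipped so its "File: /path" lines are not counted twice.
aide_paths() {
    awk '
        /^(Added|Removed|Changed) entries:$/ { inlist = 1; next }
        /^Detailed information/              { inlist = 0 }
        inlist && match($0, /: \//)          { print substr($0, RSTART + 2) }
    ' "$1"
}

# aide_triage REPORT -> 0 nothing changed, 1 changes to review,
# 2 a sensitive path changed (escalate).
aide_triage() {
    report=$1
    added=$(aide_count "$report" Added)
    removed=$(aide_count "$report" Removed)
    changed=$(aide_count "$report" Changed)
    if [ $((added + removed + changed)) -eq 0 ]; then
        echo "OK: no differences reported in $report"
        return 0
    fi
    echo "REVIEW: $added added, $removed removed, $changed changed ($report)"
    hits=$(aide_paths "$report" | grep -E "$SENSITIVE" || true)
    if [ -n "$hits" ]; then
        echo "ALERT: sensitive paths touched:"
        printf '%s\n' "$hits" | sed 's/^/  /'
        return 2
    fi
    return 1
}

# sample_report FILE -> writes a constructed report in AIDE's summary layout
# (not a real scan) so the triage can be exercised without running aide.
sample_report() {
    cat > "$1" <<'EOF'
AIDE found differences between database and filesystem!!
Start timestamp: 2025-01-06 04:00:01 +0000 (AIDE 0.18.6)

Summary:
  Total number of entries:      104233
  Added entries:                1
  Removed entries:              0
  Changed entries:              2

---------------------------------------------------
Added entries:
---------------------------------------------------

f++++++++++++++++: /usr/local/bin/helper

---------------------------------------------------
Changed entries:
---------------------------------------------------

f   ...    .C... : /etc/ssh/sshd_config
f   ...    .C... : /var/log/syslog

---------------------------------------------------
Detailed information about changes:
---------------------------------------------------

File: /etc/ssh/sshd_config
  SHA512   : 7Kf... | 9Qz...
EOF
}

if [ $# -ge 1 ]; then
    aide_triage "$1"
else
    demo=$(mktemp)
    sample_report "$demo"
    aide_triage "$demo" || true
    rm -f "$demo"
fi
```

Point it at the newest file under /var/log/aide/, from a cron job after the 4:00 AM run or by hand before Sunday. Exit status 0 means nothing changed, 1 means read the report, and 2 means something under /etc/ssh, sudoers, the account database, cron, /root/.ssh or /usr/local/bin changed and should be treated as an incident until explained.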
6

SSH Key + Lynis Audit

~3 minutes

Imports your GitHub SSH public keys, disables password authentication, clones Lynis, and runs a full audit. Will prompt for your GitHub username. After this step the keys on that GitHub account are the only way in, so the account (and its two-factor setup) is now part of the server's trust boundary.

bash
sudo bash ssh-key-lynis-setup.sh
Before closing your session: keep this session open, open a second terminal and confirm that key-based login works: ssh user@server-ip. Password login is disabled at this point, so if the key login fails, fix it from the still-open session rather than discovering the lockout after you have disconnected.
7

Lynis Fixes

~1 minute

Addresses remaining Lynis suggestions: sysstat, debsums, banners, SSH tweaks, service hardening, sysctl.

bash
sudo bash lynis-fixes.sh
8

Reboot

required
bash
sudo reboot
9

Verify After Reboot

optional
bash
# Check SSH
sudo systemctl status ssh

# Check firewall
sudo ufw status verbose

# Check auditd
sudo systemctl status auditd
sudo auditctl -s

# Check AIDE (a full check takes a few minutes)
sudo aide --config=/etc/aide/aide.conf --check

# Check auto-updates (quote the glob so the shell does not expand it against files in the current directory)
systemctl list-timers 'apt-*'

# Check Lynis score
cd /opt/lynis && sudo ./lynis audit system

# Check network
ip a && ip route
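The status checks above show that services are running, not what the SSH daemon will actually accept. As an added example (not code from the page or its scripts), this POSIX-sh checker compares sshd -T output, which reflects the effective configuration after Include files and compiled-in defaults, against the settings a key-only, root-locked-out build should have. The REQUIRED values are this example's assumptions about what CIS-style hardening should produce, and the two sample outputs are constructed, not captured from a real host.

```shell
#!/usr/bin/env sh
# Added example, not part of the page or its scripts: compare the *effective*
# sshd configuration (sudo sshd -T resolves Include files, Match blocks and
# compiled-in defaults, which a grep of sshd_config does not) with the values
# a key-only, root-locked-out setup should show. REQUIRED lists this
# example's assumptions about what the SSH steps are meant to enforce, not a
# transcript of what the scripts set.
# Usage:  sudo sshd -T > /tmp/sshd-T.out && sh sshd-posture.sh /tmp/sshd-T.out
set -eu

# "keyword value" pairs exactly as sshd -T prints them (lowercase keywords).
# kbdinteractiveauthentication matters: left on, PAM can still prompt for a
# password even though PasswordAuthentication is off.
REQUIRED='passwordauthentication no
kbdinteractiveauthentication no
permitrootlogin no
pubkeyauthentication yes
permitemptypasswords no
x11forwarding no
maxauthtries 4'

# check_sshd_effective FILE -> prints one MISSING/MISMATCH line per finding
# and returns 0 only when there are none.
check_sshd_effective() {
    cfg=$1
    failures=0
    while read -r key want; do
        [ -n "$key" ] || continue
        have=$(awk -v k="$key" '$1 == k { print $2; exit }' "$cfg")
        if [ -z "$have" ]; then
            printf 'MISSING   %-30s want %s\n' "$key" "$want"
            failures=$((failures + 1))
        elif [ "$have" != "$want" ]; then
            printf 'MISMATCH  %-30s want %s, have %s\n' "$key" "$want" "$have"
            failures=$((failures + 1))
        fi
    done <<EOF
$REQUIRED
EOF
    [ "$failures" -eq 0 ]
}

# Constructed sshd -T excerpts (not captured from a real host): the first
# resembles stock Ubuntu defaults, the second what the hardening should yield.
sample_weak() {
    cat > "$1" <<'EOF'
port 22
passwordauthentication yes
kbdinteractiveauthentication yes
permitrootlogin prohibit-password
pubkeyauthentication yes
permitemptypasswords no
x11forwarding yes
maxauthtries 6
EOF
}

sample_hardened() {
    cat > "$1" <<'EOF'
port 22
passwordauthentication no
kbdinteractiveauthentication no
permitrootlogin no
pubkeyauthentication yes
permitemptypasswords no
x11forwarding no
maxauthtries 4
EOF
}

if [ $# -ge 1 ]; then
    if check_sshd_effective "$1"; then echo "PASS: $1"; else echo "FAIL: $1"; exit 1; fi
else
    for s in weak hardened; do
        f=$(mktemp)
        "sample_$s" "$f"
        echo "== $s =="
        if check_sshd_effective "$f"; then echo "PASS"; else echo "FAIL"; fi
        rm -f "$f"
    done
fi
```

Run sudo sshd -T > /tmp/sshd-T.out on the rebooted host and pass that file; anything printed is drift from the intended posture. sshd -T evaluates the configuration for a hypothetical connection, so Match blocks keyed on user or address are only exercised when you add -C user=...,addr=... to the sshd -T call.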

What Runs Automatically

Time      Task                                                   Frequency
3:00 AM   Security patches auto-install, reboot if needed        Daily
4:00 AM   AIDE file integrity check → /var/log/aide/             Daily
5:00 AM   AIDE database baseline update                          Sunday
Always    UFW denies all inbound ports except 22, 80, 443        Always
Always    auditd logs identity, permission, and exec changes     Always
Always    ClamAV freshclam auto-updates virus definitions        Always
⚙️ Optional
🌐

Set Static IP (When Needed)

bash
curl -fsSLO https://www.golu.net/scripts/set-static-ip.sh && sudo bash set-static-ip.sh

One-Liner — Clone VM Setup

Downloads and runs all clone VM scripts sequentially; the && chain stops at the first script that fails. You will be prompted for your username in CIS Part 1 and for your GitHub username in the SSH key step. Note that this chain reboots straight after disabling password authentication, so it skips the safety check in step 6 (confirming key login from a second terminal). Use it only when you already know the GitHub keys are correct, for example because the golden image imported them and you are logged in with one of them now.

bash — full clone setup
cd /tmp && \
curl -fsSLO https://www.golu.net/scripts/cis-safefix-ubuntu24-docker-Part1.sh && \
curl -fsSLO https://www.golu.net/scripts/cis-safefix-ubuntu24-docker-Part2.sh && \
curl -fsSLO https://www.golu.net/scripts/cis-safefix-ubuntu24-docker-Part3.sh && \
curl -fsSLO https://www.golu.net/scripts/ufw-firewall-setup.sh && \
curl -fsSLO https://www.golu.net/scripts/auto-security-updates.sh && \
curl -fsSLO https://www.golu.net/scripts/aide-cron-setup.sh && \
curl -fsSLO https://www.golu.net/scripts/ssh-key-lynis-setup.sh && \
curl -fsSLO https://www.golu.net/scripts/lynis-fixes.sh && \
chmod +x *.sh && \
sudo bash cis-safefix-ubuntu24-docker-Part1.sh && \
sudo bash cis-safefix-ubuntu24-docker-Part2.sh && \
sudo bash cis-safefix-ubuntu24-docker-Part3.sh && \
sudo bash ufw-firewall-setup.sh && \
sudo bash auto-security-updates.sh && \
sudo bash aide-cron-setup.sh && \
sudo bash ssh-key-lynis-setup.sh && \
sudo bash lynis-fixes.sh && \
sudo reboot