hardening
A Shell script that hardens Ubuntu servers (22.04 and 24.04) by configuring kernel parameters, disabling unnecessary modules, setting up UFW firewall, and enforcing security policies. The authors explicitly note it is no longer actively maintained and recommend using their Ansible collection for idempotent, production deployments instead.
Key facts
Objective fields from the source. Values we can't verify are shown as “Unknown” rather than guessed.
| Field | Value |
|---|---|
| Repository | konstruktoid/hardening |
| Owner | konstruktoid |
| Primary language | Shell |
| License | Apache-2.0 — OSI-approved |
| Stars | 1.7k |
| Forks | 402 |
| Open issues | 6 |
| Latest release | v2.2.0 (2025-07-31) |
| Last updated | 2026-07-08 |
| Source | https://github.com/konstruktoid/hardening |
What hardening is
Bash automation that applies hardening across kernel lockdown, netfilter conntrack, systemd configuration, PAM/login controls, auditd rules, and filesystem mount options. Functions disable kernel modules (USB, Bluetooth, filesystem drivers), configure sysctl parameters, manage SSH access controls, and enforce logging/journal retention. Not idempotent; intended as a one-time provisioning tool for golden image creation.
Get the hardening source
Clone the repository and explore it locally.
git clone https://github.com/konstruktoid/hardening.gitcd hardening# follow the project's README for install & configurationNeed it deployed, integrated, or customized instead? DEV.co ships production installs.
Best use cases
Implementation considerations
- Script is NOT idempotent; only run once per system. Use a golden image strategy to avoid repeated execution.
- Requires manual pre-execution review of code and ubuntu.cfg edits; no automated safety checks or dry-run mode documented.
- Disables kernel modules (Bluetooth, USB storage, etc.) that may be needed; review module list and modify DISABLEMOD/DISABLENET functions before execution.
- Expects specific partition layout (/boot, /home, /var/log, /var/log/audit, /var/tmp, /tmp) for mount option hardening; adapt fstab function if layout differs.
- Requires manual CHANGEME variable in cfg or script will fail; no other built-in validation gates.
When to avoid it — and what to weigh
- Production Systems Requiring Ongoing Management — Script is not idempotent and not actively maintained. For production, use the author's Ansible collection (konstruktoid/ansible-collection-hardening) or equivalent configuration management.
- Systems With USB Storage or Bluetooth Hardware Requirements — Script disables usb-storage, Bluetooth, and other modules by default. Enabling them post-hardening requires manual intervention; USBGuard configuration is mentioned but not automated.
- Need for Zero-Touch or Declarative Configuration — Script requires manual editing of ubuntu.cfg, manual verification before execution, and is designed for single-run provisioning. Not suited for declarative infrastructure-as-code workflows.
- Heterogeneous Environments Beyond Ubuntu 22.04/24.04 — Script is Ubuntu-specific and tested only on Jammy and Noble releases. Adaptation required for other distributions or older/newer Ubuntu versions.
License & commercial use
Licensed under Apache License 2.0 (Apache-2.0), an OSI-approved permissive license permitting commercial use, modification, and distribution with liability disclaimer.
Apache-2.0 is a permissive OSI license allowing commercial use and derivative works. However, no warranty or support is provided. The authors explicitly recommend Ansible collection for production hardening, implying the script is not intended for commercial support scenarios. Use for internal hardening reference or evaluation only; do not rely on script support or guarantees in commercial environments.
DEV.co evaluation signals
Editorial assessment — not user reviews. Directional, with an explicit confidence level.
| Signal | Assessment |
|---|---|
| Maintenance | Stale |
| Documentation | Adequate |
| License clarity | Clear |
| Deployment complexity | Moderate |
| DEV.co fit | Possible |
| Assessment confidence | High |
Script implements defense-in-depth across kernel lockdown, module disabling, firewall configuration, audit logging, PAM controls, and mount hardening. Kernel lockdown, netfilter limits, and disabled drivers reduce attack surface. However: (1) script is not actively maintained, so newer CVEs or Ubuntu patches may not be reflected; (2) no supply chain verification beyond SLSA artifact mentioned; (3) audit rule sets (audit-base, audit-aggressive) are provided but not validated against current compliance frameworks; (4) script disables modules globally—verify no unintended side effects for your workload. Use as a reference; do not assume it meets your compliance or threat model without independent review.
Alternatives to consider
konstruktoid/ansible-collection-hardening
Same author, actively maintained alternative using Ansible. Idempotent, repeatable, production-ready. Recommended by the project itself for ongoing hardening workflows.
CIS Ubuntu Linux Hardening Benchmark (official)
Industry-standard compliance framework with detailed controls, testing methodology, and community support. Applicable across multiple tools (Ansible, Terraform, manual).
Canonical Ubuntu Pro + Landscape
Commercial hardening, compliance monitoring, and patch management from the Ubuntu vendor. Includes automated compliance scanning and authenticated support.
Build on hardening with DEV.co software developers
Use this script as a hardening blueprint for lab/golden image creation. For production systems, adopt the author's Ansible collection or CIS benchmarks with full configuration management.
Talk to DEV.coRelated open-source tools
Surfaced by semantic similarity across the DEV.co open-source index.
Related on DEV.co
Explore the category and the services that help you build with it.
hardening FAQ
Can I run this script multiple times on the same system?
Is this suitable for production hardening?
What if I need USB or Bluetooth support after hardening?
Does this script update automatically when Ubuntu releases a new version?
Work with a software development agency
DEV.co helps companies turn open-source tools like hardening into production software. Our software development services cover the full lifecycle — architecture, web development, integration, and maintenance — delivered by software developers and web developers who ship. Engage our software development agency to implement or customize it for your open-source security stack.
Ready to Harden Ubuntu?
Use this script as a hardening blueprint for lab/golden image creation. For production systems, adopt the author's Ansible collection or CIS benchmarks with full configuration management.