DEV.co
Open-Source Security · konstruktoid

hardening

A Shell script that hardens Ubuntu servers (22.04 and 24.04) by configuring kernel parameters, disabling unnecessary modules, setting up UFW firewall, and enforcing security policies. The authors explicitly note it is no longer actively maintained and recommend using their Ansible collection for idempotent, production deployments instead.

Source: GitHub — github.com/konstruktoid/hardening
1.7k
GitHub stars
402
Forks
Shell
Primary language
Apache-2.0
License (OSI-approved)

Key facts

Objective fields from the source. Values we can't verify are shown as “Unknown” rather than guessed.

FieldValue
Repositorykonstruktoid/hardening
Ownerkonstruktoid
Primary languageShell
LicenseApache-2.0 — OSI-approved
Stars1.7k
Forks402
Open issues6
Latest releasev2.2.0 (2025-07-31)
Last updated2026-07-08
Sourcehttps://github.com/konstruktoid/hardening

What hardening is

Bash automation that applies hardening across kernel lockdown, netfilter conntrack, systemd configuration, PAM/login controls, auditd rules, and filesystem mount options. Functions disable kernel modules (USB, Bluetooth, filesystem drivers), configure sysctl parameters, manage SSH access controls, and enforce logging/journal retention. Not idempotent; intended as a one-time provisioning tool for golden image creation.

Quickstart

Get the hardening source

Clone the repository and explore it locally.

terminalbash
git clone https://github.com/konstruktoid/hardening.gitcd hardening# follow the project's README for install & configuration

Need it deployed, integrated, or customized instead? DEV.co ships production installs.

Best use cases

Golden Image Hardening Reference

Use the script to harden a fresh Ubuntu 22.04 or 24.04 VM, then capture as a hardened base image. Deploy that image repeatedly for consistent, pre-hardened servers without re-running the script.

Security Compliance Baseline Verification

Review the script logic to understand recommended hardening steps (mount options, audit rules, module disabling) and validate your current Ubuntu deployments against those benchmarks.

Non-Production Lab & Testing Environments

Harden staging or development servers where idempotency and ongoing maintenance are not critical; script can be run once per environment refresh.

Implementation considerations

  • Script is NOT idempotent; only run once per system. Use a golden image strategy to avoid repeated execution.
  • Requires manual pre-execution review of code and ubuntu.cfg edits; no automated safety checks or dry-run mode documented.
  • Disables kernel modules (Bluetooth, USB storage, etc.) that may be needed; review module list and modify DISABLEMOD/DISABLENET functions before execution.
  • Expects specific partition layout (/boot, /home, /var/log, /var/log/audit, /var/tmp, /tmp) for mount option hardening; adapt fstab function if layout differs.
  • Requires manual CHANGEME variable in cfg or script will fail; no other built-in validation gates.

When to avoid it — and what to weigh

  • Production Systems Requiring Ongoing Management — Script is not idempotent and not actively maintained. For production, use the author's Ansible collection (konstruktoid/ansible-collection-hardening) or equivalent configuration management.
  • Systems With USB Storage or Bluetooth Hardware Requirements — Script disables usb-storage, Bluetooth, and other modules by default. Enabling them post-hardening requires manual intervention; USBGuard configuration is mentioned but not automated.
  • Need for Zero-Touch or Declarative Configuration — Script requires manual editing of ubuntu.cfg, manual verification before execution, and is designed for single-run provisioning. Not suited for declarative infrastructure-as-code workflows.
  • Heterogeneous Environments Beyond Ubuntu 22.04/24.04 — Script is Ubuntu-specific and tested only on Jammy and Noble releases. Adaptation required for other distributions or older/newer Ubuntu versions.

License & commercial use

Licensed under Apache License 2.0 (Apache-2.0), an OSI-approved permissive license permitting commercial use, modification, and distribution with liability disclaimer.

Apache-2.0 is a permissive OSI license allowing commercial use and derivative works. However, no warranty or support is provided. The authors explicitly recommend Ansible collection for production hardening, implying the script is not intended for commercial support scenarios. Use for internal hardening reference or evaluation only; do not rely on script support or guarantees in commercial environments.

DEV.co evaluation signals

Editorial assessment — not user reviews. Directional, with an explicit confidence level.

SignalAssessment
MaintenanceStale
DocumentationAdequate
License clarityClear
Deployment complexityModerate
DEV.co fitPossible
Assessment confidenceHigh
Security considerations

Script implements defense-in-depth across kernel lockdown, module disabling, firewall configuration, audit logging, PAM controls, and mount hardening. Kernel lockdown, netfilter limits, and disabled drivers reduce attack surface. However: (1) script is not actively maintained, so newer CVEs or Ubuntu patches may not be reflected; (2) no supply chain verification beyond SLSA artifact mentioned; (3) audit rule sets (audit-base, audit-aggressive) are provided but not validated against current compliance frameworks; (4) script disables modules globally—verify no unintended side effects for your workload. Use as a reference; do not assume it meets your compliance or threat model without independent review.

Alternatives to consider

konstruktoid/ansible-collection-hardening

Same author, actively maintained alternative using Ansible. Idempotent, repeatable, production-ready. Recommended by the project itself for ongoing hardening workflows.

CIS Ubuntu Linux Hardening Benchmark (official)

Industry-standard compliance framework with detailed controls, testing methodology, and community support. Applicable across multiple tools (Ansible, Terraform, manual).

Canonical Ubuntu Pro + Landscape

Commercial hardening, compliance monitoring, and patch management from the Ubuntu vendor. Includes automated compliance scanning and authenticated support.

Software development agency

Build on hardening with DEV.co software developers

Use this script as a hardening blueprint for lab/golden image creation. For production systems, adopt the author's Ansible collection or CIS benchmarks with full configuration management.

Talk to DEV.co

Related open-source tools

Surfaced by semantic similarity across the DEV.co open-source index.

Related on DEV.co

Explore the category and the services that help you build with it.

hardening FAQ

Can I run this script multiple times on the same system?
No. The README explicitly states the script is NOT idempotent. Running it twice may cause conflicts or unexpected behavior. Use the golden image approach: run once, capture image, deploy copies.
Is this suitable for production hardening?
Not directly. The README recommends the Ansible collection for production. This script is a reference tool or basis for a custom hardening process. For production, use configuration management (Ansible, Puppet, Terraform).
What if I need USB or Bluetooth support after hardening?
The script disables these modules in the DISABLEMOD and DISABLENET functions. Edit those functions before running, or manually re-enable and configure USBGuard post-execution.
Does this script update automatically when Ubuntu releases a new version?
No. The project is not actively maintained. Compatibility with future Ubuntu releases is not guaranteed. The README lists only Ubuntu 22.04 and 24.04 as tested versions.

Work with a software development agency

DEV.co helps companies turn open-source tools like hardening into production software. Our software development services cover the full lifecycle — architecture, web development, integration, and maintenance — delivered by software developers and web developers who ship. Engage our software development agency to implement or customize it for your open-source security stack.

Ready to Harden Ubuntu?

Use this script as a hardening blueprint for lab/golden image creation. For production systems, adopt the author's Ansible collection or CIS benchmarks with full configuration management.