You may have good reasons to focus on developing your disrupting app. And you may well be a very talented developer. But like me, even after years of experience as a web engineer, comes a point where we have to admit we don't know that much about security.

Unless you only use fully managed solutions to host your web applications, your startup probably has a bunch of servers you have to monitor and maintain. And unless your company has the scale to pay for real DevOps, security engineers, audits or pentests, then quite frankly, we'll mainly focus on finishing the current sprint hoping to get some traction ;)

Today I got my first Ubuntu VPS from OVH, a fresh new image ready to host the next version of my website. And it's got me thinking: I do remember it's best practice to disable SSH login by password, what else should I do ? Do I need a firewall ? Surely I don't have time to fully audit this default Ubuntu image by myself...

In this article I'll show you how to harden a default Ubuntu Server 20.04 image using existing open-source tools:

  1. Inspec to identify security issues and misconfiguration
  2. Ansible to automatically harden your server
  3. The DevSec Hardening Framework which provides:
    - An Inspec profile
    - Ansible / Chef / Puppet recipes to enforce above Inspec profile

Quick SSH setup

Make sure your server is defined in ~/.ssh/config

Host servername
	HostName <your server ip address>
	User username
	Port 22

To ssh into the server with your ssh key without typing the password just run:

$ ssh-copy-id -i ~/.ssh/ servername

Using Inspec with linux-baseline profile

On the server:

# download and install Inspec
$ wget
$ sudo dpkg -i inspec_4.20.2-1_amd64.deb

# clone the linux-baseline profile
$ git clone

# run the Inspec profile
$ inspec exec linux-baseline

Inspec installation instructions

You should see a similar output:

Next thing will be to automatically apply better OS settings using Ansible and the recipes provided by the DevSec framework.

Using Ansible to harden the server

On your local machine:

# install Ansible
$ sudo apt update
$ sudo apt install software-properties-common
$ sudo apt-add-repository --yes --update ppa:ansible/ansible
$ sudo apt install ansible

# install the os and ssh hardening roles
$ ansible-galaxy install dev-sec.os-hardening
$ ansible-galaxy install dev-sec.ssh-hardening

Ansible installation instructions

We then need to write a playbook for each ansible role:

# ansible-os-hardening.yaml
- hosts: your-server
  become: true
    - dev-sec.os-hardening
# ansible-ssh-hardening.yaml 
- hosts: your-server
  become: true
    - dev-sec.ssh-hardening

Finally run these playbooks with the following commands:

$ ansible-playbook -K ansible-os-hardening.yaml
$ ansible-playbook -K ansible-ssh-hardening.yaml

Then, re-running inspec exec linux-baseline on the server should give a similar output:

Which is much better!

Final thoughts

Though I can't say I have audited the DevSec framework per-se, I hope you now have a better understanding on how you can automate your servers security to stay up-to-date whith industry best practices.

Depending on what you then run on your server, you may have to allow some ports on the Ubuntu firewall, ufw. Personally while testing CapRover I just had to run:

$ ufw allow 80,443,3000,996,7946,4789,2377/tcp; ufw allow 7946,4789,2377/udp;

Thanks for reading and take care !