Your Linux Server Has a Lynis Score of 68. Here's How to Fix It.
I ran Lynis on a fresh Ubuntu 24.04 server running Docker, Caddy, and a PKI stack. Score: 68/100 with 45 suggestions. Fifteen minutes later: 77/100. Here are the 10 changes that made the difference.
$ sudo lynis audit system --quick
Hardening index : 68 [############# ]
Tests performed : 268
Warnings: 1 | Suggestions: 45
The 10 Fixes
1. Enable auditd — audit logging for compliance
sudo apt install auditd && sudo systemctl enable --now auditd
2. Install file integrity monitoring (AIDE)
sudo apt install aide && sudo aideinit
3. Install rootkit scanner
sudo apt install rkhunter && sudo rkhunter --propupd
4. Harden SSH — 8 settings in one drop-in file
# /etc/ssh/sshd_config.d/99-hardening.conf
AllowTcpForwarding no
ClientAliveCountMax 2
ClientAliveInterval 300
LogLevel VERBOSE
MaxSessions 2
AllowUsers ubuntu
X11Forwarding no
Compression no
5. Enable process accounting
sudo apt install acct && sudo systemctl enable --now acct
6. Disable unused network protocols
# /etc/modprobe.d/disable-unused-protocols.conf
install dccp /bin/true
install sctp /bin/true
install rds /bin/true
install tipc /bin/true
7. Add legal banners
# /etc/issue and /etc/issue.net
AUTHORIZED ACCESS ONLY. All activities monitored and logged.
8. Harden kernel (sysctl)
# /etc/sysctl.d/99-hardening.conf
kernel.sysrq = 0
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.all.accept_redirects = 0
9. Restrict compiler access
sudo chmod o-rx /usr/bin/gcc* /usr/bin/g++* /usr/bin/cc
10. Fix time synchronization
sudo systemctl restart systemd-timesyncd
$ sudo lynis audit system --quick
Hardening index : 77 [############### ]
Tests performed : 268
Warnings: 0 | Suggestions: 33
68 → 77 with zero downtime. The remaining 33 suggestions are mostly partition layout changes and package cleanup — diminishing returns for a VPS.
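Fix 4 only counts if sshd actually applies the drop-in: sshd keeps the first value it reads for each keyword, so a lexically earlier file in /etc/ssh/sshd_config.d/ can override 99-hardening.conf. The script below is an added example, not part of the original post; it compares the drop-in with saved `sshd -T` output, and its function names and sample data are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original post. sshd keeps the FIRST value it
# reads for a keyword, so an earlier file in sshd_config.d/ can win over
# 99-hardening.conf. This compares the drop-in with sshd's effective config.

# check_sshd_dropin DROPIN EFFECTIVE   (EFFECTIVE = saved `sshd -T` output)
# Prints one line per setting not in effect; exit status 1 if there are any.
check_sshd_dropin() {
  awk '
    function value(   s) {            # text after the keyword, lowercased
      s = $0; sub(/^[ \t]*[^ \t]+[ \t]*/, "", s); sub(/[ \t]+$/, "", s)
      return tolower(s)               # simplification: case-insensitive match
    }
    FILENAME == ARGV[1] { eff[tolower($1)] = value(); next }
    NF == 0 || $1 ~ /^#/ { next }     # skip blank lines and comments
    {
      key = tolower($1); want = value()
      if (!(key in eff)) { print "MISSING  " key " (want " want ")"; bad = 1 }
      else if (eff[key] != want) {
        print "OVERRIDE " key ": want " want ", effective " eff[key]; bad = 1
      }
    }
    END { exit bad + 0 }
  ' "$2" "$1"
}

# Constructed sample: the post's drop-in and a made-up `sshd -T` excerpt in
# which an earlier drop-in already set MaxSessions and X11Forwarding.
sample_check() {
  d=$(mktemp -d) || return 2
  printf '%s\n' '# /etc/ssh/sshd_config.d/99-hardening.conf' \
    'AllowTcpForwarding no' 'ClientAliveCountMax 2' 'ClientAliveInterval 300' \
    'LogLevel VERBOSE' 'MaxSessions 2' 'AllowUsers ubuntu' \
    'X11Forwarding no' 'Compression no' > "$d/dropin"
  printf '%s\n' 'allowtcpforwarding no' 'clientalivecountmax 2' \
    'clientaliveinterval 300' 'loglevel VERBOSE' 'maxsessions 10' \
    'allowusers ubuntu' 'x11forwarding yes' 'compression no' > "$d/effective"
  check_sshd_dropin "$d/dropin" "$d/effective" && rc=0 || rc=$?
  rm -rf "$d"
  return "$rc"
}

sample_check || true   # prints the two OVERRIDE lines for the sample
```

On the server, run `sudo sshd -T > effective.txt` and pass the real drop-in and that file to `check_sshd_dropin` before reloading sshd.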
Start with sudo apt install lynis && sudo lynis audit system and see where you stand.