CIS Ubuntu 24.04 Benchmark on Anubiz VPS
The CIS Benchmark is the industry baseline for hardening Ubuntu. Applying it to your Anubiz VPS takes a fresh cloud image to Level 1 compliance, which is sufficient for most non-regulated workloads. This guide is opinionated about which controls you actually need on a single-purpose offshore VPS and which CIS controls (filesystem partitioning, GUI hardening) you can skip. The walkthrough uses the OpenSCAP scanner and the upstream CIS controls.
Scope: Level 1 Server
Skip workstation controls. Skip running AIDE everywhere: it is too noisy on a dev VPS. Apply: sshd, sysctl network, sudo policy, audit, account password policy.
Step 1: sysctl Hardening
Drop in a /etc/sysctl.d/99-cis.conf that disables IP forwarding (unless the VPS runs a VPN), source routing and acceptance of ICMP redirects, logs martian packets, and enables RFC 1337 protection and SYN cookies. Apply it with sysctl --system.
Step 2: sshd Config
CIS-aligned /etc/ssh/sshd_config.d/cis.conf: Protocol 2 (default), MaxAuthTries 4, LoginGraceTime 30, ClientAliveInterval 300, ClientAliveCountMax 0, PermitEmptyPasswords no, IgnoreRhosts yes, X11Forwarding no.
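The check below is an added example, not part of the original guide. It compares sshd -T style output (the effective configuration) against the Step 2 values, which matters because sshd keeps the first value it reads for each keyword, so a drop-in that sorts before cis.conf in sshd_config.d can silently override it. The function name, variable names and sample output are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: compare effective sshd settings with the Step 2 values.

# Expected values copied from Step 2, lowercased the way `sshd -T` prints
# keywords. Protocol is left out: the guide notes 2 is already the default.
CIS_SSHD_EXPECTED='maxauthtries 4
logingracetime 30
clientaliveinterval 300
clientalivecountmax 0
permitemptypasswords no
ignorerhosts yes
x11forwarding no'

# Reads "keyword value" lines (sshd -T format) on stdin. Prints one line per
# keyword that is missing or differs; returns 1 if any were found, else 0.
check_sshd_effective() {
    local dump key want got drift=0
    dump=$(cat)
    while read -r key want; do
        got=$(printf '%s\n' "$dump" |
              awk -v k="$key" 'tolower($1) == k { print $2; exit }')
        if [ -z "$got" ]; then
            echo "MISSING $key (want $want)"
            drift=1
        elif [ "$got" != "$want" ]; then
            echo "DRIFT $key: effective=$got want=$want"
            drift=1
        fi
    done <<EOF
$CIS_SSHD_EXPECTED
EOF
    return "$drift"
}

# Constructed sample (not captured from a real host): effective settings
# where an earlier drop-in overrode two of the cis.conf values.
SAMPLE_SSHD_T='port 22
maxauthtries 6
logingracetime 30
clientaliveinterval 300
clientalivecountmax 0
permitemptypasswords no
ignorerhosts yes
x11forwarding yes'

printf '%s\n' "$SAMPLE_SSHD_T" | check_sshd_effective || true
# On the VPS itself: sudo sshd -T | check_sshd_effective
```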
Step 3: Auditd
Install it with apt install auditd. Drop in /etc/audit/rules.d/cis.rules with the CIS-recommended set covering /etc/passwd, /etc/shadow, sudoers, time changes and the network environment. Restart with service auditd restart.
Step 4: Password Policy
Configure pam_pwquality with minlen 14, dcredit -1, ucredit -1, ocredit -1, lcredit -1. Set faillock to 5 attempts. Set PASS_MAX_DAYS 365.
Step 5: Scoring with OpenSCAP
Install the scanner with apt install openscap-scanner ssg-debian. Run oscap xccdf eval --profile cis_level1_server ssg-ubuntu2404-ds.xml. The score should be 80%+ after the previous steps.