Published 2026-05-01 · 14 min read

Ubuntu 22.04 LTS hardening checklist — 12 SSH and TLS audits before April 2027

Ubuntu 22.04 LTS ("Jammy Jellyfish") is the most-deployed Ubuntu release in homelabs today. End-of-standard-support is April 2027 — five years after release, when universe-package security updates stop unless you've moved to Ubuntu Pro. This is the right window to audit your Jammy boxes and lock down the things that don't change between distros: SSH, TLS, package policy, exposed services. Twelve checks, exact commands, exact fixes. About 45 minutes per box if you're starting from a default install.

How to use this checklist

Each item is structured: what to check → command → what good looks like → fix line. Run them by hand on one box first to understand what each one means; once you trust the pattern, run them across the fleet. If you're scanning more than three boxes, Noxen automates every check below — agentless via SSH, no install on the targets.

The commands assume Ubuntu 22.04 with the default openssh-server, systemd, and iptables-persistent stack. Adjust paths if you've gone non-default.

1. Disable SSH password authentication

Why: brute-force SSH is the single highest-volume attack pattern on the internet. Public keys remove the entire attack class.

grep -E "^#?PasswordAuthentication" /etc/ssh/sshd_config

Good: PasswordAuthentication no, uncommented.
Fix: edit /etc/ssh/sshd_config, ensure PasswordAuthentication no, then sudo systemctl reload ssh. Test with a fresh SSH connection in a SECOND terminal before closing the first.

2. Restrict SSH to public-key authentication only

Why: belt-and-braces against ChallengeResponseAuthentication sneaking password-equivalent prompts past the PasswordAuthentication setting.

sudo sshd -T 2>/dev/null | grep -E "^(passwordauthentication|kbdinteractiveauthentication|challengeresponseauthentication|pubkeyauthentication)"

Good: passwordauthentication no, kbdinteractiveauthentication no, pubkeyauthentication yes.
Fix: in sshd_config, set KbdInteractiveAuthentication no and ChallengeResponseAuthentication no. Reload sshd.

3. Enforce strong SSH ciphers and MACs

Why: Ubuntu 22.04 ships OpenSSH 8.9 with sensible defaults, but custom sshd_config can re-enable legacy primitives. Audit before assuming.

sudo sshd -T | grep -E "^(ciphers|macs|kexalgorithms)"

Good: ciphers list contains only AEAD primitives (chacha20-poly1305@openssh.com, aes256-gcm@openssh.com, aes128-gcm@openssh.com); MACs use SHA-2 with -etm suffix; KEX includes curve25519-sha256 and at least one diffie-hellman-group16+ entry. No CBC, no SHA-1, no group14 KEX.
Fix: explicit allow-lists in sshd_config:

Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com
KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group16-sha512

4. Patch SSH against regreSSHion (CVE-2024-6387)

Why: pre-auth RCE on glibc Linux, including Ubuntu 22.04. See the regreSSHion deep-dive for the full story.

dpkg-query -W -f='${Version}\n' openssh-server

Good: 1:8.9p1-3ubuntu0.10 or later on Ubuntu 22.04.
Fix: sudo apt update && sudo apt install --only-upgrade openssh-server.

5. Verify unattended-upgrades is enabled

Why: ~80% of homelab CVE exposure comes from packages that are simply behind on routine security updates. If this isn't on, you're carrying every weekend's CVE backlog into Monday.

cat /etc/apt/apt.conf.d/20auto-upgrades 2>/dev/null
grep -E "Unattended-Upgrade::Allowed-Origins" /etc/apt/apt.conf.d/50unattended-upgrades

Good: 20auto-upgrades sets both APT::Periodic::Update-Package-Lists "1"; and APT::Periodic::Unattended-Upgrade "1";. 50unattended-upgrades's allowed-origins includes ${distro_id}:${distro_codename}-security.
Fix: sudo apt install -y unattended-upgrades && sudo dpkg-reconfigure -plow unattended-upgrades, then verify the two files above.

6. Audit packages with backported but missing fixes

Why: this is where homelabs fall behind even with unattended-upgrades on — universe packages, manually installed PPAs, and snap-managed apps follow different update paths.

apt list --upgradable 2>/dev/null | grep -i security

Good: empty output (everything's current) OR a small list with explicit "I'm holding this back" reasoning.
Fix: sudo apt upgrade for the everything-current case, or apt-cache policy <package> to investigate held-back packages.

7. Check TLS configuration on exposed HTTPS services

Why: TLS 1.0/1.1 and weak cipher suites are retired across the IETF tracks but still default-on for many homelab services (Plex, Home Assistant, NAS web UIs).

nmap --script ssl-enum-ciphers -p 443 <host>

Good: only TLS 1.2 and 1.3 enabled; only forward-secrecy cipher suites (ECDHE-* or DHE-*); no NULL or EXPORT ciphers; A or A+ overall grade per nmap's heuristics.
Fix: per-service. For nginx, set ssl_protocols TLSv1.2 TLSv1.3; and ssl_ciphers to Mozilla's intermediate profile. For Apache, similar via SSLProtocol.

8. Audit listening ports

Why: every listening port is an attack surface. Most default Ubuntu installs have a few you didn't ask for (cups-browsed on 631, avahi-daemon on 5353, openvpn-bound IPs from a now-removed package).

sudo ss -tlnp

Good: every line maps to a service you consciously enabled. If you can't immediately name what owns a port, stop and investigate.
Fix: sudo systemctl disable --now <service> for the service binding the unwanted port. Repeat for each.

9. Verify no admin surfaces on default ports

Why: homelab boxes accumulate admin panels — Pi-hole on 80, Portainer on 9000, Grafana on 3000, Plex on 32400 — and most ship with no auth or default credentials. See the admin-surface deep-dive for the catalogued list.

for p in 80 443 3000 5601 8080 8086 8123 8443 9000 9090 19999; do
  curl -sk -o /dev/null -w "$p %{http_code}\n" --max-time 3 "https://localhost:$p" 2>/dev/null
done

Good: every responsive port either returns 401/302-to-login OR is bound to a LAN-only interface. No admin UI returning 200 anonymously.
Fix: enable auth in each service's config; bind management ports to 127.0.0.1 or a private VLAN; front sensitive admin UIs with a Tailscale or WireGuard relay.

10. Check for default-credential admin services

Why: this is the single highest-impact homelab hardening step nobody does. Default admin/admin on a forwarded port is the textbook way to lose a box.

Noxen explicitly does not test default credentials — the flag-only philosophy is to surface the surface and let the operator validate. The audit you should do yourself: walk the listening- port list from check #8, open each admin panel in a browser, and confirm you'd be locked out without your stored password.

Good: every admin panel rejects empty / common credentials.
Fix: rotate any panel's default credentials now, before going further. If you can't remember changing it, you didn't.

11. Verify ufw / iptables rules match the ports list

Why: a firewall that allows everything is psychologically reassuring and operationally useless.

sudo ufw status verbose

Good: default policy is deny (incoming) and allow (outgoing), with explicit allow rules only for ports check #8 confirmed are intentional.
Fix: enable ufw if disabled (sudo ufw enable), set ufw default deny incoming, then add explicit allow rules per service: sudo ufw allow 22/tcp etc. Test from a SECOND box before closing the SSH session.

12. Confirm CVE feed coverage and run a baseline scan

Why: the previous 11 checks address configuration. This one addresses package-version drift — "what packages have known CVEs that aren't fixed yet?".

You can do this manually by running dpkg -l, exporting it to a file, and grepping NVD's daily feed for matches — that's roughly an evening per box. The realistic automated answer for a homelab is Noxen: SSH-based agentless inventory plus a daily-refreshed signed CVE feed plus distro-aware version comparison (so Ubuntu's backports get credited correctly). The Ubuntu CVE feed page shows what the matcher pulls live; the first-scan guide gets you to a finding inventory in under five minutes.

The April 2027 deadline and what comes after

Ubuntu 22.04 hits end-of-standard-support on 2027-04-30. After that:

• Main repository packages get security updates only via Ubuntu Pro (free for up to 5 personal machines, paid above that).
• Universe repository packages stop receiving community-backed security updates entirely. This includes most of the homelab-relevant tooling — Home Assistant, Plex's deb builds, anything from a third-party PPA.
• Kernel updates continue under Pro through Extended Security Maintenance.

Practically, homelabbers have three choices when April 2027 arrives:

1. Enable Ubuntu Pro on every Jammy box. Five machines free; covers main + universe security updates through 2032. Probably the right answer for most homelabs.
2. Upgrade to Ubuntu 24.04 LTS ("Noble Numbat"). Two-year-old release at that point, well-shaken, supported through April 2029. The do-release-upgrade path is well-trodden but takes ~30 min per box and breaks non-trivially-configured services about 5% of the time — plan a maintenance window.
3. Migrate off Ubuntu. Debian stable (currently bookworm) is the closest behavioural relative; Rocky/AlmaLinux for RHEL family; NixOS if you're feeling ambitious. Big change for a homelab that's grown organically over years.

Whichever path you pick, the 12 checks above carry forward — none of them are 22.04-specific in spirit. The exact commands change a bit on Debian (use apt equivalents) and change more on the RHEL family (dnf, firewall-cmd, different cipher policy mechanisms). The shape of the audit stays the same.

What Noxen automates from this checklist

Roughly nine of the twelve checks above are part of Noxen's default scan profile:

• SSH config audit (1, 2, 3) — Noxen reads /etc/ssh/sshd_config via the SSH probe and flags weak ciphers/MACs/KEX, password auth on, weak host key types.
• SSH CVEs (4) — package-version match against the CVE feed covers regreSSHion and every other openssh-server CVE.
• Unattended-upgrades + outdated packages (5, 6) — package-version audit + a "missing security update" check per host.
• TLS audit (7) — every responsive HTTPS port gets a TLS handshake probe and certificate-validity check.
• Listening ports + admin surfaces (8, 9) — TCP port scan + admin-surface fingerprint catalogue (~70 services known and growing).
• UFW / iptables (11) — firewall rules read and surfaced in the report.
• Baseline scan (12) — the whole point. See first-scan guide.

What Noxen doesn't automate: default-credential testing (#10) and TLS certificate trust-chain verification beyond the basics. Both are operator-driven by design — see why we flag rather than authenticate.

Further reading

• Ubuntu Security Notices — official feed, what the unattended-upgrades pipeline subscribes to.
• Mozilla SSL Configuration Generator — the canonical source for TLS cipher allow-lists per service.
• Internal: regreSSHion deep-dive, admin-surface attack vector, SSH key hygiene, 30-minute homelab security baseline.

Run all 12 checks across your fleet automatically. Noxen scans every Linux/BSD/macOS host you own over SSH (no agents) and surfaces SSH config, TLS, package-version, and admin-surface findings in a single report. Pricing & download.