Ubuntu 22.04 LTS Server Deployment - Stop Fucking Around and Do It Right

Before you even download that ISO, let's talk about what actually breaks in production. I've deployed hundreds of Ubuntu servers and the same shit goes wrong every time.

Hardware Compatibility Hell

First stupid mistake: not checking hardware compatibility. The Ubuntu certified hardware list exists for a reason. Your fancy new server might boot fine but good luck getting the RAID controller working without proprietary drivers.

Check this shit before you buy:

• Network cards (Intel good, Broadcom bad)
• RAID controllers (LSI works, fake RAID doesn't)
• Remote management (iDRAC/iLO compatibility - check vendor support sites)

I learned this after spending 6 hours debugging why a Dell server's network kept dropping packets. Turns out the Broadcom NIC needed firmware that Ubuntu doesn't ship. Check the linux-firmware package before deployment.

Installation Method - Stop Using Desktop ISOs

Download Ubuntu Server 22.04.5 LTS from the official releases page. Not the desktop version. Not some random derivative. The server ISO is 2GB smaller and doesn't have the GUI bullshit that breaks headless deployments. Verify the SHA256 checksums before installation.

For automated deployments, use cloud-init and autoinstall. This saves your sanity when you need to deploy 50 servers that are configured identically.

Autoinstall YAML template that actually works:

#cloud-config
autoinstall:
  version: 1
  locale: en_US
  keyboard:
    layout: us
  network:
    network:
      version: 2
      ethernets:
        eno1:
          dhcp4: false
          addresses: [192.168.1.100/24]
          gateway4: 192.168.1.1
          nameservers:
            addresses: [8.8.8.8, 1.1.1.1]
  storage:
    layout:
      name: lvm
  identity:
    hostname: production-server
    username: sysadmin
    password: '$6$rounds=4096$saltsalt$hash'
  ssh:
    install-server: true
    authorized-keys:
      - ssh-rsa YOUR_SSH_KEY_HERE
  packages:
    - openssh-server
    - fail2ban
    - ufw
    - htop
    - rsync

Partitioning That Won't Screw You

The default installer partitioning is garbage for servers. Here's what actually works:

• Root (/): 50GB minimum - Ubuntu fills up fast with logs and cache
• Swap: Match your RAM up to 32GB, then cap it
• Everything else: Separate /var, /tmp, and /home if you can
• Use LVM: You'll thank me when you need to resize partitions

The Ubuntu Server installer provides a text-based interface that guides you through partitioning, network configuration, and package selection.

The installer defaults to 10GB for root which fills up in 3 months. /var/log alone will eat 5GB if you don't configure log rotation properly.

Network Configuration - systemd-resolved Will Betray You

Ubuntu 22.04 uses systemd-resolved for DNS which breaks in creative ways. Disable it if you need reliable DNS:

systemctl disable systemd-resolved
systemctl stop systemd-resolved
rm /etc/resolv.conf
echo \"nameserver 8.8.8.8\" > /etc/resolv.conf

Static network config goes in /etc/netplan/01-network-manager-all.yaml:

network:
  version: 2
  ethernets:
    ens3:
      dhcp4: false
      addresses:
        - 192.168.1.100/24
      gateway4: 192.168.1.1
      nameservers:
        addresses: [8.8.8.8, 1.1.1.1]

Apply with netplan apply and pray it doesn't break SSH. Always test network changes with a console connection.

Security isn't optional on production servers. These are the basics that prevent script kiddies from turning your server into a Bitcoin miner. Follow the Ubuntu Security Guide and CIS Ubuntu 22.04 benchmarks.

SSH Configuration That Doesn't Suck

Edit /etc/ssh/sshd_config before you forget. Reference the SSH hardening guide and OpenSSH security best practices:

Port 2222
PermitRootLogin no
PasswordAuthentication no
MaxAuthTries 3
ClientAliveInterval 300
ClientAliveCountMax 2
AllowUsers sysadmin deployer

Change the default port from 22. Yes, it's security through obscurity. No, it doesn't stop determined attackers. Yes, it stops 99% of the automated shit trying to brute force your server. Check SSH attack statistics.

Install fail2ban: apt install fail2ban. Default config is fine for SSH but check /var/log/fail2ban.log occasionally. Configure with the fail2ban documentation.

Firewall - UFW Because iptables is a Pain

ufw default deny incoming
ufw default allow outgoing
ufw allow 2222/tcp  # SSH on custom port
ufw allow 80/tcp    # HTTP
ufw allow 443/tcp   # HTTPS  
ufw enable

Don't enable UFW without allowing SSH first unless you enjoy walking to the datacenter. Read the UFW documentation and iptables primer to understand what you're doing.

Package Management - Stop Installing Random Shit

Remove packages you don't need. Check the Ubuntu package removal guide and system hardening checklist:

apt remove --purge snapd                    # If you hate snap
apt remove --purge popularity-contest       # Stops Ubuntu from spying
apt remove --purge landscape-client         # Canonical's management tool
apt autoremove --purge

Enable automatic security updates per Ubuntu's security update guide and unattended-upgrades documentation:

apt install unattended-upgrades
dpkg-reconfigure -plow unattended-upgrades

Edit /etc/apt/apt.conf.d/50unattended-upgrades to only install security updates:

Unattended-Upgrade::Allowed-Origins {
    "${distro_id}:${distro_codename}-security";
};

User Account Management

Never use the root account directly. Create a proper admin user:

adduser sysadmin
usermod -aG sudo sysadmin

Lock unused accounts:

usermod -L games
usermod -L news
usermod -L uucp

Check for accounts with empty passwords: awk -F: '($2==""){print $1}' /etc/shadow

File System Permissions

Mount /tmp with noexec to prevent script execution:

Add to /etc/fstab:

tmpfs /tmp tmpfs defaults,noexec,nosuid,nodev,size=2G 0 0

Set proper umask for security: Add umask 027 to /etc/profile

Monitoring and Logging

Install basic monitoring tools:

apt install htop iotop nethogs rsyslog-gnutls

Configure rsyslog to not fill your disk:

Edit /etc/rsyslog.conf:

## Stop logging every fucking thing to syslog
*.*;mail.none;news.none;cron.none /var/log/syslog

Set up log rotation properly:

cat > /etc/logrotate.d/custom << EOF
/var/log/auth.log /var/log/syslog {
    daily
    rotate 14
    compress
    delaycompress
    missingok
    notifempty
}
EOF

Time Synchronization

Ubuntu uses systemd-timesyncd which is fine for basic setups:

timedatectl set-ntp true
timedatectl status

For critical systems, install chrony: apt install chrony

Kernel Parameters for Servers

Add to /etc/sysctl.conf:

## Prevent IP spoofing
net.ipv4.conf.default.rp_filter=1
net.ipv4.conf.all.rp_filter=1

## Disable ICMP redirect acceptance
net.ipv4.conf.all.accept_redirects=0
net.ipv6.conf.all.accept_redirects=0

## Disable source routing
net.ipv4.conf.all.accept_source_route=0
net.ipv6.conf.all.accept_source_route=0

## Log suspicious packets
net.ipv4.conf.all.log_martians=1

## Reduce swap usage
vm.swappiness=10

## Increase file descriptor limits
fs.file-max=2097152

Apply with sysctl -p.

Final Security Checklist

Before calling it done:

• SSH key authentication working
• Root login disabled
• Firewall configured and enabled
• Automatic security updates configured
• Unnecessary services disabled
• Log rotation configured
• Time synchronization working
• fail2ban monitoring SSH attempts

Test everything from a different machine before you walk away. I've locked myself out of servers by forgetting to test SSH keys with password auth disabled.

The UFW (Uncomplicated Firewall) status display shows active rules and listening ports, helping verify your security configuration.