When it comes to Linux server security, default installations are rarely hardened against real-world threats. That’s where tools like Bastille come in. Bastille is a host hardening framework designed to audit and secure Unix-based systems by applying best-practice configurations and system lockdowns.

In this tutorial, we’ll walk you through how to install and use Bastille on Ubuntu 24.04 or newer to enhance the security of your server setup.

🛡️ What Is Bastille?

Bastille (also known as Bastille Linux) is an open-source security hardening tool that applies a collection of security policies to your system. Originally developed for Red Hat systems, it’s been adapted to work on various Linux distributions, including Ubuntu.

Note: This tool is not related to the BSD bastille container manager.

✅ Why Use Bastille on Ubuntu?

• Automates dozens of security hardening tasks
• Helps ensure compliance with best practices
• Reduces human error
• Logs every change for review

Examples of what Bastille can configure:

• Disabling unnecessary services
• Tightening permissions
• Configuring secure SSH defaults
• Restricting compilers
• Enabling logging and audit policies

🔧 Step 1: Update Your System

Before you install anything, make sure your system is up to date:

bashCopyEditsudo apt update && sudo apt upgrade -y

🧰 Step 2: Install Bastille on Ubuntu 24.04

Bastille isn’t included in default Ubuntu repositories. You’ll need to clone it from GitHub.

bashCopyEditsudo apt install git -y
git clone https://github.com/JonathanThorpe/Bastille-Linux.git
cd Bastille-Linux

Make the script executable:

bashCopyEditchmod +x bastille

🚀 Step 3: Run Bastille in Interactive Mode

Bastille offers an interactive wizard to guide you through security questions.

Start the wizard with:

bashCopyEditsudo ./bastille

You’ll be asked a series of Yes/No questions like:

• Do you want to disable unused network services?
• Should root login be disallowed over SSH?
• Would you like to set password aging policies?

Each step comes with context, so you can make informed decisions.

📜 Step 4: Review and Apply Changes

After the interactive session:

• Bastille writes all changes to /var/log/bastille/
• You can audit modifications before rebooting or continuing
• It’s best to back up your system or snapshot your VM before applying major changes

🔁 Step 5: Re-run Bastille as Needed

You can re-run Bastille at any time after system changes (e.g., new services installed).

To test in “simulation mode” without applying changes:

bashCopyEditsudo ./bastille -c

🔍 Best Practices When Using Bastille

• Review logs after every hardening session
• Always test on a staging system before applying to production
• Pair Bastille with tools like Fail2Ban, UFW, and ClamAV for layered security

🧠 What Bastille Won’t Do

• It’s not a firewall (use UFW or iptables for that)
• It doesn’t patch your packages (keep using apt update && upgrade)
• It’s not an antivirus

Bastille complements these other tools by enforcing system-level policy.

🛡️ Final Thoughts

Server hardening is a critical first step in securing your infrastructure. With Bastille, Ubuntu administrators gain a practical, automated way to apply common security best practices — reducing risk and improving overall server hygiene.

🌿 Go Beyond Defaults with Green Host

At GreenHost, we believe that security should be a foundation, not an afterthought. Our Ubuntu hosting environments are hardened out of the box, and we can help you implement tools like Bastille, Fail2Ban, and UFW for full-stack protection.