Linux Secure Ops is a working notebook for sysadmins who run Debian and Ubuntu boxes in the wild and want to keep them out of the news. We publish reproducible hardening playbooks, post-incident write-ups, and benchmark-aligned configs we actually use on our own fleet — not warmed-over checklists scraped from a 2019 blog. Every command has been pasted into a real shell, every sysctl tweak measured, every IDS rule load-tested before it hits the page.
The Ubuntu 24.04 Hardening Playbook
Noble Numbat changed enough defaults that the old 16.04/20.04 hardening guides now produce broken servers. AppArmor 4, unprivileged user namespaces restrictions, and the new Livepatch client all need fresh treatment. Our playbook walks the full CIS Ubuntu 24.04 Benchmark Level 1 and Level 2 controls, then layers on what CIS leaves out — disabling kernel.unprivileged_bpf_disabled, scoping systemd-resolved, and locking down cloud-init on imaged hosts.
We pay particular attention to the controls that break things quietly: USBGuard policies that lock out KVM consoles, nftables rulesets that survive a netplan reapply, and SSH MaxStartups values that won't lock you out during an Ansible run across 200 hosts. Where a control is theatre, we say so.
Modern Intrusion Detection: CrowdSec, Fail2Ban, and Wazuh
The intrusion-detection landscape in 2026 looks nothing like it did five years ago. CrowdSec has matured into a credible Fail2Ban replacement with a community blocklist, Wazuh 4.9 ships a usable agent for Debian-family hosts, and nftables sets make dynamic blocking far cheaper than the iptables hash-tables of old. We benchmark these tools head-to-head on a real SSH-and-Nginx edge node, measure false-positive rates against actual traffic, and show the exact bouncer wiring for Caddy, HAProxy, and bare nftables.
We also cover what nobody likes to admit: most small fleets don't need a SIEM, they need a journald pipeline into Loki with three good alert rules. We share those rules.
Sysctl Tuning and Lynis Audit Workflows
A clean Lynis hardening index above 90 is achievable on stock Ubuntu in an afternoon if you know which warnings to trust. We catalogue every sysctl we set — what it actually does at the kernel level (with links to kernel.org sysctl docs), what breaks when you set it wrong, and which ones are placebo. The same treatment applies to auditd rule sets, PAM stacks, and the perpetually misunderstood /etc/login.defs.
Browse our latest articles below for the current week's deep dives, incident retros, and config snippets you can paste into a terminal tonight.