Okay, I’ve redone this entire post because I received negative feedback, which is understandable as I didn’t put a whole lot of work into it, but this is a script that I put together and have used for many years, which I’m willing to share with anyone who’s interested in adding a little security to any Ubuntu installation that they may have.
Instead of posting the code here, I’ve opted to put the code on Pastebin; you’ll find it here. It originally contained PPAs, which I’ve now taken out because those are personal anyway and it only decreases the security, so I advise against adding them anyway if security is your objective.
If you’d like to know more about the decisions made in the script, I have added links to the Arch Wiki for pages that will explain everything and what it does; mostly all of what I do is through information provided by the people who wrote the Arch Wiki.
I by no means know iptables; I simply copied and pasted what I put in the script. I made custom commands for disabling IPv6 if you’re interested, but I have not included them as that’s been giving me kernel problems anyway.
I will be adding more to it, but I disable IPv6 because not every VPN supports it and you’ll end up leaking if you don’t disable it. I suppose using UFW is redundant, but I put it in there anyway as a backup. I’ve had this script for years, so it’s static and I can’t be sure what’s default now compared to the past. This is just how I set things up; I added the PPAs because that is the software I use, I might as well throw it in there. And everything is explained via the Arch Wiki. Your router will block those ports anyway, and you can remove those if you don’t need them open.
While attending to arguable minutiae like disabling IPv6, you missed the forest for the trees. You forgot the #1 most important change of all, the only truly meaningful one: installing the unattended-upgrades package and configuring it to automatically install security updates.
No. Everybody should autoinstall security updates on Linux. They don’t break your workflow or force you to reboot like on Windows, and updates tagged security should never change functionality, all they do is fix security issues, so they shouldn’t impact your services and applications.
When you actually get hacked in the real world, it’s due to one of two things. First is running obsolete software and second is a misconfiguration. This fixes one of those.
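A way to verify the setting the reply above calls for, as an added example that is not part of the original thread or the poster's script. It assumes Ubuntu's stock layout (flat `APT::Periodic::` keys and an `Allowed-Origins` block under `/etc/apt/apt.conf.d`); the function names are hypothetical.

```shell
#!/bin/sh
# Audit whether APT's daily job will actually install security updates.
# Parses the apt.conf.d fragments directly, so it can also be pointed at a
# mounted image or a configuration-management checkout.
# Assumption: keys use the flat "APT::Periodic::Key "value";" form.

# periodic_value DIR KEY -> prints the effective APT::Periodic::KEY value.
# Fragments are read in lexical order and later ones override earlier ones;
# a key that is never set counts as "0" (disabled).
periodic_value() (
    val=0
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        # The ^ anchor skips lines commented out with //
        v=$(sed -n 's|^[[:space:]]*APT::Periodic::'"$2"'[[:space:]]*"\([^"]*\)".*|\1|p' "$f" | tail -n 1)
        if [ -n "$v" ]; then val=$v; fi
    done
    printf '%s\n' "$val"
)

# auto_security_updates_enabled [DIR] -> exit status 0 only if the package
# lists are refreshed, unattended-upgrade is scheduled, and an uncommented
# "...-security" origin is allowed.
auto_security_updates_enabled() (
    dir=${1:-/etc/apt/apt.conf.d}
    for k in Update-Package-Lists Unattended-Upgrade; do
        [ "$(periodic_value "$dir" "$k")" != 0 ] || exit 1
    done
    grep -Eqs '^[[:space:]]*"[^"]*-security";' "$dir"/*
)

# Run against the live system only when asked to: sh audit.sh --check
if [ "${1:-}" = "--check" ]; then
    if auto_security_updates_enabled; then
        echo "unattended security updates: enabled"
    else
        echo "unattended security updates: NOT enabled"
    fi
fi
```

A fragment such as `20auto-upgrades` that sets `Unattended-Upgrade "1"` is not enough on its own: the check also fails when the security origin has been commented out of the allowed origins.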