Ubuntu 24.04 LTS "Noble Numbat" is the latest long-term support release from Canonical, and it’s the most popular Linux distribution for servers worldwide. With 5 years of free support (extendable to 12 years with Ubuntu Pro), a massive package repository, and first-class cloud support, it’s the go-to choice for millions of sysadmins, DevOps engineers, and developers.
This guide covers everything you need to deploy and manage Ubuntu 24.04 LTS servers in production — from initial setup to advanced configuration.
Why LTS? Long Term Support releases receive security updates for 5 years (free) or up to 12 years with Ubuntu Pro. Interim releases (23.10, 24.10) only get 9 months of support. For servers, always use LTS.
What’s New in Ubuntu 24.04 LTS
| Feature | Details |
|---|---|
| Kernel | 6.8 (with HWE kernel upgrades) |
| Support Lifecycle | 5 years free (12 years with Pro) |
| Package Manager | APT 2.7 + Snap |
| Init System | systemd 255 |
| Default Filesystem | ext4 (ZFS optional) |
| Security | AppArmor 4.0, UFW, OpenSSL 3.2 |
| Python | Python 3.12 (default) |
| PHP | PHP 8.3 |
| Node.js | Node.js 18 LTS (via repo) / 20+ (via Snap/NVM) |
| Database | PostgreSQL 16, MySQL 8.0, MariaDB 10.11 |
| Web Server | Nginx 1.24, Apache 2.4 |
| Container Runtime | Docker (official repo), Podman, LXD |
| Netplan | Netplan 1.0 (YAML-based networking) |
| Cloud-init | cloud-init 24.x (automated provisioning) |
| Ubuntu Pro | Free for up to 5 machines |
Initial Server Setup
Step 1: First Login & System Update
# Update package lists and upgrade all packages
sudo apt update && sudo apt upgrade -y
# Install essential tools
sudo apt install -y vim curl wget git htop tmux ufw fail2ban \
software-properties-common apt-transport-https ca-certificates
# Set hostname
sudo hostnamectl set-hostname server01.example.com
# Set timezone
sudo timedatectl set-timezone Europe/Amsterdam
# Enable NTP
sudo timedatectl set-ntp true
# Check system info
lsb_release -a
uname -r
Step 2: Create a Sudo User
# Create a new user
sudo adduser deploy
# Add to sudo group
sudo usermod -aG sudo deploy
# Set up SSH key authentication
sudo mkdir -p /home/deploy/.ssh
sudo cp ~/.ssh/authorized_keys /home/deploy/.ssh/
sudo chown -R deploy:deploy /home/deploy/.ssh
sudo chmod 700 /home/deploy/.ssh
sudo chmod 600 /home/deploy/.ssh/authorized_keys
Step 3: SSH Hardening
sudo vim /etc/ssh/sshd_config
# Recommended production settings:
Port 2222 # Change from default 22
PermitRootLogin no # Never allow root SSH
PasswordAuthentication no # Key-based only
PubkeyAuthentication yes # Enable public key auth
MaxAuthTries 3 # Limit failed attempts
ClientAliveInterval 300 # 5-minute keepalive
ClientAliveCountMax 2 # Disconnect after 2 misses
X11Forwarding no # Disable X11 forwarding
AllowUsers deploy # Whitelist users
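# Apply the changes. On Ubuntu the unit is named ssh (not sshd), and 24.04 starts it
# through ssh.socket, so a Port change also needs the socket unit regenerated.
# Keep the current session open and test a new login on port 2222 before logging out.
sudo systemctl daemon-reload
sudo systemctl restart ssh.socket
sudo systemctl restart ssh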
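An added example, not part of the original guide: sshd uses the first value it reads for each keyword, and Ubuntu's stock sshd_config includes /etc/ssh/sshd_config.d/*.conf near the top, so a drop-in file can override the edits above without any error. The script compares the effective settings printed by `sshd -T` with the values recommended in this step; the sample input is constructed.

```shell
#!/bin/sh
# Added example: audit effective sshd settings against this guide's values.
# Input is `sshd -T` output: one "keyword value" pair per line, keywords lowercased.

# audit_sshd reads `sshd -T` text on stdin, prints one line per deviation from
# the settings recommended in this guide, and returns 1 if any were found.
audit_sshd() {
  effective=$(cat)
  rc=0
  while read -r key want; do
    # Collect every effective value for this keyword (Port and AllowUsers can repeat).
    got=$(printf '%s\n' "$effective" | awk -v k="$key" '
      $1 == k { sub(/^[^ ]+ /, ""); out = out sep $0; sep = "," }
      END { print out }')
    if [ -z "$got" ]; then
      echo "MISSING $key (expected $want)"; rc=1
    elif [ "$got" != "$want" ]; then
      echo "MISMATCH $key: effective=$got expected=$want"; rc=1
    fi
  done <<'EOF'
port 2222
permitrootlogin no
passwordauthentication no
pubkeyauthentication yes
maxauthtries 3
clientaliveinterval 300
clientalivecountmax 2
x11forwarding no
allowusers deploy
EOF
  return "$rc"
}

# Constructed sample: a drop-in under /etc/ssh/sshd_config.d/ has set
# PasswordAuthentication yes (first value wins) and Port was left at its default.
SAMPLE_EFFECTIVE='port 22
permitrootlogin no
passwordauthentication yes
pubkeyauthentication yes
maxauthtries 3
clientaliveinterval 300
clientalivecountmax 2
x11forwarding no
allowusers deploy'

printf '%s\n' "$SAMPLE_EFFECTIVE" | audit_sshd || true
# On a real host: sudo sshd -T | audit_sshd
```

A non-zero exit status makes the function usable as a gate in provisioning scripts before the old session is closed.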
UFW Firewall Configuration
Ubuntu uses UFW (Uncomplicated Firewall) — a user-friendly frontend for iptables/nftables:
# Set the default policies first: deny inbound, allow outbound
sudo ufw default deny incoming
sudo ufw default allow outgoing
# Allow SSH before enabling the firewall (use custom port if changed),
# otherwise new SSH connections are blocked as soon as UFW comes up
sudo ufw allow 2222/tcp comment 'SSH'
# Allow web traffic
sudo ufw allow 80/tcp comment 'HTTP'
sudo ufw allow 443/tcp comment 'HTTPS'
# Allow specific IP range
sudo ufw allow from 10.0.0.0/8 to any port 5432 comment 'PostgreSQL internal'
# Enable UFW once the SSH rule is in place
sudo ufw enable
# Check status
sudo ufw status verbose
# View numbered rules (for deletion)
sudo ufw status numbered
UFW vs firewalld Comparison
| Feature | UFW (Ubuntu) | firewalld (RHEL/Rocky/Alma) |
|---|---|---|
| Syntax | ufw allow 80/tcp | firewall-cmd --add-port=80/tcp |
| Ease of use | Very easy | Moderate |
| Zones | No | Yes (zone-based) |
| Backend | iptables/nftables | nftables |
| Rich rules | Basic | Advanced |
AppArmor Security
Ubuntu uses AppArmor (instead of SELinux) for Mandatory Access Control. It confines programs to a limited set of resources:
# Check AppArmor status
sudo apparmor_status
# List enforced profiles
sudo aa-status
# Put a profile into complain mode (log violations but don't block)
sudo aa-complain /etc/apparmor.d/usr.sbin.nginx
# Enforce a profile
sudo aa-enforce /etc/apparmor.d/usr.sbin.nginx
# Generate a new profile for an application
sudo aa-genprof /usr/sbin/my-app
# View AppArmor denials
sudo dmesg | grep -i apparmor
sudo journalctl -k | grep apparmor
Nginx + PHP 8.3 Web Server Stack
# Install Nginx
sudo apt install -y nginx
sudo systemctl enable nginx
# Install PHP 8.3 and extensions
sudo apt install -y php8.3-fpm php8.3-cli php8.3-common \
php8.3-mysql php8.3-pgsql php8.3-mbstring php8.3-xml \
php8.3-curl php8.3-zip php8.3-gd php8.3-intl php8.3-opcache \
php8.3-redis php8.3-imagick
# Configure PHP-FPM
sudo vim /etc/php/8.3/fpm/pool.d/www.conf
# Set: pm = dynamic
# Set: pm.max_children = 50
# Set: pm.start_servers = 5
# Set: pm.min_spare_servers = 5
# Set: pm.max_spare_servers = 35
# PHP performance tuning
sudo vim /etc/php/8.3/fpm/php.ini
# memory_limit = 256M
# upload_max_filesize = 64M
# post_max_size = 64M
# max_execution_time = 30
# opcache.enable = 1
# opcache.memory_consumption = 256
# opcache.max_accelerated_files = 20000
# Restart PHP-FPM
sudo systemctl restart php8.3-fpm
Nginx Server Block with SSL (Let’s Encrypt)
# Install Certbot
sudo apt install -y certbot python3-certbot-nginx
# Create server block
sudo vim /etc/nginx/sites-available/example.com
server {
listen 80;
server_name example.com www.example.com;
root /var/www/example.com/public;
index index.php index.html;
# Security headers
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Content-Type-Options "nosniff" always;
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
location / {
try_files $uri $uri/ /index.php?$query_string;
}
location ~ \.php$ {
fastcgi_pass unix:/run/php/php8.3-fpm.sock;
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
include fastcgi_params;
}
location ~ /\.(ht|git|env) {
deny all;
}
}
# Enable site
sudo ln -s /etc/nginx/sites-available/example.com /etc/nginx/sites-enabled/
sudo nginx -t
sudo systemctl reload nginx
# Get SSL certificate
sudo certbot --nginx -d example.com -d www.example.com
Database Setup
PostgreSQL 16
# Install PostgreSQL 16
sudo apt install -y postgresql postgresql-contrib
# Check status
sudo systemctl status postgresql
# Switch to postgres user and create database
sudo -u postgres psql
-- Inside psql:
CREATE USER appuser WITH PASSWORD 'strong_password';
CREATE DATABASE myapp OWNER appuser;
GRANT ALL PRIVILEGES ON DATABASE myapp TO appuser;
\q
# Configure remote access (if needed)
sudo vim /etc/postgresql/16/main/pg_hba.conf
# Add: host myapp appuser 10.0.0.0/8 scram-sha-256
sudo vim /etc/postgresql/16/main/postgresql.conf
# Set: listen_addresses = '*'
sudo systemctl restart postgresql
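An added example, not part of the original guide: with listen_addresses = '*' PostgreSQL listens on every interface, so pg_hba.conf and the UFW rules are what limit who can connect. The script reads `ss -H -tln` output and reports network-reachable listeners whose port is not among those opened in the UFW section; the ALLOWED list is taken from this guide's rules and the sample output is constructed.

```shell
#!/bin/sh
# Added example: list TCP listeners that are reachable from the network and
# are not covered by the UFW rules in this guide.
# Input is `ss -H -tln` output; ALLOWED holds the ports the guide opens in UFW
# (5432 is opened only for 10.0.0.0/8 there).
ALLOWED="2222 80 443 5432"

# unexpected_listeners reads `ss -H -tln` text on stdin and prints "address port"
# for every non-loopback listener whose port is not in $ALLOWED.
unexpected_listeners() {
  awk -v allowed="$ALLOWED" '
    BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    $1 == "LISTEN" {
      local_addr = $4
      port = local_addr; sub(/.*:/, "", port)        # text after the last colon
      addr = local_addr; sub(/:[^:]*$/, "", addr)    # text before the last colon
      sub(/%.*$/, "", addr)                          # drop interface scope such as %lo
      if (addr ~ /^127\./ || addr == "[::1]") next   # loopback only, not exposed
      if (!(port in ok)) print addr, port
    }' | sort -u
}

# Constructed sample of `ss -H -tln` output on a host set up as in this guide,
# plus one extra service (port 6379) bound to all interfaces.
SAMPLE_SS='LISTEN 0 4096 127.0.0.53%lo:53   0.0.0.0:*
LISTEN 0 511        0.0.0.0:80    0.0.0.0:*
LISTEN 0 244        0.0.0.0:5432  0.0.0.0:*
LISTEN 0 151      127.0.0.1:3306  0.0.0.0:*
LISTEN 0 511        0.0.0.0:6379  0.0.0.0:*
LISTEN 0 4096             *:2222        *:*'

printf '%s\n' "$SAMPLE_SS" | unexpected_listeners
# On a real host: ss -H -tln | unexpected_listeners
```

Any line it prints is a service that relies on the firewall's default deny alone; either bind it to loopback or add an explicit, source-restricted rule.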
MySQL 8.0
# Install MySQL
sudo apt install -y mysql-server
# Secure installation
sudo mysql_secure_installation
# Create database and user
sudo mysql
CREATE DATABASE myapp CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci;
CREATE USER 'appuser'@'localhost' IDENTIFIED BY 'strong_password';
GRANT ALL PRIVILEGES ON myapp.* TO 'appuser'@'localhost';
FLUSH PRIVILEGES;
EXIT;
Docker on Ubuntu 24.04
Ubuntu has the best Docker support of any Linux distribution:
# Install Docker from official repository
sudo apt install -y ca-certificates curl gnupg
sudo install -m 0755 -d /etc/apt/keyrings
curl -fsSL https://download.docker.com/linux/ubuntu/gpg | \
sudo gpg --dearmor -o /etc/apt/keyrings/docker.gpg
echo "deb [arch=$(dpkg --print-architecture) \
signed-by=/etc/apt/keyrings/docker.gpg] \
https://download.docker.com/linux/ubuntu \
$(. /etc/os-release && echo "$VERSION_CODENAME") stable" | \
sudo tee /etc/apt/sources.list.d/docker.list > /dev/null
sudo apt update
sudo apt install -y docker-ce docker-ce-cli containerd.io \
docker-buildx-plugin docker-compose-plugin
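# Add user to docker group (no sudo needed; takes effect at next login).
# Membership in this group is root-equivalent on the host, so grant it sparingly.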
sudo usermod -aG docker $USER
# Enable Docker at boot
sudo systemctl enable docker
# Test
docker run hello-world
docker compose version
Snap Packages: Love Them or Hate Them
Ubuntu 24.04 uses Snap for some core packages. Here’s what you need to know:
| Aspect | Pros | Cons |
|---|---|---|
| Auto-updates | Always up-to-date | Unexpected updates in production |
| Sandboxing | Better security isolation | Filesystem access restrictions |
| Startup time | — | Slower first launch |
| Disk space | — | Larger footprint (bundled deps) |
| Availability | Huge Snap Store catalog | — |
# List installed snaps
snap list
# Control auto-refresh schedule (production servers)
sudo snap set system refresh.timer=sat,04:00
# Hold a specific snap from updating
sudo snap refresh --hold=72h lxd
# Install a snap
sudo snap install node --classic --channel=20
# Remove a snap
sudo snap remove firefox
Automatic Security Updates
# Install unattended-upgrades (usually pre-installed)
sudo apt install -y unattended-upgrades
# Configure
sudo vim /etc/apt/apt.conf.d/50unattended-upgrades
# Enable security updates:
Unattended-Upgrade::Allowed-Origins {
"${distro_id}:${distro_codename}-security";
};
# Auto-reboot if needed:
Unattended-Upgrade::Automatic-Reboot "true";
Unattended-Upgrade::Automatic-Reboot-Time "04:00";
# Enable the service
sudo dpkg-reconfigure -plow unattended-upgrades
# Verify it's working
sudo unattended-upgrades --dry-run --debug
Ubuntu Pro: Free for Up to 5 Machines
Ubuntu Pro is free for personal and small-scale commercial use (up to 5 machines). It provides expanded security updates for the entire Ubuntu package archive — not just main.
# Attach to Ubuntu Pro (get free token from ubuntu.com/pro)
sudo pro attach YOUR_TOKEN
# Check status
sudo pro status
# What Pro gives you:
# - ESM-infra: Extended security updates for main packages (12 years)
# - ESM-apps: Security updates for Universe packages
# - Livepatch: Kernel security patches without reboot
# - FIPS 140-3: Certified cryptographic modules
# - CIS hardening: Automated security benchmarks
Performance Tuning
# Kernel parameters for web servers
sudo vim /etc/sysctl.d/99-performance.conf
# Network tuning
net.core.somaxconn = 65535
net.core.netdev_max_backlog = 65535
net.ipv4.tcp_max_syn_backlog = 65535
net.ipv4.tcp_fin_timeout = 15
net.ipv4.tcp_tw_reuse = 1
net.ipv4.ip_local_port_range = 1024 65535
# File descriptors
fs.file-max = 2097152
fs.inotify.max_user_watches = 524288
# Virtual memory
vm.swappiness = 10
vm.dirty_ratio = 60
vm.dirty_background_ratio = 2
# Apply
sudo sysctl --system
# Increase open file limits
sudo vim /etc/security/limits.d/99-nofile.conf
* soft nofile 65535
* hard nofile 65535
root soft nofile 65535
root hard nofile 65535
Essential Administration Commands
| Task | Command |
|---|---|
| System info | lsb_release -a |
| Update & upgrade | sudo apt update && sudo apt upgrade -y |
| Search packages | apt search keyword |
| Install package | sudo apt install package-name |
| Remove + purge | sudo apt purge package-name |
| Clean unused | sudo apt autoremove --purge |
| Service management | sudo systemctl status/start/stop/enable service |
| Failed services | systemctl --failed |
| View logs | journalctl -xe |
| Disk usage | df -hT |
| Memory usage | free -h |
| Active connections | ss -tulnp |
| Firewall status | sudo ufw status verbose |
| AppArmor status | sudo aa-status |
| User management | sudo adduser newuser && sudo usermod -aG sudo newuser |
| Reboot history | last reboot |
Sysadmin Salary with Ubuntu/Debian Expertise (EU, 2026)
| Level | Salary Range | Key Skills |
|---|---|---|
| Junior Sysadmin | €30,000 - €40,000 | APT, UFW, systemd, basic Nginx |
| Mid-Level Sysadmin | €42,000 - €58,000 | + Docker, CI/CD, monitoring, automation |
| Senior Sysadmin | €58,000 - €82,000 | + K8s, Terraform, architecture, HA |
| DevOps / Cloud Engineer | €65,000 - €100,000 | Ubuntu + AWS/GCP + IaC |
Ubuntu dominates cloud deployments. Combining Ubuntu expertise with cloud skills (AWS, GCP, Azure) significantly boosts earning potential.
Final Verdict
Ubuntu 24.04 LTS is the gold standard for server deployments. The largest community, freshest packages, best cloud support, and 12 years of security updates with Pro. Whether you’re running a single VPS or orchestrating hundreds of cloud instances, Ubuntu delivers.
Already experienced? Pair Ubuntu with Docker and Kubernetes to build scalable, production-grade infrastructure. Your Ubuntu skills are the foundation everything else builds on.