IntermediateSECURITY5 min read30 views
Linux Server Hardening Checklist
Essential security hardening steps for any Linux server. Covers SSH hardening, firewall setup, automatic updates, fail2ban, user management, and audit logging.
A
Published 65d ago
Sign in to vote & bookmark💬 0 comments
Linux Server Hardening Checklist
Every Linux server exposed to the internet needs proper hardening. This checklist covers the essential steps to secure your server against common attacks.
Step 1: Update Everything
sudo apt update && sudo apt upgrade -y
sudo apt autoremove -yEnable automatic security updates:
sudo apt install unattended-upgrades
sudo dpkg-reconfigure -plow unattended-upgradesStep 2: Harden SSH
Edit /etc/ssh/sshd_config:
# Disable root login
PermitRootLogin noDisable password authentication (use keys only)
PasswordAuthentication noChange default port (optional but reduces noise)
Port 2222Limit SSH to specific users
AllowUsers yourusernameSet idle timeout
ClientAliveInterval 300
ClientAliveCountMax 2Disable X11 forwarding
X11Forwarding nosudo systemctl restart sshdImportant: Make sure you have key-based access working BEFORE disabling passwords.
Step 3: Configure UFW Firewall
sudo ufw default deny incoming
sudo ufw default allow outgoing
sudo ufw allow 2222/tcp # SSH (or 22 if using default port)
sudo ufw allow 80/tcp # HTTP
sudo ufw allow 443/tcp # HTTPS
sudo ufw enable
sudo ufw status verboseStep 4: Install Fail2Ban
sudo apt install fail2ban
sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.localEdit /etc/fail2ban/jail.local:
[sshd]
enabled = true
port = 2222
maxretry = 3
bantime = 3600
findtime = 600sudo systemctl enable fail2ban
sudo systemctl start fail2ban
sudo fail2ban-client status sshdStep 5: User Management
# Create a non-root user
sudo adduser deployer
sudo usermod -aG sudo deployerSet strong password policy
sudo apt install libpam-pwqualityEdit /etc/security/pwquality.conf:
minlen = 12
dcredit = -1
ucredit = -1
ocredit = -1Step 6: Disable Unnecessary Services
# List running services
sudo systemctl list-units --type=service --state=runningDisable what you don't need
sudo systemctl disable cups
sudo systemctl disable avahi-daemon
sudo systemctl disable bluetoothStep 7: Set Up Audit Logging
sudo apt install auditd
sudo systemctl enable auditdMonitor important files
sudo auditctl -w /etc/passwd -p wa -k user_changes
sudo auditctl -w /etc/shadow -p wa -k password_changes
sudo auditctl -w /etc/ssh/sshd_config -p wa -k ssh_configView audit logs
sudo ausearch -k user_changesStep 8: Configure File Permissions
# Secure critical files
chmod 600 /etc/shadow
chmod 644 /etc/passwd
chmod 700 /rootFind world-writable files
find / -type f -perm -o+w -not -path "/proc/" -not -path "/sys/" 2>/dev/nullFind SUID binaries
find / -perm -4000 -type f 2>/dev/nullStep 9: Set Up Log Monitoring
# Install logwatch for daily summaries
sudo apt install logwatch
sudo logwatch --detail High --mailto [email protected] --service All --range todayQuick Verification
# Check open ports
sudo ss -tulnpCheck failed login attempts
sudo journalctl -u sshd | grep "Failed"Check fail2ban status
sudo fail2ban-client statusReview firewall rules
sudo ufw status numberedConclusion
These steps significantly reduce your attack surface. Security is ongoing — set up regular audits, keep systems updated, and monitor your logs. No server is "set and forget."