Linux Server Hardening Checklist: 50+ Security Steps (2026)

Server hardening is the process of reducing the attack surface of your Linux systems by eliminating unnecessary services, enforcing strict access controls, and layering defense-in-depth measures. This checklist covers the core hardening steps for production Linux servers in 2026. The commands assume a Debian/Ubuntu host (apt, ufw, the ssh service unit); on RHEL-family systems substitute dnf, firewalld and sshd. After each step, verify the effective setting rather than trusting the edit: drop-in directories and defaults differ between releases, and an overriding drop-in is the most common reason a hardened setting never takes effect.

Initial System Setup

1. Update and Patch Everything

# Update package lists and upgrade all packages
sudo apt update && sudo apt full-upgrade -y

# Enable automatic security updates
sudo apt install unattended-upgrades
sudo dpkg-reconfigure -plow unattended-upgrades

# Check for kernel updates requiring reboot
if [ -f /var/run/reboot-required ]; then
    echo "REBOOT REQUIRED"
fi

2. Remove Unnecessary Packages

# List installed packages
dpkg --list | grep -i "telnet\|ftp\|rsh\|nis\|talk\|finger"

# Remove insecure services (purge only the names the listing above shows as
# installed; apt aborts the whole command on a package name it cannot find)
sudo apt purge telnetd ftpd rsh-server nis talk talkd finger

# Remove unused packages
sudo apt autoremove --purge

3. Disable Unnecessary Services

# List all enabled services
systemctl list-unit-files --type=service --state=enabled

# Disable services not needed
sudo systemctl disable --now avahi-daemon
sudo systemctl disable --now cups
sudo systemctl disable --now bluetooth
sudo systemctl mask ctrl-alt-del.target

SSH Hardening

4-15. SSH Configuration Best Practices

# /etc/ssh/sshd_config - Hardened configuration
#
# Debian/Ubuntu ship "Include /etc/ssh/sshd_config.d/*.conf" at the TOP of
# sshd_config, and sshd keeps the FIRST value it reads for each directive.
# A drop-in read before this file (cloud-init's 50-cloud-init.conf, which
# sets PasswordAuthentication, is the usual one) therefore overrides anything
# below. Put these settings in a drop-in that sorts first, e.g.
# /etc/ssh/sshd_config.d/00-hardening.conf, or remove the conflicting drop-in,
# then confirm the effective values with: sudo sshd -T

# Authentication (protocol 2 is the only protocol current OpenSSH speaks;
# the old "Protocol 2" directive is deprecated and has been dropped here)
PermitRootLogin no
MaxAuthTries 3
MaxSessions 5
LoginGraceTime 30
PasswordAuthentication no
PermitEmptyPasswords no
# Keyboard-interactive covers PAM password prompts; older guides call this
# ChallengeResponseAuthentication, which is still accepted as an alias
KbdInteractiveAuthentication no
PubkeyAuthentication yes
AuthenticationMethods publickey

# Access Control - every Allow/Deny directive present must permit the login,
# so deploy and admin must also be members of the sshusers group
AllowUsers deploy admin
AllowGroups sshusers
DenyUsers root

# Network (a non-default port trims log noise but is not a security control;
# keep the firewall and Fail2ban rules below in sync with it)
Port 2222
AddressFamily inet
ListenAddress 0.0.0.0
TCPKeepAlive no
ClientAliveInterval 300
ClientAliveCountMax 2

# Security
X11Forwarding no
AllowTcpForwarding no
AllowAgentForwarding no
PermitTunnel no
GatewayPorts no
PrintMotd no
PrintLastLog yes
Banner /etc/issue.net
PermitUserEnvironment no
UsePAM yes
StrictModes yes

# Crypto
KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com
HostKeyAlgorithms ssh-ed25519,rsa-sha2-512,rsa-sha2-256

# Logging (VERBOSE records the fingerprint of the key used for each login)
LogLevel VERBOSE
SyslogFacility AUTH

# Validate the syntax before reloading, and keep your current session open
# until a fresh login on the new port succeeds (the unit is "ssh" on
# Debian/Ubuntu and "sshd" on RHEL-family systems)
sudo sshd -t && sudo systemctl reload ssh
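
To catch the drop-in override described above, compare the resolved configuration that `sudo sshd -T` prints with the values you intended. The script below is an added example for this checklist, not code from the original article: `sshd -T` and its lowercase `key value` output are real OpenSSH behaviour, while the sample output it parses is constructed to show a host where a drop-in re-enabled password logins behind the administrator's back.

```sh
#!/bin/sh
# Audit the effective sshd configuration (the output of `sudo sshd -T`, which
# resolves every Include drop-in) against the hardened values we expect.
# Added example for this checklist, not code from the original article.
set -u

# Expected directives in the lowercase "key value" form that sshd -T prints.
# OpenSSH older than 8.7 prints challengeresponseauthentication instead of
# kbdinteractiveauthentication; adjust that key when auditing such hosts.
EXPECTED='permitrootlogin no
passwordauthentication no
permitemptypasswords no
kbdinteractiveauthentication no
pubkeyauthentication yes
maxauthtries 3
x11forwarding no
allowtcpforwarding no
allowagentforwarding no
permittunnel no
gatewayports no
permituserenvironment no
loglevel VERBOSE'

# audit_sshd_effective FILE
#   FILE holds `sshd -T` output. Prints one line per missing or differing
#   directive; returns the number of problems (0 = hardened as intended).
audit_sshd_effective() {
    local file=$1 key want got problems=0
    while read -r key want; do
        [ -z "$key" ] && continue
        # sshd -T prints one directive per line, key first, already lowercased
        got=$(awk -v k="$key" '$1 == k { print $2; exit }' "$file")
        if [ -z "$got" ]; then
            printf 'MISSING  %-30s expected %s\n' "$key" "$want"
            problems=$((problems + 1))
        elif [ "$got" != "$want" ]; then
            printf 'DRIFT    %-30s expected %s, effective %s\n' "$key" "$want" "$got"
            problems=$((problems + 1))
        fi
    done <<EOF
$EXPECTED
EOF
    return "$problems"
}

# write_sample_sshd_T FILE
#   Constructed sshd -T output (not captured from a real host): sshd_config
#   says PasswordAuthentication no, but a drop-in read earlier set it to yes,
#   and the first value sshd reads is the one that wins.
write_sample_sshd_T() {
    cat > "$1" <<'EOF'
port 2222
addressfamily inet
permitrootlogin no
maxauthtries 3
passwordauthentication yes
permitemptypasswords no
kbdinteractiveauthentication no
pubkeyauthentication yes
x11forwarding no
allowtcpforwarding no
allowagentforwarding no
permittunnel no
gatewayports no
permituserenvironment no
loglevel VERBOSE
EOF
}

# On a real host:
#   sudo sshd -T > /tmp/sshd.effective && audit_sshd_effective /tmp/sshd.effective
sample=$(mktemp)
write_sample_sshd_T "$sample"
audit_sshd_effective "$sample" || echo "problems found: $?"
rm -f "$sample"
```

Run it after every change to sshd_config or its drop-in directory, and again after image or cloud-init updates; a non-zero exit is the signal that the file you edited is not the configuration sshd is actually enforcing.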

Kernel Security

16-25. Kernel Hardening Parameters

# /etc/sysctl.d/99-hardening.conf

# Network security
# ip_forward must stay 1 on routers and on Docker/Kubernetes hosts
net.ipv4.ip_forward = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.default.log_martians = 1
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.icmp_ignore_bogus_error_responses = 1
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
net.ipv4.tcp_syncookies = 1

# IPv6: disable only if the host genuinely has no IPv6 connectivity. Turning
# it off on a dual-stack host breaks reachability rather than hardening it;
# if IPv6 stays on, apply the same redirect and source-route settings to the
# net.ipv6.conf.* keys instead.
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1

# Kernel hardening
kernel.randomize_va_space = 2
# kernel.exec-shield was a RHEL-specific key that no longer exists; current
# kernels have no such sysctl and "sysctl --system" only reports an error for
# it, so it is intentionally omitted here
kernel.kptr_restrict = 2
kernel.dmesg_restrict = 1
# 3 (no unprivileged perf use at all) exists only on Debian/Ubuntu kernels;
# upstream's maximum is 2
kernel.perf_event_paranoid = 3
kernel.yama.ptrace_scope = 1
# once set to 1 this cannot be reverted without a reboot
kernel.unprivileged_bpf_disabled = 1
kernel.sysrq = 0

# Filesystem protection
fs.protected_hardlinks = 1
fs.protected_symlinks = 1
fs.suid_dumpable = 0

# Apply changes, then confirm the running kernel actually took them
sudo sysctl --system
sudo sysctl net.ipv4.ip_forward kernel.kptr_restrict kernel.yama.ptrace_scope
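
`sysctl --system` reports a missing key once, at apply time, and a value can later be flipped by a container runtime, a network manager or another drop-in. The script below is an added example for this checklist, not code from the original article: it reads a sysctl drop-in, maps each dotted key to its `/proc/sys` file, and reports keys the kernel does not know as well as values that differ from the file. The sysfs root is a parameter so the logic runs here against a constructed directory tree rather than the real `/proc/sys`.

```sh
#!/bin/sh
# Compare a sysctl drop-in with what the running kernel actually has, and flag
# keys the kernel does not know (a silently ignored typo, or a key such as
# kernel.exec-shield that no longer exists). Added example for this checklist,
# not code from the original article. The sysfs root is a parameter so the
# logic can be exercised on a constructed directory tree instead of /proc/sys.
set -u

# collapse runs of whitespace (/proc/sys uses tabs in multi-value keys) and trim
_norm() { printf '%s\n' "$1" | tr -s '[:space:]' ' ' | sed 's/^ //; s/ $//'; }

# sysctl_drift CONF [ROOT]
#   Prints one line per unknown key or differing value.
#   Returns the number of problems found (0 = kernel matches the file).
#   Keys with dots inside a component (net.ipv4.conf.eth0.100.rp_filter) are
#   written with slashes in sysctl(8) files and are not handled here.
sysctl_drift() {
    local conf=$1 root=${2:-/proc/sys} line key want path got problems=0
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%%#*}                              # drop comments
        case $line in *=*) ;; *) continue ;; esac     # skip blank/malformed lines
        key=$(_norm "${line%%=*}")
        want=$(_norm "${line#*=}")
        path="$root/$(printf '%s' "$key" | tr . /)"   # net.ipv4.ip_forward -> net/ipv4/ip_forward
        if [ ! -f "$path" ]; then
            printf 'UNKNOWN  %-45s no %s on this kernel\n' "$key" "$path"
            problems=$((problems + 1))
            continue
        fi
        got=$(_norm "$(cat "$path")")
        if [ "$got" != "$want" ]; then
            printf 'DRIFT    %-45s file=%s kernel=%s\n' "$key" "$want" "$got"
            problems=$((problems + 1))
        fi
    done < "$conf"
    return "$problems"
}

# write_sample_conf FILE / make_fake_proc_sys DIR
#   Constructed inputs (not from a real host): four keys from the hardening
#   file plus one multi-value key, against a fake /proc/sys where ip_forward
#   is still 1 and exec-shield does not exist.
write_sample_conf() {
    cat > "$1" <<'EOF'
# constructed sample of /etc/sysctl.d/99-hardening.conf
net.ipv4.ip_forward = 0
kernel.randomize_va_space = 2
kernel.exec-shield = 1
kernel.kptr_restrict = 2
net.ipv4.ip_local_port_range = 32768 60999
EOF
}

make_fake_proc_sys() {
    mkdir -p "$1/net/ipv4" "$1/kernel"
    printf '1\n'            > "$1/net/ipv4/ip_forward"          # drift: still forwarding
    printf '32768\t60999\n' > "$1/net/ipv4/ip_local_port_range" # tab-separated like the kernel
    printf '2\n'            > "$1/kernel/randomize_va_space"
    printf '2\n'            > "$1/kernel/kptr_restrict"
    # no kernel/exec-shield file: the key does not exist on this kernel
}

# On a real host:  sysctl_drift /etc/sysctl.d/99-hardening.conf
demo_root=$(mktemp -d); demo_conf=$(mktemp)
make_fake_proc_sys "$demo_root"; write_sample_conf "$demo_conf"
sysctl_drift "$demo_conf" "$demo_root" || echo "problems found: $?"
rm -rf "$demo_root" "$demo_conf"
```

Against the constructed tree the script reports two problems, the unknown `kernel.exec-shield` and the `ip_forward` drift, while the tab-separated port range compares equal because both sides are whitespace-normalised. Scheduling it from cron or a timer turns the one-off `sysctl --system` into a standing check.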

User and Authentication Security

26-35. User Management Hardening

# Set password policy (Debian/Ubuntu add pam_pwquality to
# /etc/pam.d/common-password automatically when the package is installed)
sudo apt install libpam-pwquality

# /etc/security/pwquality.conf
minlen = 14
dcredit = -1
ucredit = -1
ocredit = -1
lcredit = -1
difok = 4
maxrepeat = 3
gecoscheck = 1
# without this, root is only warned about a weak password, not stopped
enforce_for_root

# Set password aging
# /etc/login.defs - applies only to accounts created from now on
PASS_MAX_DAYS 90
PASS_MIN_DAYS 7
PASS_WARN_AGE 14
# existing accounts keep their old values; set them explicitly per user
sudo chage --maxdays 90 --mindays 7 --warndays 14 deploy

# Lock inactive accounts: the default for new users, then existing ones
sudo useradd -D -f 30
sudo chage --inactive 30 deploy

# Find accounts with no password (/etc/shadow is readable by root only)
sudo awk -F: '($2 == "") { print $1 }' /etc/shadow

# Find accounts with UID 0 (besides root)
awk -F: '($3 == 0 && $1 != "root") { print $1 }' /etc/passwd

# Secure home directories (newer Ubuntu releases default to 750; 700 is stricter)
sudo chmod 700 /home/*

# Set the default umask: login.defs is what login(1) and sshd apply, /etc/profile
# covers interactive login shells that re-set it
sudo sed -i 's/^UMASK.*/UMASK 027/' /etc/login.defs
echo "umask 027" | sudo tee -a /etc/profile

Filesystem Security

36-42. Filesystem Hardening

# Secure mount options in /etc/fstab
# /tmp - noexec,nosuid,nodev (some package postinst scripts and installers
# execute out of /tmp; if apt breaks, remount exec around dpkg runs with an
# apt.conf.d DPkg::Pre-Invoke / DPkg::Post-Invoke hook rather than dropping noexec)
tmpfs /tmp tmpfs defaults,noexec,nosuid,nodev,size=2G 0 0

# /var/tmp - the bind mount inherits /tmp's restrictions, but /var/tmp is
# expected to survive reboots and a tmpfs-backed bind does not; if anything
# relies on that, give /var/tmp its own filesystem with the same three options
/tmp /var/tmp none bind 0 0

# /dev/shm - noexec,nosuid,nodev (test applications that map executable
# shared memory before rolling this out fleet-wide)
tmpfs /dev/shm tmpfs defaults,noexec,nosuid,nodev 0 0

# Apply and verify the effective options
sudo mount -o remount /tmp && sudo mount -o remount /dev/shm
findmnt -o TARGET,FSTYPE,OPTIONS /tmp /var/tmp /dev/shm

# Find world-writable files (run as root so no directory is skipped)
sudo find / -xdev -type f -perm -0002 -ls 2>/dev/null

# Find SUID/SGID files (compare against a stored baseline rather than eyeballing)
sudo find / -xdev -type f \( -perm -4000 -o -perm -2000 \) -ls 2>/dev/null

# Find files with no owner or no group (parentheses make the -o grouping explicit)
sudo find / -xdev \( -nouser -o -nogroup \) -ls 2>/dev/null
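
A one-off `find` tells you which files are set-id today; what you actually want to know is which ones were not set-id last week. The script below is an added example for this checklist, not code from the original article: it snapshots the SUID/SGID inventory in a comparable form and diffs two snapshots, which is how a dropped set-id shell or a re-permissioned system binary becomes a detection rather than a line lost in a long listing. It relies on GNU `find -printf`, and the "root filesystem" it scans here is a constructed temporary tree.

```sh
#!/bin/sh
# Baseline the set-id (SUID/SGID) binaries and report what appeared, vanished
# or changed since the baseline. Added example for this checklist, not code
# from the original article; uses GNU find -printf and comm(1).
set -u

# snapshot_setid DIR > FILE
#   One "path mode owner group" line per SUID/SGID regular file under DIR,
#   in C-locale sort order so two snapshots can be compared with comm(1).
snapshot_setid() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) \
         -printf '%p %m %u %g\n' 2>/dev/null | LC_ALL=C sort
}

# diff_setid BASELINE CURRENT
#   Prints ADDED / REMOVED lines (a mode or owner change shows as one of each
#   for the same path); returns the number of differing entries.
diff_setid() {
    local base=$1 cur=$2 added removed n
    added=$(LC_ALL=C comm -13 "$base" "$cur")      # only in CURRENT
    removed=$(LC_ALL=C comm -23 "$base" "$cur")    # only in BASELINE
    [ -n "$added" ]   && printf '%s\n' "$added"   | sed 's/^/ADDED    /'
    [ -n "$removed" ] && printf '%s\n' "$removed" | sed 's/^/REMOVED  /'
    n=$(( $(printf '%s\n' "$added" | grep -c .) + $(printf '%s\n' "$removed" | grep -c .) ))
    return "$n"
}

# make_sample_tree DIR
#   Constructed stand-in for a root filesystem (not a real one): three set-id
#   files and one ordinary binary.
make_sample_tree() {
    mkdir -p "$1/bin"
    : > "$1/bin/sudo";   chmod 4755 "$1/bin/sudo"
    : > "$1/bin/passwd"; chmod 4755 "$1/bin/passwd"
    : > "$1/bin/wall";   chmod 2755 "$1/bin/wall"
    : > "$1/bin/cat";    chmod 0755 "$1/bin/cat"
}

# On a real host, as root:
#   snapshot_setid / > /var/lib/hardening/setid.baseline   # once, on a known-good build
#   snapshot_setid / > /tmp/setid.now
#   diff_setid /var/lib/hardening/setid.baseline /tmp/setid.now
demo=$(mktemp -d)
make_sample_tree "$demo"
snapshot_setid "$demo" > "$demo/baseline.txt"
chmod u+s "$demo/bin/cat"      # persistence trick: a set-id copy of an ordinary tool
chmod g-s "$demo/bin/wall"     # a legitimate hardening change shows up too
snapshot_setid "$demo" > "$demo/current.txt"
diff_setid "$demo/baseline.txt" "$demo/current.txt" || echo "differences: $?"
rm -rf "$demo"
```

Keep the baseline somewhere an attacker with a foothold cannot quietly rewrite (a read-only location, or off-host with the logs), and regenerate it deliberately after package upgrades, which legitimately add and remove set-id binaries.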

Network Security

43-48. Network Hardening

# Install and configure UFW
sudo apt install ufw
sudo ufw default deny incoming
sudo ufw default allow outgoing
# "limit" allows the port but rate-limits new connections (6 per 30 s per source)
sudo ufw limit 2222/tcp comment "SSH"
sudo ufw allow 80/tcp comment "HTTP"
sudo ufw allow 443/tcp comment "HTTPS"
sudo ufw logging on
sudo ufw enable
sudo ufw status verbose

# Install Fail2ban
sudo apt install fail2ban
sudo tee /etc/fail2ban/jail.local > /dev/null << 'EOF'
[DEFAULT]
# never ban loopback or your management network (192.0.2.0/24 is a placeholder)
ignoreip = 127.0.0.1/8 ::1 192.0.2.0/24
bantime = 3600
findtime = 600
maxretry = 3
# read sshd messages from the journal; minimal Debian 12 installs have no
# rsyslog and therefore no /var/log/auth.log for the default backend to tail
backend = systemd
# action_mwl mails a whois report plus log lines for every ban and needs a
# working MTA; %(action_)s (ban only) is the safe default otherwise
action = %(action_)s

[sshd]
enabled = true
port = 2222
maxretry = 3
bantime = 86400
EOF
sudo systemctl enable --now fail2ban
sudo fail2ban-client status sshd
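
Before trusting a jail, it helps to see what it would have banned. The script below is an added example for this checklist, not code from the original article or from Fail2ban: it does the core of what the sshd jail does in plain awk, counting failed authentications per source address from sshd's syslog lines, honouring an ignore list like `ignoreip` (exact addresses only, no CIDR), and reporting sources at or above `maxretry`. It also counts accepted logins per source, because a source that failed repeatedly and then succeeded is the line worth reading first. The log lines are constructed, not captured from a real host.

```sh
#!/bin/sh
# Per-source failed-login report from sshd log lines, mirroring the sshd
# jail's maxretry / ignoreip logic. Added example for this checklist, not
# code from the original article or from Fail2ban.
set -u

# ssh_bruteforce_report LOG [MAXRETRY] [IGNOREIP ...]
#   LOG holds syslog-style sshd output (/var/log/auth.log, or
#   `journalctl -u ssh -o short` on journal-only hosts).
#   Prints one line per offending source; returns the number of offenders.
#   Unlike Fail2ban it applies no findtime window, so narrow the input
#   (journalctl --since, or a date filter) before running it on a long log.
ssh_bruteforce_report() {
    local log=$1 maxretry=${2:-3} ignore
    shift
    if [ $# -gt 0 ]; then shift; fi
    ignore="$*"
    awk -v t="$maxretry" -v ign="$ignore" '
        BEGIN { n = split(ign, a, " "); for (i = 1; i <= n; i++) if (a[i] != "") skip[a[i]] = 1 }
        # the source address is the token after "from" in every sshd auth message
        function src(   i) { for (i = 1; i <= NF; i++) if ($i == "from") return $(i + 1); return "" }
        / sshd\[[0-9]+\]: Failed (password|publickey) for / { ip = src(); if (ip != "" && !(ip in skip)) fails[ip]++ }
        / sshd\[[0-9]+\]: Invalid user /                      { ip = src(); if (ip != "" && !(ip in skip)) invalid[ip]++ }
        / sshd\[[0-9]+\]: Accepted /                          { ip = src(); if (ip != "") accepted[ip]++ }
        END {
            offenders = 0
            for (ip in fails) {
                if (fails[ip] < t) continue
                printf "%-16s failed=%d invalid_user=%d accepted=%d\n", ip, fails[ip], invalid[ip] + 0, accepted[ip] + 0
                offenders++
            }
            exit offenders
        }' "$log"
}

# write_sample_auth_log FILE
#   Constructed auth.log excerpt (documentation address ranges, not real hosts):
#   a password sprayer, a legitimate key login that first offered the wrong key,
#   a management host tripping the threshold, and a root brute force that
#   eventually succeeded on a host where PermitRootLogin was still yes.
write_sample_auth_log() {
    cat > "$1" <<'EOF'
Mar  3 10:15:01 web1 sshd[4101]: Invalid user admin from 203.0.113.45 port 51234
Mar  3 10:15:01 web1 sshd[4101]: Failed password for invalid user admin from 203.0.113.45 port 51234 ssh2
Mar  3 10:15:04 web1 sshd[4103]: Failed password for root from 203.0.113.45 port 51236 ssh2
Mar  3 10:15:06 web1 sshd[4105]: Invalid user oracle from 203.0.113.45 port 51240
Mar  3 10:15:06 web1 sshd[4105]: Failed password for invalid user oracle from 203.0.113.45 port 51240 ssh2
Mar  3 10:15:09 web1 sshd[4107]: Failed password for deploy from 203.0.113.45 port 51244 ssh2
Mar  3 10:16:00 web1 sshd[4110]: Failed publickey for deploy from 198.51.100.7 port 40000 ssh2: ED25519 SHA256:AAAAAAAA
Mar  3 10:16:01 web1 sshd[4110]: Accepted publickey for deploy from 198.51.100.7 port 40000 ssh2: ED25519 SHA256:BBBBBBBB
Mar  3 10:20:11 web1 sshd[4120]: Failed password for admin from 192.0.2.10 port 39001 ssh2
Mar  3 10:20:14 web1 sshd[4120]: Failed password for admin from 192.0.2.10 port 39001 ssh2
Mar  3 10:20:17 web1 sshd[4120]: Failed password for admin from 192.0.2.10 port 39001 ssh2
Mar  3 10:25:00 web1 sshd[4130]: Failed password for root from 203.0.113.99 port 50000 ssh2
Mar  3 10:25:02 web1 sshd[4130]: Failed password for root from 203.0.113.99 port 50002 ssh2
Mar  3 10:25:04 web1 sshd[4130]: Failed password for root from 203.0.113.99 port 50004 ssh2
Mar  3 10:25:09 web1 sshd[4131]: Accepted password for root from 203.0.113.99 port 50006 ssh2
EOF
}

# On a real host:  ssh_bruteforce_report /var/log/auth.log 3 127.0.0.1
sample=$(mktemp)
write_sample_auth_log "$sample"
ssh_bruteforce_report "$sample" 3 192.0.2.10 || echo "offenders: $?"
rm -f "$sample"
```

With `maxretry` 3 and the management host ignored, the sample yields two offenders: 203.0.113.45 with four failures and two non-existent usernames, and 203.0.113.99 with three failures followed by an accepted root password, which is the one that warrants an incident rather than a ban.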

Logging and Auditing

49-55. Audit Configuration

# Install auditd
sudo apt install auditd audispd-plugins

# Key audit rules. Rules passed to auditctl on the command line are lost at
# reboot; keep them in a file under /etc/audit/rules.d/ and load with augenrules.
# /etc/audit/rules.d/50-hardening.rules
-w /etc/passwd -p wa -k identity
-w /etc/shadow -p wa -k identity
-w /etc/group -p wa -k identity
-w /etc/sudoers -p wa -k actions
-w /etc/ssh/sshd_config -p wa -k sshd
# watch the login records rather than all of /var/log: a watch on the whole
# directory is extremely noisy and includes auditd's own writes to audit.log
-w /var/log/lastlog -p wa -k logins
-w /var/log/wtmp -p wa -k session
-w /var/log/btmp -p wa -k session
# every program execution, for both ABIs; high volume, so size the log rotation
-a always,exit -F arch=b64 -S execve -k command_execution
-a always,exit -F arch=b32 -S execve -k command_execution
-e 2   # lock the ruleset until reboot; must be the last line

sudo augenrules --load
sudo auditctl -l

# Forward logs to a remote collector (@@ is TCP, but plain TCP is neither
# encrypted nor authenticated; off-host, use rsyslog's TLS transport from the
# rsyslog-gnutls package, or ship the audit trail with audisp-remote)
echo "*.* @@logserver.internal:514" | sudo tee /etc/rsyslog.d/50-remote.conf
sudo systemctl restart rsyslog

Conclusion

Server hardening is not a one-time task — it requires continuous monitoring, regular auditing, and keeping up with new threats. Use this checklist as your baseline, run through it for every new server deployment, and schedule quarterly reviews of your security posture.

Download our Linux Server Hardening Cheat Sheet for a printable version of this checklist.

About the Author

Dorian Thorne

Cloud Infrastructure, Cloud Architecture, Infrastructure Automation, Technical Documentation

Dorian Thorne is a cloud infrastructure specialist and technical author focused on the design, deployment, and operation of scalable cloud-based systems.

He has extensive experience working with cloud platforms and modern infrastructure practices, including virtualized environments, cloud networking, identity and acces...

Cloud Computing Cloud Networking Identity and Access Management Infrastructure as Code System Reliability
