Why Server Hardening Matters
Every Linux server connected to the internet faces constant attacks. Automated bots scan for vulnerabilities 24/7, looking for weak passwords, unpatched software, and misconfigured services. Without proper hardening, the question is not whether your server will be compromised, but when.
This guide provides a comprehensive security checklist to transform a default Linux installation into a hardened, production-ready system.
SSH Security
SSH is the primary access point for most servers—and the first target for attackers.
Key-Based Authentication
Disable password authentication entirely:
# /etc/ssh/sshd_config
PasswordAuthentication no
PubkeyAuthentication yes
PermitRootLogin prohibit-password
# Or even better:
PermitRootLogin no
Change Default Port
# Use a non-standard port (sshd_config does not accept a trailing comment on a directive line)
Port 2222
Limit User Access
# If both directives are set, a login must satisfy both
AllowUsers admin deployer
AllowGroups sshusers
Additional SSH Hardening
MaxAuthTries 3
LoginGraceTime 30
ClientAliveInterval 300
ClientAliveCountMax 2
X11Forwarding no
PermitEmptyPasswords no
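A drift check for the SSH settings above, added here as an example and not part of the original guide. It assumes the usual "Keyword value" syntax and audits only the global section (it stops at the first Match block); the sample config it reads is constructed.

```shell
#!/usr/bin/env bash
# Audit an sshd_config against the settings listed above. sshd applies the
# FIRST value it reads for a keyword, so a hardened line appended below an
# earlier permissive one is silently ignored; this check reports the first
# occurrence. Assumes "Keyword value" syntax and stops at any "Match" block.
# Checklist values from the sections above, as keyword=value pairs.
EXPECTED='PasswordAuthentication=no
PubkeyAuthentication=yes
PermitRootLogin=no
MaxAuthTries=3
X11Forwarding=no'
# first_value FILE KEYWORD: print the effective (first) value, or nothing.
first_value() {
    awk -v key="$2" '
        tolower($1) == "match"      { exit }           # global section only
        /^[[:space:]]*#/ || NF < 2  { next }           # comments and blanks
        tolower($1) == tolower(key) { print $2; exit }
    ' "$1"
}
# audit_sshd_config FILE: print one line per finding; return the finding count.
audit_sshd_config() {
    findings=0
    while IFS='=' read -r key want; do
        got=$(first_value "$1" "$key")
        if [ -z "$got" ]; then
            echo "MISSING  $key (sshd default applies; expected $want)"
            findings=$((findings + 1))
        elif [ "$got" != "$want" ]; then
            echo "MISMATCH $key is '$got', expected '$want'"
            findings=$((findings + 1))
        fi
    done <<EOF
$EXPECTED
EOF
    return "$findings"
}
# Constructed sample config: hardened lines were appended after a permissive one.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
PasswordAuthentication yes
PasswordAuthentication no
PubkeyAuthentication yes
PermitRootLogin prohibit-password
X11Forwarding no
EOF
audit_sshd_config "$SAMPLE" || echo "$? finding(s) in $SAMPLE"
```

Run it against the live file with `audit_sshd_config /etc/ssh/sshd_config`; a non-zero exit status means at least one setting drifted from the checklist.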
Firewall Configuration
Block all unnecessary incoming traffic:
UFW (Ubuntu/Debian)
# Set default policies
ufw default deny incoming
ufw default allow outgoing
# Allow essential services
ufw allow 2222/tcp # SSH on custom port
ufw allow 80/tcp # HTTP
ufw allow 443/tcp # HTTPS
# Enable firewall
ufw enable
Rate Limiting
# Limit SSH connection attempts (ufw denies a source that opens more than 6 connections in 30 seconds)
ufw limit 2222/tcp
Fail2Ban Installation
Automatically ban IPs that show malicious behavior:
apt install fail2ban
# Create local config
cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
Edit /etc/fail2ban/jail.local:
[sshd]
enabled = true
port = 2222
filter = sshd
logpath = /var/log/auth.log
maxretry = 3
bantime = 3600
findtime = 600
Keep Systems Updated
Unpatched software is a major vulnerability:
# Enable automatic security updates (Ubuntu)
apt install unattended-upgrades
dpkg-reconfigure unattended-upgrades
# Or create a cron job in root's crontab; apt-get is the script-safe interface and
# DEBIAN_FRONTEND=noninteractive keeps upgrade prompts from hanging the job
0 4 * * * apt-get update -q && DEBIAN_FRONTEND=noninteractive apt-get upgrade -y -q
User Account Security
Enforce Strong Passwords
# Install password quality checker
apt install libpam-pwquality
# Configure in /etc/security/pwquality.conf
# dcredit/ucredit/lcredit/ocredit cover digits, uppercase, lowercase and other
# characters; a negative value is the minimum number of that class required
minlen = 12
dcredit = -1
ucredit = -1
lcredit = -1
ocredit = -1
Set Password Expiration
# /etc/login.defs (applies to accounts created after the change; for existing
# accounts use chage -M 90 -m 7 -W 14 <user>)
PASS_MAX_DAYS 90
PASS_MIN_DAYS 7
PASS_WARN_AGE 14
Audit User Accounts
# Find users with empty passwords
awk -F: '($2 == "") {print}' /etc/shadow
# Find users with UID 0 (root privileges)
awk -F: '($3 == "0") {print}' /etc/passwd
File System Security
Set Proper Permissions
# Restrict sensitive files
# Debian/Ubuntu ship /etc/shadow as 640 root:shadow so setgid-shadow helpers such as
# unix_chkpwd can read it; 600 is stricter but can break those helpers
chmod 600 /etc/shadow
chmod 644 /etc/passwd
chmod 700 /root
Find World-Writable Files
find / -type f -perm -o+w 2>/dev/null
Find SUID/SGID Binaries
find / -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null
Disable Unnecessary Services
# List running services
systemctl list-units --type=service --state=running
# Disable unused services (--now also stops the running instance)
systemctl disable --now bluetooth
systemctl disable --now cups
systemctl disable --now avahi-daemon
Implement Logging and Monitoring
Configure Centralized Logging
# Install and configure rsyslog or journald
# Forward logs to a central server
Enable Audit Logging
apt install auditd
# Add rules for sensitive file access (auditctl rules are runtime only; put the same
# rules, without the auditctl prefix, in /etc/audit/rules.d/*.rules to survive a
# reboot, and query matches with ausearch -k <key>)
auditctl -w /etc/passwd -p wa -k passwd_changes
auditctl -w /etc/shadow -p wa -k shadow_changes
Network Security
Disable IPv6 if Not Needed
# /etc/sysctl.conf (apply without a reboot: sysctl -p)
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
Enable SYN Flood Protection
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_max_syn_backlog = 2048
net.ipv4.tcp_synack_retries = 2
Regular Security Audits
Use tools like:
- Lynis - Security auditing tool
- CIS Benchmarks - Industry-standard hardening guides
- OpenVAS - Vulnerability scanner
Conclusion
Server hardening is not a one-time task—it's an ongoing process. Regularly audit your systems, stay informed about new vulnerabilities, and continuously improve your security posture.
Our security eBooks provide in-depth coverage of each topic with hands-on labs to practice these techniques safely.