Server Hardening Checklist for Linux

Harden Linux servers against common attack vectors. Cover SSH security, firewall rules, automatic updates, user management, and audit logging.

Why Server Hardening Matters

A newly provisioned Linux server is not secure by default. It has open ports, default configurations, and no intrusion detection. Every internet-facing server is continuously scanned by automated bots looking for weak SSH passwords, open databases, and unpatched vulnerabilities.

Hardening reduces the attack surface to the minimum required for the server's purpose.

SSH Security

SSH is the primary management interface and the most targeted service:

# /etc/ssh/sshd_config

# Disable password authentication (use keys only)
PasswordAuthentication no
PubkeyAuthentication yes

# Disable root login
PermitRootLogin no

# Limit to specific users
AllowUsers deploy admin

# Change default port (security through obscurity, but reduces noise)
Port 2222

# Limit authentication attempts
MaxAuthTries 3
LoginGraceTime 30

# Disable unused features
X11Forwarding no
AllowTcpForwarding no
AllowAgentForwarding no

After editing, validate the file with sudo sshd -t (a syntax error would otherwise leave sshd unable to restart), then restart SSH: sudo systemctl restart sshd. Keep your existing session open until you have confirmed that a fresh connection succeeds with the new configuration.
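As an added check, not part of the original checklist, the script below audits an existing sshd_config against the directives listed above. It follows two sshd parsing rules that commonly hide misconfigurations: the first uncommented value of a keyword wins, and anything after a Match line is conditional rather than global. The sample config it parses is constructed for the demonstration.

```bash
# Added example: audit an sshd_config against the checklist's directives.
# sshd applies the FIRST uncommented value of a keyword (later lines are ignored),
# and lines after a "Match" block are conditional, not global; both rules are honoured.
set -u
# Directive=expected-value pairs from the checklist's sshd_config.
EXPECTED='PasswordAuthentication=no
PermitRootLogin=no
MaxAuthTries=3
X11Forwarding=no
AllowAgentForwarding=no'

# sshd_value FILE DIRECTIVE: print the effective global value, or nothing if unset.
sshd_value() {
  awk -v key="$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')" '
    /^[ \t]*(#|$)/         { next }            # comments and blank lines
    tolower($1) == "match" { exit }            # everything below is conditional
    tolower($1) == key     { print $2; exit }  # first occurrence wins
  ' "$1"
}

# check_sshd_config FILE: print one line per deviation; return the deviation count.
check_sshd_config() {
  local file="$1" count=0 pair directive want got
  while IFS= read -r pair; do
    directive="${pair%%=*}"; want="${pair#*=}"
    got="$(sshd_value "$file" "$directive")"
    if [ -z "$got" ]; then
      echo "MISSING  $directive not set globally, daemon default applies (want $want)"; count=$((count + 1))
    elif [ "$got" != "$want" ]; then
      echo "MISMATCH $directive is '$got', want '$want'"; count=$((count + 1))
    fi
  done <<EOF
$EXPECTED
EOF
  return "$count"
}

# Constructed sample (not a real server's config) exercising each failure mode.
SAMPLE_CONFIG='#PasswordAuthentication no
PasswordAuthentication yes
PermitRootLogin prohibit-password
PermitRootLogin no
MaxAuthTries 3
X11Forwarding no
Match User deploy
    AllowAgentForwarding no'

tmp="$(mktemp)"; printf '%s\n' "$SAMPLE_CONFIG" > "$tmp"
check_sshd_config "$tmp" || echo "$? deviation(s) found"   # prints 3
rm -f "$tmp"
```

Run it against /etc/ssh/sshd_config on a real host; an exit status of 0 means every listed directive is set globally to the checklist value.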

Firewall (UFW / nftables)

Only allow the ports your services need:

# UFW (Uncomplicated Firewall)
sudo ufw default deny incoming
sudo ufw default allow outgoing

# Allow SSH (use your custom port if changed)
sudo ufw allow 2222/tcp

# Allow web traffic
sudo ufw allow 80/tcp
sudo ufw allow 443/tcp

# Enable
sudo ufw enable
sudo ufw status verbose

Automatic Security Updates

Configure unattended upgrades for security patches:

sudo apt install unattended-upgrades
sudo dpkg-reconfigure -plow unattended-upgrades

# /etc/apt/apt.conf.d/50unattended-upgrades
Unattended-Upgrade::Allowed-Origins {
    "${distro_id}:${distro_codename}-security";
};
Unattended-Upgrade::Automatic-Reboot "false";
Unattended-Upgrade::Mail "admin@example.com";  # placeholder: set your own alert address

Automatic security updates patch known vulnerabilities without manual intervention. Reboot manually after kernel updates during a maintenance window.

User Management

# Create a deploy user with sudo access
sudo adduser deploy
sudo usermod -aG sudo deploy

# Disable unused accounts
sudo usermod -L olduser
sudo userdel -r tempuser

# Set password policy
sudo apt install libpam-pwquality
# /etc/security/pwquality.conf
minlen = 12
dcredit = -1
ucredit = -1

Use sudo for all privileged operations. Never run services as root. Each application should run under its own dedicated user with minimal permissions.

File System Security

# Set correct permissions on sensitive files
chmod 600 /etc/ssh/sshd_config
chmod 700 ~/.ssh
chmod 600 ~/.ssh/authorized_keys

# Find world-writable files (potential vulnerability)
find / -xdev -type f -perm -0002 -ls

# Find SUID/SGID binaries (privilege escalation risk)
find / -xdev -type f \( -perm -4000 -o -perm -2000 \) -ls

# Disable unnecessary SUID bits
chmod u-s /usr/bin/unnecessary-binary

Audit Logging

# Install auditd
sudo apt install auditd

# Key audit rules (/etc/audit/rules.d/audit.rules)
-w /etc/passwd -p wa -k identity
-w /etc/shadow -p wa -k identity
-w /etc/ssh/sshd_config -p wa -k sshd_config
-w /var/log/ -p wa -k log_tampering

# Monitor sudo usage
-w /var/log/auth.log -p wa -k auth_log

# Search audit logs
ausearch -k identity --start today
aureport --summary

Quick Hardening Summary

Priority   Action                                   Impact
--------   --------------------------------------   -----------------------------
Critical   SSH key-only auth, disable root login    Prevents brute force
Critical   Firewall — deny all, allow specific      Reduces attack surface
High       Automatic security updates               Patches known vulnerabilities
High       fail2ban for SSH                         Blocks repeated failures
Medium     Audit logging                            Detects intrusions
Medium     Disable unused services                  Fewer entry points
