Linux Server Hardening Guide
Server hardening is the process of securing a Linux system by reducing vulnerabilities and strengthening configurations. Below is a step-by-step guide to hardening a Linux server.
1️⃣ Keep the System Updated
Always keep your system and installed packages up to date.
sudo apt update && sudo apt upgrade -y # Debian/Ubuntu
sudo yum update -y # RHEL/CentOS
sudo dnf update -y # Fedora
Enable automatic security updates:
sudo apt install unattended-upgrades -y # Debian/Ubuntu
sudo yum install dnf-automatic -y # RHEL/CentOS 8+
sudo systemctl enable dnf-automatic.timer --now # RHEL/CentOS 8+: installing the package alone does nothing until the timer is enabled
2️⃣ Secure SSH Access
Disable Root Login
Edit /etc/ssh/sshd_config and set:
PermitRootLogin no
PasswordAuthentication no
AllowUsers youruser
Restart SSH service:
sudo systemctl restart sshd
Change the SSH Port
(Avoid the default port 22.) In the same /etc/ssh/sshd_config, set:
Port 2222
Open the new port in the firewall before restarting (see step 4), or the restart will lock you out of a remote server.
Restart SSH:
sudo systemctl restart sshd
Use Key-Based Authentication Instead of Passwords
Run these on your workstation, not on the server, and confirm that a key-based login works before setting PasswordAuthentication no above:
ssh-keygen -t rsa -b 4096
ssh-copy-id user@server-ip
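To confirm that the three sshd_config settings from this section actually took effect, here is an added audit script (not part of the original guide; the function names sshd_effective, audit_sshd and write_samples are made up for it). It matters because sshd honours the first occurrence of a keyword, so a stray earlier PasswordAuthentication yes silently wins over the one you added, and directives inside a Match block only apply conditionally; the script parses the file the same way and reports any setting that is not what this guide requires.

```sh
# Report the effective value of an sshd_config keyword in FILE.
# sshd applies the FIRST occurrence of a keyword, so a later duplicate does
# not override an earlier one. Directives after the first "Match" block are
# conditional, so parsing stops there. Accepts "Key value" and "Key=value".
sshd_effective() {                      # $1 = keyword, $2 = config file
    awk -v key="$(printf '%s' "$1" | tr 'A-Z' 'a-z')" '
        /^[ \t]*#/ || NF == 0 { next }  # skip comments and blank lines
        {
            line = $0; sub(/^[ \t]+/, "", line)
            split(line, f, /[ \t]*=[ \t]*|[ \t]+/)
            k = tolower(f[1])
            if (k == "match") exit      # conditional block: stop here
            if (k == key) { print f[2]; exit }
        }' "$2"
}
# Audit the three settings this guide sets. Prints one line per finding and
# returns the number of failures, so an exit status of 0 means compliant.
audit_sshd() {                          # $1 = config file
    fails=0
    for pair in PermitRootLogin:no PasswordAuthentication:no; do
        key=${pair%%:*}; want=${pair##*:}
        got=$(sshd_effective "$key" "$1" | tr 'A-Z' 'a-z')
        if [ "$got" != "$want" ]; then
            echo "FAIL $key: effective '${got:-<default>}', expected '$want'"
            fails=$((fails + 1))
        fi
    done
    if [ -z "$(sshd_effective AllowUsers "$1")" ]; then
        echo "FAIL AllowUsers: not set, every account with a key may log in"
        fails=$((fails + 1))
    fi
    return "$fails"
}
# Constructed sample configs (not taken from a real host) to exercise the audit.
write_samples() {                       # $1 = directory
    printf '%s\n' '# hardened as in this guide' 'Port 2222' \
        'PermitRootLogin no' 'PasswordAuthentication no' \
        'AllowUsers youruser' > "$1/hardened.conf"
    printf '%s\n' 'PasswordAuthentication yes' \
        'PasswordAuthentication no' 'Match User youruser' \
        '    PermitRootLogin no' > "$1/default.conf"
}
dir=$(mktemp -d)
write_samples "$dir"
audit_sshd "$dir/hardened.conf" && echo "hardened.conf: compliant"
audit_sshd "$dir/default.conf" || echo "default.conf: $? finding(s)"
rm -rf "$dir"
```

On a live host, run `audit_sshd /etc/ssh/sshd_config` and also compare with `sudo sshd -T`, which prints the effective configuration including any drop-in files under /etc/ssh/sshd_config.d that this parser does not follow.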
3️⃣ Disable Unused Services & Ports
List Running Services
sudo systemctl list-units --type=service
Disable Unnecessary Services
sudo systemctl disable service-name --now
Check Open Ports
sudo netstat -tulpn | grep LISTEN # legacy net-tools; may not be installed
sudo ss -tulnp # modern equivalent, shows the owning process for each listening socket
Close Unused Ports Using Firewall
sudo ufw deny 23 # Deny Telnet
sudo ufw deny 21 # Deny FTP
4️⃣ Enable Firewall (UFW/Iptables)
UFW (for Ubuntu/Debian)
sudo ufw allow 2222/tcp # Allow SSH on new port
sudo ufw allow 80/tcp # Allow HTTP
sudo ufw allow 443/tcp # Allow HTTPS
sudo ufw enable
Firewalld (for RHEL/CentOS)
sudo firewall-cmd --permanent --add-service=http
sudo firewall-cmd --permanent --add-service=https
sudo firewall-cmd --reload
5️⃣ Enable Fail2Ban (Prevent Brute Force Attacks)
Install Fail2Ban
sudo apt install fail2ban -y # Debian/Ubuntu
sudo yum install fail2ban -y # RHEL/CentOS
Enable & Start Fail2Ban
sudo systemctl enable fail2ban --now
Check If It's Working
sudo fail2ban-client status sshd
6️⃣ Configure Secure File Permissions
Find and Fix World-Writable Files
sudo find / -xdev -type f -perm -0002 -exec ls -l {} \; # lists them; review each one, then chmod o-w the files that should not be world-writable
Remove Unused Users & Groups
sudo userdel testuser
sudo groupdel testgroup
Restrict Root-Owned Files
sudo chown root:root /etc/shadow /etc/passwd /etc/gshadow /etc/group
sudo chmod 600 /etc/shadow
sudo chmod 644 /etc/passwd
Check your distribution's defaults first: on Debian/Ubuntu, /etc/shadow and /etc/gshadow ship as root:shadow with mode 0640 because helper programs in the shadow group read them, so do not tighten these below what the distribution expects.
7️⃣ Enable Logging & Monitoring
Enable Audit Logs
sudo apt install auditd -y # Debian/Ubuntu
sudo yum install audit -y # RHEL/CentOS
sudo systemctl enable auditd --now
View Audit Logs
sudo ausearch -m avc # SELinux denials recorded by auditd
sudo journalctl -xe # recent system journal entries with explanations
Monitor Login Attempts
sudo last -a
sudo cat /var/log/auth.log # Debian/Ubuntu
sudo cat /var/log/secure # RHEL/CentOS
8️⃣ Secure Kernel & System Hardening
Disable ICMP (Ping) Requests
echo "net.ipv4.icmp_echo_ignore_all = 1" | sudo tee -a /etc/sysctl.conf
sudo sysctl -p
Prevent IP Spoofing
echo "nospoof on" | sudo tee -a /etc/host.conf
Disable USB Storage (if not needed)
echo "blacklist usb-storage" | sudo tee -a /etc/modprobe.d/blacklist.conf
sudo modprobe -r usb-storage
9️⃣ Enable SELinux or AppArmor
Check SELinux Status
sestatus
Enable SELinux
sudo setenforce 1 # takes effect immediately but not across reboots; set SELINUX=enforcing in /etc/selinux/config to make it persistent
Enable AppArmor (Ubuntu)
sudo aa-enforce /etc/apparmor.d/*
🔟 Automate Security Updates & Backups
Enable Automatic Updates
sudo apt install unattended-upgrades -y
sudo dpkg-reconfigure unattended-upgrades
Set Up Regular Backups (Using rsync)
sudo rsync -avz /etc /backup/ # root is needed to read files such as /etc/shadow