Best Practices for Hardening a Linux Server

When it comes to server security, prevention is always better than cure. Whether you’re hosting a personal blog, a client website, or a critical business application, protecting your Linux server from unauthorized access and potential exploits is essential. Hardening your server is the process of reducing its attack surface to minimize vulnerabilities — and it’s a must for any responsible administrator.

In this blog post, we’ll walk through practical, tested Linux server hardening best practices to help you lock down your environment and stay ahead of cyber threats.

Why Linux Server Security Matters

Linux is widely known for its stability and security, but no system is secure by default. Out-of-the-box Linux configurations often leave ports open, use weak settings, or allow unnecessary services. This can open the door to:

  • Unauthorized access
  • Privilege escalation
  • Data breaches
  • Ransomware or malware infections
  • DDoS attacks

With VicServers, you get secure-by-default hosting infrastructure, but as a server owner or administrator, hardening your Linux system is your responsibility.

1. Keep Your System Updated

Always start with the basics:

sudo apt update && sudo apt upgrade -y  # Ubuntu/Debian
sudo yum update -y                     # CentOS/RHEL

Enable automatic security updates:

sudo apt install unattended-upgrades

🔐 Regular patching prevents known exploits from being used against your server.

2. Disable the Root Login

Root login is a major target for brute-force attacks. Disable it and create a limited user with sudo privileges instead:

sudo adduser yourusername
sudo usermod -aG sudo yourusername

Edit SSH config:

sudo nano /etc/ssh/sshd_config

Find and change:

PermitRootLogin no

Then restart SSH:

sudo systemctl restart ssh   # the service is named sshd on CentOS/RHEL

3. Use SSH Key Authentication

Password authentication is weaker than key-based login. Here’s how to set up SSH keys:

On your local machine:

ssh-keygen -t rsa -b 4096
ssh-copy-id yourusername@yourserver_ip

On the server, disable password logins:

sudo nano /etc/ssh/sshd_config

Find and change:

PasswordAuthentication no

Restart SSH.
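
A check for steps 2 and 3, added here as an example and not part of the original post: sshd keeps the first value it reads for each keyword, so on systems whose sshd_config begins with an Include of /etc/ssh/sshd_config.d/*.conf, an earlier drop-in can silently override the lines you just edited. The function names, the drop-in file name and the sample text are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example (not from the original post). sshd uses the first value it
# reads for each keyword, so an earlier drop-in can override your edit.

# first_value KEYWORD: sshd_config text on stdin, prints the value in effect
# for the global section ("unset" if the keyword never appears before a Match).
first_value() {
    awk -v key="$1" '
        NF == 0 || $1 ~ /^#/    { next }                  # blank line or comment
        tolower($1) == "match"  { exit }                  # global section ends here
        tolower($1) == tolower(key) { print tolower($2); found = 1; exit }
        END { if (!found) print "unset" }
    '
}

# audit_ssh: checks the two settings from steps 2 and 3; returns 1 on any miss.
audit_ssh() {
    local cfg rc=0 want key got
    cfg=$(cat)
    for want in PermitRootLogin=no PasswordAuthentication=no; do
        key=${want%%=*}
        got=$(printf '%s\n' "$cfg" | first_value "$key")
        if [ "$got" = "${want#*=}" ]; then
            echo "ok   $key $got"
        else
            echo "FAIL $key is '$got', expected '${want#*=}'"
            rc=1
        fi
    done
    return "$rc"
}

# Constructed sample: a hypothetical drop-in read first, then the edited main file.
sample_config() {
    cat <<'EOF'
# --- /etc/ssh/sshd_config.d/50-example.conf (hypothetical) ---
PasswordAuthentication yes
# --- /etc/ssh/sshd_config ---
PermitRootLogin no
PasswordAuthentication no
EOF
}

sample_config | audit_ssh || echo "hardening incomplete: fix the earlier entry"
```

On a live server, `sudo sshd -T | audit_ssh` runs the same check against the configuration sshd actually resolved.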

4. Set Up a Firewall (UFW)

The Uncomplicated Firewall (UFW) is easy to use and powerful:

sudo ufw default deny incoming
sudo ufw default allow outgoing
sudo ufw allow OpenSSH
sudo ufw enable

Add more services as needed:

sudo ufw allow http
sudo ufw allow https

✅ Only open ports you absolutely need.

5. Remove Unused Services and Packages

Every installed package is a potential risk. Identify and remove what you don’t use:

sudo netstat -tulpn  # Check listening ports
sudo systemctl list-units --type=service

Remove unnecessary services:

sudo apt purge apache2
sudo apt autoremove

6. Install and Configure Fail2Ban

Fail2Ban helps prevent brute-force attacks by blocking suspicious IPs:

sudo apt install fail2ban

Create a custom jail config:

sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local

Then edit /etc/fail2ban/jail.local and configure:

[sshd]
enabled = true
port = ssh
filter = sshd
logpath = /var/log/auth.log
maxretry = 5

Restart the service:

sudo systemctl restart fail2ban

7. Disable Unused Network Protocols

Turn off IPv6 if you don’t use it:

sudo nano /etc/sysctl.conf

Add:

net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1

Then apply:

sudo sysctl -p

8. Configure AppArmor or SELinux

Both are mandatory access control systems that prevent unauthorized access to files and processes.

  • AppArmor is easier and used in Ubuntu.
  • SELinux is more complex but powerful (used in CentOS/RHEL).

Install AppArmor:

sudo apt install apparmor apparmor-profiles
sudo systemctl enable apparmor

9. Limit User Privileges

Never give full root access unless absolutely necessary. Use sudo and create roles using /etc/sudoers.

sudo visudo

Add rules like:

webadmin ALL=(ALL) /usr/bin/systemctl restart apache2

10. Automate Backups

Security also means recoverability. Automate your backups using:

rsync -av --delete /var/www/ user@backupserver:/backups/site/

Or use VicServers’ off-site backup services for peace of mind.

11. Monitor Logs and Access

Set up logwatch or logrotate to keep an eye on logs:

sudo apt install logwatch
sudo logwatch --detail High --mailto you@example.com --service sshd --range today

Check login attempts:

sudo grep "Failed password" /var/log/auth.log
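
To turn that grep into a per-source summary, the following added example (not part of the original post) counts failed SSH password attempts per IP and lists sources at or above a threshold, defaulting to the maxretry = 5 used in the Fail2Ban jail above. It counts over the whole input rather than a time window, and the function names and log lines are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example (not from the original post): summarise failed SSH password
# attempts per source address from auth.log-style text.

# failed_by_ip [THRESHOLD]: log text on stdin, prints "count ip" for every
# source with at least THRESHOLD failures (default 5), highest count first.
failed_by_ip() {
    awk -v max="${1:-5}" '
        /sshd\[[0-9]+\]: Failed password for / {
            ip = ""
            # "invalid user" shifts the field positions and a username can
            # itself be "from", so take the token after the LAST "from".
            for (i = 1; i < NF; i++) if ($i == "from") ip = $(i + 1)
            if (ip != "") count[ip]++
        }
        END { for (ip in count) if (count[ip] >= max) print count[ip], ip }
    ' | sort -rn
}

# Constructed sample log lines (documentation-range IP addresses).
sample_auth_log() {
    cat <<'EOF'
Jan 10 03:12:01 web1 sshd[2101]: Failed password for root from 203.0.113.7 port 40001 ssh2
Jan 10 03:12:03 web1 sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 40002 ssh2
Jan 10 03:12:05 web1 sshd[2103]: Failed password for invalid user from from 203.0.113.7 port 40003 ssh2
Jan 10 03:12:08 web1 sshd[2103]: Failed password for root from 203.0.113.7 port 40004 ssh2
Jan 10 03:12:11 web1 sshd[2105]: Failed password for invalid user test from 203.0.113.7 port 40005 ssh2
Jan 10 09:30:14 web1 sshd[3310]: Failed password for deploy from 198.51.100.23 port 50001 ssh2
Jan 10 09:30:20 web1 sshd[3310]: Failed password for deploy from 198.51.100.23 port 50002 ssh2
Jan 10 09:30:31 web1 sshd[3312]: Accepted publickey for deploy from 198.51.100.23 port 50003 ssh2
EOF
}

sample_auth_log | failed_by_ip 5
```

On a server, feed it the real log with `sudo cat /var/log/auth.log | failed_by_ip`.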

12. Use Strong Password Policies

Install libpam-pwquality for enforcing password strength:

sudo apt install libpam-pwquality

Edit /etc/pam.d/common-password:

password requisite pam_pwquality.so retry=3 minlen=12 ucredit=-1 lcredit=-1 dcredit=-1

13. Enable Port Knocking (Optional)

This adds an extra layer by hiding the SSH port. It only opens when a specific “knock” sequence is sent.

Install knockd:

sudo apt install knockd

Configure port sequences like:

[options]
    UseSyslog

[openSSH]
    sequence = 7000,8000,9000
    seq_timeout = 15
    command = /sbin/iptables -A INPUT -s %IP% -p tcp --dport 22 -j ACCEPT

14. Use Monitoring Tools

Use htop, top, or glances to monitor server performance.

Install Glances:

sudo apt install glances

Also, tools like Netdata or Zabbix offer web dashboards for proactive monitoring.

✅ Quick Checklist for Hardening a Linux Server

Task | Status
Keep system up to date | ✅
Disable root login | ✅
Set up SSH keys | ✅
Configure UFW firewall | ✅
Remove unused services | ✅
Install Fail2Ban | ✅
Disable IPv6 | ✅
Use AppArmor or SELinux | ✅
Enforce password policies | ✅
Set up backups | ✅
Monitor logs | ✅
Use secure DNS (optional) | ✅

Final Thoughts

Server hardening isn’t a one-time task. It’s an ongoing commitment to security, performance, and reliability. By following these best practices, you significantly reduce your risk exposure and ensure your systems are ready for real-world threats.

At VicServers, we prioritize security at every layer — from hardened infrastructure to 24/7 monitoring and support. Whether you’re managing a VPS, Dedicated Server, or Shared Hosting plan, our platform gives you the tools and guidance to succeed.

Ready to Take Your Hosting Further?

✅ Secure Linux VPS hosting
✅ Automated backups
✅ 24/7 support
✅ DDoS protection and firewalls

👉 Get Started at VicServers

Have questions or need help hardening your server? Reach out to our support team anytime.

Published by VicServers – Empowering Secure Hosting Across Africa
