Best Practices for Hardening a Linux Server

When it comes to server security, prevention is always better than cure. Whether you’re hosting a personal blog, a client website, or a critical business application, protecting your Linux server from unauthorized access and potential exploits is essential. Hardening your server is the process of reducing its attack surface to minimize vulnerabilities, and it’s a must for any responsible administrator.
In this blog post, we’ll walk through practical, tested Linux server hardening best practices to help you lock down your environment and stay ahead of cyber threats.
Why Linux Server Security Matters
Linux is widely known for its stability and security, but no system is secure by default. Out-of-the-box Linux configurations often leave ports open, use weak settings, or allow unnecessary services. This can open the door to:
- Unauthorized access
- Privilege escalation
- Data breaches
- Ransomware or malware infections
- DDoS attacks
With VicServers, you get secure-by-default hosting infrastructure, but as a server owner or administrator, hardening your Linux system is your responsibility.
1. Keep Your System Updated
Always start with the basics:
sudo apt update && sudo apt upgrade -y # Ubuntu/Debian
sudo yum update -y # CentOS/RHEL
Enable automatic security updates:
sudo apt install unattended-upgrades
Regular patching prevents known exploits from being used against your server.
2. Disable the Root Login
Root login is a major target for brute-force attacks. Disable it and create a limited user with sudo privileges instead:
sudo adduser yourusername
sudo usermod -aG sudo yourusername
Edit SSH config:
sudo nano /etc/ssh/sshd_config
Find and change:
PermitRootLogin no
Then restart SSH:
sudo systemctl restart ssh
3. Use SSH Key Authentication
Password authentication is weaker than key-based login. Here’s how to set up SSH keys:
On your local machine:
ssh-keygen -t rsa -b 4096
ssh-copy-id yourusername@yourserver_ip
On the server, disable password logins:
sudo nano /etc/ssh/sshd_config
PasswordAuthentication no
Restart SSH.
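The edits in steps 2 and 3 only take effect if no earlier line overrides them, because sshd uses the first value it reads for each keyword. The script below is an added example, not part of the original post: it checks the two settings across config files given in read order, using constructed sample files and hypothetical function names.

```shell
#!/bin/sh
# Added example (not from the original post): which value does sshd really use?
# sshd keeps the FIRST value it reads for a keyword, so "PasswordAuthentication no"
# appended to sshd_config loses to an earlier line or an Include'd drop-in.

# first_value KEYWORD FILE... : first global value of KEYWORD, files in read order.
# Simplification: a Match block is treated as running to the end of its file.
first_value() {
  _key=$1; shift
  awk -v key="$_key" '
    FNR == 1       { in_match = 0 }
                   { sub(/^[ \t]+/, "") }
    /^#/ || /^$/   { next }                      # comments and blank lines
                   { split($0, f, /[ \t=]+/) }   # "Key value" or "Key=value"
    tolower(f[1]) == "match" { in_match = 1; next }
    !in_match && tolower(f[1]) == tolower(key) { print f[2]; exit }
  ' "$@"
}

# audit_sshd FILE... : returns 0 only if both settings from steps 2 and 3 are "no".
# Unset keywords fall back to the OpenSSH defaults (prohibit-password / yes).
audit_sshd() {
  _rc=0
  _root=$(first_value PermitRootLogin "$@")
  _pass=$(first_value PasswordAuthentication "$@")
  [ "${_root:-prohibit-password}" = "no" ] ||
    { echo "FAIL PermitRootLogin=${_root:-unset}"; _rc=1; }
  [ "${_pass:-yes}" = "no" ] ||
    { echo "FAIL PasswordAuthentication=${_pass:-unset}"; _rc=1; }
  return "$_rc"
}

# Constructed sample: a drop-in that is read before the edited main file.
demo=$(mktemp -d)
printf 'PasswordAuthentication yes\n' > "$demo/50-example.conf"
printf '#PermitRootLogin prohibit-password\nPermitRootLogin no\nPasswordAuthentication no\n' \
  > "$demo/sshd_config"
audit_sshd "$demo/50-example.conf" "$demo/sshd_config" || echo "not hardened yet"
```

On a live server, sudo sshd -t checks the configuration for syntax errors before you restart SSH, and sudo sshd -T prints the effective values, including those from included files.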
4. Set Up a Firewall (UFW)
The Uncomplicated Firewall (UFW) is easy to use and powerful:
sudo ufw default deny incoming
sudo ufw default allow outgoing
sudo ufw allow OpenSSH
sudo ufw enable
Add more services as needed:
sudo ufw allow http
sudo ufw allow https
Only open ports you absolutely need.
5. Remove Unused Services and Packages
Every installed package is a potential risk. Identify and remove what you don't use:
sudo netstat -tulpn # Check listening ports
sudo systemctl list-units --type=service
Remove unnecessary services:
sudo apt purge apache2
sudo apt autoremove
6. Install and Configure Fail2Ban
Fail2Ban helps prevent brute-force attacks by blocking suspicious IPs:
sudo apt install fail2ban
Create a custom jail config:
sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
Then edit /etc/fail2ban/jail.local and configure:
[sshd]
enabled = true
port = ssh
filter = sshd
logpath = /var/log/auth.log
maxretry = 5
Restart the service:
sudo systemctl restart fail2ban
7. Disable Unused Network Protocols
Turn off IPv6 if you don't use it:
sudo nano /etc/sysctl.conf
Add:
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
Then apply:
sudo sysctl -p
8. Configure AppArmor or SELinux
Both are mandatory access control systems that prevent unauthorized access to files and processes.
- AppArmor is easier and used in Ubuntu.
- SELinux is more complex but powerful (used in CentOS/RHEL).
Install AppArmor:
sudo apt install apparmor apparmor-profiles
sudo systemctl enable apparmor
9. Limit User Privileges
Never give full root access unless absolutely necessary. Use sudo and create roles using /etc/sudoers.
sudo visudo
Add rules like:
webadmin ALL=(ALL) /usr/bin/systemctl restart apache2
10. Automate Backups
Security also means recoverability. Automate your backups using:
rsync -av --delete /var/www/ user@backupserver:/backups/site/
Or use VicServers' off-site backup services for peace of mind.
11. Monitor Logs and Access
Set up logwatch or logrotate to keep an eye on logs:
sudo apt install logwatch
sudo logwatch --detail High --mailto you@example.com --service sshd --range today
Check login attempts:
sudo grep "Failed password" /var/log/auth.log
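A raw list of "Failed password" lines is hard to act on, so the script below groups failures by source address and applies the same threshold as the Fail2Ban maxretry = 5 setting from step 6. It is an added example, not part of the original post; the function names and log lines are constructed, and it assumes the usual OpenSSH message layout ending in "from <ip> port <n> ssh2".

```shell
#!/bin/sh
# Added example (not from the original post): count SSH password failures per
# source address instead of reading grep output line by line.

# failed_by_ip MIN [FILE] : prints "count address" for sources with >= MIN failures.
# FILE defaults to /var/log/auth.log; "-" reads standard input.
failed_by_ip() {
  awk -v min="$1" '
    /sshd\[[0-9]+\]: / && /Failed password for / {
      n = 1
      # rsyslog can fold duplicates into "message repeated N times: [ ... ]"
      if (match($0, /message repeated [0-9]+ times/)) {
        split(substr($0, RSTART, RLENGTH), r, " ")
        n = r[3]
      }
      # User names are chosen by the client and may contain the word "from",
      # so take the address by position from the END: from <ip> port <n> ssh2
      hits[$(NF - 3)] += n
    }
    END { for (ip in hits) if (hits[ip] >= min) print hits[ip], ip }
  ' "${2:-/var/log/auth.log}" | sort -rn
}

# Constructed sample lines (documentation addresses, not real traffic).
sample_log() {
  cat <<'EOF'
Jan 10 10:00:01 web1 sshd[1001]: Failed password for root from 203.0.113.5 port 40001 ssh2
Jan 10 10:00:03 web1 sshd[1001]: message repeated 4 times: [ Failed password for root from 203.0.113.5 port 40001 ssh2]
Jan 10 10:00:09 web1 sshd[1002]: Failed password for invalid user from from 198.51.100.7 port 40002 ssh2
Jan 10 10:01:00 web1 sshd[1003]: Accepted publickey for deploy from 192.0.2.10 port 40003 ssh2
Jan 10 10:02:00 web1 sshd[1004]: Failed password for deploy from 192.0.2.10 port 40004 ssh2
EOF
}

# Sources at or above the Fail2Ban maxretry value of 5 used in step 6.
sample_log | failed_by_ip 5 -
```

Run it against the real log with sudo sh -c '. ./script.sh; failed_by_ip 5' after saving the functions to a file of your choosing; the file name here is only a placeholder.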
12. Use Strong Password Policies
Install libpam-pwquality for enforcing password strength:
sudo apt install libpam-pwquality
Edit /etc/pam.d/common-password:
password requisite pam_pwquality.so retry=3 minlen=12 ucredit=-1 lcredit=-1 dcredit=-1
13. Enable Port Knocking (Optional)
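This adds an extra layer by hiding the SSH port. It only opens when a specific “knock” sequence is sent. Knocking only adds protection if port 22 is otherwise closed; with the ufw allow OpenSSH rule from step 4 still in place, SSH remains reachable without the knock.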
Install knockd:
sudo apt install knockd
Configure port sequences like:
[options]
UseSyslog
[openSSH]
sequence = 7000,8000,9000
seq_timeout = 15
command = /sbin/iptables -A INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
14. Use Monitoring Tools
Use htop, top, or glances to monitor server performance.
Install Glances:
sudo apt install glances
Also, tools like Netdata or Zabbix offer web dashboards for proactive monitoring.
Quick Checklist for Hardening a Linux Server
Task | Status |
---|---|
Keep system up to date | ✅ |
Disable root login | ✅ |
Set up SSH keys | ✅ |
Configure UFW firewall | ✅ |
Remove unused services | ✅ |
Install Fail2Ban | ✅ |
Disable IPv6 | ✅ |
Use AppArmor or SELinux | ✅ |
Enforce password policies | ✅ |
Set up backups | ✅ |
Monitor logs | ✅ |
Use secure DNS (optional) | ✅ |
Final Thoughts
Server hardening isn't a one-time task. It's an ongoing commitment to security, performance, and reliability. By following these best practices, you significantly reduce your risk exposure and ensure your systems are ready for real-world threats.
At VicServers, we prioritize security at every layer, from hardened infrastructure to 24/7 monitoring and support. Whether you're managing a VPS, Dedicated Server, or Shared Hosting plan, our platform gives you the tools and guidance to succeed.
Ready to Take Your Hosting Further?
- Secure Linux VPS hosting
- Automated backups
- 24/7 support
- DDoS protection and firewalls
Have questions or need help hardening your server? Reach out to our support team anytime.
Published by VicServers - Empowering Secure Hosting Across Africa