Linux Server Hardening Checklist: How to Harden a Fresh Linux Host in 15 Minutes

A fresh Linux server requires immediate protection, known as “hardening”, since new hosts face broad security vulnerabilities quickly after deployment. There are a lot of ways to secure your Linux system, including locking down root login, setting up security patches, and disabling unnecessary services, all before the server goes live.
Here at ServerMania, we support businesses and teams that require strong security from day one on their Linux dedicated servers. Whether you are setting up your Ubuntu dedicated server or a CentOS dedicated server, we help you deploy a stable and safe Linux environment with strict security controls.
That’s why this quick guide will walk you through everything from tuning the Linux kernel to restricting remote access and building a secure operating system baseline that fits every enterprise deployment.
Why Does Linux Need Immediate Hardening?
Linux servers require immediate hardening because countless probes (attack scripts) will target your default configuration almost immediately after launch. Some of the largest networks report millions of SSH brute force attempts per day, and many breaches exploit default security vulnerabilities in newly launched Linux configurations through root login.
This is because a new operating system focuses on convenience, not protection. During the first hour online, that leaves many of your ports open, exploitable and unnecessary services running, and software packages unprotected. This is when attackers strike.
Hardening reduces the risk by shrinking the attack surface by 99% and improves your server security by locking down user accounts and tightening file system permissions. This guide will teach you how to add layer after layer of protection, and the further you go, the better the Linux server hardening will be.
Here’s our plan for your protection:
- Part 1 (0-5 Minutes): Handles security updates, firewall rules, SSH protocol hardening, and blocking failed login attempts.
- Part 2 (5-10 Minutes): Covers your password management, reviews user accounts, and fixes potential permission problems.
- Part 3 (10-15 Minutes): Handles Linux kernel tuning, audit trail checks, config file cleanup, and SELinux or AppArmor policies.
Backup Before You Start
If you’re a newbie, the chances of something going wrong are not slim, so protect your Linux server by creating a full backup before changing any configuration file.
Quick Tip: Store the snapshot on safe storage media in your data center to avoid losing sensitive data during system hardening tasks.
That’s it. Without further ado, let’s get into it!
Part 1: Critical Hardening
The first part of the Linux server hardening is the most important and can stop 80% of attacks. Here we will harden the SSH server, reduce open ports, and turn on automatic security updates so known security vulnerabilities in your operating system stay patched.
Also, we’ve made sure to explain in-depth what we’re doing, so you can follow even if you’re a beginner.

SSH Hardening: Lock Down Remote Access
This step locks down remote access so bots cannot brute force the root account or weak password accounts, and it helps encrypt data communication through a secure shell session.
First, we will back up the SSH config file, disable root login, set up a requirement for SSH keys, and limit failed login attempts.
Reminder: Always keep one SSH window open while you change settings, so you still have a way in if something goes wrong.
# Backup original SSH config
sudo cp /etc/ssh/sshd_config /etc/ssh/sshd_config.backup.$(date +%Y%m%d)
# Critical SSH hardening settings
# sshd_config treats only lines starting with '#' as comments, so each comment gets its own line.
# sshd uses the first value it reads for each keyword, so an earlier setting of the same keyword wins over these appended lines.
sudo tee -a /etc/ssh/sshd_config << 'EOF'
# ServerMania Recommended SSH Hardening
# Disable root login
PermitRootLogin no
# Force SSH keys only
PasswordAuthentication no
# Enable key-based auth
PubkeyAuthentication yes
# Change default port (optional)
Port 2222
# Use only SSH Protocol 2 (deprecated keyword: OpenSSH 7.4+ supports protocol 2 only)
Protocol 2
# Limit authentication attempts
MaxAuthTries 3
# Reduce login window
LoginGraceTime 30
# Disconnect idle sessions
ClientAliveInterval 300
# Max client alive checks
ClientAliveCountMax 2
# Whitelist specific users
AllowUsers yourusername
# Disable X11 forwarding
X11Forwarding no
# No empty passwords
PermitEmptyPasswords no
# Use PAM authentication
UsePAM yes
EOF
# Test configuration before restart
sudo sshd -t
# Restart SSH (keep backup session open!)
sudo systemctl restart sshd
Note: Don’t forget to replace yourusername with a real user that has sudo access!
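Because the settings are appended and sshd keeps the first value it reads for each keyword, an earlier line or an included drop-in file can silently override them. The following added example (not part of the original guide) compares the effective configuration printed by `sudo sshd -T` with the values set in this section; the function name `check_sshd_effective` and the sample output are constructed for illustration.

```shell
#!/bin/sh
# Added example: check that the values appended to sshd_config are the ones
# sshd will actually use. On a real host:  sudo sshd -T | check_sshd_effective

# Expected effective values, taken from the hardening block in this guide.
# sshd -T prints keywords in lowercase, one "keyword value" pair per line.
EXPECTED='permitrootlogin no
passwordauthentication no
pubkeyauthentication yes
port 2222
maxauthtries 3
logingracetime 30
x11forwarding no
permitemptypasswords no'

# Reads "sshd -T" output on stdin, prints one line per mismatch,
# returns 0 if every expected setting is in effect and 1 otherwise.
check_sshd_effective() {
    cse_effective=$(cat)
    cse_rc=0
    while read -r cse_key cse_want; do
        # Look up the effective value reported for this keyword.
        cse_got=$(printf '%s\n' "$cse_effective" |
            awk -v k="$cse_key" 'tolower($1) == k { print tolower($2); exit }')
        if [ "$cse_got" != "$cse_want" ]; then
            printf 'MISMATCH %s: expected %s, effective %s\n' \
                "$cse_key" "$cse_want" "${cse_got:-<unset>}"
            cse_rc=1
        fi
    done <<EOF
$EXPECTED
EOF
    return "$cse_rc"
}

# Constructed sample: effective settings on a host where an earlier
# PasswordAuthentication line and the original Port line still win.
SAMPLE_OVERRIDDEN='port 22
permitrootlogin no
passwordauthentication yes
pubkeyauthentication yes
maxauthtries 3
logingracetime 30
x11forwarding no
permitemptypasswords no'

printf '%s\n' "$SAMPLE_OVERRIDDEN" | check_sshd_effective ||
    echo "Effective sshd settings differ from the hardening block"
```

Any MISMATCH line means the appended value is not in effect; find the earlier occurrence of that keyword in sshd_config or its included files and correct it before relying on the setting.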
Firewall Configuration: Control Network Exposure
This step protects network security by limiting which ports are reachable from the internet. You deny new inbound connections by default, then explicitly allow the SSH port and optional web server ports for HTTP and HTTPS. This immensely boosts your internet security.
On Ubuntu or Debian, UFW gives a simple interface for system hardening around network rules. You only need to install UFW, set default rules that deny incoming and allow outgoing network traffic, then open ports 2222, 80, and 443 based on the server’s functionality.
# Ubuntu / Debian firewall setup with UFW
sudo apt update && sudo apt install ufw -y
# Default deny incoming, allow outgoing
sudo ufw default deny incoming
sudo ufw default allow outgoing
# Allow SSH (use your custom port if changed)
sudo ufw allow 2222/tcp comment 'SSH'
# Allow web traffic if needed
sudo ufw allow 80/tcp comment 'HTTP'
sudo ufw allow 443/tcp comment 'HTTPS'
# Enable firewall
sudo ufw --force enable
# Verify rules
sudo ufw status verbose
On CentOS, Red Hat Enterprise Linux, Rocky, and similar Linux distribution families, Firewalld is the default. You must enable the service so it loads on system startup, then set the default zone to drop for stricter server security. Then, open the custom SSH port and web server services, reload the rules, and then list them to confirm the config file state.
# CentOS / RHEL / Rocky firewall setup with Firewalld
sudo systemctl start firewalld
sudo systemctl enable firewalld
# Set default zone to drop unsolicited traffic
sudo firewall-cmd --set-default-zone=drop
# Allow SSH (change port if customized)
# Add the rules to the drop zone: as the default zone it now handles interfaces with no explicit zone
sudo firewall-cmd --permanent --zone=drop --add-port=2222/tcp
# Allow web services if needed
sudo firewall-cmd --permanent --zone=drop --add-service=http
sudo firewall-cmd --permanent --zone=drop --add-service=https
# Reload firewall to apply changes
sudo firewall-cmd --reload
# Verify configuration
sudo firewall-cmd --list-all
Automatic Security Updates: Patch While You Sleep
On Ubuntu & Debian, unattended-upgrades performs automatic patching for the -security repositories. You need to install the package, enable it, then write the config that focuses on the security repos only.
The daily timer keeps your operating system updated and improves your long-term system accounting around updates. This fits well with system auditing and audit trail practices for regulated environments.
# Ubuntu / Debian automatic security updates
sudo apt install unattended-upgrades apt-listchanges -y
# Enable automatic security upgrades
sudo dpkg-reconfigure -plow unattended-upgrades
# Configure security focused unattended upgrades
sudo tee /etc/apt/apt.conf.d/50unattended-upgrades << 'EOF'
Unattended-Upgrade::Allowed-Origins {
"${distro_id}:${distro_codename}-security";
};
Unattended-Upgrade::AutoFixInterruptedDpkg "true";
Unattended-Upgrade::MinimalSteps "true";
Unattended-Upgrade::Automatic-Reboot "false";
EOF
# Enable daily upgrade timer
sudo systemctl enable apt-daily-upgrade.timer
On CentOS, Red Hat Enterprise Linux, and Rocky, dnf-automatic or yum-cron performs similar work. You only need to install the tool, switch apply_updates to yes, and set upgrade_type to security so only security fixes apply. Here’s how:
# CentOS / RHEL / Rocky automatic security updates (RHEL 8+ / Rocky)
sudo dnf install dnf-automatic -y
# Configure automatic security-only updates
sudo sed -i 's/apply_updates = no/apply_updates = yes/' /etc/dnf/automatic.conf
sudo sed -i 's/upgrade_type = default/upgrade_type = security/' /etc/dnf/automatic.conf
# Enable and start timer service
sudo systemctl enable --now dnf-automatic.timer
# CentOS 7 automatic updates with yum-cron
sudo yum install yum-cron -y
sudo systemctl enable --now yum-cron
That’s it, you’ve enabled automatic updates!
Part 2: Linux Security Hardening (In-Depth Protection)
This part is critical for enterprises looking to strengthen Linux server hardening, especially if dealing with sensitive information or critical data communication.
Here, we’ll teach you how to improve the protection against brute force attacks, unsafe defaults, and how to disable unused services across your Linux systems.
Here are our best security tips:

Fail2Ban: Stop Repeated Login Attacks
Fail2Ban blocks attackers after a certain number of login failures. It monitors the SSH server's log files, identifies suspicious activity, and bans the source IP.
This vastly limits abuse that targets root access and empty password accounts!
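The counting rule behind a ban, using the `maxretry = 3` and `findtime = 600` values this guide sets for the sshd jail, can be replayed offline over log lines. This is an added example, not Fail2Ban's own code or part of the original guide: it counts only sshd "Invalid user" lines, assumes all timestamps fall on one day, and the function name `would_ban` and the log lines are constructed.

```shell
#!/bin/sh
# Added example: replay the maxretry/findtime rule over auth.log-style lines.
MAXRETRY=3      # failures needed for a ban (value used in this guide)
FINDTIME=600    # window in seconds (value used in this guide)

# Reads log lines on stdin and prints each source IP that reaches MAXRETRY
# failures inside one FINDTIME-second window. Simplified: a real Fail2Ban
# filter matches many more sshd messages and handles date rollover.
would_ban() {
    awk -v max="$MAXRETRY" -v win="$FINDTIME" '
    /sshd\[[0-9]+\]: Invalid user / {
        # Field 3 is HH:MM:SS; convert to seconds since midnight.
        split($3, t, ":")
        now = t[1] * 3600 + t[2] * 60 + t[3]
        ip = ""
        for (i = 1; i < NF; i++) if ($i == "from") ip = $(i + 1)
        if (ip == "" || ip in banned) next
        n = ++count[ip]
        seen[ip, n] = now
        # Count this source IP failures that are still inside the window.
        recent = 0
        for (j = 1; j <= n; j++) if (now - seen[ip, j] <= win) recent++
        if (recent >= max) { banned[ip] = 1; print ip }
    }'
}

# Constructed sample log (documentation IP ranges).
# 203.0.113.7 fails three times in 14 seconds and is banned.
# 198.51.100.20 also fails three times, but never three within 600 seconds.
SAMPLE_LOG='Jan 10 10:00:01 host sshd[1201]: Invalid user admin from 203.0.113.7 port 40122
Jan 10 10:00:09 host sshd[1203]: Invalid user test from 203.0.113.7 port 40130
Jan 10 10:00:15 host sshd[1207]: Invalid user oracle from 203.0.113.7 port 40144
Jan 10 10:00:21 host sshd[1209]: Invalid user guest from 203.0.113.7 port 40150
Jan 10 10:01:00 host sshd[1210]: Invalid user deploy from 198.51.100.20 port 51514
Jan 10 10:20:00 host sshd[1302]: Invalid user deploy from 198.51.100.20 port 51620
Jan 10 10:40:00 host sshd[1377]: Invalid user deploy from 198.51.100.20 port 51700
Jan 10 10:41:00 host sshd[1380]: Accepted publickey for serveradmin from 192.0.2.10 port 50022 ssh2'

printf '%s\n' "$SAMPLE_LOG" | would_ban
```

The second source in the sample is the reason the guide pairs Fail2Ban with key-only SSH authentication rather than relying on bans alone.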
Ubuntu or Debian:
# Install Fail2Ban
sudo apt install fail2ban -y
# Create local configuration
sudo tee /etc/fail2ban/jail.local << 'EOF'
[DEFAULT]
bantime = 3600
findtime = 600
maxretry = 3
destemail = your-email@example.com
sendername = Fail2Ban
action = %(action_mwl)s
[sshd]
enabled = true
port = 2222
filter = sshd
logpath = /var/log/auth.log
maxretry = 3
bantime = 86400
[sshd-ddos]
enabled = true
port = 2222
# Fail2Ban 0.10 and later ship no separate sshd-ddos filter; it is a mode of the sshd filter
filter = sshd[mode=ddos]
logpath = /var/log/auth.log
maxretry = 2
bantime = 86400
EOF
# Start and enable Fail2Ban
sudo systemctl enable fail2ban
sudo systemctl start fail2ban
# Check status
sudo fail2ban-client status sshd
CentOS, RHEL, or Rocky:
# Install EPEL repository
sudo dnf install epel-release -y
# Install Fail2Ban
sudo dnf install fail2ban fail2ban-systemd -y
# Create local configuration
sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
# Configure SSH protection
sudo tee -a /etc/fail2ban/jail.local << 'EOF'
[sshd]
enabled = true
port = 2222
filter = sshd
logpath = /var/log/secure
maxretry = 3
bantime = 86400
findtime = 600
EOF
# Enable and start
sudo systemctl enable fail2ban
sudo systemctl start fail2ban
User Account Security: Protect Legitimate Users Only
This is another critical step: it locks unsafe user accounts, reinforces your password management, and limits sudo access to trusted users only. This access control technique reduces exposure to unauthorized users and boosts your server security.
# Create non-root admin user
sudo adduser serveradmin
sudo usermod -aG sudo serveradmin # Ubuntu/Debian
sudo usermod -aG wheel serveradmin # CentOS/RHEL/Rocky
# Configure secure sudo
sudo visudo
# Add:
# Defaults timestamp_timeout=5
# Lock unused system accounts
for user in games news uucp proxy www-data backup list irc gnats; do
  sudo usermod -L "$user" 2>/dev/null
  sudo usermod -s /usr/sbin/nologin "$user" 2>/dev/null
done
# Password strength policies (Ubuntu/Debian)
sudo apt install libpam-pwquality -y
sudo tee -a /etc/security/pwquality.conf << 'EOF'
minlen = 14
dcredit = -1
ucredit = -1
ocredit = -1
lcredit = -1
EOF
# Password aging rules (match any whitespace and any current value)
sudo sed -i -E 's/^PASS_MAX_DAYS[[:space:]]+.*/PASS_MAX_DAYS\t90/' /etc/login.defs
sudo sed -i -E 's/^PASS_MIN_DAYS[[:space:]]+.*/PASS_MIN_DAYS\t7/' /etc/login.defs
Critical File System Permissions: Secure Sensitive Data
Another critical thing to do is to lock down the core file system entries, like /etc/passwd, /etc/shadow, and /boot/grub, so only authorized processes can access and read them.
Here’s how:
# Secure sensitive files
sudo chmod 644 /etc/passwd
sudo chmod 600 /etc/shadow
sudo chmod 644 /etc/group
sudo chmod 600 /etc/gshadow
sudo chmod 600 /boot/grub/grub.cfg 2>/dev/null
sudo chmod 600 /boot/grub2/grub.cfg 2>/dev/null
# Secure home directories
sudo chmod 750 /home/*
# Restrict cron access
sudo touch /etc/cron.allow
sudo chmod 600 /etc/cron.allow
sudo rm -f /etc/cron.deny
# Configure restrictive umask (match any whitespace and any current value)
sudo sed -i -E 's/^UMASK[[:space:]]+.*/UMASK\t\t027/' /etc/login.defs
# Disable unused filesystems
sudo tee -a /etc/modprobe.d/hardening.conf << 'EOF'
install cramfs /bin/true
install freevxfs /bin/true
install jffs2 /bin/true
install hfs /bin/true
install hfsplus /bin/true
install udf /bin/true
EOF
Remove Unnecessary Packages: OS Decluttering
To wrap up part #2, we remove unsafe or outdated software packages from the system, which closes further network vulnerabilities, especially from services running in the background.
In short, we will reduce the exposure created by old protocols like Telnet, RSH, and NIS.
Ubuntu or Debian:
# List insecure packages
dpkg -l | grep -E 'telnet|rsh|nis|tftp|talk'
# Remove insecure services
sudo apt purge telnet rsh-client rsh-redone-client nis talk -y
sudo apt autoremove -y
CentOS, RHEL, or Rocky:
# Check for insecure packages
rpm -qa | grep -E 'telnet|rsh|nis|tftp|talk'
# Remove if present
sudo dnf remove telnet rsh nis tftp talk -y
Part 3: Advanced Hardening (Kernel & Logging)
The final part will help you strengthen the secure shell environment, improve your physical security, and tighten the controls that restrict access across your Linux server.
We’ll walk you through a few critical steps, involving hardening the Linux kernel, limiting risky external devices, enforcing rules to prevent non-root users from accessing sensitive data, and logging configs.
This is crucial even if you’re in an environment that uses strong passwords, two-factor authentication, full disk encryption, and strict handling of USB storage.

Kernel Security Parameters
These kernel rules lower exposure to spoofing, bad packets, and weak defaults. You also reduce risks tied to root password attacks and protect the memory layout. The config below is designed to keep the system tight even if an attacker guesses a user’s password.
# Backup existing configuration
sudo cp /etc/sysctl.conf /etc/sysctl.conf.backup
# Apply kernel hardening
sudo tee /etc/sysctl.d/99-hardening.conf << 'EOF'
net.ipv4.ip_forward = 0
net.ipv6.conf.all.forwarding = 0
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_max_syn_backlog = 2048
net.ipv4.tcp_synack_retries = 2
net.ipv4.tcp_syn_retries = 5
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv6.conf.all.accept_redirects = 0
net.ipv6.conf.default.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
net.ipv4.icmp_echo_ignore_all = 0
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.icmp_ignore_bogus_error_responses = 1
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.default.log_martians = 1
kernel.randomize_va_space = 2
kernel.core_uses_pid = 1
fs.suid_dumpable = 0
kernel.dmesg_restrict = 1
kernel.kptr_restrict = 2
fs.inotify.max_user_watches = 524288
EOF
# Apply settings
sudo sysctl -p /etc/sysctl.d/99-hardening.conf
Note: These security policies protect memory space, limit spoofing, and reduce the effects of weak or exposed user passwords.
SELinux Configuration for CentOS, RHEL, Rocky
SELinux controls how processes behave and helps restrict access to sensitive paths. It lowers the impact of attacks that reach the system through weak passwords or unsafe external devices.
It’s like an intrusion detection system.
# Check SELinux status
sestatus
# Set SELinux to enforcing mode
sudo sed -i 's/SELINUX=permissive/SELINUX=enforcing/' /etc/selinux/config
sudo sed -i 's/SELINUX=disabled/SELINUX=enforcing/' /etc/selinux/config
# Apply immediately (if SELinux was disabled, reboot instead; setenforce cannot enable it)
sudo setenforce 1
# Install SELinux tools
sudo dnf install policycoreutils-python-utils setroubleshoot-server -y
# Allow common services (only needed if your web server makes outbound or database connections)
sudo setsebool -P httpd_can_network_connect on
sudo setsebool -P httpd_can_network_connect_db on
# View SELinux denials
sudo ausearch -m avc -ts recent
AppArmor for Ubuntu and Debian
AppArmor controls which binaries can read files or interact with the network. This is very important when a user’s password gets stolen or an attacker attempts to exploit physical data, like a USB drive.
# Check AppArmor status
sudo aa-status
# Install AppArmor utilities
sudo apt install apparmor-utils apparmor-profiles apparmor-profiles-extra -y
# Enable AppArmor
sudo systemctl enable apparmor
sudo systemctl start apparmor
# Enforce all profiles
sudo aa-enforce /etc/apparmor.d/*
# View status
sudo aa-status
Audit Logging with auditd
Auditd records key actions that may require your attention!
You track access attempts, password changes, identity edits, and file modifications, which helps you configure logging that supports security reviews.
# Ubuntu / Debian
sudo apt install auditd audispd-plugins -y
# CentOS / RHEL / Rocky
sudo dnf install audit audit-libs -y
# Enable auditd
sudo systemctl enable auditd
sudo systemctl start auditd
# Add audit rules
sudo tee -a /etc/audit/rules.d/hardening.rules << 'EOF'
-w /var/log/faillog -p wa -k auth
-w /var/log/lastlog -p wa -k auth
-w /var/log/tallylog -p wa -k auth
-w /etc/group -p wa -k identity
-w /etc/passwd -p wa -k identity
-w /etc/gshadow -p wa -k identity
-w /etc/shadow -p wa -k identity
-w /etc/security/opasswd -p wa -k identity
-w /etc/sudoers -p wa -k sudo_changes
-w /etc/sudoers.d/ -p wa -k sudo_changes
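# Audit watches do not expand wildcards: add one line per account (serveradmin is the admin user created in Part 2)
-w /home/serveradmin/.ssh/authorized_keys -p wa -k ssh_key_changes
-w /root/.ssh/authorized_keys -p wa -k ssh_key_changes
EOF
# Load the new rules
sudo augenrules --load
Note: This supports stronger checks for two-factor authentication, and attempts to disable unused devices or attach unsafe external devices.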
Secure Your Linux Infrastructure With ServerMania
ServerMania provides a stable and security-focused environment for hardened Linux deployments. We support strict access control, reliable performance, and standardized configurations for production workloads for small businesses and enterprises alike.
Organizations that require full operational control use Linux server hosting through a dedicated server, while teams that prefer delegated maintenance select managed server hosting for continuous updates, monitoring, security management, and expert assistance.
Note: Our global data centers offer one of the best physical server security systems in the world!

How to Get Started?
- Explore our dedicated hosting solutions to select the configuration that fits your workload.
- Place an order, wait for deployment to complete, and follow this guide to harden your Linux.
- Contact our 24/7 customer service team for special inquiries or any custom requirements.
💬 If you have any questions, book a free consultation with a Linux deployment expert to evaluate your project and receive the best possible quote. We’re available right now.
