Deploying a Linux server is the first step. Securing it keeps your data safe. Server hardening reduces your system's vulnerabilities. It blocks paths that attackers use. Security is not a one-time checklist. It is a continuous practice of layered defense.
Here is a simple guide to hardening your server against modern-day threats.
Securing Access and Authentication
Secure Shell (SSH) is the main entry point for attackers. Securing your login process is your first line of defense.
Enforce SSH Key Authentication: Stop using passwords. Passwords are easy to guess. Use cryptographic keys instead. Keys use strong math. Generate a key pair on your computer. Use an RSA or Ed25519 key type. Send the public key to the server. Open the file /etc/ssh/sshd_config. Set PasswordAuthentication no. This action disables passwords completely.
Disable Root Login: Never log in directly as root. Log in as a normal user first. Use the sudo command for admin tasks. Open your sshd_config file again. Set PermitRootLogin no. This blocks the root user from SSH.
Set Up Two-Factor Authentication (2FA): Add a second layer of security. Use a time-based code module. Google Authenticator is a good tool. Connect it to SSH using PAM modules.
Change the Default SSH Port: Move away from port 22. Pick a random high port number. Choose a number between 49152 and 65535. This stops automated bot attacks. It keeps your logs clean.
Fortifying the Network Perimeter
A safe server only opens necessary ports. Every open port creates a security risk.
Configure a Strict Firewall: Block all incoming traffic by default. Only open specific needed ports. Open your custom SSH port. Open port 80 for HTTP web traffic. Open port 443 for HTTPS secure traffic. Use UFW for Ubuntu systems. Use Firewalld for CentOS systems.
Install Fail2Ban: Fail2Ban tracks your server logs. It looks for failed login attempts. It spots malicious activity quickly. It changes firewall rules automatically. It blocks bad IP addresses temporarily.
Disable Unused IPv6: Turn off IPv6 if you do not use it. Unused paths create hidden security gaps. Attackers can bypass IPv4 rules. Disabling it closes these gaps.
System Minimization and Updates
More software brings more security risks. Keeping your system small makes it safe.
Remove Unused Software: Delete all extra software packages. Do not install visual desktop screens. Do not install unneeded web servers. Remove unused FTP tools. Use apt autoremove on Ubuntu. Use dnf autoremove on CentOS. This cleans up leftover files.
Automate Security Updates: New software bugs appear daily. Set up automatic security updates. Use unattended-upgrades on Ubuntu systems. Use dnf-automatic on CentOS systems. This installs patches without your help.
Separate Your Disk Storage: Divide your hard drive into parts. Put /tmp on its own partition. Put /var on its own partition. Put /home on its own partition. Open the file /etc/fstab. Add the noexec option to stop programs from running there. Add the nosuid option to block unauthorized system access. Add the nodev option to block fake hardware devices.
Enforcing Access Controls
Standard file permissions are not always enough. You must restrict what your programs can do.
Enable SELinux or AppArmor: Turn on your security system software. Use AppArmor on Ubuntu systems. Use SELinux on CentOS systems. Set the system to enforcing mode. This locks applications into safe zones. A hacked program cannot steal your data. It protects your private SSH keys. It protects your system password files.
Audit Special File Permissions: Some files run with root power. These files use SUID or SGID settings. Attackers target these files often. Scan your server for these files. Run the command find / -perm /6000 -type f. Check this file list regularly. Remove the special power if unneeded.
Logging, Monitoring, and Intrusion Detection
You cannot secure an invisible system. Monitoring helps you catch hackers early.
Configure Centralized Logging: Send logs to an external server. Use rsyslog or syslog-ng for log shipping. If hackers get root access, they will first delete local files on your server.
Deploy File Intrusion Detection: Install a file tracking tool. Use AIDE for file checking. Use Tripwire as an alternative. This tool creates a cryptographic baseline of system files and sends alerts for unauthorized file changes.
Scan for Rootkits: Run regular malware scans. Use rkhunter to find hidden threats. Use chkrootkit to find local exploits. Set these scans to run automatically. This detects backdoor entry points.
Monitor System Activity: Track system calls in real-time. Install the auditd tracking tool. Watch all system file access closely. This records exact user movements. This creates a forensic data trail.
Conclusion
Linux server hardening is an ongoing operational commitment that transforms systems into resilient fortresses through strong authentication, reduced attack surfaces, and strict access controls. Effective security requires constant vigilance, including regular audits, updated security measures, and proactive monitoring.
