Why Server Hardening Is Non-Negotiable

Every internet-facing server is probed by automated bots within minutes of going online. Default configurations are designed for ease of use, not security. Hardening means systematically closing attack surfaces before a bad actor finds them. This checklist covers the most impactful steps for any Linux distribution — Debian, Ubuntu, AlmaLinux, or Rocky Linux.

1. Keep the OS and Packages Updated

Unpatched software is the leading cause of server compromises. Run updates regularly and enable automatic security patches where practical. On Debian/Ubuntu: apt update && apt upgrade -y. On RHEL-based systems: dnf update -y.

2. Disable Root SSH Login

Set PermitRootLogin no in /etc/ssh/sshd_config. Always authenticate as a regular user and escalate with sudo. This adds a critical extra layer — attackers must now guess both a valid username and credentials.

3. Use SSH Key Authentication Only

Set PasswordAuthentication no in your SSH config after copying your public key to the server. Brute-force attacks against password logins are rendered useless when only cryptographic keys are accepted.

4. Change the Default SSH Port

Changing SSH from port 22 to a high, non-standard port (e.g., 2222 or 52244) dramatically reduces automated scan noise in your logs. It's security through obscurity — not a substitute for key auth — but a useful noise filter.

5. Configure a Host-Based Firewall

Use UFW (Ubuntu/Debian) or firewalld (RHEL-based) to enforce a default-deny policy. Only open ports you actively use. Audit open ports regularly with ss -tlnp.

6. Install and Configure Fail2Ban

Fail2Ban monitors log files and automatically bans IP addresses after a configurable number of failed login attempts. Install it with your package manager and enable the SSH jail at minimum:

[sshd]
enabled = true
maxretry = 5
bantime = 3600

7. Secure Shared Memory

Add this line to /etc/fstab to mount /run/shm with restrictive options, preventing programs from writing executable code to shared memory:

tmpfs /run/shm tmpfs defaults,noexec,nosuid 0 0

8. Disable Unused Services and Daemons

List all running services with systemctl list-units --type=service --state=running. Disable anything you don't recognize or don't need. Every running service is a potential attack surface.

9. Configure SSL/TLS for All Public Services

Never serve traffic over plain HTTP or unencrypted protocols. Use Let's Encrypt (via Certbot) for free, auto-renewing TLS certificates. Ensure your web server redirects all HTTP traffic to HTTPS and uses modern cipher suites (TLS 1.2 minimum, TLS 1.3 preferred).

10. Set Up Log Monitoring and Alerting

Logs are useless if nobody reads them. Configure a log aggregation tool or at minimum set up logwatch to email you a daily digest. For production systems, consider shipping logs to a centralized SIEM or a service like Graylog or the ELK stack.

Bonus: Run a CIS Benchmark Audit

The Center for Internet Security publishes free benchmarks for every major Linux distribution. Tools like Lynis (apt install lynis && lynis audit system) automatically audit your server against hundreds of security controls and give you a prioritized remediation report.

Hardening Is an Ongoing Process

This checklist gets you to a solid security baseline — but hardening isn't a one-time event. Schedule regular audits, subscribe to security mailing lists for your OS, and review your firewall rules whenever you install new software.