
Linux Server Hardening: The Essential Security Measures


A freshly installed Linux server is not automatically secure. Default configurations are optimized for compatibility, not security. SSH with password login, open ports, no firewall, outdated packages — each of these is a potential entry point. Server hardening systematically closes these gaps. The following measures apply to Debian and Ubuntu but can be adapted to any Linux distribution.

1. Secure SSH

SSH is the most common attack vector on Linux servers. An SSH service reachable from the internet is attacked automatically within minutes.

Disable Password Login

Only allow SSH key authentication (/etc/ssh/sshd_config):

PasswordAuthentication no
PubkeyAuthentication yes
ChallengeResponseAuthentication no
UsePAM no

Prohibit Root Login

PermitRootLogin no

Instead, use a regular user with sudo privileges.

Change SSH Port (Optional)

Port 2222

Does not improve security by itself, but reduces automated brute-force attempts by >95%, because script kiddies primarily scan port 22.

Additional SSH Hardening

MaxAuthTries 3
LoginGraceTime 30
AllowUsers admin deploy
ClientAliveInterval 300
ClientAliveCountMax 2

After changes, validate the configuration with sshd -t, then run systemctl restart sshd. Keep the current session open until a fresh key-based login succeeds, so a typo does not lock you out.
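As an added example (not from the original article), the following POSIX shell script checks an sshd_config file against the directives this section requires, honouring sshd's rule that the first occurrence of a directive wins and that directive names are case-insensitive. The sample config is constructed; check_sshd_config and effective_value are hypothetical helper names.

```shell
#!/bin/sh
# Added example: audit an sshd_config against the article's SSH directives.

# Constructed sample config for the demo; a real run would pass /etc/ssh/sshd_config.
SAMPLE_CFG="$(mktemp)"
cat > "$SAMPLE_CFG" <<'EOF'
# constructed example sshd_config
Port 2222
permitrootlogin prohibit-password
PasswordAuthentication no
PubkeyAuthentication yes
MaxAuthTries 6
AllowUsers admin deploy
EOF

# effective_value FILE DIRECTIVE -> prints the first matching value, lowercased.
# Comment lines and lines without a value are skipped, as sshd does.
effective_value() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ || NF < 2 { next }
        tolower($1) == key { print tolower($2); exit }
    ' "$1"
}

# check_sshd_config FILE -> prints one line per deviation; exit status = deviation count.
check_sshd_config() {
    file="$1"; bad=0
    # directive=expected pairs taken from the article's SSH section
    for pair in passwordauthentication=no pubkeyauthentication=yes \
                permitrootlogin=no maxauthtries=3 logingracetime=30 \
                clientaliveinterval=300 clientalivecountmax=2; do
        key="${pair%%=*}"; want="${pair#*=}"
        have="$(effective_value "$file" "$key")"
        if [ "$have" != "$want" ]; then
            echo "$key: want '$want', have '${have:-<unset>}'"
            bad=$((bad + 1))
        fi
    done
    return "$bad"
}

if check_sshd_config "$SAMPLE_CFG"; then
    echo "sshd_config matches the hardening baseline"
else
    echo "deviations: $?"
fi
rm -f "$SAMPLE_CFG"
```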

2. Configure Firewall

Every server should run a local firewall — even if a network firewall (OPNsense) sits upstream. Defense in depth.

UFW (Uncomplicated Firewall)

# Block everything, only allow explicitly permitted traffic
ufw default deny incoming
ufw default allow outgoing

# Allow SSH
ufw allow 2222/tcp

# Web server (if needed)
ufw allow 80/tcp
ufw allow 443/tcp

# Enable
ufw enable

Alternative: nftables

For more complex rulesets, nftables (successor to iptables) offers more flexibility:

#!/usr/sbin/nft -f
# Save as /etc/nftables.conf and enable with: systemctl enable --now nftables
flush ruleset

table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        iif lo accept
        ct state established,related accept
        ct state invalid drop
        # ICMP/ICMPv6 must stay open: path MTU discovery and IPv6 neighbour discovery depend on it
        meta l4proto { icmp, icmpv6 } accept
        tcp dport 2222 accept
        tcp dport { 80, 443 } accept
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
    }
    chain output {
        type filter hook output priority 0; policy accept;
    }
}

3. Automatic Security Updates

Unpatched software is the most common entry point. Security updates should be installed automatically.

unattended-upgrades (Debian/Ubuntu)

apt install unattended-upgrades
dpkg-reconfigure unattended-upgrades

Ensure in /etc/apt/apt.conf.d/50unattended-upgrades:

Unattended-Upgrade::Allowed-Origins {
    "${distro_id}:${distro_codename}-security";
};
Unattended-Upgrade::Automatic-Reboot "false";
Unattended-Upgrade::Mail "admin@example.com";

Important: Set Automatic-Reboot to false — kernel updates require a reboot, which should be scheduled in a maintenance window rather than happening unannounced. Non-kernel updates take effect immediately for newly started processes; long-running services that have an updated library loaded still need a restart to pick it up.

4. Users and Permissions

Principle of Least Privilege

  • No service should run as root (exception: services needing privileged ports <1024 — use cap_net_bind_service instead)
  • Every service gets its own user (www-data, postgres, prometheus)
  • sudo access only for administrators, not for service accounts

Configure sudo

# Add user to sudo group
usermod -aG sudo admin

# Shorten sudo timeout (default: 15 min)
# In /etc/sudoers.d/timeout:
Defaults timestamp_timeout=5

Disable Unnecessary Users

Default installations often contain users that aren’t needed:

# Set shell to nologin
usermod -s /usr/sbin/nologin games
usermod -s /usr/sbin/nologin news
usermod -s /usr/sbin/nologin uucp

5. Minimize Services

Every running service increases the attack surface. Only install and enable what’s needed.

# Show all running services
systemctl list-units --type=service --state=running

# Disable unnecessary services
systemctl disable --now cups
systemctl disable --now avahi-daemon
systemctl disable --now bluetooth

Typically unnecessary on servers: cups (printing), avahi-daemon (mDNS/Bonjour), bluetooth, ModemManager.

6. Kernel Hardening with sysctl

Kernel parameters in /etc/sysctl.d/99-hardening.conf:

# SYN flood protection
net.ipv4.tcp_syncookies = 1

# Reject ICMP redirects (prevents MITM)
net.ipv4.conf.all.accept_redirects = 0
net.ipv6.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0

# Disable source routing
net.ipv4.conf.all.accept_source_route = 0
net.ipv6.conf.all.accept_source_route = 0

# IP forwarding only if needed (router/gateway)
net.ipv4.ip_forward = 0

# Reverse path filter (anti-spoofing)
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1

# Hide kernel addresses in /proc
kernel.kptr_restrict = 2

# dmesg only for root
kernel.dmesg_restrict = 1

# Disable core dumps of setuid programs (they can leak privileged memory)
fs.suid_dumpable = 0

Apply: sysctl --system

7. Secure the Filesystem

Temporary Directories

Mount /tmp and /var/tmp with noexec — this prevents malware from being executed out of temporary directories. Note that some package installs run maintainer scripts from /tmp and fail under noexec; if that happens, remount /tmp with exec for the duration of the apt run.

In /etc/fstab:

tmpfs /tmp tmpfs defaults,nosuid,nodev,noexec 0 0

Protect Important Directories

# Restrict cron access
chmod 700 /etc/cron.d
chmod 700 /etc/cron.daily
chmod 700 /etc/cron.hourly

# Protect SSH configuration
chmod 600 /etc/ssh/sshd_config
chmod 700 ~/.ssh
chmod 600 ~/.ssh/authorized_keys

8. Logging and Auditing

Persistent Logs with journald

Ensure logs are persistent:

# /etc/systemd/journald.conf
Storage=persistent
MaxRetentionSec=90day

auditd for Critical Actions

apt install auditd

# Example rules in /etc/audit/rules.d/hardening.rules:
# Monitor SSH config changes
-w /etc/ssh/sshd_config -p wa -k sshd_config
# Monitor user/group management
-w /etc/passwd -p wa -k passwd_changes
-w /etc/shadow -p wa -k shadow_changes
-w /etc/group -p wa -k group_changes
# Monitor sudo usage
-w /var/log/auth.log -p wa -k auth_log

Load the rules with: augenrules --load

Log Forwarding

Forward logs to a central syslog server or SIEM:

  • Prevents an attacker from manipulating local logs
  • Enables correlation across multiple servers
  • DATAZONE Control can aggregate logs centrally

9. fail2ban Against Brute Force

fail2ban monitors log files and bans IP addresses after too many failed login attempts:

apt install fail2ban

Configuration in /etc/fail2ban/jail.local:

[DEFAULT]
bantime = 3600
findtime = 600
maxretry = 3

[sshd]
enabled = true
port = 2222

After 3 failed SSH logins within 10 minutes, the IP is banned for 1 hour.
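As an added example (not from the original article or fail2ban's own code), the following POSIX shell function replays the jail settings above (maxretry=3 within findtime=600 seconds) over constructed auth.log-style lines, so you can see which source addresses would be banned and at which line. It implements only the "Failed password" pattern of fail2ban's sshd filter; the log lines use documentation addresses and the name banned_ips is hypothetical.

```shell
#!/bin/sh
# Added example: fail2ban-style sliding-window ban decision over sample log lines.

# Constructed sample log: "<epoch seconds> <sshd message>" per line.
SAMPLE_LOG="$(mktemp)"
cat > "$SAMPLE_LOG" <<'EOF'
1700000000 sshd[101]: Failed password for invalid user admin from 203.0.113.5 port 40001 ssh2
1700000100 sshd[102]: Failed password for root from 203.0.113.5 port 40002 ssh2
1700000200 sshd[103]: Failed password for deploy from 203.0.113.9 port 40003 ssh2
1700000300 sshd[104]: Accepted publickey for deploy from 203.0.113.9 port 40004 ssh2
1700000400 sshd[105]: Failed password for invalid user test from 203.0.113.5 port 40005 ssh2
1700001500 sshd[106]: Failed password for invalid user guest from 203.0.113.9 port 40006 ssh2
1700001600 sshd[107]: Failed password for invalid user guest from 203.0.113.9 port 40007 ssh2
EOF

# banned_ips FILE [MAXRETRY] [FINDTIME] -> prints "IP epoch" for every ban decision.
# A ban is issued the moment an address reaches MAXRETRY failures whose
# timestamps lie within the last FINDTIME seconds; older failures expire.
banned_ips() {
    awk -v maxretry="${2:-3}" -v findtime="${3:-600}" '
        $3 == "Failed" && $4 == "password" {
            ip = ""
            for (i = 5; i <= NF; i++) if ($i == "from") { ip = $(i+1); break }
            if (ip == "" || (ip in banned)) next
            # append this failure, then drop window entries older than now - findtime
            n[ip]++; t[ip, n[ip]] = $1
            while (s[ip] < n[ip] && t[ip, s[ip] + 1] <= $1 - findtime) s[ip]++
            if (n[ip] - s[ip] >= maxretry) { banned[ip] = 1; print ip, $1 }
        }
    ' "$1"
}

# 203.0.113.5 reaches 3 failures inside 600 s and is banned at the third line;
# 203.0.113.9 has 3 failures too, but the first one has already expired.
banned_ips "$SAMPLE_LOG"
rm -f "$SAMPLE_LOG"
```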

10. Encryption

Disk Encryption with LUKS

For servers with physical access risk (colocation, remote sites):

# Encrypt partition (during installation or afterwards; luksFormat destroys all existing data on the partition)
cryptsetup luksFormat /dev/sda2
cryptsetup open /dev/sda2 crypt-root

TLS for All Services

Every network service should communicate encrypted:

  • Web server: HTTPS with Let’s Encrypt
  • Database: Enforce TLS connections
  • Email: STARTTLS / SMTPS
  • Monitoring: HTTPS for dashboards

Hardening Checklist

Measure                            Priority   Status
SSH: key-only, no root login       Critical   [ ]
Local firewall (ufw/nftables)      Critical   [ ]
Automatic security updates         Critical   [ ]
Disable unnecessary services       High       [ ]
Minimize user permissions          High       [ ]
sysctl kernel hardening            High       [ ]
fail2ban for SSH                   High       [ ]
Mount /tmp with noexec             Medium     [ ]
auditd for change monitoring       Medium     [ ]
Disk encryption (LUKS)             Medium     [ ]

Frequently Asked Questions

Is SSH key authentication sufficient as the only measure?

No — SSH keys only secure access, not the server itself. A compromised service (web server, database) can compromise the server without SSH access. All measures together form a defense-in-depth concept.

Which measure has the greatest effect?

SSH hardening and automatic updates together eliminate >90% of the most common attack vectors. These two measures should be implemented first on every server.

How do I check if my server is hardened?

Tools like Lynis (apt install lynis && lynis audit system) analyse the server configuration and provide specific recommendations. CIS benchmarks offer detailed checklists for each distribution.

Can DATAZONE Control automate hardening?

Yes — via script execution, DATAZONE Control can roll out hardening measures to all managed servers simultaneously and regularly check compliance status.


Want to professionally secure your Linux servers? Contact us — we conduct a security audit and implement the appropriate hardening measures.
