
Linux Server Hardening: A Practical Security Checklist

A comprehensive security hardening guide for Linux servers — covering SSH configuration, firewall rules, user management, kernel parameters, and audit logging for production environments.

December 5, 2025 · Phan Minh Anh

Why Harden Your Linux Servers?

A default Linux installation is not production-ready from a security perspective. This checklist covers the essential steps to reduce your attack surface significantly.

1. SSH Hardening

SSH is the most critical entry point. Edit /etc/ssh/sshd_config:

# Disable root login
PermitRootLogin no

# Disable password authentication — use keys only
PasswordAuthentication no
PubkeyAuthentication yes

# Change default port (security through obscurity, but reduces noise)
Port 2222

# Limit login attempts
MaxAuthTries 3
MaxSessions 5

# Disable unused features
X11Forwarding no
AllowAgentForwarding no

# Only allow specific users
AllowUsers deploy adminuser

Restart SSH after changes:

systemctl restart sshd
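
As an added check that is not part of the original post, the script below verifies that the directives above are actually in effect. Point it at /etc/ssh/sshd_config or, better, at saved output of sshd -T, which resolves Include files and compiled-in defaults; the sample config at the bottom is constructed for a stand-alone run.

```sh
# Added example, not from the original post: check sshd directives against the checklist.

# effective_value FILE KEY: print the first value set for KEY, lowercased.
# Mirrors sshd: first occurrence wins, keyword case is ignored, '#' starts a
# comment. Directives inside Match blocks are conditional and are skipped.
effective_value() {
    awk -v key="$2" '
        { sub(/#.*/, "") }
        NF == 0 { next }
        tolower($1) == "match" { inmatch = 1; next }
        inmatch { next }
        tolower($1) == key { print tolower($2); exit }
    ' "$1"
}

# check_sshd_config FILE: print one line per directive that deviates from the
# checklist; the return value is the number of deviations (0 = all match).
# An unset directive counts as a deviation: the compiled-in default is not
# necessarily the hardened value, so an explicit setting is required.
check_sshd_config() {
    fails=0
    for pair in permitrootlogin=no passwordauthentication=no \
                pubkeyauthentication=yes maxauthtries=3 \
                x11forwarding=no allowagentforwarding=no; do
        key=${pair%%=*}; want=${pair#*=}
        got=$(effective_value "$1" "$key")
        if [ "$got" != "$want" ]; then
            printf 'FAIL %-22s want %-4s got %s\n' "$key" "$want" "${got:-<unset>}"
            fails=$((fails + 1))
        fi
    done
    return "$fails"
}

# Constructed sample config (not a real server's file): PasswordAuthentication
# is still commented out, as in a stock file, and X11Forwarding was left on.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
PermitRootLogin no
#PasswordAuthentication no
PubkeyAuthentication yes
MaxAuthTries 3
X11Forwarding yes
AllowAgentForwarding no
Match User deploy
    X11Forwarding no
EOF
check_sshd_config "$SAMPLE"
echo "$? directive(s) deviate from the checklist"
```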

2. Firewall Configuration (UFW)

# Set default policies
ufw default deny incoming
ufw default allow outgoing

# Allow only what's needed
ufw allow 2222/tcp   # SSH (your custom port)
ufw allow 80/tcp     # HTTP
ufw allow 443/tcp    # HTTPS

# Enable firewall
ufw enable
ufw status verbose

3. User and Privilege Management

# Create a deploy user instead of using root
useradd -m -s /bin/bash deploy
usermod -aG sudo deploy

# Lock the root account
passwd -l root

# Configure sudo with a specific command allowlist (run visudo and add a line like this)
visudo
# deploy ALL=(ALL) NOPASSWD: /usr/bin/systemctl restart nginx

4. Keep the System Updated

# Enable automatic security updates
apt install unattended-upgrades
dpkg-reconfigure --priority=low unattended-upgrades

# Edit /etc/apt/apt.conf.d/50unattended-upgrades
Unattended-Upgrade::Allowed-Origins {
    "${distro_id}:${distro_codename}-security";
};
Unattended-Upgrade::Automatic-Reboot "false";

5. Kernel Hardening (sysctl)

Add to /etc/sysctl.d/99-hardening.conf:

# Disable IP forwarding (unless this is a router)
net.ipv4.ip_forward = 0

# Prevent SYN flood attacks
net.ipv4.tcp_syncookies = 1

# Disable ICMP redirects
net.ipv4.conf.all.accept_redirects = 0
net.ipv6.conf.all.accept_redirects = 0

# Log martian packets
net.ipv4.conf.all.log_martians = 1

Apply the settings with: sysctl -p /etc/sysctl.d/99-hardening.conf

6. Audit Logging

apt install auditd

# Monitor sensitive file access (auditctl rules are runtime-only; place them in /etc/audit/rules.d/ to persist across reboots)
auditctl -w /etc/passwd -p wa -k identity
auditctl -w /etc/sudoers -p wa -k sudoers
auditctl -w /var/log/auth.log -p wa -k auth_log

Quick Security Scan

Run lynis audit system (from the lynis package) to get a comprehensive security score and remediation recommendations specific to your system configuration.

Summary Checklist

  • Disable root SSH login
  • Enforce SSH key authentication only
  • Configure UFW with minimal open ports
  • Enable automatic security updates
  • Apply kernel hardening parameters
  • Enable audit logging
  • Run Lynis and address HIGH severity findings