Why Server Hardening Is Non-Negotiable

Every internet-facing server is being scanned by automated bots within minutes of going live. Default configurations are well-known, and attackers exploit them routinely. Server hardening is the process of reducing your attack surface — eliminating unnecessary services, applying least-privilege principles, and locking down common entry points before someone else does it for you.

This guide covers the 10 most impactful hardening steps for a Linux server (applicable to Ubuntu, Debian, CentOS, and RHEL-based distributions).

1. Update Everything Immediately

Before anything else, patch the OS and all installed packages. Unpatched software is the leading cause of server compromises.

apt update && apt upgrade -y   # Debian/Ubuntu
dnf update -y                  # RHEL/CentOS/Fedora

Enable automatic security updates where appropriate, and establish a regular patching schedule.

2. Create a Non-Root User with Sudo Access

Logging in as root is dangerous — one wrong command can destroy your entire system with no confirmation. Create a dedicated admin user and disable direct root login.

3. Harden SSH Configuration

SSH is the most commonly attacked service on any Linux server. Apply these changes in /etc/ssh/sshd_config:

  • Change the default port from 22 (reduces automated scan noise)
  • Disable root login: PermitRootLogin no
  • Disable password authentication: PasswordAuthentication no
  • Use SSH key pairs instead of passwords
  • Limit login attempts: configure MaxAuthTries 3

4. Set Up a Firewall

Use UFW (Ubuntu) or firewalld (RHEL/CentOS) to allow only the ports your services actually need. Deny everything else by default. A typical web server only needs ports 22 (SSH), 80 (HTTP), and 443 (HTTPS) open.

5. Install and Configure Fail2Ban

Fail2Ban monitors log files and automatically bans IP addresses after a defined number of failed login attempts. It's one of the simplest and most effective tools against brute-force attacks.

6. Disable Unused Services and Daemons

Every running service is a potential attack vector. Audit what's running and disable anything you don't need:

systemctl list-units --type=service --state=running

Common culprits to review: FTP, Telnet, CUPS (printing), Bluetooth, and unused web services.

7. Apply File System Permissions Correctly

Misconfigurations in file permissions are a classic privilege escalation path. Key principles:

  • Web root directories should not be world-writable
  • Sensitive configuration files (with passwords or keys) should be readable only by the owning user
  • Use find to audit world-writable files: find / -perm -002 -type f

8. Enable and Monitor System Logs

You can't detect an intrusion you're not watching for. Ensure logging daemons (rsyslog or journald) are running. Consider shipping logs to a centralized, off-server log management system so they can't be tampered with after a compromise.

9. Use an Intrusion Detection System (IDS)

Tools like AIDE (Advanced Intrusion Detection Environment) or Tripwire create a baseline of your file system and alert you when files are modified unexpectedly — a key indicator of compromise.

10. Keep Backups — And Test Them

Backups aren't strictly a hardening measure, but they're your last line of defense. Automate daily backups to an off-site or off-server location. Critically, regularly test your restores — a backup you've never restored is a backup you can't trust.

Hardening Is a Process, Not an Event

Security is never a one-time task. Set a schedule to review your configurations, rotate credentials, audit users, and apply patches. Each of these steps individually helps; together they create meaningful defense-in-depth.