
Essential Linux Security Hardening Checklist

August 12, 2025

Introduction

Security should be a top priority when setting up any Linux server. This comprehensive checklist will help you secure your Linux system against common threats.

1. System Updates

Keep your system updated:

# Ubuntu/Debian
sudo apt update && sudo apt upgrade -y
sudo apt autoremove

# CentOS/RHEL
sudo yum update -y
sudo yum autoremove

2. User Account Security

Disable Root Login

sudo nano /etc/ssh/sshd_config
# Set: PermitRootLogin no

Create Strong Passwords

sudo passwd username
# Use complex passwords with special characters

Setup Sudo Access

sudo usermod -aG sudo username
# Test with: sudo whoami

3. SSH Hardening

Change Default Port

sudo nano /etc/ssh/sshd_config
# Change: Port 22 to Port 2222

Disable Password Authentication

# Set up SSH keys first (see below) and confirm key login works, then:
PasswordAuthentication no
PubkeyAuthentication yes
# Validate and apply all sshd_config changes while keeping the current session open:
# sudo sshd -t && sudo systemctl restart sshd

Configure SSH Keys

# Generate key pair (on client)
ssh-keygen -t rsa -b 4096   # or a modern alternative: ssh-keygen -t ed25519

# Copy to server
ssh-copy-id -p 2222 username@server-ip

4. Firewall Configuration

UFW (Ubuntu)

sudo ufw default deny incoming
sudo ufw default allow outgoing
sudo ufw allow 2222/tcp  # SSH
sudo ufw allow 80/tcp    # HTTP
sudo ufw allow 443/tcp   # HTTPS
sudo ufw enable

iptables (CentOS/RHEL)

sudo iptables -A INPUT -i lo -j ACCEPT
sudo iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 2222 -j ACCEPT
sudo iptables -A INPUT -j DROP
# Rules are lost on reboot unless saved (with iptables-services installed):
# sudo iptables-save | sudo tee /etc/sysconfig/iptables

5. Install Security Tools

Fail2ban (Brute Force Protection)

sudo apt install fail2ban
sudo systemctl enable fail2ban
sudo systemctl start fail2ban

Configure Fail2ban

sudo nano /etc/fail2ban/jail.local

[DEFAULT]
bantime = 3600
findtime = 600
maxretry = 3

[sshd]
enabled = true
port = 2222

# Apply and verify the jail is active
sudo systemctl restart fail2ban
sudo fail2ban-client status sshd

6. File System Security

Set Proper Permissions

# Web directories: apply 755 to directories and 644 to files only
# (a bare chmod 644 on /var/www/html/* would also strip execute from subdirectories)
sudo chmod 755 /var/www
sudo find /var/www/html -type d -exec chmod 755 {} +
sudo find /var/www/html -type f -exec chmod 644 {} +

# SSH directory
chmod 700 ~/.ssh
chmod 600 ~/.ssh/authorized_keys

Monitor File Changes

# Install AIDE and build the baseline database
sudo apt install aide
sudo aideinit
# aideinit writes aide.db.new; the check reads aide.db, so activate the baseline
sudo cp /var/lib/aide/aide.db.new /var/lib/aide/aide.db
sudo aide --check

7. Network Security

Disable Unused Services

# List enabled services
systemctl list-unit-files --state=enabled
# List services currently running
systemctl list-units --type=service --state=running

# Disable unused services
sudo systemctl disable service-name
sudo systemctl stop service-name

Configure Network Parameters

sudo nano /etc/sysctl.conf

# IP Spoofing protection
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1

# Ignore ICMP ping requests (note: this also breaks ping-based monitoring of the host)
net.ipv4.icmp_echo_ignore_all = 1

# Disable IP forwarding (keep enabled only if the host routes traffic or runs containers that need it)
net.ipv4.ip_forward = 0

# Apply the settings without a reboot
sudo sysctl -p

8. Logging and Monitoring

Configure Rsyslog

sudo nano /etc/rsyslog.conf
# Ensure authentication messages are written to a file, e.g.:
# auth,authpriv.*   /var/log/auth.log

Monitor Log Files

# Watch authentication logs (CentOS/RHEL: /var/log/secure instead of auth.log)
sudo tail -f /var/log/auth.log

# Check for failed login attempts
sudo grep "Failed password" /var/log/auth.log
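The grep above lists raw lines; the following added example (not part of the original checklist) aggregates "Failed password" entries per source IP and flags sources reaching the maxretry of 3 used in the fail2ban jail above, which is the same signal fail2ban acts on. The log lines are constructed here so the script runs offline.

```shell
#!/bin/sh
# Count sshd "Failed password" events per source IP in an auth log and
# flag sources at or above a threshold. Sample log lines are constructed.

SAMPLE_LOG="$(mktemp)"
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
Aug 12 10:01:02 host sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Aug 12 10:01:05 host sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 51236 ssh2
Aug 12 10:01:09 host sshd[1203]: Failed password for root from 203.0.113.7 port 51240 ssh2
Aug 12 10:02:11 host sshd[1210]: Accepted publickey for deploy from 198.51.100.4 port 40022 ssh2
Aug 12 10:03:30 host sshd[1215]: Failed password for deploy from 198.51.100.4 port 40030 ssh2
EOF

# failed_by_ip LOGFILE -> lines of "count ip", most frequent first
failed_by_ip() {
    grep 'sshd\[[0-9]*\]: Failed password' "$1" \
        | sed -n 's/.* from \([0-9a-fA-F.:]*\) port .*/\1/p' \
        | sort | uniq -c | sort -rn \
        | awk '{ print $1, $2 }'
}

# offenders LOGFILE MAXRETRY -> IPs with at least MAXRETRY failures
offenders() {
    failed_by_ip "$1" | awk -v max="$2" '$1 >= max { print $2 }'
}

failed_by_ip "$SAMPLE_LOG"
echo "--- sources at or above maxretry=3 ---"
offenders "$SAMPLE_LOG" 3
```

Point both functions at /var/log/auth.log (or /var/log/secure) to run them against a real host; the output is a quick cross-check of what fail2ban should already be banning.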

9. Regular Security Maintenance

  • Review user accounts monthly
  • Update passwords regularly
  • Monitor system logs weekly
  • Backup important data
  • Test disaster recovery procedures

10. Additional Security Measures

  • Install antivirus (ClamAV)
  • Use intrusion detection system (OSSEC)
  • Implement log monitoring (ELK stack)
  • Regular security audits

Conclusion

Security is an ongoing process. Regularly review and update your security measures to protect against evolving threats.
