Fresh Fedora Server Install? Don’t Leave It Exposed to the Internet
Installing Fedora Server takes about 10 minutes, but getting it to run stably and securely takes more than that. A vanilla installation comes with fairly loose default settings. Open port 22 right now, and within minutes your system logs will be flooded with brute-force attacks from botnets.
After two years of running Fedora on both personal machines and servers, I’ve developed my own set of rules. Instead of leaving defaults as-is, I always fine-tune the system to keep it lean and well-defended. Here are the steps I take immediately after the terminal screen appears.
1. Speed Up DNF and Automate Updates
By default, Fedora’s DNF package manager is fairly slow due to limited download threads. A fresh install typically has around 300–500MB of pending updates. Speed it up by enabling parallel downloads.
echo "max_parallel_downloads=10" | sudo tee -a /etc/dnf/dnf.conf
sudo dnf upgrade -y
To avoid forgetting to apply security patches, install dnf-automatic. This tool silently applies critical updates at 3 AM without any manual intervention.
sudo dnf install dnf-automatic -y
sudo systemctl enable --now dnf-automatic.timer
In /etc/dnf/automatic.conf, set upgrade_type = security. This ensures the server only applies security patches, preventing automatic software version upgrades that could break running services.
2. Harden SSH — Block 99% of Automated Bots
Hackers don’t sit around typing passwords at individual machines — they run scripts that scan millions of IPs on port 22. To get off their radar, change the rules of the game in /etc/ssh/sshd_config.
- Change port 22: Pick a random port like 2468. This eliminates the vast majority of mass-scanning attacks.
- Disable Root Login: Never allow direct root login. Use a regular user account and sudo instead.
- Use SSH Keys: Disable password authentication entirely. Without a physical key file, no one can access the server.
# Edit the following lines in /etc/ssh/sshd_config
Port 2468
PermitRootLogin no
PasswordAuthentication no
Warning: Don’t close your current terminal just yet. Use ssh-copy-id to push your key to the server first — otherwise you’ll lock yourself out after restarting SSH.
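An added example, not part of the original article: a check of the effective sshd settings. It matters because sshd uses the first value it reads for each keyword, so files included from /etc/ssh/sshd_config.d/ can take precedence over edits further down sshd_config. The function name audit_sshd and both sample inputs are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit the effective sshd settings after editing sshd_config.
# Input is `sshd -T` output, one lowercase "keyword value" pair per line.
# On a real host:
#   sudo sshd -t                 # syntax check before restarting
#   sudo sshd -T | audit_sshd    # effective values, drop-ins included
# With SELinux enforcing, sshd can only bind to ports labelled ssh_port_t:
#   sudo semanage port -a -t ssh_port_t -p tcp 2468

audit_sshd() {
    awk '
        # Port may appear several times: sshd listens on every port listed
        $1 == "port"                   { ports = ports " " $2; if ($2 == 22) on22 = 1 }
        $1 == "permitrootlogin"        { root = $2 }
        $1 == "passwordauthentication" { pw = $2 }
        END {
            fails = 0
            if (ports == "" || on22) { print "FAIL port:" (ports == "" ? " none reported" : ports); fails++ }
            else                     { print "OK   port:" ports }
            if (root != "no") { print "FAIL permitrootlogin: " (root == "" ? "not reported" : root); fails++ }
            else              { print "OK   permitrootlogin: no" }
            if (pw != "no")   { print "FAIL passwordauthentication: " (pw == "" ? "not reported" : pw); fails++ }
            else              { print "OK   passwordauthentication: no" }
            exit fails   # number of failed checks becomes the exit status
        }'
}

# Constructed sample: port 22 is still listed and a drop-in file
# (hypothetical) has re-enabled password logins
SAMPLE_WEAK='port 22
port 2468
permitrootlogin no
passwordauthentication yes'

# Constructed sample: all three settings from the article are in effect
SAMPLE_GOOD='port 2468
permitrootlogin no
passwordauthentication no'

printf '%s\n' "$SAMPLE_WEAK" | audit_sshd || echo "-> $? check(s) failed"
printf '%s\n' "$SAMPLE_GOOD" | audit_sshd && echo "-> all checks passed"
```

Run the check from the terminal you already have open, and close that session only after a second login on the new port succeeds.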
3. Configure Firewalld with a “Block Everything” Policy
Fedora uses firewalld to manage network traffic. Instead of opening individual ports haphazardly, manage by service for better control. After changing the SSH port in the previous step, the first thing to do is register it with the firewall.
# Open the new SSH port and close the old one
sudo firewall-cmd --permanent --add-port=2468/tcp
sudo firewall-cmd --permanent --remove-service=ssh
# Only open web server ports if actually needed
sudo firewall-cmd --permanent --add-service=http
sudo firewall-cmd --permanent --add-service=https
sudo firewall-cmd --reload
Use sudo firewall-cmd --list-all to verify. A secure server is one that only exposes exactly what it needs to serve.
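An added example, not part of the original article: comparing firewall-cmd --list-all output against an explicit allowlist, so that anything the zone exposes beyond what you intended is reported. The function name unexpected_exposure, the allowlist and the sample zone output are constructed; the sample assumes a zone that still carries a cockpit service entry after the commands above.

```shell
#!/bin/sh
# Added example: report every service or port in `firewall-cmd --list-all`
# output that is not on an allowlist.
# On a real host:
#   sudo firewall-cmd --list-all | unexpected_exposure "http https 2468/tcp"

unexpected_exposure() {
    # $1: space-separated allowlist of service names and port/proto entries
    awk -v allow="$1" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        # Only the "services:" and "ports:" lines list what the zone accepts;
        # "source-ports:" and "forward-ports:" have a different first field
        $1 == "services:" || $1 == "ports:" {
            for (i = 2; i <= NF; i++)
                if (!($i in ok)) { print $1 " " $i; found = 1 }
        }
        END { exit (found ? 1 : 0) }'
}

# Constructed sample of zone output after the commands above: the new SSH
# port and the web services are present, and so is a leftover cockpit entry
SAMPLE_ZONE='FedoraServer (default, active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0
  sources:
  services: cockpit dhcpv6-client http https
  ports: 2468/tcp
  protocols:
  forward: yes
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:'

ALLOW="dhcpv6-client http https 2468/tcp"
printf '%s\n' "$SAMPLE_ZONE" | unexpected_exposure "$ALLOW" \
    || echo "-> review the entries above; drop a service with --remove-service"
```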
4. Don’t Disable SELinux — Learn to Set Labels
Many online guides tell you to disable SELinux to avoid “Permission Denied” errors. That’s bad advice. SELinux is like a bodyguard standing watch over every file. Even if an attacker compromises a user account, they can’t modify system files if SELinux is blocking them.
If you install Nginx and get a 403 error, it’s most likely because the file context (label) is incorrect. Instead of disabling the protection, relabel the web directory:
sudo semanage fcontext -a -t httpd_sys_content_t "/var/www/my_site(/.*)?"
sudo restorecon -Rv /var/www/my_site
If that feels overwhelming, install setroubleshoot-server. It will write out a full explanation in plain English describing why the error occurred and exactly which command to run to fix it.
5. Optimize RAM with zRAM — A Lifesaver for Small Servers
Fedora has a great built-in feature called zRAM. Instead of writing overflow data to disk (swap) and slowing everything down, it compresses that data directly in RAM. Compression ratios typically reach 2:1 or 3:1.
If your server only has 1GB or 2GB of RAM (typical of budget VPS plans), check your zRAM status with zramctl. You can increase the compressed capacity to run more Docker containers without expensive hardware upgrades.
6. Limit Log Size to Prevent Disk Full Errors
Fedora’s logging system (journald) can balloon to several gigabytes over a few months, causing the server to freeze when the root partition fills up. Keep it to a reasonable size, such as 200MB.
sudo vi /etc/systemd/journald.conf
# Find and edit the line: SystemMaxUse=200M
sudo systemctl restart systemd-journald
Similarly, limit the number of old kernels in /etc/dnf/dnf.conf with installonly_limit=2. This keeps the /boot partition from filling up.
Closing Thoughts
Server security isn’t a one-and-done task, but following this checklist correctly will let you sleep a little easier at night. Once the layers of defense — from SSH and Firewalld to SELinux — are properly locked down, your Fedora server is ready for real-world workloads without fear of common network attacks.

