Posted inSecurity

Hardening Linux Server: A Comprehensive Security Checklist for Beginners

Security tutorial - IT technology blog
Security tutorial - IT technology blog

Introduction: Why is Linux Server Security Important?

Today, powerful and flexible Linux servers have become widespread. But with that power comes the responsibility to protect them from countless threats. An insecure server can easily become a target for malicious actors, leading to data loss, service disruption, or even being exploited for illegal activities.

I remember once, my personal server was continuously subjected to SSH brute-force attacks in the middle of the night. Upon receiving the alerts, I had to get up immediately to handle it, blocking suspicious IP addresses and strengthening the SSH configuration. From that experience, I learned a crucial lesson: always set up security from the start, don’t wait until ‘the barn is empty to start building a fence’. This article will provide you with a comprehensive security checklist to effectively ‘harden’ your Linux server.

Core Concept: What is Server Hardening?

Server hardening is the implementation of measures and configurations to shrink a system’s ‘attack surface’. The primary goal is to make the server more difficult to infiltrate and exploit.

Specifically, we will remove or disable unnecessary features, services, or configurations – those that are easily abused. At the same time, we will strengthen defensive measures for the remaining components. Simply put, hardening is like transforming your server from a ‘house with many open windows’ into a ‘fortress’, with only essential entrances carefully guarded.

Common threats we need to guard against include:

  • Brute-force attacks on services like SSH.
  • Exploiting unpatched security vulnerabilities in software.
  • Unauthorized access through unnecessary open network ports.
  • Malware or malicious code infections.
  • Configuration errors leading to information disclosure or privilege escalation.

Detailed Practice: Comprehensive Linux Server Security Checklist

1. Regularly Update the System

Don’t underestimate this step – it’s fundamental yet crucial. Developers constantly release security patches. Regularly updating your operating system and all software on the server will protect you from known vulnerabilities.

Solution:

Perform regular updates (daily or weekly). On Debian/Ubuntu, use the command:


sudo apt update
sudo apt upgrade -y
sudo apt autoremove -y

On CentOS/RHEL, use the command:


sudo dnf update -y
sudo dnf autoremove -y

After updating the kernel, you should restart the server to ensure the changes take effect:


sudo reboot

2. Secure SSH: The Critical Gateway

SSH (Secure Shell) is a key protocol for remote server management and also a ‘golden target’ for brute-force attacks. Correct SSH configuration will help you significantly reduce risks.

Solution:

Edit the SSH configuration file /etc/ssh/sshd_config. Always back up the file before editing:


sudo cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bak
sudo nano /etc/ssh/sshd_config

Change the following options:

  • Disable root login: Attackers often target the root account first during brute-force attempts. Turn this feature off.
    • 
PermitRootLogin no
  • Change the default SSH port (from 22 to another port): This is not an absolute security measure, but it will help avoid most automated port scanning attacks targeting port 22.
    • 
Port 2222 # Choose a random port other than 22, e.g., 2222
  • Use SSH key authentication instead of passwords: This is the strongest SSH security method. SSH keys are much longer and more complex than passwords, making them harder to brute-force.
    • 
PasswordAuthentication no
PubkeyAuthentication yes

    To generate an SSH key pair, use the ssh-keygen command on your local machine, then copy the public key (.pub) to the server using ssh-copy-id user@your_server_ip or manually copy it to the user’s ~/.ssh/authorized_keys file.

  • Install Fail2ban to prevent brute-force attacks: Fail2ban is an extremely useful tool. It monitors system logs and automatically blocks IP addresses with suspicious behavior, such as repeated failed SSH login attempts.
    • 
sudo apt install fail2ban -y # Debian/Ubuntu
# sudo dnf install fail2ban -y # CentOS/RHEL

sudo systemctl enable fail2ban
sudo systemctl start fail2ban

    Create a local configuration file to customize Fail2ban without affecting the original configuration:

    
sudo nano /etc/fail2ban/jail.local

    Add the following content (adjust bantime and maxretry as you wish):

    
[sshd]
enabled = true
port = 2222 # Set the correct SSH port you changed
filter = sshd
logpath = /var/log/auth.log
maxretry = 3
bantime = 1h

After making changes, remember to restart the SSH service:


sudo systemctl restart sshd

And check Fail2ban status:


sudo fail2ban-client status sshd

3. Configure Firewall (UFW/Firewalld)

A firewall acts as the first line of defense, strictly controlling all incoming and outgoing network traffic on the server. The golden rule here is: only open ports that are truly necessary; close all others.

Solution:

Use UFW (Uncomplicated Firewall) on Ubuntu/Debian or Firewalld on CentOS/RHEL.

With UFW (Ubuntu/Debian):


sudo apt install ufw -y

sudo ufw enable # Enable firewall (be careful, make sure SSH port was opened beforehand)
sudo ufw default deny incoming # Deny all incoming connections by default
sudo ufw default allow outgoing # Allow all outgoing connections by default

# Allow necessary ports:
sudo ufw allow 2222/tcp # Changed SSH port
sudo ufw allow 80/tcp # HTTP
sudo ufw allow 443/tcp # HTTPS

sudo ufw status verbose # Check status

With Firewalld (CentOS/RHEL):


sudo dnf install firewalld -y

sudo systemctl enable firewalld
sudo systemctl start firewalld

sudo firewall-cmd --permanent --zone=public --add-port=2222/tcp # Changed SSH port
sudo firewall-cmd --permanent --zone=public --add-service=http # Port 80
sudo firewall-cmd --permanent --zone=public --add-service=https # Port 443

sudo firewall-cmd --reload # Apply changes
sudo firewall-cmd --list-all # Check status

4. User and Permission Management

Always adhere to the ‘Principle of Least Privilege‘ – this is key. Accordingly, each user and service should only be granted the necessary permissions to perform their tasks.

Solution:

  • Use non-root accounts for daily tasks: Only use sudo when administrative tasks need to be performed.
  • Delete unused accounts: Old, inactive accounts can become serious security vulnerabilities. Don’t let them persist.
    • 
sudo deluser --remove-home username
  • Set strong passwords: Require long passwords that combine uppercase and lowercase letters, numbers, and special characters. Additionally, users should be forced to change passwords periodically.
  • Properly configure file and directory permissions: Ensure sensitive configuration files are only readable by necessary users.
    • 
# Example: owner has read/write permissions, group has read, others have no permissions
sudo chmod 640 /etc/ssh/sshd_config

# Example: owner has read/write/execute permissions, group and others only have read/execute permissions
sudo chmod 755 /var/www/html

5. Disable Unnecessary Services

Every service running on a server carries the potential risk of exploitation by attackers. Disabling non-essential services will significantly reduce your attack surface.

Solution:

List all running services:


sudo systemctl list-units --type=service --state=running

Then, identify and stop/disable services you don’t need:


sudo systemctl stop <service_name>
sudo systemctl disable <service_name>

For example: If you are not using the server as an email host, you can disable Postfix or Sendmail. Similarly, if you are not using Samba, disable it.

6. Review and Monitor System Logs

System logs record all activities on the server, from logins and file access to system errors. Regularly checking logs helps you detect unusual behavior or signs of attack early on.

Solution:

Check login logs:


cat /var/log/auth.log | grep "Failed password" # Ubuntu/Debian
cat /var/log/secure | grep "Failed password" # CentOS/RHEL

View overview logs with journalctl:


sudo journalctl -xe # View recent system logs with error details
sudo journalctl -f # Monitor real-time logs

For large systems, you should consider using centralized log monitoring tools like ELK stack or Grafana Loki. They will make log management and analysis much easier.

7. Regularly Back Up Data

No matter how thoroughly your server is secured, risks always lurk. Regular data backups are the ultimate ‘lifeline’, helping you restore operations after any security incident or hardware failure.

Solution:

Set up automatic and regular backups. Use tools like rsync, tar, or cloud backup solutions. Store backups in a separate, secure location.


# Example of backing up web directory to another drive
sudo rsync -avz /var/www/html/ /mnt/backup_drive/web_backup_$(date +%Y%m%d)/

Remember, always test your data recovery process to ensure backups work smoothly when needed.

Conclusion

Linux server security is not a ‘one-and-done’ task. It’s a continuous journey that requires constant vigilance, knowledge updates, and adjustments over time. By following this comprehensive hardening checklist, you have equipped your server with the strongest layers of defense. Always consider information security a top priority. Proactively protecting your system will help you avoid countless unnecessary troubles and damages in the future.

Share:
Tags: