
Introduction

A freshly provisioned Linux server is vulnerable by default. Before putting any service into production, you need to harden it against common attack vectors. This guide covers the essential security measures every sysadmin should implement.

1. SSH Hardening

SSH is the most common attack vector, so secure it first. Before disabling password authentication, confirm from a second session that your public key already works, and run `sudo sshd -t` to validate the file before restarting so a typo cannot lock you out. On Debian/Ubuntu the file begins with `Include /etc/ssh/sshd_config.d/*.conf`, and sshd keeps the first value it sees for each keyword, so a drop-in in that directory silently overrides anything you set below it; check it as well. `deploy` and `admin` are example user names.

```bash
# Edit /etc/ssh/sshd_config

# Change from default 22
Port 2222
# Disable root login
PermitRootLogin no
# Key-based auth only
PasswordAuthentication no
PubkeyAuthentication yes
# Whitelist specific users
AllowUsers deploy admin
MaxAuthTries 3
# Drop unresponsive clients: on current OpenSSH a CountMax of 0 disables
# termination entirely, so use a small non-zero value
ClientAliveInterval 300
ClientAliveCountMax 2

# Validate, then restart SSH
sudo sshd -t && sudo systemctl restart sshd
```
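As an added example (not from the guide), a small Python checker that reads sshd_config text and reports which of the section 1 values are missing, overridden by an earlier line, or set only inside a Match block. It assumes the keyword names shown above and does not follow Include lines.

```python
"""Audit sshd_config text against the section 1 values (added example).
Follows sshd precedence: the FIRST value for a keyword wins, keywords are
case-insensitive, and lines below 'Match' are conditional, not global."""
import shlex

EXPECTED = {  # lowercased keyword -> required global value
    "permitrootlogin": "no",
    "passwordauthentication": "no",
    "maxauthtries": "3",
}

def parse_sshd_config(text):
    """Return (global_settings, keywords_seen_only_under_Match)."""
    settings, conditional, in_match = {}, set(), False
    for raw in text.splitlines():
        parts = shlex.split(raw, comments=True)  # drops blank and # lines
        if not parts:
            continue
        key, value = parts[0].lower(), " ".join(parts[1:])
        if key == "match":
            in_match = True  # everything below is conditional
        elif in_match:
            conditional.add(key)
        else:
            settings.setdefault(key, value)  # first occurrence wins
    return settings, conditional

def check_hardening(text):
    """Return a list of findings; an empty list means compliant."""
    settings, conditional = parse_sshd_config(text)
    findings = []
    for key, want in EXPECTED.items():
        got = settings.get(key)
        if got is None and key in conditional:
            findings.append(f"{key}: only set inside a Match block")
        elif got is None:
            findings.append(f"{key}: not set, sshd default applies")
        elif got.lower() != want:
            findings.append(f"{key}: is '{got}', expected '{want}'")
    return findings

# Constructed sample (not a real config): a later PermitRootLogin cannot
# override an earlier one, and a value set only under Match is not global.
SAMPLE = """\
PermitRootLogin yes
permitrootlogin no   # ignored by sshd: the first value above wins
MaxAuthTries 3
Match User deploy
    PasswordAuthentication no
"""
```

Run it against the real file with `check_hardening(open("/etc/ssh/sshd_config").read())`, and separately against each drop-in file.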

2. Firewall Configuration with UFW

Set up a strict firewall. Add the SSH rule before enabling UFW, or the default deny policy will cut off your session:

```bash
# Default policies
ufw default deny incoming
ufw default allow outgoing

# Allow specific services
ufw allow 2222/tcp comment 'SSH'
ufw allow 80/tcp comment 'HTTP'
ufw allow 443/tcp comment 'HTTPS'

# Rate limiting for SSH
ufw limit 2222/tcp

# Enable
ufw --force enable
ufw status verbose
```

3. Install and Configure Fail2ban

Fail2ban blocks IPs after repeated failed login attempts. The `port` in the `[sshd]` jail must match the port you chose in step 1. On systems that ship without rsyslog (Debian 12 by default) there is no `/var/log/auth.log`, and the `sshd` jail will not start unless you add `backend = systemd` to `[DEFAULT]`.

```bash
apt install fail2ban -y

cat > /etc/fail2ban/jail.local << 'EOF'
[DEFAULT]
bantime = 3600
findtime = 600
maxretry = 5

[sshd]
enabled = true
port = 2222
maxretry = 3

[nginx-http-auth]
enabled = true
EOF

systemctl enable fail2ban
systemctl start fail2ban
```

4. Automatic Security Updates

Keep the system patched automatically:

```bash
apt install unattended-upgrades -y
dpkg-reconfigure -plow unattended-upgrades

# Verify config
cat /etc/apt/apt.conf.d/20auto-upgrades
# Should show:
# APT::Periodic::Update-Package-Lists "1";
# APT::Periodic::Unattended-Upgrade "1";
```

5. Audit System with Auditd

Monitor critical files and system calls. Rules loaded with `auditctl` are lost on reboot, so also write them to `/etc/audit/rules.d/` and load them with `augenrules`. Review hits with `ausearch -k passwd_changes` (or the other keys).

```bash
apt install auditd -y

# Watch key files (takes effect immediately, not persistent)
auditctl -w /etc/passwd -p wa -k passwd_changes
auditctl -w /etc/shadow -p wa -k shadow_changes
auditctl -w /etc/ssh/sshd_config -p wa -k sshd_config
auditctl -l  # List all rules

# Make the same rules persistent across reboots
cat > /etc/audit/rules.d/hardening.rules << 'EOF'
-w /etc/passwd -p wa -k passwd_changes
-w /etc/shadow -p wa -k shadow_changes
-w /etc/ssh/sshd_config -p wa -k sshd_config
EOF
augenrules --load
```

6. File Integrity with AIDE

Detect unauthorized file changes. After every legitimate change (package updates included), run `aide --update` and move the new database into place, otherwise the daily report becomes noise nobody reads.

```bash
apt install aide -y

# Initialize database
sudo aideinit
sudo mv /var/lib/aide/aide.db.new /var/lib/aide/aide.db

# Check integrity
sudo aide --check

# Add to cron for daily checks (append, so existing entries are kept)
(crontab -l 2>/dev/null; echo "0 3 * * * /usr/bin/aide --check") | crontab -
```

7. Kernel Hardening with sysctl

Harden network stack and kernel parameters:

```bash
cat >> /etc/sysctl.d/99-hardening.conf << 'EOF'
# IP spoofing protection
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1

# Ignore ICMP redirects
net.ipv4.conf.all.accept_redirects = 0
net.ipv6.conf.all.accept_redirects = 0

# Disable source packet routing
net.ipv4.conf.all.accept_source_route = 0
net.ipv6.conf.all.accept_source_route = 0

# Enable SYN flood protection
net.ipv4.tcp_syncookies = 1

# Log suspicious packets
net.ipv4.conf.all.log_martians = 1
EOF

sysctl -p /etc/sysctl.d/99-hardening.conf
```

8. Regular Security Checklist

Set up a recurring schedule:

- Daily: check failed auth logs
- Weekly: run AIDE check, review audit logs
- Monthly: full vulnerability scan with Lynis (`lynis audit system`)
- Quarterly: review user accounts and permissions

Conclusion

Security is a process, not a one-time setup. The measures above will protect against 95% of automated attacks. For production systems, also consider SELinux/AppArmor, intrusion detection with Wazuh, and regular penetration testing.

Published on June 7, 2026 · Filed under Security
