
Linux Server Hardening Cheatsheet

Complete guide to Linux server hardening including SSH security, firewall configuration, user management, password policies, SELinux/AppArmor, system updates, monitoring, and security best practices for production servers.

#linux #security #hardening #ssh #firewall #sysadmin #selinux

Security Best Practices

Server hardening is critical for protecting your production systems. These steps should be implemented carefully and tested in a staging environment first.

  • Always backup your system before making security changes
  • Test each hardening step in a non-production environment first
  • Keep documentation of all security configurations
  • Regularly audit and update security measures

1. SSH Security Configuration

Secure your SSH server to prevent unauthorized access and brute force attacks.

Disable Root Login

Edit SSH configuration file:

$ sudo nano /etc/ssh/sshd_config

Set the following parameters:

PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
PermitEmptyPasswords no

Restart SSH service:

$ sudo systemctl restart sshd

Change Default SSH Port

Change from port 22 to reduce automated attacks:

Port 2222

Set Up SSH Key Authentication

Generate SSH key pair on your local machine:

$ ssh-keygen -t ed25519 -C "[email protected]"

Copy public key to server:

$ ssh-copy-id -i ~/.ssh/id_ed25519.pub user@server_ip
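Before restarting sshd, it helps to confirm the file actually says what you think it says. The following audit script is an added example, not part of the original cheatsheet; it assumes the usual "Keyword value" syntax and stops at the first Match block, since sshd applies the first value it sees in the global section.

```shell
#!/bin/sh
# Added example (not from the original page): audit an sshd_config for the four
# settings recommended above. Usage: check_sshd_config /etc/ssh/sshd_config
# Assumes "Keyword value" lines (not "Keyword=value"); Match blocks are skipped
# because sshd takes the first value it finds in the global section.

# Print the effective global value of a keyword (lower-cased), or nothing if unset.
sshd_get() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }   # comments and blank lines
        tolower($1) == "match" { exit }                  # stop at the first Match block
        tolower($1) == key     { print tolower($2); exit }
    ' "$1"
}

# Check every recommended keyword and print one line per finding.
# Returns 0 only when all four are explicitly set to the expected value.
check_sshd_config() {
    cfg="$1"; rc=0
    for pair in PermitRootLogin=no PasswordAuthentication=no \
                PubkeyAuthentication=yes PermitEmptyPasswords=no; do
        key="${pair%%=*}"; want="${pair#*=}"
        have="$(sshd_get "$cfg" "$key")"
        if [ -z "$have" ]; then
            echo "MISSING $key (set it explicitly to $want)"; rc=1
        elif [ "$have" != "$want" ]; then
            echo "WEAK    $key=$have (expected $want)"; rc=1
        else
            echo "OK      $key=$have"
        fi
    done
    return "$rc"
}

# Run against the live config when invoked as: sh audit-sshd.sh --check [path]
if [ "${1:-}" = "--check" ]; then
    check_sshd_config "${2:-/etc/ssh/sshd_config}"
fi
```

Run it as root if the config is not world-readable; a non-zero exit means at least one setting is missing or weak.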

2. User Management & Sudo Access

Create non-root users with sudo privileges for administrative tasks.

Create a New User

$ sudo adduser username

Add User to Sudo Group

# Ubuntu/Debian
$ sudo usermod -aG sudo username

# CentOS/RHEL
$ sudo usermod -aG wheel username

Configure Sudo Timeout

Edit sudoers file:

$ sudo visudo

Add timeout (5 minutes):

Defaults timestamp_timeout=5

Disable Unused Accounts

$ sudo usermod -L username  # Lock account
$ sudo usermod -s /sbin/nologin username  # Disable login

3. Firewall Configuration

Set up a firewall to control incoming and outgoing network traffic.

UFW (Ubuntu/Debian)

Install UFW:

$ sudo apt install ufw

Set default policies:

$ sudo ufw default deny incoming
$ sudo ufw default allow outgoing

Allow SSH (change port if needed):

$ sudo ufw allow 22/tcp
$ sudo ufw allow 2222/tcp  # If you changed SSH port

Allow other services:

$ sudo ufw allow 80/tcp    # HTTP
$ sudo ufw allow 443/tcp   # HTTPS

Enable firewall:

$ sudo ufw enable

Check status:

$ sudo ufw status verbose

Firewalld (CentOS/RHEL)

Install firewalld:

$ sudo yum install firewalld

Start and enable:

$ sudo systemctl start firewalld
$ sudo systemctl enable firewalld

Allow services:

$ sudo firewall-cmd --permanent --add-service=ssh
$ sudo firewall-cmd --permanent --add-service=http
$ sudo firewall-cmd --permanent --add-service=https
$ sudo firewall-cmd --reload

4. Install and Configure Fail2ban

Fail2ban protects against brute force attacks by banning IPs with too many failed login attempts.

Install Fail2ban

# Ubuntu/Debian
$ sudo apt install fail2ban

# CentOS/RHEL
$ sudo yum install fail2ban

Configure Fail2ban for SSH

Create local configuration file:

$ sudo nano /etc/fail2ban/jail.local

Add SSH protection (on CentOS/RHEL set logpath = /var/log/secure, and change port if you moved SSH off 22):

[sshd]
enabled = true
port = 22
filter = sshd
logpath = /var/log/auth.log
maxretry = 3
bantime = 3600
findtime = 600

Start Fail2ban Service

$ sudo systemctl start fail2ban
$ sudo systemctl enable fail2ban

Check Fail2ban Status

$ sudo fail2ban-client status
$ sudo fail2ban-client status sshd
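To see what the sshd jail is reacting to, the filter below counts failed SSH logins per source address in a syslog-format auth.log and flags addresses at or above maxretry. It is an added example, not from the page or the fail2ban project, and it does not apply a findtime window, so the count covers the whole file.

```shell
#!/bin/sh
# Added example (not from the page or fail2ban): count failed SSH logins per source
# address in an auth.log and report addresses that reached maxretry.
# Usage: ssh_bruteforce_candidates /var/log/auth.log 3   -> "<count> <ip>" per line
# Matches the OpenSSH lines "Failed password|publickey|none for [invalid user] NAME from IP".
# No findtime window is applied, so this summarises the whole file.
ssh_bruteforce_candidates() {
    log="$1"; maxretry="${2:-3}"
    awk -v max="$maxretry" '
        /sshd\[[0-9]+\]: Failed (password|publickey|none) for / {
            for (i = 1; i <= NF; i++)
                if ($i == "from") { fails[$(i + 1)]++; break }   # token after "from" is the IP
        }
        END { for (ip in fails) if (fails[ip] >= max) print fails[ip], ip }
    ' "$log" | sort -rn
}

# Constructed sample log (RFC 5737 test addresses) so the filter can be tried offline.
write_sample_auth_log() {
    cat > "$1" <<'EOF'
Jan 12 10:15:01 web1 sshd[2201]: Failed password for root from 203.0.113.5 port 4101 ssh2
Jan 12 10:15:04 web1 sshd[2201]: Failed password for root from 203.0.113.5 port 4101 ssh2
Jan 12 10:15:07 web1 sshd[2203]: Invalid user admin from 203.0.113.5 port 4102
Jan 12 10:15:07 web1 sshd[2203]: Failed password for invalid user admin from 203.0.113.5 port 4102 ssh2
Jan 12 10:16:00 web1 sshd[2210]: Accepted publickey for deploy from 198.51.100.7 port 5000 ssh2
Jan 12 10:16:30 web1 sshd[2212]: Failed password for deploy from 198.51.100.7 port 5001 ssh2
EOF
}

# Demo when run as: sh count-failed.sh --demo
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp); write_sample_auth_log "$tmp"
    ssh_bruteforce_candidates "$tmp" 3; rm -f "$tmp"
fi
```

The "Invalid user" line is deliberately not counted, because the same attempt also produces a "Failed password" line and would otherwise be counted twice.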

5. Disable Unnecessary Services

Reduce attack surface by disabling unused services and daemons.

List All Running Services

$ sudo systemctl list-units --type=service --state=running

Disable Unused Services

$ sudo systemctl stop service_name
$ sudo systemctl disable service_name

Common Services to Disable

# Disable Bluetooth (if not needed)
$ sudo systemctl disable bluetooth.service

# Disable CUPS (printing service)
$ sudo systemctl disable cups.service

# Disable Avahi (network service discovery)
$ sudo systemctl disable avahi-daemon.service

Warning: Only disable services you're certain are not needed. Research each service before disabling to avoid breaking system functionality.

6. Enable SELinux or AppArmor

Mandatory Access Control (MAC) systems provide an additional security layer.

SELinux (CentOS/RHEL/Fedora)

Check SELinux status:

$ sestatus

Set SELinux to enforcing mode:

$ sudo setenforce 1

Make it persistent (edit /etc/selinux/config):

SELINUX=enforcing

View SELinux denials:

$ sudo ausearch -m avc -ts recent

AppArmor (Ubuntu/Debian)

Check AppArmor status:

$ sudo apparmor_status

Enable AppArmor profile:

$ sudo aa-enforce /etc/apparmor.d/usr.sbin.sshd

Reload profiles:

$ sudo systemctl reload apparmor

7. Keep Kernel and Packages Updated

Regular updates are critical for security patches and bug fixes.

Ubuntu/Debian

$ sudo apt update
$ sudo apt upgrade -y
$ sudo apt dist-upgrade -y
$ sudo apt autoremove -y

CentOS/RHEL

$ sudo yum update -y
$ sudo yum upgrade -y

Enable Automatic Security Updates

Ubuntu/Debian:

$ sudo apt install unattended-upgrades
$ sudo dpkg-reconfigure --priority=low unattended-upgrades

CentOS/RHEL:

$ sudo yum install yum-cron
$ sudo systemctl enable yum-cron
$ sudo systemctl start yum-cron

Check Kernel Version

$ uname -r

8. Enforce Strong Password Policies

Implement password complexity requirements and aging policies.

Install PAM Password Quality Module

# Ubuntu/Debian
$ sudo apt install libpam-pwquality

# CentOS/RHEL
$ sudo yum install libpwquality

Configure Password Requirements

Edit /etc/security/pwquality.conf:

minlen = 12          # Minimum password length
minclass = 3         # Minimum character classes (upper, lower, digit, special)
maxrepeat = 2        # Maximum repeated characters
dcredit = -1         # Require at least one digit
ucredit = -1         # Require at least one uppercase
lcredit = -1         # Require at least one lowercase
ocredit = -1         # Require at least one special character

Set Password Aging

Edit /etc/login.defs:

PASS_MAX_DAYS   90    # Maximum password age
PASS_MIN_DAYS   7     # Minimum days between password changes
PASS_WARN_AGE   14    # Warning days before password expires

Apply to existing user:

$ sudo chage -M 90 -m 7 -W 14 username

Restrict Password Reuse

Edit /etc/pam.d/common-password (Ubuntu) or /etc/pam.d/system-auth (CentOS):

password sufficient pam_unix.so remember=5

This prevents reusing the last 5 passwords.

Lock Account After Failed Attempts

Edit /etc/pam.d/common-auth:

auth required pam_tally2.so deny=5 onerr=fail unlock_time=1800

Locks the account for 30 minutes after 5 failed attempts. Note that pam_tally2 was removed in Linux-PAM 1.5.0; on current distributions the equivalent module is pam_faillock, which takes the same deny and unlock_time options.

9. Disable USB and Thunderbolt Devices

Prevent unauthorized physical access and data exfiltration through USB devices.

Disable USB Storage

Create blacklist file:

$ sudo nano /etc/modprobe.d/blacklist-usb-storage.conf

Add the following line (blacklist only stops the module from loading automatically; to also block an explicit modprobe, add install usb-storage /bin/false as a second line):

blacklist usb-storage

Update initramfs so the change applies at boot (Debian/Ubuntu; on CentOS/RHEL run sudo dracut -f instead):

$ sudo update-initramfs -u

Disable Thunderbolt

Create blacklist file:

$ sudo nano /etc/modprobe.d/blacklist-thunderbolt.conf

Add:

blacklist thunderbolt

Note: Only implement these restrictions if your server doesn't require USB or Thunderbolt devices for legitimate purposes.

10. Disable Unwanted SUID and SGID Binaries

SUID/SGID files can be security risks. Audit and remove unnecessary ones.

Find SUID Files

$ sudo find / -perm /4000 -type f 2>/dev/null

Find SGID Files

$ sudo find / -perm /2000 -type f 2>/dev/null

Remove SUID/SGID Bit

# Remove SUID
$ sudo chmod u-s /path/to/file

# Remove SGID
$ sudo chmod g-s /path/to/file

Save SUID/SGID List for Monitoring

$ sudo find / -perm /6000 -type f 2>/dev/null > /root/suid-sgid-files.txt

Critical: Be extremely careful when removing SUID/SGID bits. Some system binaries require these permissions to function properly. Research each file before removing permissions.

11. Logging and Auditing

Comprehensive logging helps detect security incidents and troubleshoot issues.

Install auditd

# Ubuntu/Debian
$ sudo apt install auditd

# CentOS/RHEL
$ sudo yum install audit

Enable and Start auditd

$ sudo systemctl enable auditd
$ sudo systemctl start auditd

Monitor Authentication Logs

# Ubuntu/Debian
$ sudo tail -f /var/log/auth.log

# CentOS/RHEL
$ sudo tail -f /var/log/secure

Configure Log Rotation

Edit /etc/logrotate.d/rsyslog:

/var/log/syslog
{
    rotate 7
    daily
    missingok
    notifempty
    compress
    delaycompress
    postrotate
        /usr/lib/rsyslog/rsyslog-rotate
    endscript
}

Search Audit Logs

# Search for failed login attempts
$ sudo ausearch -m USER_LOGIN -sv no

# Search for user additions
$ sudo ausearch -m ADD_USER

# View recent audit events
$ sudo ausearch -ts recent

Monitor File Changes

Add audit rule to monitor /etc/passwd:

$ sudo auditctl -w /etc/passwd -p wa -k passwd_changes

12. Perform Regular Backups

Regular backups are essential for disaster recovery and data protection.

Create Backup with rsync

$ sudo rsync -avz /source/directory/ /backup/destination/

Automated Backup Script

Create backup script:

#!/bin/bash
# Abort on any failed command, unset variable or failed pipeline stage
set -euo pipefail

DATE=$(date +%Y%m%d_%H%M%S)
BACKUP_ROOT="/backup"
BACKUP_DIR="$BACKUP_ROOT/server_backup_$DATE"
SOURCE_DIRS="/etc /home /var/www"

mkdir -p "$BACKUP_DIR"
# No trailing slash on $dir, so each source tree is created as a directory under $BACKUP_DIR
for dir in $SOURCE_DIRS; do
    rsync -avz "$dir" "$BACKUP_DIR/"
done

# Compress the staging directory into a single archive; -C keeps paths inside the
# archive relative (and avoids tar's "Removing leading /" warning), then drop the staging copy
tar -czf "$BACKUP_DIR.tar.gz" -C "$BACKUP_ROOT" "server_backup_$DATE"
rm -rf "$BACKUP_DIR"

# Remove backups older than 30 days
find "$BACKUP_ROOT" -name "*.tar.gz" -mtime +30 -delete

Schedule Automated Backups

Open the root crontab:

$ sudo crontab -e

Add the following line (daily at 2 AM):

0 2 * * * /root/backup.sh > /var/log/backup.log 2>&1

Verify Backup Integrity

$ tar -tzf backup.tar.gz | head

Best Practice: Store backups off-site or on a different server. Test backup restoration regularly to ensure they work when needed.

13. Monitor Listening Network Ports

Regularly monitor open ports to detect unauthorized services.

List All Listening Ports

$ sudo ss -tulpn

List Listening TCP Ports

$ sudo netstat -tulpn | grep LISTEN

Check Specific Port

$ sudo lsof -i :80
$ sudo lsof -i :443

Monitor Active Connections

$ sudo netstat -anp | grep ESTABLISHED

Scan Open Ports with nmap

$ sudo nmap -sT -O localhost

Create Baseline Port List

$ sudo ss -tulpn > /root/port-baseline.txt

14. Separate Disk Partitions

Use separate partitions to contain security breaches and prevent DoS attacks through disk filling.

Recommended Partition Scheme

/boot   Boot files (500MB - 1GB)
/       Root filesystem (20-50GB)
/home   User home directories (variable size)
/var    Variable data, logs (20-50GB)
/tmp    Temporary files (5-10GB)
swap    Swap space (1-2x RAM)

View Current Partitions

$ df -h
$ lsblk

Mount Options for Security

Edit /etc/fstab with secure mount options:

# /tmp with noexec, nosuid, nodev
/dev/sda2 /tmp ext4 defaults,noexec,nosuid,nodev 0 2

# /var with nosuid
/dev/sda3 /var ext4 defaults,nosuid 0 2

# /home with nosuid, nodev
/dev/sda4 /home ext4 defaults,nosuid,nodev 0 2

Remount with New Options

$ sudo mount -o remount /tmp

Mount Options Explained:

  • noexec - Prevent execution of binaries
  • nosuid - Ignore SUID and SGID bits
  • nodev - Ignore device files

Note: Partition setup is typically done during OS installation. Changing partitions on a live system requires advanced knowledge and can result in data loss.
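Whether the options actually took effect is decided by the kernel, not by fstab, so verify against /proc/mounts after the remount. The checker below is an added example, not part of the page; it reads a mounts table in /proc/mounts format and reports any option from the fstab entries above that is missing.

```shell
#!/bin/sh
# Added example (not part of the page): verify that a mount point carries the required
# options, reading the kernel's view from /proc/mounts rather than trusting fstab.
# Usage: mount_missing_opts /proc/mounts /tmp noexec,nosuid,nodev
# Prints what is missing and returns 1 on any gap; prints nothing and returns 0 when compliant.
mount_missing_opts() {
    table="$1"; mp="$2"; want_list="$3"
    # /proc/mounts rows: "<device> <mountpoint> <fstype> <options> <dump> <pass>".
    # The last row for a mount point is the one currently visible, so keep the last match.
    opts=$(awk -v mp="$mp" '$2 == mp { o = $4 } END { print o }' "$table")
    if [ -z "$opts" ]; then
        echo "$mp: not mounted separately (its parent filesystem's options apply)"
        return 1
    fi
    missing=""
    for want in $(printf '%s' "$want_list" | tr ',' ' '); do
        case ",$opts," in
            *",$want,"*) ;;                           # option present
            *) missing="$missing $want" ;;
        esac
    done
    if [ -n "$missing" ]; then
        echo "$mp is missing:$missing (have: $opts)"
        return 1
    fi
    return 0
}

# Check the three partitions from the fstab example above in one go.
check_hardened_mounts() {
    rc=0
    mount_missing_opts "$1" /tmp  noexec,nosuid,nodev || rc=1
    mount_missing_opts "$1" /var  nosuid              || rc=1
    mount_missing_opts "$1" /home nosuid,nodev        || rc=1
    return "$rc"
}

# Live check when run as: sh check-mounts.sh --live
if [ "${1:-}" = "--live" ]; then
    check_hardened_mounts /proc/mounts
fi
```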

Security Best Practices Summary

Essential

  • ✓ Use SSH keys, disable password auth
  • ✓ Keep system and packages updated
  • ✓ Configure firewall (UFW/firewalld)
  • ✓ Set up fail2ban
  • ✓ Regular backups

Advanced

  • ✓ Enable SELinux/AppArmor
  • ✓ Configure audit logging
  • ✓ Monitor network ports
  • ✓ Review SUID/SGID files
  • ✓ Separate disk partitions
