Linux server security is less about a static checklist and more about a dynamic, ongoing process of understanding your attack surface and systematically reducing it.
Let’s see what a hardened Linux server looks like in action. Imagine we’re setting up a new web server.
First, we need to restrict SSH access. Instead of allowing root logins and password authentication from anywhere, we’ll disable root login entirely and enforce key-based authentication.
# Edit /etc/ssh/sshd_config
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
Then, we’ll change the default SSH port from 22 to something less common, like 2222. This isn’t foolproof security, but it drastically reduces automated bot scans.
# Edit /etc/ssh/sshd_config
Port 2222
After making these changes, reload the SSH service:
sudo systemctl reload sshd
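A quick way to confirm the three settings above actually took effect is to audit the file the same way sshd reads it. The helper below is added here and is not from the original article; it is a hypothetical script that mirrors one sshd rule worth knowing: for each keyword, the first value read wins (including lines pulled in by an Include directive), so a hardening line appended below an earlier "PasswordAuthentication yes" changes nothing. It does not understand Match blocks; on a live host, `sshd -T` prints the effective configuration.

```shell
#!/bin/sh
# Added audit helper (hypothetical, not from the article). Like sshd, it honours
# the FIRST value of each keyword and ignores comment lines; Match blocks are
# not understood. On a real host, compare its output with `sshd -T`.

# effective_opt FILE KEYWORD -> value from the first non-comment line for KEYWORD
effective_opt() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ { next }
        tolower($1) == key { print $2; exit }
    ' "$1"
}
# audit_sshd_config FILE -> one PASS/FAIL/INFO line per setting; returns 1 on any FAIL
audit_sshd_config() {
    rc=0
    for spec in PermitRootLogin=no PasswordAuthentication=no PubkeyAuthentication=yes; do
        key=${spec%%=*}; want=${spec#*=}
        got=$(effective_opt "$1" "$key")
        if [ "$got" = "$want" ]; then
            echo "PASS $key $got"
        else
            echo "FAIL $key '${got:-unset}' (want $want)"; rc=1
        fi
    done
    port=$(effective_opt "$1" Port)
    if [ -n "$port" ] && [ "$port" != 22 ]; then
        echo "INFO Port $port (non-default)"
    else
        echo "INFO Port ${port:-22} (default; expect more automated scans)"
    fi
    return $rc
}
# Constructed sample files for the demonstration (not real server configs).
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/hardened" <<'EOF'
Port 2222
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
EOF
# Hardening line appended below an earlier "yes": sshd keeps the first one.
cat > "$SAMPLE_DIR/stock" <<'EOF'
#PermitRootLogin prohibit-password
PasswordAuthentication yes
PubkeyAuthentication yes
PasswordAuthentication no
EOF
audit_sshd_config "$SAMPLE_DIR/hardened"
audit_sshd_config "$SAMPLE_DIR/stock" || echo "=> stock file still needs work"
```

Run the audit before the reload, keep the current session open, and verify a fresh login on the new port before closing it, since a mistaken sshd_config locks you out.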
Now, let’s talk about the firewall. ufw (Uncomplicated Firewall) is a great starting point. We want to deny all incoming traffic by default and only allow specific ports.
sudo ufw default deny incoming
sudo ufw default allow outgoing
sudo ufw allow 2222/tcp # Our new SSH port
sudo ufw allow 80/tcp # HTTP
sudo ufw allow 443/tcp # HTTPS
sudo ufw enable
This ensures that only explicitly allowed services can be reached from the outside.
The system’s software needs to be kept up-to-date. Unpatched vulnerabilities are a primary entry point for attackers. We’ll set up automatic security updates.
# For Debian/Ubuntu systems
sudo apt update
sudo apt install unattended-upgrades
sudo dpkg-reconfigure --priority=low unattended-upgrades
This will automatically install security patches as they become available.
User management is critical. We should avoid using the root account for daily tasks. Instead, create a regular user and use sudo for administrative privileges.
# Create a new user
sudo adduser newadmin
# Add the user to the sudo group
sudo usermod -aG sudo newadmin
When you log in as newadmin, you can run commands as root with sudo. This provides an audit trail and limits the scope of accidental damage.
We also want to limit what sudo can do, using visudo. For instance, a user can be restricted to restarting a single service.
# Run visudo
sudo visudo
Add a line like this:
newadmin ALL=(ALL) /usr/sbin/systemctl restart apache2.service
This allows newadmin to restart only the Apache web server rather than execute arbitrary root commands.
Logging and monitoring are essential for detecting intrusions. We’ll ensure rsyslog is configured to send logs to a remote, secure server.
# Edit /etc/rsyslog.conf or a file in /etc/rsyslog.d/
# For TCP:
*.* @@remote-log-server.example.com:514
# For UDP:
*.* @remote-log-server.example.com:514
And then reload rsyslog:
sudo systemctl reload rsyslog
This centralizes logs, making them harder for an attacker to tamper with if they gain access to the server itself.
One thing most people don’t realize is the impact of file permissions on security. While chmod and chown are fundamental, understanding the principle of least privilege extends to every file and directory. For instance, web server configuration files should not be world-writable, and user home directories should typically be 750 or 700 to prevent other users on the system from accessing their files, even if they aren’t root.
The next step after hardening the core system is to secure the applications running on it, such as web servers, databases, and mail services, each with their own specific security considerations and tuning.