A default Linux install is convenient, not secure. Hardening is the process of reducing a server’s attack surface and tightening its configuration so that the inevitable probing from the internet finds nothing easy to exploit. This guide covers the hardening steps that matter most in 2026, in a sensible order of priority.
TL;DR
- SSH is your biggest exposed surface: use key-based authentication, disable root login and passwords, and rate-limit connections
- Run a default-deny firewall and shut down every service and port you do not need
- Keep the system patched automatically, and apply kernel and account hardening
- Use SELinux or AppArmor, enable audit logging, and measure yourself against the CIS Benchmark for your distribution
1. Lock Down SSH
SSH is how you administer the server and how attackers try to get in. Harden it first.
- Use key-based authentication and disable password authentication entirely (
PasswordAuthentication no). - Disable direct root login (
PermitRootLogin no); log in as a normal user and usesudo. - Restrict which users can log in over SSH.
- Rate-limit and throttle repeated failed attempts (for example with
fail2ban) to blunt brute-force attacks. - Keep SSH on a maintained version and disable weak ciphers and legacy protocols.
2. Run a Default-Deny Firewall
- Configure the firewall (
nftables,ufw,firewalld, or CSF) to deny by default and allow only the ports you actually serve. - Expose the minimum: typically SSH (restricted), HTTP, and HTTPS for a web server, and nothing else.
- Restrict management ports to known source addresses or a VPN where possible.
3. Minimise the Attack Surface
- Uninstall or disable services and daemons you do not use. Every listening service is a potential entry point.
- Audit open ports (
ss -tulpn) and confirm each one is intentional. - Remove unnecessary packages and compilers from production hosts.
4. Keep the System Patched
- Enable automatic security updates (
unattended-upgradeson Debian/Ubuntu,dnf-automaticon RHEL-family systems). - Track end-of-life dates for your distribution and upgrade before support ends. Running an unsupported OS is a standing risk.
5. Harden Accounts and Access
- Enforce strong password and account policies, and remove unused accounts.
- Use
sudowith least privilege rather than shared root access, and log sudo usage. - Set sensible
umaskdefaults and lock down permissions on sensitive files. - Consider two-factor authentication for administrative access.
6. Apply Kernel and Network Hardening
- Tune
sysctlsettings to reduce network-level risk (for example disabling IP source routing and ICMP redirects, and enabling reverse-path filtering). - Restrict access to kernel logs and pointers, and enable available exploit mitigations.
- Disable unused kernel modules and filesystems.
7. Enable Mandatory Access Control
- Keep SELinux (RHEL-family) or AppArmor (Debian/Ubuntu) enabled and in enforcing mode.
- Resist the temptation to disable it to “make things work”; write or adjust policy instead. MAC contains the damage when a service is compromised.
8. Logging, Auditing and File Integrity
- Enable the Linux audit daemon (
auditd) to record security-relevant events. - Centralise logs off the host so an attacker cannot simply erase them.
- Deploy file-integrity monitoring (for example AIDE) to detect unexpected changes to system files.
- Review logs regularly, or feed them into monitoring and alerting.
9. Measure Against the CIS Benchmark
The Center for Internet Security (CIS) publishes detailed, distribution-specific hardening benchmarks. Use the CIS Benchmark for your OS as an objective checklist and gap analysis; it turns “we think it’s hardened” into a measurable baseline you can audit against over time.
Key Takeaways
- Start with SSH: keys only, no root login, rate limiting.
- Default-deny firewall and remove every service you do not need.
- Automate patching and apply account, kernel, and MAC (SELinux/AppArmor) hardening.
- Enable audit logging and file integrity, and benchmark against CIS to make hardening measurable.
Get Expert Linux Server Hardening
Hardening a single server by hand is achievable; doing it consistently across an estate, without breaking applications, is where expertise pays off. The Linux server hardening service covers SSH lockdown, firewall architecture, kernel tuning, SELinux/AppArmor policy, CIS gap analysis, and a maintenance runbook. For a firewall-focused walkthrough, the older but still useful guide to securing Linux servers with CSF covers ConfigServer Security & Firewall in depth.
Frequently Asked Questions (FAQ)
What is the most important Linux hardening step? Locking down SSH: use key-based authentication, disable password login and direct root login, and rate-limit failed attempts. SSH is the most commonly attacked entry point on an internet-facing server.
Should I disable SELinux or AppArmor to fix a problem? No. Disabling mandatory access control removes a major layer of containment. Adjust or write policy to allow the legitimate behaviour instead. Keeping it in enforcing mode limits the damage if a service is compromised.
What is the CIS Benchmark? A detailed, distribution-specific hardening standard published by the Center for Internet Security. It gives you an objective checklist to configure against and to audit your servers over time, turning hardening into something measurable.
Do I still need a firewall if my host has a network firewall? Yes, use both. A host-based, default-deny firewall protects the server even if network controls are misconfigured or bypassed, and it enforces the principle of exposing only the ports you actually serve.
How often should a hardened server be reviewed? Regularly, because configuration drifts and new vulnerabilities appear. Re-check against your CIS baseline after significant changes and on a periodic schedule, and keep automatic security updates enabled in between.
Comments