Linux Security Hardening

Security is not an afterthought. Here are the essential steps to secure a Linux server.

1. SSH Hardening

SSH is the front door to your server. Lock it down.

Disable Root Login

Never allow direct root login. Log in as a user and use sudo. Edit /etc/ssh/sshd_config:
PermitRootLogin no

Use SSH Keys (Disable Passwords)

Passwords can be brute-forced. Key-based authentication uses public-key cryptography, so there is no password to guess.
  1. Generate Key (On your local machine): ssh-keygen -t ed25519
  2. Copy ID: ssh-copy-id user@server_ip
  3. Disable Password Auth (On server): Edit /etc/ssh/sshd_config:
    PasswordAuthentication no
    
  4. Restart SSH: sudo systemctl restart ssh
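
An added example (not from the original page): sshd keeps the first value it reads for each keyword, so a drop-in file pulled in by an Include line can leave passwords enabled even after the edits above. The script reports which file and line win for the two settings; the function names and the sample drop-in 50-sample.conf are constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the original page): find which value of an
# sshd_config keyword is actually in force. sshd keeps the FIRST value it
# reads, so a drop-in loaded by an Include line near the top of sshd_config
# beats a line edited further down.

# effective KEYWORD FILE... : files in the order sshd reads them (assumption:
# the caller expands Include lines; on a live host `sudo sshd -T` prints the
# result directly). Prints "value file:line" of the first global occurrence.
effective() {
    _kw=$(printf '%s' "$1" | tr 'A-Z' 'a-z'); shift
    awk -v kw="$_kw" '
        FNR == 1               { in_match = 0 }  # simplification: Match ends with its file
        NF == 0 || $1 ~ /^#/   { next }          # blank lines and comments
        tolower($1) == "match" { in_match = 1; next }
        !in_match && tolower($1) == kw { print tolower($2), FILENAME ":" FNR; exit }
    ' "$@"
}

# audit FILE... : returns 0 only if both settings from section 1 are in force.
audit() {
    rc=0
    for want in PermitRootLogin PasswordAuthentication; do
        hit=$(effective "$want" "$@")
        case "$hit" in
            "no "*) echo "ok   $want = $hit" ;;
            "")     echo "FAIL $want not set, sshd default applies"; rc=1 ;;
            *)      echo "FAIL $want = $hit"; rc=1 ;;
        esac
    done
    return "$rc"
}

# Constructed sample: sshd_config edited as in section 1, plus a hypothetical
# drop-in (50-sample.conf) that still enables passwords.
demo=$(mktemp -d); trap 'rm -rf "$demo"' EXIT
printf '%s\n' 'Include /etc/ssh/sshd_config.d/*.conf' '# hardening edits' \
    'PermitRootLogin no' 'PasswordAuthentication no' > "$demo/sshd_config"
printf '%s\n' 'PasswordAuthentication yes' > "$demo/50-sample.conf"

audit "$demo/sshd_config" || true                         # main file alone looks fine
audit "$demo/50-sample.conf" "$demo/sshd_config" || true  # real read order: FAIL
```

On a live server, `sudo sshd -t` validates the configuration before you restart SSH, and `sudo sshd -T` prints the values that are actually in effect.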

2. Firewall (UFW)

Uncomplicated Firewall (UFW) is the easiest way to manage iptables.
# 1. Set defaults (Deny incoming, Allow outgoing)
sudo ufw default deny incoming
sudo ufw default allow outgoing

# 2. Allow SSH (CRITICAL: Do this before enabling!)
sudo ufw allow ssh
# OR, if SSH listens on a custom port (2222 here), allow that port instead
sudo ufw allow 2222/tcp

# 3. Allow Web Traffic
sudo ufw allow 80/tcp
sudo ufw allow 443/tcp

# 4. Enable Firewall
sudo ufw enable

# 5. Check Status
sudo ufw status

3. Fail2Ban

Automatically ban IPs that show malicious signs (e.g., too many failed password attempts).
sudo apt install fail2ban
Configure /etc/fail2ban/jail.local:
[sshd]
enabled = true
port = ssh
filter = sshd
logpath = /var/log/auth.log
maxretry = 3
# Ban for 1 hour (comment on its own line: fail2ban does not treat a trailing "#" as a comment)
bantime = 3600

4. File Permissions

Ensure sensitive files are not world-readable.
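# SSH keys: the private key must be 600; the public key can be 644
# (id_ed25519 is the default file name for the ed25519 key generated in section 1)
chmod 600 ~/.ssh/id_ed25519
chmod 644 ~/.ssh/id_ed25519.pub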

# Web Configs (Should be root owned)
sudo chown root:root /etc/nginx/nginx.conf

Key Takeaways

  • Never use passwords for SSH; use keys.
  • Always run a firewall (UFW).
  • Disable root login.
  • Use Fail2Ban to stop brute-force attacks.
  • Keep your system updated (apt update && apt upgrade).
