Linux Server Security Hardening: Complete Checklist (2026)

Linux server security hardening is essential for protecting your infrastructure against evolving cyber threats. Whether you’re managing a single VPS or a complex server fleet, implementing proper security measures can mean the difference between a resilient system and a compromised network. This comprehensive checklist covers everything you need to secure your Linux servers in 2026.

Why Linux Server Security Hardening Matters

Server breaches can result in data theft, ransomware attacks, and significant financial losses. According to recent cybersecurity reports, over 60% of targeted attacks exploit basic misconfigurations that could be prevented with proper hardening. Linux server security hardening isn’t just about installing a firewall—it’s a systematic approach to minimizing attack surfaces and implementing defense in depth.

In this guide, we’ll walk through a practical, step-by-step checklist that covers SSH hardening, firewall configuration, intrusion detection, automatic updates, system auditing, and kernel-level security. By following these recommendations, you’ll significantly improve your server’s security posture and reduce the risk of successful attacks.

Linux server security hardening terminal commands — Essential security commands for Linux server hardening

SSH Hardening: Your First Line of Defense

Secure Shell (SSH) is the primary entry point for most Linux servers, making it a critical component of Linux server security hardening. Default SSH configurations often prioritize convenience over security, leaving your server vulnerable to brute-force attacks and unauthorized access.

1. Disable Root Login

Logging in as root via SSH is a significant security risk. Create a regular user account with sudo privileges and disable root login:

# Edit SSH configuration
sudo nano /etc/ssh/sshd_config

# Set these values:
PermitRootLogin no

2. Change the Default SSH Port

While security through obscurity isn’t a complete solution, changing the default SSH port (22) reduces automated scan traffic and brute-force attempts:

# In /etc/ssh/sshd_config
Port 2222  # Or any port between 1024-65535

3. Implement Key-Based Authentication

Password authentication is vulnerable to brute-force attacks. Switch to SSH keys for stronger security:

# Generate SSH key pair
ssh-keygen -t ed25519 -C "your_email@example.com"

# Copy public key to server
ssh-copy-id -i ~/.ssh/id_ed25519.pub user@server

# Disable password authentication in /etc/ssh/sshd_config
PasswordAuthentication no
PubkeyAuthentication yes

4. Additional SSH Security Settings

Enhance SSH security with these additional configurations:

# /etc/ssh/sshd_config recommendations
MaxAuthTries 3
ClientAliveInterval 300
ClientAliveCountMax 2
LoginGraceTime 60
MaxSessions 2
Protocol 2
X11Forwarding no
AllowUsers specific_user1 specific_user2

After making changes, always test your SSH configuration before restarting the service:

sudo sshd -t
sudo systemctl restart sshd

Firewall Configuration with UFW and iptables

A properly configured firewall is fundamental to Linux server security hardening. The Uncomplicated Firewall (UFW) provides an intuitive interface for managing iptables rules on Ubuntu and Debian systems. For more granular control, you can work directly with iptables.

UFW Basic Configuration

# Install UFW if not present
sudo apt update && sudo apt install ufw

# Set default policies
sudo ufw default deny incoming
sudo ufw default allow outgoing

# Allow SSH (adjust port if changed)
sudo ufw allow 2222/tcp  # If using custom port
# OR
sudo ufw allow ssh

# Allow HTTP and HTTPS
sudo ufw allow 80/tcp
sudo ufw allow 443/tcp

# Enable firewall
sudo ufw enable

# Check status
sudo ufw status verbose

Advanced iptables Rules

For servers requiring more sophisticated protection, consider these iptables configurations:

# Drop invalid packets
iptables -A INPUT -m conntrack --ctstate INVALID -j DROP

# Prevent SYN flood attacks
iptables -A INPUT -p tcp --syn -m limit --limit 2/second --limit-burst 6 -j ACCEPT

# Drop NULL packets
iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP

# Drop XMAS packets
iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP

# Rate limit ICMP
iptables -A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/second -j ACCEPT
iptables -A INPUT -p icmp --icmp-type echo-request -j DROP

For a comprehensive guide on UFW configuration, see our detailed tutorial on configuring UFW firewall on Ubuntu Server.

Intrusion Detection with fail2ban

fail2ban is an essential tool for Linux server security hardening that monitors log files and bans IP addresses showing malicious behavior. It automatically protects against brute-force attacks on SSH, web servers, and other services.

Installing and Configuring fail2ban

# Install fail2ban
sudo apt update && sudo apt install fail2ban

# Create local configuration
sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local

# Edit jail.local
sudo nano /etc/fail2ban/jail.local

Recommended fail2ban Settings

[DEFAULT]
# Ban time: 1 hour
bantime = 3600

# Find time: 10 minutes
findtime = 600

# Max retry attempts
maxretry = 3

# Ban method
banaction = ufw

[sshd]
enabled = true
port = ssh,2222  # Include custom SSH port
filter = sshd
logpath = /var/log/auth.log
maxretry = 3

[nginx-http-auth]
enabled = true
filter = nginx-http-auth
port = http,https
logpath = /var/log/nginx/error.log

[nginx-limit-req]
enabled = true
filter = nginx-limit-req
port = http,https
logpath = /var/log/nginx/error.log

# Start and enable fail2ban
sudo systemctl enable fail2ban
sudo systemctl start fail2ban

# Check status
sudo fail2ban-client status
sudo fail2ban-client status sshd

Automatic Security Updates with unattended-upgrades

Unpatched vulnerabilities are a leading cause of server compromises. The unattended-upgrades package automatically installs security updates, ensuring your system stays protected without manual intervention.

Setting Up unattended-upgrades

# Install the package
sudo apt update && sudo apt install unattended-upgrades apt-listchanges

# Enable automatic updates
sudo dpkg-reconfigure -plow unattended-upgrades

# Edit configuration
sudo nano /etc/apt/apt.conf.d/50unattended-upgrades

Configuration Recommendations

Unattended-Upgrade::Allowed-Origins {
    "${distro_id}:${distro_codename}-security";
    "${distro_id}ESMApps:${distro_codename}-apps-security";
    "${distro_id}ESM:${distro_codename}-infra-security";
};

// Auto-remove unused packages
Unattended-Upgrade::Remove-Unused-Kernel-Packages "true";
Unattended-Upgrade::Remove-Unused-Dependencies "true";

// Auto-reboot if required
Unattended-Upgrade::Automatic-Reboot "true";
Unattended-Upgrade::Automatic-Reboot-Time "03:00";

// Email notifications
Unattended-Upgrade::Mail "admin@yourdomain.com";
Unattended-Upgrade::MailReport "on-change";

System Auditing with auditd

The Linux Audit Framework (auditd) provides detailed logging of system calls and file access, enabling you to detect suspicious activity and investigate security incidents. It’s a crucial component of comprehensive Linux server security hardening.

Installing auditd

# Install auditd
sudo apt update && sudo apt install auditd audispd-plugins

# Enable and start service
sudo systemctl enable auditd
sudo systemctl start auditd

Essential Audit Rules

Add these rules to /etc/audit/rules.d/audit.rules:

# Delete all existing rules
-D

# Set buffer size
-b 8192

# Monitor /etc/passwd for changes
-w /etc/passwd -p wa -k identity_changes
-w /etc/group -p wa -k identity_changes
-w /etc/shadow -p wa -k identity_changes
-w /etc/gshadow -p wa -k identity_changes

# Monitor sudoers configuration
-w /etc/sudoers -p wa -k sudoers_changes
-w /etc/sudoers.d/ -p wa -k sudoers_changes

# Monitor SSH configuration
-w /etc/ssh/sshd_config -p wa -k ssh_config_changes

# Monitor user/group modifications
-a exit,always -F arch=b64 -S setuid -k privilege_escalation
-a exit,always -F arch=b64 -S setgid -k privilege_escalation

# Monitor file permission changes
-a exit,always -F arch=b64 -S chmod -S fchmod -S fchmodat -k permission_changes

# Monitor unauthorized access attempts
-a exit,always -F arch=b64 -S open -S openat -F exit=-EACCES -k unauthorized_access
-a exit,always -F arch=b64 -S open -S openat -F exit=-EPERM -k unauthorized_access

# Reload rules
sudo augenrules --load

# Check audit status
sudo auditctl -s

# Search audit logs
sudo ausearch -k identity_changes
sudo aureport --login --summary -i

Linux server security hardening padlock server protection — Multi-layered security approach for Linux servers

Kernel Hardening with sysctl

Kernel parameters control fundamental system behaviors that affect security. Proper sysctl configuration enhances Linux server security hardening at the deepest level, protecting against network attacks, information disclosure, and kernel-level exploits.

Network Security Hardening

Create /etc/sysctl.d/99-security.conf with these settings:

# IP Spoofing protection
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1

# Ignore ICMP redirects
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv6.conf.all.accept_redirects = 0
net.ipv6.conf.default.accept_redirects = 0

# Ignore send redirects
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0

# Disable source routed packets
net.ipv4.conf.all.accept_source_route = 0
net.ipv6.conf.all.accept_source_route = 0

# Log suspicious packets
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.default.log_martians = 1

# Ignore broadcast requests
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.icmp_ignore_bogus_error_responses = 1

# Enable SYN flood protection
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_max_syn_backlog = 2048
net.ipv4.tcp_synack_retries = 2
net.ipv4.tcp_syn_retries = 5

Kernel Security Settings

# Disable IPv6 if not needed (uncomment if required)
# net.ipv6.conf.all.disable_ipv6 = 1
# net.ipv6.conf.default.disable_ipv6 = 1

# Increase system file descriptor limit
fs.file-max = 65535

# Increase memory dump restrictions
fs.suid_dumpable = 0

# Restrict kernel pointer exposure
kernel.kptr_restrict = 2
kernel.dmesg_restrict = 1

# Restrict access to kernel logs
kernel.printk = 3 3 3 3

# Enable ASLR (Address Space Layout Randomization)
kernel.randomize_va_space = 2

# Restrict ptrace scope
kernel.yama.ptrace_scope = 1

# Prevent core dumps
* soft core 0
* hard core 0

# Apply sysctl settings
sudo sysctl --system

# Verify specific setting
sysctl net.ipv4.tcp_syncookies

Additional Security Measures

File Integrity Monitoring

Install AIDE (Advanced Intrusion Detection Environment) to monitor file integrity:

# Install AIDE
sudo apt install aide aide-common

# Initialize database
sudo aideinit
sudo mv /var/lib/aide/aide.db.new /var/lib/aide/aide.db

# Check integrity
sudo aide --check

# Update database after legitimate changes
sudo aide --update

Secure User Management

# Set strong password policies
sudo apt install libpam-pwquality

# Edit /etc/security/pwquality.conf
minlen = 14
dcredit = -1
ucredit = -1
ocredit = -1
lcredit = -1
maxrepeat = 3

# Set password expiration
sudo nano /etc/login.defs
PASS_MAX_DAYS   90
PASS_MIN_DAYS   7
PASS_WARN_AGE   7

Disable Unnecessary Services

Reduce your attack surface by disabling services you don’t need:

# List active services
systemctl list-units --type=service --state=running

# Disable unused services (example)
sudo systemctl disable --now bluetooth
sudo systemctl disable --now cups
sudo systemctl disable --now avahi-daemon

For more information on managing services, check our guide on how to manage Systemd services on Linux.

Linux Server Security Hardening Checklist Summary

Use this quick reference to verify your Linux server security hardening implementation:

SSH Security: Disable root login, use key authentication, change default port, limit users
Firewall: Configure UFW/iptables with default-deny policy, allow only necessary ports
Intrusion Detection: Install and configure fail2ban with appropriate ban policies
Automatic Updates: Set up unattended-upgrades for security patches
System Auditing: Deploy auditd with comprehensive rules for critical files
Kernel Hardening: Apply sysctl settings for network security and ASLR
File Integrity: Install AIDE or similar monitoring tools
User Management: Enforce strong passwords and regular rotation
Service Minimization: Disable unnecessary services and close unused ports
Regular Backups: Implement automated backup solutions with encryption

Conclusion

Effective Linux server security hardening requires a multi-layered approach combining proper configuration, automated protection, and continuous monitoring. By implementing this checklist, you’ve significantly reduced your server’s attack surface and improved its resilience against common threats.

Remember that security is an ongoing process, not a one-time task. Regularly review your configurations, monitor logs for suspicious activity, and stay informed about new vulnerabilities affecting your software stack. For more security guides, visit our Linux Server Security Hardening Guide and other server administration tutorials.

Start implementing these Linux server security hardening measures today and protect your infrastructure from the ever-evolving threat landscape.

Mark

Hi, I’m Mark, the author of Clever IT Solutions: Mastering Technology for Success. I am passionate about empowering individuals to navigate the ever-changing world of information technology. With years of experience in the industry, I have honed my skills and knowledge to share with you. At Clever IT Solutions, we are dedicated to teaching you how to tackle any IT challenge, helping you stay ahead in today’s digital world. From troubleshooting common issues to mastering complex technologies, I am here to guide you every step of the way. Join me on this journey as we unlock the secrets to IT success.