Securing Your Linux Server in 10 Steps
A complete guide to hardening your Linux server security, from SSH configuration to firewall setup and user management.
Linux server security is an ongoing process that starts right from installation. Here are the 10 essential steps to protect your infrastructure.
1. Update the System
The first and most fundamental step is keeping your system up to date. Updates patch known vulnerabilities.
# Debian/Ubuntu
sudo apt update && sudo apt upgrade -y
# RHEL/CentOS/Fedora
sudo dnf update -y
Set up automatic security updates:
# Install unattended-upgrades (Debian/Ubuntu)
sudo apt install unattended-upgrades
sudo dpkg-reconfigure -plow unattended-upgrades
2. Configure SSH Properly
SSH is often the first attack vector. Harden its configuration:
# /etc/ssh/sshd_config
# (comments are kept on their own lines: older OpenSSH releases reject trailing
#  text after a directive as "garbage at end of line")
# Change the default port. On Ubuntu 22.10 and later sshd is socket-activated,
# so the port in ssh.socket must be changed too or this line has no effect.
Port 2222
# Disable root login
PermitRootLogin no
# Disable password authentication
PasswordAuthentication no
# Use SSH keys
PubkeyAuthentication yes
# Limit authentication attempts per connection
MaxAuthTries 3
# Inactivity timeout: 2 missed keepalives at 300 s, i.e. about 10 minutes
ClientAliveInterval 300
ClientAliveCountMax 2
# Restrict allowed users (install their keys first, or you lock yourself out)
AllowUsers deployer admin
# Force protocol 2. SSH-1 was removed in OpenSSH 7.4; newer releases log this
# line as deprecated and ignore it, so it only matters on old installations.
Protocol 2
Keep your current session open until a fresh login on the new port succeeds, then restart the service:
sudo systemctl restart sshd
# On Debian/Ubuntu the unit is named ssh (Ubuntu also accepts sshd as an alias)
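Before restarting, it is worth checking that the file actually contains the hardened values (sshd uses the first occurrence of each keyword, and a leftover directive higher up silently wins). The checker below is an added example, not part of the original article: it audits an sshd_config against the step-2 settings and flags anything missing or weaker than recommended. The two sample files are constructed for the demo; on a real host run it against /etc/ssh/sshd_config and pair it with sshd's own syntax check, `sshd -t`.

```sh
#!/bin/sh
# Added example (not from the article): audit an sshd_config against the step-2 settings.
# Usage on a real host:  check_sshd_config /etc/ssh/sshd_config   (exit 0 = all checks pass)

# Effective value of a directive. sshd honours the FIRST occurrence of a keyword and
# matches it case-insensitively; anything after a "Match" block is conditional, so stop there.
sshd_value() {
    awk -v key="$2" '
        tolower($1) == "match"      { exit }
        tolower($1) == tolower(key) { print $2; exit }
    ' "$1"
}

# Prints one line per check; returns 1 if any setting is missing or weaker than recommended.
check_sshd_config() {
    cfg="$1"
    fail=0
    for pair in PermitRootLogin=no PasswordAuthentication=no PubkeyAuthentication=yes MaxAuthTries=3; do
        key="${pair%%=*}"
        want="${pair#*=}"
        got="$(sshd_value "$cfg" "$key")"
        pass=0
        case "$key" in
            MaxAuthTries)
                # numeric: anything at or below the recommended limit is fine
                if [ -n "$got" ] && [ "$got" -le "$want" ] 2>/dev/null; then pass=1; fi ;;
            *)
                if [ "$got" = "$want" ]; then pass=1; fi ;;
        esac
        if [ "$pass" -eq 1 ]; then
            echo "ok    $key $got"
        else
            # An absent directive is a failure too: the compiled-in default
            # (e.g. password authentication on) is weaker than the hardened value.
            echo "WEAK  $key ${got:-<unset>} (want $want)"
            fail=1
        fi
    done
    if [ -n "$(sshd_value "$cfg" Protocol)" ]; then
        echo "note  Protocol is ignored by OpenSSH 7.4+ (SSH-1 was removed); the line can go"
    fi
    return "$fail"
}

# Constructed sample files for the demo (hypothetical contents, not a real host's config).
SAMPLE_DIR="$(mktemp -d)"
HARDENED_CFG="$SAMPLE_DIR/hardened.conf"
WEAK_CFG="$SAMPLE_DIR/weak.conf"
cat > "$HARDENED_CFG" <<'EOF'
Port 2222
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
MaxAuthTries 3
AllowUsers deployer admin
Match User backup
    PasswordAuthentication yes
EOF
cat > "$WEAK_CFG" <<'EOF'
# stock-style file: most hardening lines still commented out
#PermitRootLogin prohibit-password
#PasswordAuthentication yes
PubkeyAuthentication yes
MaxAuthTries 6
Protocol 2
EOF

echo "== hardened sample =="; check_sshd_config "$HARDENED_CFG" || echo "-> needs work"
echo "== weak sample ==";     check_sshd_config "$WEAK_CFG"     || echo "-> needs work"
```

The checker deliberately stops at the first `Match` line: settings inside a `Match` block only apply to the matched users or hosts, so they must not be mistaken for the global policy.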
3. Configure the Firewall (UFW)
A properly configured firewall is essential:
# Install and configure UFW
sudo apt install ufw
# Default policies
sudo ufw default deny incoming
sudo ufw default allow outgoing
# Allow SSH (on the new port)
sudo ufw allow 2222/tcp
# Allow HTTP/HTTPS if needed
sudo ufw allow 80/tcp
sudo ufw allow 443/tcp
# Enable the firewall
sudo ufw enable
sudo ufw status verbose
4. Install and Configure Fail2Ban
Fail2Ban protects against brute-force attacks by temporarily banning addresses that repeatedly fail authentication:
sudo apt install fail2ban
# Create a local configuration (jail.conf is overwritten on upgrades; jail.local survives them)
sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
Recommended configuration:
# /etc/fail2ban/jail.local
[DEFAULT]
# ban for 1 hour after 3 failures within 10 minutes
bantime = 3600
findtime = 600
maxretry = 3
# read the systemd journal; with this backend logpath is not consulted
backend = systemd

[sshd]
enabled = true
# must match the Port set in sshd_config
port = 2222
filter = sshd
# only used by the polling/auto backends, and only if the file exists (rsyslog installed)
logpath = /var/log/auth.log
# stricter for SSH: 3 failures, banned for 24 hours
maxretry = 3
bantime = 86400
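To see what these thresholds mean in practice, the script below applies the jail's rule by hand: it walks an auth log, keeps a per-address history of "Failed password" events, and reports the moment an address reaches maxretry failures inside the findtime window. It is an added example, not the article's code and not Fail2Ban's real sshd filter (which matches more message types); the log lines are constructed samples using TEST-NET addresses, and the time parsing assumes a single day's log.

```sh
#!/bin/sh
# Added example (not from the article): replay Fail2Ban's sshd jail logic over an auth log.
# Usage: ssh_bruteforce_offenders LOGFILE MAXRETRY FINDTIME_SECONDS
# Output: "<ip> <time of the failure that crossed the threshold> <failures in window>"
ssh_bruteforce_offenders() {
    awk -v maxretry="$2" -v findtime="$3" '
        /sshd\[[0-9]+\]: Failed password for/ {
            # syslog timestamp "Mon DD HH:MM:SS": field 3 is the time; convert to seconds of day
            split($3, t, ":"); now = t[1] * 3600 + t[2] * 60 + t[3]
            # the source address is the token after "from"
            ip = ""
            for (i = 1; i < NF; i++) if ($i == "from") { ip = $(i + 1); break }
            if (ip == "") next
            if (ip in banned) next            # already reported, like an active ban
            n[ip]++; ts[ip, n[ip]] = now
            # count this address'"'"'s failures that fall inside the sliding findtime window
            c = 0
            for (j = n[ip]; j >= 1 && now - ts[ip, j] <= findtime; j--) c++
            if (c >= maxretry) { banned[ip] = 1; print ip, $3, c }
        }
    ' "$1"
}

# Constructed sample log (not real traffic). 203.0.113.7 hammers several accounts;
# 198.51.100.20 mistypes once and then logs in with a key.
SAMPLE_LOG="$(mktemp)"
cat > "$SAMPLE_LOG" <<'EOF'
Mar  3 10:00:01 srv sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Mar  3 10:00:03 srv sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 51235 ssh2
Mar  3 10:00:05 srv sshd[1203]: Failed password for root from 203.0.113.7 port 51236 ssh2
Mar  3 10:00:09 srv sshd[1205]: Failed password for deployer from 203.0.113.7 port 51240 ssh2
Mar  3 10:01:00 srv sshd[1210]: Failed password for deployer from 198.51.100.20 port 40001 ssh2
Mar  3 10:01:30 srv sshd[1212]: Accepted publickey for deployer from 198.51.100.20 port 40002 ssh2
EOF

echo "addresses that would be banned with maxretry=3, findtime=600:"
ssh_bruteforce_offenders "$SAMPLE_LOG" 3 600
```

Lowering findtime to a few seconds makes the same log produce no ban at all, which is the trade-off the two settings encode: a short window only catches fast automated guessing, a long one also catches slow, patient attempts at the cost of more false positives from users who mistype.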
5. User and Privilege Management
Never work as root. Create dedicated users:
# Create a user
sudo adduser deployer
# Add to the sudo group (the group is called wheel on RHEL/CentOS/Fedora)
sudo usermod -aG sudo deployer
# Configure passwordless sudo (optional, use with caution: whoever holds the
# deployer key is then root with no second check). Files in sudoers.d must be
# owned by root and not world-writable; verify the syntax afterwards with
# "sudo visudo -cf /etc/sudoers.d/deployer".
echo "deployer ALL=(ALL) NOPASSWD:ALL" | sudo tee /etc/sudoers.d/deployer
6. Disable Unnecessary Services
Every active service is a potential attack surface:
# List running services
systemctl list-units --type=service --state=running
# Disable unnecessary services
sudo systemctl disable --now cups
sudo systemctl disable --now avahi-daemon
sudo systemctl disable --now rpcbind
7. Set Up Centralized Logging
Log monitoring is critical for detecting intrusions. Make sure logs are written and reviewed locally, and ship copies to a separate log host so that an intruder who gains root cannot simply erase the evidence:
# Install rsyslog if needed
sudo apt install rsyslog
# Check that important logs are enabled
sudo journalctl -f # Follow logs in real time
# Install logwatch for daily reports
sudo apt install logwatch
8. Encrypt Sensitive Data
Use LUKS to encrypt partitions containing sensitive data:
# Encrypt a partition (this erases everything on /dev/sdb1; confirm the device name with lsblk first)
sudo cryptsetup luksFormat /dev/sdb1
sudo cryptsetup luksOpen /dev/sdb1 data_encrypted
sudo mkfs.ext4 /dev/mapper/data_encrypted
# Mount the decrypted mapping (the mount point is an example)
sudo mkdir -p /mnt/data && sudo mount /dev/mapper/data_encrypted /mnt/data
9. Configure Backups
Backups are your last resort in case of compromise:
# Backup with rsync (--delete mirrors deletions too, so keep dated snapshots as well:
# a wiped or ransomware-encrypted source would otherwise overwrite your only copy)
rsync -avz --delete /important/data/ backup@remote:/backups/
# Automate with cron: append to the existing crontab rather than replacing it
# (piping only the new line into "crontab -" discards every other entry)
(crontab -l 2>/dev/null; echo "0 2 * * * rsync -avz --delete /important/data/ backup@remote:/backups/") | crontab -
10. Audit Regularly
Use auditing tools to verify security:
# Install Lynis
sudo apt install lynis
# Run a full audit
sudo lynis audit system
# Check open ports
sudo ss -tulpn
sudo nmap -sV localhost
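Listing open ports is only useful if you compare the result with what you intended to expose. The function below does that comparison: it parses `ss -tulpn` output and prints every listening socket whose protocol/port is not on an allowlist, together with the owning process. This is an added example, not part of the original article; the `ss` output is a constructed sample, and on a real host you would pass `"$(sudo ss -tulpn)"` instead and an allowlist matching your firewall rules from step 3.

```sh
#!/bin/sh
# Added example (not from the article): report listening sockets that are not on an allowlist.
# Usage: unexpected_listeners "<ss -tulpn output>" "<space-separated proto/port allowlist>"
# Output: one "proto/port process" line per unexpected socket, de-duplicated (IPv4 + IPv6).
unexpected_listeners() {
    printf '%s\n' "$1" | awk -v allow="$2" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        NR == 1 { next }                       # column header
        {
            # local address is column 5; the port is whatever follows the last ":"
            # (works for 0.0.0.0:80, [::]:2222 and *:631 alike)
            m = split($5, p, ":"); port = p[m]
            key = $1 "/" port
            # process name sits inside the first quoted string of the users:(...) column
            proc = "?"
            if (NF >= 7 && match($7, /"[^"]+"/)) proc = substr($7, RSTART + 1, RLENGTH - 2)
            if (!(key in ok)) print key, proc
        }
    ' | sort -u
}

# Constructed sample of "ss -tulpn" output (hypothetical host, not real data).
SAMPLE_SS='Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
udp   UNCONN 0      0      0.0.0.0:68        0.0.0.0:*         users:(("dhclient",pid=600,fd=6))
tcp   LISTEN 0      128    0.0.0.0:2222      0.0.0.0:*         users:(("sshd",pid=812,fd=3))
tcp   LISTEN 0      511    0.0.0.0:80        0.0.0.0:*         users:(("nginx",pid=900,fd=6))
tcp   LISTEN 0      128    0.0.0.0:631       0.0.0.0:*         users:(("cupsd",pid=950,fd=7))
tcp   LISTEN 0      128    [::]:2222         [::]:*            users:(("sshd",pid=812,fd=4))'

# Mirror the UFW rules from step 3: SSH on 2222, HTTP and HTTPS.
ALLOWED="tcp/2222 tcp/80 tcp/443"
echo "listening sockets not in the allowlist ($ALLOWED):"
unexpected_listeners "$SAMPLE_SS" "$ALLOWED"
```

In the sample the two surprises are CUPS on tcp/631 (a service step 6 told you to disable) and the DHCP client on udp/68; the first is a finding, the second is a reminder that an allowlist has to be maintained as deliberately as the firewall rules it mirrors.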
Conclusion
Security is an iterative process. These 10 steps form a solid foundation, but it’s essential to stay informed about new threats and regularly update your configurations. Don’t hesitate to automate these checks with scripts — check out our Scripts section for ready-to-use tools.