Linux Hardening for Production Servers: The Complete Checklist
Harden your Linux production servers with this comprehensive guide. SSH security, firewall rules, kernel parameters, audit logging, automatic updates, and...
Why Server Hardening Matters
A default Linux installation is not secure enough for production. Default SSH settings allow password authentication, unnecessary services run, kernel parameters are permissive, and there is no intrusion detection.
Defense in depth: multiple security layers protect your infrastructure from threats.
At TechSaaS, every server we deploy goes through this hardening checklist before any workload runs on it.
SSH Hardening
SSH is the front door to your server. Lock it down first.
```
# /etc/ssh/sshd_config
# Disable password authentication (key only)
PasswordAuthentication no
ChallengeResponseAuthentication no
UsePAM yes
# Disable root login via SSH
PermitRootLogin no
# Use only SSH protocol 2 (OpenSSH 7.4+ speaks nothing else and logs this
# directive as deprecated; harmless there, required on older builds)
Protocol 2
# Limit SSH to specific users
AllowUsers deploy admin
# Change default port (optional, security through obscurity)
Port 2222
# Refuse logins when ~/.ssh or authorized_keys are group/world-writable
StrictModes yes
# Disable empty passwords
PermitEmptyPasswords no
# Disable X11 forwarding
X11Forwarding no
# Keepalive-based timeout (5 minutes). Caveat: this only drops clients that stop
# answering probes, not idle-but-responsive sessions, and on OpenSSH 8.2+ a
# CountMax of 0 disables the disconnect entirely; use 1 or more to enforce it.
ClientAliveInterval 300
ClientAliveCountMax 0
# Limit authentication attempts
MaxAuthTries 3
MaxSessions 5
# Use strong key exchange algorithms
KexAlgorithms [email protected],[email protected]
Ciphers [email protected],[email protected]
MACs [email protected],[email protected]
# Log more detail (records the key fingerprint used for each login)
LogLevel VERBOSE
```

```bash
# Validate the new config before restarting; a typo here locks you out
sudo sshd -t
# Apply SSH changes (the unit is named ssh on Debian/Ubuntu; sshd is an alias)
sudo systemctl restart sshd
# Test before disconnecting (use a second terminal)
ssh -p 2222 deploy@your-server
```
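Editing sshd_config is not the same as having the settings in force: a later Include file or a Match block can override them. This added check (not part of the original post) compares the effective configuration printed by `sshd -T` with the baseline above; the option names and expected values are those of the config shown, and the weak-algorithm patterns are my own choice.

```shell
#!/bin/sh
# Check the effective sshd configuration (output of `sshd -T`) against the
# baseline above. sshd -T resolves defaults, Include files and drop-ins, so it
# catches a later file silently re-enabling PasswordAuthentication etc.
# Usage: sshd -T > /tmp/sshd.effective && check_sshd_baseline /tmp/sshd.effective
# Exit status is the number of failed checks (0 = compliant).

check_sshd_baseline() {
    dump=$(cat "$1")
    failures=0
    # option=expected pairs; sshd -T prints option names in lowercase
    for pair in passwordauthentication=no permitrootlogin=no \
                permitemptypasswords=no x11forwarding=no \
                maxauthtries=3 loglevel=VERBOSE; do
        key=${pair%%=*}
        want=${pair#*=}
        got=$(printf '%s\n' "$dump" | awk -v k="$key" '$1 == k { print $2; exit }')
        if [ "$got" != "$want" ]; then
            echo "FAIL $key: want '$want', got '${got:-<unset>}'"
            failures=$((failures + 1))
        fi
    done
    # Flag any CBC cipher or SHA-1/MD5 MAC the server would still negotiate
    weak=$(printf '%s\n' "$dump" | awk '$1 == "ciphers" || $1 == "macs" { print $2 }' \
           | tr ',' '\n' | grep -E 'cbc|^hmac-(sha1|md5)' || true)
    if [ -n "$weak" ]; then
        echo "FAIL weak algorithms still enabled:"
        echo "$weak"
        failures=$((failures + 1))
    fi
    return "$failures"
}

# Run directly: check_sshd_baseline <file with sshd -T output>
if [ "$#" -eq 1 ]; then check_sshd_baseline "$1"; fi
```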
Firewall Configuration
Restrict network access with a default-deny policy. UFW is a simple front end; nftables (the modern replacement for iptables) gives finer control:
```bash
# UFW (Uncomplicated Firewall) - simpler interface
sudo ufw default deny incoming
sudo ufw default allow outgoing
# Allow SSH with rate limiting (limit = allow, but deny a source that opens
# 6+ connections within 30 seconds; a separate allow rule would shadow it)
sudo ufw limit 2222/tcp comment 'SSH'
# Allow HTTP/HTTPS
sudo ufw allow 80/tcp comment 'HTTP'
sudo ufw allow 443/tcp comment 'HTTPS'
# Enable and review
sudo ufw enable
sudo ufw status verbose
```
nftables for advanced rules:

```
#!/usr/sbin/nft -f
# /etc/nftables.conf
flush ruleset

table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;

        # Allow established connections, drop packets with a broken state
        ct state established,related accept
        ct state invalid drop
        # Allow loopback
        iif lo accept
        # Allow SSH, at most 5 new connections per minute (excess falls through to the drop below)
        tcp dport 2222 ct state new limit rate 5/minute accept
        # Allow HTTP/HTTPS
        tcp dport { 80, 443 } accept
        # Allow ICMP (ping); ICMPv6 is also needed for neighbour discovery
        ip protocol icmp accept
        ip6 nexthdr icmpv6 accept
        # Log and drop everything else
        log prefix "nftables-drop: " counter drop
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
    }
    chain output {
        type filter hook output priority 0; policy accept;
    }
}
```

```bash
# Syntax-check, load, and make the ruleset persistent across reboots
sudo nft -c -f /etc/nftables.conf
sudo nft -f /etc/nftables.conf
sudo systemctl enable nftables
```
Kernel Hardening
Tune kernel parameters for security:
```
# /etc/sysctl.d/99-hardening.conf
# Disable IP forwarding (unless you are a router/NAT or run containers that need it)
net.ipv4.ip_forward = 0
net.ipv6.conf.all.forwarding = 0
# Disable source routing
net.ipv4.conf.all.accept_source_route = 0
net.ipv6.conf.all.accept_source_route = 0
# Enable SYN flood protection
net.ipv4.tcp_syncookies = 1
# Disable ICMP redirects (prevent MITM)
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv6.conf.all.accept_redirects = 0
# Log packets with impossible source addresses
net.ipv4.conf.all.log_martians = 1
# Disable SUID core dumps
fs.suid_dumpable = 0
# Hide kernel pointers in /proc even from root
kernel.kptr_restrict = 2
# Restrict dmesg access to root
kernel.dmesg_restrict = 1
# Enable ASLR (2 = also randomise the heap)
kernel.randomize_va_space = 2
# Restrict ptrace: 2 = only processes with CAP_SYS_PTRACE may attach
kernel.yama.ptrace_scope = 2
# Harden BPF JIT: 2 = constant blinding for all users (1 = unprivileged only)
net.core.bpf_jit_harden = 2
# Disable unprivileged user namespaces (reduces container-escape surface).
# Debian/Ubuntu-specific key: other kernels reject it and sysctl --system only
# prints an error and continues. Rootless container runtimes need this enabled.
kernel.unprivileged_userns_clone = 0
```

```bash
# Apply every file under /etc/sysctl.d and the system defaults
sudo sysctl --system
```
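`sysctl --system` reports an unsupported key once and moves on, and a container runtime or later drop-in can change a value afterwards. This added check (my code, not from the original post) reads the hardening file and compares each key with what the running kernel holds under /proc/sys; the optional second argument pointing at a copied /proc/sys tree is my addition so the check can also run offline.

```shell
#!/bin/sh
# Detect drift between a sysctl hardening file and the running kernel.
# Reports keys the kernel does not have (e.g. kernel.unprivileged_userns_clone
# outside Debian/Ubuntu) and keys whose live value differs from the file.
# Usage: check_sysctl /etc/sysctl.d/99-hardening.conf [/proc/sys]
# Exit status is the number of keys that are missing or differ (0 = in sync).

check_sysctl() {
    conf="$1"
    procroot="${2:-/proc/sys}"
    drift=0
    # drop comments and whitespace so every entry becomes key=value
    for entry in $(sed -e 's/#.*//' -e 's/[[:space:]]//g' -e '/^$/d' "$conf"); do
        key=${entry%%=*}
        want=${entry#*=}
        # sysctl key a.b.c maps to the file /proc/sys/a/b/c
        path="$procroot/$(printf '%s' "$key" | tr . /)"
        if [ ! -r "$path" ]; then
            echo "MISSING $key: $path does not exist (unsupported by this kernel)"
            drift=$((drift + 1))
        elif [ "$(cat "$path")" != "$want" ]; then
            echo "DRIFT   $key: file says $want, kernel has $(cat "$path")"
            drift=$((drift + 1))
        fi
    done
    return "$drift"
}

# Run directly: check_sysctl <conf> [procroot]
if [ "$#" -ge 1 ]; then check_sysctl "$@"; fi
```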
Automatic Security Updates
Configure unattended security updates:
```bash
# Debian/Ubuntu
sudo apt install unattended-upgrades apt-listchanges
sudo dpkg-reconfigure -plow unattended-upgrades
```

```
# /etc/apt/apt.conf.d/50unattended-upgrades
# Debian 12 (bookworm). On Ubuntu use "${distro_id}:${distro_codename}-security";
# the ${distro_codename} variable also survives a release upgrade.
Unattended-Upgrade::Allowed-Origins {
    "Debian:bookworm-security";
    "Debian:bookworm-updates";
};
Unattended-Upgrade::AutoFixInterruptedDpkg "true";
Unattended-Upgrade::MinimalSteps "true";
Unattended-Upgrade::Remove-Unused-Dependencies "true";
// Mail delivery needs a working local MTA (or a relay) on the host
Unattended-Upgrade::Mail "[email protected]";
Unattended-Upgrade::MailReport "on-change";
```

```bash
# RHEL/CentOS: dnf-automatic downloads and installs updates on a timer
sudo dnf install dnf-automatic
sudo systemctl enable --now dnf-automatic-install.timer
```
Audit Logging with auditd
Track security-relevant events:
```bash
# Install auditd
sudo apt install auditd
```

```
# /etc/audit/rules.d/hardening.rules
# Monitor writes and attribute changes to sensitive files
-w /etc/passwd -p wa -k identity
-w /etc/shadow -p wa -k identity
-w /etc/group -p wa -k identity
-w /etc/sudoers -p wa -k sudoers
-w /etc/ssh/sshd_config -p wa -k sshd
# Log every program execution and every outbound connect() for 64-bit
# processes (high volume; size max_log_file in auditd.conf accordingly)
-a always,exit -F arch=b64 -S execve -k exec
-a always,exit -F arch=b64 -S connect -k network
# Monitor Docker socket access
-w /var/run/docker.sock -p rwxa -k docker
# Monitor cron changes
-w /etc/crontab -p wa -k cron
-w /var/spool/cron/ -p wa -k cron
# Make rules immutable (requires reboot to change); must be the last line,
# any rule after it is rejected
-e 2
```

```bash
# Compile rules.d/*.rules into /etc/audit/audit.rules and load them
sudo augenrules --load
# Search audit logs by key
sudo ausearch -k identity --start today
sudo ausearch -k sudoers --start recent
sudo aureport --summary
```
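Two mistakes in a rules file stay quiet until you need the logs: a rule without a `-k` key cannot be found with `ausearch -k`, and any rule placed after `-e 2` is refused once the configuration is locked. This added linter (my code, not part of the original post) runs before `augenrules --load` and reports both.

```shell
#!/bin/sh
# Lint an audit rules file: every -w/-a rule must carry a -k key, and
# "-e 2" must be present and be the last active line.
# Usage: check_audit_rules /etc/audit/rules.d/hardening.rules
# Exit status is the number of problems found (0 = file is sound).

check_audit_rules() {
    awk '
        /^[ \t]*(#|$)/ { next }                 # skip comments and blank lines
        { n++ }                                 # count active rule lines
        /^-[wa]/ && !/(^| )-k / {               # watch/syscall rule without a key
            print "NOKEY   line " NR ": " $0; bad++
        }
        /^-e[ \t]+2/ { locked = n }             # remember where -e 2 sits
        END {
            if (!locked) {
                print "MUTABLE: no \"-e 2\", rules can be changed at runtime"; bad++
            } else if (locked != n) {
                print "ORDER:  " (n - locked) " rule(s) after -e 2 will be rejected"; bad++
            }
            exit bad
        }' "$1"
}

# Run directly: check_audit_rules <rules file>
if [ "$#" -eq 1 ]; then check_audit_rules "$1"; fi
```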
Intrusion Detection with AIDE
AIDE (Advanced Intrusion Detection Environment) monitors file integrity:
```bash
# Install AIDE
sudo apt install aide
# Initialize database (Debian wrapper; writes /var/lib/aide/aide.db.new and copies it into place)
sudo aideinit
# Run integrity check
sudo aide --check
# After legitimate changes (package upgrades, config edits), update the database
sudo aide --update
sudo mv /var/lib/aide/aide.db.new /var/lib/aide/aide.db
```
Automate daily checks with cron:
```bash
#!/bin/bash
# /etc/cron.daily/aide-check (chmod 755). Debian's aide-common package already
# ships its own daily check; keep only one of the two to avoid duplicate mail.
REPORT=$(aide --check 2>&1)
RC=$?   # 0 = no changes; non-zero = changes detected (or a run-time error)
if [ "$RC" -ne 0 ]; then
    printf 'AIDE detected changes on %s (exit status %s):\n\n%s\n' \
        "$(hostname)" "$RC" "$REPORT" | mail -s "AIDE Alert: $(hostname)" [email protected]
fi
```
Fail2ban Configuration
Automatically ban IPs that show malicious signs:
```
# /etc/fail2ban/jail.local
[DEFAULT]
bantime = 3600
findtime = 600
maxretry = 3
banaction = nftables
# On Debian 12+/Ubuntu hosts without rsyslog there is no /var/log/auth.log:
# set backend = systemd here and drop the logpath lines so jails read the journal.

[sshd]
enabled = true
port = 2222
filter = sshd
logpath = /var/log/auth.log
maxretry = 3
bantime = 86400

[nginx-botsearch]
enabled = true
port = 80,443
filter = nginx-botsearch
logpath = /var/log/nginx/access.log
maxretry = 2
```

```bash
# Apply and confirm the jail is watching the right log
sudo systemctl restart fail2ban
sudo fail2ban-client status sshd
```
Complete Hardening Checklist
| Item | Priority | Status |
|---|---|---|
| SSH key-only authentication | Critical | |
| Disable root SSH login | Critical | |
| Firewall (deny all, allow specific) | Critical | |
| Automatic security updates | Critical | |
| Strong SSH ciphers | High | |
| Kernel hardening (sysctl) | High | |
| Fail2ban / CrowdSec | High | |
| Audit logging (auditd) | High | |
| File integrity monitoring (AIDE) | Medium | |
| Disable unnecessary services | Medium | |
| Set file permissions (chmod 600 for secrets) | Medium | |
| Log rotation configured | Medium | |
| NTP time sync | Medium | |
| Disk encryption (LUKS) | Low-Medium | |
| AppArmor/SELinux profiles | Low | |
At TechSaaS, our Proxmox server and CT 100 container both follow this hardening checklist. We use CrowdSec (modern, community-driven alternative to Fail2ban) for intrusion prevention, unattended upgrades for security patches, and strict SSH key-only access from our Mac via ed25519 keys.