What is server hardening and what is a step-by-step Linux server hardening checklist?
Server hardening is the process of reducing a server's attack surface by disabling unnecessary services, restricting access, applying security configurations, and installing protective software — transforming a default installation into a production-secure environment.
DETAILED EXPLANATION:
A freshly installed Linux server has a large attack surface: default passwords, unnecessary services running, permissive SSH settings, unpatched packages, and no intrusion detection. Hardening systematically closes these vulnerabilities following CIS (Center for Internet Security) Benchmarks and NIST guidelines.
The four pillars of server hardening:
1. Access Control: Who can log in, with what credentials, from where
2. Service Minimization: Disable everything not needed
3. Network Restrictions: Firewall rules limiting exposure
4. Monitoring & Detection: Logging, alerting, intrusion detection
WHEN TO USE:
- Immediately after provisioning any new server
- Before moving a development server to production
- After a security incident (re-hardening)
- Regular audits (quarterly hardening review)
COMPLETE HARDENING CHECKLIST WITH COMMANDS:
# 1. UPDATE SYSTEM
apt update && apt upgrade -y
apt install -y unattended-upgrades
dpkg-reconfigure -plow unattended-upgrades
# 2. CREATE NON-ROOT USER
adduser deploy
usermod -aG sudo deploy
# 3. SSH HARDENING (edit /etc/ssh/sshd_config)
# Keep comments on their own lines (older sshd versions reject trailing comments on a directive line).
# Install and test a key-based login (step 4) BEFORE restarting sshd with these settings, or you lock yourself out.
# Change default port
Port 2222
# Disable root SSH
PermitRootLogin no
# Force key-based auth only
PasswordAuthentication no
# Limit attempts
MaxAuthTries 3
# Timeout idle sessions
ClientAliveInterval 300
# Whitelist specific user
AllowUsers deploy
sshd -t && systemctl restart sshd # Validate the config first; restart only if it parses
# 4. SSH KEY AUTHENTICATION (run on your workstation, not on the server)
ssh-keygen -t ed25519 -C "server-access-key"
ssh-copy-id -p 2222 deploy@server-ip # Installs the public key in ~deploy/.ssh/authorized_keys
# 5. FIREWALL SETUP (UFW)
ufw default deny incoming
ufw default allow outgoing
ufw allow 2222/tcp # New SSH port
ufw allow 80/tcp
ufw allow 443/tcp
ufw enable
# 6. FAIL2BAN
apt install -y fail2ban
systemctl enable --now fail2ban # Enable at boot and start immediately
# With SSH moved to 2222, set port = 2222 in the [sshd] section of /etc/fail2ban/jail.local so bans cover the new port
# 7. DISABLE UNUSED SERVICES (list what is running first: systemctl list-units --type=service --state=running)
systemctl disable --now bluetooth
systemctl disable --now avahi-daemon
systemctl disable --now cups
# 8. KERNEL SECURITY PARAMETERS (/etc/sysctl.conf; comments on their own lines, not after a value)
# Ignore ICMP redirects
net.ipv4.conf.all.accept_redirects = 0
# Do not send ICMP redirects
net.ipv4.conf.all.send_redirects = 0
# SYN flood protection
net.ipv4.tcp_syncookies = 1
# Reverse-path filtering (anti-spoofing)
net.ipv4.conf.all.rp_filter = 1
# Full ASLR
kernel.randomize_va_space = 2
sysctl -p # Apply changes
# 9. AUDIT LOGGING
apt install -y auditd
systemctl enable --now auditd
auditctl -e 1 # Enable auditing now; add "-e 1" to /etc/audit/rules.d/audit.rules to persist it
# 10. FILE INTEGRITY MONITORING
apt install aide
aide --init # Create baseline database
mv /var/lib/aide/aide.db.new /var/lib/aide/aide.db
# Daily check via cron: aide --check
# 11. MALWARE SCANNING
apt install -y clamav
freshclam # Update signatures
clamscan -r /var/www --infected --remove
# --remove deletes matches outright; --move=/var/quarantine quarantines them for review instead
# 12. LOG MONITORING
apt install logwatch
# Daily email digest of security events
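To verify the SSH and sysctl settings from steps 3 and 8 actually landed, here is an added audit helper (example code, not part of the original checklist) that compares an sshd_config and a sysctl.conf against the checklist's values. It assumes POSIX sh and awk, and the sample files it creates are constructed for the demo.

```shell
# Added hardening-audit helper, not part of the original checklist: it compares an
# sshd_config and a sysctl.conf against the values set above and prints one
# "FAIL <key> expected=<want> actual=<got>" line per deviation. Assumes POSIX sh + awk.
# Match blocks in sshd_config are ignored; feed it `sshd -T` output for the live config.
# First non-commented occurrence of an sshd directive (sshd honours the first match).
sshd_value() { # $1 = sshd_config path, $2 = directive name
    awk -v key="$2" 'tolower($1) == tolower(key) { print $2; exit }' "$1"
}
# Last occurrence of a sysctl key wins, as when `sysctl -p` applies the file.
sysctl_value() { # $1 = sysctl.conf path, $2 = key
    awk -F= -v key="$2" '/^[ \t]*[#;]/ { next }
        { k = $1; v = $2; gsub(/[ \t]/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v) }
        k == key { val = v } END { print val }' "$1"
}
# $1 = lookup function, $2 = file, rest = key=want pairs. An unset key is a failure:
# the compiled-in default (e.g. PasswordAuthentication yes) is not the hardened value.
audit() {
    lookup=$1; file=$2; shift 2; fails=0
    for pair in "$@"; do
        key=${pair%%=*}; want=${pair#*=}
        got=$("$lookup" "$file" "$key")
        if [ "$got" != "$want" ]; then
            echo "FAIL $key expected=$want actual=${got:-<unset>}"
            fails=$((fails + 1))
        fi
    done
    return "$fails"
}
audit_sshd() { # $1 = sshd_config path
    audit sshd_value "$1" Port=2222 PermitRootLogin=no PasswordAuthentication=no \
        MaxAuthTries=3 ClientAliveInterval=300 AllowUsers=deploy
}

audit_sysctl() { # $1 = sysctl.conf path
    audit sysctl_value "$1" net.ipv4.conf.all.accept_redirects=0 \
        net.ipv4.conf.all.send_redirects=0 net.ipv4.tcp_syncookies=1 \
        net.ipv4.conf.all.rp_filter=1 kernel.randomize_va_space=2
}

# Constructed sample files (not real server config) so the script runs offline:
# password auth is left commented out, rp_filter is missing and ASLR is weakened.
SAMPLE_DIR=$(mktemp -d); SAMPLE_SSHD=$SAMPLE_DIR/sshd_config; SAMPLE_SYSCTL=$SAMPLE_DIR/sysctl.conf
printf '%s\n' 'Port 2222' 'PermitRootLogin no' '#PasswordAuthentication no' \
    'MaxAuthTries 3' 'ClientAliveInterval 300' 'AllowUsers deploy' > "$SAMPLE_SSHD"
printf '%s\n' 'net.ipv4.conf.all.accept_redirects = 0' 'net.ipv4.conf.all.send_redirects = 0' \
    'net.ipv4.tcp_syncookies = 1' 'kernel.randomize_va_space = 1' > "$SAMPLE_SYSCTL"

audit_sshd "$SAMPLE_SSHD" || echo "sshd_config: $? deviation(s)"      # 1 on the sample
audit_sysctl "$SAMPLE_SYSCTL" || echo "sysctl.conf: $? deviation(s)"  # 2 on the sample
```

On a real host, run `audit_sshd /etc/ssh/sshd_config` and `audit_sysctl /etc/sysctl.conf` (or `sysctl -a` piped to a file for the live kernel values) and treat any FAIL line as a step that did not stick.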
FLOW:
[ Default Server ] → Access Hardening → Service Minimization → Network Restrictions → Monitoring Setup → [ Hardened Production Server ]
KEY POINTS:
- CIS Benchmark provides scored hardening guides for Ubuntu/CentOS
- Document every change (change management) for audit trails
- Hardening is ongoing — re-audit quarterly
- Connect Quest provides pre-hardened VPS options — contact +91 2269711150
COMMON MISTAKES:
- Disabling SSH password auth BEFORE setting up key auth (lockout risk)
- Running hardening scripts without testing on staging first
- Not updating sysctl settings persistently (/etc/sysctl.conf vs sysctl -w)
QUICK FIX:
Locked out after hardening → Use VPS console (OOB access) to revert SSH config
DIFFICULTY: Advanced
RELATED: Fail2ban, DDoS Protection, SSH Security, VPS Security