A freshly installed Linux server is a blank slate—and also a potential attack surface. Before deploying applications or exposing services to the internet, system administrators should perform essential security steps to minimize vulnerabilities.
This article offers a practical, step-by-step checklist for hardening a Linux server after installation. Whether you’re working with Ubuntu, CentOS, Debian, or Red Hat, these practices apply universally and form the foundation of a secure system.
1. Create a New Sudo User
Never operate as root for day-to-day work. On the fresh install, run these once as root:
adduser adminuser
usermod -aG sudo adminuser # Debian/Ubuntu; on RHEL-based systems the group is wheel
- On RHEL-based systems adduser is an alias for useradd and does not prompt for a password, so set one with passwd before logging out.
- Before disabling direct root SSH login (section 3), open a second session as the new user and confirm that sudo works; otherwise you can lock yourself out.
- Always log in as your regular user and escalate with sudo only when needed.
2. Update the System Immediately
Fresh installs often ship with outdated packages. Run:
sudo apt update && sudo apt upgrade -y # Debian-based
sudo dnf update -y # RHEL-based
- Reboot if a kernel or core library was upgraded; the running kernel stays unpatched until you do (Debian/Ubuntu creates /var/run/reboot-required, RHEL reports it via dnf needs-restarting -r).
- Enable automatic security updates with unattended-upgrades or dnf-automatic (see section 7).
3. Configure SSH for Security
OpenSSH is the one service almost every server exposes, so it is probed constantly. Secure it by editing /etc/ssh/sshd_config (or, on OpenSSH 8.2 and later, a drop-in file under /etc/ssh/sshd_config.d/) to:
- Disable root login:
PermitRootLogin no
- Use key-based auth only:
PasswordAuthentication no
- Change the default port (optional; this cuts scanner noise in the logs but is not a security control):
Port 2222
sshd honours the first value it reads for a directive, so a drop-in that sorts before the distribution's own files wins over them; check the effective settings with sshd's -T option rather than trusting the file you edited. On SELinux systems a non-default port must also be labelled for sshd (semanage port) or the daemon fails to bind.
- Validate the syntax (sshd -t), restart SSH, and log in from a new terminal before closing the original session.
Generate the key pair on your workstation, not on the server, and install the public key in the new user's ~/.ssh/authorized_keys before turning password authentication off:
ssh-keygen -t ed25519
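The procedure above as one script: it is an added example, not code from the original article, and the drop-in name 00-hardening.conf, the port argument and the temporary path /run/sshd-effective.conf are assumptions. The audit function reads the first uncommented value of each key, which is exactly how sshd resolves duplicates, so it can be pointed either at a file you wrote or at the output of sshd -T to see what the daemon will really use.

```shell
#!/bin/sh
# Added example, not part of the original article: render the sshd hardening
# from section 3 as a drop-in, audit a config for it, and apply it only after
# sshd itself accepts it. Paths, file names and the port are assumptions.
set -eu

# Directives the audit insists on (key matching is case-insensitive, like sshd).
REQUIRED="PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes"

# Print the drop-in for the given port (default 22). sshd does not allow
# trailing comments on directive lines, so comments get their own lines.
render_sshd_hardening() {
    port="${1:-22}"
    echo "# 00-hardening.conf: sshd keeps the FIRST value it reads for each key,"
    echo "# so this file must sort before other drop-ins (hence the 00- prefix)."
    echo "Port $port"
    echo "$REQUIRED"
    echo "# also stops PAM from offering a password prompt"
    echo "KbdInteractiveAuthentication no"
    echo "MaxAuthTries 3"
}

# effective_value FILE KEY: first uncommented occurrence of KEY in FILE.
# Works on a raw config file and on the output of 'sshd -T'.
effective_value() {
    awk -v k="$2" '$0 !~ /^[[:space:]]*#/ && tolower($1) == tolower(k) { print $2; exit }' "$1"
}

# audit_sshd_config FILE: 0 if FILE satisfies REQUIRED, else list mismatches, 1.
audit_sshd_config() {
    fails=0
    while read -r key want; do
        [ -n "$key" ] || continue
        have=$(effective_value "$1" "$key")
        if [ "$have" != "$want" ]; then
            printf 'FAIL %s: want %s, have %s\n' "$key" "$want" "${have:-<unset>}"
            fails=$((fails + 1))
        fi
    done <<EOF
$REQUIRED
EOF
    [ "$fails" -eq 0 ]
}

# Apply on the server as root. The restart only happens once 'sshd -t' and
# the audit of the effective config both pass, so a typo cannot lock you out.
apply_sshd_hardening() {
    port="${1:-22}"
    main=/etc/ssh/sshd_config
    dropin=/etc/ssh/sshd_config.d/00-hardening.conf
    grep -Eq '^Include[[:space:]]+/etc/ssh/sshd_config\.d/' "$main" || {
        echo "no Include of sshd_config.d in $main; append the directives there instead" >&2
        return 1
    }
    render_sshd_hardening "$port" > "$dropin"
    chmod 644 "$dropin"
    sshd -t                               # syntax and semantic check; aborts on error
    sshd -T > /run/sshd-effective.conf    # what sshd will actually use after the Include
    audit_sshd_config /run/sshd-effective.conf
    # The unit is "ssh" on Debian/Ubuntu and "sshd" on RHEL-based systems.
    systemctl restart ssh 2>/dev/null || systemctl restart sshd
    echo "sshd restarted on port $port; log in from a NEW terminal before closing this one"
}

if [ "${1:-}" = apply ]; then
    apply_sshd_hardening "${2:-22}"
else
    render_sshd_hardening "${2:-22}"
fi
```

Two caveats before running it with apply: open the new port in the firewall first (section 4), and on recent Ubuntu releases where sshd is socket-activated the listening port comes from ssh.socket rather than sshd_config, so a Port change there needs a socket override as well.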
4. Enable and Configure a Firewall
Use ufw (Debian/Ubuntu) or firewalld (RHEL/CentOS). ufw denies all inbound traffic by default once enabled, so allow SSH first or you will lock yourself out:
sudo ufw allow OpenSSH
sudo ufw enable
sudo ufw status
Open only the ports you need:
- SSH (the custom port, if you changed it; ufw's OpenSSH profile only covers 22)
- HTTP/HTTPS if hosting web services
- Database ports only if a remote client genuinely needs them; otherwise keep the database bound to 127.0.0.1 instead of firewalling it
5. Install Fail2Ban
Protect against brute-force attacks by banning IPs after failed login attempts.
sudo apt install fail2ban # Debian-based
sudo dnf install fail2ban # RedHat-based
sudo systemctl enable fail2ban --now
Configure it in /etc/fail2ban/jail.local (create the file if it is absent; leave jail.conf alone, since package upgrades overwrite it).
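A jail.local for the setup in this checklist, added here as an example rather than taken from the article; the management network 203.0.113.0/24 and port 2222 are assumptions to replace with your own:

```ini
# /etc/fail2ban/jail.local (added example; the network and port are assumptions)
[DEFAULT]
# Ban for an hour after 5 failures within 10 minutes, and lengthen the ban for
# repeat offenders (bantime.increment needs fail2ban 0.11 or newer).
bantime  = 1h
findtime = 10m
maxretry = 5
bantime.increment = true
# Never ban the loopback address or your own management network.
ignoreip = 127.0.0.1/8 ::1 203.0.113.0/24
# journald-only hosts (no /var/log/auth.log) need the systemd backend, or the
# sshd jail fails to start.
backend = systemd

[sshd]
enabled = true
# Must match the Port set in sshd_config (section 3); the default only
# protects 22.
port = 2222
# "aggressive" also counts pre-auth disconnects and bad-key probes.
mode = aggressive
```

After restarting fail2ban, fail2ban-client status sshd shows the jail, its current ban list and how many failures it has matched, which is the quickest way to confirm the backend is actually reading the right log.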
6. Remove Unnecessary Packages and Services
Reduce attack surface by disabling what you don't use. List enabled services, then disable and stop the ones a server has no business running:
sudo systemctl list-unit-files --type=service --state=enabled
sudo systemctl disable --now bluetooth.service
Remove preinstalled tools you don't need (dnf remove on RHEL-based systems). Client utilities are low risk; the real targets are legacy server daemons such as rsh-server, telnetd, or an inetd you did not ask for:
sudo apt purge telnet ftp rsh-client -y
7. Configure Automatic Updates (Security-Only)
Set up unattended upgrades for security patches:
For Debian/Ubuntu:
sudo apt install unattended-upgrades
sudo dpkg-reconfigure unattended-upgrades
This writes /etc/apt/apt.conf.d/20auto-upgrades; which repositories are used and whether the host may reboot are set in /etc/apt/apt.conf.d/50unattended-upgrades, which by default pulls from the security repositories only.
For RHEL-based systems:
Install dnf-automatic, set upgrade_type = security and apply_updates = yes in /etc/dnf/automatic.conf, and enable dnf-automatic.timer. Neither tool reboots the host unless told to, so kernel updates still need a planned reboot.
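The dnf-automatic configuration that matches the sentence above, added as an example (the keys are dnf-automatic's own; the values are the choices I would make for a server, not anything the article prescribes):

```ini
# /etc/dnf/automatic.conf (added example; values are one reasonable choice)
[commands]
# security = only packages flagged as security in the repo's updateinfo;
# default = every available update
upgrade_type = security
# Spread runs over up to 5 minutes so a fleet does not hit the mirror at once
random_sleep = 300
download_updates = yes
apply_updates = yes

[emitters]
# stdio lands in the journal; "email" and "motd" are the alternatives
emit_via = stdio
```

Then enable the timer with systemctl enable --now dnf-automatic.timer. One caveat with upgrade_type = security: it depends on the repository shipping updateinfo metadata. RHEL, Rocky and Alma do; many third-party repositories do not, and packages from those are silently skipped, so check them with a manual dnf upgrade now and then.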
8. Harden File Permissions
Set the default umask to 027 (UMASK in /etc/login.defs, plus the shell profile) so files that users and scripts create are not world-readable. Protect SSH material; sshd's StrictModes check refuses keys in directories that others can write to:
chmod 600 ~/.ssh/authorized_keys
chmod 700 ~/.ssh
Audit ownership and permissions on:
- /etc/shadow (640 root:shadow on Debian/Ubuntu, 000 root:root on RHEL) and /etc/passwd (644 root:root; it must stay world-readable)
- Custom scripts in /usr/local/bin (root-owned and not writable by group or others, since they execute from a PATH directory)
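A small audit for the files this section names, added as an example rather than taken from the article. The maximum modes are assumptions chosen to accept both the Debian and the RHEL defaults, and the comparison is bitwise (a file passes when every permission bit it has is also present in the maximum), so 600 passes a 640 maximum and 644 fails it. stat -c is GNU coreutils, so this is Linux-only.

```shell
#!/bin/sh
# Added example, not from the original article: audit the files section 8
# names against a maximum mode and owner, and check the login.defs umask.
# Expected modes and paths are assumptions; stat -c is GNU coreutils (Linux).
set -eu

# "path max_mode owner" triples. A file passes when every permission bit it
# has is also set in the maximum, so 600 passes a 640 max and 644 fails it.
# /etc/shadow is 640 root:shadow on Debian and 000 root:root on RHEL; both pass.
SYSTEM_FILES="/etc/passwd 644 root
/etc/group 644 root
/etc/shadow 640 root
/etc/gshadow 640 root
/etc/sudoers 440 root
/etc/ssh/sshd_config 644 root"

# mode_within HAVE MAX: 0 if HAVE's rwx bits are a subset of MAX's.
# Only the last three octal digits are compared; setuid/setgid/sticky are ignored.
mode_within() {
    have=$(printf '%s' "000$1" | tail -c 3)
    max=$(printf '%s' "000$2" | tail -c 3)
    i=1
    while [ "$i" -le 3 ]; do
        h=$(printf '%s' "$have" | cut -c "$i")
        m=$(printf '%s' "$max" | cut -c "$i")
        [ $(( h & ~m )) -eq 0 ] || return 1
        i=$((i + 1))
    done
    return 0
}

# audit_path PATH MAX [OWNER]: 0 ok, 1 too permissive or wrong owner, 2 missing.
audit_path() {
    path="$1"; max="$2"; owner="${3:-}"
    [ -e "$path" ] || { printf 'SKIP %s (missing)\n' "$path"; return 2; }
    have=$(stat -c '%a' "$path")
    who=$(stat -c '%U' "$path")
    if ! mode_within "$have" "$max"; then
        printf 'FAIL %s: mode %s exceeds %s\n' "$path" "$have" "$max"; return 1
    fi
    if [ -n "$owner" ] && [ "$who" != "$owner" ]; then
        printf 'FAIL %s: owned by %s, expected %s\n' "$path" "$who" "$owner"; return 1
    fi
    printf 'ok   %s %s %s\n' "$path" "$have" "$who"
}

# audit_ssh_dir DIR: the ~/.ssh layout from section 8 (700 dir, 600 keys file).
audit_ssh_dir() {
    bad=0
    audit_path "$1" 700 || bad=1
    audit_path "$1/authorized_keys" 600 || [ $? -eq 2 ] || bad=1
    [ "$bad" -eq 0 ]
}

# audit_system: every entry in SYSTEM_FILES; missing files are skipped.
audit_system() {
    bad=0
    while read -r path max owner; do
        [ -n "$path" ] || continue
        audit_path "$path" "$max" "$owner" || [ $? -eq 2 ] || bad=$((bad + 1))
    done <<EOF
$SYSTEM_FILES
EOF
    [ "$bad" -eq 0 ]
}

# umask_ok FILE: 0 if the first uncommented UMASK line is 027 (or the stricter 077).
umask_ok() {
    v=$(awk '$0 !~ /^[[:space:]]*#/ && $1 == "UMASK" { print $2; exit }' "$1")
    [ "$v" = 027 ] || [ "$v" = 077 ]
}

if [ "${1:-}" = run ]; then
    audit_system
    umask_ok /etc/login.defs || echo "UMASK in /etc/login.defs is not 027; set it there and as 'umask 027' in the shell profile"
    audit_ssh_dir "$HOME/.ssh"
fi
```

Run it with the argument run as root; without arguments it only defines the functions. The /usr/local/bin check from the list above is the same audit_path call with a 755 maximum and owner root applied to each file in that directory.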
9. Disable Unused Network Interfaces and Listening Ports
List every listening socket together with the process that owns it (sudo is needed to see process names; netstat is deprecated and often not installed, so use ss):
sudo ss -tulpn
UDP sockets show as UNCONN rather than LISTEN, so do not filter on LISTEN or you will miss them. Anything bound to 0.0.0.0 or [::] is reachable on every interface: bind services that only local clients use to 127.0.0.1, and disable daemons you do not need rather than merely firewalling their ports.
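Tying sections 4 and 9 together, the following added example (not code from the article) parses ss -tulpn output, keeps only sockets reachable from other hosts, diffs them against an allowlist, and prints the ufw or firewalld commands for that allowlist. The ss capture embedded in sample_ss and the allowlist are constructed for illustration; run the script with the argument live to audit the real host.

```shell
#!/bin/sh
# Added example, not from the original article: turn 'ss -tulpn' output
# (sections 4 and 9) into a list of sockets reachable from other hosts,
# diff it against an allowlist, and emit the matching ufw or firewalld rules.
# The sample output and the allowlist are constructed for illustration.
set -eu

# Ports that are supposed to be reachable, as proto/port (assumption).
ALLOW="tcp/22 tcp/80 tcp/443"

# Constructed 'ss -tulpn' capture, not from a real host.
sample_ss() {
    cat <<'EOF'
Netid State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
udp   UNCONN 0      0      127.0.0.53%lo:53    0.0.0.0:*         users:(("systemd-resolve",pid=612,fd=13))
tcp   LISTEN 0      128    0.0.0.0:22          0.0.0.0:*         users:(("sshd",pid=890,fd=3))
tcp   LISTEN 0      511    *:80                *:*               users:(("nginx",pid=1201,fd=6))
tcp   LISTEN 0      80     127.0.0.1:3306      0.0.0.0:*         users:(("mysqld",pid=1100,fd=21))
tcp   LISTEN 0      128    [::]:22             [::]:*            users:(("sshd",pid=890,fd=4))
tcp   LISTEN 0      4096   0.0.0.0:111         0.0.0.0:*         users:(("rpcbind",pid=500,fd=4))
EOF
}

# exposed_listeners: stdin = ss -tulpn output; prints "proto port addr process"
# for sockets NOT bound to loopback. UDP sockets are UNCONN, not LISTEN, so
# the state column is deliberately ignored.
exposed_listeners() {
    awk 'NR > 1 {
        n = split($5, a, ":"); port = a[n]
        addr = substr($5, 1, length($5) - length(port) - 1)
        if (addr ~ /^(127\.|\[::1\])/) next
        proc = "-"
        if (match($0, /\(\("[^"]+"/)) proc = substr($0, RSTART + 3, RLENGTH - 4)
        print $1, port, addr, proc
    }'
}

# unexpected_listeners ALLOW: stdin = exposed_listeners output; prints the rows
# whose proto/port is not in ALLOW. Each one is a daemon to bind to localhost,
# disable, or consciously add to the allowlist.
unexpected_listeners() {
    awk -v allow="$1" 'BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
                        !(($1 "/" $2) in ok) { print }'
}

# firewall_cmds FAMILY ALLOW: print the commands that open exactly ALLOW.
firewall_cmds() {
    for entry in $2; do
        proto=${entry%/*}; port=${entry#*/}
        case "$1" in
            ufw)       echo "ufw allow $port/$proto" ;;
            firewalld) echo "firewall-cmd --permanent --add-port=$port/$proto" ;;
            *)         echo "unknown family $1" >&2; return 1 ;;
        esac
    done
    [ "$1" = firewalld ] && echo "firewall-cmd --reload"
    return 0
}

if [ "${1:-}" = live ]; then
    ss -tulpn | exposed_listeners | unexpected_listeners "$ALLOW"
else
    echo "# unexpected listeners in the sample:"
    sample_ss | exposed_listeners | unexpected_listeners "$ALLOW"
    echo "# rules for the allowlist (firewalld):"
    firewall_cmds firewalld "$ALLOW"
fi
```

On the sample, the only finding is rpcbind on tcp/111: sshd, nginx and the IPv6 sshd socket are in the allowlist, and mysqld and systemd-resolved are loopback-only and therefore not a firewall concern. The firewall commands need root and the ufw ones assume ufw is enabled (section 4).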
10. Install Malware and Rootkit Scanners
Use tools like:
- ClamAV for malware scanning (keep its signatures current with freshclam)
- chkrootkit or rkhunter to detect rootkits; rkhunter compares files against a stored baseline, so refresh that baseline after legitimate package updates or every upgrade will raise alerts
Run them on a schedule (cron or a systemd timer), and treat a clean result as weak evidence only: a rootkit with kernel control can hide from userland scanners, which is why the logging in the next section matters more.
11. Configure Log Monitoring and Alerts
Enable auditd, logwatch, or a SIEM agent to:
- Monitor logins
- Detect config file changes
- Alert on sudo attempts or failed logins
Review /var/log/auth.log (Debian/Ubuntu) or /var/log/secure (RHEL) frequently, or query journald with journalctl. Ship logs off the host as well: an attacker who gains root can edit or delete local logs, so the copy that matters is the one they cannot reach.
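An auditd rule set covering the three bullets above, added here as an example and not part of the article. The file name is an assumption; the watched paths are the ones this checklist has already touched, and the execve rules record every command that gains root through a setuid binary such as sudo or su.

```text
## /etc/audit/rules.d/10-hardening.rules (assumed name); load with
## 'augenrules --load' and query with 'ausearch -k <key>'.
-D
-b 8192
# Files whose change means someone altered access control (sections 1, 3, 5, 8)
-w /etc/ssh/sshd_config -p wa -k sshd_config
-w /etc/ssh/sshd_config.d/ -p wa -k sshd_config
-w /etc/sudoers -p wa -k scope
-w /etc/sudoers.d/ -p wa -k scope
-w /etc/passwd -p wa -k identity
-w /etc/shadow -p wa -k identity
-w /etc/group -p wa -k identity
-w /etc/fail2ban/ -p wa -k fail2ban_conf
# Every command that gains root via a setuid binary (sudo, su, pkexec).
# auid 4294967295 is "unset", i.e. daemons rather than logged-in users.
-a always,exit -F arch=b64 -C euid!=uid -F euid=0 -F auid!=4294967295 -S execve -k privilege_gain
-a always,exit -F arch=b32 -C euid!=uid -F euid=0 -F auid!=4294967295 -S execve -k privilege_gain
# Make the rule set immutable until reboot once it is stable
#-e 2
```

Failed logins need no extra rule: PAM already emits USER_LOGIN and USER_AUTH records, so ausearch -m USER_LOGIN --success no lists them. The sshd_config watch is also the simplest way to notice someone quietly turning PasswordAuthentication back on.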
12. Set Up Backups Early
Security includes resilience. Don't wait for disaster:
- Automate backups with rsync, BorgBackup, or similar
- Store backups offsite, on a target the server itself cannot delete or overwrite, so a compromise or ransomware on the host cannot take the backups with it
- Test recovery regularly; an untested backup is a hope, not a backup
13. Enable AppArmor or SELinux
- Ubuntu/Debian: Use AppArmor profiles to confine services (aa-status shows which profiles are in enforce mode)
- CentOS/RHEL: Keep SELinux enforcing; check with getenforce, and when something breaks fix the denial shown in the audit log rather than switching enforcement off
While they may require tuning, they confine a compromised service to the files and ports its profile allows, which is what stops a web-app exploit from reading /etc/shadow.
Bonus: Secure Boot and BIOS
- Set BIOS passwords
- Disable booting from external media
- Use UEFI secure boot where possible
Physical access should always be part of your threat model.
Conclusion
Securing a Linux server after a fresh install is about reducing the default attack surface and building in layers of defense. While these steps won’t make your system invulnerable, they drastically reduce the likelihood of compromise—especially from automated or opportunistic attacks.
Hardening is not a one-time task—revisit your security regularly as configurations and usage evolve. Start secure, stay secure.
