A freshly installed Linux server is not secure. The default configuration prioritizes accessibility and ease of use — not security. Every unpatched vulnerability, default credential, open port, and misconfigured service is an invitation to attackers. Within minutes of connecting a new server to the internet, automated bots will begin probing it for weaknesses.
This checklist covers the 25 most critical hardening steps for Linux servers, organized from most urgent to most advanced. Each step includes the specific commands to implement it and an explanation of why it matters.
Steps 1-5: Immediate Actions After Server Creation
Step 1: Update the system. Before doing anything else, install all available security patches. Run apt update && apt upgrade -y on Debian/Ubuntu or dnf update -y on RHEL/Fedora. If the update pulled in a new kernel, reboot: a host that has the fixed package on disk but is still running the old kernel is not patched. Unpatched, internet-facing software is one of the most common ways servers get compromised.
Step 2: Create a non-root user with sudo access. Never use the root account for daily operations. Create a personal user account, add it to the sudo group (wheel on RHEL), copy your public key into its ~/.ssh/authorized_keys, and only then disable direct root login. This limits the damage from a compromised credential and, because sudo logs every elevated command together with the invoking user, gives you an audit trail of who did what. Confirm the new account can log in and run sudo before you lock root out.
Step 3: Configure SSH key authentication and disable password login. Generate an SSH key pair on your local machine (ssh-keygen -t ed25519) and add the public key to the server. Then, in /etc/ssh/sshd_config or a drop-in file under /etc/ssh/sshd_config.d/, set PasswordAuthentication no, KbdInteractiveAuthentication no (otherwise PAM can still prompt for a password over the keyboard-interactive method) and PermitRootLogin no. Two checks before you restart sshd: run sshd -t so a typo cannot lock you out, and run sshd -T to see the effective values, because sshd uses the first value it reads for each keyword and on Ubuntu a cloud-init drop-in in sshd_config.d can silently keep password authentication enabled. Keep your current session open and confirm key login works from a second terminal. A properly generated key cannot be brute-forced online; a password can.
Step 4: Change the SSH port. Moving SSH from port 22 to a non-standard port (2222 is the usual example) provides no real security against a targeted attacker, who will find it with a port scan, but it removes most of the automated brute-force noise aimed at 22 and makes the remaining log entries worth reading. Three things to get right: add the new port to the firewall before restarting sshd; on SELinux systems (RHEL) register the port as ssh_port_t with semanage port, or sshd will be denied the bind; and remember that ports above 1023 can be bound by any local user, so if sshd is ever down an unprivileged process could claim the port. On Ubuntu releases where sshd is socket-activated, a port change needs systemctl daemon-reload and a restart of ssh.socket, not just of the service.
Step 5: Enable and configure the firewall. Use UFW (Uncomplicated Firewall) on Ubuntu or firewalld on RHEL-based systems. Set the default policy to deny all incoming connections and allow outgoing, then explicitly allow only the ports your services need. At minimum, allow your SSH port (ufw limit rather than ufw allow, which also rate-limits connection attempts from one source) and any web server ports (80, 443). Block everything else. Add the SSH rule before you enable the firewall: enabling a default-deny policy without it drops your own session. UFW also manages IPv6 rules when IPV6=yes in /etc/default/ufw; leave that on if the host has an IPv6 address.
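Steps 2 through 5 as one repeatable script. This is an added example, not code from the original article; it assumes Debian or Ubuntu with OpenSSH 8.7 or newer, a /etc/ssh/sshd_config.d/ drop-in directory, ufw installed, and the admin's public key already present in /root/.ssh/authorized_keys (cloud images usually put it there). The SSH_PORT, ADMIN_USER and HARDEN_APPLY variables are assumptions of this script, not something the article defines. Sourcing the file only defines the functions; run it with HARDEN_APPLY=1 as root to change the host, from a session you keep open while you test a second one.

```sh
#!/bin/sh
# Added example (not the article's code): steps 2-5 as one repeatable script.
# Assumptions: Debian/Ubuntu, OpenSSH >= 8.7, /etc/ssh/sshd_config.d/ exists,
# ufw installed, admin public key already in /root/.ssh/authorized_keys.
set -eu

SSH_PORT="${SSH_PORT:-2222}"      # assumed value, override in the environment
ADMIN_USER="${ADMIN_USER:-admin}" # assumed value, override in the environment

# Steps 3/4: hardened directives for a drop-in. sshd keeps the FIRST value it
# sees for a keyword and reads sshd_config.d/*.conf in lexical order before the
# main file, so a file named 10-* wins over Ubuntu's 50-cloud-init.conf, which
# sets "PasswordAuthentication yes".
sshd_hardening_dropin() {  # $1 port, $2 admin user
    cat <<EOF
Port $1
PermitRootLogin no
PasswordAuthentication no
KbdInteractiveAuthentication no
PubkeyAuthentication yes
AllowUsers $2
MaxAuthTries 3
LoginGraceTime 30
EOF
}

# Audit the configuration sshd actually resolved (output of "sshd -T", read on
# stdin) instead of trusting the file just written. Prints each deviation and
# returns 1 if any were found.
audit_sshd_effective() {  # $1 expected port
    want_port="$1"
    rc=0
    while read -r key val; do
        case "$key" in
            passwordauthentication|permitrootlogin|kbdinteractiveauthentication)
                [ "$val" = "no" ] || { echo "FAIL: $key is $val"; rc=1; } ;;
            pubkeyauthentication)
                [ "$val" = "yes" ] || { echo "FAIL: $key is $val"; rc=1; } ;;
            port)
                [ "$val" = "$want_port" ] || { echo "FAIL: port is $val"; rc=1; } ;;
        esac
    done
    return "$rc"
}

# Steps 2 and 5 plus the restart. Only runs when explicitly requested as root.
apply() {
    [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; return 1; }
    id "$ADMIN_USER" >/dev/null 2>&1 || adduser --disabled-password --gecos '' "$ADMIN_USER"
    usermod -aG sudo "$ADMIN_USER"
    install -d -m 700 -o "$ADMIN_USER" -g "$ADMIN_USER" "/home/$ADMIN_USER/.ssh"
    install -m 600 -o "$ADMIN_USER" -g "$ADMIN_USER" \
        /root/.ssh/authorized_keys "/home/$ADMIN_USER/.ssh/authorized_keys"

    sshd_hardening_dropin "$SSH_PORT" "$ADMIN_USER" > /etc/ssh/sshd_config.d/10-hardening.conf
    sshd -t   # syntax check first; a bad config plus a restart is a lockout

    # Firewall before the restart so the new port is reachable. "limit" also
    # rate-limits connection attempts per source address.
    ufw default deny incoming
    ufw default allow outgoing
    ufw limit "$SSH_PORT/tcp"
    ufw allow 80/tcp
    ufw allow 443/tcp
    ufw --force enable

    systemctl daemon-reload   # socket-activated sshd re-reads Port through a generator
    if systemctl -q is-enabled ssh.socket 2>/dev/null; then
        systemctl restart ssh.socket ssh.service
    else
        systemctl restart ssh
    fi
    sshd -T | audit_sshd_effective "$SSH_PORT"
}

if [ "${HARDEN_APPLY:-0}" = 1 ]; then
    apply
fi
```

The audit reads sshd's own view of the configuration rather than grepping the file, which is the only check that catches a later drop-in or an Include you did not know about.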
Steps 6-10: Authentication and Access Control
Step 6: Install and configure Fail2Ban. Fail2Ban watches log files (or the journal) for failed authentication attempts and temporarily bans the source address with a firewall rule. Configure it for SSH (ban after 3 failed attempts for 1 hour), and add jails for any other exposed services (web server, mail server, database). Put your settings in /etc/fail2ban/jail.local, never in jail.conf, which package upgrades overwrite. The sshd jail's port setting is what the ban rule blocks, so it must match the port you moved SSH to, or bans land on 22 while the attacker keeps hitting the real port. Verify with fail2ban-client status sshd that the jail is running and actually matching log lines.
Step 7: Set password policies. Even with SSH key authentication, sudo still asks for the user's password, so that password matters. Require a minimum of 12 characters (longer is better), reject dictionary words and reuse of recent passwords, and configure the rules through PAM (pam_pwquality on both the Debian and RHEL families) so they apply system-wide, including to passwd. Forced periodic expiration is no longer recommended by NIST SP 800-63B and mostly produces predictable increments; expire a password when you have reason to believe it was exposed, not on a calendar.
Step 8: Implement two-factor authentication for SSH. Install the Google Authenticator PAM module (libpam-google-authenticator) and have each admin enroll a TOTP secret from their own account before you enforce anything. Two settings make this real two-factor: AuthenticationMethods publickey,keyboard-interactive in sshd, so a key and a code are both required rather than either one, and a PAM stack for sshd that asks only for the code, not the Unix password as well. Then an attacker who steals your private key still cannot log in without the second factor. The secret lives in ~/.google_authenticator on the server, so protect it like a key file, and keep the module's nullok option only for the enrollment window.
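Steps 6 and 8 as configuration you can write and verify. This is an added example, not code from the original article; it assumes Debian or Ubuntu, fail2ban 0.11 or newer with the systemd backend, libpam-google-authenticator, OpenSSH 8.7 or newer, and sshd listening on the assumed SSH_PORT. The drop-in name 05-mfa.conf and the HARDEN_APPLY variable are this script's own conventions.

```sh
#!/bin/sh
# Added example (not the article's code) for Step 6 (Fail2Ban) and Step 8 (SSH 2FA).
# Assumptions: Debian/Ubuntu, fail2ban >= 0.11 with journald, libpam-google-authenticator,
# OpenSSH >= 8.7, sshd listening on $SSH_PORT.
set -eu

SSH_PORT="${SSH_PORT:-2222}"   # assumed value, override in the environment

# Step 6. Overrides go in jail.local; jail.conf is replaced on upgrade. "port" is
# what the ban action blocks, so it must be the port sshd really listens on, or
# bans hit port 22 while the attacker keeps hammering 2222.
fail2ban_jail_local() {  # $1 ssh port
    cat <<EOF
[DEFAULT]
bantime = 1h
findtime = 10m
maxretry = 3
bantime.increment = true
ignoreip = 127.0.0.1/8 ::1
backend = systemd

[sshd]
enabled = true
port = $1
mode = aggressive
EOF
}

# Step 8, sshd side. AuthenticationMethods is what makes this two-factor: without
# it a valid code alone, or a key alone, still logs in. The file is named 05-* so
# its KbdInteractiveAuthentication yes sorts before, and therefore beats, any
# later drop-in that turns keyboard-interactive off.
sshd_mfa_dropin() {
    cat <<'EOF'
AuthenticationMethods publickey,keyboard-interactive
KbdInteractiveAuthentication yes
PasswordAuthentication no
EOF
}

# Step 8, PAM side. Rewrites /etc/pam.d/sshd read on stdin: the Unix password
# stack is disabled so the keyboard-interactive step asks only for the TOTP
# code, then the TOTP module is appended. "nullok" lets users who have not run
# google-authenticator yet log in with the key alone; remove it once everyone
# is enrolled so a missing secret file fails closed.
mfa_pam_config() {
    sed 's/^@include common-auth/# & (disabled: key + TOTP only)/'
    echo 'auth required pam_google_authenticator.so nullok'
}

# Exit 0 when the effective sshd config ("sshd -T" on stdin) requires both methods.
requires_key_and_totp() {
    grep -qx 'authenticationmethods publickey,keyboard-interactive'
}

apply() {
    [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; return 1; }
    apt-get install -y fail2ban libpam-google-authenticator
    fail2ban_jail_local "$SSH_PORT" > /etc/fail2ban/jail.local
    systemctl restart fail2ban
    fail2ban-client status sshd   # jail up and filter matching, or nothing gets banned
    # Enroll BEFORE enforcing: each admin runs, as themselves,
    #   google-authenticator -t -d -f -r 3 -R 30 -W
    # which writes ~/.google_authenticator with mode 0400.
    cp -n /etc/pam.d/sshd /etc/pam.d/sshd.orig
    mfa_pam_config < /etc/pam.d/sshd.orig > /etc/pam.d/sshd
    sshd_mfa_dropin > /etc/ssh/sshd_config.d/05-mfa.conf
    sshd -t && systemctl restart ssh
    sshd -T | requires_key_and_totp
}

if [ "${HARDEN_APPLY:-0}" = 1 ]; then
    apply
fi
```

Keep the original pam.d/sshd copy until you have logged in once with key plus code from a fresh session; restoring it is the rollback if the prompt never appears.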
Step 9: Review and restrict user accounts. Audit all user accounts: remove the ones nobody needs, make sure no account has an empty password field in /etc/shadow, confirm root is the only UID 0, and lock accounts that do not need interactive login by giving them a nologin shell. Review /etc/sudoers and everything in /etc/sudoers.d (edit with visudo, which syntax-checks) and restrict sudo, especially NOPASSWD grants, to the users who genuinely need it. Repeat the audit on a schedule; accounts accumulate.
Step 10: Disable unused services. List all running services with systemctl list-units --type=service --state=running and stop and disable (systemctl disable --now) any that are not needed; then check what is still listening with ss -tulpn, which is the view an attacker gets. Every running service is a potential attack surface. Common services to disable on servers that do not need them: avahi-daemon, cups, bluetooth, nfs-server, rpcbind.
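Step 9 as a repeatable audit rather than a one-off look. This is an added example, not code from the original article; the file paths are arguments so it can run against copies (or the constructed files in a test), and on a live host you pass /etc/passwd, /etc/shadow, /etc/sudoers and the files in /etc/sudoers.d as root. The UID 1000 cut-off and the nologin/false shell convention are Debian and RHEL defaults, assumed here.

```sh
#!/bin/sh
# Added example (not the article's code): Step 9 as a repeatable account audit.
# Paths are arguments; on a live host (as root):
#   audit_accounts /etc/passwd /etc/shadow /etc/sudoers /etc/sudoers.d/*
set -eu

# Any UID 0 account besides root is a second root login and a classic backdoor.
extra_uid0_accounts() {  # $1 passwd file
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# An empty second field in shadow means the account logs in with no password.
# "!" or "*" there is a locked password, the desired state for service accounts.
empty_password_accounts() {  # $1 shadow file
    awk -F: '$2 == "" { print $1 }' "$1"
}

# Accounts that still get an interactive shell; service accounts should carry
# /usr/sbin/nologin or /bin/false. Prints name:uid:shell for review.
interactive_accounts() {  # $1 passwd file
    awk -F: '$7 !~ /(nologin|false)$/ { print $1 ":" $3 ":" $7 }' "$1"
}

# Passwordless sudo grants turn any shell as that user into root with no
# second prompt. Reads one or more sudoers files, skipping comment lines.
nopasswd_sudoers() {  # $@ sudoers files
    cat "$@" | grep -v '^[[:space:]]*#' | grep 'NOPASSWD' || true
}

# Remediation for a service account that has no business logging in.
lock_account() {  # $1 user
    usermod -L -s /usr/sbin/nologin "$1"
}

# Full report. Returns 1 if anything actionable was found, so it can gate a
# cron job or a CI check on a golden image.
audit_accounts() {  # $1 passwd, $2 shadow, rest: sudoers files
    passwd="$1"; shadow="$2"; shift 2
    findings=0
    for u in $(extra_uid0_accounts "$passwd"); do
        echo "UID0     $u"; findings=$((findings + 1))
    done
    for u in $(empty_password_accounts "$shadow"); do
        echo "NOPASS   $u"; findings=$((findings + 1))
    done
    if [ $# -gt 0 ]; then
        n="$(nopasswd_sudoers "$@" | wc -l | tr -d ' ')"
        nopasswd_sudoers "$@" | sed 's/^/NOPASSWD /'
        findings=$((findings + n))
    fi
    # Shell list is for review, not a finding by itself (root is always on it).
    interactive_accounts "$passwd" | sed 's/^/SHELL    /'
    [ "$findings" -eq 0 ]
}
```

Run it before and after hardening and keep the before-output: the diff is your evidence that the step was done, and the next run tells you when someone undoes it.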
Steps 11-15: Network Security
Step 11: Disable IPv6 if not used. If your server has no IPv6 connectivity, disable it with the net.ipv6.conf.all.disable_ipv6 sysctl to remove an unmonitored path. If the provider does route IPv6 to the host, do not disable it; instead make sure every control above covers both stacks: a firewall with only IPv4 rules leaves IPv6 wide open, and a Fail2Ban jail that only bans IPv4 addresses does nothing about the other half of the attempts. Some software expects ::1 to exist, so test after disabling.
Step 12: Configure kernel network security parameters. Harden the network stack by enabling SYN cookies (net.ipv4.tcp_syncookies), refusing and not sending ICMP redirects, enabling reverse path filtering (rp_filter) so packets with spoofed source addresses are dropped, disabling IP source routing, and logging martian packets. Put the settings in a file under /etc/sysctl.d/ so they survive a reboot, apply them with sysctl --system, and read them back with sysctl: the file is not the running state, and a later file or a container runtime can override it.
Step 13: Configure DNS resolvers. Use trusted DNS resolvers (Cloudflare 1.1.1.1, Google 8.8.8.8, or your organization's internal DNS) rather than whatever your hosting provider injected by default. DNS over TLS (systemd-resolved supports it with DNSOverTLS=yes) stops eavesdropping and tampering on the path to the resolver; it does not protect you from the resolver itself, and for that you also want DNSSEC validation. Check with resolvectl status which resolver is actually being used.
Step 14: Implement port knocking or SPA (Single Packet Authorization). With port knocking the SSH port stays closed until the firewall sees a specific sequence of connection attempts on other ports; until then the port does not appear in a scan. This is obscurity, not authentication: anyone who can observe your traffic can replay the knock. SPA (fwknop) improves on it by carrying an encrypted, single-use authorization in one packet. Treat either as a noise filter in front of key authentication, not as a replacement for it, and prefer the VPN in the next step where you can.
Step 15: Set up a VPN for remote management. Instead of exposing management services to the internet, require VPN access for administration. WireGuard is the modern choice: simple, fast, and cryptographically sound. Allow SSH only on the tunnel interface (and the WireGuard UDP port publicly), so the management plane is not reachable from the internet at all. Keep your provider's out-of-band console available; if the tunnel breaks, it is your only way back in.
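Step 15 as a host-only management tunnel. This is an added example, not code from the original article; it assumes ufw and wireguard-tools on the server, the tunnel subnet 10.8.0.0/24, UDP port 51820, one admin peer, and SSH on the assumed SSH_PORT. There is no forwarding and no masquerade because the tunnel only needs to reach the host itself; REMOVE_PUBLIC_SSH is this script's own switch for the final, irreversible-from-outside step.

```sh
#!/bin/sh
# Added example (not the article's code) for Step 15: WireGuard for management
# only, with SSH reachable solely through the tunnel.
# Assumptions: ufw, wireguard-tools, tunnel subnet 10.8.0.0/24, UDP 51820,
# one admin peer, SSH on $SSH_PORT. Keys are generated on each side; only the
# public halves are exchanged.
set -eu

WG_NET="10.8.0.0/24"; WG_SERVER_IP="10.8.0.1"; WG_PEER_IP="10.8.0.2"
WG_PORT="${WG_PORT:-51820}"
SSH_PORT="${SSH_PORT:-2222}"

# Server side. No PostUp forwarding rules and no MASQUERADE: the tunnel ends at
# this host, which is all management needs and keeps it from becoming a router.
wg_server_conf() {  # $1 server private key, $2 admin public key
    cat <<EOF
[Interface]
Address = $WG_SERVER_IP/24
ListenPort = $WG_PORT
PrivateKey = $1

[Peer]
# admin workstation
PublicKey = $2
AllowedIPs = $WG_PEER_IP/32
EOF
}

# Admin side. AllowedIPs is only the tunnel subnet, so ordinary traffic stays off
# the VPN; PersistentKeepalive keeps NAT state alive from behind a home router.
wg_peer_conf() {  # $1 admin private key, $2 server public key, $3 server public address
    cat <<EOF
[Interface]
Address = $WG_PEER_IP/24
PrivateKey = $1

[Peer]
PublicKey = $2
Endpoint = $3:$WG_PORT
AllowedIPs = $WG_NET
PersistentKeepalive = 25
EOF
}

apply() {  # $1 admin public key; run as root
    [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; return 1; }
    apt-get install -y wireguard
    umask 077
    server_priv="$(wg genkey)"
    server_pub="$(printf '%s' "$server_priv" | wg pubkey)"
    wg_server_conf "$server_priv" "$1" > /etc/wireguard/wg0.conf
    systemctl enable --now wg-quick@wg0
    ufw allow "$WG_PORT/udp"
    ufw allow in on wg0 to any port "$SSH_PORT" proto tcp
    echo "server public key for the admin's config: $server_pub"
    # Only after an SSH login to $WG_SERVER_IP over the tunnel has succeeded:
    if [ "${REMOVE_PUBLIC_SSH:-0}" = 1 ]; then
        ufw delete limit "$SSH_PORT/tcp" || true
        ufw delete allow "$SSH_PORT/tcp" || true
    fi
}
```

Generate the admin key pair on the workstation (wg genkey, wg pubkey) and feed only the public key to apply; the server's private key never leaves /etc/wireguard, and the admin's never leaves the laptop.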
Steps 16-20: Monitoring and Auditing
Step 16: Configure system logging. Make the journal and syslog persistent (Storage=persistent in journald.conf) and rotated so they cannot fill the disk. Forward logs to a central collector over TLS, in near real time, with credentials that let the server append but not read or delete: an attacker who gains root can edit or clear the local logs, but cannot take back what has already left the box. The local copy is a convenience; the remote copy is the evidence.
Step 17: Set up file integrity monitoring. Install AIDE (Advanced Intrusion Detection Environment) or OSSEC to monitor critical system files for unauthorized changes. Initialize the baseline database on a known-clean system, immediately after hardening and before exposing it, and keep a copy of the database and of the aide binary off-host or on read-only media: an attacker who can modify system binaries can also modify a baseline that lives next to them. Schedule a daily check and re-baseline after every legitimate update, or the reports become noise nobody reads.
Step 18: Enable process accounting. Process accounting (the acct/psacct package) records every process the kernel ran, with its user, terminal and timestamps, readable with lastcomm and sa. It records the command name but not its arguments, so it tells you that curl ran, not where it fetched from. For full command lines, add auditd rules for the execve syscall; together they give a forensic trail of what ran, as which user, and when. Ship both off-host like any other log.
Step 19: Configure automatic security updates. Enable unattended-upgrades on Ubuntu/Debian (or dnf-automatic on RHEL/Fedora) to install security patches without waiting for a human. For production servers, apply security updates only (not feature updates) to balance security with stability, and watch for /var/run/reboot-required: a kernel or libc update is not effective until the system, or at least the affected services, restart.
Step 20: Set up monitoring and alerting. Install a monitoring agent (Prometheus node_exporter, Datadog agent, or Zabbix agent) to track server health metrics. Set up alerts for unusual activity: high CPU usage outside normal patterns, unexpected network traffic, disk space running low, and failed login attempts.
Steps 21-25: Advanced Hardening
Step 21: Implement AppArmor or SELinux. Mandatory Access Control systems restrict what programs can do, even when they are compromised. AppArmor (default on Ubuntu) and SELinux (default on RHEL) confine processes to only the files, ports, and capabilities they need. Check that they are actually active (aa-status, getenforce), since both are easy to switch off. When a profile blocks something legitimate, fix the profile or flip the relevant boolean; setting SELinux to permissive "until it works" tends to become permanent and gives up the whole control.
Step 22: Harden the kernel. Pin address space layout randomization to full (kernel.randomize_va_space = 2; this is the default, so verify rather than assume), restrict kernel log and symbol address access to root (kernel.dmesg_restrict = 1, kernel.kptr_restrict = 2), and limit ptrace to descendant processes (kernel.yama.ptrace_scope = 1). Disable kernel module loading (kernel.modules_disabled = 1) only once everything the host needs is loaded: the setting cannot be undone without a reboot, and applying it from sysctl.d runs early enough in boot to break drivers that load later. These measures make kernel vulnerabilities harder to exploit and harder to persist through.
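One sysctl drop-in for Steps 11, 12 and 22 together, plus a check that compares the file with what the running kernel reports. This is an added example, not code from the original article; it assumes systemd-sysctl reads /etc/sysctl.d, procps sysctl is installed, and the Yama LSM is built in (it is on Ubuntu and RHEL). kernel.yama.ptrace_scope and the fs.protected_* keys go beyond the article's list; DISABLE_IPV6 and HARDEN_APPLY are this script's own switches.

```sh
#!/bin/sh
# Added example (not the article's code) for Steps 11, 12 and 22: one sysctl
# drop-in plus a check of the running values against it.
# Assumptions: systemd-sysctl reads /etc/sysctl.d, procps sysctl installed,
# Yama LSM present; ptrace_scope and fs.protected_* are additions beyond the article.
set -eu

sysctl_hardening_conf() {
    cat <<'EOF'
# Step 12: network stack
net.ipv4.tcp_syncookies = 1
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv6.conf.all.accept_redirects = 0
net.ipv6.conf.default.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv6.conf.all.accept_source_route = 0
net.ipv4.conf.all.log_martians = 1
# Step 22: kernel. randomize_va_space=2 is already the default; pinning it here
# means the check below tells you if something turned it off.
kernel.randomize_va_space = 2
kernel.dmesg_restrict = 1
kernel.kptr_restrict = 2
kernel.yama.ptrace_scope = 1
fs.protected_symlinks = 1
fs.protected_hardlinks = 1
EOF
}
# Deliberately absent: kernel.modules_disabled = 1. It is one-way until reboot,
# and sysctl.d is applied early enough in boot to block modules the host still
# needs. If you want it, set it from a oneshot unit that runs late in boot.

# Step 11: only when the host really has no IPv6 connectivity.
ipv6_off_conf() {
    cat <<'EOF'
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
EOF
}

# Compare the expected settings with "key = value" lines on stdin (the format
# of "sysctl -a"). Prints each mismatch and returns 1 if there were any; a key
# that is missing counts as a mismatch, because the file is not the running state.
check_sysctl() {
    actual="$(mktemp)"; expected="$(mktemp)"
    cat > "$actual"
    sysctl_hardening_conf | grep -v '^#' | grep -v '^$' > "$expected"
    fails=0
    while IFS= read -r line; do
        key="${line%% = *}"
        want="${line#* = }"
        have="$(awk -F' = ' -v k="$key" '$1 == k { print $2; exit }' "$actual")"
        if [ "$have" != "$want" ]; then
            printf 'FAIL %s = %s (want %s)\n' "$key" "${have:-<unset>}" "$want"
            fails=$((fails + 1))
        fi
    done < "$expected"
    rm -f "$actual" "$expected"
    [ "$fails" -eq 0 ]
}

apply() {
    [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; return 1; }
    {
        sysctl_hardening_conf
        if [ "${DISABLE_IPV6:-0}" = 1 ]; then ipv6_off_conf; fi
    } > /etc/sysctl.d/99-hardening.conf
    sysctl --system > /dev/null
    sysctl -a 2>/dev/null | check_sysctl
}

if [ "${HARDEN_APPLY:-0}" = 1 ]; then
    apply
fi
```

Run sysctl -a | check_sysctl from the monthly audit as well: it is the cheapest way to notice that a container runtime, a tuning package, or a colleague has quietly changed one of these.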
Step 23: Configure secure /tmp and /var/tmp. Mount temporary directories with the noexec, nosuid, and nodev flags, typically a tmpfs for /tmp with /var/tmp bind-mounted onto it. This stops an attacker from dropping and running a binary in the one world-writable place they can always write to. Two caveats: noexec blocks execve of files on the mount, not sh /tmp/x or python /tmp/x, so it raises the bar rather than closing the door; and some package installers write to /tmp and execute from there, so apt needs a hook that remounts /tmp exec for the duration of a package operation.
Step 24: Implement network intrusion detection. Install Suricata or Snort to monitor network traffic for known attack patterns and suspicious activity. On a single host it can watch the server's own interface; in a network it needs a span port, tap, or inline placement. Configure rules for your services and environment, keep the rule set updated, and route alerts to someone who reads them: an IDS nobody looks at is only retrospective evidence.
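Step 23 as the two fstab entries, the apt hook, and a check of the live mount options. This is an added example, not code from the original article; it assumes a systemd host with apt, a tmpfs /tmp (the 1G size is an assumption, size it for your workload) and /var/tmp bind-mounted over it. HARDEN_APPLY is this script's own switch, and the mounts take effect cleanly at the next boot.

```sh
#!/bin/sh
# Added example (not the article's code) for Step 23. Assumptions: systemd host
# with apt, /tmp on tmpfs (assumed 1G), /var/tmp bind-mounted over it.
set -eu

# /var/tmp is meant to persist across reboots; binding it onto /tmp with the
# same flags is the usual hardening trade-off (CIS benchmarks do the same).
fstab_tmp_lines() {
    cat <<'EOF'
tmpfs  /tmp      tmpfs  defaults,noexec,nosuid,nodev,size=1G,mode=1777  0 0
/tmp   /var/tmp  none   bind,noexec,nosuid,nodev                        0 0
EOF
}

# Some maintainer scripts and installers write to /tmp and execute from there;
# this apt hook lifts noexec only while dpkg runs and puts it back afterwards.
apt_remount_hook() {
    cat <<'EOF'
DPkg::Pre-Invoke  { "mount -o remount,exec /tmp"; };
DPkg::Post-Invoke { "mount -o remount,noexec /tmp"; };
EOF
}

# Check the live options of a mount point, as printed by "findmnt -no OPTIONS /tmp".
# Returns 1 and names the flags that are missing.
check_mount_opts() {  # $1 comma-separated option string
    missing=""
    for flag in noexec nosuid nodev; do
        case ",$1," in
            *",$flag,"*) ;;
            *) missing="$missing $flag" ;;
        esac
    done
    [ -z "$missing" ] || { echo "missing:$missing"; return 1; }
}

apply() {
    [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; return 1; }
    cp -n /etc/fstab /etc/fstab.orig
    fstab_tmp_lines >> /etc/fstab
    apt_remount_hook > /etc/apt/apt.conf.d/50remount-tmp
    systemctl daemon-reload   # systemd regenerates mount units from fstab
    mount -a                  # new entries only; existing /tmp contents wait for a reboot
    check_mount_opts "$(findmnt -no OPTIONS /tmp)"
    check_mount_opts "$(findmnt -no OPTIONS /var/tmp)"
}

if [ "${HARDEN_APPLY:-0}" = 1 ]; then
    apply
fi
```

After the next reboot run the two check_mount_opts lines again; a unit that failed to mount leaves /tmp on the root filesystem with none of these flags and no error on the console.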
Step 25: Create and test a disaster recovery plan. Document your server configuration (ideally as infrastructure as code). Create regular backups and test restoration. Have a runbook for rebuilding the server from scratch. Know how long recovery takes and plan accordingly.
Maintaining Your Hardened Server
Security hardening is not a one-time task. Schedule monthly security audits to verify your hardening measures are still in place. Review logs weekly for suspicious activity. Apply security patches within 48 hours of release. Conduct quarterly penetration tests to identify weaknesses. And keep your disaster recovery documentation updated as your server configuration changes.
ZeonEdge provides server hardening, security audits, and managed Linux server administration for businesses that need enterprise-grade security. Learn more about our server management services.
Sarah Chen
Senior Cybersecurity Engineer with 12+ years of experience in penetration testing and security architecture.