Linux Security Basics: Hardening Your System From the Start

Linux is widely regarded as more secure than Windows out of the box — but “more secure by default” doesn’t mean “secure enough.” Whether you’re running a home server, a VPS, or a desktop, these foundational hardening steps will significantly reduce your attack surface.

Why Linux Security Still Matters

Linux runs the majority of the world’s servers, cloud infrastructure, and embedded devices. That makes it a high-value target. Default Linux installations are designed for compatibility, not maximum security — and that gap is where attackers operate.

1. Keep the System Updated

# Debian/Ubuntu:
sudo apt update && sudo apt upgrade -y

# Enable unattended security updates:
sudo apt install unattended-upgrades
sudo dpkg-reconfigure --priority=low unattended-upgrades
# Select "Yes" when asked to enable automatic updates

# RHEL/CentOS/Rocky Linux:
sudo dnf update -y

# Enable auto-updates:
sudo dnf install dnf-automatic
sudo systemctl enable --now dnf-automatic-install.timer

2. Configure a Firewall

# UFW (Uncomplicated Firewall) — easiest option for Ubuntu/Debian
sudo apt install ufw

# Default: deny all incoming, allow all outgoing
sudo ufw default deny incoming
sudo ufw default allow outgoing

# Allow only what you need:
sudo ufw allow ssh          # Port 22 (SSH)
sudo ufw allow 80/tcp       # HTTP
sudo ufw allow 443/tcp      # HTTPS
# If you move SSH to port 2222 in step 3, open that port here before
# restarting sshd, or you will lock yourself out

# Enable the firewall:
sudo ufw enable

# Check status:
sudo ufw status verbose

# Advanced: allow SSH only from a specific IP (replace the broad "allow ssh"
# rule above with this one, otherwise that rule still admits every source):
sudo ufw allow from 203.0.113.5 to any port 22

3. Harden SSH Access

SSH is the most common entry point for attacks on Linux servers. Hardening it is critical.

# Edit SSH configuration:
sudo nano /etc/ssh/sshd_config

# Make these changes (one directive per line: sshd does not reliably accept
# a trailing "# comment" after a directive):

# Change from default 22 (reduces noise; open the new port in the firewall too)
Port 2222
# Never allow root SSH login
PermitRootLogin no
# Use SSH keys only (disable passwords)
PasswordAuthentication no
PubkeyAuthentication yes
# Limit brute force attempts
MaxAuthTries 3
LoginGraceTime 30
# Whitelist specific users only
AllowUsers yourusername
ClientAliveInterval 300
ClientAliveCountMax 2

# Set up key authentication (below) and confirm a key login works from a
# second terminal before restarting: with passwords disabled, a missing key
# locks you out.
# Restart SSH after changes:
sudo systemctl restart sshd

# Set up SSH key authentication:
# On your local machine, generate a key pair:
ssh-keygen -t ed25519 -C "your_email@example.com"
# Copy public key to server:
ssh-copy-id -i ~/.ssh/id_ed25519.pub user@your-server-ip
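Before restarting sshd it is worth checking the file for the settings above, since a mistyped or commented-out directive silently keeps the default. The script below is an added example, not part of the original post: it reads an sshd_config file and reports any step 3 directive that is missing or set to a different value. It assumes POSIX sh and awk, and it inspects only the global section (directives after the first "Match" line are conditional and are skipped).

```shell
#!/bin/sh
# Added example, not part of the original post: check an sshd_config file
# against the step 3 settings before you restart sshd. Assumes POSIX sh and
# awk. Only the global section is inspected: directives after the first
# "Match" line are conditional and are skipped.

# first_directive KEY FILE: print the first uncommented value of KEY in the
# global section (sshd honours the first occurrence it reads, not the last).
first_directive() {
    awk -v k="$1" '
        /^[ \t]*#/ { next }
        tolower($1) == "match" { exit }
        tolower($1) == tolower(k) { print $2; exit }' "$2"
}

SSHD_FINDINGS=0
# require_directive KEY WANT FILE: record a finding if KEY is absent or != WANT.
require_directive() {
    got=$(first_directive "$1" "$3")
    if [ -z "$got" ]; then
        echo "MISSING  $1 (expected: $2)"
        SSHD_FINDINGS=$((SSHD_FINDINGS + 1))
    elif [ "$(echo "$got" | tr 'A-Z' 'a-z')" != "$(echo "$2" | tr 'A-Z' 'a-z')" ]; then
        echo "MISMATCH $1 = $got (expected: $2)"
        SSHD_FINDINGS=$((SSHD_FINDINGS + 1))
    fi
}

# sshd_audit FILE: print one line per finding, return the number of findings.
sshd_audit() {
    SSHD_FINDINGS=0
    require_directive PermitRootLogin no "$1"
    require_directive PasswordAuthentication no "$1"
    require_directive PubkeyAuthentication yes "$1"
    require_directive MaxAuthTries 3 "$1"
    # AllowUsers only has to be present; the account names are site-specific.
    if [ -z "$(first_directive AllowUsers "$1")" ]; then
        echo "MISSING  AllowUsers (restrict logins to named accounts)"
        SSHD_FINDINGS=$((SSHD_FINDINGS + 1))
    fi
    port=$(first_directive Port "$1")
    if [ -z "$port" ] || [ "$port" = 22 ]; then
        echo "NOTE     Port is still the default 22 (step 3 moves it to 2222)"
        SSHD_FINDINGS=$((SSHD_FINDINGS + 1))
    fi
    return "$SSHD_FINDINGS"
}

# On a live host: sshd_audit /etc/ssh/sshd_config   (exit status 0 = compliant)
```

Pair it with `sshd -t`, which catches syntax errors in the file but says nothing about weak settings.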

4. Install Fail2Ban

Fail2Ban monitors log files and automatically bans IP addresses that show signs of brute-force attacks.

# Install:
sudo apt install fail2ban

# Create a local config (don't edit the main config):
sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
sudo nano /etc/fail2ban/jail.local

# SSH jail settings (keep comments on their own lines, not after a value):
[sshd]
enabled = true
# Match your SSH port
port = 2222
filter = sshd
# The log path must exist: on journal-only systems (no rsyslog) there is no
# auth.log and the jail has to read the systemd journal instead
logpath = /var/log/auth.log
# Ban after 3 failed attempts
maxretry = 3
# Ban for 1 hour
bantime = 3600
# In a 10-minute window
findtime = 600

# Start and enable Fail2Ban:
sudo systemctl enable --now fail2ban

# Check banned IPs:
sudo fail2ban-client status sshd

# Unban an IP (if you accidentally ban yourself):
sudo fail2ban-client set sshd unbanip YOUR_IP

5. Minimize Installed Services

# View all running services:
sudo systemctl list-units --type=service --state=running

# Disable unnecessary services:
sudo systemctl disable --now bluetooth.service   # If no Bluetooth needed
sudo systemctl disable --now avahi-daemon        # mDNS (rarely needed on servers)
sudo systemctl disable --now cups                # Printing (servers)

# View network listening services:
sudo ss -tlnp
# Or (legacy net-tools command, may not be installed):
sudo netstat -tlnp

# Every open port is a potential attack surface
# If a service is listening and you don't need it, disable it
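Reading `ss` output by eye works once; what you want afterwards is a check you can rerun after every package install. The script below is an added example, not from the original post: it takes `ss -tlnpH` output on stdin and flags any listening TCP port that is not on the allowlist of ports you opened in step 2, treating loopback-only listeners as informational. It assumes POSIX sh and awk; the sample `ss` output inside it is constructed, not captured from a real host.

```shell
#!/bin/sh
# Added example, not from the original post: flag listening TCP sockets whose
# port is not on your allowlist, reading `ss -tlnpH` output from stdin.
# Assumes POSIX sh and awk. The allowlist is the set of ports opened in step 2.

# unexpected_listeners "PORT PORT ..."  < ss_output
# Loopback-only listeners are reported as INFO (reachable only from the host);
# anything else not on the allowlist is WARN. Returns the number of WARN lines.
unexpected_listeners() {
    awk -v allow="$1" '
        BEGIN { warn = 0; n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        NF < 4 { next }                                # skip blank or odd lines
        {
            port = $4; sub(/.*:/, "", port)            # text after the last colon
            host = $4; sub(/:[^:]*$/, "", host)        # text before the last colon
            proc = "?"
            if (match($0, /\(\("[^"]*"/)) {            # users:(("sshd",pid=...
                proc = substr($0, RSTART + 3, RLENGTH - 4)
            }
            if (port in ok) next
            if (host == "127.0.0.1" || host == "[::1]") {
                printf "INFO port %s listens on loopback only (%s)\n", port, proc
            } else {
                printf "WARN port %s open on %s (%s), not in allowlist\n", port, host, proc
                warn++
            }
        }
        END { exit warn }'
}

# Constructed sample of `ss -tlnpH` output (not captured from a real host).
sample_ss_output() {
    printf '%s\n' \
        'LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=812,fd=3))' \
        'LISTEN 0 128 [::]:22 [::]:* users:(("sshd",pid=812,fd=4))' \
        'LISTEN 0 511 *:80 *:* users:(("nginx",pid=1201,fd=6))' \
        'LISTEN 0 128 127.0.0.1:631 0.0.0.0:* users:(("cupsd",pid=655,fd=7))' \
        'LISTEN 0 80 0.0.0.0:3306 0.0.0.0:* users:(("mysqld",pid=990,fd=21))'
}

# On a live host: sudo ss -tlnpH | unexpected_listeners "22 80 443"
# On the sample above only 3306 is WARN; 631 is INFO because it is loopback-only.
```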

6. Enable and Configure auditd

# auditd tracks system events for security monitoring
sudo apt install auditd audispd-plugins

# Enable:
sudo systemctl enable --now auditd

# Add audit rules:
sudo nano /etc/audit/rules.d/custom.rules

# Monitor privileged commands:
-a always,exit -F arch=b64 -S execve -F euid=0 -k root_commands

# Monitor passwd file changes:
-w /etc/passwd -p wa -k passwd_changes
-w /etc/shadow -p wa -k shadow_changes

# Monitor SSH config changes:
-w /etc/ssh/sshd_config -p wa -k sshd_config

# Reload rules:
sudo augenrules --load

# Query audit logs:
sudo ausearch -k passwd_changes
sudo ausearch -k root_commands --start today

7. Set Up Automatic Security Scanning with Lynis

# Lynis: Security auditing tool for Linux systems
sudo apt install lynis

# Run a full system audit:
sudo lynis audit system

# Review the report (-i: match Warning/Suggestion lines regardless of case):
sudo grep -iE "warning|suggestion" /var/log/lynis.log | head -50

# Lynis gives you a hardening index score and specific recommendations
# Aim for a score above 70 for a well-hardened system

8. Disable Core Dumps

# Core dumps can contain sensitive information (passwords in memory)
sudo nano /etc/security/limits.conf
# Add:
* hard core 0
* soft core 0
# Note: limits.conf covers PAM login sessions only; services started by
# systemd take their core limit from systemd's own unit/default settings

# Also disable via sysctl:
sudo nano /etc/sysctl.conf
# Add:
kernel.core_pattern = /dev/null
fs.suid_dumpable = 0

sudo sysctl -p

Security Hardening Checklist

  • ☑ System packages updated, auto-updates enabled
  • ☑ UFW firewall configured (deny all, allow only necessary ports)
  • ☑ SSH hardened: no root login, key-only auth, custom port
  • ☑ Fail2Ban installed and protecting SSH
  • ☑ Unnecessary services disabled
  • ☑ auditd logging enabled
  • ☑ Lynis audit run and high-priority findings addressed

Wrap Up

Linux security is a continuous process. These fundamentals form a solid baseline — run Lynis regularly to catch drift, review audit logs periodically, and keep up with security updates. A properly hardened Linux server is genuinely difficult to compromise.