Linux Server Hardening Checklist: 20 Essential Steps

1. Create a dedicated admin user

Never use root for daily administration. Create a named user with sudo privileges so all actions are attributable and auditable.

2. Enforce strong password policies

Configure PAM to require minimum length, complexity, and password age. Even if you use key-based SSH, passwords still protect sudo and console access.

3. Lock unused accounts

Disable or lock any default or unused accounts. Every active account is a potential entry point.

4. Configure sudo with least privilege

Do not give blanket sudo access. Use the sudoers file to grant specific commands to specific users or groups.

5. Harden SSH configuration

SSH is your primary attack surface. Apply these critical settings:

6. Install fail2ban

Automatically ban IP addresses after repeated failed login attempts. Essential for any internet-facing server. Configure it to monitor SSH, and optionally your web server and application logs.

7. Enable a host firewall

Use ufw or iptables/nftables to allow only necessary ports. Default deny all incoming traffic.

8. Disable unnecessary services

Every running service is a potential attack vector. List active services and disable anything not needed.

9. Configure network parameters

Harden the network stack with sysctl settings to prevent common network attacks.

10. Enable automatic security updates

Unpatched software is the leading cause of server compromises. Enable unattended security updates.

11. Remove unnecessary packages

Audit installed packages and remove anything that is not required. Compilers, development tools, and debugging utilities should not be on production servers — they make exploitation easier.

12. Set proper mount options

Use restrictive mount options to limit what can happen on each partition.

13. Find and fix insecure permissions

Regularly scan for world-writable files, files without owners, and SUID/SGID binaries.

14. Configure centralized logging

Ship logs to a central server or SIEM. If a server is compromised, local logs can be tampered with. Use rsyslog, systemd-journal-remote, or a log agent (Fluentd, Vector, Filebeat) to forward logs.

15. Enable the Linux audit framework

auditd provides detailed tracking of security-relevant events: file access, system calls, user actions.

16. Set up log rotation

Ensure logs are rotated and retained for an appropriate period. Unrotated logs can fill disks and cause service outages. Configure logrotate for application-specific logs that are not managed by journald.

17. Restrict kernel modules

Prevent loading of unnecessary kernel modules to reduce the kernel attack surface.

18. Enable SELinux or AppArmor

Mandatory Access Controls (MAC) provide an additional security layer beyond traditional file permissions. SELinux (RHEL/CentOS) or AppArmor (Ubuntu/Debian) restrict what each process can access, even if it runs as root. Do not disable these — learn to work with them.

19. Set up intrusion detection

Deploy file integrity monitoring to detect unauthorized changes to system files.

20. Implement regular security scanning

Use tools like Lynis, OpenSCAP, or cloud-native scanners to regularly audit your server against security benchmarks. Automate these scans and review the reports. Security hardening is not a one-time task — it requires continuous monitoring and improvement.