Hey, Is Your Linux Server the Easiest Target on the Block?
Last week I got a 3 a.m. page. A tiny Ubuntu box I’d spun up for a side project was mining crypto for someone in Latvia. My mistake? I skipped the final “lock the door” step after install. One missing patch, one lazy firewall rule, and boom—my CPU was somebody else’s paycheck.
IBM says the average breach now costs $4.45 million. I didn’t lose millions, but I did lose a weekend and a lot of sleep. If you’d rather not repeat my story, let’s walk through a real-world checklist you can finish this afternoon.
First, the Mindset Shift
Think of your server like your house. You wouldn’t leave the front door open because the alarm is “probably” on. Same deal here: layers, not luck.
The 2025 Lock-Down List (Copy-Paste Friendly)
1. Patch Day = Today
- Turn on auto-updates. On Debian/Ubuntu: `sudo apt install unattended-upgrades`.
- Skip the reboot downtime. Try `libcare-plus` for live kernel patches so you don't kick users off.
- Firmware counts too. Run `fwupdmgr update` every month. Yes, BIOS patches are boring—until you miss one.
2. Kill the Root Password
- SSH keys only. Run `ssh-copy-id user@server`, then set `PasswordAuthentication no` in `/etc/ssh/sshd_config`. Keep your current session open and confirm that key login works from a second terminal before you restart sshd, or you lock yourself out.
- Disable root login entirely. Add `PermitRootLogin no` to that same file.
- Add MFA. I use Google Authenticator (the `libpam-google-authenticator` package on Debian/Ubuntu); takes 90 seconds to set up and stops 99% of drive-by bots.
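A quick self-check for the two sshd settings above, as an added example that is not part of the original post. It matters because sshd keeps the first value it reads for a keyword: a hardened line appended at the bottom of the file loses to an earlier one. The sample config and the `sshd_setting`/`check_sshd` helpers are constructed for this example.

```shell
#!/bin/sh
# Added example, not from the original post: check an sshd_config for the two
# settings set in this section. sshd keeps the FIRST value it reads for a
# keyword, so a hardened line appended at the bottom loses to an earlier one.

# Print the effective value of KEY in FILE: first match wins, keywords are
# case-insensitive, comments and blank lines are skipped. Prints nothing when
# the keyword never appears (sshd then uses its compiled-in default).
sshd_setting() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        tolower($1) == key { print $2; exit }
    ' "$1"
}

# Report every setting that is not what the checklist wants.
# Returns 0 when all are correct, 1 otherwise.
check_sshd() {
    file=$1; rc=0
    for pair in PasswordAuthentication=no PermitRootLogin=no; do
        key=${pair%=*}; want=${pair#*=}
        got=$(sshd_setting "$file" "$key")
        [ -z "$got" ] && got="unset"
        if [ "$got" != "$want" ]; then
            echo "FAIL: $key is '$got', want '$want'"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample: a provisioning script wrote "yes" near the top and the
# admin appended "no" later, so password logins are still allowed.
SAMPLE=$(mktemp)
trap 'rm -f "$SAMPLE"' EXIT
cat >"$SAMPLE" <<'EOF'
# /etc/ssh/sshd_config (constructed sample)
Port 22
PasswordAuthentication yes
PermitRootLogin no

# appended during hardening, silently ignored by sshd:
PasswordAuthentication no
EOF

if check_sshd "$SAMPLE"; then
    echo "sshd_config looks locked down"
else
    echo "fix the lines above, then: sudo sshd -t && sudo systemctl restart ssh"
fi
```

The script reads one file and does not follow `Include` directives. Ubuntu's `/etc/ssh/sshd_config` starts with `Include /etc/ssh/sshd_config.d/*.conf`, so a drop-in there wins over anything in the main file; `sudo sshd -T | grep -i passwordauthentication` prints the merged result the daemon will actually use.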
3. Build a Tiny Digital Fence
- Only open what you need. With `nftables` (the table and chain must exist before rules can be added to them; the chain's drop policy replaces a trailing catch-all drop rule):
```
sudo nft add table inet filter
sudo nft add chain inet filter input '{ type filter hook input priority 0; policy drop; }'
sudo nft add rule inet filter input iif lo accept                        # local services (DNS stub resolver, etc.)
sudo nft add rule inet filter input ct state established,related accept  # replies to connections this host opened
sudo nft add rule inet filter input tcp dport 22 accept
```
- Hide SSH behind WireGuard. Spin up `wg-quick`, then make sshd listen only on its tunnel address (`ListenAddress 10.0.0.1` for a `10.0.0.1/24` tunnel) and drop the public port 22 rule. No public port 22 = far fewer logs to read.
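The complete ruleset for the "only SSH, and only through WireGuard" setup described above, as an added example rather than the post's own commands. It loads the rules atomically from a file (`nft -f`) instead of one rule at a time, so there is no window with a half-built chain. Assumed, because the post does not say: the tunnel interface is `wg0` (wg-quick's default name) and WireGuard listens on UDP 51820 (its default); the `render_ruleset`, `ssh_only_via_tunnel` and `install_ruleset` helpers are constructed for this example.

```shell
#!/bin/sh
# Added example, not from the original post: a complete nftables ruleset for
# "SSH only, and only through WireGuard", loaded atomically from a file instead
# of rule by rule. Assumptions: the tunnel interface is wg0 (wg-quick's default
# name) and WireGuard listens on UDP 51820 (its default); override with WG_IF
# and WG_PORT.

WG_IF=${WG_IF:-wg0}
WG_PORT=${WG_PORT:-51820}

# Print the ruleset in nft's file format.
render_ruleset() {
    cat <<EOF
#!/usr/sbin/nft -f
flush ruleset

table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;

        iif lo accept                            # local services (stub resolver etc.)
        ct state established,related accept      # replies to traffic this host started
        ct state invalid drop

        udp dport $WG_PORT accept                # WireGuard handshakes on the public side
        iifname "$WG_IF" tcp dport 22 accept     # SSH only from inside the tunnel

        meta l4proto { icmp, ipv6-icmp } accept  # ping, path-MTU and neighbour discovery
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
    }
    chain output {
        type filter hook output priority 0; policy accept;
    }
}
EOF
}

# Read a ruleset on stdin; succeed only if every rule accepting TCP/22 is tied
# to the tunnel interface, i.e. SSH is never reachable on a public address.
ssh_only_via_tunnel() {
    awk -v wg="$WG_IF" '
        /tcp dport 22/ && /accept/ && index($0, "iifname \"" wg "\"") == 0 { bad = 1 }
        END { if (bad) exit 1 }'
}

# Write the ruleset, syntax-check it (nft -c), then load it. Keep a second SSH
# session open while you do this so a typo cannot lock you out; on Debian and
# Ubuntu "systemctl enable nftables" reloads /etc/nftables.conf at boot.
install_ruleset() {
    dest=${1:-/etc/nftables.conf}
    render_ruleset >"$dest" || return 1
    nft -c -f "$dest" && nft -f "$dest"
}

# Stand-alone run: preview the ruleset and the public-SSH check.
render_ruleset
if render_ruleset | ssh_only_via_tunnel; then
    echo "# ok: port 22 is reachable only via $WG_IF"
fi
```

Run `install_ruleset` as root once the preview looks right. The `ssh_only_via_tunnel` check is a cheap guard to keep in a deploy script: if someone later adds a plain `tcp dport 22 accept` line, the check fails before the ruleset is loaded.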
4. Guard the Kernel
- Switch on SELinux or AppArmor. I use AppArmor because the profiles are easier to read. One line in `/etc/default/grub` (append to whatever `GRUB_CMDLINE_LINUX_DEFAULT` already holds, usually `quiet splash`, rather than replacing it; on Ubuntu AppArmor is on by default, so check `sudo aa-status` first):
```
GRUB_CMDLINE_LINUX_DEFAULT="apparmor=1 security=apparmor"
sudo update-grub && sudo reboot
```
- Lock the kernel. Add `lockdown=confidentiality` to the same line. Even root can't tamper with kernel modules now: only modules signed with a key the kernel trusts will load, so DKMS-built third-party drivers stop working unless you sign them.
5. Encrypt Everything
- Full-disk LUKS2. Most installers offer it—just tick the box. Save the recovery key in a password manager.
- Make temp folders boring. Mount `/tmp` and `/var/tmp` with `noexec,nosuid,nodev` in `/etc/fstab`. Malware hates that.
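A check that the mount options above are really in effect, as an added example that is not from the original post. It reads `/proc/mounts` (what the kernel applied) rather than `/etc/fstab` (what was promised), because a typo in fstab or a later bind mount leaves the directory executable without any error. The sample mount table and the `missing_opts`/`audit_tmp_mounts` helpers are constructed for this example.

```shell
#!/bin/sh
# Added example, not from the original post: verify that /tmp and /var/tmp are
# mounted noexec,nosuid,nodev by reading /proc/mounts, i.e. what the kernel
# actually applied rather than what /etc/fstab promises.

REQUIRED="noexec nosuid nodev"

# For one /proc/mounts line, print the required options that are missing,
# space-separated (empty output means all present).
# /proc/mounts fields: device mountpoint fstype options dump pass
missing_opts() {
    opts=$(printf '%s\n' "$1" | awk '{ print $4 }')
    miss=""
    for want in $REQUIRED; do
        case ",$opts," in
            *",$want,"*) ;;
            *) miss="$miss${miss:+ }$want" ;;
        esac
    done
    printf '%s\n' "$miss"
}

# Audit both temp directories in a mount table (default: the live one).
# The last line for a mountpoint wins, as it does for stacked mounts.
# Prints one line per problem and returns 1 if anything is wrong.
audit_tmp_mounts() {
    table=${1:-/proc/mounts}; rc=0
    for mp in /tmp /var/tmp; do
        line=$(awk -v mp="$mp" '$2 == mp { l = $0 } END { print l }' "$table")
        if [ -z "$line" ]; then
            echo "$mp: not a separate mount (inherits the root filesystem's options)"
            rc=1; continue
        fi
        miss=$(missing_opts "$line")
        if [ -n "$miss" ]; then
            echo "$mp: missing $miss"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample mount table: /tmp is right, /var/tmp lacks noexec.
SAMPLE=$(mktemp)
trap 'rm -f "$SAMPLE"' EXIT
cat >"$SAMPLE" <<'EOF'
/dev/mapper/root / ext4 rw,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,noexec,relatime,size=1048576k 0 0
/dev/mapper/root /var/tmp ext4 rw,nosuid,nodev,relatime 0 0
EOF

audit_tmp_mounts "$SAMPLE" || echo "fix /etc/fstab, then: sudo mount -o remount /var/tmp"
```

The matching fstab entry for a RAM-backed `/tmp` is `tmpfs /tmp tmpfs defaults,noexec,nosuid,nodev 0 0`; `findmnt -o TARGET,OPTIONS /tmp` shows the same information the script parses. Some package post-install scripts expect to run from `/tmp`, so run a full `apt upgrade` after the change to see whether anything on your box objects.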
6. Watch Like a Hawk
- Ship logs somewhere safe. I send mine to a $5 VPS running Loki and Grafana. One command (fetch and read the script before piping it into `sh`; it installs the `logcli` query client, while the agent that actually ships logs, Promtail or its successor Grafana Alloy, is a separate install):
```
curl -sSL https://raw.githubusercontent.com/grafana/loki/main/tools/logcli/install.sh | sh
```
- Audit the big stuff. Add this to `/etc/audit/rules.d/audit.rules`, then load it with `sudo augenrules --load` and confirm with `sudo auditctl -l`:
```
# writes and attribute changes to the account database
-w /etc/passwd -p wa -k usermod
# every execution of sudo
-w /usr/bin/sudo -p x -k priv_esc
```
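What to do with the records those two rules produce, as an added example that is not from the original post: three small triage queries run over constructed audit log lines shaped like `/var/log/audit/audit.log` SYSCALL records. The `hits_per_key`, `failed_sudo` and `sudo_without_login` helpers and the sample records are constructed for this example; on a real host `ausearch -k priv_esc -i` pulls the same records.

```shell
#!/bin/sh
# Added example, not from the original post: triage auditd output from the
# usermod and priv_esc watch rules. Sample records are constructed to look
# like /var/log/audit/audit.log; on a live host use: ausearch -k priv_esc -i

SAMPLE=$(mktemp)
trap 'rm -f "$SAMPLE"' EXIT
cat >"$SAMPLE" <<'EOF'
type=SYSCALL msg=audit(1718000000.101:4001): arch=c000003e syscall=59 success=yes exit=0 ppid=2211 pid=2390 auid=1000 uid=1000 gid=1000 comm="sudo" exe="/usr/bin/sudo" key="priv_esc"
type=EXECVE msg=audit(1718000000.101:4001): argc=3 a0="sudo" a1="apt" a2="update"
type=SYSCALL msg=audit(1718000003.550:4002): arch=c000003e syscall=257 success=yes exit=3 ppid=2390 pid=2391 auid=1000 uid=0 gid=0 comm="usermod" exe="/usr/sbin/usermod" key="usermod"
type=PATH msg=audit(1718000003.550:4002): item=0 name="/etc/passwd" mode=0100644
type=SYSCALL msg=audit(1718000120.002:4003): arch=c000003e syscall=59 success=no exit=-13 ppid=3001 pid=3002 auid=1001 uid=1001 gid=1001 comm="sudo" exe="/usr/bin/sudo" key="priv_esc"
type=SYSCALL msg=audit(1718000121.009:4004): arch=c000003e syscall=59 success=yes exit=0 ppid=4000 pid=4001 auid=4294967295 uid=33 gid=33 comm="sudo" exe="/usr/bin/sudo" key="priv_esc"
EOF

# Count SYSCALL records per rule key; prints "key count" lines sorted by key.
# A sudden jump in one key's count is the first thing to graph.
hits_per_key() {
    awk '
        $1 == "type=SYSCALL" {
            for (i = 1; i <= NF; i++)
                if (sub(/^key="?/, "", $i)) { sub(/"$/, "", $i); n[$i]++ }
        }
        END { for (k in n) print k, n[k] }' "$1" | sort
}

# Number of sudo executions that failed (success=no). Several failures from
# the same auid in a short window look like guessing or a probing script.
failed_sudo() {
    awk '$1 == "type=SYSCALL" && /key="priv_esc"/ && /success=no/ { c++ }
         END { print c + 0 }' "$1"
}

# sudo runs with no login session attached: auid=4294967295 is the kernel's
# "unset" marker, normal for daemons but not for sudo. A service account such
# as www-data (uid 33) invoking sudo is exactly what a web shell looks like.
# Prints "epoch-seconds uid comm" per record.
sudo_without_login() {
    awk '
        $1 == "type=SYSCALL" && /key="priv_esc"/ && /auid=4294967295/ {
            ts = $2; sub(/^msg=audit\(/, "", ts); sub(/\..*/, "", ts)
            uid = ""; comm = ""
            for (i = 1; i <= NF; i++) {
                if (sub(/^uid=/, "", $i)) uid = $i
                if (sub(/^comm=/, "", $i)) { comm = $i; gsub(/"/, "", comm) }
            }
            print ts, uid, comm
        }' "$1"
}

echo "== hits per rule key =="; hits_per_key "$SAMPLE"
echo "== failed sudo attempts: $(failed_sudo "$SAMPLE")"
echo "== sudo without a login session (epoch uid comm) =="; sudo_without_login "$SAMPLE"
```

The third query is the one worth alerting on from Loki: every legitimate sudo on a server comes from an interactive login with a real auid, so a record with auid unset means a process that never passed through a login, typically a service, ran sudo.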