Linux Security Hardening for Servers: A Checklist to Lock Down Your System.

By Noman Mohammad

Linux Security Hardening: A Quick Guide You Can Actually Use

I remember the first time I got hacked. One morning my server was spewing spam at 3 AM. My inbox? Flooded with angry emails. Zero sleep that night.

The fix was simpler than I feared. Here’s what I learned in plain English.

Start Here: Update Everything

The basics everyone skips.

  • Run *sudo apt update && sudo apt upgrade -y* right now
  • Or *sudo yum update -y* if you’re on RHEL
  • Then let your server patch itself every night: *sudo apt install unattended-upgrades -y*
  • Finally clear the junk: *sudo apt autoremove*

Takes 5 minutes. 70% of breaches could’ve been stopped by this alone. NCSC proved it.

Lock the Front Door

SSH is the way into your box. Make it painful for attackers.

Create Your Non-Root User

Don’t use root. Period.

sudo adduser alice
sudo usermod -aG sudo alice

Ban Passwords Forever

SSH keys only:

  • Type ssh-keygen on your laptop
  • Cat the **.pub** file
  • Paste into ~alice/.ssh/authorized_keys

Two Tiny Tweaks That Matter

sudo nano /etc/ssh/sshd_config

Add:

Port 2222
PermitRootLogin no
PasswordAuthentication no

Restart: *sudo systemctl restart sshd*

Your logs will drop from hundreds of tries per day to maybe three.
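
The "Add:" step above has a trap: sshd uses the first value it reads for most keywords, so lines appended to a file that already sets the same keyword are ignored. The following check is an added example, not code from the original post; the function names (`effective_value`, `listen_ports`, `check_hardening`) and the sample config are constructed for illustration, and the parser does not follow `Include` lines.

```shell
# Added example, not the article's code. sshd keeps the FIRST value it reads
# for most keywords, so lines appended to sshd_config can be silently ignored.

# Effective global value of single-valued keyword $2 in file $1: skips comments
# and blank lines, is case-insensitive, stops at the first Match block.
effective_value() {
    awk -v want="$2" '
        /^[ \t]*(#|$)/ { next }
        tolower($1) == "match" { exit }
        tolower($1) == tolower(want) { print tolower($2); exit }
    ' "$1"
}

# Port is the exception: every global Port line adds a listener.
# With no Port line at all, sshd listens on its default, 22.
listen_ports() {
    awk '
        /^[ \t]*(#|$)/ { next }
        tolower($1) == "match" { exit }
        tolower($1) == "port" { printf "%s%s", sep, $2; sep = " "; n++ }
        END { if (!n) printf "22"; print "" }
    ' "$1"
}

# Status 0 only if the article's three settings are the effective ones.
# $2 is the SSH port you picked (2222 in the article).
check_hardening() {
    rc=0
    for key in PermitRootLogin PasswordAuthentication; do
        val=$(effective_value "$1" "$key")
        [ "$val" = "no" ] || { echo "FAIL $key is '${val:-unset}'"; rc=1; }
    done
    ports=$(listen_ports "$1")
    [ "$ports" = "${2:-2222}" ] || { echo "FAIL listening on: $ports"; rc=1; }
    return $rc
}

# Constructed sample: an earlier "PasswordAuthentication yes" followed by
# the article's three lines appended at the bottom.
SAMPLE=$(mktemp)
trap 'rm -f "$SAMPLE"' EXIT
cat > "$SAMPLE" <<'EOF'
#Port 22
PasswordAuthentication yes
Port 2222
PermitRootLogin no
PasswordAuthentication no
EOF
check_hardening "$SAMPLE" 2222 || echo "appended lines did not all take effect"
```

On a live host, *sudo sshd -t* validates the file before you restart, and *sudo sshd -T* prints the configuration sshd will actually use, including anything pulled in by Include.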

Firewall in 60 Seconds

Ubuntu makes this stupid-simple.

sudo ufw allow 2222   # or whatever port you picked
sudo ufw allow http
sudo ufw allow https
sudo ufw --force enable

Done. Your server now ignores door-knockers.

Install a Bouncer

Fail2ban — literally bans IP addresses after three failed logins:

sudo apt install fail2ban

Done. I had zero brute-force attempts after adding this.

Hide Your Stuff

List every enabled service:

sudo systemctl list-unit-files | grep enabled

See anything you don’t recognize? Kill it:

sudo systemctl stop some-service
sudo systemctl disable some-service

File Permissions That Save You

Two commands. Run them now:

sudo chmod 600 /etc/ssh/sshd_config
sudo chmod 700 /etc/cron* /etc/at*

Your SSH settings are now locked down tighter than my coffee pot on a Monday.

Add Echoes for Audit Trails

Know what’s changing.

sudo apt install auditd
sudo auditctl -e 1

Then grab AIDE to watch your files:

sudo apt install aide
sudo aideinit

Quick Win: Encrypted Backups

My old backup? A USB stick in my basement.

New backup:

sudo apt install restic
restic init --repo /srv/backup

Schedule it with cron. Back up nightly. Sleep like a baby.

Web Server Add-On (If You Run One)

  • Get **free SSL** from Let’s Encrypt: *sudo apt install certbot python3-certbot-nginx*
  • Only allow **TLS 1.3** (so your customers use the latest crypto):
    ssl_protocols TLSv1.3;

Test Everything

sudo lynis audit system

Lynis tells you what you missed. Fix the red stuff.

After You’re Done

Run *sudo ss -tulpn*.
Only ports you expect should show up.
If port 3306 is open and you don’t run MySQL?
That’s your next fire drill.


Monthly Ritual

  • Monday 9 AM: patch and reboot
  • Check logs for weird IPs
  • Verify backup by restoring a single file

Thirty minutes once a month saves you _weeks_ of panicky cleanup.

Print this page. Tape it near your box. Consider yourself 10× safer than 90 % of servers I still see online.
