Linux Hardening Guide
AuthorEmmanuel Secretaria
Published Jul 10, 2025
This guide outlines essential steps to harden a Linux server against unauthorized access and attacks. Follow these best practices to enhance your system's security posture.
1. Disable Root SSH Login & Enforce Key Authentication
File to edit:
sudo nano /etc/ssh/sshd_config
Modify or add the following lines:
PermitRootLogin no PasswordAuthentication no PubkeyAuthentication yes
Restart SSH service:
sudo systemctl restart ssh
2. Enable and Configure UFW (Uncomplicated Firewall)
Install UFW:
sudo apt install ufw
Set default policies:
sudo ufw default deny incoming sudo ufw default allow outgoing
Allow SSH traffic:
sudo ufw allow OpenSSH
Enable the firewall:
sudo ufw enable
3. Install and Configure Fail2Ban (Brute-force Protection)
Install Fail2Ban:
sudo apt install fail2ban sudo systemctl enable fail2ban --now
Create jail.local
overrides:
jail.localsudo nano /etc/fail2ban/jail.local
Add the following content:
[sshd] enabled = true port = ssh logpath = %(sshd_log)s backend = systemd maxretry = 3 findtime = 10m bantime = 1h
Restart Fail2Ban:
sudo systemctl restart fail2ban
4. Scan for Open Ports
View open sockets using ss
:
sssudo ss -tuln
Install and use Nmap for deeper port analysis:
sudo apt install nmap nmap -sS -T4 localhost
5. Enable auditd
for System Auditing
auditdInstall auditd
:
auditdsudo apt install auditd
Enable and start the service:
sudo systemctl enable auditd --now
6. Secure Shared Memory
Edit /etc/fstab
:
/etc/fstabsudo nano /etc/fstab
Add the following line:
tmpfs /run/shm tmpfs defaults,noexec,nosuid 0 0
Reboot or remount:
sudo mount -o remount /run/shm
✅ Summary
| Task | Status |
|---|---|
| Disable Root SSH Login | ✅ Done |
| Enable UFW Firewall | ✅ Done |
| Install and Configure Fail2Ban | ✅ Done |
| Scan for Open Ports | ✅ Done |
| Enable auditd Auditing | ✅ Done |
| Harden Shared Memory | ✅ Done |