DEV Community: Radhitya Rangga Pratama The latest articles on DEV Community by Radhitya Rangga Pratama (@tamaa). https://dev.to/tamaa https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3859709%2F8eb7a00a-002a-4618-91b0-c6100a5de885.jpeg DEV Community: Radhitya Rangga Pratama https://dev.to/tamaa en Stop Leaving Your Doors Open: 5 Essential Steps for Linux Server Hardening Radhitya Rangga Pratama Fri, 03 Apr 2026 15:51:14 +0000 https://dev.to/tamaa/stop-leaving-your-doors-open-5-essential-steps-for-linux-server-hardening-4cg3 https://dev.to/tamaa/stop-leaving-your-doors-open-5-essential-steps-for-linux-server-hardening-4cg3 <p>Setting up a server is easy; keeping it secure is a different story. In an era where automated bots scan for vulnerabilities within seconds of a server going live, "default settings" are your biggest enemy. As a security enthusiast at <strong>NexxaCodeID</strong>, I’ve learned that security isn't just a feature—it’s the foundation.</p> <p>Here is how I implement <strong>Security by Design</strong> to harden Linux infrastructure against modern threats.</p> <ol> <li>##SSH Hardening: The First Line of Defense Your SSH port is the primary target for brute-force attacks. Don't leave the keys under the mat.</li> </ol> <p><strong>Disable Root Login</strong>: Never allow direct root access.</p> <p><strong>Key-Based Auth</strong>: Disable password authentication entirely; use Ed25519 SSH keys.</p> <p><strong>Change Default Port</strong>: Moving from port 22 to a custom port (e.g., 2204) cuts down 90% of bot noise.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code># Edit /etc/ssh/sshd_config Port 2204 PermitRootLogin no PasswordAuthentication no PubkeyAuthentication yes </code></pre> </div> <ol> <li><p><strong>Implement a "Default Deny" Firewall</strong><br> The rule is simple: If it’s not required, it’s closed. Use UFW (Uncomplicated Firewall) to drop all incoming traffic except for essential services like HTTPS and your custom SSH port.</p></li> <li><p><strong>Fail2Ban: Automating the Ban Hammer</strong><br> Bots are persistent. Fail2Ban monitors system logs and automatically jails IP addresses that show malicious signs (like multiple failed login attempts). It’s a set-it-and-forget-it layer of proactive defense.</p></li> <li><p><strong>Zero-Trust Access with Cloudflare Tunnels</strong><br> Industry Standard 2026: Why expose your SSH port to the public internet at all? By using Cloudflare Tunnel (cloudflared), your server doesn't need any inbound ports open. Access is routed through an encrypted tunnel protected by Cloudflare’s Zero Trust dashboard. This makes your server invisible to port scanners.</p></li> <li><p><strong>Automated Security Patching</strong><br> Security fails when software rots. Enable unattended-upgrades to ensure critical security patches are applied the moment they are released, without needing manual intervention.</p></li> </ol> <p><strong>Digital Stewardship</strong>: A Christian Perspective<br> In Cyber Security, we act as stewards of data and privacy. From a Christian ethical standpoint, building secure systems is an act of service—protecting our neighbors' digital lives from those who seek to do harm. Integrity is built when we harden the parts of the system that no one sees, ensuring the safety of those who rely on it.</p> devops linux security tutorial