DEV Community

Fedya

15 Critical Steps to Secure Your Linux Server: Complete Security Guide

Protecting your Linux server isn't just about following a checklist—it's about creating layers of defense that work together to keep your data safe and your services running smoothly.


Why Linux Server Security Matters More Than Ever

A single breach can cost a business thousands of dollars in incident response and years of reputation rebuilding. A default Linux install exposes less attack surface than many other operating systems, but it is not invulnerable: the usual way in is a weak credential, an unpatched service or a misconfiguration, not a flaw in the kernel. The good news is that with layered controls you can make your server a hard, unattractive target.

Whether you're managing a personal VPS, running a startup's infrastructure, or maintaining enterprise servers, this guide will walk you through 15 essential security steps that every Linux administrator should implement.


🔐 Step 1: Secure SSH Access

SSH is usually the first service attackers probe on a new host: within minutes of getting a public IP you will see automated password guessing in the logs. Let's lock it down properly.

Change the Default SSH Port

Moving SSH off port 22 does not stop a targeted attacker (a port scan finds the new port in seconds), but it removes most of the automated password-guessing noise from your logs. Treat it as hygiene, not as a control; the real controls are key-only login and the rate limiting in Step 2.

# Edit SSH configuration
sudo nano /etc/ssh/sshd_config

# Change port (example: use port 2222 instead of 22)
Port 2222

# Validate the file before restarting: a syntax error here locks you out
sudo sshd -t

# Restart SSH service (the unit is "ssh" on Debian/Ubuntu and "sshd" on RHEL-family systems)
sudo systemctl restart ssh

Two distribution gotchas. Ubuntu 22.10 and later start sshd through systemd socket activation (ssh.socket) and ignore the Port directive in sshd_config; the port has to be changed on the socket unit (systemctl edit ssh.socket, replacing the ListenStream value) followed by a daemon-reload. On RHEL-family systems with SELinux enforcing, sshd may not bind a non-standard port until you label it (semanage port -a -t ssh_port_t -p tcp 2222). In both cases, open the new port in the firewall before you restart.

Disable Root SSH Login

# In /etc/ssh/sshd_config
# (the default since OpenSSH 7.0 is prohibit-password, which already blocks root password
# logins; "no" also blocks root key logins, so administer through a named account plus sudo)
PermitRootLogin no

Enable Key-Based Authentication

# Generate SSH key pair on your local machine (Ed25519: small keys, fast, no parameters to get wrong)
ssh-keygen -t ed25519 -C "your_email@example.com"

# Copy public key to server (this still uses your password, once)
ssh-copy-id -p 2222 username@your-server-ip

# Disable password authentication
# In /etc/ssh/sshd_config (or a drop-in under /etc/ssh/sshd_config.d/):
PasswordAuthentication no
PubkeyAuthentication yes
# Close the keyboard-interactive path too, or PAM can still prompt for a password
KbdInteractiveAuthentication no

# Validate and apply
sudo sshd -t && sudo systemctl restart ssh

Check for drop-ins that override you. sshd uses the first value it sees for a keyword, and on Debian/Ubuntu the Include line for /etc/ssh/sshd_config.d/*.conf sits at the top of the file, so a drop-in such as the 50-cloud-init.conf that cloud-init writes wins over anything you put in the main file. sudo sshd -T | grep -i passwordauthentication shows the value the daemon will actually use.

Pro Tip: Keep your current session open and test the key-based login from a second terminal before you set PasswordAuthentication no and restart sshd; if the new login fails you still have a shell to fix it. On a cloud VPS, also confirm you have console access as a last resort.
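sshd takes the first value it sees for each keyword, and on Debian/Ubuntu the `Include /etc/ssh/sshd_config.d/*.conf` line sits at the top of sshd_config, so a drop-in shipped by cloud-init or a package silently wins over anything written further down. The script below is an added example, not code from the article: it resolves keywords with sshd's first-match rule and audits the result against the four settings from this step, so you can see which file actually decides PasswordAuthentication. It assumes bash 4 or later, models Include but not Match blocks, and resolves relative Include paths against the directory of the main file (sshd itself uses /etc/ssh) so that it can run on a copy of your configuration; the demo files it creates are constructed.

```bash
#!/usr/bin/env bash
# Added example (not from the article): resolve sshd_config keywords the way sshd does,
# i.e. the FIRST value seen wins, Include lines are expanded in place and keywords are
# case-insensitive, then audit the effective values against the settings from Step 1.
# Simplifications assumed here: Match blocks are not modelled, and relative Include paths
# resolve against the main file's directory (sshd resolves them against /etc/ssh), so the
# script can be pointed at a copy of your configuration.

# Print "keyword value" pairs in the order sshd would read them.
sshd_flatten() {
    local file="$1" line key val pat inc
    [ -r "$file" ] || return 0
    while IFS= read -r line || [ -n "$line" ]; do
        line="${line%%#*}"                  # strip comments
        set -f; set -- $line; set +f        # split on whitespace without globbing
        [ $# -ge 2 ] || continue            # blank line or keyword without a value
        key="${1,,}"; shift; val="$*"
        if [ "$key" = include ]; then
            set -f
            for pat in $val; do
                case "$pat" in /*) ;; *) pat="$(dirname "$file")/$pat" ;; esac
                set +f
                for inc in $pat; do         # glob is expanded here, in sorted order
                    [ -e "$inc" ] && sshd_flatten "$inc"
                done
                set -f
            done
            set +f
        else
            printf '%s %s\n' "$key" "$val"
        fi
    done < "$file"
}

# Effective value of one keyword; empty output means the compiled-in default applies.
sshd_effective() {
    sshd_flatten "$1" | awk -v k="${2,,}" '$1 == k { sub(/^[^ ]+ /, ""); print; exit }'
}

# Audit the keywords Step 1 hardens. Prints one line per keyword, returns the failure count.
sshd_audit() {
    local cfg="$1" fails=0 key want got
    while read -r key want; do
        got="$(sshd_effective "$cfg" "$key")"
        if [ "${got,,}" = "$want" ]; then
            printf 'OK    %-28s %s\n' "$key" "$got"
        else
            printf 'FAIL  %-28s %s (want %s)\n' "$key" "${got:-unset}" "$want"
            fails=$((fails + 1))
        fi
    done <<'EOF'
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
KbdInteractiveAuthentication no
EOF
    return "$fails"
}

# Constructed demo data: a stock-looking main file plus the hardening drop-in from Step 1.
# Because Include comes first, the drop-in's values are the ones sshd uses.
sshd_demo_dir() {
    local d; d="$(mktemp -d)"
    mkdir -p "$d/sshd_config.d"
    printf '%s\n' 'Include sshd_config.d/*.conf' 'Port 22' \
                  'PermitRootLogin yes' 'PasswordAuthentication yes' > "$d/sshd_config"
    printf '%s\n' 'PermitRootLogin no' 'PasswordAuthentication no' \
                  'PubkeyAuthentication yes' 'KbdInteractiveAuthentication no' \
                  > "$d/sshd_config.d/99-hardening.conf"
    printf '%s\n' "$d"
}

if [ "${BASH_SOURCE[0]}" = "$0" ]; then
    demo="$(sshd_demo_dir)"
    sshd_audit "$demo/sshd_config"                      # four OK lines: the drop-in wins
    rm "$demo/sshd_config.d/99-hardening.conf"          # lose the drop-in ...
    sshd_audit "$demo/sshd_config" || echo "$? setting(s) need fixing"   # ... and four FAIL lines
    rm -r "$demo"
fi
```

Run it against the live file with `sshd_audit /etc/ssh/sshd_config`; `sudo sshd -T` gives the authoritative effective configuration and is the final check before you restart the daemon.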


🛡️ Step 2: Configure a Robust Firewall

UFW (Uncomplicated Firewall) makes firewall management accessible without sacrificing power. Order matters on a remote box: set the default policy and allow SSH first, and only then enable the firewall, or the enable step cuts off your own session.

# Install UFW (preinstalled on Ubuntu; needed on Debian)
sudo apt install ufw

# Default policies
sudo ufw default deny incoming
sudo ufw default allow outgoing

# Allow SSH (adjust port as needed) BEFORE enabling
sudo ufw allow 2222/tcp

# Allow HTTP and HTTPS
sudo ufw allow 80/tcp
sudo ufw allow 443/tcp

# Enable UFW (rules persist across reboots from here on)
sudo ufw enable

# Check status
sudo ufw status verbose

Advanced Firewall Rules

# Rate limiting for SSH: denies a source that opens more than 6 connections in 30 seconds
sudo ufw limit 2222/tcp

# Better still, allow SSH only from networks you control (then delete the open 2222/tcp rule)
sudo ufw allow from 192.168.1.0/24 to any port 2222 proto tcp

UFW has no country-based syntax. Blocking by country needs an external IP-range feed loaded into ipset or nftables, has to be refreshed as allocations change, and is sidestepped by any VPS in an allowed country, so restricting SSH to known source ranges is both simpler and stronger.

👤 Step 3: Implement Proper User Management

Run each service under its own unprivileged account and give people only the rights they need: a compromised daemon then owns one account, not the whole box.

Create Service Users

# Create system user for web services: system UID range, no password, no login shell
# (nologin logs the attempt; /bin/false silently exits)
sudo useradd -r -s /usr/sbin/nologin -d /var/www webuser

# Create regular user with sudo privileges (the admin group is "wheel" on RHEL-family systems)
sudo adduser newadmin
sudo usermod -aG sudo newadmin

Configure Sudo Properly

# Edit sudoers safely: visudo checks the syntax before saving, so a typo cannot lock everyone out of sudo
sudo visudo

# Example: Allow user to run one specific command without a password
username ALL=(ALL) NOPASSWD: /usr/bin/systemctl restart nginx

Keep NOPASSWD entries this narrow. Granting /usr/bin/systemctl without arguments, or any command that opens an editor or pager, is a root shell in disguise: sudo systemctl edit drops into an editor, and most editors can spawn a shell. Put per-user rules in files under /etc/sudoers.d/ rather than in the main file, and check them with visudo -cf before relying on them.

🔄 Step 4: Keep Your System Updated

Automated updates are a lifesaver, but they need thought: by default unattended-upgrades installs only the security pocket and never reboots, so kernel and libc fixes stay inactive until you reboot (or set Unattended-Upgrade::Automatic-Reboot in /etc/apt/apt.conf.d/50unattended-upgrades and pick a reboot window).

# Update package lists and upgrade system
sudo apt update && sudo apt upgrade -y

# Install unattended-upgrades
sudo apt install unattended-upgrades

# Enable automatic security updates (writes /etc/apt/apt.conf.d/20auto-upgrades)
sudo dpkg-reconfigure -plow unattended-upgrades

# Check what it would do now, and read /var/log/unattended-upgrades/ after the first real run
sudo unattended-upgrades --dry-run --debug

Set Up Update Notifications

# Install apticron for email notifications
sudo apt install apticron

# Configure in /etc/apticron/apticron.conf
EMAIL="your-email@domain.com"

🔍 Step 5: Install and Configure Fail2Ban

Fail2Ban is your automated security guard, watching for suspicious activity and taking action.

# Install Fail2Ban
sudo apt install fail2ban

# Do NOT copy jail.conf to jail.local: jail.conf is replaced on upgrades and a full copy freezes
# old defaults. jail.local only needs the settings you change; everything else is inherited.
sudo nano /etc/fail2ban/jail.local

Essential Fail2Ban Configuration

# In /etc/fail2ban/jail.local
[DEFAULT]
# how long a host stays banned, in seconds
bantime = 3600
# window in which failures are counted, in seconds
findtime = 600
# failures inside findtime that trigger a ban
maxretry = 3
# never ban yourself: loopback plus your office or VPN range
ignoreip = 127.0.0.1/8 ::1 your-trusted-ip

[sshd]
enabled = true
# must match the Port you set in sshd_config, or the ban blocks the wrong port and the attacker is never cut off
port = 2222
filter = sshd
logpath = /var/log/auth.log
# on hosts that log only to the journal (no auth.log), replace logpath with:
# backend = systemd
maxretry = 3

Start it and confirm the jail is actually watching something:

sudo systemctl enable --now fail2ban
sudo fail2ban-client status sshd
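To make bantime, findtime and maxretry concrete, here is an added example (not from the article, and not Fail2Ban's own code) of the sliding-window rule Fail2Ban applies: read sshd lines, count failed passwords per client address inside findtime, and report a ban once maxretry is reached. It assumes input in the `journalctl -o short-unix` format (epoch timestamp first) so it needs no date parsing; the log lines are constructed sample data and the addresses are RFC 5737 documentation ranges. Real Fail2Ban also enforces the ban through its firewall action and unbans after bantime; this script only reports.

```bash
#!/usr/bin/env bash
# Added example (not from the article, not Fail2Ban code): the sliding-window rule behind
# findtime/maxretry, run over sshd log lines. Input lines are assumed to look like the output
# of `journalctl -u ssh -o short-unix`, i.e. "<epoch.micros> <host> sshd[<pid>]: <message>",
# which avoids any date parsing. Only "Failed password" events are counted, as a simplification.
# Usage: detect_bruteforce <findtime_seconds> <maxretry> < logfile

detect_bruteforce() {
    awk -v findtime="$1" -v maxretry="$2" '
    /Failed password for/ {
        t = int($1)                                  # epoch seconds
        if (!match($0, / from [0-9.]+/)) next        # client address follows "from "
        ip = substr($0, RSTART + 6, RLENGTH - 6)
        if (ip in banned) next                       # already banned: nothing more to report
        # drop failures that fell out of the window, then append this one
        n = split(hist[ip], ts, " ")
        kept = ""; c = 0
        for (i = 1; i <= n; i++)
            if (t - ts[i] < findtime) { kept = (kept == "" ? "" : kept " ") ts[i]; c++ }
        kept = (kept == "" ? "" : kept " ") t; c++
        hist[ip] = kept
        if (c >= maxretry) {
            banned[ip] = t                           # Fail2Ban would now call its firewall action
            printf "BAN %s at %d after %d failures\n", ip, t, c
        }
    }'
}

# Constructed sample log using documentation address ranges. 203.0.113.7 fails four times in
# three minutes, 198.51.100.5 fails three times but 700 s apart, 192.0.2.10 logs in with a key.
sample_auth_log() {
    cat <<'EOF'
1705054000.000000 web1 sshd[2001]: Failed password for root from 198.51.100.5 port 40001 ssh2
1705054500.000000 web1 sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
1705054560.000000 web1 sshd[2102]: Failed password for invalid user test from 203.0.113.7 port 51240 ssh2
1705054600.000000 web1 sshd[2150]: Accepted publickey for deploy from 192.0.2.10 port 40022 ssh2
1705054620.000000 web1 sshd[2103]: Failed password for root from 203.0.113.7 port 51250 ssh2
1705054680.000000 web1 sshd[2104]: Failed password for root from 203.0.113.7 port 51260 ssh2
1705054700.000000 web1 sshd[2002]: Failed password for root from 198.51.100.5 port 40002 ssh2
1705055400.000000 web1 sshd[2003]: Failed password for root from 198.51.100.5 port 40003 ssh2
EOF
}

# Stand-alone run with the jail.local values from this step: findtime 600, maxretry 3.
# Prints exactly one line, for 203.0.113.7; the slow attacker never trips the threshold.
sample_auth_log | detect_bruteforce 600 3
```

With findtime 100 instead of 600 the same log produces no ban at all, which is the trade-off behind the knob: a short window spares a user who mistypes a password a few times, a long one catches slow, patient guessing.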

🔐 Step 6: Secure Shared Memory

Mount the shared-memory tmpfs without execute, setuid and device permissions, so a process that drops a payload there cannot run it from there. On current Debian and Ubuntu the mount point is /dev/shm (older Ubuntu releases used /run/shm).

# Edit /etc/fstab
sudo nano /etc/fstab

# Add this line:
tmpfs /dev/shm tmpfs defaults,noexec,nosuid,nodev 0 0

# Remount and verify that the options took effect
sudo mount -o remount /dev/shm
findmnt /dev/shm

Caveat: a few applications map executable code in /dev/shm and break under noexec, so test your workloads after remounting. The same options are worth applying to /tmp and /var/tmp.

📊 Step 7: Set Up Comprehensive Logging

You can't protect what you can't see. Proper logging is crucial for security monitoring.

Configure Rsyslog

# Edit rsyslog configuration
sudo nano /etc/rsyslog.conf

# These two inputs (local syslog socket and kernel log) are already loaded in the stock
# Debian/Ubuntu configuration; confirm they are present rather than adding duplicates
module(load="imuxsock")
module(load="imklog")

# Distribution rules live here; put your own rules in a new file alongside it
sudo nano /etc/rsyslog.d/50-default.conf

The single most valuable logging change is to forward a copy of every line to another host as it is written: an intruder who gains root can edit or delete local files, but cannot unsend what has already left the machine. rsyslog does this with an omfwd action (ideally over TLS to a collector you control). At minimum, make journald keep a persistent journal (Storage=persistent in /etc/systemd/journald.conf) so logs survive a reboot.

Install and Configure Logwatch

# Install logwatch
sudo apt install logwatch

# Configure for daily email reports
sudo nano /etc/cron.daily/00logwatch

#!/bin/bash
/usr/sbin/logwatch --output mail --mailto your-email@domain.com --detail high

🚫 Step 8: Disable Unnecessary Services

Every listening service is reachable attack surface, and every running one is code that may carry the next CVE. Remove what you do not need rather than firewalling it.

# List all running services
sudo systemctl list-units --type=service --state=running

# Stop and disable unnecessary services in one step
sudo systemctl disable --now service-name

# Check listening ports (ss replaces the deprecated netstat)
sudo ss -tulpn

Common Services to Review

  • cups (printing service)
  • bluetooth
  • avahi-daemon (network discovery)
  • rpcbind (RPC service)

🛡️ Step 9: Configure SELinux or AppArmor

Mandatory Access Control adds an extra security layer.

For Ubuntu (AppArmor)

# Check AppArmor status (which profiles are loaded, and which are enforcing vs complaining)
sudo apparmor_status

# Install additional profiles and the aa-* helper tools
sudo apt install apparmor-profiles apparmor-utils

# Set a profile to enforce mode. The firefox profile is a desktop example; on a server you
# want the profiles of your network-facing daemons. Run a new profile in complain mode first
# (aa-complain), watch the journal for DENIED entries, then switch it to enforce.
sudo aa-enforce /etc/apparmor.d/usr.bin.firefox

For CentOS/RHEL (SELinux)

# Check SELinux status
sestatus

# Set to enforcing mode for the running system
sudo setenforce 1

# Make permanent
sudo nano /etc/selinux/config
SELINUX=enforcing

When an application misbehaves under SELinux, do not "fix" it with setenforce 0: find the denial with ausearch -m AVC -ts recent and adjust the boolean or file context it points to.

🔐 Step 10: Implement File Integrity Monitoring

Detect unauthorized changes to critical system files.

Install and Configure AIDE

# Install AIDE
sudo apt install aide

# Initialize database (walks the whole filesystem; takes a while)
sudo aideinit

# Move database to final location
sudo mv /var/lib/aide/aide.db.new /var/lib/aide/aide.db

# Run check
sudo aide --check

Two things decide whether AIDE is worth anything. First, the database and the aide binary must be trustworthy: keep a copy of aide.db on read-only or off-host storage and compare against that copy, because an intruder with root can simply re-run aideinit. Second, after every legitimate change (package upgrade, config edit) re-baseline with aide --update and move the new database into place, or the reports fill with expected noise and nobody reads them.

Automate AIDE Checks

# Create cron job for daily checks (check first whether your distribution already schedules one;
# Debian's aide-common package installs a daily run that mails root)
sudo crontab -e

# Add line:
0 2 * * * /usr/bin/aide --check | mail -s "AIDE Report" your-email@domain.com
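AIDE is the right tool for production, but the mechanism is easy to see in miniature. The added example below (not from the article, not AIDE's code) builds a baseline of SHA-256 digests for a directory tree, then compares a later snapshot and classifies each difference as ADDED, DELETED or MODIFIED, which is what an AIDE report boils down to. It uses only coreutils, and the tree it checks is a constructed temporary directory. The same caveat as for AIDE applies: a baseline kept on the monitored host can be regenerated by whoever compromised it, so copy it somewhere read-only or off-host.

```bash
#!/usr/bin/env bash
# Added example (not from the article, not AIDE code): file-integrity monitoring in
# miniature with coreutils only.
#   fim_baseline <dir> <baseline_file>   record "<sha256>  <relative path>" for every regular file
#   fim_check    <dir> <baseline_file>   print ADDED / DELETED / MODIFIED lines; return 1 if any
# Like AIDE, this is only as trustworthy as the baseline: keep it read-only or off-host.

fim_snapshot() {       # digests of all regular files under $1, sorted by path
    (cd "$1" && find . -type f -print0 | sort -z | xargs -0 -r sha256sum)
}

fim_baseline() {
    fim_snapshot "$1" > "$2"
}

fim_check() {
    local dir="$1" base="$2" now report
    now="$(mktemp)"
    fim_snapshot "$dir" > "$now"
    # sha256sum prints "<64 hex chars>  <path>", so the path starts at column 67.
    # Pass 1 loads the baseline; pass 2 classifies each current file; whatever is left
    # in the baseline table at the end has been deleted.
    report="$(awk '
        FILENAME == ARGV[1] { old[substr($0, 67)] = substr($0, 1, 64); next }
        {
            p = substr($0, 67); d = substr($0, 1, 64)
            if (!(p in old))      print "ADDED    " p
            else if (old[p] != d) print "MODIFIED " p
            delete old[p]
        }
        END { for (p in old) print "DELETED  " p }
    ' "$base" "$now" | sort)"
    rm -f "$now"
    [ -z "$report" ] && return 0
    printf '%s\n' "$report"
    return 1
}

# Constructed demo: baseline a small tree, then tamper with a config, plant a file and
# remove a binary, the three kinds of change a real AIDE report would show.
fim_demo() {
    local root rc
    root="$(mktemp -d)"
    mkdir -p "$root/tree/etc" "$root/tree/bin"
    printf 'Port 2222\nPasswordAuthentication no\n' > "$root/tree/etc/sshd_config"
    printf '#!/bin/sh\necho ok\n' > "$root/tree/bin/healthcheck"
    fim_baseline "$root/tree" "$root/baseline.sha256"

    printf 'Port 2222\nPasswordAuthentication yes\n' > "$root/tree/etc/sshd_config"   # tampered
    printf '/tmp/evil.so\n' > "$root/tree/etc/ld.so.preload"                          # planted
    rm "$root/tree/bin/healthcheck"                                                   # removed

    fim_check "$root/tree" "$root/baseline.sha256"   # three lines, exit status 1
    rc=$?
    rm -r "$root"
    return "$rc"
}

if [ "${BASH_SOURCE[0]}" = "$0" ]; then
    fim_demo || echo "integrity check found changes (exit $?)"
fi
```

AIDE adds what this omits: permission, owner, inode and extended-attribute checks, a rule language for what to include, and a compressed database. The workflow is identical, though: baseline, change, compare, and re-baseline after every change you made on purpose.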

🔒 Step 11: Secure Network Services

Secure Apache/Nginx

Hiding version strings only slows down casual fingerprinting (an attacker can still infer the version from behaviour); the real protection is keeping the web server patched. It is still worth the minute it takes.

# Hide server version (Apache)
# In /etc/apache2/conf-available/security.conf:
ServerTokens Prod
ServerSignature Off

# For Nginx
# In /etc/nginx/nginx.conf (http block):
server_tokens off;

SSL/TLS Configuration

# Install Certbot for Let's Encrypt
sudo apt install certbot python3-certbot-nginx

# Get SSL certificate (certbot also edits the nginx server block and installs a renewal timer)
sudo certbot --nginx -d yourdomain.com

# Confirm renewal works before the certificate's 90 days run out
sudo certbot renew --dry-run

# Test that HTTPS answers; -I alone says nothing about protocol or cipher quality
curl -I https://yourdomain.com

Check the negotiated protocol and ciphers with openssl s_client -connect yourdomain.com:443 or an external scanner, make sure the nginx ssl_protocols directive excludes TLS 1.0 and 1.1, and redirect plain HTTP to HTTPS.

📈 Step 12: Monitor System Resources

Keep an eye on system performance and detect anomalies.

Install System Monitoring Tools

# Install htop, iotop and the ss/ip tools (iproute2 replaces the deprecated net-tools package)
sudo apt install htop iotop iproute2

# For fleet-wide monitoring, install a proper monitoring server (the nagios3 package was dropped
# from current Debian and Ubuntu releases; nagios4 is its successor, or use Prometheus or Zabbix)
sudo apt install nagios4

Set Up Resource Alerts

# Create script to monitor disk usage
sudo nano /usr/local/bin/disk-alert.sh

#!/bin/bash
# Mail an alert for every filesystem above THRESHOLD percent used.
THRESHOLD=80
# -P forces one line per filesystem; pass the threshold in with -v, because inside awk's
# single quotes $THRESHOLD would be an unset awk variable, not the shell value
df -hP | awk -v t="$THRESHOLD" 'NR>1 && $5+0 > t' | \
while read -r line; do
    echo "Disk usage alert: $line" | mail -s "Disk Alert on $(hostname)" your-email@domain.com
done

🔍 Step 13: Implement Network Monitoring

Install and Configure nmap for Network Discovery

Scan your own hosts from outside to see what an attacker sees, and compare the result with what you expect and with the firewall rules from Step 2.

# Install nmap
sudo apt install nmap

# Scan your own server for open ports (a SYN scan needs root; -A adds version and OS
# detection, which is noisy, so use it on your own systems only)
sudo nmap -sS -T4 -A your-server-ip

# Create network monitoring script: keep the previous host list and report what changed
sudo nano /usr/local/bin/network-scan.sh

#!/bin/bash
# Ping-sweep the LAN, keep a sorted list of live hosts, and diff it against the last run so
# a new device shows up as a change instead of one line among many
LOG=/var/log/network-scan
nmap -sn -oG - 192.168.1.0/24 | awk '/Status: Up/ {print $2}' | sort > "$LOG.new"
[ -f "$LOG.prev" ] && diff "$LOG.prev" "$LOG.new"
mv "$LOG.new" "$LOG.prev"

Use ss for Connection Monitoring

# Monitor active connections (netstat is deprecated; ss is its replacement)
ss -tn state established

# Check for listening services and the process behind each
sudo ss -tlnp

🔐 Step 14: Backup and Recovery Strategy

Security isn't just about prevention—it's also about recovery.

Automated Backup Script

# Create backup script
sudo nano /usr/local/bin/backup.sh

#!/bin/bash
BACKUP_DIR="/backup"
DATE=$(date +%Y%m%d_%H%M%S)
mkdir -p "$BACKUP_DIR"

# Backup important directories (add application data and database dumps as needed)
tar -czf "$BACKUP_DIR/system_backup_$DATE.tar.gz" \
  /etc \
  /home \
  /var/www \
  /var/log

# Remove archives older than 7 days. Note that this is age-based: after a week of failed
# runs it deletes the last good copy, so prefer count-based retention if the job can fail silently
find "$BACKUP_DIR" -name "system_backup_*.tar.gz" -mtime +7 -delete

# Make executable (run once from the shell, not inside the script)
sudo chmod +x /usr/local/bin/backup.sh

# Add to root's crontab (sudo crontab -e) for daily execution
0 3 * * * /usr/local/bin/backup.sh

A backup on the same disk as the data it protects does not survive a ransomware run or a dying drive, and an archive nobody has ever restored from is a hope, not a backup. Copy the archives to a separate volume or remote store, encrypt them before they leave the host, and restore one onto a scratch machine at least quarterly.
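The script above has two weak points a practitioner would fix first: find -mtime +7 deletes by age rather than keeping the newest seven, and nothing ever checks that an archive can be restored. The added example below (not from the article) keeps the N newest archives by name and verifies each new archive against the source with GNU tar's --diff, which is a cheap, automatic restore test. It writes to a temporary directory with constructed data; on a real host the destination should be a separate volume or a staging area for an off-host copy, and the archive should be encrypted before it leaves the machine (a step this example leaves out).

```bash
#!/usr/bin/env bash
# Added example (not from the article): backup with an automatic restore check and
# count-based retention. Needs GNU tar and coreutils.
#   make_backup   <src_dir> <dest_dir>  create an archive, verify it, print its path (exit 1 on failure)
#   list_backups  <dest_dir>            archives oldest to newest
#   prune_backups <dest_dir> <keep_n>   delete all but the newest <keep_n> archives
# Assumptions: the timestamp in the file name sorts chronologically, and <dest_dir> is a
# separate volume or a staging area for off-host copy. Encryption is out of scope here.

make_backup() {
    local src="$1" dest="$2" archive
    mkdir -p "$dest"
    archive="$dest/system_backup_$(date +%Y%m%d_%H%M%S).tar.gz"
    # -C makes member names relative; --one-file-system keeps /proc, /sys and other mounts out
    tar --one-file-system -czf "$archive" -C "$src" . || return 1
    # Restore test: --diff reads the whole archive back and compares every member (content,
    # permissions, owner, mtime) with the source tree. A bad archive is deleted, not kept.
    if ! tar --diff -zf "$archive" -C "$src" >/dev/null 2>&1; then
        rm -f -- "$archive"
        return 1
    fi
    printf '%s\n' "$archive"
}

list_backups() {
    find "$1" -maxdepth 1 -name 'system_backup_*.tar.gz' | sort
}

prune_backups() {
    local old
    # Age-based deletion (find -mtime +7) removes every copy after a week of failed runs;
    # keeping the N newest cannot. head -n -N prints all but the last N lines.
    list_backups "$1" | head -n -"$2" | while IFS= read -r old; do
        rm -f -- "$old"
    done
}

# Stand-alone demo on a constructed tree (not a real /etc).
if [ "${BASH_SOURCE[0]}" = "$0" ]; then
    work="$(mktemp -d)"
    mkdir -p "$work/src/etc"
    printf 'Port 2222\n' > "$work/src/etc/sshd_config"
    new="$(make_backup "$work/src" "$work/backups")" && echo "created and verified: $new"
    # pretend six older daily runs exist, then keep only the three newest
    for day in 01 02 03 04 05 06; do : > "$work/backups/system_backup_202401${day}_030000.tar.gz"; done
    prune_backups "$work/backups" 3
    list_backups "$work/backups"      # two fakes from January plus the archive just made
    rm -r "$work"
fi
```

The restore test only proves that the archive matched the source when it was written; a periodic restore onto a scratch machine proves you can actually rebuild from it. Ship the archives off-host (rsync, or an object store with versioning) once they pass.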

🔬 Step 15: Regular Security Auditing

Install Security Scanning Tools

# Install Lynis for security auditing
sudo apt install lynis

# Run security audit (the machine-readable findings land in /var/log/lynis-report.dat)
sudo lynis audit system

# Install chkrootkit for rootkit detection
sudo apt install chkrootkit
sudo chkrootkit

Both tools run on the host they inspect, so a rootkit good enough to hide from the kernel also hides from them. Treat a clean result as the absence of known bad patterns, not as proof of integrity, and examine a suspicious host from trusted boot media. Expect a few chkrootkit false positives (it flags some legitimate binaries and hidden files) and confirm them before acting.

Create Security Audit Checklist

Regular audits should include:

  • Review user accounts and permissions
  • Check for unnecessary running services
  • Analyze log files for suspicious activity
  • Update security policies and procedures
  • Test backup and recovery procedures
  • Review and update firewall rules

🎯 Putting It All Together: Your Security Action Plan

Now that you have all 15 steps, here's how to implement them effectively:

Week 1: Foundation

  • Steps 1-3: SSH, Firewall, User Management
  • Test everything thoroughly

Week 2: Monitoring and Protection

  • Steps 4-8: Updates, Fail2Ban, Logging, Services
  • Set up automated processes

Week 3: Advanced Security

  • Steps 9-12: SELinux/AppArmor, File Integrity, SSL, Monitoring
  • Fine-tune configurations

Week 4: Maintenance and Auditing

  • Steps 13-15: Network monitoring, Backups, Auditing
  • Establish ongoing procedures

🚀 Beyond the Basics: Next Steps

Once you've implemented these 15 steps, consider these advanced security measures:

  • Intrusion Detection Systems (IDS) like Suricata or Snort
  • Web Application Firewalls (WAF) for web servers
  • Container security if using Docker or Kubernetes
  • Zero-trust networking principles
  • Regular penetration testing

💡 Final Thoughts

Server security is not a destination—it's a journey. The threat landscape constantly evolves, and so should your defenses. These 15 steps provide a solid foundation, but remember:

  • Document everything: Keep detailed records of your configurations
  • Test regularly: Verify that your security measures work as expected
  • Stay informed: Follow security advisories for your Linux distribution
  • Plan for incidents: Have a response plan ready before you need it

The time you invest in securing your Linux server today will save you countless hours and potential headaches tomorrow. Start with the basics, build gradually, and always prioritize understanding over blind implementation.


What's your experience with Linux server security? Have you implemented any of these steps, or do you have additional recommendations? Share your thoughts in the comments below!


Happy securing! 🛡️

Top comments (1)

dedicatedcloud

Great post. Not sure if it's a mistake or not, but I don't think it should take 4 weeks to implement the 15 steps.