Essential Linux Server Hardening Steps for Production Environments
Securing a Linux server is one of the most important responsibilities of a system administrator. A poorly configured server can become vulnerable to brute-force attacks, malware, privilege escalation, and unauthorized access.
In this article, I will share some essential Linux server hardening steps that I usually apply after deploying a fresh Ubuntu or Debian server for production use.
1. Update System Packages
The first thing I do is update all installed packages and security patches.
sudo apt update && sudo apt upgrade -y
Keeping packages updated reduces security vulnerabilities and improves server stability.
2. Create a Non-Root Sudo User
Using the root account directly is risky. Instead, create a separate sudo user.
adduser sovrab
usermod -aG sudo sovrab
This improves accountability and reduces direct root exposure.
3. Disable Root SSH Login
Root login through SSH should be disabled to prevent brute-force attacks.
Edit the SSH configuration file:
sudo nano /etc/ssh/sshd_config
Find:
PermitRootLogin yes
Change it to:
PermitRootLogin no
Restart SSH service:
sudo systemctl restart ssh
4. Change Default SSH Port
Changing the default SSH port from 22 to another custom port helps reduce automated attack attempts.
Example:
Port 2222
Do not forget to allow the new port through the firewall.
5. Configure UFW Firewall
Ubuntu ships with UFW (Uncomplicated Firewall), which is easy to configure.
Allow SSH port:
sudo ufw allow 2222/tcp
Enable firewall:
sudo ufw enable
Check status:
sudo ufw status
6. Install Fail2Ban
Fail2Ban protects servers from repeated failed login attempts.
Install:
sudo apt install fail2ban -y
Enable and start:
sudo systemctl enable fail2ban
sudo systemctl start fail2ban
Check status:
sudo fail2ban-client status
7. Configure Automatic Security Updates
Automatic security updates help patch vulnerabilities quickly.
Install unattended upgrades:
sudo apt install unattended-upgrades
Enable:
sudo dpkg-reconfigure unattended-upgrades
8. Disable Unused Services
Unused services increase attack surfaces.
Check running services:
sudo systemctl list-units --type=service
Disable unnecessary services:
sudo systemctl disable service-name
9. Monitor Server Resources
Resource monitoring helps detect unusual activity and performance bottlenecks.
Useful commands:
htop
df -h
free -m
uptime
10. Secure Shared Hosting Environments
For cPanel or shared hosting servers, additional security measures are recommended:
- Configure CSF firewall
- Enable ModSecurity
- Harden PHP functions
- Use CloudLinux isolation
- Enable ImunifyAV or Imunify360
- Configure secure backups
11. Backup Strategy
Backups are critical for disaster recovery.
Important backup locations:
- Website files
- MySQL databases
- Configuration files
- DNS zones
- Email accounts
I usually automate backups using shell scripts and remote storage solutions.
12. Docker Security Basics
If Docker is installed:
- Avoid running containers as root
- Use trusted images only
- Keep images updated
- Limit container privileges
- Monitor exposed ports
Check containers:
docker ps
Conclusion
Linux server hardening is not a one-time task. Security requires continuous monitoring, patching, auditing, and optimization.
A properly secured Linux server improves reliability, uptime, and infrastructure stability while reducing security risks.
As a Linux System Administrator and Server Engineer, I regularly work with Linux servers, cloud infrastructure, Docker, cPanel, hosting technologies, and production environment optimization.
🌐 Portfolio:
https://sovrabroy.online
Top comments (0)