Boost Your Server Security: Essential SSH, User, and Root Hardening Steps

After finally purchasing a server, it would be disastrous if a hacker compromised it due to negligence.

Here are some simple methods to increase the server's security; my cloud server is configured this way, which, although a bit cumbersome, feels much safer.

Modify SSH Login Configuration

Open the SSH configuration file and adjust the following items:

vim /etc/ssh/sshd_config

# Change the following items
Port 10000
# Change SSH port to a number above 10000 to reduce scanning probability. Open the same port in the firewall (e.g., Alibaba Cloud console) or skip this step.

Protocol 2
# Disable protocol version 1 due to design flaws that make passwords easy to crack.

PermitRootLogin no
# Disallow direct root login; use a regular account and then switch to root with <em>su</em> (prefer <em>su -</em> for a full environment).

PermitEmptyPasswords no
# Disallow empty password logins.

Finally, restart the SSH service:

service sshd restart

Disable System Ping Responses

echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_all

The default value is 0.

User Management

Basic user management commands:

cat /etc/passwd        # List users
cat /etc/group         # List groups
who                    # Show currently logged‑in users
last                    # Show login history

Generally, delete unnecessary default users and groups to prevent brute‑force attacks.

userdel sync
userdel shutdown
# Extra users to delete: sync shutdown halt uucp operator games gopher

groupdel adm
groupdel games
# Extra groups to delete: adm lp games dip

Linux account and password files are /etc/passwd , /etc/shadow , /etc/group , and /etc/gshadow ; protect them by adding the immutable attribute.

chattr +i /etc/passwd
chattr +i /etc/shadow
chattr +i /etc/group
chattr +i /etc/gshadow

To revert, replace +i with -i and run the four commands again.

Note: the i attribute prevents modification, deletion, or renaming of the file; only root can set or clear it.

Create New Users

Command to add a user: adduser username Change a user's password:

passwd username

Regular users have full permissions only in their home directories; for tasks requiring root, use sudo . Remember to adjust /etc/sudoers permissions before editing.

Make /etc/sudoers writable, edit, then restore read‑only permissions:

chmod -v u+w /etc/sudoers   # add write permission
# edit the file, e.g., add a line for a new user
chmod -v u-w /etc/sudoers   # remove write permission

Grant Root Privileges

Method 1: Edit /etc/sudoers, uncomment the line for the wheel group, and add the user to the wheel group.

## Allows people in group wheel to run all commands
# Uncomment the line below
%wheel ALL=(ALL) ALL
# Then add the user to the wheel group, e.g.:
# usermod -g wheel uusama

After this, log in as uusama and run su - to obtain root privileges.

Method 2 (recommended): Add explicit entries for the user in /etc/sudoers:

## Allow root to run any commands anywhere
root ALL=(ALL) ALL
uusama ALL=(ALL) ALL

Now log in as uusama and run sudo -s to gain root privileges.

Method 3: Edit /etc/passwd and change the user's UID to 0.

uusama:x:500:500:tommy:/home/uusama:/bin/bash
# Change to:
uusama:x:0:500:tommy:/home/uusama:/bin/bash

After saving, logging in as uusama provides root privileges directly.

Source: http://uusama.com/69.html (© original author)