Boost Your Server Security: Essential SSH, User, and Sudo Hardening Steps
This guide walks you through practical Linux server hardening techniques—including SSH configuration tweaks, disabling ICMP ping responses, managing system users and groups, protecting critical account files, and safely granting root privileges—so you can reduce attack surface and improve overall security.
Securing a newly purchased server is crucial; the following steps provide a straightforward hardening checklist for Linux systems.
Modify SSH login configuration
Edit the SSH daemon configuration file and adjust key parameters:
vim /etc/ssh/sshd_config
# Change the listening port (use a value > 10000 to reduce scanning)
Port 10000
# Use only SSH protocol 2 (disable the insecure version 1)
Protocol 2
# Disallow direct root login; use a regular account and <code>suinstead PermitRootLogin no # Disable empty passwords PermitEmptyPasswords no
After saving, restart the SSH service:
service sshd restartDisable system response to ping requests
echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_allThe default value is 0, meaning ping replies are enabled; setting it to 1 silences all ICMP echo replies.
User management
Basic commands to inspect accounts and groups:
cat /etc/passwd # list users
cat /etc/group # list groups
who # current logged‑in users
last # login historyRemove unnecessary default accounts and groups to prevent brute‑force abuse:
userdel sync
userdel shutdown
# other removable users: halt, uucp, operator, games, gopher
groupdel adm
groupdel games
# other removable groups: lp, dipProtect the critical account files by making them immutable (only root can change them):
chattr +i /etc/passwd
chattr +i /etc/shadow
chattr +i /etc/group
chattr +i /etc/gshadowTo revert, replace +i with -i and run the same commands.
Create new users
adduser username # create a new user
passwd username # set the user’s passwordRegular users should have full permissions only within their home directories; privileged actions require sudo. The sudoers file is read‑only by default; to edit it, grant write permission temporarily:
chmod -v u+w /etc/sudoers # allow editing
# edit the file, add the needed lines, then save and exit (wq)
chmod -v u-w /etc/sudoers # restore read‑only modeGrant root privileges
Method 1: Enable the wheel group in /etc/sudoers and add the user to that group.
## Allows people in group wheel to run all commands
%wheel ALL=(ALL) ALL
# then add the user to wheel
usermod -g wheel uusamaMethod 2 (recommended): Directly add explicit entries for root and the user.
## Allow root to run any command anywhere
root ALL=(ALL) ALL
uusama ALL=(ALL) ALLMethod 3: Change the user’s UID to 0 in /etc/passwd.
uusama:x:500:500:tommy:/home/uusama:/bin/bash
# after modification
uusama:x:0:500:tommy:/home/uusama:/bin/bashAfter applying any of these methods, log in with the uusama account and use su - or sudo -s to obtain root privileges.
Signed-in readers can open the original source through BestHub's protected redirect.
This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contactand we will review it promptly.
Liangxu Linux
Liangxu, a self‑taught IT professional now working as a Linux development engineer at a Fortune 500 multinational, shares extensive Linux knowledge—fundamentals, applications, tools, plus Git, databases, Raspberry Pi, etc. (Reply “Linux” to receive essential resources.)
How this landed with the community
Was this worth your time?
0 Comments
Thoughtful readers leave field notes, pushback, and hard-won operational detail here.