Build an Impenetrable Linux Server: A Step‑by‑Step Security Hardening Guide

Introduction

As an operations engineer, I have witnessed many servers compromised due to weak security configurations. This article shares practical experience to help you build a complete Linux server security framework.

Real‑World Attack Case

A server showed abnormal CPU usage, revealing a mining malware infection. The attack chain involved SSH brute‑force, backdoor installation, persistent connections, resource‑draining mining processes, and lateral movement attempts.

Core Defense Strategies – Multi‑Layer Protection

Layer 1: SSH Hardening

Change the default SSH port (e.g., Port 22022) and restart the service.

Disable direct root login and create a regular sudo user.

Enable key‑based authentication, generate an Ed25519 key pair, configure authorized_keys, and disable password authentication.

Layer 2: Fail2Ban

Install Fail2Ban ( apt install fail2ban -y or yum install epel-release -y && yum install fail2ban -y) and create /etc/fail2ban/jail.local with custom SSH protection rules, then enable and start the service.

Layer 3: Firewall Configuration

Simple firewall with UFW:

ufw enable
ufw default deny incoming
ufw default allow outgoing
ufw allow 22022/tcp
ufw allow 80/tcp
ufw allow 443/tcp
ufw status verbose

Advanced iptables rules include default DROP policies, loopback allowance, established connection acceptance, SSH rate‑limiting, web service ports, and rule persistence.

Layer 4: Intrusion Detection System

Deploy OSSEC‑HIDS by downloading the source, extracting, and running ./install.sh, then edit /var/ossec/etc/ossec.conf to define monitoring rules.

Layer 5: File Integrity Monitoring

Install AIDE, initialize its database, and create a cron‑based integrity check script that logs anomalies.

Advanced Protection Techniques

1. Port Knocking

apt install knockd -y
cat > /etc/knockd.conf <<'EOF'
[options]
    UseSyslog

[openSSH]
    sequence    = 7000,8000,9000
    seq_timeout = 5
    command     = /sbin/iptables -A INPUT -s %IP% -p tcp --dport 22022 -j ACCEPT
    tcpflags    = syn

[closeSSH]
    sequence    = 9000,8000,7000
    seq_timeout = 5
    command     = /sbin/iptables -D INPUT -s %IP% -p tcp --dport 22022 -j ACCEPT
    tcpflags    = syn
EOF
systemctl enable knockd && systemctl start knockd

2. Honeypot Deployment

pip3 install cowrie
# Configure Cowrie to listen on port 22 while the real SSH service runs on a non‑standard port.

3. Automated Log Analysis

#!/bin/bash
LOGFILE="/var/log/auth.log"
ALERT_EMAIL="[email protected]"
failed_attempts=$(grep "Failed password" $LOGFILE | grep "$(date '+%b %d')" | wc -l)
if [ $failed_attempts -gt 50 ]; then
    echo "Warning: $failed_attempts SSH login failures today" | mail -s "SSH Security Alert - $(hostname)" $ALERT_EMAIL
fi
new_users=$(grep "new user" /var/log/auth.log | grep "$(date '+%b %d')")
if [ -n "$new_users" ]; then
    echo "Warning: New user creation detected:
$new_users" | mail -s "User Management Alert - $(hostname)" $ALERT_EMAIL
fi

Monitoring and Alerting

Lightweight Monitoring with Netdata

bash <(curl -Ss https://my-netdata.io/kickstart.sh)
# Edit /etc/netdata/health_alarm_notify.conf to enable email notifications.
SEND_EMAIL="YES"
DEFAULT_RECIPIENT_EMAIL="[email protected]"

Custom Alert Script (Python)

#!/usr/bin/env python3
import psutil, smtplib, time
from email.mime.text import MIMEText

def check_system_health():
    alerts = []
    if psutil.cpu_percent(interval=1) > 80:
        alerts.append(f"CPU usage too high: {psutil.cpu_percent()}%")
    mem = psutil.virtual_memory()
    if mem.percent > 85:
        alerts.append(f"Memory usage too high: {mem.percent}%")
    for part in psutil.disk_partitions():
        usage = psutil.disk_usage(part.mountpoint)
        if usage.percent > 90:
            alerts.append(f"Disk {part.mountpoint} usage too high: {usage.percent}%")
    return alerts

def send_alert(alerts):
    if not alerts:
        return
    msg = MIMEText('
'.join(alerts))
    msg['Subject'] = f'Server Health Alert - {time.strftime("%Y-%m-%d %H:%M")}'
    msg['From'] = '[email protected]'
    msg['To'] = '[email protected]'
    print('Sending alert:
' + '
'.join(alerts))
    # SMTP sending logic would go here.

if __name__ == "__main__":
    alerts = check_system_health()
    send_alert(alerts)

Incident Response Playbook

Post‑Invasion Steps

Immediate Isolation

# Drop all inbound traffic but keep SSH from your IP
iptables -A INPUT -j DROP
iptables -I INPUT 1 -s YOUR_IP -j ACCEPT

Preserve Evidence

tar -czf evidence_$(date +%Y%m%d_%H%M).tar.gz \
    /var/log/auth.log \
    /var/log/syslog \
    /var/log/messages

Backdoor Cleanup

# Review cron jobs and startup services
crontab -l
cat /etc/crontab
ls -la /etc/cron.*
systemctl list-unit-files --state=enabled
ls -la /etc/init.d/

Practical Exercises

Simulated Attack Tests

# Nmap scan
nmap -sS -O YOUR_SERVER_IP
# Hydra brute‑force test on custom SSH port
hydra -l admin -P /usr/share/wordlists/rockyou.txt \
    ssh://YOUR_SERVER_IP:22022 -t 4

Performance Tuning

# Optimize SSH settings
echo "ClientAliveInterval 60" >> /etc/ssh/sshd_config
echo "ClientAliveCountMax 3" >> /etc/ssh/sshd_config
echo "MaxAuthTries 3" >> /etc/ssh/sshd_config
echo "MaxSessions 5" >> /etc/ssh/sshd_config

Advanced Tips

1. PAM Two‑Factor Authentication

# Install Google Authenticator PAM module
apt install libpam-google-authenticator -y
google-authenticator
# Append to SSH PAM config
echo "auth required pam_google_authenticator.so" >> /etc/pam.d/sshd

2. Automated Security Audits

#!/bin/bash
echo "=== Linux Server Security Audit Report ==="
echo "Audit Time: $(date)"

echo "1. User Account Check:"
awk -F: '$3==0{print "Warning: " $1 " has root UID"}' /etc/passwd

echo "2. Empty Password Check:"
awk -F: '$2==""{print "Warning: " $1 " has empty password"}' /etc/shadow

echo "3. Critical File Permissions:"
ls -l /etc/passwd /etc/shadow /etc/sudoers

echo "4. Listening Network Ports:"
netstat -tlnp | grep LISTEN

echo "=== Audit Complete ==="
EOF
chmod +x /usr/local/bin/security_audit.sh

Summary and Recommendations

Implementing the layered measures described above can dramatically raise a Linux server’s security posture, progressing from a basic level (SSH port change + key authentication) to expert level (honeypots, automated response).

🔴 Basic: Change SSH port, enable key authentication.

🟡 Standard: Add Fail2Ban and firewall rules.

🟢 Advanced: Deploy IDS and file integrity monitoring.

🔵 Expert: Deploy honeypots and automated incident response.

Best practices include regular system updates, principle of least privilege, periodic audits and log analysis, a documented incident response plan, and routine security drills.