BestHub
Sign in
Information Security 7 min read

Hardening Linux Servers: Essential SSH & Firewall Configurations

This guide explains how to secure Linux servers against common attacks by configuring SELinux, iptables, SSH public‑key authentication, and immutable file attributes, while also showing real‑world scan results and practical hardening steps.

MaGe Linux Operations
MaGe Linux Operations
MaGe Linux Operations
Hardening Linux Servers: Essential SSH & Firewall Configurations

Introduction

Many enterprises' servers face attacks such as HTTP service attacks, OS vulnerability exploits, and SQL injection. Most servers are hosted on Alibaba Cloud or Tencent Cloud, which provide antivirus and firewall services (e.g., Alibaba Cloud Shield), but no solution is absolutely safe.

This article records practical security configurations for Linux servers, aiming to reduce risk even though absolute security is unattainable.

Server Configuration

For Linux, enable SELinux and iptables, reduce user and process privileges, promptly patch application vulnerabilities, upgrade the kernel to a stable version, harden web applications, and limit database user permissions.

Example server specifications:

Alibaba Cloud Shenzhen Zone B

Bandwidth: 2 Mbps

CPU: 1 core

Memory: 1024 MB

OS: CentOS 7.0 64‑bit

Installed services: Tomcat 7.0, JRE 7, Nginx 1.9.9, MariaDB 5.5, PHP 5.4.16, providing a blog and WeChat public platform API.

Port scan results (internal) show almost no exploitable ports:

Local nmap scan results:

External scans return no results, indicating the server appears closed to the internet.

SSH Service Hardening

SSH is the most common remote login service; although safer than Telnet, it still has vulnerabilities. Proper configuration can prevent brute‑force attacks and improve performance.

Edit /etc/ssh/sshd_config and apply the following settings (remove leading “#” to enable):

Key points:

Use public‑key authentication; generate a key pair and place the public key in the file specified by AuthorizedKeysFile.

Set the key file permission to 640 ( chmod 640 /home/kid/.ssh/authorized_keys) and its directory to 700 ( chmod 700 /home/kid).

Ensure each public key occupies a single line.

After editing, restart SSH: sudo systemctl restart sshd. Test the new login without closing the current session. Monitor logs with sudo tail -f /var/log/message and sudo tail -f /var/log/secure. You can also lock the configuration files against tampering:

sudo chattr +i /etc/ssh/sshd_config
sudo chattr +i /home/kid/.ssh/authorized_keys

To modify later, remove the immutable flag with sudo chattr -i ….

Original Source

Signed-in readers can open the original source through BestHub's protected redirect.

Sign in to view source
Republication Notice

This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contactadmin@besthub.devand we will review it promptly.

firewallinformation securitySELinuxServer SecuritySSH Hardening
MaGe Linux Operations
Written by

MaGe Linux Operations

Founded in 2009, MaGe Education is a top Chinese high‑end IT training brand. Its graduates earn 12K+ RMB salaries, and the school has trained tens of thousands of students. It offers high‑pay courses in Linux cloud operations, Python full‑stack, automation, data analysis, AI, and Go high‑concurrency architecture. Thanks to quality courses and a solid reputation, it has talent partnerships with numerous internet firms.

0 followers
Reader feedback

How this landed with the community

Sign in to like

Rate this article

Was this worth your time?

Sign in to rate
Discussion

0 Comments

Thoughtful readers leave field notes, pushback, and hard-won operational detail here.

Sign in to comment