How to Harden Your Linux Server Against Unauthorized Access
This guide walks you through essential steps to secure a Linux server, including regular system updates, automatic security patches, creating restricted user accounts, hardening SSH with key authentication and daemon options, deploying Fail2Ban, removing unused services, and configuring firewalls for robust protection.
Frequent System Updates
Keeping software up to date is a fundamental security measure; updates include critical vulnerability patches and bug fixes that are often released before vulnerabilities become publicly known.
Automatic Security Updates
You can configure automatic updates on various distributions: CentOS/Fedora use yum-cron or dnf-automatic, while Debian and Ubuntu use unattended-upgrades. Decide whether to enable automatic updates based on your workload, and test changes in a staging environment before production deployment.
Add a Restricted User Account
After logging in as root, create a non‑privileged user and grant sudo rights so you avoid operating directly as root.
If sudo is not installed (the shell reports that the sudo command is not found), install it from your package manager.
CentOS / Fedora
Create a user named example_user and set a password.
Add the user to the wheel group.
Ubuntu
Create a user named example_user and set a password.
Add the user to the sudo group.
Debian
Install sudo with apt-get if not present.
Create a user named example_user and set a password.
Add the user to the sudo group.
After creating the limited‑privilege user, disconnect from the server and reconnect using the new account.
Hardening SSH Access
Use encrypted key pairs instead of passwords for SSH authentication.
Create an Authentication Key Pair
Generate a 4096‑bit RSA key pair on your local machine; optionally protect the private key with a passphrase.
Check whether a key already exists with ls ~/.ssh/id_rsa* before generating a new one, so that you do not overwrite it.
Upload the public key to the server (replace example_user and 203.0.113.10 with your actual username and IP).
SSH Daemon Options
Disallow root login via SSH.
Disable password authentication, requiring key‑based login.
Listen only on IPv4 (AddressFamily inet) or IPv6 (AddressFamily inet6) as needed.
Add the AddressFamily line to sshd_config and restart the SSH service.
Restart commands differ by init system (systemd vs. SysV/Upstart).
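One way to check that the three daemon options above are actually set, as an added example that is not part of the original guide: a POSIX shell audit of an sshd_config-style file. The function names sshd_value and audit_sshd and the sample config are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit an sshd_config-style file for the three daemon options above.
# Limits (assumptions): reads one file only, ignores Include drop-ins, and expects
# whitespace-separated "Keyword value" lines.

# sshd_value FILE KEYWORD: print the lowercased value of the first global match.
# sshd keeps the first value it reads for a keyword, and keywords are case-insensitive.
sshd_value() {
    awk -v key="$2" '
        $1 ~ /^#/              { next }   # comment line
        tolower($1) == "match" { exit }   # Match blocks are conditional, not global
        tolower($1) == tolower(key) { print tolower($2); exit }
    ' "$1"
}

# audit_sshd FILE: print PASS/FAIL per setting; exit status = number of failures.
audit_sshd() {
    file=$1
    fails=0
    for want in "PermitRootLogin:no" "PasswordAuthentication:no" "AddressFamily:inet|inet6"; do
        key=${want%%:*}
        ok=${want#*:}
        val=$(sshd_value "$file" "$key")
        case "|$ok|" in
            *"|${val:-unset}|"*) echo "PASS $key $val" ;;
            *) echo "FAIL $key is ${val:-unset}, want $ok"; fails=$((fails + 1)) ;;
        esac
    done
    return "$fails"
}

# Constructed sample config, not taken from a real server.
sample=$(mktemp)
cat > "$sample" <<'EOF'
Port 22
PermitRootLogin no
passwordauthentication yes
#AddressFamily inet
Match User backup
    PasswordAuthentication no
EOF
audit_sshd "$sample" || echo "$? setting(s) need attention"
rm -f "$sample"
```

On a live server, sshd -T prints the effective configuration, including defaults and included files, and is the more authoritative check.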
Use Fail2Ban to Protect SSH Login
Fail2Ban monitors failed login attempts and automatically bans offending IP addresses, providing an additional layer of defense against brute‑force attacks.
Delete Unused Network‑Facing Services
Identify running services with netstat or ss -tulpn, then remove unnecessary packages using the distribution’s package manager (yum, dnf, apt, pacman, etc.).
Typical services to consider removing: RPC, Exim, and any unused daemons; keep SSH and NTP as needed.
Configure Firewall
Use a firewall (iptables, firewalld, or UFW) to allow only required inbound traffic and block everything else.
Next Steps
These are the basic steps to harden a Linux server; further security layers may include application‑level hardening, intrusion detection systems, or additional access controls.
MaGe Linux Operations