How to Harden Your Linux Server: Essential SSH, User, and Root Security Settings

Securing a newly purchased server is crucial to prevent unauthorized access; the following procedures improve the server's security posture.

Modify SSH login configuration

Edit the SSH daemon configuration file and adjust key parameters:

vim /etc/ssh/sshd_config
# Change the following items
Port 10000            # Use a non‑standard port (e.g., >10000) to reduce scanning exposure; remember to open this port in the firewall and cloud console.
Protocol 2            # Disable protocol 1, which has known vulnerabilities.
PermitRootLogin no   # Disallow direct root login; use a regular account and <code>su</code> or <code>sudo</code> instead.
PermitEmptyPasswords no  # Prevent logins with empty passwords.

After saving, restart the SSH service:

service sshd restart

Disable ping responses

Prevent the system from answering any ICMP echo requests (both inbound and outbound):

echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_all

The default value is 0 (responses enabled).

User management

Basic commands to inspect accounts and groups:

cat /etc/passwd          # List users
cat /etc/group           # List groups
who                      # Show currently logged‑in users
last                     # Show login history

Remove unnecessary default accounts and groups to reduce attack surface:

userdel sync
userdel shutdown
# Additional unwanted users: sync, shutdown, halt, uucp, operator, games, gopher

groupdel adm
groupdel games
# Additional unwanted groups: adm, lp, games, dip

Make critical account files immutable so they cannot be altered without root privileges:

chattr +i /etc/passwd
chattr +i /etc/shadow
chattr +i /etc/group
chattr +i /etc/gshadow

To revert, replace +i with -i and run the same commands.

Create new user

Add a regular user and set its password:

adduser username
passwd username

Regular users have full permissions only within their home directories; for privileged actions use sudo. To edit the sudoers file, first grant write permission, modify, then restore read‑only status:

chmod u+w /etc/sudoers   # Allow editing
# (edit the file, e.g., add a line for the new user)
chmod u-w /etc/sudoers   # Re‑lock the file

Grant root privileges

Method 1: Uncomment the wheel group line in /etc/sudoers and add the user to the wheel group.

## Allows people in group wheel to run all commands
%wheel ALL=(ALL) ALL   # Remove the leading ‘#’
# Then add the user to the wheel group, e.g.:
# usermod -g wheel uusama

Afterwards log in as uusama and use su - to obtain root.

Method 2 (recommended): Directly add explicit entries for root and the user:

## Allow root to run any command anywhere
root ALL=(ALL) ALL
uusama ALL=(ALL) ALL

Log in as uusama and run sudo -s to get a root shell.

Method 3: Change the user’s UID to 0 in /etc/passwd:

uusama:x:500:500:tommy:/home/uusama:/bin/bash
# Change to:
uusama:x:0:500:tommy:/home/uusama:/bin/bash

After saving, logging in as uusama provides root privileges immediately.