Running Linux servers gives your business reliability and flexibility, but only if they’re properly secured. This checklist covers the essential hardening steps I apply to every Linux server I deploy.

Whether you’re running RHEL, Rocky Linux, Ubuntu, or another distribution, these fundamentals apply universally.

Initial Setup

User and access controls

  • Disable root SSH login — Edit /etc/ssh/sshd_config, set PermitRootLogin no
  • Create individual admin accounts — Never share credentials between administrators
  • Use SSH keys instead of passwords — Disable password authentication: PasswordAuthentication no
  • Configure sudo properly — Grant least privilege, log all sudo commands
  • Remove or disable unused accounts — Review /etc/passwd regularly

SSH hardening

  • Change default SSH port (optional but reduces automated attacks) — Update in sshd_config
  • Limit SSH access by IP if possible — Use firewall rules or AllowUsers
  • Set idle timeout — ClientAliveInterval 300 and ClientAliveCountMax 0
  • Disable empty passwords — PermitEmptyPasswords no
  • Use SSH protocol 2 only — Protocol 2
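As an added example (not part of the original checklist), a POSIX shell audit of an sshd configuration for the directives listed above. It reads either sshd_config or, better, the effective configuration printed by `sshd -T`; the directive names and values it checks are the ones in this checklist, and the function names are this example's own.

```shell
#!/bin/sh
# Audit an sshd configuration against the directives in the checklist above.
# Input: a file of "Directive value" lines, either /etc/ssh/sshd_config or the
# effective configuration from `sshd -T` (preferred: it expands defaults and Match
# blocks; it prints lowercase directive names, which this script tolerates).

# Value of one directive: the first uncommented occurrence wins, as in sshd itself.
# Prints nothing if the directive is absent (the daemon default then applies).
sshd_value() {           # $1 = config file, $2 = lowercase directive name
    awk -v d="$2" '$1 !~ /^#/ && tolower($1) == d { print tolower($2); exit }' "$1"
}

# Check each required directive; prints a FAIL line per deviation and returns the
# number of deviations (0 = compliant). An absent directive counts as a deviation
# because the daemon default (e.g. PasswordAuthentication yes) is not the hardened value.
# Caveat: on OpenSSH 8.2 and newer, ClientAliveCountMax 0 disables idle disconnection
# rather than enforcing it; the rule below follows the checklist as written.
audit_sshd_config() {    # $1 = config file
    failures=0
    for rule in permitrootlogin=no passwordauthentication=no permitemptypasswords=no \
                clientaliveinterval=300 clientalivecountmax=0; do
        directive=${rule%%=*}
        expected=${rule#*=}
        actual=$(sshd_value "$1" "$directive")
        if [ "$actual" != "$expected" ]; then
            printf 'FAIL %s: expected %s, found %s\n' \
                "$directive" "$expected" "${actual:-<unset>}"
            failures=$((failures + 1))
        fi
    done
    return "$failures"
}

# Stand-alone use on a live host (as root, so sshd -T can read the host keys):
#   sshd -T > /tmp/sshd-effective.conf && audit_sshd_config /tmp/sshd-effective.conf
```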

Firewall Configuration

Basic firewall rules

  • Enable firewall on boot — systemctl enable firewalld (RHEL/Rocky) or ufw enable (Ubuntu)
  • Default deny incoming — Block all ports except what’s explicitly needed
  • Allow only required services — Document why each open port is necessary
  • Restrict management access by IP — SSH and admin interfaces from known IPs only
  • Log dropped packets for security monitoring

Port audit

  • Run ss -tulnp to see what’s listening
  • Disable unnecessary services — systemctl disable <service>
  • Document every open port with justification
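Added example, not from the original checklist: a shell filter that reads `ss -tulnp` output and reports every listener reachable from off the host that is not on an explicit allowlist, which turns the "document every open port" step into a repeatable check. The allowlist format, function names and the sample ss output are constructed for this example.

```shell
#!/bin/sh
# Port audit: report listening sockets that are reachable from the network and are
# not on an explicit allowlist. Reads `ss -tulnp` output on stdin.
#   usage: ss -tulnp | exposed_listeners "tcp/22 tcp/80"
# Prints "proto/port bound-address process" per unexpected listener; exit status = count.
exposed_listeners() {    # $1 = space-separated allowlist of proto/port entries
    awk -v allow=" $1 " '
        NR == 1 { next }                                  # column header
        {
            n = split($5, parts, ":")                     # Local Address:Port
            port = parts[n]
            addr = substr($5, 1, length($5) - length(port) - 1)
            # Loopback-only binds (127.x, [::1]) are not reachable from other hosts.
            if (addr ~ /^127\./ || addr == "[::1]") next
            key = $1 "/" port                             # e.g. tcp/22
            if (index(allow, " " key " ") > 0) next       # documented and allowed
            proc = "?"
            if (match($7, /"[^"]+"/))                     # users:(("nginx",pid=...))
                proc = substr($7, RSTART + 1, RLENGTH - 2)
            print key, addr, proc
            count++
        }
        END { exit count + 0 }
    '
}

# Constructed sample of `ss -tulnp` output (not captured from a real host) so the
# check can be exercised offline: sshd and nginx are expected, node_exporter is not.
sample_ss_output() {
    cat <<'EOF'
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
udp   UNCONN 0      0      127.0.0.53%lo:53   0.0.0.0:*         users:(("systemd-resolve",pid=412,fd=12))
tcp   LISTEN 0      128    0.0.0.0:22         0.0.0.0:*         users:(("sshd",pid=801,fd=3))
tcp   LISTEN 0      511    0.0.0.0:80         0.0.0.0:*         users:(("nginx",pid=933,fd=6))
tcp   LISTEN 0      80     127.0.0.1:3306     0.0.0.0:*         users:(("mysqld",pid=1020,fd=21))
tcp   LISTEN 0      128    [::]:22            [::]:*            users:(("sshd",pid=801,fd=4))
tcp   LISTEN 0      4096   0.0.0.0:9100       0.0.0.0:*         users:(("node_exporter",pid=1211,fd=3))
EOF
}
```

Running `sample_ss_output | exposed_listeners "tcp/22 tcp/80"` reports only the node_exporter socket; the MySQL listener is ignored because it is bound to 127.0.0.1.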

System Updates

Patch management

  • Enable automatic security updates — dnf-automatic (RHEL) or unattended-upgrades (Ubuntu)
  • Schedule regular update windows for non-critical updates
  • Subscribe to security mailing lists for your distribution
  • Test updates in non-production first when possible
  • Maintain kernel update schedule — Reboot after kernel updates

File System Security

Permissions and ownership

  • Set restrictive umask — umask 027 in /etc/profile
  • Review world-writable directories — find / -perm -0002 -type d
  • Secure /tmp with separate partition and noexec,nosuid,nodev mount options
  • Disable SUID on unnecessary binaries — find / -perm -4000
  • Implement file integrity monitoring — AIDE or similar
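Added example (not part of the checklist): a SUID/SGID inventory that extends the `find / -perm -4000` item into a baseline-and-drift check, since an unexpected setuid binary is a classic sign of compromise and is worth checking on a schedule even before a full AIDE deployment. It assumes GNU find (for -printf), as shipped on RHEL, Rocky and Ubuntu; the file paths and function names are this example's own.

```shell
#!/bin/sh
# SUID/SGID inventory with baseline comparison.
# Take a baseline once on a freshly hardened host, then compare on a schedule:
#   suid_inventory / > /var/lib/hardening/suid.baseline
#   suid_drift /var/lib/hardening/suid.baseline /
# Assumes GNU find for -printf. -xdev stays on one filesystem, so scan each mounted
# filesystem that can hold executables separately (/, /usr, /opt, ...).

# Sorted "mode path" lines for every file with the setuid (4000) or setgid (2000) bit.
suid_inventory() {       # $1 = directory to scan
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) -printf '%m %p\n' 2>/dev/null | sort
}

# Compare the current inventory with a baseline. Prints "+ mode path" for new entries
# and "- mode path" for ones that disappeared; returns 1 on any drift, 0 otherwise.
# A mode change on a listed file (e.g. 4755 -> 4777) shows up as one "-" and one "+".
suid_drift() {           # $1 = baseline file (sorted), $2 = directory to scan
    current=$(mktemp)
    suid_inventory "$2" > "$current"
    added=$(comm -13 "$1" "$current")      # lines only in the current inventory
    removed=$(comm -23 "$1" "$current")    # lines only in the baseline
    rm -f "$current"
    if [ -n "$added" ]; then
        printf '%s\n' "$added" | sed 's/^/+ /'
    fi
    if [ -n "$removed" ]; then
        printf '%s\n' "$removed" | sed 's/^/- /'
    fi
    [ -z "$added" ] && [ -z "$removed" ]
}
```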

Log management

  • Configure centralized logging — rsyslog to remote server or SIEM
  • Rotate logs properly — Configure logrotate
  • Protect log files from modification — Restrict permissions
  • Monitor log storage — Alert before disk fills

Service Hardening

For each running service

  • Run as non-root user when possible
  • Use chroot or containers for isolation
  • Disable unnecessary modules/features
  • Keep configurations in version control
  • Apply service-specific hardening guides (Apache, Nginx, MySQL, etc.)

SELinux / AppArmor

  • Leave SELinux enabled (RHEL/Rocky) — Never disable, troubleshoot properly instead
  • Enable AppArmor (Ubuntu) if not running SELinux
  • Create custom policies for your applications if needed
  • Monitor for policy violations — audit2allow for analysis

Network Security

Network configuration

  • Disable IPv6 if not needed — Reduces attack surface
  • Configure host-based firewall (covered above)
  • Disable IP forwarding unless specifically required
  • Enable TCP SYN cookies — Protection against SYN floods
  • Ignore ICMP redirects — Prevent routing manipulation
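Added example, not the checklist's own: a sysctl drop-in for the four kernel settings listed above, plus a check that reads `sysctl -a` output and reports any configured key whose running value differs. That catches the common case of a file that was written but never applied with `sysctl --system`, or that a later-sorted drop-in overrides. The file name and function names are this example's assumptions; drop the disable_ipv6 lines on hosts that need IPv6.

```shell
#!/bin/sh
# Kernel network settings from the checklist as a sysctl drop-in, plus a check that the
# running kernel really has them (sysctl -a dump on stdin). Stand-alone usage:
#   hardening_sysctl_conf > /etc/sysctl.d/99-hardening.conf && sysctl --system
#   sysctl -a 2>/dev/null | sysctl_unapplied /etc/sysctl.d/99-hardening.conf

hardening_sysctl_conf() {
    cat <<'EOF'
# Disable IPv6 if not needed (drop these two lines on hosts that use IPv6)
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
# No IP forwarding unless this host is a router
net.ipv4.ip_forward = 0
# SYN cookies keep the listen queue usable under a SYN flood
net.ipv4.tcp_syncookies = 1
# Ignore ICMP redirects so a LAN peer cannot rewrite the routing table
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv6.conf.all.accept_redirects = 0
EOF
}

# Report every key in the config file whose running value (from the dump on stdin)
# differs; a key missing from the dump is shown as "<absent>". Exit status = mismatches.
sysctl_unapplied() {     # $1 = sysctl config file
    awk -F' *= *' -v conf="$1" '
        BEGIN {
            while ((getline line < conf) > 0) {
                if (line ~ /^[ \t]*(#|$)/) continue       # comment or blank line
                split(line, kv, " *= *"); sub(/[ \t]+$/, "", kv[2])
                want[kv[1]] = kv[2]
            }
            close(conf)
        }
        ($1 in want) { have[$1] = $2 }                    # only keys we configured
        END {
            for (k in want)
                if (!(k in have) || have[k] != want[k]) {
                    printf "%s: configured %s, running %s\n", k, want[k], (k in have) ? have[k] : "<absent>"
                    bad++
                }
            exit bad + 0
        }
    '
}
```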

DNS and hostname

  • Configure reliable DNS servers
  • Set proper hostname and domain
  • Consider local DNS caching for performance and reliability

Authentication and Authorization

Password policies

  • Set password complexity requirements — PAM configuration
  • Configure password expiration — Though consider passphrase-based approaches
  • Lock accounts after failed attempts — pam_tally2 or pam_faillock
  • Enforce password history — Prevent reuse

Multi-factor authentication

  • Consider MFA for SSH — Google Authenticator PAM or similar
  • Use hardware tokens for critical systems — YubiKey, etc.

Monitoring and Auditing

System monitoring

  • Configure auditd — Track security-relevant system calls
  • Set up login monitoring — Track successful and failed logins
  • Monitor for unauthorized changes — File integrity monitoring
  • Enable process accounting — Track what runs and when

Alerting

  • Configure alerts for critical events — Root logins, sudo usage, service failures
  • Test alerting regularly — Make sure notifications actually work
  • Document response procedures — What to do when alerts fire

Backup and Recovery

Backup configuration

  • Automate regular backups — Include configurations, not just data
  • Store backups off-server — Remote location or cloud
  • Encrypt backup data — Protect data at rest
  • Test restores regularly — Untested backups aren’t backups

Disaster recovery

  • Document recovery procedures
  • Maintain configuration management — Ansible, etc., for rapid rebuild
  • Keep system documentation current

Ongoing Maintenance

Regular tasks

  • Weekly: Review logs for anomalies
  • Monthly: Check for available updates, review user accounts
  • Quarterly: Comprehensive security review, test backups
  • Annually: Full security audit; consider penetration testing

Change management

  • Document all changes to production systems
  • Use configuration management (Ansible) for consistency
  • Test changes in staging when possible
  • Have rollback plans for every change

Need Help with Linux Server Security?

Proper Linux hardening takes time and expertise. As a Red Hat-certified professional, I help Colorado businesses secure their Linux infrastructure the right way.

Whether you need a security audit, help hardening existing servers, or guidance setting up new Linux systems, I can help. Contact me to discuss your specific needs.