Linux Server Security: Hardening Your Production Systems

Lina V.

Secure SSH Configuration

SSH is the primary management interface for Linux servers and must be locked down. Disable root login over SSH entirely - use a regular account and escalate with sudo. Disable password authentication and require SSH key pairs. Change the default port from 22 to reduce automated scanning noise. Limit SSH access to specific IP ranges using firewall rules or the AllowUsers directive. Install fail2ban to automatically block IP addresses after repeated failed login attempts.
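The checks above can be audited automatically. The following POSIX shell script is an added example, not code from this article or from any vendor: it reads an sshd_config file, reports which of the hardening directives discussed here are missing or weak, and returns the number of findings so it can gate a deployment. The function names (`effective_value`, `check_sshd_config`) are hypothetical, and the script assumes the first uncommented occurrence of a directive is the effective one (as sshd applies) and does not model `Match` blocks.

```shell
#!/bin/sh
# Audit an sshd_config file for the hardening directives discussed above.
# Hypothetical helper (not from the article). Prints one line per finding and
# returns the number of findings (0 means compliant), so it can gate a deploy.
# Assumes the first uncommented occurrence of a directive is the effective
# one, as sshd itself applies; Match blocks are not modelled.

# effective_value FILE DIRECTIVE -> prints the first uncommented value, if any
effective_value() {
    awk -v d="$2" 'tolower($1) == tolower(d) { print $2; exit }' "$1"
}

# check_sshd_config FILE -> reports deviations, returns the finding count
check_sshd_config() {
    cfg="$1"; findings=0
    # directive|required value|reason  (absent directive = insecure default)
    for spec in \
        "PermitRootLogin|no|root must not log in directly; use sudo" \
        "PasswordAuthentication|no|require SSH key pairs"
    do
        directive=${spec%%|*}; rest=${spec#*|}
        want=${rest%%|*}; why=${rest#*|}
        have=$(effective_value "$cfg" "$directive")
        if [ "$(printf %s "$have" | tr 'A-Z' 'a-z')" != "$want" ]; then
            echo "FAIL $directive is '${have:-<default>}', want '$want' ($why)"
            findings=$((findings + 1))
        fi
    done
    port=$(effective_value "$cfg" Port)
    if [ -z "$port" ] || [ "$port" = 22 ]; then
        echo "WARN Port is ${port:-22 (default)}; a non-default port cuts scanner noise"
        findings=$((findings + 1))
    fi
    if [ -z "$(effective_value "$cfg" AllowUsers)" ]; then
        echo "WARN AllowUsers not set; every local account may log in over SSH"
        findings=$((findings + 1))
    fi
    return "$findings"
}

# Usage: check_sshd_config /etc/ssh/sshd_config || echo "$? finding(s)"
```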

User and Permission Management

Follow the principle of least privilege rigorously. Each application should run as its own dedicated user with minimal permissions. Never run services as root. Use sudo for administrative tasks and configure it to log every command. Review /etc/passwd and /etc/group regularly for unnecessary accounts. Remove or disable accounts for former employees and contractors immediately upon departure.

Firewall Configuration With iptables or nftables

Configure the host firewall to allow only the specific ports and protocols each server requires. A web server needs ports 80 and 443 - nothing else should be open inbound. Block all outbound traffic except what is explicitly required (DNS, NTP, package repositories, and application-specific connections). Log dropped packets to detect scanning and exploitation attempts.

File System Security

Mount /tmp and /var/tmp with the noexec, nosuid, and nodev options to prevent malware execution from temporary directories. Set appropriate permissions on sensitive files like /etc/shadow (mode 640) and SSH keys (mode 600). Use a file integrity monitoring tool to detect unauthorized changes to critical system files. True Protection's Linux agent monitors file integrity and alerts on unauthorized modifications to system binaries, configuration files, and cron jobs.

Automatic Security Updates

Configure unattended-upgrades (Debian/Ubuntu) or dnf-automatic (RHEL/Fedora) to apply security patches automatically. For production systems where automatic patching is too risky, at minimum enable automatic notification of available updates and establish a process to apply them within 72 hours of release.
