Linux, Security, DevOps
June 15, 2025

Linux Server Hardening: A Practical Checklist

The essential security steps I take on every new Linux server -- from SSH hardening to kernel parameters and automatic updates.

First 10 Minutes

Every new server gets the same treatment within the first 10 minutes:

  1. Create a non-root user with sudo privileges
  2. Disable root SSH login
  3. Switch to SSH key-only authentication
  4. Change the default SSH port
  5. Enable and configure UFW firewall
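The five steps above, as an added example that is not the post's own script. It renders the sshd drop-in that implements steps 2 to 4, checks that a config file actually carries those settings, and only touches the system when run as root with `--apply`. Assumed: an OpenSSH 8.2+ host whose `sshd_config` includes `/etc/ssh/sshd_config.d/*.conf`, Debian/Ubuntu with `ufw` and a systemd unit named `ssh` (it is `sshd` on RHEL-family systems); the user name `deploy`, the port `2222` and the `PUBKEY_FILE` variable are hypothetical. The ordering matters: the admin key goes in before passwords are turned off, the firewall opens the new port before sshd moves to it, and `sshd -t` runs before the reload so a typo does not lock you out.

```shell
#!/bin/sh
# Added example (not from the post). Dry run by default; pass --apply as root to
# change the system. Assumes sshd_config.d drop-ins, ufw and a systemd "ssh" unit.
set -eu

ADMIN_USER="${ADMIN_USER:-deploy}"   # hypothetical admin user name
SSH_PORT="${SSH_PORT:-2222}"         # hypothetical non-default SSH port
PUBKEY_FILE="${PUBKEY_FILE:-}"       # path to the admin's public key (needed for --apply)

# Render the sshd drop-in: custom port, no root login, keys only.
render_sshd_dropin() {
    port="$1"
    printf '%s\n' \
        "Port $port" \
        "PermitRootLogin no" \
        "PasswordAuthentication no" \
        "KbdInteractiveAuthentication no" \
        "PubkeyAuthentication yes" \
        "MaxAuthTries 3"
}

# check_sshd_dropin FILE PORT: print every required line that FILE lacks.
# Returns 0 when the file is complete, 1 otherwise.
check_sshd_dropin() {
    file="$1"; port="$2"; missing=0
    for want in "Port $port" "PermitRootLogin no" "PasswordAuthentication no" "PubkeyAuthentication yes"; do
        if ! grep -qx "$want" "$file"; then
            echo "missing: $want"
            missing=1
        fi
    done
    return "$missing"
}

apply_hardening() {
    [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; return 1; }
    [ -r "$PUBKEY_FILE" ] || { echo "PUBKEY_FILE must point at the admin's public key" >&2; return 1; }

    # Step 1: non-root sudo user, with the key installed BEFORE passwords go away.
    id "$ADMIN_USER" >/dev/null 2>&1 || useradd -m -s /bin/bash "$ADMIN_USER"
    usermod -aG sudo "$ADMIN_USER"
    home="$(getent passwd "$ADMIN_USER" | cut -d: -f6)"
    grp="$(id -gn "$ADMIN_USER")"
    install -d -m 700 -o "$ADMIN_USER" -g "$grp" "$home/.ssh"
    install -m 600 -o "$ADMIN_USER" -g "$grp" "$PUBKEY_FILE" "$home/.ssh/authorized_keys"

    # Step 5: firewall, opening the new SSH port before sshd moves to it.
    ufw default deny incoming
    ufw default allow outgoing
    ufw allow "$SSH_PORT/tcp"
    ufw --force enable

    # Steps 2-4: write the drop-in, validate the full config, then reload.
    render_sshd_dropin "$SSH_PORT" > /etc/ssh/sshd_config.d/10-hardening.conf
    sshd -t                       # abort here on a bad config rather than lock yourself out
    systemctl reload ssh
    echo "done; keep this session open and test a fresh login on port $SSH_PORT first"
}

if [ "${1:-}" = "--apply" ]; then
    apply_hardening
else
    # Dry run: render the drop-in to a temp file and verify it against the checklist.
    tmp="$(mktemp)"
    render_sshd_dropin "$SSH_PORT" > "$tmp"
    check_sshd_dropin "$tmp" "$SSH_PORT" && echo "drop-in complete (dry run, nothing applied)"
    rm -f "$tmp"
fi
```

`check_sshd_dropin` is also useful on its own against an existing server's config after someone else has edited it; it is a line-for-line check, so it will not notice a later `Match` block overriding a setting.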

Kernel Hardening

Sysctl parameters that should be on every server:

  • Disable IP forwarding unless needed
  • Enable SYN flood protection
  • Disable ICMP redirects
  • Enable reverse path filtering
  • Restrict kernel pointer access
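The same five settings as a sysctl drop-in, plus an audit that reads the live values straight from `/proc/sys` and reports anything that has drifted from the baseline. This is an added example, not the post's own file; it assumes a `/etc/sysctl.d` layout applied with `sysctl --system`, and the `SYSROOT` argument exists so the audit can be exercised against a constructed directory. `kptr_restrict = 2` hides kernel pointers even from root, which is the strictest of the documented values.

```shell
#!/bin/sh
# Added example (not from the post). Renders the sysctl baseline and audits the
# running kernel against it. Pass --apply as root to install it under /etc/sysctl.d.
set -eu

render_sysctl_hardening() {
    cat <<'EOF'
# Disable IP forwarding (enable only on routers / container hosts that need it)
net.ipv4.ip_forward = 0
net.ipv6.conf.all.forwarding = 0
# SYN flood protection
net.ipv4.tcp_syncookies = 1
# Ignore ICMP redirects and never send them
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv6.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
# Reverse path filtering, strict mode
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
# Hide kernel pointers in /proc and dmesg, even from root
kernel.kptr_restrict = 2
EOF
}

# audit_sysctl FILE [SYSROOT]: compare each "key = value" in FILE with the live
# value under SYSROOT (default /proc/sys). Prints one line per mismatch or
# unavailable key and returns 1 if anything differs, 0 if all match.
audit_sysctl() {
    file="$1"; root="${2:-/proc/sys}"
    out="$(grep -v '^[[:space:]]*#' "$file" | grep '=' | while IFS='=' read -r key want; do
        key="$(printf '%s' "$key" | tr -d ' ')"
        want="$(printf '%s' "$want" | tr -d ' ')"
        path="$root/$(printf '%s' "$key" | tr . /)"   # net.ipv4.ip_forward -> net/ipv4/ip_forward
        if [ ! -r "$path" ]; then
            echo "unavailable: $key"
        elif [ "$(cat "$path")" != "$want" ]; then
            echo "drift: $key is $(cat "$path"), want $want"
        fi
    done)"
    [ -z "$out" ] || { printf '%s\n' "$out"; return 1; }
    return 0
}

if [ "${1:-}" = "--apply" ]; then
    [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; exit 1; }
    render_sysctl_hardening > /etc/sysctl.d/60-hardening.conf
    sysctl --system
else
    # Dry run: audit the running kernel against the rendered baseline.
    tmp="$(mktemp)"; render_sysctl_hardening > "$tmp"
    audit_sysctl "$tmp" || echo "(settings above differ from the baseline; nothing applied)"
    rm -f "$tmp"
fi
```

Running the audit from cron or a config-management check catches the common failure mode where a package or a later drop-in silently resets one of these keys; an `unavailable:` line usually means the module or address family (often IPv6) is not loaded on that host.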

Automatic Updates

Enable unattended upgrades for security patches. The risk of a zero-day exploit is far greater than the risk of a security patch breaking something.
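What that looks like on Debian/Ubuntu, as an added example rather than the post's own configuration: the two apt files that drive `unattended-upgrades`, limited to the security origin, and a check that flags any origin that is not a `-security` one (the packaged default also offers a `-updates` line, which pulls in non-security changes and is the setting the post's risk argument does not cover). Assumed: the `unattended-upgrades` package; `--apply` overwrites the packaged `50unattended-upgrades`.

```shell
#!/bin/sh
# Added example (not from the post). Renders apt's periodic and unattended-upgrades
# config and verifies that only security origins are enabled. --apply writes the files.
set -eu

# Daily: refresh lists, run unattended-upgrade, autoclean weekly.
render_periodic() {
    cat <<'EOF'
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Unattended-Upgrade "1";
APT::Periodic::AutocleanInterval "7";
EOF
}

# Security origin only; the -updates line is the usual "also take everything" setting.
render_unattended() {
    cat <<'EOF'
Unattended-Upgrade::Allowed-Origins {
    "${distro_id}:${distro_codename}-security";
//  "${distro_id}:${distro_codename}-updates";
};
Unattended-Upgrade::Remove-Unused-Dependencies "true";
Unattended-Upgrade::Automatic-Reboot "false";
EOF
}

# allowed_origins FILE: list the enabled (non-commented) entries of Allowed-Origins.
allowed_origins() {
    awk '/Allowed-Origins/ {inblk=1; next} /^};/ {inblk=0} inblk && /"/ && !/^[[:space:]]*\/\//' "$1" \
        | tr -d '"; \t'
}

# check_security_only FILE: 0 if every enabled origin ends in -security, else 1.
check_security_only() {
    allowed_origins "$1" | grep -v -- '-security$' | grep -q . && return 1
    return 0
}

if [ "${1:-}" = "--apply" ]; then
    [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; exit 1; }
    apt-get install -y unattended-upgrades
    render_periodic   > /etc/apt/apt.conf.d/20auto-upgrades
    render_unattended > /etc/apt/apt.conf.d/50unattended-upgrades
    unattended-upgrade --dry-run --debug     # show what the next run would install
else
    tmp="$(mktemp)"; render_unattended > "$tmp"
    check_security_only "$tmp" && echo "security-only origins (dry run, nothing applied)"
    rm -f "$tmp"
fi
```

`Automatic-Reboot` is left off on purpose: kernel patches still land, but the reboot stays a deliberate, monitored action rather than something that happens at 3 a.m. unannounced.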

Monitoring

Fail2ban for brute-force protection, logwatch for daily summaries, and a lightweight alerting system for critical events. You cannot secure what you do not monitor.
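An added example for the fail2ban part, not from the post: a `jail.local` that bans after five failures, and a small awk triage that does by hand what the sshd jail does automatically, counting `Failed password` lines per source over a constructed auth.log sample. The log lines, the host name `web1` and the TEST-NET addresses are constructed for the example; `SSH_PORT` is assumed to match the port from the first-ten-minutes section, which the `[sshd]` jail must be told about or it will watch port 22. fail2ban's own sshd filter also matches `Invalid user` and pre-auth disconnect lines, which is what you mostly see once password auth is off; the awk here covers only the single most common pattern. On hosts without rsyslog (Ubuntu 22.04+ by default) there is no `/var/log/auth.log` and fail2ban reads the journal instead.

```shell
#!/bin/sh
# Added example (not from the post). Renders jail.local for sshd and triages
# failed-password attempts per source IP from an auth.log. --apply installs the jail.
set -eu

SSH_PORT="${SSH_PORT:-2222}"   # must match the port sshd actually listens on

render_jail_local() {
    port="$1"
    cat <<EOF
[DEFAULT]
bantime  = 3600
findtime = 600
maxretry = 5
ignoreip = 127.0.0.1/8 ::1

[sshd]
enabled = true
port    = $port
EOF
}

# failed_logins_by_ip FILE [MIN]: "count ip" for every source with >= MIN
# (default 5) "Failed password" lines, highest count first.
failed_logins_by_ip() {
    file="$1"; threshold="${2:-5}"
    awk -v min="$threshold" '
        /sshd\[[0-9]+\]: Failed password/ {
            for (i = 1; i <= NF; i++) if ($i == "from") { n[$(i+1)]++; break }
        }
        END { for (ip in n) if (n[ip] >= min) printf "%d %s\n", n[ip], ip }
    ' "$file" | sort -rn
}

# Constructed auth.log sample: one noisy source, one legitimate user with typos.
sample_auth_log() {
    cat <<'EOF'
Jun 15 10:00:01 web1 sshd[1201]: Failed password for root from 198.51.100.23 port 51234 ssh2
Jun 15 10:00:03 web1 sshd[1202]: Failed password for invalid user admin from 198.51.100.23 port 51240 ssh2
Jun 15 10:00:05 web1 sshd[1203]: Failed password for invalid user admin from 198.51.100.23 port 51244 ssh2
Jun 15 10:00:07 web1 sshd[1204]: Failed password for root from 198.51.100.23 port 51250 ssh2
Jun 15 10:00:09 web1 sshd[1205]: Failed password for invalid user test from 198.51.100.23 port 51260 ssh2
Jun 15 10:00:11 web1 sshd[1206]: Failed password for root from 198.51.100.23 port 51266 ssh2
Jun 15 10:00:20 web1 sshd[1207]: Failed password for deploy from 192.0.2.9 port 40010 ssh2
Jun 15 10:00:25 web1 sshd[1208]: Accepted publickey for deploy from 192.0.2.9 port 40012 ssh2: ED25519 SHA256:constructed
Jun 15 10:00:30 web1 sshd[1209]: Failed password for deploy from 192.0.2.9 port 40020 ssh2
EOF
}

if [ "${1:-}" = "--apply" ]; then
    [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; exit 1; }
    render_jail_local "$SSH_PORT" > /etc/fail2ban/jail.local
    systemctl restart fail2ban
    fail2ban-client status sshd
else
    tmp="$(mktemp)"; sample_auth_log > "$tmp"
    echo "sources with >= 5 failed passwords in the constructed sample:"
    failed_logins_by_ip "$tmp" 5
    rm -f "$tmp"
fi
```

Point `failed_logins_by_ip` at the real `/var/log/auth.log` (or `journalctl -u ssh --no-pager` output) during a monthly review and compare against `fail2ban-client status sshd`: a source with many failures that never got banned usually means the jail is watching the wrong port or the wrong backend.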

The Philosophy

Security is not a one-time setup. It is a practice. Review your configurations monthly, audit your access logs, and assume that any system connected to the internet is a target.

Written by Shyam