
Linux Server Hardening Baseline: SSH, Patching, and Logging

A minimum-viable hardening baseline for Linux servers. Covers SSH configuration, automated patching, centralized logging, and firewall rules.


Every Linux server exposed to a network is a target. Default configurations are designed for ease of use, not security. Hardening is the process of replacing those defaults with configurations that reduce attack surface, limit blast radius, and create audit trails.

This article is a 2026 baseline hardening checklist. It covers the items that every production Linux server should have in place regardless of workload. It is not a comprehensive security guide—it is a minimum standard. The security hub on this site covers deeper security topics, and the application security path provides a structured progression.

The Linux hub and Linux administration path cover the system administration fundamentals that this checklist builds on. For related planning, see the Ubuntu 26.04 LTS upgrade plan, Ubuntu release cadence guide, and kernel 7.0 testing plan.

SSH hardening

SSH is the primary remote access method and the first thing attackers probe. Lock it down:

Disable password authentication

Use key-based authentication exclusively. In /etc/ssh/sshd_config:

PasswordAuthentication no
PubkeyAuthentication yes

Disable root login

PermitRootLogin no

Require users to log in with their own account and use sudo for privilege escalation.

Use Ed25519 keys

Ed25519 keys are shorter, faster, and more secure than RSA keys. Generate with ssh-keygen -t ed25519. Disable older key types on the server if all clients support Ed25519.

Limit SSH access

Restrict which users can SSH by adding:

AllowUsers deploy monitor admin

Or use AllowGroups to manage access via group membership.

Change default port (optional)

Changing the SSH port from 22 reduces automated scanning noise. It is not a security measure on its own—any determined attacker will find the real port—but it eliminates the bulk of brute-force attempts.

Enable fail2ban or similar

Install fail2ban to automatically block IP addresses after repeated failed authentication attempts. Configure it to ban after 3–5 failures for at least 30 minutes.
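As an added example (not from the article), a shell check that tests a dumped sshd configuration against the settings in this section. It assumes the keyword/value format printed by `sshd -T`; the function name and the sample file are chosen here.

```shell
#!/bin/sh
# Check the effective sshd configuration against the SSH baseline above.
# Input: a file in the "keyword value" format printed by `sshd -T`, which
# resolves Include files and defaults, so an unset option shows its default.
# Prints one FAIL line per deviation and returns the number of deviations.

ssh_baseline_check() {
    cfg="$1"
    findings=0

    # Value of one keyword; sshd -T prints keywords in lowercase, and list
    # options such as AllowUsers appear as one line per entry.
    get() { awk -v k="$1" '$1 == k { print $2; exit }' "$cfg"; }

    require() {  # require <keyword> <value the baseline demands>
        actual=$(get "$1")
        if [ "$actual" != "$2" ]; then
            echo "FAIL: $1 is '${actual:-unset}', baseline requires '$2'"
            findings=$((findings + 1))
        fi
    }

    require passwordauthentication no
    require pubkeyauthentication yes
    require permitrootlogin no

    # Either AllowUsers or AllowGroups satisfies the "limit SSH access" item.
    if [ -z "$(get allowusers)" ] && [ -z "$(get allowgroups)" ]; then
        echo "FAIL: neither AllowUsers nor AllowGroups is set"
        findings=$((findings + 1))
    fi
    return "$findings"
}

# Constructed sample of `sshd -T` output, not taken from a real host:
# root login is still permitted, so the check reports one finding.
sample=$(mktemp)
cat > "$sample" <<'EOF'
passwordauthentication no
pubkeyauthentication yes
permitrootlogin yes
allowgroups ssh-users
EOF
ssh_baseline_check "$sample" || echo "$? baseline violation(s)"
rm -f "$sample"

# On a live host (root needed, because sshd -T loads the host keys):
#   sudo sshd -T > /tmp/sshd-effective.conf && ssh_baseline_check /tmp/sshd-effective.conf
```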

User management

Principle of least privilege

Every user account should have the minimum permissions needed for its function. Avoid giving sudo ALL to service accounts or deployment users.

Remove or lock unused accounts

Audit the user list with cat /etc/passwd. Lock any account that is not actively needed:

sudo usermod -L unused_account

Use strong password policies

Even with SSH key authentication, local password policies matter for sudo and console access. Set minimum length (12+ characters) and maximum age (90 days) via /etc/login.defs and PAM configuration.

Separate service accounts

Run each application under its own service account with no login shell. In the systemd unit file, set User=appname and NoNewPrivileges=true.

Patching strategy

Automatic security updates

Enable unattended security updates. On Ubuntu:

sudo apt install unattended-upgrades
sudo dpkg-reconfigure -plow unattended-upgrades

Configure it to apply security patches automatically and send email notifications on failures.

Patching cadence

  • Security patches: apply within 48 hours of release
  • Bug fix updates: apply within one week, after testing
  • Kernel updates: apply within one week, with a reboot planned
  • Major version upgrades: follow a planned upgrade cycle

Reboot management

Some patches (especially kernel updates) require a reboot to take effect. Use needrestart or checkrestart to identify running processes using outdated libraries.

Logging and auditing

Centralise logs

Ship all logs to a central logging system (syslog-ng, rsyslog, or a cloud logging service). Local logs can be tampered with if an attacker gains access to the server.

Enable auditd

The Linux audit framework (auditd) records system calls and can alert on suspicious activity:

  • File access to sensitive files (/etc/passwd, /etc/shadow, SSH keys)
  • Privilege escalation (sudo, su)
  • User creation and deletion
  • Network socket creation
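An added example, not from the article: an auditctl rule set that maps the four bullets above to file watches and syscall rules. The rule keys, the rules.d file name and the function names are assumptions made here.

```shell
#!/bin/sh
# Audit rules for the four categories above, in auditctl syntax. Written as a
# rules.d fragment so `augenrules --load` installs them and they survive reboot.
# Every rule carries a -k key, so `ausearch -k <key>` retrieves matching events.

audit_baseline_rules() {
    cat <<'EOF'
## Sensitive files: account databases, sudo policy, sshd config, root's SSH keys
-w /etc/passwd -p wa -k identity
-w /etc/shadow -p wa -k identity
-w /etc/sudoers -p wa -k identity
-w /etc/sudoers.d/ -p wa -k identity
-w /etc/ssh/sshd_config -p wa -k sshd_config
-w /root/.ssh/ -p rwa -k ssh_keys

## Privilege escalation: executions of sudo and su, plus uid/gid changes by any process
-w /usr/bin/sudo -p x -k privesc
-w /usr/bin/su -p x -k privesc
-a always,exit -F arch=b64 -S setuid,setresuid,setgid,setresgid -k privesc

## User creation and deletion
-w /usr/sbin/useradd -p x -k user_mgmt
-w /usr/sbin/userdel -p x -k user_mgmt
-w /usr/sbin/usermod -p x -k user_mgmt

## Network socket creation, restricted to IPv4/IPv6 (a0 = address family) to
## keep the volume manageable; unix sockets are created constantly.
-a always,exit -F arch=b64 -S socket -F a0=2 -k net_socket
-a always,exit -F arch=b64 -S socket -F a0=10 -k net_socket
EOF
}

# Installation step (root required): write the fragment and load the merged rule set.
install_audit_rules() {
    audit_baseline_rules > /etc/audit/rules.d/50-hardening-baseline.rules
    augenrules --load
}
```

Run `auditctl -l` afterwards to confirm the loaded rules match the fragment.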

Protect log integrity

Set log files to append-only where possible. Ship logs off-machine immediately. If an attacker deletes local logs, the centralised copy remains intact.

Monitor for anomalies

Set up alerts for:

  • SSH login failures above a threshold
  • Successful logins from unexpected IP addresses or at unusual times
  • Changes to /etc/ configuration files
  • New cron jobs or systemd timers
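As an added example (not part of the article), detection logic covering the first two alerts above, run over constructed sshd log lines. The function name, the threshold and the expected address prefix are assumptions made here.

```shell
#!/bin/sh
# Detection for two of the alerts above, run over sshd lines from auth.log:
# failed logins per source IP at or above a threshold, and successful logins
# from outside the address prefix operators are expected to come from.
# Usage: ssh_alerts <failure-threshold> <expected-ip-prefix> < /var/log/auth.log
# Prints one ALERT line per finding and returns the number of alerts.

ssh_alerts() {
    alerts=$(awk -v thr="$1" -v ok="$2" '
        # sshd names the peer after "from" and the account after "for".
        function peer(    i) { for (i = 1; i <= NF; i++) if ($i == "from") return $(i + 1); return "" }
        function user(    i) { for (i = 1; i <= NF; i++) if ($i == "for")  return $(i + 1); return "" }
        /sshd\[[0-9]+\]: Failed password/ { fails[peer()]++ }
        /sshd\[[0-9]+\]: Accepted /       {
            ip = peer()
            # Literal prefix comparison, not a regex, so the dots stay literal.
            if (substr(ip, 1, length(ok)) != ok)
                print "ALERT unexpected-login user=" user() " from=" ip
        }
        END { for (ip in fails) if (fails[ip] + 0 >= thr + 0)
                  print "ALERT brute-force from=" ip " failures=" fails[ip] }
    ')
    [ -z "$alerts" ] && return 0
    printf '%s\n' "$alerts"
    return "$(printf '%s\n' "$alerts" | awk 'END { print NR }')"
}

# Constructed auth.log excerpt (TEST-NET addresses, not real hosts): three
# failures from one address, then a key login from that same address.
SAMPLE_AUTH_LOG='Mar  3 10:15:01 web1 sshd[2201]: Failed password for invalid user admin from 203.0.113.45 port 51022 ssh2
Mar  3 10:15:03 web1 sshd[2203]: Failed password for root from 203.0.113.45 port 51030 ssh2
Mar  3 10:15:05 web1 sshd[2205]: Failed password for invalid user oracle from 203.0.113.45 port 51041 ssh2
Mar  3 10:15:09 web1 sshd[2207]: Failed password for deploy from 198.51.100.7 port 40100 ssh2
Mar  3 10:16:10 web1 sshd[2230]: Accepted publickey for deploy from 198.51.100.7 port 40122 ssh2: ED25519 SHA256:constructed
Mar  3 10:17:44 web1 sshd[2241]: Accepted publickey for deploy from 203.0.113.45 port 51100 ssh2: ED25519 SHA256:constructed'

# Expected: a brute-force alert for 203.0.113.45 (3 failures) and an
# unexpected-login alert for the key login from that address; 2 alerts.
printf '%s\n' "$SAMPLE_AUTH_LOG" | ssh_alerts 3 "198.51.100." || echo "$? alert(s) raised"
```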

Firewall configuration

Default deny

Set the default policy to drop all incoming traffic, then explicitly allow only the ports you need:

sudo ufw default deny incoming
sudo ufw default allow outgoing
sudo ufw allow ssh
sudo ufw allow 80/tcp
sudo ufw allow 443/tcp
sudo ufw enable

Rate limiting

Apply rate limiting to SSH and any other service exposed to the internet. UFW supports rate limiting with sudo ufw limit ssh.

Review regularly

Firewall rules accumulate over time. Review them quarterly and remove rules for services that are no longer running.

Backup validation

The 3-2-1 rule

Keep at least 3 copies of critical data, on 2 different storage types, with 1 copy off-site.

Test restores

A backup that has not been restored is not a backup—it is a hope. Test restores quarterly:

  1. Restore to a separate machine
  2. Verify data integrity
  3. Verify application functionality
  4. Document the time required

Encrypt backups

Encrypt backups at rest and in transit. If a backup is stolen, encryption is the only remaining protection.

Validation checklist

After applying these hardening measures, validate:

  • [ ] SSH: password authentication disabled, root login disabled, key-only access
  • [ ] Users: unused accounts locked, service accounts isolated, sudo configured with least privilege
  • [ ] Patching: automatic security updates enabled, reboot management in place
  • [ ] Logging: centralised logging active, auditd configured, alerts set
  • [ ] Firewall: default deny, only necessary ports open, rate limiting on SSH
  • [ ] Backups: automated, encrypted, tested restore within the last quarter
