Linux Production Checklist: Harden Your Server

A hardened Linux server is one where the attack surface has been minimized and the remaining services are configured to resist compromise.

Here’s a checklist to run through for production systems:

1. Secure SSH Access

  • Problem: SSH is a primary entry point. Default configurations are often too permissive.
  • Diagnosis: Check /etc/ssh/sshd_config for settings like PermitRootLogin, PasswordAuthentication, AllowUsers, AllowGroups, Port.
  • Common Causes & Fixes:
    • Root Login Enabled: PermitRootLogin no - Prevents direct root logins, forcing users to log in as their own user and then su or sudo to root. This provides an audit trail.
    • Password Authentication Enabled: PasswordAuthentication no - Disables password-based logins entirely. This forces the use of SSH keys, which are much harder to brute-force. Ensure you have PubkeyAuthentication yes set.
    • Unnecessary User/Group Access: AllowUsers user1 user2 or AllowGroups sshusers - Explicitly define who can log in via SSH. If no AllowUsers or AllowGroups directive is present, all users can attempt to log in.
    • Default Port (22): Port 2222 - Changing the default SSH port can reduce automated bot scans, though it’s not a security panacea. Ensure you update any firewall rules accordingly.
    • Protocol Version 1: Protocol 2 - SSHv1 is deprecated and insecure. Ensure only SSHv2 is allowed. OpenSSH 7.6 and later have removed SSHv1 support entirely and treat the Protocol keyword as deprecated, so this line only matters on older installations.
  • Restart SSH: validate the file first with sudo sshd -t (a syntax error would leave sshd unable to start), then sudo systemctl restart sshd. Keep your current session open until a fresh login with the new settings succeeds.
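A small audit of the directives above, added here as an example rather than taken from the checklist. It assumes GNU/BSD awk and coreutils; the sample sshd_config is constructed, and the point it makes is that sshd uses the first occurrence of a keyword, so an audit that greps for the last one gets the wrong answer.

```shell
#!/bin/sh
# Added example (not part of the original checklist): audit an sshd_config
# against the directives above. sshd honours only the FIRST occurrence of a
# keyword, so the audit keeps the first match rather than the last one, and
# matches keywords case-insensitively, as sshd does.

# first_value FILE KEYWORD DEFAULT -> effective value (DEFAULT if absent)
first_value() {
  awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" -v def="$3" '
    /^[ \t]*(#|$)/ { next }                           # comments and blanks
    tolower($1) == key && !found { print $2; found = 1 }
    END { if (!found) print def }' "$1"
}

# audit_sshd_config FILE -> one "FAIL ..." line per finding; returns the count
audit_sshd_config() {
  f=$1; fails=0
  # Keyword|expected|OpenSSH default when the keyword is absent
  for spec in 'PermitRootLogin|no|prohibit-password' \
              'PasswordAuthentication|no|yes' \
              'PubkeyAuthentication|yes|yes'; do
    key=${spec%%|*}; rest=${spec#*|}; want=${rest%%|*}; def=${rest#*|}
    got=$(first_value "$f" "$key" "$def")
    if [ "$got" != "$want" ]; then
      echo "FAIL $key=$got (want $want)"; fails=$((fails + 1))
    fi
  done
  # Without AllowUsers/AllowGroups every account may attempt to log in
  if ! grep -Eiq '^[[:space:]]*Allow(Users|Groups)[[:space:]]' "$f"; then
    echo "FAIL no AllowUsers/AllowGroups directive"; fails=$((fails + 1))
  fi
  return "$fails"
}

# Constructed sample: sshd uses the first PermitRootLogin (yes) and ignores
# the second; PasswordAuthentication is absent, so its default (yes) applies.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
# hardened? not quite
Port 2222
permitrootlogin yes
PermitRootLogin no
PubkeyAuthentication yes
AllowGroups sshusers
EOF
audit_sshd_config "$SAMPLE"; echo "findings: $?"
```

Run it against /etc/ssh/sshd_config on a host to get the same FAIL lines for the real file.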

2. Firewall Configuration (iptables/firewalld)

  • Problem: Unnecessary open ports expose services to the network.
  • Diagnosis:
    • iptables: sudo iptables -L -v -n
    • firewalld: sudo firewall-cmd --list-all
  • Common Causes & Fixes:
    • Too Many Open Ports: Review the output of the diagnostic commands. For example, if you see ACCEPT for ports 80 and 443 but no web server is running, close them.
      • iptables: sudo iptables -D INPUT -p tcp --dport 80 -j ACCEPT (removes the rule allowing port 80). Then persist with sudo sh -c 'iptables-save > /etc/sysconfig/iptables' (or the equivalent path for your distro). A plain sudo iptables-save > /etc/sysconfig/iptables fails, because the redirection runs as your unprivileged user, not as root.
      • firewalld: sudo firewall-cmd --zone=public --remove-port=80/tcp --permanent followed by sudo firewall-cmd --reload.
    • Default Policy is ACCEPT: sudo iptables -P INPUT ACCEPT is dangerous. Change it to DROP or REJECT.
      • iptables: sudo iptables -P INPUT DROP. This requires explicitly allowing all necessary traffic, so add the ACCEPT rules for SSH, loopback and established connections before switching the policy, or you will lock yourself out of a remote host.
      • firewalld: The default zone policy is usually restrictive, but ensure you’re not leaving the default zone wide open.
    • Missing Established Connection Tracking: Ensure you have a rule like iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT. This allows return traffic for connections initiated from your server.
  • Persistence:
    • iptables: sudo service iptables save or sudo netfilter-persistent save (depending on distro).
    • firewalld: Changes made with --permanent are persistent.
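The "ACCEPT for port 80 but no web server" review above can be scripted by cross-checking the INPUT rules against the listening sockets. This is an added example, not part of the checklist; the iptables-save and ss -tulnp outputs below are constructed samples, and the functions assume the GNU formats of those two tools.

```shell
#!/bin/sh
# Added example (not part of the original checklist): cross-check INPUT rules
# from `iptables-save` against listeners from `ss -tulnp`, flagging ACCEPT
# rules for ports nothing listens on (the "port 80 open, no web server" case
# above). Both inputs are constructed samples; on a live host feed the real output.
# accepted_ports RULESFILE -> "proto/port" per INPUT rule that ACCEPTs a --dport
accepted_ports() {
  awk '$1 == "-A" && $2 == "INPUT" && /-j ACCEPT/ {
    proto = ""; port = ""
    for (i = 3; i <= NF; i++) {
      if ($i == "-p") proto = $(i + 1)
      if ($i == "--dport") port = $(i + 1)
    }
    if (proto != "" && port != "") print proto "/" port
  }' "$1"
}

# listening_ports SSFILE -> "proto/port" per LISTEN (tcp) or UNCONN (udp) socket
listening_ports() {
  awk 'NR > 1 && ($2 == "LISTEN" || $2 == "UNCONN") {
    n = split($5, a, ":"); print $1 "/" a[n]   # port follows the last colon
  }' "$1"
}

# unexposed_open_ports RULESFILE SSFILE -> accepted ports with no listener
unexposed_open_ports() {
  accepted_ports "$1" | sort -u | while read -r p; do
    listening_ports "$2" | grep -qxF "$p" || echo "$p"
  done
}

RULES=$(mktemp); SOCKS=$(mktemp)
cat > "$RULES" <<'EOF'
*filter
:INPUT DROP [0:0]
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p udp -m udp --dport 111 -j ACCEPT
COMMIT
EOF
cat > "$SOCKS" <<'EOF'
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
udp   UNCONN 0      0      0.0.0.0:111       0.0.0.0:*    users:(("rpcbind",pid=612,fd=5))
tcp   LISTEN 0      128    0.0.0.0:22        0.0.0.0:*    users:(("sshd",pid=801,fd=3))
EOF
unexposed_open_ports "$RULES" "$SOCKS"
```

On a real host, `sudo iptables-save > rules.txt` and `sudo ss -tulnp > socks.txt` (run as root, since the redirection needs to read root-only output) give the two inputs; every line printed is a candidate for removal with the -D command above.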

3. Unnecessary Services

  • Problem: Every running service is a potential vulnerability.
  • Diagnosis:
    • sudo systemctl list-units --type=service --state=running
    • sudo ss -tulnp (shows listening sockets and the processes using them)
  • Common Causes & Fixes:
    • Unused Daemons: If ss shows a service listening on a port (e.g., rpcbind on 111/tcp or udp) and you don’t need it for NFS or other RPC services, disable it.
      • sudo systemctl disable --now <service-name> (e.g., sudo systemctl disable --now rpcbind)
    • NetworkManager on Servers: On production servers, NetworkManager can sometimes interfere with static IP configurations or be an unnecessary service.
      • sudo systemctl disable --now NetworkManager (ensure you have networking configured via netplan, ifcfg-scripts, etc., before disabling).
    • AVAHI/Avahi-daemon: Used for Zeroconf networking, typically not needed on servers.
      • sudo systemctl disable --now avahi-daemon

4. File Integrity Monitoring

  • Problem: Unauthorized modifications to critical system files go unnoticed unless something is watching for them.
  • Diagnosis: Install and configure AIDE (Advanced Intrusion Detection Environment) or Tripwire.
  • Common Causes & Fixes:
    • No FIM Installed: sudo apt update && sudo apt install aide (Debian/Ubuntu) or sudo yum install aide (RHEL/CentOS).
    • Database Not Initialized: After installation, you must create the initial database.
      • sudo aide --init
      • sudo mv /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz
    • Regular Checks Not Scheduled: Schedule aide --check to run daily via cron or systemd timers.
  • Why it works: AIDE creates a database of file checksums and attributes. When run again, it compares the current state to the database, flagging any changes.
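To make the "database of checksums and attributes, compared on the next run" idea concrete, here is a miniature of that cycle in shell. It is an added teaching example, not AIDE's code or a substitute for it; it assumes GNU coreutils (sha256sum, stat -c) and builds its own throwaway directory tree.

```shell
#!/bin/sh
# Added example (not part of the original checklist): a minimal file-integrity
# check in the spirit of `aide --init` and `aide --check`. The baseline stores
# a SHA-256 digest plus mode, owner and size for every file under a directory;
# the check reports CHANGED, ADDED and REMOVED files against that baseline.
# A teaching stand-in for AIDE's database/compare cycle, not a replacement.

# fim_baseline DIR DBFILE -> one "path|sha256|mode owner size" line per file
fim_baseline() {
  find "$1" -type f | LC_ALL=C sort | while read -r f; do
    sum=$(sha256sum "$f" | cut -d' ' -f1)
    attrs=$(stat -c '%a %U %s' "$f")            # GNU stat: mode, owner, size
    printf '%s|%s|%s\n' "$f" "$sum" "$attrs"
  done > "$2"
}

# fim_check DIR DBFILE -> prints "CHANGED|ADDED|REMOVED path" lines, sorted
fim_check() {
  cur=$(mktemp); fim_baseline "$1" "$cur"
  # First pass loads the baseline; second pass walks the current state.
  awk -F'|' 'NR == FNR { base[$1] = $2 "|" $3; next }
    { seen[$1] = 1
      if (!($1 in base))              print "ADDED " $1
      else if (base[$1] != $2 "|" $3) print "CHANGED " $1 }
    END { for (p in base) if (!(p in seen)) print "REMOVED " p }' "$2" "$cur" | sort
  rm -f "$cur"
}

# Constructed demo: build a tree, baseline it, then change it four ways.
WORK=$(mktemp -d); DB=$(mktemp)
printf 'root:x:0:0\n'         > "$WORK/passwd"
printf 'PermitRootLogin no\n' > "$WORK/sshd_config"
printf 'stale\n'              > "$WORK/old.conf"
fim_baseline "$WORK" "$DB"
printf 'PermitRootLogin yes\n' > "$WORK/sshd_config"   # content change
chmod 400 "$WORK/passwd"                               # attribute-only change
printf 'dropped in\n' > "$WORK/new.conf"               # added file
rm "$WORK/old.conf"                                    # removed file
fim_check "$WORK" "$DB"
```

The attribute-only change on passwd is why AIDE records more than a hash: a permission change with identical content is still a finding.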

5. Kernel Security Parameters (sysctl)

  • Problem: Default kernel network settings accept spoofed, redirected and source-routed traffic that a production server should reject; these parameters tune the kernel’s network and memory behavior to resist such attacks.
  • Diagnosis: View current settings with sudo sysctl -a. Edit /etc/sysctl.conf or files in /etc/sysctl.d/.
  • Common Causes & Fixes:
    • IP Spoofing Vulnerability: net.ipv4.conf.all.rp_filter = 1 - Enables reverse path filtering, which checks if the incoming packet’s source IP address is legitimate for the interface it arrived on.
    • SYN Flood Attacks: net.ipv4.tcp_syncookies = 1 - Enables TCP SYN cookies, a mechanism to mitigate SYN flood attacks without dropping legitimate connections.
    • ICMP Redirects: net.ipv4.conf.all.accept_redirects = 0 and net.ipv6.conf.all.accept_redirects = 0 - Disables the acceptance of ICMP redirects, which can be used in man-in-the-middle attacks.
    • Source Routed Packets: net.ipv4.conf.all.accept_source_route = 0 and net.ipv6.conf.all.accept_source_route = 0 - Disables the acceptance of source-routed packets, another potential vector for network attacks.
    • Apply Changes: sudo sysctl -p reloads /etc/sysctl.conf only; use sudo sysctl --system to also load the files in /etc/sysctl.d/.
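The settings above, written as an /etc/sysctl.d drop-in, can double as the expected-state file for a drift check against `sysctl -a`. This is an added example, not part of the checklist; the sysctl -a excerpt is constructed, and the check assumes the "key = value" format both files share.

```shell
#!/bin/sh
# Added example (not part of the original checklist): check a hardening
# drop-in (the settings listed above, in /etc/sysctl.d format) against a
# snapshot of `sysctl -a` and report every key that drifted or is missing.
# The snapshot here is constructed; on a live host use: sysctl -a > snapshot.

# sysctl_drift WANTED SNAPSHOT -> "DRIFT key current=X want=Y" or "MISSING key"
sysctl_drift() {
  # The field separator swallows the spaces around "=" in both file formats.
  awk -F' *= *' '
    NR == FNR { if ($0 !~ /^[ \t]*(#|$)/) want[$1] = $2; next }
    ($1 in want) { cur[$1] = $2 }
    END {
      for (k in want)
        if (!(k in cur))            print "MISSING " k
        else if (cur[k] != want[k]) print "DRIFT " k " current=" cur[k] " want=" want[k]
    }' "$1" "$2" | sort
}

WANTED=$(mktemp); SNAP=$(mktemp)
# The same content can be installed as /etc/sysctl.d/99-hardening.conf
cat > "$WANTED" <<'EOF'
# hardening baseline from the checklist
net.ipv4.conf.all.rp_filter = 1
net.ipv4.tcp_syncookies = 1
net.ipv4.conf.all.accept_redirects = 0
net.ipv6.conf.all.accept_redirects = 0
net.ipv4.conf.all.accept_source_route = 0
net.ipv6.conf.all.accept_source_route = 0
EOF
# Constructed `sysctl -a` excerpt: rp_filter in loose mode (2), redirects
# accepted, and the IPv6 source-route key absent (e.g. IPv6 disabled).
cat > "$SNAP" <<'EOF'
net.ipv4.conf.all.rp_filter = 2
net.ipv4.tcp_syncookies = 1
net.ipv4.conf.all.accept_redirects = 1
net.ipv6.conf.all.accept_redirects = 0
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.ip_forward = 0
EOF
sysctl_drift "$WANTED" "$SNAP"
```

A MISSING key is worth a look on its own: here it means the IPv6 stack is not loaded, which is fine, but on another host it could mean a typo in the drop-in that sysctl --system silently skipped.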

6. Log Management and Auditing

  • Problem: Without adequate logs there is no way to detect suspicious activity or reconstruct an incident afterwards.
  • Diagnosis: Check /etc/rsyslog.conf (or /etc/syslog-ng/syslog-ng.conf), /var/log/ contents, and auditd status.
  • Common Causes & Fixes:
    • Insufficient Logging: Ensure critical services are logging to appropriate files.
    • No Centralized Logging: For multiple servers, logs should be sent to a central, secure log server. Configure rsyslog or syslog-ng to forward logs to a remote host (e.g., *.* @logserver.example.com). A single @ forwards over UDP and @@ over TCP; neither encrypts the stream on its own.
    • Auditd Not Running/Configured: auditd logs detailed system events (file access, command execution, etc.).
      • Install: sudo apt install auditd or sudo yum install auditd.
      • Enable: sudo systemctl enable --now auditd.
      • Configure rules in /etc/audit/rules.d/. A common rule is to watch sensitive files: -w /etc/passwd -p wa -k identity (watch for write/attribute changes to passwd, tag with 'identity'). Load the rules with sudo augenrules --load (or restart auditd) and confirm they are active with sudo auditctl -l.
    • Log Rotation Issues: Ensure logs are rotated (logrotate configuration in /etc/logrotate.d/) to prevent disks from filling up.

7. Software Updates and Patching

  • Problem: Unpatched software is a common source of vulnerabilities.
  • Diagnosis: Regularly check for available updates.
  • Common Causes & Fixes:
    • Manual Updates Only: Relying on manual checks is prone to oversight.
    • Automated Security Updates: Configure unattended upgrades.
      • Debian/Ubuntu: sudo apt install unattended-upgrades && sudo dpkg-reconfigure --priority=low unattended-upgrades
      • RHEL/CentOS 7: sudo yum install yum-cron && sudo systemctl enable --now yum-cron. On RHEL 8+ and Fedora the equivalent is sudo dnf install dnf-automatic && sudo systemctl enable --now dnf-automatic.timer.
    • Regular Manual Review: Even with automation, periodically run sudo apt update && sudo apt list --upgradable or sudo yum check-update to see what’s being applied and if manual intervention is needed.

The next error you’ll likely encounter is related to SELinux or AppArmor blocking legitimate operations due to strict security profiles.
