Essential Linux Server Hardening Steps for Production Environments

Securing a Linux server is one of the most important responsibilities of a system administrator. A poorly configured server can become vulnerable to brute-force attacks, malware, privilege escalation, and unauthorized access.

In this article, I will share some essential Linux server hardening steps that I usually apply after deploying a fresh Ubuntu or Debian server for production use.

1. Update System Packages

The first thing I do is update all installed packages and security patches.

sudo apt update && sudo apt upgrade -y

Keeping packages updated reduces security vulnerabilities and improves server stability.

2. Create a Non-Root Sudo User

Using the root account directly is risky. Instead, create a separate sudo user.

adduser sovrab
usermod -aG sudo sovrab

This improves accountability and reduces direct root exposure.

3. Disable Root SSH Login

Root login through SSH should be disabled to prevent brute-force attacks.

Edit the SSH configuration file:

sudo nano /etc/ssh/sshd_config

Find:

PermitRootLogin yes

Change it to:

PermitRootLogin no

Restart SSH service:

sudo systemctl restart ssh

4. Change Default SSH Port

Changing the default SSH port from 22 to another custom port helps reduce automated attack attempts.

Example:

Port 2222

Do not forget to allow the new port through the firewall.

5. Configure UFW Firewall

Ubuntu ships with UFW (Uncomplicated Firewall), which is easy to configure.

Allow SSH port:

sudo ufw allow 2222/tcp

Enable firewall:

sudo ufw enable

Check status:

sudo ufw status

6. Install Fail2Ban

Fail2Ban protects servers from repeated failed login attempts.

Install:

sudo apt install fail2ban -y

Enable and start:

sudo systemctl enable fail2ban
sudo systemctl start fail2ban

Check status:

sudo fail2ban-client status

7. Configure Automatic Security Updates

Automatic security updates help patch vulnerabilities quickly.

Install unattended upgrades:

sudo apt install unattended-upgrades

Enable:

sudo dpkg-reconfigure unattended-upgrades

8. Disable Unused Services

Unused services increase attack surfaces.

Check running services:

sudo systemctl list-units --type=service

Disable unnecessary services:

sudo systemctl disable service-name

9. Monitor Server Resources

Resource monitoring helps detect unusual activity and performance bottlenecks.

Useful commands:

htop
df -h
free -m
uptime

10. Secure Shared Hosting Environments

For cPanel or shared hosting servers, additional security measures are recommended:

• Configure CSF firewall
• Enable ModSecurity
• Harden PHP functions
• Use CloudLinux isolation
• Enable ImunifyAV or Imunify360
• Configure secure backups

11. Backup Strategy

Backups are critical for disaster recovery.

Important backup locations:

• Website files
• MySQL databases
• Configuration files
• DNS zones
• Email accounts

I usually automate backups using shell scripts and remote storage solutions.

12. Docker Security Basics

If Docker is installed:

• Avoid running containers as root
• Use trusted images only
• Keep images updated
• Limit container privileges
• Monitor exposed ports

Check containers:

docker ps

Conclusion

Linux server hardening is not a one-time task. Security requires continuous monitoring, patching, auditing, and optimization.

A properly secured Linux server improves reliability, uptime, and infrastructure stability while reducing security risks.

As a Linux System Administrator and Server Engineer, I regularly work with Linux servers, cloud infrastructure, Docker, cPanel, hosting technologies, and production environment optimization.

🌐 Portfolio:
https://sovrabroy.online

linux #devops #cloud #docker #serveradministration