Linux Server Security Hardening Essentials

Essential security configurations for Linux servers based on CompTIA Linux+ best practices and real-world implementation.

Based on my CompTIA Linux+ certification and production experience, here are essential hardening steps I apply to every Linux server.

1. Initial System Updates

Always start with a fully patched system:

# Debian/Ubuntu
sudo apt update && sudo apt upgrade -y

# RHEL/CentOS/Fedora
sudo dnf update -y

2. User Access Management

Disable Root Login

Edit /etc/ssh/sshd_config:

PermitRootLogin no

Implement sudo Privileges

Add users to the sudo group instead of sharing the root account:

sudo usermod -aG sudo username

Enforce Strong Passwords

Install libpam-pwquality and set the following in /etc/security/pwquality.conf:

minlen = 12
dcredit = -1
ucredit = -1
ocredit = -1
lcredit = -1

3. SSH Hardening

Key settings in /etc/ssh/sshd_config (comments sit on their own lines, because sshd_config only documents lines starting with # as comments):

# Non-standard port
Port 2222
# Key-based only
PasswordAuthentication no
MaxAuthTries 3
ClientAliveInterval 300
ClientAliveCountMax 2
# Whitelist approach
AllowUsers user1 user2

4. Firewall Configuration

# UFW (Ubuntu/Debian)
sudo ufw default deny incoming
sudo ufw default allow outgoing
sudo ufw allow 2222/tcp
sudo ufw enable

# firewalld (RHEL/CentOS)
sudo firewall-cmd --permanent --remove-service=ssh
sudo firewall-cmd --permanent --add-port=2222/tcp
sudo firewall-cmd --reload

5. File System Security

Separate Partitions

  • /var/log - Prevents logs from filling root
  • /tmp - With noexec flag
  • /home - User data isolation

Mount Options

Add to /etc/fstab:

tmpfs /tmp tmpfs defaults,noexec,nosuid,nodev 0 0

6. Monitoring and Auditing

Enable auditd for system call monitoring:

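# Debian/Ubuntu
sudo apt install auditd
# Watch writes (w) and attribute changes (a) on the account databases.
# auditctl rules do not survive a reboot; persist them under /etc/audit/rules.d/.
sudo auditctl -w /etc/passwd -p wa -k identity
sudo auditctl -w /etc/shadow -p wa -k identity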

7. Automated Scanning

Schedule regular scans with Lynis:

sudo lynis audit system --quick

8. Backup Verification

Security includes recovery capability:

  • Automated daily backups
  • Monthly restoration tests
  • Offsite backup storage

Verification Checklist

  • No direct root login
  • SSH on non-standard port
  • Key-based authentication only
  • Firewall active with minimal rules
  • Automatic updates enabled
  • Auditing configured
  • Backups scheduled and tested
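
One way to check the SSH items on this checklist against a running host, as an added example that is not part of the original post: the function compares `sshd -T` output (sshd's dump of its effective configuration) with the values from sections 2 and 3. The function name, the FAIL output format and both sample inputs are made up for illustration.

```shell
#!/bin/sh
# Added example: compare effective sshd settings with this page's baseline.
# Expected values come from sections 2 and 3 above.
BASELINE='permitrootlogin no
passwordauthentication no
port 2222
maxauthtries 3
clientaliveinterval 300
clientalivecountmax 2'

# check_sshd reads `sshd -T` output (lowercase "keyword value" lines) on stdin,
# prints one FAIL line per deviation and returns the number of deviations.
check_sshd() {
    effective=$(cat)
    failures=0
    while read -r key want; do
        # Join every value seen for the keyword, so an extra listening
        # port (22 left open beside 2222) is reported instead of masked.
        got=$(printf '%s\n' "$effective" |
            awk -v k="$key" '$1 == k { v = (v == "" ? $2 : v "," $2) } END { print v }')
        if [ "$got" != "$want" ]; then
            echo "FAIL $key: want '$want', got '${got:-unset}'"
            failures=$((failures + 1))
        fi
    done <<EOF
$BASELINE
EOF
    return "$failures"
}

# Constructed sample: a host that matches the baseline.
SAMPLE_HARDENED="$BASELINE"

# Constructed sample: port 22 still open, passwords allowed, one keyword absent.
SAMPLE_WEAK='port 22
port 2222
permitrootlogin no
passwordauthentication yes
maxauthtries 3
clientaliveinterval 300'

# Demo on the constructed sample. On a real host: sudo sshd -T | check_sshd
printf '%s\n' "$SAMPLE_WEAK" | check_sshd ||
    echo "$? setting(s) deviate from the baseline"
```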

These practices provide a strong security foundation for any Linux server deployment.
