Linux server hardening checklist
Topic: Servers linux
Summary
Checklist for securing a new or existing Linux server: SSH key-only and no root login, firewall default deny, updates, non-root service user, minimal packages, and logging. Use this before putting a server in production or during a security review.
Intent: Checklist
Quick answer
- SSH: PermitRootLogin no, PasswordAuthentication no, PubkeyAuthentication yes; firewall: allow only 22 (or SSH port), 80, 443; default deny.
- Updates: apt upgrade or dnf update on a schedule; remove unused packages; create a non-root user for the app and run service as that user.
- Audit: no unnecessary services (systemctl list-units); log retention and rotation; backup /etc and critical data; document changes.
Prerequisites
Steps
- SSH and access: Disable root login and password auth; use key-only; optional: change port, AllowUsers list; test in new session before closing current.
- Firewall and services: Enable ufw or nftables; allow only required ports; disable and mask unused services (systemctl disable --now).
- Updates and minimal install: Apply security updates; remove packages not needed; run unattended-upgrades or cron for patches; pin kernel if needed.
- Application and logging: Run app as dedicated user; least privilege dirs; configure logrotate and journald limits; back up /etc and data; document.
Summary
You will run through a hardening checklist: SSH, firewall, updates, minimal install, non-root service user, and logging. Use this before go-live or during an audit so the server meets a baseline security standard.
Prerequisites
- Root or sudo; SSH and firewall guides done or in progress.
Steps
Step 1: SSH and access
- PermitRootLogin no, PasswordAuthentication no, PubkeyAuthentication yes.
- Test new session; then close old one. Optional: AllowUsers, different port.
Step 2: Firewall and services
- ufw enable or nftables with default drop; allow 22, 80, 443 (or your ports).
- systemctl list-units --type=service; disable and mask what is not needed.
Step 3: Updates and minimal install
- apt upgrade / dnf update; schedule or use unattended-upgrades.
- Remove unneeded packages; keep kernel updates or pin if required.
Step 4: Application and logging
- Service runs as its own user; dirs with least privilege.
- Logrotate and journald limits; backup /etc and data; document changes.
Verification
- SSH key-only and no root; firewall allows only required ports; no extra services; updates applied; logs and backups configured.
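As an added example (not part of this page or any distribution's tooling), the shell helpers below cover Step 1, Step 2 and the verification bullet: one function reads the effective value of an sshd directive from a config file, one checks the three SSH settings from the quick answer, and one renders a default-drop nftables ruleset for the allowed ports. Assumptions: bash with awk is available; the config path and port list are passed as arguments so the checks can be run against a copied file; the function names are mine. On a live host `sshd -T` is the authoritative view of effective settings (it resolves Include drop-ins and Match blocks), so treat the parser as a review aid for copied files rather than a replacement for it.

```shell
#!/usr/bin/env bash
# Added example for the hardening checklist; not from the original page.
# Assumes bash + awk. Function names are the author's own choice.

# Print the effective value of an sshd directive from a config file.
# sshd uses the FIRST occurrence of a keyword, and anything after a
# "Match" line only applies conditionally, so stop at the first hit and
# stop entirely at the first Match block. Commented lines start with '#'
# in $1 and so never match the keyword.
sshd_directive() {
    local file=$1 key=$2
    awk -v key="$key" '
        tolower($1) == "match" { exit }
        tolower($1) == tolower(key) { print $2; exit }
    ' "$file"
}

# Check the three quick-answer settings. Returns 0 when all hold, 1 when
# any fails, and names each failing directive on stdout.
# PubkeyAuthentication defaults to yes, so "unset" is accepted for it.
check_sshd_hardening() {
    local file=$1 rc=0 v
    v=$(sshd_directive "$file" PermitRootLogin)
    [ "$v" = "no" ] || { echo "PermitRootLogin is '${v:-unset}', want no"; rc=1; }
    v=$(sshd_directive "$file" PasswordAuthentication)
    [ "$v" = "no" ] || { echo "PasswordAuthentication is '${v:-unset}', want no"; rc=1; }
    v=$(sshd_directive "$file" PubkeyAuthentication)
    [ -z "$v" ] || [ "$v" = "yes" ] || { echo "PubkeyAuthentication is '$v', want yes"; rc=1; }
    return "$rc"
}

# Render an nftables ruleset: default drop on input, loopback and
# established traffic allowed, ICMP allowed, and only the listed TCP ports
# open. Review the output, then load it with: nft -f FILE
render_nft_ruleset() {
    local ports
    ports=$(printf '%s, ' "$@")
    ports=${ports%, }
    cat <<EOF
table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        iif "lo" accept
        ct state established,related accept
        ct state invalid drop
        meta l4proto { icmp, ipv6-icmp } accept
        tcp dport { $ports } accept
    }
    chain forward { type filter hook forward priority 0; policy drop; }
    chain output { type filter hook output priority 0; policy accept; }
}
EOF
}

# Demo against a constructed config (run with --demo). On a real host you
# would instead copy /etc/ssh/sshd_config out and audit the copy, then
# render the ruleset for your ports and test it with: nft -c -f FILE
if [ "${1:-}" = "--demo" ]; then
    demo_cfg=$(mktemp)
    printf '%s\n' '#PermitRootLogin prohibit-password' 'PermitRootLogin yes' \
        'PasswordAuthentication yes' > "$demo_cfg"   # constructed sample
    check_sshd_hardening "$demo_cfg" || echo "sshd: NOT hardened"
    render_nft_ruleset 22 80 443
    rm -f "$demo_cfg"
fi
```

The parser deliberately ignores everything after the first `Match` line and does not follow `Include`, which is why `sshd -T` remains the source of truth on the box itself; the ruleset keeps the forward chain at drop too, so a host that must route traffic needs an explicit rule there.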
Troubleshooting
Locked out — Use console; restore SSH config or firewall; re-test before closing console.
Service broken after disabling — Re-enable the unit if it was required by the app; disable only what you have verified as unused.