mobile wallpaper 1mobile wallpaper 2mobile wallpaper 3mobile wallpaper 4
334 words
2 minutes
Linux Server Security Baseline in Practice: 12 Must-Do Hardening Steps Before Going Live
2024-06-18

When buying a new VPS, many people’s first step is “installing applications,” but the correct sequence should be “harden first, then go live.” This article provides you with a security baseline that I’ve used long-term, suitable for personal blogs, small API services, and HomeLab public entrances.

1. Accounts and Permissions#

  1. Create a new regular ops user, disable direct root connections.
  2. Give the ops user minimal sudo privileges.
  3. Delete unnecessary system accounts and close unused login shells.
adduser levi
usermod -aG sudo levi
passwd -l root

2. Minimal SSH Exposure#

Edit /etc/ssh/sshd_config:

PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
ChallengeResponseAuthentication no
MaxAuthTries 3
LoginGraceTime 20

Before restarting, be sure to open a new terminal to test and confirm you can log in with keys, then execute:

sudo systemctl restart sshd

3. Firewall Whitelisting#

Deny incoming by default, only allow necessary ports (e.g., 22/80/443).

sudo ufw default deny incoming
sudo ufw default allow outgoing
sudo ufw allow 22/tcp
sudo ufw allow 80/tcp
sudo ufw allow 443/tcp
sudo ufw enable

4. Automatic Security Updates#

  • Debian/Ubuntu: Enable unattended-upgrades.
  • RHEL-based: Enable dnf-automatic update policy.

The core goal is to reduce the “known vulnerability window.”

5. Login Failure Protection#

Install Fail2ban to block brute-force source IPs.

sudo apt install fail2ban -y
sudo systemctl enable --now fail2ban

It is recommended to at least enable the sshd jail and set a reasonable ban duration.

6. Service Minimization#

Execute a service inventory check once:

sudo ss -tulpen
sudo systemctl list-unit-files --type=service

Any public listening port that you “don’t know why it exists” should be disabled first, then verified.

7. Logs and Auditing#

Ensure at least:

  • SSH login logs are traceable.
  • Sudo operations are traceable.
  • System logs are rotated periodically.

It is recommended to retain the last 30-90 days of security logs for tracing anomalies.

8. Backup and Recovery Drills#

Security isn’t just about “preventing intrusions”; it also includes “recoverability.”

  • Configure daily snapshots or off-site backups.
  • Do a recovery drill at least once a month.
  • Backup content must include the site, database, certificates, and critical configurations.

Common Mistakes#

  1. Turning off password login first, configuring keys later, resulting in locking yourself out.
  2. Changing too many firewall rules at once, accidentally blocking port 22.
  3. Only doing backups but never doing recovery verification.

Summary#

Completing the baseline before deploying your business will elevate your server’s risk resistance by an order of magnitude. For personal sites, these 12 items already cover the vast majority of common attack surfaces.

Share

If this article helped you, please share it with others!

Linux Server Security Baseline in Practice: 12 Must-Do Hardening Steps Before Going Live
https://blog.levifree.com/posts/linux-server-security-baseline/
Author
LeviFREE
Published at
2024-06-18
License
CC BY-NC-SA 4.0

Some information may be outdated

Table of Contents