Hardening a Linux Server for Production (CIS-style Checklist)

A production Linux server must be secure, resilient, and compliant. Out-of-the-box defaults are not enough. Attackers actively scan the internet for misconfigured SSH, weak passwords, and unpatched services. To protect your VPS or dedicated server, you need a structured hardening process. The CIS Benchmarks are widely used security checklists for hardening operating systems, and this guide adapts those principles for real-world sysadmin use in 2025.

In this article, we’ll cover SSH security, firewall setup, user management, kernel hardening, logging, intrusion detection, and compliance. By following this checklist, you’ll reduce your attack surface and be ready for production workloads — whether you’re hosting websites, APIs, or databases.


🔹 Step 1: Keep the System Updated

Apply security patches quickly. Automate where possible.

# Ubuntu/Debian
sudo apt update && sudo apt upgrade -y

# RHEL/CentOS
sudo dnf update -y

Enable unattended security upgrades (installing the package is enough on Ubuntu, where it is enabled by default; on Debian you must also enable it after installation):

sudo apt install unattended-upgrades

🔹 Step 2: Secure SSH

Edit /etc/ssh/sshd_config:

Port 2222
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
AllowUsers deploy sysadmin
ClientAliveInterval 300
ClientAliveCountMax 2

Restart SSH (keep your current session open until a fresh key-based login on the new port succeeds, so a mistake cannot lock you out):

sudo systemctl restart sshd

Optional: enforce 2FA with google-authenticator or hardware keys (YubiKey, FIDO2).
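Line order in sshd_config matters more than most people expect: sshd keeps the first value it sees for a keyword and ignores later duplicates, and on recent Ubuntu releases the stock file begins with an Include of /etc/ssh/sshd_config.d/*.conf, so a drop-in shipped by a cloud image that sets PasswordAuthentication yes silently wins over the line you edited further down. The following POSIX sh helper is an added example and is not part of the original article: it reads one sshd_config the way sshd does (first match wins) and reports which of the settings from this step do not match. The function names sshd_effective and sshd_audit are my own.

```shell
#!/bin/sh
# Added example (not from the article): audit an sshd_config file the way sshd
# reads it. Function names are my own. sshd keeps the FIRST value of a keyword
# and ignores later duplicates, so a hardened line appended at the end of the
# file does nothing if an earlier line (or an Include'd drop-in) already set it.

# Print the effective value of keyword $2 in config file $1 (empty if unset).
sshd_effective() {
    key="$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')"
    awk -v key="$key" '
        $0 ~ /^[[:space:]]*#/ || NF == 0 { next }   # skip comments and blank lines
        { sub(/=/, " ") }                           # sshd also accepts "Keyword=value"
        tolower($1) == key { print $2; exit }       # first occurrence wins
    ' "$1"
}

# Check the settings this step asks for. Prints one line per mismatch and
# returns 1 if anything is off, 0 when the file is clean.
sshd_audit() {
    file="$1"; rc=0
    for pair in PermitRootLogin=no PasswordAuthentication=no PubkeyAuthentication=yes; do
        keyword="${pair%%=*}"; want="${pair#*=}"
        got="$(sshd_effective "$file" "$keyword")"
        if [ "$got" != "$want" ]; then
            printf 'MISMATCH %s: want %s, got %s\n' "$keyword" "$want" "${got:-<unset>}"
            rc=1
        fi
    done
    return "$rc"
}

# Stand-alone use: audit the live file (skipped when it is not readable).
if [ -r /etc/ssh/sshd_config ]; then
    sshd_audit /etc/ssh/sshd_config || echo "sshd_config needs attention"
fi
```

The helper deliberately does not follow Include lines or Match blocks; the authoritative answer comes from sshd itself. `sudo sshd -T | grep -Ei '^(port|permitrootlogin|passwordauthentication|pubkeyauthentication) '` prints the values the daemon will actually use after resolving every drop-in, and `sudo sshd -t` validates the syntax before you restart the service.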


🔹 Step 3: Configure a Firewall

Use UFW (Ubuntu) or firewalld (RHEL).

# UFW example
sudo ufw default deny incoming
sudo ufw default allow outgoing
sudo ufw allow 2222/tcp
sudo ufw allow 80/tcp
sudo ufw allow 443/tcp
sudo ufw enable

For advanced rules, configure iptables/nftables directly and log drops.
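The UFW rules above translate directly into an nftables ruleset, and writing it by hand is what gives you logged drops. The script below is an added example, not the article's own configuration: it writes a ruleset that implements the same policy (default deny inbound, allow SSH on 2222, HTTP and HTTPS, keep ICMP and ICMPv6 working) and logs anything that reaches the drop policy at a bounded rate. The function names and the scratch output path are my own.

```shell
#!/bin/sh
# Added example (not from the article): a minimal nftables ruleset matching the
# UFW policy above, with rate-limited logging of everything that is dropped.
# Function names and the output path are my own.

write_nft_ruleset() {
    cat > "$1" <<'EOF'
#!/usr/sbin/nft -f
flush ruleset

table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;

        iif "lo" accept
        ct state established,related accept
        ct state invalid drop

        # ICMP/ICMPv6 are needed for path MTU discovery and IPv6 neighbour discovery
        ip protocol icmp icmp type { echo-request, destination-unreachable, time-exceeded } accept
        meta l4proto ipv6-icmp accept

        tcp dport { 2222, 80, 443 } ct state new accept

        # Anything left falls through to the drop policy; log it first, rate-limited
        # so a flood cannot fill the disk. Matches appear in the kernel log/journal.
        limit rate 5/minute burst 10 packets log prefix "nft-drop: " level info
    }
    chain forward { type filter hook forward priority 0; policy drop; }
    chain output  { type filter hook output  priority 0; policy accept; }
}
EOF
}

# Dry-run the ruleset against the kernel before loading it (needs nft installed).
check_nft_ruleset() {
    command -v nft >/dev/null 2>&1 || { echo "nft not installed; skipping syntax check"; return 0; }
    nft -c -f "$1"
}

# Stand-alone use: write to a scratch path, check it, and show how to install it.
out="${1:-/tmp/nftables.conf.example}"
write_nft_ruleset "$out" && check_nft_ruleset "$out" && \
    echo "OK: install with: sudo cp $out /etc/nftables.conf && sudo nft -f /etc/nftables.conf && sudo systemctl enable nftables"
```

Run only one front end: UFW and firewalld manage their own rules and will fight a hand-written ruleset. Dropped packets show up with `journalctl -k | grep nft-drop:`, which is the feed you want to forward to your log server in Step 7.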


🔹 Step 4: User & Privilege Management

  • Create non-root users with sudo access.
  • Use groups for privilege management.
  • Disable unused accounts.

sudo adduser deploy
sudo usermod -aG sudo deploy   # (RHEL/CentOS: the admin group is called wheel)
sudo passwd -l root

🔹 Step 5: Filesystem & Permissions

  • Set correct permissions on sensitive files:

chmod 600 /etc/ssh/ssh_host_*_key
chmod 600 ~/.ssh/authorized_keys

Mount options for security in /etc/fstab:

tmpfs   /tmp        tmpfs   defaults,noexec,nosuid  0 0
/dev/sda1 /var      ext4    defaults,nodev,nosuid   0 2

🔹 Step 6: Kernel & Sysctl Hardening

Edit /etc/sysctl.conf:

net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.tcp_syncookies = 1
net.ipv4.conf.all.log_martians = 1
kernel.randomize_va_space = 2

Apply changes:

sudo sysctl -p

🔹 Step 7: Logging & Monitoring

Enable rsyslog, and make sure logrotate is installed so the files it writes are rotated:

sudo systemctl enable rsyslog --now

For centralized monitoring, ship logs with Filebeat to ELK or use Zabbix/Prometheus exporters.


🔹 Step 8: Intrusion Detection

Install Fail2Ban for brute-force protection:

sudo apt install fail2ban -y

Example jail config (/etc/fail2ban/jail.local):

[sshd]
enabled  = true
port     = 2222
filter   = sshd
logpath  = /var/log/auth.log
maxretry = 5
bantime  = 3600

For rootkits/malware scanning, deploy rkhunter or AIDE.
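What the jail above does is mechanical: match failed-login lines in auth.log, count them per source address, and ban once the count reaches maxretry inside findtime. Seeing that logic in the open makes it easier to sanity-check a jail or to spot a noisy source before Fail2Ban acts. The script below is an added example, not part of the article or of Fail2Ban: it counts "Failed password" events per IP in a log file and prints every source at or above a threshold. The function names and the sample log lines are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the article): count failed SSH logins per source IP in
# an auth.log, which is what the fail2ban sshd filter does before the jail's
# maxretry/findtime decide to ban. Function names and the sample log lines are
# constructed for this example.

# ssh_failed_logins LOGFILE MAXRETRY
# Prints "IP COUNT" for every source with at least MAXRETRY failures, sorted by IP.
ssh_failed_logins() {
    awk -v max="$2" '
        / sshd\[[0-9]+\]: Failed password for / {
            # the token after "from" is the source address (IPv4 or IPv6)
            for (i = 1; i <= NF; i++) if ($i == "from") { fails[$(i + 1)]++; break }
        }
        END { for (ip in fails) if (fails[ip] + 0 >= max + 0) print ip, fails[ip] }
    ' "$1" | sort
}

# Constructed sample: 10.0.0.5 hammers several accounts, 10.0.0.9 mistypes twice,
# and deploy logs in with a key (which must never count as a failure).
write_sample_auth_log() {
    cat > "$1" <<'EOF'
Mar  3 10:01:02 web1 sshd[1201]: Failed password for invalid user admin from 10.0.0.5 port 51234 ssh2
Mar  3 10:01:04 web1 sshd[1201]: Failed password for invalid user admin from 10.0.0.5 port 51234 ssh2
Mar  3 10:01:07 web1 sshd[1203]: Failed password for root from 10.0.0.5 port 51240 ssh2
Mar  3 10:01:09 web1 sshd[1203]: Failed password for root from 10.0.0.5 port 51240 ssh2
Mar  3 10:01:12 web1 sshd[1205]: Failed password for invalid user test from 10.0.0.5 port 51250 ssh2
Mar  3 10:01:15 web1 sshd[1205]: Failed password for invalid user test from 10.0.0.5 port 51250 ssh2
Mar  3 10:01:20 web1 sshd[1210]: Failed password for deploy from 10.0.0.9 port 40000 ssh2
Mar  3 10:01:25 web1 sshd[1210]: Failed password for deploy from 10.0.0.9 port 40000 ssh2
Mar  3 10:01:40 web1 sshd[1212]: Accepted publickey for deploy from 192.0.2.10 port 40010 ssh2: ED25519 SHA256:EXAMPLEKEYFINGERPRINT
EOF
}

# Stand-alone use: run against the constructed sample with the jail's maxretry of 5.
sample="${TMPDIR:-/tmp}/auth.log.sample"
write_sample_auth_log "$sample"
ssh_failed_logins "$sample" 5
```

Two practical notes. With PasswordAuthentication no, sshd no longer emits "Failed password" lines; probes then show up as "Invalid user" and "Connection closed by authenticating user ... [preauth]" entries, which Fail2Ban's stock sshd filter also matches, so the jail keeps working after Step 2. And the logpath in the jail is distribution-specific: Debian and Ubuntu write /var/log/auth.log, RHEL-family systems write /var/log/secure, and hosts that rely on the systemd journal alone need `backend = systemd` in the jail instead of a logpath. `sudo fail2ban-client status sshd` confirms the jail is active and lists current bans.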


🔹 Step 9: Services & Daemons

  • Disable unused services (and stop them now, not just at the next boot):

sudo systemctl disable --now avahi-daemon
sudo systemctl disable --now cups

  • Use systemctl list-unit-files --state=enabled to audit what’s running.

🔹 Step 10: Security Updates & Compliance

  • Enable live kernel patching so security fixes apply without waiting for a reboot (Ubuntu Livepatch, Ksplice on Oracle Linux, KernelCare).
  • Audit the system against the CIS benchmark with Lynis:

sudo apt install lynis -y
sudo lynis audit system

Track compliance scores and remediate findings.


✅ Conclusion

Hardening is not a one-time task, but an ongoing process. By applying CIS-style recommendations — patching, SSH security, firewalling, sysctl tuning, intrusion detection, and monitoring — you greatly reduce your attack surface. A hardened server is harder to exploit and easier to maintain. At WeHaveServers.com, we deploy hardened Linux servers as the default baseline for our VPS and dedicated customers, ensuring production workloads run on secure, resilient infrastructure.


❓ FAQ

What’s the most important hardening step?

SSH security: disable root login, enforce key-based authentication, and use Fail2Ban.

Do I need CIS compliance for all servers?

Not necessarily. Use it as a baseline, but production servers handling sensitive data should meet compliance standards.

How often should I patch?

At least weekly, or daily for critical security fixes.

Should I disable IPv6?

Only if unused. Otherwise, configure firewall rules for IPv6 too.

Is SELinux/AppArmor required?

Yes in production. It enforces mandatory access controls and limits exploit scope.

