Mar 23, 2026 · Written by: Netspare Team
Linux Server Hardening Baseline: SSH, Firewall, Updates, and Service Exposure
Every freshly provisioned VPS arrives with defaults optimized for vendor convenience, not your threat model. Before you install WordPress, control panels, or k3s, lock down SSH, shrink the exposed surface, and enable unattended security updates.
Hardening is iterative: start with a baseline checklist, capture it in Ansible or cloud-init, then re-apply after major distro upgrades.
These steps target Ubuntu/Debian and RHEL-family alike; only package names and firewall front-ends differ.
Immutable infrastructure patterns (replace nodes rather than patch them in place) complement but do not replace live patching; kernel CVEs still need reboot windows coordinated with workloads.
CIS benchmarks provide scored profiles; export compliance scorecards monthly for SOC2 evidence packs.
SSH: keys, users, and sudo
Disable password authentication and root login over SSH, but only after provisioning a sudo-capable user with an ed25519 key. Use AllowUsers or Match blocks to scope who may authenticate.
Require sudo for privilege escalation, with logging enabled; do not share the root password among humans.
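As an added example (not code from the original post), a small Python check that parses the output of `sshd -T`, the effective configuration after includes are resolved, and reports deviations from the baseline above; the two sample dumps are constructed, and the check also covers keyboard-interactive authentication, which is not mentioned above but can still accept a password via PAM.

```python
from typing import Dict, List

def parse_sshd_dump(text: str) -> Dict[str, List[str]]:
    """Parse `sshd -T` output into {directive: [value, ...]}; sshd prints lowercase
    names, and list directives such as allowusers appear once per value."""
    cfg: Dict[str, List[str]] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        cfg.setdefault(key.lower(), []).append(value.strip())
    return cfg


def check_baseline(cfg: Dict[str, List[str]]) -> List[str]:
    """Return findings against the SSH baseline; an empty list means it holds."""
    def first(key: str, default: str = "") -> str:
        return cfg.get(key, [default])[0].lower()

    findings = []
    if first("permitrootlogin") != "no":
        findings.append("PermitRootLogin must be 'no'; log in as a sudo-capable user")
    if first("passwordauthentication") != "no":
        findings.append("PasswordAuthentication must be 'no'")
    if first("pubkeyauthentication", "yes") != "yes":
        findings.append("PubkeyAuthentication must be 'yes'")
    # Keyboard-interactive (PAM) can still prompt for a password when
    # PasswordAuthentication is off; OpenSSH before 8.7 prints the older name.
    kbd = first("kbdinteractiveauthentication") or first("challengeresponseauthentication")
    if kbd != "no":
        findings.append("KbdInteractiveAuthentication must be 'no'")
    if not cfg.get("allowusers") and not cfg.get("allowgroups"):
        findings.append("No AllowUsers/AllowGroups scope: any local account may log in")
    return findings

# Constructed sample dumps in `sshd -T` format (not captured from a real host).
PERMISSIVE_DUMP = """permitrootlogin prohibit-password
passwordauthentication yes
pubkeyauthentication yes
kbdinteractiveauthentication yes
"""
HARDENED_DUMP = """permitrootlogin no
passwordauthentication no
pubkeyauthentication yes
kbdinteractiveauthentication no
allowusers deploy
allowusers ops-admin
"""
```

On a live host, feed the output of `sudo sshd -T` to `check_baseline(parse_sshd_dump(...))`; add `-C user=...,addr=...` to sshd so Match blocks are evaluated for that connection.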
Firewall and optional fail2ban
Default-deny inbound, with explicit allows for 80/443 (and 22 from jump-host IPs only). On Ubuntu, prefer ufw for readability; on RHEL, firewalld zones map cleanly onto multi-interface servers.
fail2ban or an equivalent rate-limits brute-force noise on SSH and mail services; tune jails so they do not lock out legitimate CI systems.
Automatic security updates and auditing
- Enable unattended-upgrades (Debian/Ubuntu) or dnf-automatic with security-only upgrades (RHEL-family), with the reboot strategy documented.
- Install and configure auditd or eBPF-based telemetry where compliance requires tamper-evident logs.
- Remove or mask services you do not need (take a listening-socket inventory with `ss -tulpn` monthly).
- Configure time synchronization (chrony) before deploying TLS-heavy workloads.
Kernel hardening and filesystem hygiene
Apply sysctl hardening (rp_filter, SYN cookies, disabled ICMP redirects) via staged config files tracked in git. Mount /var and /tmp separately with restrictive options (noexec, nodev) when workloads allow.
Keep separate partitions or volumes for databases and logs so a full disk cannot silently break sshd.
Kernel updates and reboot coordination
Use kpatch/livepatch only for specific CVE classes; verify compatibility with your NVIDIA/GPU or ZFS stacks if present.
Maintenance pages and health checks should flip automatically when orchestrated reboots begin.
CIS profiles and evidence
Automate OpenSCAP or equivalent scans; track delta over time instead of point-in-time PDFs.
Document exceptions with compensating controls: "risk accepted" without mitigation ages poorly in audits.
Frequently asked questions
Is AppArmor or SELinux mandatory?
Is fail2ban enough for SSH?