Why Server Hardening Is Non-Negotiable
A fresh Ubuntu server installation is designed for ease of use, not security. Default configurations prioritize compatibility over protection, leaving numerous attack surfaces exposed. Password authentication is enabled, unnecessary services run in the background, and kernel parameters are set to permissive defaults. Every one of these defaults is an invitation to attackers.
Server hardening is the systematic process of reducing the attack surface by eliminating unnecessary services, tightening configurations, and implementing multiple layers of defense. Think of it as locking not just the front door, but every window, vent, and crawlspace in your building.
This checklist covers 30 essential hardening steps organized by category. Not every step applies to every server, but every step should be consciously evaluated. Even implementing half of these measures puts your server leagues ahead of most.
SSH Hardening (Steps 1-8)
SSH is the most critical service on your server because it provides direct administrative access. If an attacker compromises SSH, they own your server. These first eight steps focus entirely on hardening this gateway.
While security through obscurity is not a complete strategy, changing the SSH port from 22 to a non-standard port dramatically reduces automated brute force attempts. Most botnets only scan port 22.
Never allow direct root SSH access. Create a regular user with sudo privileges, then disable root login entirely. This forces attackers to guess both a username and password.
SSH keys are exponentially stronger than passwords. A 4096-bit RSA key or an Ed25519 key is practically impossible to brute force. Disable password authentication entirely after setting up key access.
Use the AllowUsers or AllowGroups directive to limit which accounts can SSH in. Even if an attacker compromises a service account, they cannot use it for SSH access.
Limit how long a connection can stay open during authentication and how many attempts are allowed per connection.
Ensure no account with an empty password can log in, and disable X11 forwarding if you do not need a graphical display tunnel.
Disable weak and deprecated algorithms. Only allow modern, battle-tested ciphers.
Add Google Authenticator (TOTP) as a second factor for SSH. Even if a key is stolen, the attacker still needs the time-based code.
Firewall Configuration (Steps 9-12)
Only allow traffic on ports that your services actually use. Block everything else by default with a deny-all incoming policy.
Even before Fail2ban kicks in, limit SSH connection attempts at the firewall level.
ICMP timestamps can leak server uptime information, and ICMP redirects can be used in man-in-the-middle attacks.
SYN cookies protect against SYN flood attacks without consuming server resources for half-open connections.
Kernel and System Hardening (Steps 13-18)
The kernel has many tunable parameters that affect security. Set these in /etc/sysctl.conf or /etc/sysctl.d/99-hardening.conf.
By default, /dev/shm allows programs to execute code from shared memory, which is a common exploitation technique.
Prevent execution of binaries from /tmp. Many exploits download payloads to /tmp and execute them there. This simple mount option neutralizes that attack vector.
Unpatched vulnerabilities are the number one cause of server compromises. Configure unattended-upgrades to install security patches automatically.
Every running service is a potential attack surface. List all active services and disable everything you do not use.
Protect the bootloader with a password to prevent an attacker with physical or console access from modifying boot parameters (e.g., booting into single-user mode).
Intrusion Detection and Monitoring (Steps 19-24)
Fail2ban monitors log files and automatically bans IPs that show malicious patterns like repeated failed login attempts.
AIDE (Advanced Intrusion Detection Environment) takes a snapshot of your filesystem and alerts you when files are modified. Essential for detecting rootkits and unauthorized changes.
Rkhunter scans for known rootkits, backdoors, and local exploits. Run it regularly and after any suspicious activity.
Ensure all logs go to a central location. If an attacker compromises the server, they may try to delete local logs. Remote logging preserves the evidence.
The Linux audit system tracks security-relevant events like file access, system calls, and user commands. This is essential for forensic analysis.
Regularly check who has logged into your server and when. Look for unusual patterns, off-hours logins, or logins from unexpected locations.
Access Control and Permissions (Steps 25-28)
Use PAM (Pluggable Authentication Modules) to enforce minimum password length, complexity, and history requirements.
Only give sudo access to users who absolutely need it. Use visudo to configure granular permissions.
Review and tighten permissions on critical system files. Many fresh installations have overly permissive defaults.
| File/Directory | Recommended Permission | Why |
|---|---|---|
| /etc/passwd | 644 (root:root) | Readable by all, writable only by root |
| /etc/shadow | 640 (root:shadow) | Contains password hashes |
| /etc/ssh/sshd_config | 600 (root:root) | SSH server configuration |
| /root/.ssh/ | 700 (root:root) | SSH keys directory |
| /root/.ssh/authorized_keys | 600 (root:root) | Public keys for login |
| /etc/cron.d/ | 700 (root:root) | Cron jobs directory |
| /var/log/ | 750 (root:adm) | Log files |
AppArmor confines programs to a limited set of resources. Enable profiles for all critical services to contain potential breaches.
Network and DNS Security (Steps 29-30)
Use trusted DNS resolvers and enable DNSSEC validation. Prevent DNS poisoning attacks that could redirect your server's outgoing traffic to malicious servers.
The ultimate safety net is a tested backup. A backup that has never been restored is not a backup — it is a hope. Schedule regular test restores to verify your backups actually work.
The Complete Checklist
| # | Step | Category | Priority |
|---|---|---|---|
| 1 | Change SSH port | SSH | Medium |
| 2 | Disable root login | SSH | Critical |
| 3 | Key-based auth only | SSH | Critical |
| 4 | Restrict SSH users | SSH | Critical |
| 5 | Login grace time / max retries | SSH | Medium |
| 6 | Disable empty passwords / X11 | SSH | Medium |
| 7 | Strong ciphers only | SSH | Medium |
| 8 | SSH two-factor auth | SSH | Recommended |
| 9 | Configure firewall | Firewall | Critical |
| 10 | Rate limit SSH at firewall | Firewall | Medium |
| 11 | Block ICMP timestamps | Firewall | Recommended |
| 12 | SYN flood protection | Kernel | Medium |
| 13 | Harden sysctl parameters | Kernel | Critical |
| 14 | Secure shared memory | Kernel | Medium |
| 15 | Mount /tmp noexec | Kernel | Medium |
| 16 | Automatic security updates | System | Critical |
| 17 | Disable unused services | System | Medium |
| 18 | GRUB bootloader password | System | Recommended |
| 19 | Install Fail2ban | IDS | Critical |
| 20 | File integrity monitoring | IDS | Medium |
| 21 | Rootkit detection | IDS | Medium |
| 22 | Centralized logging | Logging | Medium |
| 23 | Audit logging (auditd) | Logging | Medium |
| 24 | Monitor login activity | Logging | Medium |
| 25 | Strong password policies | Access | Medium |
| 26 | Restrict sudo access | Access | Critical |
| 27 | Correct file permissions | Access | Critical |
| 28 | Enable AppArmor | Access | Medium |
| 29 | DNS security | Network | Recommended |
| 30 | Verify backups | Recovery | Critical |
How Panelica Automates Server Hardening
Panelica implements many of these hardening steps automatically during installation and through ongoing management. The 5-layer user isolation architecture (Cgroups v2, namespaces, SSH chroot, per-user PHP-FPM, Unix permissions) provides defense in depth that would take hours to configure manually.
- 5-layer user isolation: Cgroups v2, namespaces, SSH chroot, per-user PHP-FPM pools, Unix permissions
- ModSecurity WAF with OWASP Core Rule Set — active protection against web application attacks
- Fail2ban with pre-configured jails for SSH, HTTP auth, and rate limiting
- nftables firewall management with IP blocking and rule management through the panel
- Security Advisor that runs 50+ automated checks on your server configuration
- Automatic SSL with Let's Encrypt and Force HTTPS
- Audit logging for all administrative actions
Server hardening is not a one-time task — it is an ongoing process. Threats evolve, new vulnerabilities are discovered, and configurations drift over time. Schedule quarterly security reviews using this checklist, keep your system updated, and monitor your logs actively. A hardened server is not impenetrable, but it makes the cost of attack far higher than the potential reward.