← Back to Blog

Server Hardening · 14 min read · June 25, 2026

How to Secure a Linux Server from Hackers in 2026

A Linux server exposed to the internet faces thousands of automated attacks every day. This guide covers every layer of defense you need — from package updates and SSH hardening to firewall configuration, intrusion detection, backup strategy, and automated vulnerability scanning. Follow these steps in order and your server will resist the vast majority of real-world attacks.

1. Update All Packages and Enable Automatic Security Updates

The single most effective security measure is also the simplest: keep your system current. Attackers scan the internet for servers running outdated software with known CVEs. If a patch exists and you have not applied it, you are a target.

Update everything right now

# Debian / Ubuntu
sudo apt update && sudo apt upgrade -y

# RHEL / CentOS / AlmaLinux
sudo dnf update -y

# Check if a reboot is required (Debian/Ubuntu)
cat /var/run/reboot-required 2>/dev/null

Enable unattended security updates

# Debian / Ubuntu — install unattended-upgrades
sudo apt install unattended-upgrades -y
sudo dpkg-reconfigure -plow unattended-upgrades

# RHEL / CentOS — enable dnf-automatic
sudo dnf install dnf-automatic -y
sudo systemctl enable --now dnf-automatic-install.timer

Unattended-upgrades will automatically install security patches without waiting for you to log in. This closes the window between when a vulnerability is disclosed and when your server is patched.

2. Harden SSH Configuration

SSH is the most targeted service on any Linux server. Default configurations leave it wide open to brute-force attacks, credential stuffing, and exploitation of weak algorithms.

Disable password authentication and use keys only

# Generate a strong key pair on your local machine
ssh-keygen -t ed25519 -C "your-name@company"

# Copy the public key to the server
ssh-copy-id -i ~/.ssh/id_ed25519.pub user@your-server

Edit /etc/ssh/sshd_config

# Disable root login
PermitRootLogin no

# Disable password authentication — keys only
PasswordAuthentication no
ChallengeResponseAuthentication no

# Disable empty passwords
PermitEmptyPasswords no

# Use SSH protocol 2 only
Protocol 2

# Change default port (reduces automated scans)
Port 2222

# Limit login attempts per session
MaxAuthTries 3

# Idle timeout — disconnect after 5 minutes of inactivity
ClientAliveInterval 300
ClientAliveCountMax 2

# Disable X11 forwarding
X11Forwarding no

# Allow only specific users
AllowUsers yourusername

# Restart SSH to apply changes
sudo systemctl restart sshd

After changing the SSH port, remember to update your firewall rules and connect with ssh -p 2222 user@your-server.

3. Configure a Firewall (UFW or firewalld)

A firewall is your server's first line of network defense. It controls which ports are reachable and from where. If a service does not need to be public, block it.

Using UFW (Debian / Ubuntu)

# Deny all incoming by default
sudo ufw default deny incoming

# Allow all outgoing
sudo ufw default allow outgoing

# Allow SSH on custom port
sudo ufw allow 2222/tcp

# Allow HTTP and HTTPS
sudo ufw allow 80/tcp
sudo ufw allow 443/tcp

# Enable the firewall
sudo ufw enable

# Verify rules
sudo ufw status verbose

Using firewalld (RHEL / CentOS / AlmaLinux)

# Start and enable firewalld
sudo systemctl enable --now firewalld

# Allow SSH on custom port
sudo firewall-cmd --permanent --add-port=2222/tcp

# Allow HTTP and HTTPS
sudo firewall-cmd --permanent --add-service=http
sudo firewall-cmd --permanent --add-service=https

# Reload to apply
sudo firewall-cmd --reload

# List active rules
sudo firewall-cmd --list-all

Only open the ports you actually need. Every open port is a potential attack surface.

4. Install and Configure Fail2ban

Fail2ban monitors log files for repeated failed login attempts and automatically bans offending IP addresses. It turns brute-force attacks from a real threat into background noise.

# Install fail2ban
sudo apt install fail2ban -y    # Debian/Ubuntu
sudo dnf install fail2ban -y    # RHEL/CentOS

# Create a local config (never edit the main config directly)
sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local

Edit /etc/fail2ban/jail.local

[DEFAULT]
# Ban for 1 hour after 5 failed attempts
bantime  = 3600
findtime = 600
maxretry = 5
banaction = ufw          # Use 'firewallcmd-ipset' for firewalld

[sshd]
enabled  = true
port     = 2222          # Match your SSH port
logpath  = /var/log/auth.log
backend  = auto

# Enable and start fail2ban
sudo systemctl enable --now fail2ban

# Check status
sudo fail2ban-client status sshd

For internet-facing servers, consider setting bantime to 86400 (24 hours) or using the recidive jail to escalate bans for repeat offenders.

5. Disable Unnecessary Services and Remove Unused Software

Every running service is a potential entry point. If you are not using it, turn it off. Audit what is listening on your server:

# List all listening ports and associated processes
sudo ss -tlnp

# List all enabled systemd services
sudo systemctl list-unit-files --state=enabled

If you see services you do not recognize or need, disable them:

# Disable and stop a service
sudo systemctl disable --now service-name

# Remove the package entirely (Debian/Ubuntu)
sudo apt remove --purge package-name -y

Common services that should be disabled if not in use: cups (printing), avahi-daemon (mDNS), rpcbind (NFS), and any FTP server. If you are running a web server, the only things listening should be SSH, HTTP, and HTTPS.

6. Set Up Regular Security Auditing

Auditing catches misconfigurations before attackers do. Schedule regular reviews and use automated tools to maintain visibility.

Run Lynis for a comprehensive audit

# Install Lynis
sudo apt install lynis -y       # Debian/Ubuntu
sudo dnf install lynis -y       # RHEL/CentOS

# Run a full system audit
sudo lynis audit system

Lynis scores your system's security posture and provides hardening suggestions. It checks hundreds of items including file permissions, kernel configuration, authentication settings, and network parameters.

Review user accounts and privileges

# Find all users with a login shell
awk -F: '$7 !~ /nologin|false/ {print $1}' /etc/passwd

# Find all users with sudo access
grep -E '^sudo|^wheel' /etc/group

# Check for empty passwords
sudo awk -F: '($2 == "") {print $1}' /etc/shadow

# Review authorized SSH keys
sudo find /home -name authorized_keys -exec ls -la {} \;

Check for outdated packages with known CVEs

# Debian / Ubuntu — list upgradable packages
apt list --upgradable 2>/dev/null

# RHEL / CentOS — check for security updates only
sudo dnf check-update --security

Schedule these checks monthly at a minimum. Automate them where possible so nothing slips through.

7. Implement Real-Time Monitoring and Alerting

Monitoring catches attacks in progress, not days after the fact. Without it, you are relying on luck to discover a breach.

Set up basic log monitoring

# Watch auth log in real time
sudo tail -f /var/log/auth.log

# Search for failed SSH attempts today
sudo grep "Failed password" /var/log/auth.log | tail -20

# Check for new user creation events
sudo grep "useradd" /var/log/auth.log

Install and configure auditd

# Install the audit framework
sudo apt install auditd -y      # Debian/Ubuntu
sudo dnf install audit -y       # RHEL/CentOS

# Monitor changes to SSH config
sudo auditctl -w /etc/ssh/sshd_config -p wa -k ssh_config

# Monitor changes to passwd and shadow
sudo auditctl -w /etc/passwd -p wa -k user_changes
sudo auditctl -w /etc/shadow -p wa -k user_changes

# Monitor sudo usage
sudo auditctl -w /etc/sudoers -p wa -k sudoers_changes

# Make rules persistent
sudo augenrules --load

Auditd gives you an immutable record of who changed what and when. This is critical for both intrusion detection and post-incident forensics.

8. Develop a Robust Backup Strategy

Backups are your last line of defense. If everything else fails — if an attacker wipes your data, encrypts it with ransomware, or destroys your system — backups are what let you recover.

Follow the 3-2-1 backup rule

• 3 copies of your data
• 2 different storage types (e.g., local disk and cloud storage)
• 1 offsite copy in a separate physical or cloud location

Automate with rsync and cron

# Create a backup script
cat > /usr/local/bin/backup.sh <<'EOF'
#!/bin/bash
DATE=$(date +%Y-%m-%d)
BACKUP_DIR="/backups/$DATE"

mkdir -p "$BACKUP_DIR"

# Backup critical directories
rsync -a --delete /etc/ "$BACKUP_DIR/etc/"
rsync -a --delete /home/ "$BACKUP_DIR/home/"
rsync -a --delete /var/www/ "$BACKUP_DIR/www/"
rsync -a --delete /var/log/ "$BACKUP_DIR/log/"

# Sync to remote storage
rsync -a /backups/ user@backup-server:/remote/backups/

# Remove local backups older than 30 days
find /backups -maxdepth 1 -mtime +30 -exec rm -rf {} \;
EOF

chmod +x /usr/local/bin/backup.sh

# Schedule daily at 2 AM
echo "0 2 * * * root /usr/local/bin/backup.sh" | sudo tee /etc/cron.d/daily-backup

Test your backups quarterly. A backup you have never restored is not a backup — it is a hope. Run a test restore to a staging environment and verify data integrity.

9. Use RootCrak for Automated Vulnerability Scanning

Manual hardening is essential, but it is easy to miss something. Automated scanning fills the gaps by checking your server against hundreds of known vulnerability patterns, misconfigurations, and exposed services in seconds.

RootCrak provides a free security scan that evaluates your entire server posture:

• Outdated packages — identifies software with known CVEs
• Open ports — flags services that should not be publicly accessible
• SSH configuration — checks for weak algorithms, password auth, and root login
• Firewall rules — verifies your firewall is properly configured
• Security score — gives you a clear, actionable rating

# Run a free RootCrak scan in under 60 seconds
curl -sSL https://rootcrak.com/scan | bash

The scan produces a detailed report with prioritized remediation steps. It catches what manual audits miss — outdated TLS versions, insecure cipher suites, exposed admin panels, and unpatched kernel vulnerabilities.

10. Layer Your Defenses — Defense in Depth

No single measure is enough. Real security comes from stacking multiple layers so that if one fails, the next one catches the attack.

• Network layer: Firewall rules that block everything except necessary traffic
• Service layer: Hardened SSH, disabled unnecessary services, rate-limited connections
• Application layer: Updated software, secure configurations, minimal attack surface
• Detection layer: Fail2ban, auditd, real-time monitoring, automated scanning
• Recovery layer: Tested backups, documented incident response plan

If an attacker gets past the firewall, fail2ban blocks them. If they get past fail2ban, SSH key authentication stops them. If they somehow get in, monitoring catches them. If everything else fails, backups let you recover. That is defense in depth.