
Linux Hardening — Secure Your System

Apply essential Linux security hardening steps: keep packages updated, lock down SSH, configure the firewall, manage users, and monitor logs.

April 1, 2025 · 5 min read
Tags: linux, security, hardening, ssh, firewall, fail2ban

1. Keep the System Updated

sudo apt update && sudo apt upgrade -y     # Debian/Ubuntu
sudo dnf upgrade -y                        # Fedora
sudo pacman -Syu                           # Arch

# Enable automatic security updates (Ubuntu)
sudo apt install unattended-upgrades
sudo dpkg-reconfigure unattended-upgrades

2. Harden SSH

Edit /etc/ssh/sshd_config:

# Disable root login
PermitRootLogin no
# Key-only auth (disable passwords)
PasswordAuthentication no
# Change default port
Port 2222
# Restrict to specific users
AllowUsers sagar john

# Validate the config, then apply changes (the service is named "ssh" on Debian/Ubuntu)
sudo sshd -t
sudo systemctl restart sshd
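
The audit below is an added example, not part of the original article: it reads an sshd_config file the way sshd resolves the settings in this section (keywords are case-insensitive, the first occurrence wins, lines after Match are conditional) and reports which recommendations are not in force. The function names, the assumed upstream OpenSSH defaults and the sample config are constructed for illustration; Include files are not followed.

```shell
#!/bin/sh
# Added example (not from the article): audit the global part of sshd_config.
# effective_value FILE KEYWORD DEFAULT
# Prints the value in force for KEYWORD: keywords are case-insensitive, the
# FIRST occurrence wins, and lines after "Match" are conditional (ignored).
effective_value() {
    awk -v want="$2" -v def="$3" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }      # whole-line comment or blank
        {
            sub(/^[ \t]+/, ""); sub(/[ \t]+#.*$/, "")  # indent, trailing comment
            n = match($0, /[ \t=]/)            # keyword ends at space or "="
            key = tolower(n ? substr($0, 1, n - 1) : $0)
            val = n ? substr($0, n + 1) : ""
            gsub(/^[ \t=]+|[ \t]+$/, "", val)
            if (key == "match") exit           # end of the global section
            if (key == tolower(want)) { print val; found = 1; exit }
        }
        END { if (!found) print def }' "$1"
}

# audit_sshd_config FILE: prints one FAIL line per finding, returns 1 if any.
audit_sshd_config() {
    rc=0
    # Each rule is keyword:default:required; defaults are assumed upstream ones.
    for rule in PermitRootLogin:prohibit-password:no PasswordAuthentication:yes:no; do
        key=${rule%%:*}; rest=${rule#*:}; want=${rest#*:}
        got=$(effective_value "$1" "$key" "${rest%%:*}")
        [ "$got" = "$want" ] || { echo "FAIL $key is '$got', want '$want'"; rc=1; }
    done
    [ -n "$(effective_value "$1" AllowUsers "")" ] ||
        { echo "FAIL AllowUsers is unset: logins are not limited by user name"; rc=1; }
    return $rc
}

# Constructed sample: the second PasswordAuthentication line never applies.
sample_config() {
    cat <<'EOF'
PermitRootLogin no
passwordauthentication yes
Port 2222
PasswordAuthentication no
Match Address 10.0.0.0/8
    AllowUsers deploy
EOF
}

# Stand-alone: audit the file named in $1, else the constructed sample.
if [ $# -gt 0 ]; then audit_sshd_config "$1"
else t=$(mktemp); sample_config > "$t"; audit_sshd_config "$t" || :; rm -f "$t"; fi
```

On a live host, `sudo sshd -T` prints the effective configuration with Include files resolved, so use it as the final check after editing.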

3. Configure Firewall

sudo ufw default deny incoming
sudo ufw default allow outgoing
sudo ufw allow 2222/tcp    # SSH port set in section 2 (use "sudo ufw allow ssh" if still on port 22)
sudo ufw enable
sudo ufw status verbose

4. User Security

# Lock an unused account
sudo usermod -L unused_user

# Check for accounts with empty passwords
sudo awk -F: '($2 == "") {print $1}' /etc/shadow

# Review sudo access
sudo cat /etc/sudoers
sudo ls -l /etc/sudoers.d/
getent group sudo          # members of the sudo group ("wheel" on Fedora/Arch)

5. Check File Permissions

# Find world-writable files (potential risk)
find / -type f -perm -0002 -not -path "/proc/*" 2>/dev/null

# Find SUID files (run as owner)
find / -perm -4000 -type f 2>/dev/null

# Secure SSH directory
chmod 700 ~/.ssh
chmod 600 ~/.ssh/id_*
chmod 644 ~/.ssh/authorized_keys

6. Block Brute-Force with fail2ban

sudo apt install fail2ban
sudo systemctl enable fail2ban
sudo systemctl start fail2ban

# Check status
sudo fail2ban-client status
sudo fail2ban-client status sshd

# Check auth log for failed attempts
grep "Failed password" /var/log/auth.log | tail -20

Security Checklist

  • System fully updated
  • SSH: key-only auth, no root login, non-default port
  • Firewall enabled with minimal open ports
  • Unused accounts locked or removed
  • No world-writable files in sensitive paths
  • Unnecessary services disabled
  • fail2ban or similar installed and running
  • Log monitoring in place

Set PasswordAuthentication no in sshd_config ONLY after confirming your SSH key works. Otherwise you may permanently lock yourself out.

Quick Check

What does `PermitRootLogin no` in sshd_config do?

Exercise

Check open ports on your system and identify any services you don't recognise that are listening on external interfaces.