Server Security Hardening: 8 Best Practices
When you spin up a new server — whether it's a VPS, a cloud instance, or a bare-metal box — it comes with a default configuration designed for convenience, not security. Hardening is the process of locking that server down before it faces real-world threats. Here are 8 actionable steps every administrator should take.
1. Disable Root Login Over SSH
Logging in directly as root over SSH is a significant risk. If an attacker brute-forces your SSH credentials, they immediately have full system access. Instead, create a non-root user with sudo privileges and disable root SSH login.
In /etc/ssh/sshd_config, set: PermitRootLogin no
2. Use SSH Key Authentication — Disable Password Login
Password-based SSH authentication is vulnerable to brute-force attacks. SSH key pairs (asymmetric cryptography) are exponentially harder to crack. Generate a key pair locally, add the public key to ~/.ssh/authorized_keys on the server, then disable password auth:
PasswordAuthentication no in sshd_config.
3. Change the Default SSH Port
While not a security silver bullet, changing SSH from port 22 to a non-standard port (e.g., 2222 or higher) dramatically reduces automated scan traffic and login attempts in your logs. Combine this with other measures for meaningful effect.
4. Configure a Firewall (UFW or iptables)
Only allow traffic on ports your services genuinely use. A minimal ruleset for a web server might be:
- Allow port 80 (HTTP) and 443 (HTTPS)
- Allow your custom SSH port
- Deny all other inbound traffic
With UFW: ufw allow 443/tcp, ufw enable. Simple and effective.
5. Keep the OS and Packages Updated
Unpatched software is one of the leading causes of server compromises. Set up automatic security updates where appropriate, and review changelogs before applying major updates in production. On Debian/Ubuntu: apt install unattended-upgrades.
6. Install and Configure Fail2Ban
Fail2Ban monitors log files for repeated failed authentication attempts and automatically bans offending IP addresses using firewall rules. It's particularly effective against SSH brute-force attacks and can be extended to protect web applications, FTP, and more.
7. Use SSL/TLS Everywhere
All web traffic — not just login pages — should be served over HTTPS. Use Let's Encrypt for free, automatically renewing SSL certificates. For internal services and APIs, use self-signed certificates or a private CA. Never transmit sensitive data over unencrypted connections.
8. Audit User Accounts and Permissions
Regularly review which user accounts exist on your server. Remove accounts that are no longer needed. Apply the principle of least privilege: every user and service should have only the permissions required to perform its function — nothing more.
Useful commands:
cut -d: -f1 /etc/passwd— list all user accountsgetent group sudo— see who has sudo accesslast— review recent login history
Security Is an Ongoing Process
Hardening isn't a one-time task — it's a continuous practice. Schedule regular security reviews, monitor your logs, subscribe to CVE notifications for software you run, and consider periodic penetration testing for critical infrastructure. The goal is to make your server an unattractive and difficult target at every layer.