Server security hardening is the process of reducing a system's attack surface by configuring it securely, removing unnecessary services, and implementing layered defenses. A fresh server install is like an unlocked house with all the windows open—functional, but vulnerable. Hardening closes those openings and installs alarm systems. Whether you are running a personal blog or a business application, security hardening is not optional; it is the baseline requirement for any internet-facing server.

This complete guide covers the essential server security hardening steps every administrator should take, from SSH configuration and firewall setup to intrusion detection and kernel tuning. Following these steps will protect your server against the vast majority of automated attacks.

Secure Your Server with InterServer VPS

Full root access from $2.50/month. Hardening your own VPS gives you complete control over security. Price-locked for life.

Coupon: VPSFEEDX — First Month $0.01
Get InterServer VPS →

Why Server Hardening Matters

The internet is continuously scanned by automated bots looking for vulnerable servers. Within minutes of a new VPS coming online, it will be probed for open ports, weak passwords, and outdated software. According to security research, the average unprotected server is compromised within hours. The most common attack vectors are:

  • Brute-force SSH password attacks (thousands of attempts per hour)
  • Exploitation of known vulnerabilities in outdated software
  • Abuse of open ports running unnecessary services
  • Malware deployment via compromised web applications

Hardening addresses each of these vectors with specific, proven countermeasures.

Step 1: Secure SSH Access

SSH is the primary way you administer your server, and it is also the primary target for attackers. Hardening SSH is the single most important security step.

Disable Root Login

The root account has unlimited privileges. If an attacker compromises root, they own your server. Create a regular user with sudo access (see our VPS setup guide) and disable direct root login over SSH.

sudo nano /etc/ssh/sshd_config

Set:

PermitRootLogin no

Use Key-Based Authentication

Passwords can be guessed; SSH keys cannot. Generate an Ed25519 key pair on your local machine:

ssh-keygen -t ed25519 -C "[email protected]"

Copy the public key to your server:

ssh-copy-id username@your_server_ip

Then disable password authentication:

PasswordAuthentication no
PubkeyAuthentication yes

Change the Default SSH Port

Changing the SSH port from 22 to a non-standard port (like 2222 or 22022) eliminates the vast majority of automated brute-force attempts. Edit sshd_config:

Port 22222

Update your firewall to allow the new port before restarting SSH, or you will lock yourself out:

sudo ufw allow 22222/tcp
sudo systemctl restart ssh

Limit SSH Access by IP

If you have a static IP address, restrict SSH to only accept connections from your IP:

AllowUsers [email protected]
InterServer VPS

Step 2: Configure a Firewall

A firewall filters incoming and outgoing network traffic based on rules. The principle is "deny by default"—block everything, then allow only what you need. On Ubuntu, use UFW (Uncomplicated Firewall):

sudo ufw default deny incoming
sudo ufw default allow outgoing
sudo ufw allow 22222/tcp
sudo ufw allow 80/tcp
sudo ufw allow 443/tcp
sudo ufw enable

This blocks all incoming connections except SSH (on your custom port), HTTP, and HTTPS. Verify the configuration:

sudo ufw status verbose

For more advanced needs, consider iptables or nftables directly, but UFW is sufficient for most server setups.

Step 3: Install and Configure Fail2ban

Fail2ban is an intrusion prevention framework that monitors log files for malicious patterns and automatically bans offending IP addresses. It is essential for protecting SSH and web services from brute-force attacks.

sudo apt install fail2ban -y
sudo systemctl enable fail2ban
sudo systemctl start fail2ban

Create a local configuration file to customize settings:

sudo nano /etc/fail2ban/jail.local
[DEFAULT]
bantime = 3600
findtime = 600
maxretry = 3

[sshd]
enabled = true
port = 22222
logpath = %(sshd_log)s

This configuration bans any IP that fails to log in 3 times within 10 minutes for 1 hour. Adjust bantime to 86400 for a 24-hour ban, or -1 for a permanent ban.

Step 4: Keep the System Updated

Outdated software is the single biggest security vulnerability on most servers. Enable automatic security updates so critical patches are applied without delay:

sudo apt install unattended-upgrades -y
sudo dpkg-reconfigure -plow unattended-upgrades

Additionally, manually run full system updates regularly:

sudo apt update && sudo apt upgrade -y

Reboot the server after kernel updates:

sudo reboot

Step 5: Disable Unnecessary Services

Every running service is a potential attack vector. Audit what is running and disable anything you do not need:

sudo ss -tulpn

This lists all listening ports and the processes using them. Disable unnecessary services:

sudo systemctl disable servicename
sudo systemctl stop servicename

Common services to disable on a web server include: Bluetooth, CUPS (printing), Avahi (mDNS), and various daemons that are useful on desktops but not servers.

Step 6: Secure Shared Memory

Shared memory (/dev/shm) can be exploited by some attacks. Mount it with restrictive options by editing /etc/fstab:

tmpfs /dev/shm tmpfs defaults,noexec,nosuid,nodev 0 0

Remount without rebooting:

sudo mount -o remount /dev/shm

Step 7: Install an Intrusion Detection System

Intrusion Detection Systems (IDS) monitor file integrity and alert you to unauthorized changes. AIDE (Advanced Intrusion Detection Environment) creates a database of file hashes and notifies you if any files are modified.

sudo apt install aide -y
sudo aideinit
sudo cp /var/lib/aide/aide.db.new /var/lib/aide/aide.db

Run a check at any time:

sudo aide --check

Schedule regular checks via cron and have the results emailed to you.

Step 8: Configure Kernel Security Parameters

The Linux kernel has built-in security features that are not always enabled by default. Edit /etc/sysctl.conf to enable network hardening:

# Prevent SYN flood attacks
net.ipv4.tcp_syncookies = 1

# Ignore ICMP broadcast requests
net.ipv4.icmp_echo_ignore_broadcasts = 1

# Reverse path filtering
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1

# Disable source packet routing
net.ipv4.conf.all.accept_source_route = 0

# Log martian packets
net.ipv4.conf.all.log_martians = 1

# Prevent IP spoofing
net.ipv4.conf.all.accept_redirects = 0
net.ipv6.conf.all.accept_redirects = 0

Apply the changes:

sudo sysctl -p

Step 9: Set Up Log Monitoring

Logs are your eyes into what is happening on your server. Logwatch sends a daily email summary of important log entries:

sudo apt install logwatch -y

Configure the email recipient in /etc/logwatch/conf/logwatch.conf:

Output = mail
MailTo = [email protected]
Detail = High

Step 10: Enable Two-Factor Authentication for SSH

For maximum security, add two-factor authentication to SSH using Google Authenticator:

sudo apt install libpam-google-authenticator -y
google-authenticator

Follow the prompts to generate a QR code, then configure PAM and SSH to require the TOTP code in addition to the key.

Security Hardening Checklist

TaskPriorityDifficulty
Disable root SSH loginCriticalEasy
Enable SSH key authenticationCriticalEasy
Disable SSH password authenticationCriticalEasy
Configure UFW firewallCriticalEasy
Install Fail2banHighEasy
Enable automatic security updatesHighEasy
Change SSH portMediumEasy
Disable unnecessary servicesMediumModerate
Configure kernel sysctl parametersMediumModerate
Install AIDE intrusion detectionMediumModerate
Set up Logwatch email summariesLowEasy
Enable SSH two-factor authLowModerate

Harden Your Own VPS with InterServer

Full root access from $2.50/month. Apply every hardening step in this guide with complete control over your server.

Coupon: VPSFEEDX — First Month $0.01
Get InterServer VPS →

Affiliate Disclosure: VPSFeedX may earn a commission when you purchase through links on this page. This does not affect the price you pay or our recommendations.