Linux Server Administration Complete Guide Part 10: Security Hardening and Vulnerability Management
Final Part - Secure Your Server
Introduction: Security is Not Optional
Server security requires a Defense in Depth strategy, not a single solution. In this final part, we cover the essentials of Linux server security hardening.
1. System Hardening Basics
1.1 Disable Unnecessary Services
# Check running services
systemctl list-units --type=service --state=running
# Disable unnecessary services
sudo systemctl disable --now cups
sudo systemctl disable --now avahi-daemon
sudo systemctl disable --now bluetooth
# Check services enabled at boot
systemctl list-unit-files --type=service --state=enabled
1.2 Security Updates
# Ubuntu/Debian
sudo apt update && sudo apt upgrade -y
sudo apt install unattended-upgrades
sudo dpkg-reconfigure unattended-upgrades
# RHEL/CentOS
sudo dnf update -y
sudo dnf install dnf-automatic
sudo systemctl enable --now dnf-automatic.timer
1.3 GRUB Security
# Generate a PBKDF2 hash for the GRUB password
sudo grub-mkpasswd-pbkdf2
# Copy the printed hash into /etc/grub.d/40_custom
set superusers="admin"
password_pbkdf2 admin grub.pbkdf2.sha512...
# Note: once superusers is set, every menu entry also requires the password at boot
# unless it is marked --unrestricted (e.g. via GRUB_DISABLE_... / custom entries); an
# unattended reboot will otherwise stop at the password prompt.
# Apply configuration (Debian/Ubuntu; on RHEL use grub2-mkconfig -o /boot/grub2/grub.cfg)
sudo update-grub
2. User Security
2.1 Password Policies
# /etc/login.defs
PASS_MAX_DAYS 90 # Maximum age
PASS_MIN_DAYS 7 # Minimum age
PASS_WARN_AGE 14 # Warning before expiry
# PAM password complexity (/etc/pam.d/common-password)
password requisite pam_pwquality.so retry=3 minlen=12 dcredit=-1 ucredit=-1 ocredit=-1 lcredit=-1
# Apply to existing users
sudo chage -M 90 -m 7 -W 14 username
2.2 sudo Configuration
# /etc/sudoers (use visudo)
# Enable logging
Defaults logfile=/var/log/sudo.log
Defaults log_input, log_output
# Timeout setting
Defaults timestamp_timeout=5
# Allow specific commands only
username ALL=(ALL) NOPASSWD: /usr/bin/systemctl restart nginx
2.3 Account Lockout
# /etc/pam.d/common-auth (this line must precede pam_unix.so to count failures)
auth required pam_tally2.so deny=5 unlock_time=900
# Check failure count
pam_tally2 --user=username
# Unlock account
pam_tally2 --user=username --reset
# pam_tally2 was removed in Linux-PAM 1.5; recent distributions ship pam_faillock instead:
#   auth required pam_faillock.so preauth deny=5 unlock_time=900    (before pam_unix.so)
#   auth required pam_faillock.so authfail deny=5 unlock_time=900   (after pam_unix.so)
#   account required pam_faillock.so                                 (in common-account)
# Inspect with "faillock --user username", unlock with "faillock --user username --reset".
3. SSH Security Hardening
# /etc/ssh/sshd_config
# sshd keeps the FIRST value it reads for each keyword, and Ubuntu's default config
# includes /etc/ssh/sshd_config.d/*.conf before its own settings, so check the
# effective values with: sudo sshd -T
# Change default port
Port 2222
# Disable root login
PermitRootLogin no
# Disable password authentication
PasswordAuthentication no
# Allow key authentication only
PubkeyAuthentication yes
# Disable empty passwords
PermitEmptyPasswords no
# Limit login attempts
MaxAuthTries 3
LoginGraceTime 30
# Allow specific users/groups only (when both are set, a user must match both lists)
AllowUsers admin deploy
AllowGroups sshusers
# Protocol version (SSH-1 was removed in OpenSSH 7.4; this line is obsolete and only matters on old releases)
Protocol 2
# Validate the config before applying it, and keep your current session open until a new login succeeds
sudo sshd -t && sudo systemctl restart sshd
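As an added example (not part of the original guide), a small audit function that checks an sshd_config file against the settings above. It reproduces sshd's first-match rule, so it catches the common mistake of appending hardened lines below an earlier, weaker directive. Match blocks, the `Keyword=value` form and Include drop-ins are not modelled; on a live host use `sudo sshd -T` for the effective values.

```shell
# Audits an sshd_config file against the hardening settings listed above.
# sshd keeps the FIRST value it reads for a keyword, so a hardened line added
# at the end of the file is ignored if a weaker one appears earlier; this
# check reproduces that first-match rule. Match blocks, "Keyword=value"
# syntax and Include drop-ins are not modelled (run `sshd -T` for those).
# Prints one line per finding; the return code is the number of findings.
audit_sshd_config() {
    awk '
        function want(k, v) {
            if (!(k in seen)) { print k " not set (sshd default applies)"; return 1 }
            if (seen[k] != v)  { print k " is " seen[k] ", want " v; return 1 }
            return 0
        }
        /^[[:space:]]*#/ || NF == 0 { next }     # skip comments and blank lines
        { key = tolower($1); val = $2 }          # keywords are case-insensitive
        key in seen { next }                     # first occurrence wins, as in sshd
        { seen[key] = val }
        END {
            n = 0
            n += want("permitrootlogin", "no")
            n += want("passwordauthentication", "no")
            n += want("pubkeyauthentication", "yes")
            n += want("permitemptypasswords", "no")
            tries = ("maxauthtries" in seen) ? seen["maxauthtries"] + 0 : 6
            if (tries > 3) { print "maxauthtries is " tries ", want <= 3"; n++ }
            exit n
        }
    ' "$1"
}

# Typical use: audit_sshd_config /etc/ssh/sshd_config; echo "findings: $?"
```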
4. Firewall Configuration
4.1 UFW (Ubuntu)
# Default policies
sudo ufw default deny incoming
sudo ufw default allow outgoing
# Allow necessary ports only
sudo ufw allow 2222/tcp comment 'SSH'
sudo ufw allow 80/tcp comment 'HTTP'
sudo ufw allow 443/tcp comment 'HTTPS'
# IP-based restrictions (SSH was moved to 2222 above; the earlier rule already allows
# 2222 from anywhere, so delete it with "sudo ufw delete allow 2222/tcp" if SSH should be LAN-only)
sudo ufw allow from 192.168.1.0/24 to any port 2222 proto tcp
# Enable firewall
sudo ufw enable
sudo ufw status verbose
4.2 firewalld (RHEL/CentOS)
# Check default zone
sudo firewall-cmd --get-default-zone
# Allow services
sudo firewall-cmd --permanent --add-service=http
sudo firewall-cmd --permanent --add-service=https
# Allow ports
sudo firewall-cmd --permanent --add-port=2222/tcp
# Apply rules
sudo firewall-cmd --reload
5. Intrusion Detection Systems
5.1 Fail2Ban
# Install
sudo apt install fail2ban
# /etc/fail2ban/jail.local
[DEFAULT]
bantime = 3600
findtime = 600
maxretry = 3
[sshd]
enabled = true
port = 2222
logpath = /var/log/auth.log
# On hosts without rsyslog (no /var/log/auth.log) use "backend = systemd" instead of logpath
[nginx-http-auth]
enabled = true
# Start the service and check status
sudo systemctl enable --now fail2ban
sudo fail2ban-client status
sudo fail2ban-client status sshd
5.2 AIDE (Integrity Checking)
# Install
sudo apt install aide
# Initialize the baseline database (the Debian/Ubuntu wrapper also installs it as the active database)
sudo aideinit
# Compare the filesystem against the baseline
sudo aide --check
# Update the database after reviewing the report: the result is written to the database_out
# path (aide.db.new.gz on Debian/Ubuntu) and must be copied over the database path from
# /etc/aide/aide.conf to become the new baseline
sudo aide --update
6. SELinux / AppArmor
6.1 SELinux (RHEL/CentOS)
# Check status
getenforce
sestatus
# Change mode at runtime (not persistent across reboots)
sudo setenforce 0 # Permissive
sudo setenforce 1 # Enforcing
# Permanent setting (/etc/selinux/config)
SELINUX=enforcing
# Troubleshooting
sudo ausearch -m avc -ts recent
sudo sealert -a /var/log/audit/audit.log
6.2 AppArmor (Ubuntu)
# Check status
sudo aa-status
# Profile management
sudo aa-enforce /etc/apparmor.d/usr.sbin.nginx
sudo aa-complain /etc/apparmor.d/usr.sbin.nginx
# Check logs
sudo journalctl -fx | grep apparmor
7. Vulnerability Scanning
7.1 Lynis
# Install
sudo apt install lynis
# System audit
sudo lynis audit system
# View reports
sudo cat /var/log/lynis.log
sudo cat /var/log/lynis-report.dat
7.2 OpenVAS
# Install (Ubuntu)
sudo apt install openvas
# Initial setup
sudo gvm-setup
# Start scan
sudo gvm-start
# Web interface: https://localhost:9392
8. Log Monitoring
# Monitor suspicious activity
# Failed logins
grep "Failed password" /var/log/auth.log | tail -20
# sudo usage
grep "sudo" /var/log/auth.log
# System boot/shutdown
last reboot
last shutdown
# Currently logged in users
who
w
# Listening sockets (netstat is legacy; ss is the current tool)
ss -tuln
netstat -tuln
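As an added example (not part of the original guide), the brute-force detection that section 5.1's Fail2Ban jail performs and that the "Failed password" grep above only approximates: it reads auth.log lines and reports every source address that produced maxretry failures inside a findtime window. The log lines are constructed with RFC 5737 documentation addresses, and only the HH:MM:SS part of the syslog timestamp is parsed, so the input is assumed to stay within one day.

```shell
# Constructed sample auth.log lines (RFC 5737 documentation addresses, not real traffic).
SAMPLE_AUTH_LOG='Jan 10 12:00:01 srv sshd[1234]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Jan 10 12:00:03 srv sshd[1234]: Failed password for root from 203.0.113.5 port 51240 ssh2
Jan 10 12:00:07 srv sshd[1235]: Failed password for root from 203.0.113.5 port 51242 ssh2
Jan 10 12:00:09 srv sshd[1236]: Accepted publickey for admin from 192.0.2.9 port 50000 ssh2
Jan 10 12:30:00 srv sshd[1300]: Failed password for deploy from 198.51.100.7 port 40000 ssh2
Jan 10 13:00:00 srv sshd[1301]: Failed password for deploy from 198.51.100.7 port 40002 ssh2
Jan 10 13:20:00 srv sshd[1302]: Failed password for deploy from 198.51.100.7 port 40004 ssh2'

# Reads auth.log lines on stdin and prints (sorted) the source addresses that
# Fail2Ban would ban with the given findtime (seconds) and maxretry, i.e. any
# address with maxretry "Failed password" events inside one findtime window.
# Assumption: the log stays within a single day (only HH:MM:SS is parsed).
find_bruteforce() {
    awk -v findtime="$1" -v maxretry="$2" '
        /Failed password/ {
            split($3, t, ":")
            secs = t[1] * 3600 + t[2] * 60 + t[3]
            ip = "unknown"
            for (i = 1; i <= NF; i++) if ($i == "from") ip = $(i + 1)
            n[ip]++
            ts[ip, n[ip]] = secs                 # failures kept in log order
        }
        END {
            for (ip in n)
                # slide a window of maxretry consecutive failures over the list
                for (i = maxretry; i <= n[ip]; i++)
                    if (ts[ip, i] - ts[ip, i - maxretry + 1] <= findtime) { print ip; break }
        }
    ' | sort
}

# On a live host: find_bruteforce 600 3 < /var/log/auth.log
# Against the sample with the jail.local values (findtime 600, maxretry 3),
# only 203.0.113.5 is reported; 198.51.100.7 spreads its three failures over 50 minutes.
```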
9. Security Checklist
#!/bin/bash
# security_audit.sh - quick read-only audit; run as root for complete results
# (reading /etc/shadow, sshd -T and walking / for SUID files need it)
echo "=== Linux Security Audit ==="
[ "$(id -u)" -eq 0 ] || echo "Warning: not running as root, some checks will be incomplete"
echo -e "\n[1] Check system updates (Debian/Ubuntu)"
apt list --upgradable 2>/dev/null | head -10
echo -e "\n[2] Root login status (effective value, including sshd_config.d drop-ins)"
sshd -T 2>/dev/null | grep -i "^permitrootlogin"
echo -e "\n[3] Password authentication status"
sshd -T 2>/dev/null | grep -i "^passwordauthentication"
echo -e "\n[4] Listening sockets (TCP and UDP)"
ss -tuln
echo -e "\n[5] SUID files"
find / -perm -4000 -type f 2>/dev/null | head -10
echo -e "\n[6] Empty password accounts"
awk -F: '($2 == "") {print $1}' /etc/shadow
echo -e "\n[7] Recent login failures"
grep "Failed password" /var/log/auth.log 2>/dev/null | tail -5
echo -e "\n[8] Firewall status"
ufw status 2>/dev/null || firewall-cmd --state 2>/dev/null
echo -e "\nAudit complete"
10. Series Conclusion
This concludes the Linux Server Administration Complete Guide series. Over 10 parts, we covered the essentials of server management from basics to security:
- Part 1: Linux Basics and File System
- Part 2: User and Permission Management
- Part 3: Package Management and Service Operations
- Part 4: Network Configuration and Firewall
- Part 5: SSH and Remote Server Management
- Part 6: Shell Script Basics
- Part 7: Advanced Shell Scripts
- Part 8: Log Management and Monitoring
- Part 9: Backup and Recovery Strategies
- Part 10: Security Hardening and Vulnerability Management
We hope this series serves as a solid foundation for your Linux server administration journey.