Pulsar67 Logo
How to secure a Linux Server

How to secure a Linux Server

By Trenton Barrett on March 24, 2025 (Last updated: March 29, 2025)

How to Secure a New Linux Server

Securing a Linux server is essential to protect your data and services from unauthorized access or misuse. This guide outlines foundational steps for hardening a fresh Ubuntu or Debian-based Linux server.

Step 1: Create a New User

It’s best practice not to log in directly as root. Create a new user account with administrative privileges: 

adduser yourusername
usermod -aG sudo yourusername

Step 2: Set Up SSH Key Authentication

SSH keys provide a secure and convenient way to log in. On your local machine, generate a key pair if you don’t have one: 

ssh-keygen -t ed25519 -C "[email protected]"

Then copy your public key to the server:

ssh-copy-id yourusername@your_server_ip

Step 3: Disable Root Login and Password SSH Access

Once SSH key authentication is configured, it’s best to disable root login and password-based SSH access. Edit your SSH config file: 

sudo nano /etc/ssh/sshd_config

Find or add the following lines:

PermitRootLogin no
PasswordAuthentication no

Save and restart SSH:

sudo systemctl restart ssh

Warning:

Make sure you can log in using your SSH key before disabling password access, or you may lock yourself out of the server.

Step 4: Set Up a Basic UFW Firewall

UFW (Uncomplicated Firewall) allows you to easily manage firewall rules. 

sudo ufw allow OpenSSH
sudo ufw enable
sudo ufw status verbose

This ensures that SSH remains accessible while blocking all other incoming connections by default.

Step 5: Install Fail2Ban

Fail2Ban scans log files and bans IPs that show malicious signs, such as too many password failures. 

sudo apt install fail2ban

Basic setup works out of the box. You can customize settings in:

/etc/fail2ban/jail.local

Step 6: Keep Your Server Updated

Regular updates are critical for security patches. Automate security updates by installing the unattended-upgrades package: 

sudo apt install unattended-upgrades
sudo dpkg-reconfigure --priority=low unattended-upgrades

Step 7: Check for Open Ports

Use ss or netstat to check which services are exposed: 

sudo ss -tuln

Conclusion

You've now taken critical first steps to harden your Linux server against unauthorized access. While this guide covers the basics, additional measures like using intrusion detection systems, auditing logs, and monitoring file integrity can further improve security.

Back to Tutorials