Automated bots scan the whole internet around the clock looking for open ports, default credentials and weak passwords. Most breaches happen not through zero-day vulnerabilities but through basic configuration mistakes that take a few hours to fix. Here is a practical checklist for hardening a fresh or existing Linux server.

Authentication and access

1. Switch to SSH keys instead of passwords

Password brute force against SSH is the most common attack any internet-facing server sees. Generate a key pair (ed25519 preferred, or RSA 4096) on your local machine with ssh-keygen, copy the public key to the server with ssh-copy-id, and confirm that key login works from a second terminal before changing anything. Then disable passwords in /etc/ssh/sshd_config: PasswordAuthentication no, plus KbdInteractiveAuthentication no (ChallengeResponseAuthentication no on older OpenSSH), otherwise PAM can still prompt for a password through the keyboard-interactive method. On Debian and Ubuntu also check /etc/ssh/sshd_config.d/: it is included at the top of sshd_config, and sshd uses the first value it reads for a keyword, so a provider drop-in that sets PasswordAuthentication yes silently overrides your line further down. Validate with sshd -t, then restart the service while keeping your current session open.

2. Disable root SSH login

Root is the first account bots try. In the same file set PermitRootLogin no and administer the server as a regular user with sudo rights. If automation genuinely has to log in as root, use PermitRootLogin prohibit-password, which permits key-based root logins only.

3. Change the default SSH port

Port 22 is what automated scanners hit first. Moving SSH to a non-standard port (e.g., 2277) is obscurity rather than security: a targeted attacker finds it with a port scan in seconds, but it does cut the background noise in your logs substantially. Set Port 2277 in sshd_config, open the new port in the firewall before restarting sshd, and keep your current session open until a fresh connection on the new port succeeds. On SELinux systems such as RHEL, register the port first with semanage port -a -t ssh_port_t -p tcp 2277, or sshd will refuse to bind to it.

4. Two-factor authentication (2FA)

For critical servers, add TOTP as a second factor with libpam-google-authenticator. Enable pam_google_authenticator in /etc/pam.d/sshd and comment out the @include common-auth line there so the interactive step is the TOTP prompt and never a password. In sshd_config set KbdInteractiveAuthentication yes (this reverses the setting from step 1, which is why the PAM change matters) and AuthenticationMethods publickey,keyboard-interactive; without the AuthenticationMethods line a key-only login never reaches PAM and the TOTP prompt is simply skipped. Even if an SSH key leaks, the attacker still cannot get in without the second factor. Keep a recovery path (out-of-band console, stored emergency codes) so a lost phone does not lock you out.
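The four steps above only work if the values you set are the ones sshd actually uses. The following is an added example, not code from the original article: an audit that resolves an sshd configuration the way sshd does, with the first value for a keyword winning and Include drop-ins read before the main file. The sandbox paths and the 50-cloud-init.conf drop-in are constructed for the demonstration; on a real host you would pass /etc/ssh/sshd_config.d/*.conf followed by /etc/ssh/sshd_config.

```shell
#!/bin/sh
# Added example, not from the original article. sshd uses the FIRST value it
# reads for a keyword (man sshd_config), and "Include" pulls files in at the
# position of the Include line. Debian/Ubuntu put
# "Include /etc/ssh/sshd_config.d/*.conf" on line 1 of sshd_config, so a
# drop-in (e.g. a provider's 50-cloud-init.conf) overrides whatever you write
# further down in the main file. This audit models that resolution order; the
# Include line itself is not followed, the caller passes files in sshd's order.
set -eu

# effective_sshd_value KEYWORD FILE...
# Prints the first value found (lower-cased) or nothing if the keyword is unset.
# Settings inside Match blocks are conditional and ignored here.
# Assumes the common "Keyword value" syntax (not "Keyword=value").
effective_sshd_value() {
    key=$1; shift
    awk -v key="$key" '
        FNR == 1                    { in_match = 0 }      # new file: Match scope ends
        /^[[:space:]]*#/            { next }              # comment
        /^[[:space:]]*$/            { next }              # blank line
        tolower($1) == "match"      { in_match = 1; next }
        in_match                    { next }
        tolower($1) == tolower(key) { print tolower($2); exit }
    ' "$@"
}

# audit_sshd FILE...
# Checks steps 1-2 above, applying sshd's compiled-in default when a keyword is
# not set anywhere. Prints one line per finding and returns the finding count.
audit_sshd() {
    failures=0
    #           keyword:default:required
    for spec in \
        "PasswordAuthentication:yes:no" \
        "KbdInteractiveAuthentication:yes:no" \
        "PermitRootLogin:prohibit-password:no" \
        "PubkeyAuthentication:yes:yes"
    do
        key=${spec%%:*}; rest=${spec#*:}
        default=${rest%%:*}; want=${rest#*:}
        value=$(effective_sshd_value "$key" "$@")
        if [ -z "$value" ]; then value=$default; origin=" (default)"; else origin=""; fi
        if [ "$value" != "$want" ]; then
            echo "$key=$value$origin, want $want"
            failures=$((failures + 1))
        fi
    done
    return "$failures"
}

# --- constructed sandbox: a hardened main config undone by a provider drop-in ---
demo=$(mktemp -d)
trap 'rm -rf "$demo"' EXIT
mkdir "$demo/sshd_config.d"
printf 'PasswordAuthentication yes\n' > "$demo/sshd_config.d/50-cloud-init.conf"
cat > "$demo/sshd_config" <<'EOF'
Include /etc/ssh/sshd_config.d/*.conf
Port 2277
PermitRootLogin no
PasswordAuthentication no
Match User backup
    PasswordAuthentication no
EOF

# Drop-ins first, because the Include is the first line of the main file.
if audit_sshd "$demo"/sshd_config.d/*.conf "$demo/sshd_config"; then
    echo "sshd: OK"
else
    echo "sshd: fix the findings above, then run: sshd -t && systemctl restart ssh"
fi
```

Running it reports PasswordAuthentication=yes (from the drop-in) and KbdInteractiveAuthentication=yes (default), exactly the two settings that keep password logins alive despite the PasswordAuthentication no line in the main file. The quicker check on a live host is sshd -T, which prints the fully resolved configuration; this script shows where a surprising value came from.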

Network security

5. Configure UFW (Uncomplicated Firewall)

Open only the ports that are actually needed and deny everything else by default. Allow the SSH port before you enable the firewall, or you lock yourself out: ufw default deny incoming; ufw default allow outgoing; ufw allow 2277/tcp (or ufw limit 2277/tcp, which also rate-limits repeated connection attempts from one address); ufw allow 80,443/tcp; ufw enable; then confirm with ufw status verbose. Services that are only used locally (database, Redis, PHP-FPM) are better bound to 127.0.0.1 than merely firewalled.

6. Install fail2ban

fail2ban tails the logs and temporarily blocks IP addresses that accumulate too many failed logins. Out of the box it bans for 10 minutes after 5 failures within 10 minutes (bantime, maxretry, findtime); a common tightening is bantime = 1h or longer, with bantime.increment = true so repeat offenders stay banned progressively longer. Put your changes in /etc/fail2ban/jail.local, never in jail.conf, which is overwritten on upgrade. Set port = 2277 in the [sshd] jail if you moved SSH, use backend = systemd on hosts that log to the journal only, and add jails for Nginx, PHP-FPM and mail services as applicable.

7. Close unnecessary ports and services

Run ss -tulnp (TCP and UDP) and account for every listening socket. Anything bound to 0.0.0.0 or [::] is reachable from the network and is attack surface; anything you cannot explain should be stopped and disabled: systemctl disable --now service-name. Services that must stay but are only used locally should be reconfigured to listen on 127.0.0.1.

Updates and patching

8. Automatic security updates

Install unattended-upgrades on Ubuntu/Debian and enable it with dpkg-reconfigure -plow unattended-upgrades, so security patches are applied without an administrator. Fixes for critical vulnerabilities are often published within hours of disclosure; manual patching lags behind. Decide whether the host may reboot itself (Unattended-Upgrade::Automatic-Reboot), because kernel updates do not take effect until it does.

9. Regular package audit

Use apt list --upgradable or debsecan to see which installed packages have known vulnerabilities. On CentOS/RHEL and derivatives: yum updateinfo list security (dnf on current releases). After updating shared libraries, restart the services that loaded them (needrestart shows which ones) or the patched code is not actually running.

Access rights and filesystem

10. Principle of least privilege

The web server (nginx, apache) and PHP-FPM should run as an unprivileged user (www-data). Site files should be owned by a separate deploy user with group www-data and modes 640 for files and 750 for directories, so the web server can read but not modify them; grant write access only to the specific directories that need it (uploads, cache). Never use chmod 777: it lets any local user or compromised process rewrite the files, which is exactly how a web shell gets planted.

11. Mount /tmp and /var/tmp as noexec

Mount temporary directories with noexec,nosuid,nodev in /etc/fstab, for example tmpfs /tmp tmpfs defaults,noexec,nosuid,nodev,size=1G 0 0 (and a bind mount with the same options for /var/tmp). This stops malware dropped into a temp directory from being executed directly. Know the limits: an interpreter can still run it with sh /tmp/x.sh or python3 /tmp/x.py, so this is a speed bump rather than a wall, and some package installers execute scripts from /tmp and fail under noexec; set TMPDIR elsewhere or temporarily remount with exec for those installs.
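Two quick checks for items 10 and 11, as an added example that is not from the original article: a scan for world-writable paths under a web root with the corrective chmod, and a check of mount options read from a /proc/mounts-style file. The web root and the mounts text below are constructed in a scratch directory; on a live host you would pass the real web root and /proc/mounts.

```shell
#!/bin/sh
# Added example, not from the original article. Two checks backing items 10
# and 11: world-writable paths under a web root (what chmod 777 leaves behind)
# and the mount options of temp directories. Sample data is constructed in a
# scratch directory; on a live host use the real web root and /proc/mounts.
set -eu
umask 022

# world_writable DIR : list files and directories under DIR that "other" can write to
world_writable() {
    # -perm -0002 = the o+w bit is set (octal form for portability); -xdev stays on one filesystem
    find "$1" -xdev \( -type f -o -type d \) -perm -0002 -print | sort
}

# fix_world_writable DIR : strip the other-write bit; owner and group bits are untouched
fix_world_writable() {
    find "$1" -xdev \( -type f -o -type d \) -perm -0002 -exec chmod o-w {} +
}

# mount_has_option MOUNTS_FILE MOUNTPOINT OPTION : succeeds if MOUNTPOINT is mounted
# with OPTION. MOUNTS_FILE has /proc/mounts layout: device mountpoint fstype options ...
mount_has_option() {
    awk -v mp="$2" -v opt="$3" '
        $2 == mp && ("," $4 ",") ~ ("," opt ",") { ok = 1 }
        END { exit !ok }
    ' "$1"
}

scratch=$(mktemp -d)
trap 'rm -rf "$scratch"' EXIT

# A constructed web root with one typical mistake
webroot="$scratch/var/www/example"
mkdir -p "$webroot/uploads" "$webroot/config"
printf '<?php // app\n' > "$webroot/index.php";        chmod 644 "$webroot/index.php"
printf 'DB_PASS=changeme\n' > "$webroot/config/.env";  chmod 640 "$webroot/config/.env"
chmod 777 "$webroot/uploads"                           # an upload error "fixed" the wrong way

echo "World-writable before:"; world_writable "$webroot"
fix_world_writable "$webroot"
echo "World-writable after:";  world_writable "$webroot"
# uploads still has to be writable by the web server; the right fix is group
# ownership, e.g.  chown deploy:www-data uploads && chmod 775 uploads  (root, not run here)

# A constructed /proc/mounts: /tmp hardened, /var/tmp forgotten
mounts="$scratch/mounts"
cat > "$mounts" <<'EOF'
/dev/vda1 / ext4 rw,relatime,errors=remount-ro 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,noexec,relatime,size=1048576k 0 0
/dev/vda1 /var/tmp ext4 rw,relatime 0 0
EOF
for mp in /tmp /var/tmp; do
    if mount_has_option "$mounts" "$mp" noexec; then echo "$mp: noexec OK"
    else echo "$mp: missing noexec"; fi
done
```

Run world_writable from cron against every web root and alert on any output; a file that becomes world-writable on a server nobody is supposed to be editing is worth a look even when it is not an attack.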

Monitoring and intrusion detection

12. Configure centralized log analysis

auth.log (or journalctl -u ssh on journald-only systems; the unit is sshd on RHEL), syslog, and nginx access.log/error.log should be reviewed regularly or analyzed automatically. Look for accepted logins from unfamiliar addresses, new users or sudo grants, and bursts of 4xx/5xx responses, not only failed logins. Tools: Logwatch, GoAccess for nginx, or a full ELK or Loki+Grafana stack once you have more than a couple of hosts.
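Items 6 and 12 meet in the following added example (not code from the original article or from the fail2ban project): the core decision a fail2ban sshd jail makes, run over constructed auth.log lines. It reports every source address with maxretry or more failed passwords inside any findtime window. The log lines use the TEST-NET documentation address ranges and are constructed; fail2ban's real filter matches more sshd message variants and parses dates fully.

```shell
#!/bin/sh
# Added example, not from the original article. Reproduces the core fail2ban
# decision for the sshd jail over a constructed auth.log: ban a source IP when
# it produces >= maxretry failures within findtime seconds. Only "Failed
# password" lines are counted here; fail2ban's filter also matches other sshd
# messages and understands full timestamps. The sample spans a single day, so
# the HH:MM:SS field of the traditional syslog stamp is enough.
set -eu

# brute_force_ips LOGFILE MAXRETRY FINDTIME_SECONDS  -> one address per line, sorted
brute_force_ips() {
    awk -v maxretry="$2" -v findtime="$3" '
        /sshd\[[0-9]+\]: Failed password for / {
            split($3, t, ":")                            # $3 = HH:MM:SS of the syslog stamp
            secs = t[1] * 3600 + t[2] * 60 + t[3]
            for (i = 1; i <= NF; i++)                    # the source address follows "from"
                if ($i == "from") { ip = $(i + 1); break }
            n[ip]++
            ts[ip, n[ip]] = secs
        }
        END {
            for (ip in n) {
                # sort the timestamps of this address (logs are normally ordered; do not rely on it)
                for (i = 2; i <= n[ip]; i++) {
                    v = ts[ip, i]; j = i - 1
                    while (j >= 1 && ts[ip, j] > v) { ts[ip, j + 1] = ts[ip, j]; j-- }
                    ts[ip, j + 1] = v
                }
                # sliding window: are failure i and failure i+maxretry-1 within findtime?
                for (i = 1; i + maxretry - 1 <= n[ip]; i++)
                    if (ts[ip, i + maxretry - 1] - ts[ip, i] <= findtime) { print ip; break }
            }
        }
    ' "$1" | sort
}

# Constructed auth.log: one fast brute forcer, one legitimate user with a typo,
# one slow scanner spacing attempts 11 minutes apart to stay under a 10-minute window.
log=$(mktemp)
trap 'rm -f "$log"' EXIT
cat > "$log" <<'EOF'
Jan 12 03:14:07 web1 sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Jan 12 03:14:09 web1 sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Jan 12 03:14:12 web1 sshd[2104]: Failed password for root from 203.0.113.7 port 51240 ssh2
Jan 12 03:14:15 web1 sshd[2104]: Failed password for root from 203.0.113.7 port 51240 ssh2
Jan 12 03:15:01 web1 sshd[2110]: Failed password for invalid user oracle from 203.0.113.7 port 51260 ssh2
Jan 12 03:16:30 web1 sshd[2115]: Failed password for invalid user test from 203.0.113.7 port 51277 ssh2
Jan 12 03:20:00 web1 sshd[2130]: Failed password for deploy from 198.51.100.23 port 40022 ssh2
Jan 12 03:20:08 web1 sshd[2130]: Accepted publickey for deploy from 198.51.100.23 port 40022 ssh2
Jan 12 04:01:00 web1 sshd[2300]: Failed password for root from 192.0.2.44 port 33001 ssh2
Jan 12 04:12:00 web1 sshd[2310]: Failed password for root from 192.0.2.44 port 33010 ssh2
Jan 12 04:23:00 web1 sshd[2320]: Failed password for root from 192.0.2.44 port 33020 ssh2
Jan 12 04:34:00 web1 sshd[2330]: Failed password for root from 192.0.2.44 port 33030 ssh2
Jan 12 04:45:00 web1 sshd[2340]: Failed password for root from 192.0.2.44 port 33040 ssh2
EOF

echo "fail2ban defaults (5 failures in 10 minutes):"; brute_force_ips "$log" 5 600
echo "slow scanner caught with findtime = 1h:";       brute_force_ips "$log" 5 3600
```

With the defaults only 203.0.113.7 is banned; the patient scanner at 192.0.2.44 never trips a 10-minute window and is only caught once findtime is widened to an hour. That trade-off (a longer findtime also catches a legitimate user who fumbles a password five times over a morning) is the reason the jail parameters deserve a conscious choice rather than the defaults.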

13. Install an intrusion detection system (IDS)

AIDE and Tripwire are host-based file-integrity monitors: they record a baseline of checksums, permissions and ownership and report every file that later changes. Initialize the database on a known-clean system (ideally right after installation), keep a copy off the host or on read-only media so an intruder cannot regenerate it, and run the check from cron or a systemd timer with the report mailed out. Update the baseline deliberately after every legitimate change, or the alerts will be ignored. This is how a compromise gets noticed after the fact, when an attacker has already replaced binaries or added cron jobs.

Backups and recovery

14. Automated backups with recovery testing

A backup without recovery testing is not a backup. Back up the database and files automatically (daily) to a separate server or S3-compatible storage, using credentials that can write new backups but not delete or overwrite old ones, so a compromised server cannot destroy its own backups. Encrypt anything that leaves the host. Monthly, restore a backup onto a staging environment and confirm the application actually works from it.
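The "test the restore" half of this item, as an added example that is not code from the original article: back up a directory, record its checksum, then prove the archive restores byte-for-byte into a scratch directory, and watch the check fail once the archive is damaged. The source tree is constructed in a temporary directory; a real job runs the same restore_test against the copy fetched back from remote storage, not against the local file it just wrote.

```shell
#!/bin/sh
# Added example, not from the original article. A backup is trusted only once
# a restore from the stored copy has been compared with the original.
# backup_dir writes a checksum next to the archive; restore_test verifies the
# checksum, extracts into a scratch directory and diffs against the source.
# Paths are passed absolute so the .sha256 file resolves from any directory.
set -eu

# backup_dir SRC_DIR ARCHIVE : create ARCHIVE (tar.gz of SRC_DIR) and ARCHIVE.sha256
backup_dir() {
    tar -C "$(dirname "$1")" -czf "$2" "$(basename "$1")"
    sha256sum "$2" > "$2.sha256"
}

# restore_test ARCHIVE SRC_DIR : returns 0 only if the checksum matches AND a
# full restore is identical to SRC_DIR; prints the reason otherwise
restore_test() {
    archive=$1; src=$2
    if ! sha256sum -c --status "$archive.sha256"; then
        echo "FAIL: checksum mismatch, $archive is damaged or tampered with"; return 1
    fi
    scratch=$(mktemp -d)
    tar -C "$scratch" -xzf "$archive"
    if diff -r "$src" "$scratch/$(basename "$src")" >/dev/null; then
        rm -rf "$scratch"; echo "OK: restore of $archive matches $src"; return 0
    fi
    rm -rf "$scratch"; echo "FAIL: restored tree differs from $src"; return 1
}

work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT

# Constructed "site" to protect
mkdir -p "$work/site/uploads"
printf 'hello\n' > "$work/site/index.html"
printf 'id,name\n1,alice\n' > "$work/site/uploads/export.csv"

archive="$work/site-$(date +%F).tar.gz"
backup_dir "$work/site" "$archive"
restore_test "$archive" "$work/site"                 # expected: OK

# Simulate damage in storage: any change to the archive changes the checksum
printf 'junk' >> "$archive"
restore_test "$archive" "$work/site" || true         # expected: FAIL (checksum)
```

The diff step is what catches the failure mode a checksum cannot: an archive that is intact but incomplete because a path was excluded or a database dump was taken while the application was still writing. For a database, replace the diff with restoring the dump into a scratch instance and running a few known queries against it.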

15. Availability monitoring and alerts

Set up external monitoring (UptimeRobot, Betterstack, or a self-hosted Uptime Kuma) with Telegram or email alerts when the server goes down or the TLS certificate is about to expire. You should learn about a problem before your clients do.

Summary

Server security is not a one-time action but a process. Apply this checklist every time you deploy a new server and review settings quarterly. Most breaches can be prevented with basic security hygiene — don't wait for a problem to appear on its own.