Linux Server Hardening Checklist for 2026
A practical, current hardening checklist for production Linux servers — identity, kernel, network, logging, and the controls that actually reduce risk.

Start with the base image
Hardening starts with the image, not the running server. Use a minimal distribution image — Debian slim, Ubuntu minimal, RHEL UBI minimal — and add only the packages a workload actually needs. Every package is attack surface and patch burden.
Build images with a configuration management tool (Ansible, SaltStack) or an image builder (Packer, Image Builder), and treat the built image as the unit of deployment. Hardening applied by hand to a running server does not survive the next rebuild or autoscaling replacement, and nobody can prove it was applied everywhere.
Identity and SSH
Disable password authentication entirely. Require SSH key authentication, ideally with hardware-backed keys (a YubiKey via FIDO2 or PIV, or the macOS Secure Enclave via Secretive). PasswordAuthentication no on its own is not enough: PAM can still prompt for a password through keyboard-interactive authentication, so set KbdInteractiveAuthentication no as well (ChallengeResponseAuthentication no on OpenSSH older than 8.7). Set PermitRootLogin to prohibit-password, forced-commands-only, or no; interactive work happens as a named user with sudo, which is the right model for privilege elevation and gives you attribution in the logs.
Configure sshd for modern algorithms only: ssh-ed25519 host and user keys, plus sk-ssh-ed25519 for FIDO keys and ecdsa-sha2-nistp256 if your hardware keys live in a Secure Enclave or PIV slot (neither can do Ed25519); curve25519-sha256 key exchange; chacha20-poly1305@openssh.com and aes256-gcm@openssh.com ciphers; and the encrypt-then-MAC hmac-sha2-*-etm MACs. Set MaxAuthTries, LoginGraceTime, and ClientAliveInterval together with ClientAliveCountMax (the interval does nothing useful without a count). Verify the effective configuration with sshd -T rather than reading the file, since drop-ins and Match blocks change what actually applies. Run sshd on a non-default port only if your operational tooling supports it; port obscurity provides marginal value and breaks more than it helps.
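As an added example (not part of the original article), here is a drop-in that implements the settings above and a small audit function that flags weak settings in any sshd configuration. The path under sshd_config.d, the algorithm list and the two sample configurations are assumptions; the audit function is meant to be pointed at sshd -T output, which is the resolved configuration sshd will actually enforce.

```shell
#!/usr/bin/env bash
# Added example, not from the article: a hardened sshd drop-in plus an audit
# function that flags weak settings in any sshd configuration. The file
# names and the sample configs are constructed for the demo.
set -eu

# Stock /etc/ssh/sshd_config on current Debian, Ubuntu and RHEL-family
# releases begins with "Include /etc/ssh/sshd_config.d/*.conf", and for each
# directive the first value sshd reads wins, so a low-numbered drop-in
# overrides the distribution defaults that follow it.
write_hardened_sshd_conf() {
  cat > "$1" <<'EOF'
# /etc/ssh/sshd_config.d/00-hardening.conf (assumed path)
PasswordAuthentication no
# PAM keyboard-interactive can still ask for a password unless this is off too
KbdInteractiveAuthentication no
PermitEmptyPasswords no
PermitRootLogin prohibit-password
PubkeyAuthentication yes
# sk-ssh-ed25519 is what FIDO2 keys use; ecdsa-sha2-nistp256 covers Secure
# Enclave (Secretive) and PIV-backed keys, which cannot do Ed25519
PubkeyAcceptedAlgorithms ssh-ed25519,sk-ssh-ed25519@openssh.com,ecdsa-sha2-nistp256
HostKeyAlgorithms ssh-ed25519
KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com
MaxAuthTries 3
LoginGraceTime 30
# Interval does nothing useful without CountMax: drop a session after 2 missed probes
ClientAliveInterval 300
ClientAliveCountMax 2
X11Forwarding no
AllowAgentForwarding no
EOF
}

# Print one line per weak setting; empty output means the file is clean.
# Works on sshd_config syntax and on "sshd -T" output (lower-case keywords),
# and mirrors sshd's first-occurrence-wins handling of repeated directives.
sshd_weak_settings() {
  awk '
    /^[[:space:]]*#/ { next }
    NF == 0          { next }
    {
      sub(/^[[:space:]]+/, "")
      split($0, f, /[[:space:]=]+/)
      k = tolower(f[1]); v = tolower(f[2])
      if (!(k in seen)) seen[k] = v
    }
    END {
      if (!("passwordauthentication" in seen))
        print "PasswordAuthentication unset (sshd default is yes)"
      else if (seen["passwordauthentication"] != "no")
        print "PasswordAuthentication " seen["passwordauthentication"]
      if (!("kbdinteractiveauthentication" in seen) && !("challengeresponseauthentication" in seen))
        print "KbdInteractiveAuthentication unset (PAM may still prompt for a password)"
      else if (seen["kbdinteractiveauthentication"] == "yes" || seen["challengeresponseauthentication"] == "yes")
        print "KbdInteractiveAuthentication yes"
      if (seen["permitrootlogin"] == "yes")      print "PermitRootLogin yes"
      if (seen["permitemptypasswords"] == "yes") print "PermitEmptyPasswords yes"
      if (seen["x11forwarding"] == "yes")        print "X11Forwarding yes"
      if (("maxauthtries" in seen) && seen["maxauthtries"] + 0 > 4)
        print "MaxAuthTries " seen["maxauthtries"]
    }' "$1"
}

# Demo on scratch files. On a real host: sshd_weak_settings <(sshd -T), then
# validate with "sshd -t" before "systemctl reload ssh" (sshd on RHEL-family).
scratch="$(mktemp -d)"
write_hardened_sshd_conf "$scratch/00-hardening.conf"
printf 'Port 22\nPermitRootLogin yes\nPasswordAuthentication yes\nX11Forwarding yes\nMaxAuthTries 6\n' \
  > "$scratch/weak.conf"          # constructed weak config
echo "hardened drop-in:"; sshd_weak_settings "$scratch/00-hardening.conf"
echo "weak config:";      sshd_weak_settings "$scratch/weak.conf"
```

The audit deliberately treats an absent PasswordAuthentication or KbdInteractiveAuthentication as a finding, because sshd's compiled-in default for both is yes; a config that never mentions them is a config that accepts passwords.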
Kernel and OS-level controls
Enable mandatory access control: SELinux on Red Hat-family distributions, AppArmor on Debian-family (Ubuntu enables it by default, and Debian has since buster). Both ship with reasonable defaults. Run in enforcing mode in production and confirm it after every boot (getenforce, aa-status); permissive or complain mode is for working out a policy in development, not for shipping. When something breaks, fix the policy (audit2allow, aa-logprof) rather than turning enforcement off.
Tighten sysctl: disable IP forwarding unless the host routes or runs containers, enable rp_filter, refuse to accept or send ICMP redirects and source-routed packets, log martians, enable SYN cookies, and restrict kernel pointer and dmesg exposure. Set both the conf.all and conf.default variants of each network key: all covers interfaces that exist now, default is inherited by interfaces created later. Use the CIS benchmark for your distribution (or the Distribution Independent Linux Benchmark) as the source of values; it is comprehensive, well-maintained, and states the rationale for each setting.
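The drop-in below is an added example, not from the article, with the values the paragraph describes, plus a drift check that reads the live /proc/sys and reports every key that differs from the file or is missing from the running kernel. The file name is an assumption, and the fake /proc/sys tree at the bottom exists only so the check can be exercised without root.

```shell
#!/usr/bin/env bash
# Added example, not from the article: a CIS-aligned sysctl drop-in and a
# drift check that compares each desired value with what the kernel is
# actually running. File names are assumptions; the fake /proc/sys tree at
# the bottom is demo scaffolding so this runs without root.
set -eu

write_hardening_sysctl() {
  cat > "$1" <<'EOF'
# /etc/sysctl.d/60-hardening.conf (assumed name)
# Loaded at boot by systemd-sysctl; apply now with: sysctl --system
# conf.all changes interfaces that exist now, conf.default is inherited by
# interfaces created later (container veths, VPN tunnels), so set both.
# Set ip_forward = 1 on container hosts and routers.
net.ipv4.ip_forward = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.all.secure_redirects = 0
net.ipv4.conf.default.secure_redirects = 0
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.default.log_martians = 1
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.icmp_ignore_bogus_error_responses = 1
net.ipv4.tcp_syncookies = 1
net.ipv6.conf.all.accept_redirects = 0
net.ipv6.conf.default.accept_redirects = 0
# accept_ra = 0 disables SLAAC; leave it at 1 on networks that depend on router advertisements
net.ipv6.conf.all.accept_ra = 0
net.ipv6.conf.default.accept_ra = 0
kernel.randomize_va_space = 2
kernel.kptr_restrict = 2
kernel.dmesg_restrict = 1
kernel.yama.ptrace_scope = 1
fs.protected_symlinks = 1
fs.protected_hardlinks = 1
fs.suid_dumpable = 0
EOF
}

# Compare the drop-in with the live kernel (or any directory laid out like
# /proc/sys). Prints one line per difference; empty output means no drift.
sysctl_drift() {
  desired="$1"; root="${2:-/proc/sys}"
  while IFS='=' read -r key want; do
    key="$(printf '%s' "$key" | tr -d '[:space:]')"
    want="$(printf '%s' "$want" | tr -d '[:space:]')"
    case "$key" in ''|\#*|\;*) continue ;; esac
    path="$root/$(printf '%s' "$key" | tr '.' '/')"
    if [ ! -r "$path" ]; then
      printf '%s: not readable under %s\n' "$key" "$root"
      continue
    fi
    have="$(tr -d '[:space:]' < "$path")"
    if [ "$have" != "$want" ]; then
      printf '%s: want %s, have %s\n' "$key" "$want" "$have"
    fi
  done < "$desired"
}

# Demo scaffolding only: render the drop-in as a fake /proc/sys tree.
fake_procsys() {
  while IFS='=' read -r key want; do
    key="$(printf '%s' "$key" | tr -d '[:space:]')"
    case "$key" in ''|\#*) continue ;; esac
    f="$2/$(printf '%s' "$key" | tr '.' '/')"
    mkdir -p "$(dirname "$f")"
    printf '%s\n' "$want" | tr -d ' ' > "$f"
  done < "$1"
}

scratch="$(mktemp -d)"
write_hardening_sysctl "$scratch/60-hardening.conf"
fake_procsys "$scratch/60-hardening.conf" "$scratch/sys"
echo 1 > "$scratch/sys/net/ipv4/ip_forward"   # simulate a host switched to forwarding
rm "$scratch/sys/kernel/yama/ptrace_scope"     # simulate a kernel built without Yama
sysctl_drift "$scratch/60-hardening.conf" "$scratch/sys"
```

Run sysctl_drift with no second argument on a real host to compare against /proc/sys. A key reported as not readable usually means the kernel was built without that feature (Yama is the common one), which is worth knowing before you ship a file that sysctl --system will complain about at every boot.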
Network and firewall
Default deny on inbound; allow only the ports a workload requires. nftables is the current standard; firewalld and ufw are sensible front-ends and end up programming nftables on current releases. Document every allow rule with its owner and justification, ideally in the rule comment itself so the reason travels with the ruleset and shows up in nft list ruleset.
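An added example, not from the article: a generator that turns a reviewed allow-list (protocol, port, owner, justification) into a default-deny nftables ruleset where every accept rule carries its owner and justification as an nft comment. The allow-list format and the sample entries are constructed.

```shell
#!/usr/bin/env bash
# Added example, not from the article: generate a default-deny nftables
# ruleset from an allow-list in which every rule carries its owner and
# justification, so the documentation lives in the ruleset itself.
# The allow-list format and the sample entries are constructed.
set -eu

# Allow-list line format: "<tcp|udp> <port> <owner> <justification...>"
# Lines starting with # and blank lines are ignored. Justifications must
# not contain double quotes (they are emitted inside an nft comment string).
nft_ruleset() {
  cat <<'EOF'
#!/usr/sbin/nft -f
flush ruleset
table inet filter {
  chain input {
    type filter hook input priority filter; policy drop;
    ct state established,related accept
    ct state invalid drop
    iif lo accept
    # ICMP is needed for PMTU discovery; ICMPv6 also carries neighbour discovery
    ip protocol icmp accept
    meta l4proto ipv6-icmp accept
EOF
  while read -r proto port owner why; do
    case "$proto" in ''|\#*) continue ;; esac
    case "$proto" in
      tcp|udp) ;;
      *) printf 'allow-list: unsupported protocol "%s"\n' "$proto" >&2; return 1 ;;
    esac
    printf '    %s dport %s ct state new accept comment "%s: %s"\n' "$proto" "$port" "$owner" "$why"
  done < "$1"
  cat <<'EOF'
  }
  chain forward {
    type filter hook forward priority filter; policy drop;
  }
  chain output {
    type filter hook output priority filter; policy accept;
  }
}
EOF
}

# Constructed allow-list for the demo; in practice this file is the reviewed
# artefact and the ruleset is regenerated from it on every image build.
scratch="$(mktemp -d)"
cat > "$scratch/allow.list" <<'EOF'
# proto port owner justification
tcp 22 platform-team SSH, source-restricted to the bastion by the cloud security group
tcp 443 web-team public HTTPS for the storefront
udp 51820 platform-team WireGuard mesh to the monitoring VPC
EOF
nft_ruleset "$scratch/allow.list" > "$scratch/ruleset.nft"
cat "$scratch/ruleset.nft"
# Load safely: "nft -c -f ruleset.nft" checks syntax without applying it;
# "nft -f ruleset.nft" applies it; install as /etc/nftables.conf and enable
# the nftables service so it is restored at boot.
```

The generator refuses unknown protocols rather than silently emitting a rule nft would reject at load time, which matters when the ruleset is applied by an image build rather than a human watching the terminal.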
If the server lives in a cloud, use the cloud-native security groups for the perimeter and host-level firewall for defense in depth. Never rely on a single layer.
Patching and minimal exposure
Enable unattended security upgrades (unattended-upgrades on Debian and Ubuntu, dnf-automatic on RHEL-family) and reboot on a controlled, staggered schedule so a whole tier does not restart at once. A long uptime is not a badge of honor in 2026; it means the running kernel predates every kernel fix released since the last reboot. Where a reboot window is genuinely hard to get, kernel livepatching (kpatch, Canonical Livepatch) buys time, but it is not a substitute for eventually booting the patched kernel.
Use a configuration management tool to pin package versions for non-security upgrades and promote them through staging deliberately. Drift between staging and production is a common cause of post-patch outages: the combination that was tested is not the combination that shipped.
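The two configuration files below are an added example, not from the article, showing the security-only automatic upgrade with a scheduled reboot for both package managers named above. The drop-in file names and the 03:30 reboot time are assumptions; stagger the time across a fleet.

```shell
#!/usr/bin/env bash
# Added example, not from the article: the configuration that turns on
# automatic security-only upgrades with a scheduled reboot, for apt-based
# (unattended-upgrades) and dnf-based (dnf-automatic) hosts. File names in
# the comments are conventional locations; the reboot time is an assumption.
set -eu

# Debian/Ubuntu. The distribution's own 50unattended-upgrades already lists
# the security origins, so this drop-in only sets schedule and reboot policy.
write_apt_unattended() {
  cat > "$1/20auto-upgrades" <<'EOF'
// /etc/apt/apt.conf.d/20auto-upgrades
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Unattended-Upgrade "1";
APT::Periodic::AutocleanInterval "7";
EOF
  cat > "$1/52unattended-upgrades-local" <<'EOF'
// /etc/apt/apt.conf.d/52unattended-upgrades-local (assumed name)
Unattended-Upgrade::Automatic-Reboot "true";
Unattended-Upgrade::Automatic-Reboot-Time "03:30";
Unattended-Upgrade::Remove-Unused-Kernel-Packages "true";
Unattended-Upgrade::Remove-Unused-Dependencies "true";
Unattended-Upgrade::SyslogEnable "true";
EOF
}

# RHEL-family. Enable with: systemctl enable --now dnf-automatic.timer
# The reboot option needs a reasonably recent dnf-automatic; on older
# releases schedule the reboot separately, gated on "needs-restarting -r".
write_dnf_automatic() {
  cat > "$1" <<'EOF'
# /etc/dnf/automatic.conf
[commands]
upgrade_type = security
download_updates = yes
apply_updates = yes
reboot = when-needed

[emitters]
emit_via = stdio
EOF
}

scratch="$(mktemp -d)"
write_apt_unattended "$scratch"
write_dnf_automatic "$scratch/automatic.conf"
cat "$scratch/20auto-upgrades" "$scratch/52unattended-upgrades-local" "$scratch/automatic.conf"
```

Automatic-Reboot-Time is local time on the host, so hosts in different regions reboot at different wall-clock moments unless their clocks are all UTC; set the zone deliberately in the image rather than inheriting it.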
Logging and audit
Ship system logs to a central destination (systemd-journal-upload or journal-remote, rsyslog over TLS, or a vendor agent) as close to real time as you can, with a disk-backed queue so an outage of the collector does not lose events. Local logs are the first thing an attacker erases or truncates; the copy that left the box before that happened is the one that matters.
Enable auditd for the actions that matter: privileged command execution (every setuid and setgid binary), changes under /etc, mount operations, and writes to the audit configuration and log directory themselves. Tune the rules; a noisy auditd is an ignored auditd. Finish the ruleset with -e 2 so it cannot be altered without a reboot, and forward audit logs to the same central destination as syslog.
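As an added example covering both paragraphs above (not from the article): an rsyslog forward over TLS with a disk-assisted queue, and an auditd ruleset generated from the host's inventory of setuid and setgid binaries so every privileged command is covered without hand-maintaining the list. The collector hostname, certificate paths and the sample inventory are constructed.

```shell
#!/usr/bin/env bash
# Added example, not from the article: (1) an rsyslog forward over TLS with
# a disk-assisted queue, and (2) an auditd ruleset generated from the host's
# inventory of setuid/setgid binaries so every privileged command is audited.
# Hostnames, certificate paths and the sample inventory are constructed.
set -eu

# Needs the gtls netstream driver (package rsyslog-gnutls). Queue files are
# spooled under the work directory set in the main rsyslog configuration.
write_rsyslog_forward() {
  cat > "$1" <<'EOF'
# /etc/rsyslog.d/90-forward.conf (assumed name)
# Verify the collector by certificate; the cert/key lines are only needed
# when the collector requires client authentication (mutual TLS).
global(
  DefaultNetstreamDriver="gtls"
  DefaultNetstreamDriverCAFile="/etc/rsyslog.d/tls/loghost-ca.pem"
  DefaultNetstreamDriverCertFile="/etc/rsyslog.d/tls/this-host.pem"
  DefaultNetstreamDriverKeyFile="/etc/rsyslog.d/tls/this-host.key"
)
# Forward everything. The disk-assisted queue holds events while the
# collector is unreachable and survives a shutdown; resumeRetryCount=-1
# retries forever instead of discarding.
action(
  type="omfwd"
  target="loghost.example.internal" port="6514" protocol="tcp"
  StreamDriver="gtls" StreamDriverMode="1"
  StreamDriverAuthMode="x509/name"
  StreamDriverPermittedPeers="loghost.example.internal"
  queue.type="LinkedList" queue.filename="fwd_loghost"
  queue.maxDiskSpace="1g" queue.saveOnShutdown="on"
  action.resumeRetryCount="-1"
)
EOF
}

# Inventory of privileged binaries; run as root on the image being hardened.
setuid_inventory() {
  find / -xdev \( -perm -4000 -o -perm -2000 \) -type f 2>/dev/null | sort
}

# $1: output rules file; $2: inventory file, one path per line.
write_audit_rules() {
  {
    cat <<'EOF'
## /etc/audit/rules.d/50-hardening.rules (assumed name); compiled into
## audit.rules by "augenrules --load". Check the result with "auditctl -l".
-D
-b 8192
-f 1
## Privileged command execution: one rule per setuid/setgid binary, for real
## (non-daemon) users only. Regenerate after package changes.
EOF
    while read -r bin; do
      case "$bin" in ''|\#*) continue ;; esac
      printf '%s\n' "-a always,exit -F path=$bin -F perm=x -F auid>=1000 -F auid!=unset -k privileged"
    done < "$2"
    cat <<'EOF'
## Configuration and identity changes (a directory watch is recursive)
-w /etc/ -p wa -k etc_config
## Mount operations
-a always,exit -F arch=b64 -S mount,umount2 -F auid>=1000 -F auid!=unset -k mounts
-a always,exit -F arch=b32 -S mount,umount,umount2 -F auid>=1000 -F auid!=unset -k mounts
## Tampering with the audit trail or its configuration
-w /var/log/audit/ -p wa -k audit_log
-w /etc/audit/ -p wa -k audit_config
## Lock the rules until reboot; must be the last line
-e 2
EOF
  } > "$1"
}

scratch="$(mktemp -d)"
write_rsyslog_forward "$scratch/90-forward.conf"
# Constructed inventory standing in for setuid_inventory output
printf '/usr/bin/sudo\n/usr/bin/passwd\n/usr/bin/mount\n/usr/bin/su\n' > "$scratch/setuid.list"
write_audit_rules "$scratch/50-hardening.rules" "$scratch/setuid.list"
cat "$scratch/50-hardening.rules"
```

Because -e 2 makes the loaded rules immutable, a mistake in the generated file costs a reboot to fix; run augenrules --check and load the rules on a test instance before baking them into the image.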
Test it
Run Lynis or OpenSCAP against the image and remediate findings. Add the scan to CI with an explicit pass condition (no warnings, or a minimum hardening score that only ever goes up) so regressions fail the build before deployment. The exact tool matters less than the discipline of running it on every image.
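An added example, not from the article, of the CI gate described above: Lynis writes key=value lines to its report file (hardening_index=, warning[]=, suggestion[]=), and this function fails the build on any warning or on a hardening index below an agreed floor. The report contents shown are constructed, and the threshold is an assumption.

```shell
#!/usr/bin/env bash
# Added example, not from the article: a CI gate over a Lynis report. Lynis
# writes machine-readable key=value lines (hardening_index=NN, warning[]=...,
# suggestion[]=...) to its report file; the gate fails the build on any
# warning or on a hardening index below the agreed floor. The sample report
# below is constructed; the threshold is an assumption.
set -eu

# $1: path to lynis-report.dat; $2: minimum acceptable hardening index.
# Returns 0 when the image passes, 1 otherwise, printing the reasons.
lynis_gate() {
  report="$1"; min_index="${2:-70}"; rc=0
  warnings="$(grep '^warning\[\]=' "$report" | cut -d= -f2- || true)"
  index="$(grep '^hardening_index=' "$report" | tail -n 1 | cut -d= -f2 || true)"
  index="${index:-0}"
  if [ -n "$warnings" ]; then
    printf 'lynis gate: warnings present\n%s\n' "$warnings"; rc=1
  fi
  if [ "$index" -lt "$min_index" ]; then
    printf 'lynis gate: hardening index %s is below the floor of %s\n' "$index" "$min_index"; rc=1
  fi
  return "$rc"
}

# In CI, run inside a container or VM booted from the candidate image:
#   lynis audit system --cronjob --report-file "$WORKDIR/lynis-report.dat"
#   lynis_gate "$WORKDIR/lynis-report.dat" 75
# Raise the floor as findings are fixed, so the gate only ever tightens.

scratch="$(mktemp -d)"
# Constructed report: one open warning and a middling score
cat > "$scratch/candidate.dat" <<'EOF'
hardening_index=72
warning[]=SSH-7408|Consider hardening SSH configuration|PermitRootLogin (set YES to NO)|-|
suggestion[]=BOOT-5264|Consider hardening system services|Run systemd-analyze security|-|
EOF
if lynis_gate "$scratch/candidate.dat" 70; then echo "candidate passed"; else echo "candidate rejected"; fi
```

Suggestions are deliberately not gated: they are the backlog, and gating on them on day one guarantees the gate gets disabled. Warnings and a falling score are the regressions the paragraph is about.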
Reader questions, answered
Is fail2ban still useful?
Marginally. Disabling password authentication does more good than any fail2ban configuration; once keys are required, brute-force attempts are log noise rather than risk. If you must use it, scope it tightly (specific jails, bounded ban times, and an ignore list covering your bastion) so it cannot lock out your own operators.
Do I need a host IDS?
For high-value or regulated systems, yes. Wazuh (agent-based HIDS with file integrity monitoring and log analysis) and Falco (kernel-event runtime detection, well suited to container hosts) are credible open-source options and cover different ground.

Raza Ahmad is a technology author and IT infrastructure specialist based in Melbourne, Australia. He writes practitioner-grade guides on cloud computing (Azure and AWS), cybersecurity, enterprise networking with Cisco platforms, Linux administration, DevOps, and virtualization. His work focuses on translating complex infrastructure topics into clear, accurate guidance that engineers, system administrators, and IT decision makers can put to work in production environments. Every article published under his byline is fact-checked against current vendor documentation, official standards, and Raza's own hands-on experience operating the technologies he covers.