5-Minute Server Security Hardening Checklist

You just deployed a new server. Before it goes live, run through this quick hardening checklist. These are the highest-impact security measures you can implement in under 5 minutes.

1. Update Everything (30 seconds)

# Debian/Ubuntu
sudo apt update && sudo apt upgrade -y

# RHEL/Rocky/Alma
sudo dnf update -y

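This single command installs every fix your distribution has published for the packages on the system. Do this first, always, and reboot afterwards if the kernel was updated so the patched version is the one actually running.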

2. Enable Automatic Security Updates (30 seconds)

# Ubuntu/Debian
sudo apt install unattended-upgrades -y
sudo dpkg-reconfigure -plow unattended-upgrades

# RHEL/Rocky
sudo dnf install dnf-automatic -y
sudo systemctl enable --now dnf-automatic-install.timer

3. Secure SSH (60 seconds)

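Edit /etc/ssh/sshd_config and ensure these settings are present. sshd uses the first value it reads for each keyword, so also check any files pulled in by an Include line (such as /etc/ssh/sshd_config.d/*.conf) for earlier, conflicting entries: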

# Disable root login
PermitRootLogin no

# Disable password authentication (use keys only)
PasswordAuthentication no

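# Use SSH protocol 2 only (needed only on OpenSSH older than 7.4;
# newer releases speak protocol 2 exclusively and treat this option as deprecated)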
Protocol 2

# Limit authentication attempts
MaxAuthTries 3

# Drop unresponsive sessions: probe every 300 s, disconnect after 2 unanswered probes
ClientAliveInterval 300
ClientAliveCountMax 2

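Then restart SSH (the unit is named ssh on Debian/Ubuntu), keeping your current session open until you have confirmed from a second terminal that key-based login works: sudo systemctl restart sshd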
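
One way to check the result before restarting sshd, as an added example that is not part of the original post: the function below audits sshd -T style output against the values from step 3. The function name audit_sshd and both sample inputs are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit effective sshd settings against the values in step 3.
# Reads `sshd -T`-style lines ("keyword value") on stdin, prints one FAIL line
# per deviation, and returns 0 only when every check passes.
audit_sshd() {
    awk '
        function want_eq(k, w) {
            if (!(k in val))      { printf "FAIL %s: not reported\n", k; bad++ }
            else if (val[k] != w) { printf "FAIL %s: got %s, want %s\n", k, val[k], w; bad++ }
        }
        # Numeric limits must be enabled (>= 1) and no looser than the checklist.
        function want_max(k, max) {
            if (!(k in val)) { printf "FAIL %s: not reported\n", k; bad++ }
            else if (val[k] !~ /^[0-9]+$/ || val[k] + 0 < 1 || val[k] + 0 > max) {
                printf "FAIL %s: got %s, want 1..%d\n", k, val[k], max; bad++
            }
        }
        # sshd uses the first value it reads for a keyword; do the same here.
        NF >= 2 { key = tolower($1); if (!(key in val)) val[key] = tolower($2) }
        END {
            want_eq("permitrootlogin", "no")
            want_eq("passwordauthentication", "no")
            want_max("maxauthtries", 3)
            want_max("clientaliveinterval", 300)
            want_max("clientalivecountmax", 2)
            exit (bad > 0)
        }
    '
}

# Constructed sample: values a stock install might report.
SAMPLE_DEFAULT='permitrootlogin prohibit-password
passwordauthentication yes
maxauthtries 6
clientaliveinterval 0
clientalivecountmax 3'

# Constructed sample: after applying the settings from step 3.
SAMPLE_HARDENED='permitrootlogin no
passwordauthentication no
maxauthtries 3
clientaliveinterval 300
clientalivecountmax 2'

printf '%s\n' "$SAMPLE_DEFAULT" | audit_sshd || echo "default sample: needs fixing"
printf '%s\n' "$SAMPLE_HARDENED" | audit_sshd && echo "hardened sample: OK"
```

On a live host, feed it the effective configuration with sudo sshd -T | audit_sshd; sshd -T also refuses to print anything if the file has a syntax error. Match blocks are evaluated only when sshd -T is given a connection spec with -C.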

4. Configure the Firewall (60 seconds)

# UFW (Ubuntu/Debian)
sudo ufw default deny incoming
sudo ufw default allow outgoing
sudo ufw allow ssh
sudo ufw allow http
sudo ufw allow https
sudo ufw enable

# firewalld (RHEL/Rocky)
# Open the services in the drop zone first, then make drop the default zone,
# so interfaces that follow the default zone keep SSH reachable.
sudo firewall-cmd --permanent --zone=drop --add-service=ssh
sudo firewall-cmd --permanent --zone=drop --add-service=http
sudo firewall-cmd --permanent --zone=drop --add-service=https
sudo firewall-cmd --reload
sudo firewall-cmd --set-default-zone=drop

5. Remove Unnecessary Packages (30 seconds)

Every installed package is potential attack surface. Remove what you don't need:

# Common unnecessary packages on servers
sudo apt remove telnet ftp rsh-client -y  # Debian/Ubuntu
sudo dnf remove telnet ftp rsh -y          # RHEL/Rocky

# See what's listening
sudo ss -tulnp

6. Set Up Fail2ban (60 seconds)

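sudo apt install fail2ban -y  # or: sudo dnf install fail2ban -y (needs the EPEL repository on RHEL/Rocky)
sudo systemctl enable --now fail2ban

The Debian/Ubuntu package enables the sshd jail by default; on other distributions, enable it in /etc/fail2ban/jail.local. For web servers, add jails for nginx/apache.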

7. Enable CVE Monitoring (30 seconds)

Your server is secure now, but new CVEs are published daily. Set up continuous monitoring so you know the moment a vulnerability affects your packages.

Download the FixTheCVE scanner to automatically detect unpatched vulnerabilities on your systems.

Bonus: Quick Audit Commands

# Check for users with empty passwords
sudo awk -F: '($2 == "") {print $1}' /etc/shadow

# Find world-writable files
sudo find / -type f -perm -0002 -not -path "/proc/*" 2>/dev/null

# List SUID binaries and review the output for anything unexpected
sudo find / -type f -perm -4000 2>/dev/null

# View failed login attempts
sudo lastb | head -20

# Check listening services
sudo ss -tulnp

This checklist covers the basics. For a more comprehensive hardening guide, check CIS Benchmarks for your specific distribution. The key takeaway: a few minutes of hardening prevents hours of incident response.
