How-To-Secure-A-Linux-Server
Tutorial: imthenachoman/How-To-Secure-A-Linux-Server
An evolving how-to guide for securing a Linux server.
Overview
This guide provides step-by-step instructions for hardening a Linux server. It covers SSH security, firewall setup, intrusion detection, and more. The content is contributed by the community and evolves over time.
README Preview
# How To Secure A Linux Server

An evolving how-to guide for securing a Linux server that, hopefully, also teaches you a little about security and why it matters.

## Table of Contents

- [Introduction](#introduction)
  - [Guide Objective](#guide-objective)
  - [Why Secure Your Server](#why-secure-your-server)
  - [Why Yet Another Guide](#why-yet-another-guide)
  - [Other Guides](#other-guides)
  - [To Do / To Add](#to-do--to-add)
- [Guide Overview](#guide-overview)
  - [About This Guide](#about-this-guide)
  - [My Use-Case](#my-use-case)
  - [Editing Configuration Files - For The Lazy](#editing-configuration-files---for-the-lazy)
  - [Contributing](#contributing)
- [Before You Start](#before-you-start)
  - [Identify Your Principles](#identify-your-principles)
  - [Picking A Linux Distribution](#picking-a-linux-distribution)
  - [Installing Linux](#installing-linux)
  - [Pre/Post Installation Requirements](#prepost-installation-requirements)
  - [Other Important Notes](#other-important-notes)
  - [Using Ansible Playbooks to secure your Linux Server](#using-ansible-playbooks-to-secure-your-linux-server)
- [The SSH Server](#the-ssh-server)
  - [Important Note Before You Make SSH Changes](#important-note-before-you-make-ssh-changes)
  - [SSH Public/Private Keys](#ssh-publicprivate-keys)
  - [Create SSH Group For AllowGroups](#create-ssh-group-for-allowgroups)
  - [Secure `/etc/ssh/sshd_config`](#secure-etcsshsshd_config)
  - [Remove Short Diffie-Hellman Keys](#remove-short-diffie-hellman-keys)
  - [2FA/MFA for SSH](#2famfa-for-ssh)
- [The Basics](#the-basics)
  - [Limit Who Can Use sudo](#limit-who-can-use-sudo)
  - [Limit Who Can Use su](#limit-who-can-use-su)
  - [Run applications in a sandbox with FireJail](#run-applications-in-a-sandbox-with-firejail)
  - [NTP Client](#ntp-client)
  - [Securing /proc](#securing-proc)
  - [Force Accounts To Use Secure Passwords](#force-accounts-to-use-secure-passwords)
  - [Autom
FAQ (4)
Configuration: Should I enable 'HashKnownHosts yes' in my SSH client configuration?
Yes, setting 'HashKnownHosts yes' in /etc/ssh/ssh_config or ~/.ssh/config hashes host names and addresses in the known_hosts file. This prevents plaintext leakage of server identities if the file is compromised, mitigating SSH worm attacks and casual snooping. Add the line 'HashKnownHosts yes' to the relevant config file, then restart SSH connections.
Troubleshooting: How to prevent SSH disconnections when using a mobile internet connection (LTE)?
Disable TCPKeepAlive (its TCP-level probes are unencrypted and can be spoofed) and use ClientAliveInterval together with ClientAliveCountMax instead. For LTE networks with NAT timeouts as low as 25 seconds, set ClientAliveInterval 25 and ClientAliveCountMax 3 in /etc/ssh/sshd_config. Restart SSH: sudo systemctl restart sshd. This sends an encrypted keep-alive every 25 seconds and tolerates up to 3 missed responses before disconnecting.
Troubleshooting: How to fix predictable SSH keys on headless Linux servers due to low entropy?
Install rng-tools to add entropy sources. On Debian/Ubuntu: sudo apt-get install rng-tools. For hardware entropy, consider Infinite Noise TRNG. For more details, see https://hackaday.com/2017/11/02/what-is-entropy-and-how-do-i-get-more-of-it/ and https://www.2uo.de/myths-about-urandom.
Troubleshooting: How can changing the SSH default port reduce brute-force attack attempts?
Change the SSH port from 22 to a random high port (e.g., 6222) in /etc/ssh/sshd_config (Port 6222), then allow it through UFW: sudo ufw allow 6222/tcp. Restart SSH: sudo systemctl restart sshd. This drops automated brute-force attempts from hundreds to a few per minute. For complete elimination, combine with disabling password authentication (PasswordAuthentication no) and using SSH keys. Port knocking (e.g., knockd) hides the port entirely.
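The two answers above (keep-alive tuning and changing the port) both come down to editing directives in /etc/ssh/sshd_config and restarting sshd. The script below is an added example, not code from the How-To-Secure-A-Linux-Server guide: it shows how to make those edits idempotently from a script (replacing a commented-out default such as `#Port 22`, dropping stale duplicates, and keeping a new global directive above any `Match` block so it does not silently apply to one Match group only), reads back the effective value, computes the resulting idle timeout, and runs the daemon's own `sshd -t -f FILE` syntax check when sshd is installed. The helper names, the temporary file and the sample config are constructed for the demo; on a real server point it at /etc/ssh/sshd_config and keep a second session open while you test, as the guide advises.

```shell
#!/bin/sh
# Added example (not the guide's own code): idempotent sshd_config edits.

# set_sshd_option FILE KEY VALUE
# Writes "KEY VALUE" into the global section of FILE. The first existing copy
# of the directive (active or commented out) is replaced, later global copies
# are dropped, and a missing directive is inserted before the first Match block.
# Lines inside Match blocks are left untouched.
set_sshd_option() {
    file=$1; key=$2; value=$3
    tmp="$file.tmp.$$"
    awk -v key="$key" -v value="$value" '
        BEGIN { lkey = tolower(key); seen = 0; inmatch = 0 }
        {
            commented = ($0 ~ /^[ \t]*#/)
            l = $0
            sub(/^[ \t]*#?[ \t]*/, "", l)         # strip indentation and one "#"
            n = split(l, f, /[ \t]+/)
            word = (n > 0) ? tolower(f[1]) : ""
            if (!inmatch && !commented && word == "match") {
                if (!seen) { print key " " value; seen = 1 }
                inmatch = 1                       # global section ends here
            }
            if (!inmatch && word == lkey) {
                if (!seen) { print key " " value; seen = 1 }
                next                              # stale or duplicate copy: drop it
            }
            print
        }
        END { if (!seen) print key " " value }
    ' "$file" > "$tmp" && mv "$tmp" "$file"
}

# get_sshd_option FILE KEY: print the effective global value (empty if unset).
get_sshd_option() {
    awk -v lkey="$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')" '
        tolower($1) == "match" { exit }
        tolower($1) == lkey    { print $2; exit }
    ' "$1"
}

# Seconds a silent client survives before sshd drops it: interval * count.
# The FAQ values (25 s, 3 misses) give 75 s, sent over the encrypted channel
# rather than as forgeable TCP keep-alive probes.
client_alive_timeout() { echo $(( $1 * $2 )); }

# Ask the daemon to parse the file (sshd -t -f FILE); skipped where sshd is absent.
validate_sshd_config() {
    if command -v sshd >/dev/null 2>&1; then
        sshd -t -f "$1"
    else
        echo "sshd not found, skipping syntax check for $1" >&2
    fi
}

demo() {
    cfg=$(mktemp)
    # Constructed sample resembling a distro default, including a Match block.
    cat > "$cfg" <<'EOF'
# Constructed sample sshd_config (not a real server's file)
#Port 22
TCPKeepAlive yes
#ClientAliveInterval 0
PasswordAuthentication yes
Match User backup
    PasswordAuthentication no
EOF
    set_sshd_option "$cfg" Port 6222                  # FAQ: random high port
    set_sshd_option "$cfg" TCPKeepAlive no            # FAQ: spoofable probes off
    set_sshd_option "$cfg" ClientAliveInterval 25     # FAQ: encrypted keep-alive
    set_sshd_option "$cfg" ClientAliveCountMax 3
    set_sshd_option "$cfg" PasswordAuthentication no  # FAQ: keys only
    echo "--- resulting config ---"; cat "$cfg"
    echo "idle timeout: $(client_alive_timeout \
        "$(get_sshd_option "$cfg" ClientAliveInterval)" \
        "$(get_sshd_option "$cfg" ClientAliveCountMax)") s"
    validate_sshd_config "$cfg" || echo "syntax check failed" >&2
    rm -f "$cfg"
}
demo
```

After editing the real file, run `sshd -t` before `sudo systemctl restart sshd`; a typo that sshd refuses to parse would otherwise leave you with a daemon that fails to start and no new way in. Note that `sshd -t` also needs readable host keys, so run it as root on a live system.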