New Server Hardening
Essential security steps for a freshly provisioned server.
Quick Checklist
- Update system packages
- Create admin user
- Configure SSH
- Set up firewall
- Enable automatic updates
- Configure fail2ban
Step 1: Update System
# Debian/Ubuntu
apt update && apt upgrade -y
# RHEL/CentOS
dnf update -y

Step 2: Create Admin User
# Create user
useradd -m -s /bin/bash admin
passwd admin
# Add to sudo group
usermod -aG sudo admin # Debian/Ubuntu
usermod -aG wheel admin # RHEL/CentOS
# Verify sudo works
su - admin
sudo whoami # Should output: root

Step 3: Configure SSH Keys
# On your LOCAL machine
ssh-keygen -t ed25519 -C "admin@server"
ssh-copy-id -i ~/.ssh/id_ed25519.pub admin@server
# Test key login
ssh admin@server
# On the SERVER - disable password auth
sudo nano /etc/ssh/sshd_config

SSH Configuration
# /etc/ssh/sshd_config
# Consider changing the port
Port 22
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
MaxAuthTries 3
AllowUsers admin
# Restart SSH (keep your current session open until a new key-based login succeeds)
sudo systemctl restart sshd

Step 4: Configure Firewall
# UFW (Ubuntu/Debian)
sudo ufw default deny incoming
sudo ufw default allow outgoing
sudo ufw allow ssh
sudo ufw enable
sudo ufw status
# firewalld (RHEL/CentOS)
sudo firewall-cmd --permanent --add-service=ssh
sudo firewall-cmd --reload

Step 5: Automatic Security Updates
# Ubuntu/Debian
sudo apt install unattended-upgrades
sudo dpkg-reconfigure unattended-upgrades
# RHEL/CentOS
sudo dnf install dnf-automatic
sudo systemctl enable --now dnf-automatic.timer

Step 6: Install fail2ban
# Install
sudo apt install fail2ban # Debian/Ubuntu
sudo dnf install fail2ban # RHEL
# Configure
sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
sudo nano /etc/fail2ban/jail.local

fail2ban Configuration
[sshd]
enabled = true
port = ssh
filter = sshd
# Debian/Ubuntu path; RHEL/CentOS writes auth events to /var/log/secure
logpath = /var/log/auth.log
maxretry = 3
bantime = 3600

# Start fail2ban
sudo systemctl enable fail2ban
sudo systemctl start fail2ban

Step 7: Set Timezone & NTP
# Set timezone
sudo timedatectl set-timezone America/New_York
# Enable NTP
sudo timedatectl set-ntp on

Verification
# Check firewall
sudo ufw status
# Check SSH config
sudo sshd -t
# Check fail2ban
sudo fail2ban-client status
# Check updates
sudo apt list --upgradable

Post-Setup
| Task | Command |
|---|---|
| Check open ports | ss -tuln |
| View auth logs | tail /var/log/auth.log |
| Check failed logins | lastb |
| View firewall rules | sudo ufw status |
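
The `sshd -t` check in Verification only validates syntax; sshd uses the first value it reads for each keyword, so a drop-in under /etc/ssh/sshd_config.d/ that is included ahead of your edits can silently override the SSH Configuration values above. The script below is an added example (not part of the original page) that compares the effective settings printed by `sshd -T` with those values. The names `audit_sshd`, `EXPECTED` and `SAMPLE` are made up for this example, and the sample input is constructed.

```shell
#!/usr/bin/env bash
# Added example: compare effective sshd settings with the values set on this page.
# Feed it the output of `sshd -T` (lowercase "keyword value" lines) on stdin.

# Expected values, copied from the SSH Configuration section.
EXPECTED='permitrootlogin no
passwordauthentication no
pubkeyauthentication yes
maxauthtries 3
allowusers admin'

# Constructed sample: password auth re-enabled by a drop-in, AllowUsers never applied.
SAMPLE='port 22
permitrootlogin no
passwordauthentication yes
pubkeyauthentication yes
maxauthtries 3'

# audit_sshd: print one line per deviation; exit status is the deviation count.
audit_sshd() {
    local effective key want got fails=0
    effective=$(cat)
    while read -r key want; do
        # Join repeated keywords (sshd -T prints one allowusers line per user).
        got=$(printf '%s\n' "$effective" | awk -v k="$key" \
            '$1 == k { sub(/^[^ ]+ /, ""); out = (out == "" ? $0 : out " " $0) }
             END { print out }')
        if [ -z "$got" ]; then
            echo "MISSING $key: expected '$want'"
            fails=$((fails + 1))
        elif [ "$got" != "$want" ]; then
            echo "FAIL $key: got '$got', expected '$want'"
            fails=$((fails + 1))
        fi
    done <<EOF
$EXPECTED
EOF
    return "$fails"
}

# Demo on the constructed sample; on a server run: sudo sshd -T | audit_sshd
printf '%s\n' "$SAMPLE" | audit_sshd || echo "deviations: $?"
```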