Linux Server Hardening Checklist for 2026: Essential Security Steps

Linux server hardening is the foundation of robust cybersecurity infrastructure. In 2026, as threat actors evolve their techniques—particularly targeting Indian enterprises managing critical financial and regulatory data—hardening your Linux servers has shifted from optional best practice to mandatory security posture. This checklist covers SSH lockdown, firewall configuration, mandatory access controls (SELinux/AppArmor), intrusion prevention, user policies, kernel parameters, package management, and compliance with CIS baselines. By following these steps, enterprises across Bangalore, Mumbai, Delhi NCR, and Hyderabad can significantly reduce their attack surface and demonstrate compliance with NIS2, DORA, and emerging India-specific security frameworks.

1. SSH Hardening: Your First Line of Defense

SSH remains the primary attack vector for unauthorized server access. Attackers attempt thousands of brute-force login attempts daily against poorly configured SSH services. At TechTweek Infotech, our DevSecOps teams have observed a 340% increase in SSH enumeration attacks targeting Indian tech companies since 2024.

• Disable root login: Edit /etc/ssh/sshd_config and set PermitRootLogin no. Force privileged operations through sudo instead.
• Use SSH key-based authentication only: Set PasswordAuthentication no and PubkeyAuthentication yes. Store private keys securely (chmod 600).
• Change default SSH port: Modify Port 22 to a high-numbered port (e.g., 2248). Document this internally; obscurity provides minimal security but reduces noise.
• Limit SSH access by IP: Implement AllowUsers directive or use firewall rules (covered below) to restrict SSH access to known management IPs from your office networks in Pune, Noida, or AWS regions.
• Set connection timeouts: Add ClientAliveInterval 300 and ClientAliveCountMax 2 to disconnect idle sessions after 10 minutes.
• Disable weak ciphers: Configure Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com to enforce modern encryption.
• Enable SSH logging: Ensure SyslogFacility AUTH logs all connection attempts for audit trails.

2. Firewall Configuration: Control Traffic Flow

A properly configured firewall blocks unnecessary inbound traffic and prevents lateral movement. Most Indian enterprises operate multi-tier architectures (web, app, database tiers) requiring granular firewall rules.

• Enable and configure UFW (Ubuntu) or firewalld (RHEL/CentOS):

  sudo ufw enable
  sudo ufw default deny incoming
  sudo ufw default allow outgoing
  sudo ufw allow from 203.0.113.0/24 to any port 2248 comment 'SSH from office'
  sudo ufw allow 443/tcp comment 'HTTPS'
  sudo ufw allow 80/tcp comment 'HTTP'

• Implement network segmentation: Use separate firewall zones for DMZ (public-facing), application, and database tiers. TechTweek’s AWS Advanced Consulting Partner status enables us to architect security groups aligning with your infrastructure topology.
• Block unnecessary outbound connections: Restrict outbound traffic to required services only (DNS, NTP, package repos, monitoring endpoints).
• Log all dropped packets: Enable firewall logging to detect reconnaissance attempts: sudo ufw logging on.
• Regularly audit rules: Review monthly to remove obsolete rules. Document business justification for each open port.

3. Mandatory Access Controls: SELinux and AppArmor

Mandatory Access Controls (MAC) enforce security policies at the OS kernel level, restricting what processes can do even if user accounts are compromised. This is critical for regulated workloads in banking, fintech, and e-commerce sectors prevalent in tier-1 Indian cities.

• SELinux (RHEL/CentOS/Fedora) setup: Verify SELinux is enabled: getenforce (should show ‘Enforcing’). If set to ‘Disabled’, edit /etc/selinux/config, set SELINUX=enforcing, and reboot.
• Run SELinux in enforcing mode: Never disable SELinux in production; instead, create custom policies for non-standard applications using semanage tools or audit mode initially.
• AppArmor (Debian/Ubuntu): Ensure AppArmor daemon is active: sudo systemctl status apparmor. Create strict profiles for web servers, databases, and custom applications.
• Monitor MAC violations: Use ausearch for SELinux audits and check /var/log/audit/audit.log daily to identify policy gaps.
• Example AppArmor profile for Nginx: Confine Nginx to specific directories and capabilities, preventing attackers from modifying unauthorized files even if they exploit web vulnerabilities.

4. Intrusion Prevention & Fail2Ban Configuration

Fail2ban monitors logs and dynamically bans IPs after failed authentication attempts, dramatically reducing brute-force attack success rates. Combined with robust logging, it’s essential for defending against distributed attacks originating from compromised systems across India and globally.

• Install and enable fail2ban:

  sudo apt-get install fail2ban
  sudo systemctl enable fail2ban
  sudo systemctl start fail2ban

• Create custom jail for SSH: Copy /etc/fail2ban/jail.conf to jail.local and configure:

  [sshd]
  enabled = true
  port = ssh
  logpath = /var/log/auth.log
  maxretry = 3
  findtime = 600
  bantime = 3600

• Ban persistence: Enable recidive jail to ban repeat offenders for extended periods (e.g., 604800 seconds = 1 week).
• Whitelist trusted IPs: Add your office IPs (BSNL, Jio, Airtel corporate networks) and monitoring systems to the ignore list to prevent accidental lockout.
• Monitor fail2ban status: Regularly check sudo fail2ban-client status sshd to verify bans are active and legitimate traffic isn’t blocked.

5. User and Sudo Policy Enforcement

Weak user and privilege escalation policies enable post-exploitation lateral movement. Implement principle of least privilege across your infrastructure.

• Remove unnecessary system accounts: Disable unused service accounts (e.g., games, news, uucp) with usermod -s /usr/sbin/nologin.
• Enforce strong passwords: Configure PAM (Pluggable Authentication Modules) with libpam-pwquality:

  sudo apt-get install libpam-pwquality
  Edit /etc/security/pwquality.conf: minlen=14, dcredit=-1, ucredit=-1, ocredit=-1, lcredit=-1

• Implement password expiry: Set PASS_MAX_DAYS 90 in /etc/login.defs to force regular password rotations (critical for compliance with FCA and ICO standards relevant to UK/EU-facing operations).
• Audit sudo usage: Configure sudo logging in /etc/sudoers and monitor with grep sudo /var/log/auth.log.
• Use sudo group restrictions: Create application-specific sudo rules, e.g., allow ‘appuser’ to restart service X without password: appuser ALL=(root) NOPASSWD: /usr/bin/systemctl restart myapp.
• Disable sudo password caching: Add Defaults use_pty and Defaults log_input, log_output to /etc/sudoers.d/hardening for enhanced auditing.

6. Kernel Parameters & System Hardening

Kernel hardening reduces the effectiveness of exploit techniques like buffer overflows and privilege escalation.

• Enable ASLR (Address Space Layout Randomization): Add kernel.randomize_va_space = 2 to /etc/sysctl.conf.
• Disable magic SysRq key: Set kernel.sysrq = 0 to prevent unauthorized system access via SysRq combinations.
• Restrict kernel module loading: Set kernel.modules_disabled = 1 after boot to prevent dynamic module injection (requires reboot configuration).
• Enable core dump restrictions: Set kernel.core_uses_pid = 1 and configure core dump limits in /etc/security/limits.conf: * soft core 0.
• Harden network stack:

  kernel.net.ipv4.conf.all.send_redirects = 0
  kernel.net.ipv4.conf.all.accept_source_route = 0
  kernel.net.ipv4.icmp_echo_ignore_broadcasts = 1
  kernel.net.ipv4.tcp_syncookies = 1

• Apply changes permanently: Edit /etc/sysctl.conf and run sudo sysctl -p.

7. Package Management & System Updates

Outdated packages are the fastest path to compromise. Establish a rigorous patch management process aligned with your 24/7 follow-the-sun operations across India, UK, EU, and USA timezones.

• Enable automatic security updates:

  sudo apt-get install unattended-upgrades
  sudo dpkg-reconfigure -plow unattended-upgrades

• Schedule updates during maintenance windows: Configure /etc/apt/apt.conf.d/50unattended-upgrades to apply updates at non-peak hours (e.g., 02:00 IST for India-based servers).
• Maintain inventory of installed packages: Use apt list --installed or rpm -qa to audit. Remove unnecessary packages: sudo apt-get autoremove.
• Monitor CVE databases: Subscribe to vendor security advisories (Ubuntu, Red Hat, Debian) and prioritize critical vulnerabilities.
• Test updates in staging: Mirror production environments in development and validate updates before production rollout.
• Lock critical package versions: Use APT pinning to prevent accidental upgrades of critical services during security patches of less critical components.

8. Comprehensive Logging & Auditing

Effective logging is foundational to incident response, forensics, and regulatory compliance (NIS2, DORA, GDPR, FCA requirements).

• Configure syslog centralization: Forward all logs to a centralized logging server (rsyslog or ELK stack) with TLS encryption to prevent tampering.
• Enable auditd for system calls:

  sudo apt-get install auditd
  sudo auditctl -w /etc/sudoers -p wa -k sudoers_changes
  sudo auditctl -w /etc/passwd -p wa -k passwd_changes

• Monitor critical log files: Ensure read-only permissions on /var/log/auth.log, /var/log/audit/audit.log, and /var/log/syslog.
• Configure log rotation: Use logrotate with compression to manage disk space while maintaining 90+ days of historical logs for compliance audits.
• Alert on suspicious events: Integrate with SIEM tools (AWS CloudWatch, Splunk) to trigger real-time alerts on failed sudo attempts, privileged user additions, firewall rule changes, and SELinux violations.

9. CIS Benchmarks Compliance

The Center for Internet Security (CIS) Benchmarks provide prescriptive hardening standards. Compliance is often required for regulated industries (fintech, healthcare) and government contracts in India.

• Download CIS Benchmark for your OS: Visit cisecurity.org and download the Ubuntu 22.04 LTS or RHEL 8/9 benchmark relevant to your infrastructure.
• Use automated scanning tools: Deploy CIS-CAT Pro Assessor or open-source alternatives (Lynis, OpenSCAP) to scan compliance status: sudo lynis audit system --quick.
• Remediate gaps iteratively: Address ‘Scored’ requirements first (directly impact security), then ‘Not Scored’ recommendations (operational best practices).
• Document compliance status: Generate compliance reports quarterly for stakeholder reporting, particularly important for board audits and regulatory submissions in India.
• Schedule periodic re-assessments: Run CIS audits post-deployment, post-update, and at least quarterly to ensure drift doesn’t occur.

FAQ: Linux Server Hardening Questions

What’s the difference between SELinux and AppArmor?

SELinux (Security Enhanced Linux) uses Type Enforcement and runs on RHEL/CentOS/Fedora. AppArmor uses path-based restrictions and runs on Debian/Ubuntu. Both provide mandatory access controls at the kernel level. SELinux is typically more granular but steeper learning curve; AppArmor is simpler to configure but slightly less comprehensive. For most organizations, whichever is default on your OS distribution is sufficient if properly configured.

How often should I apply kernel security updates?

Critical kernel patches (privilege escalation, memory corruption) should be applied within 2 weeks of release. Use a staged rollout: first deploy to non-critical staging servers, test for 1 week, then push to production during maintenance windows. At TechTweek, our 24/7 follow-the-sun coverage ensures updates are applied seamlessly without business disruption across India, UK, and EU regions.

Can fail2ban prevent all brute-force attacks?

Fail2ban mitigates brute-force attacks by banning IPs after repeated failed attempts, but it’s not a complete solution. Distributed attacks (botnet-based) from hundreds of IPs can still overwhelm systems. Combine fail2ban with SSH key authentication (no passwords), IP whitelisting, and intrusion detection systems (IDS) like Snort or Suricata for defense-in-depth.

Is disabling SSH password authentication safe?

Yes, SSH key-based authentication is significantly more secure than password authentication. Keys are cryptographically strong and immune to brute-force attacks. Ensure private key files are protected (chmod 600), stored securely (encrypted, not on shared systems), and you have backup access methods (console, bastion host) before disabling passwords in production.

How do I audit compliance with CIS Benchmarks for GDPR/NIS2?

Use automated scanning tools (Lynis, CIS-CAT, OpenSCAP) to assess your baseline, then remediate non-compliant controls. Document all remediation steps and maintain evidence (screenshots, logs, configuration files) for 3+ years. For organizations serving EU customers, demonstrate DORA compliance by maintaining secure development and incident response processes alongside OS hardening. TechTweek Infotech specializes in AWS Advanced Consulting Partner-level compliance architecture tailored to NIS2 and DORA requirements.

Conclusion: Take Action Today

Linux server hardening is not a one-time activity but a continuous security posture improvement. The checklist above—SSH lockdown, firewalls, SELinux/AppArmor, fail2ban, user policies, kernel parameters, package hygiene, logging, and CIS compliance—addresses the vast majority of common attack vectors. In 2026, as threats evolve and regulatory frameworks tighten globally, hardened Linux infrastructure is non-negotiable. Organizations across Bangalore, Mumbai, Delhi NCR, and other Indian metros managing sensitive financial, healthcare, or personal data must implement these controls to maintain customer trust and regulatory standing.

If managing Linux hardening in-house strains your team’s capacity, consider Linux Server Management Services from TechTweek Infotech. As an AWS Advanced Consulting Partner with 24/7 follow-the-sun coverage spanning India, UK, EU, USA, and Australia, we provide cost-efficient, compliance-aligned server hardening, DevSecOps automation, and continuous monitoring—all delivered from our expert Indian teams. Let us handle the complexity while you focus on your core business.