Introduction

Hardening Linux servers is a critical process to reduce vulnerabilities and ensure system integrity. Combined with periodic maintenance, it helps maintain performance and security in the long term. In this practical guide, we will cover best practices for hardening and maintenance, from initial configuration to task automation.

1. Initial Security Configuration

1.1. System Updates

Keeping the system updated is the first step. Use apt update && apt upgrade (Debian/Ubuntu) or yum update (RHEL/CentOS). Configure automatic security updates with unattended-upgrades.

1.2. User and Privilege Management

• Disable root SSH access: in /etc/ssh/sshd_config, set PermitRootLogin no.
• Create a user with sudo: adduser usuario && usermod -aG sudo usuario.
• Use SSH key authentication instead of passwords.

2. Firewall and Access Control

Configure ufw (Uncomplicated Firewall) or iptables. Example with UFW:

ufw default deny incoming
ufw default allow outgoing
ufw allow ssh
ufw enable

For more complex environments, consider fail2ban to protect against brute force attacks. As we saw in our article on code review with AI, automation is key; similarly, automating security with tools like ansible can save time.

3. Kernel and Service Hardening

3.1. Kernel Parameters

Edit /etc/sysctl.conf to disable IP forwarding, mitigate network attacks, etc.:

net.ipv4.ip_forward=0
net.ipv4.conf.all.accept_source_route=0
kernel.exec-shield=1

3.2. Unnecessary Services

Disable non-essential services with systemctl disable servicio. Check open ports with ss -tuln.

4. Periodic Maintenance

4.1. Log Rotation and Monitoring

Configure logrotate to prevent logs from filling the disk. Monitor with journalctl or tools like Nagios. In the category Automation and Observability you will find more resources.

4.2. Backups and Recovery

Automate backups with rsync or duplicity. Verify backup integrity periodically.

5. Automation with Scripts

Create a hardening script that executes all the above configurations. For example, a bash script that configures SSH, firewall, sysctl, etc. You can integrate it with configuration management tools like Ansible.

Conclusion

Hardening and maintenance of Linux servers is an ongoing process. Implement these practices from the start and review them periodically. For more guides, visit our category Guides and Tutorials.