Enterprise Linux

Linux Server Hardening Checklist for Enterprises

- by John Britto - Leave a Comment - ⏱ 12 min read
Linux Server Hardening Checklist for Enterprises






Linux Server Hardening Checklist


⚡ Quick Answer — 3 Critical Steps First

If you do nothing else today, do these 3 things

1

Harden SSH immediately. Disable root login, disable password authentication, use SSH keys only, and change the default port. This alone stops the majority of automated attacks scanning your server right now.

2

Enable a firewall and fail2ban. Allow only the ports your services actually need. Let fail2ban automatically ban IPs that repeatedly fail login attempts.

3

Apply all pending OS updates. Unpatched Linux servers are the single most common entry point for attackers. Patch now, then automate security updates going forward.

Table of Contents show

Why Linux Server Hardening Matters More Than Ever

A default Linux installation is not a secure Linux installation. The moment you spin up a fresh server, automated bots start scanning it — often within four minutes. Default settings, unnecessary open services, and unpatched packages give those bots plenty to work with.

In enterprise environments the stakes are even higher. One misconfigured server can become the entry point for a breach that takes down your entire infrastructure, exposes customer data, and triggers regulatory fines that make any IT budget look small.

78%
of Linux breaches involve misconfiguration, not zero-days
4 min
average time before a new server receives its first automated attack
$4.45M
average cost of a data breach (IBM Security 2023)

The encouraging reality is that most attacks exploit the exact same predictable weaknesses every time — default SSH configuration, unnecessary open ports, missing patches, and loose file permissions. Closing those gaps systematically is exactly what this guide is for.

Who This Guide Is For

Enterprise Linux admins, DevSecOps engineers, security teams preparing for CIS, SOC2, PCI-DSS, or HIPAA audits, and anyone managing production Linux servers who needs a clear, actionable hardening checklist.

SSH Hardening Linux — The Complete Guide

SSH is the front door of every Linux server and the most heavily attacked surface on any internet-facing system. Proper Linux SSH security configuration takes under 30 minutes and delivers more protection than almost any other single action you can take.

SSH Security Checklist

Disable direct root login over SSH CriticalSet PermitRootLogin to no in the SSH daemon configuration file. Root should never be directly reachable over the network.
Disable password authentication entirely CriticalRequire SSH key pairs for all logins. Passwords can be brute-forced; properly generated key pairs cannot be guessed in any realistic timeframe.
Change the default SSH port away from 22 HighMoving to a non-standard port above 1024 eliminates the vast majority of automated scan traffic that exclusively targets port 22.
Enforce SSH Protocol version 2 only CriticalProtocol version 1 carries known cryptographic vulnerabilities and must never be permitted on any modern server regardless of use case.
Whitelist specific users or groups allowed to connect HighUse the AllowUsers or AllowGroups directive to explicitly name exactly who may connect via SSH, blocking all other accounts by default.
Set session idle timeout and maximum login grace time MediumConfigure ClientAliveInterval, ClientAliveCountMax, and LoginGraceTime so idle and unresponsive sessions are automatically disconnected.
Disable X11 forwarding and TCP forwarding MediumUnless your environment has a documented specific need, both X11 and TCP forwarding should be disabled to reduce the attack surface.
Restrict allowed cryptographic ciphers and algorithms HighExplicitly define the permitted ciphers, MACs, and key exchange algorithms. Remove all deprecated options including arcfour and MD5-based MACs.
Enable two-factor authentication for SSH logins HighAdd a time-based one-time password requirement on top of key authentication using the Google Authenticator PAM module for a powerful second layer.
Deploy fail2ban to automatically block brute-force attempts CriticalConfigure fail2ban to monitor SSH authentication logs and automatically ban source IPs after a defined number of consecutive failures.

Production-Ready SSH Configuration Settings

The following settings represent a hardened SSH configuration baseline. Apply them to your SSH daemon configuration file, verify syntax before restarting, and always keep a backup console session open during testing.

Hardened SSH Daemon Settings
— Core Settings —
Port: 2299 (custom, not 22)
Protocol: 2 only
— Authentication —
Root Login: Disabled
Password Auth: Disabled
Public Key Auth: Enabled
Empty Passwords: Not permitted
Max Auth Tries: 3
Login Grace Time: 60 seconds
— Session Controls —
Idle Timeout Interval: 300 seconds
Max Alive Count: 2
X11 Forwarding: Disabled
TCP Forwarding: Disabled
Agent Forwarding: Disabled
Compression: Disabled
— Cryptography —
Ciphers: ChaCha20-Poly1305, AES-256-GCM only
MACs: HMAC-SHA2-512-ETM, HMAC-SHA2-256-ETM only
Key Exchange: Curve25519-SHA256, DH-Group16-SHA512 only
— Logging —
Log Facility: AUTH
Log Level: VERBOSE
Before You Apply Any Changes

Always keep an existing SSH session open while testing new configuration. Verify syntax before restarting the daemon. Have out-of-band console access available as a fallback in case of accidental lockout. Never apply untested changes directly to production.

User Accounts and Privilege Management

User and privilege management is where most enterprise Linux environments carry the most hidden risk. Dormant accounts never cleaned up, service accounts with interactive shell access, developers granted broad sudo permissions because it was easier than scoping them properly — every one of these is a door an attacker can walk through.

User and Privilege Checklist

Audit every user account on the system CriticalReview the full account list and lock or remove anything that is no longer actively needed. Old accounts are a prime target for attackers.
Assign no-login shells to service accounts HighApplication service accounts like those for web servers and databases should be assigned a no-login shell so they cannot be used for interactive access.
Enforce strong password policy via PAM HighConfigure the PAM pwquality module to require passwords of at least 14 characters with complexity rules and prevent reuse of recent passwords.
Configure password aging and expiration MediumSet a maximum password age of 90 days, a 14-day advance warning, and a minimum age of 7 days to prevent immediate recycling.
Scope sudo permissions to specific commands only HighNever grant unrestricted sudo access when specific command permissions would suffice. Always edit the sudoers file using the safe editor tool.
Lock the root account from direct login CriticalLock the root account password so it cannot be used for direct login. All administrative actions should go through named accounts using sudo.
Enable full sudo activity logging HighEvery privileged command executed via sudo must be logged with the username, timestamp, and full command. This is non-negotiable for compliance.

Network and Firewall Hardening

Every open port on your server is a potential entry point. The operating principle is straightforward: if a service is not needed, stop it. If a port is not needed, close it. Most default Linux server installations run services that nobody consciously enabled — and each one expands your attack surface needlessly.

Network Hardening Checklist

Audit every port and service currently listening CriticalUse the socket statistics tool to list everything listening on the network. Compare against what your applications actually require and shut down everything else.
Enable and configure a host-based firewall CriticalSet the default policy to deny all incoming connections, then explicitly allow only the services and ports your system requires. Enable it on every server.
Disable IPv6 if your environment does not use it MediumAn unused but enabled IPv6 stack is an unmonitored network interface that most firewall rules fail to cover adequately by default.
Enable TCP SYN cookie protection against flood attacks HighActivating SYN cookies via kernel network settings protects your server from SYN flood denial-of-service attacks targeting the TCP handshake process.
Disable IP source routing and ICMP redirect acceptance HighDisabling these kernel network options prevents attackers from manipulating routing decisions and intercepting traffic intended for your server.
Deploy fail2ban across all relevant services CriticalConfigure fail2ban to protect SSH, web application login pages, mail services, and any other service that maintains authentication logs.
Remove all legacy cleartext network services HighTelnet, RSH, rlogin, and unencrypted FTP must be removed or permanently disabled. There is no legitimate reason for these on a modern secure server.
Recommended Firewall Policy

Default incoming: deny all · Default outgoing: allow all · Then explicitly allow: your custom SSH port, HTTPS on 443, and any other ports your specific applications require. Nothing else should be open.

File System and Permissions Hardening

Incorrect file permissions are one of the most common and most consequential Linux security misconfigurations. A world-writable directory, an unnecessarily privileged binary, or sensitive configuration files readable by unprivileged users — these create the exact conditions that privilege escalation attacks are designed to exploit.

File System Checklist

Locate and review all SUID and SGID binaries HighAny executable with the SUID or SGID bit set runs with elevated privileges. Every such file is a potential privilege escalation path and must be justified.
Identify and remediate all world-writable files CriticalNo file on a production server should be writable by all users unless there is a specific documented and approved reason for that configuration.
Verify permissions on all sensitive system files CriticalThe user account file should be 644, the shadow credentials file should be 640 with root and shadow group ownership, and the SSH config should be 600.
Apply sticky bit to all world-writable directories HighThe sticky bit on a shared directory like the temporary folder prevents users from deleting files created by other users in that same location.
Mount shared partitions with execution and SUID restrictions HighThe temporary, variable data, and home partitions should be mounted with noexec, nosuid, and nodev options to prevent script execution from those locations.
Enable Mandatory Access Controls via SELinux or AppArmor HighMAC systems enforce access policy beyond standard Unix permissions. Use SELinux on Red Hat systems and AppArmor on Ubuntu. Never disable either in production.
A Rule That Is Never Negotiable

World-writable permissions on any production file or directory is never acceptable. Not temporarily. Not just for testing. Not because a developer asked nicely. It removes all file-level access control and must never be used outside of a fully isolated lab environment.

Auditing, Logging and Monitoring

Running a hardened server without comprehensive logging is like having a security system with no recording. You need complete visibility into authentication events, privilege escalations, file changes, and network activity. In regulated enterprise environments this visibility is not optional — it is explicitly required by SOC2, PCI-DSS, and HIPAA.

Audit and Logging Checklist

Deploy and configure the Linux audit daemon CriticalThe audit daemon captures detailed kernel-level system call activity. Configure rules targeting authentication changes, privilege use, and modifications to system directories.
Forward all logs to a remote central log server CriticalAn attacker who gains root access can erase local logs. Real-time forwarding to a remote write-protected destination using rsyslog or syslog-ng is essential.
Monitor critical system configuration files for changes HighAny change to the user database, credential store, or administrative privilege configuration outside a change management window must trigger an immediate alert.
Deploy AIDE for continuous file integrity monitoring HighAIDE generates a cryptographic baseline of the filesystem after hardening. Subsequent runs detect any unauthorized modifications to tracked files and directories.
Configure log retention to meet compliance requirements MediumPCI-DSS requires twelve months of log retention with three months readily accessible. Configure log rotation and storage capacity to satisfy this requirement.
Generate real-time alerts on privilege escalation failures HighRepeated failed attempts to gain elevated privileges are a strong indicator of account compromise. These events require real-time notification, not only passive log storage.

Kernel Hardening

Linux kernel defaults are designed for maximum compatibility across hardware and use cases, not for security. Hardening the kernel means overriding those defaults with settings that reduce exposure to network attacks, memory exploits, and information disclosure. These settings are configured through the kernel runtime parameter system and persist across reboots when added to the appropriate configuration file.

Key Kernel Security Parameters
— Network Protection —
SYN Cookie Protection: Enabled
Source Route Acceptance (IPv4): Disabled
Source Route Acceptance (IPv6): Disabled
ICMP Redirect Acceptance: Disabled
ICMP Redirect Sending: Disabled
Reverse Path Filtering: Enabled (prevents IP spoofing)
Broadcast ICMP Ignore: Enabled
— Kernel Security —
SUID Core Dumps: Disabled
Kernel Message Restriction: Enabled
Kernel Pointer Restriction: Maximum (level 2)
Magic SysRq Key: Disabled
Address Space Randomization (ASLR): Full randomization (level 2)

CIS Benchmark Compliance for Linux

The Center for Internet Security Benchmarks are the globally recognized standard for Linux server security configuration. They are used as the baseline configuration requirement by enterprises worldwide and represent the primary framework that security auditors use when assessing your environment.

CIS Linux Benchmarks are structured into two levels. Level 1 delivers strong security with minimal operational impact and is recommended as the baseline for all production servers. Level 2 adds deeper controls suited to high-security environments where some tradeoffs with operational flexibility are acceptable.

CIS Linux Benchmark Coverage Areas

Filesystem configuration and partitioning · Software and patch management · Bootloader security configuration · Process hardening · Mandatory access controls · Network stack hardening · Comprehensive logging and auditing · User account lifecycle management · System access warning banners

Automating Your CIS Compliance Check

Manually verifying 200 or more CIS controls on every server is impractical. Use Lynis for a fast hardening score assessment, or OpenSCAP for a full formal compliance report mapped directly to CIS benchmark controls. Both tools are open source and widely used in enterprise environments.

Run your audit tool before applying any hardening changes to establish your baseline score, then run it again after each section of this checklist to measure your progress. A well-hardened enterprise server should score 75 or above on the Lynis hardening index. Default unmodified installations typically score between 55 and 65.

Target Hardening Score

Lynis hardening index of 75 or higher is the enterprise target. Following this complete checklist consistently achieves scores between 78 and 88 depending on the Linux distribution and specific environment configuration.

HIPAA, PCI-DSS and SOC2 Linux Compliance

For organizations subject to regulatory requirements, Linux server hardening is a legal and contractual obligation, not a recommendation. The three most common enterprise compliance frameworks each have specific technical requirements that map directly to Linux security controls.

PCI-DSS Requirements for Linux Servers

PCI-DSS applies to every system that processes, stores, or transmits payment card data. The standard requires unique user accounts for all access with no shared credentials permitted, system activity logging retained for a minimum of twelve months, file integrity monitoring on all critical system files, and strict bidirectional traffic restrictions limiting both inbound and outbound connections to only what is necessary.

HIPAA Technical Safeguards for Linux

HIPAA mandates specific technical safeguards for any system handling electronic Protected Health Information. For Linux servers this means implementing audit controls that record all system activity involving PHI, access controls that restrict data visibility to authorized personnel only, automatic session termination after defined periods of inactivity, encrypted transmission of all data using TLS 1.2 or higher, and integrity mechanisms that detect unauthorized modification of health records.

SOC2 Linux Security Controls

SOC2 Type II audits evaluate the effectiveness of your security, availability, and confidentiality controls over time. Auditors specifically examine whether multi-factor authentication is enforced, whether access reviews are conducted and documented periodically, whether defined SLAs exist for patching critical vulnerabilities, whether all system changes are logged and attributed, and whether encryption is verified at rest and in transit across all in-scope systems.

Compliance Is the Floor, Not the Ceiling

A passing compliance audit confirms you meet a defined minimum standard. It does not mean your environment is secure against determined attackers. Build your security posture to go meaningfully beyond compliance requirements. Use the audit as your baseline verification, not your goal.

Best Tools to Automate Linux Server Hardening

At enterprise scale, manual hardening of individual servers is both unreliable and unsustainable. The answer is infrastructure automation that applies your hardening baseline consistently to every server from the moment it is provisioned, with no manual steps that can be skipped or forgotten.

Recommended Security and Hardening Tools

Ansible with dev-sec.io Hardening RolesThe dev-sec project provides production-ready, CIS-aligned Ansible roles covering OS hardening, SSH security, and more. Used by enterprises worldwide to automate consistent Linux hardening at any scale.
Lynis Security Auditing ToolOpen-source system auditing tool that produces a prioritized hardening score with specific actionable recommendations. Run before hardening to baseline and after each change to measure improvement.
OpenSCAP Compliance ScannerThe official open-source SCAP implementation capable of scanning against CIS benchmarks, DISA STIG profiles, and PCI-DSS requirements, producing detailed HTML and XML compliance reports.
AIDE File Integrity MonitorCreates a verified cryptographic snapshot of your filesystem after hardening is complete. Any subsequent unauthorized change to tracked files is detected and reported on the next scheduled scan.
fail2ban Intrusion PreventionMonitors authentication logs across SSH, web applications, mail servers, and other services, automatically blocking source IP addresses that exhibit brute-force or scanning behavior.
Wazuh Open Source SIEM and HIDSCombines host-based intrusion detection, centralized log analysis, vulnerability assessment, and compliance monitoring into a single unified platform. Well suited for enterprise Linux security operations teams.

Where to Start Right Now

This guide covers a lot of ground because Linux server hardening is genuinely a multi-layered discipline. But you do not need to complete everything before you have meaningful protection. Start with the highest-impact items first and build from there.

SSH hardening is your day-one priority. Thirty minutes of configuration changes will block the overwhelming majority of automated attacks your server faces daily. Follow that with firewall setup and fail2ban deployment, then work through user accounts, kernel settings, and file permissions in sequence.

Run a Lynis audit after each section and watch your hardening score climb. A realistic target for most enterprise teams is reaching a score of 80 or above within two weeks of focused effort starting from a default installation.

Security is an ongoing practice, not a one-time project. The hardened server you build today will face new vulnerabilities as software evolves. Stay current with security advisories for your distribution, maintain a regular patching schedule, and treat hardening as a continuous part of your server management lifecycle.

Your 8-Day Action Plan

Day 1 — SSH hardening configuration (30 minutes, highest immediate impact)
Day 1 — Firewall rules and fail2ban deployment
Day 2 — Full user account and sudo permission audit
Day 2 — Run Lynis and record your baseline hardening score
Day 3 — Apply kernel security parameter settings
Days 3 to 4 — File permission audit and SUID binary review
Days 4 to 5 — Configure audit daemon and remote log forwarding
Week 2 — Run OpenSCAP CIS benchmark scan and work through findings

LinuxTeck — A Complete Linux Learning Blog
Updated regularly to reflect current CIS Benchmark versions and Linux security best practices.


Related post

Linux cloud hosting UK

Linux Cloud Hosting UK: AWS vs Azure vs DigitalOcean

April 17,2026

linux file system comparison ext4 xfs btrfs

The Best Linux Filesystem for Your Production Server in 2026

April 17,2026

Linux bash scripting automation 2026 workflow diagram

Linux Bash Scripting: Automate Your Server in 2026

March 24,2026

About John Britto

John Britto Founder & Chief-Editor @LinuxTeck. A Computer Geek and Linux Intellectual having more than 20+ years of experience in Linux and Open Source technologies.

View all posts by John Britto →

Leave a Reply

Your email address will not be published.

L