One of the best things about Linux is how secure it is out of the box—but that doesn’t mean it’s invincible. Whether you’re running a Linux desktop or managing a server, a few key steps can dramatically improve your system’s security.
In this post, we’ll walk through practical, real-world tips to harden your Linux system and reduce your risk of attacks—without locking yourself out or breaking everything.
1. Keep Your System Updated
This is the easiest—and most important—step.
sudo apt update && sudo apt upgrade # Debian/Ubuntu
sudo dnf update # Fedora
sudo pacman -Syu # Arch
- Enable automatic security updates if you’re running a server.
- Updates patch known vulnerabilities and security bugs.
Pro Tip: Schedule weekly updates and reboot if needed, especially after kernel patches.
2. Use Strong Passwords and Lock Root Access
Disable root login via SSH:
Edit the SSH config file:
sudo nano /etc/ssh/sshd_config
Change or add:
PermitRootLogin no
Then restart SSH:
sudo systemctl restart ssh
Use a regular user + sudo:
adduser youruser
usermod -aG sudo youruser
Use a password manager:
Long, random passwords are much harder to crack—and you won’t need to remember them all.
3. Use SSH Keys Instead of Passwords
SSH keys are more secure than password logins.
Generate keys on your local machine:
ssh-keygen -t ed25519
Copy to server:
ssh-copy-id user@your.server.ip
Then disable password logins:
In /etc/ssh/sshd_config: PasswordAuthentication no
Restart SSH again: sudo systemctl restart ssh
4. Set Up a Firewall (UFW or firewalld)
Firewalls block unwanted traffic and reduce attack surfaces.
Using UFW (Ubuntu/Debian):
sudo apt install ufw
sudo ufw allow OpenSSH
sudo ufw enable
sudo ufw status
Using firewalld (Fedora/CentOS):
sudo systemctl start firewalld
sudo firewall-cmd –permanent –add-service=ssh
sudo firewall-cmd –reload
5. Install Fail2Ban to Block Brute Force Attacks
Fail2Ban monitors logs and automatically bans IPs trying too many login attempts.
sudo apt install fail2ban # Ubuntu/Debian
sudo dnf install fail2ban # Fedora
sudo systemctl enable fail2ban
sudo systemctl start fail2ban
The default config works well, but you can customize jails for SSH, Apache, Nginx, etc.
6. Audit Your Open Ports
Check what services are listening on which ports:
sudo ss -tuln
Or install nmap to scan your system from another machine:
nmap -sS your.ip.address
Close or firewall any ports you’re not actively using.
7. Enable Automatic Security Updates (Optional)
On Ubuntu/Debian:
sudo apt install unattended-upgrades
Edit:
sudo dpkg-reconfigure –priority=low unattended-upgrades
This is especially useful for unattended servers.
8. Remove Unnecessary Software
The more software you have, the more potential vulnerabilities you expose.
- Uninstall unused packages:
sudo apt remove package-name
sudo apt autoremove
- Avoid running graphical environments on servers unless necessary.
9. Use AppArmor or SELinux for Mandatory Access Control
Ubuntu/Debian: AppArmor
sudo aa-status
Fedora/CentOS: SELinux
Check status:
sestatus
These tools enforce strict rules about what services can access—which reduces damage in case of a compromise.
10. Create Regular Backups (and Store Them Safely)
Security isn’t just about prevention—it’s about recovery too.
- Use
rsync,borg, orresticto automate backups - Store them off-site or on a different machine
- Encrypt your backup files with GPG or built-in tools
Bonus Tips
- Use a VPN if you need remote access
- Lock down web applications (use HTTPS, strong passwords, and update your stack)
- Limit the use of
sudowith/etc/sudoersrules - Watch your logs:
journalctl,/var/log/auth.log, etc.
Hardening your Linux system doesn’t require a full-time IT team. With just a few smart steps, you can lock down your machine and greatly reduce your attack surface.
Start small: keep your system updated, secure your SSH access, and use a firewall. From there, layer in more protections based on your needs.
