Your dedicated server is only as secure as its configuration. Out of the box, most Linux distributions ship with convenience-first defaults — open ports, permissive access policies, and minimal logging. That's fine for a test environment. For production? It's an invitation.
Server hardening is the process of reducing the attack surface of your system by eliminating unnecessary services, tightening access controls, and adding layers of defense. It's not glamorous, but it's the single most impactful thing you can do after provisioning a new server.
This guide covers 10 essential hardening steps that every dedicated server should have in place. Whether you're running Ubuntu, Debian, CentOS, or Rocky Linux, these principles apply universally.
1. Lock Down SSH Access
SSH is the front door to your server. It's also the most attacked service on any internet-facing Linux machine. Thousands of automated bots scan for open SSH ports every hour, attempting brute-force attacks with common credentials.
Essential SSH hardening steps:
• Disable root login: Set PermitRootLogin no in /etc/ssh/sshd_config. Create a regular user with sudo privileges instead.
• Use key-based authentication only: Set PasswordAuthentication no and use SSH key pairs. This eliminates brute-force password attacks entirely.
• Change the default port: Moving SSH from port 22 to a non-standard port (e.g., 2222 or higher) won't stop a determined attacker, but it eliminates 99% of automated scanning noise.
• Limit SSH users: Use AllowUsers or AllowGroups to restrict which accounts can SSH in.
• Set idle timeout: Configure ClientAliveInterval 300 and ClientAliveCountMax 2 to disconnect idle sessions.
After making changes, always restart the SSH service and test from a second terminal before closing your current session. Locking yourself out of your own server is embarrassingly common — and entirely preventable.
2. Configure a Firewall
A properly configured firewall is non-negotiable. The principle is simple: deny everything by default, then allow only what's needed.
For most dedicated servers, ufw (Uncomplicated Firewall) or firewalld provides a clean interface over iptables or nftables:
• Allow only the ports your services actually use (SSH, HTTP/HTTPS, your application ports)
• Block all inbound traffic by default
• Rate-limit SSH connections to slow down brute-force attempts
• Consider geo-blocking if your service only serves specific regions
• Log dropped packets for security monitoring
If you're running a high-traffic server, SwissLayer's dedicated servers include network-level DDoS protection that works alongside your OS-level firewall for defense in depth.
3. Keep Your System Updated
Unpatched software is the number one attack vector for server compromises. The vast majority of successful attacks exploit known vulnerabilities that already have patches available.
Implement automatic security updates:
• On Debian/Ubuntu: Install and configure unattended-upgrades to automatically apply security patches
• On RHEL/CentOS/Rocky: Use dnf-automatic with apply_updates = yes for security updates
• Schedule regular full updates during maintenance windows
• Subscribe to security mailing lists for your distribution
Automatic security updates are a reasonable trade-off for most servers. The risk of a zero-day exploit on an unpatched system far outweighs the occasional (and rare) update that breaks something.
4. Install and Configure Fail2Ban
Fail2Ban monitors log files for repeated authentication failures and automatically bans offending IP addresses. It's lightweight, effective, and should be running on every server.
• Monitor SSH, web server, and mail server logs
• Set reasonable ban times (start with 1 hour, increase for repeat offenders)
• Configure maxretry to 3-5 attempts before banning
• Whitelist your own IP addresses to avoid locking yourself out
• Enable email notifications for ban events so you stay aware of attack patterns
Fail2Ban pairs perfectly with SSH key-based authentication. Even if an attacker somehow discovers your SSH port, they'll be banned after a handful of failed attempts before they can try anything meaningful.
5. Remove Unnecessary Services and Packages
Every running service is a potential attack vector. Every installed package is code that might contain vulnerabilities. The principle of least functionality means your server should run only what it needs to do its job — nothing more.
• Audit running services: systemctl list-units --type=service --state=running
• Disable services you don't need (FTP, Telnet, CUPS, Avahi, Bluetooth stacks)
• Remove unused packages: apt autoremove or dnf autoremove
• Check for listening ports: ss -tulnp — if you don't recognize a port, investigate it
• Disable IPv6 if you're not using it (one less attack surface)
6. Set Up Proper User Management
Poor user management is responsible for more security incidents than most people realize. Follow these principles:
• Principle of least privilege: Every user account should have only the permissions it needs. No more.
• Use sudo instead of root: The root account should be used only for emergency recovery. Day-to-day administration happens through sudo with proper logging.
• Enforce strong passwords: Install libpam-pwquality and configure minimum length (12+ characters), complexity requirements, and password history.
• Set password expiration: Use chage to require periodic password changes for interactive accounts.
• Audit user accounts regularly: Remove accounts for people who no longer need access. Check for unauthorized accounts with awk -F: '$3 >= 1000' /etc/passwd.
7. Enable Comprehensive Logging and Monitoring
You can't defend what you can't see. Proper logging turns your server from a black box into a monitored system where suspicious activity gets flagged before it becomes a breach.
• Centralize logs: Configure rsyslog or journald to aggregate logs. Better yet, ship them to a remote log server so attackers can't cover their tracks by deleting local logs.
• Monitor auth logs: Watch /var/log/auth.log (Debian) or /var/log/secure (RHEL) for failed login attempts, sudo usage, and account changes.
• Set up logwatch or logcheck: Automated daily log summaries catch patterns you'd miss manually.
• Monitor file integrity: Tools like AIDE or Tripwire alert you when critical system files are modified unexpectedly.
• Resource monitoring: Install a lightweight monitoring stack to track CPU, memory, disk, and network anomalies that might indicate compromise.
8. Secure the Network Stack
Linux kernel network parameters can be tuned for security through /etc/sysctl.conf. These changes protect against common network-level attacks:
• Disable IP source routing: net.ipv4.conf.all.accept_source_route = 0
• Enable SYN flood protection: net.ipv4.tcp_syncookies = 1
• Ignore ICMP redirects: net.ipv4.conf.all.accept_redirects = 0
• Log suspicious packets: net.ipv4.conf.all.log_martians = 1
• Disable ICMP broadcast responses: net.ipv4.icmp_echo_ignore_broadcasts = 1
• Enable reverse path filtering: net.ipv4.conf.all.rp_filter = 1
Apply changes with sysctl -p. These are safe, universally recommended settings that don't affect normal server operation but block several categories of network attacks.
9. Implement Disk Encryption and Secure Partitioning
Physical security matters, even in a data center. If a drive is decommissioned, stolen, or improperly wiped, encryption ensures your data remains protected.
• Use LUKS encryption for sensitive data partitions. On SwissLayer's dedicated servers, you have full hardware access to configure encryption exactly as your security policy requires.
• Separate partitions: Mount /tmp, /var, and /home on separate partitions with restrictive mount options (noexec, nosuid, nodev where appropriate).
• Secure shared memory: Add tmpfs /run/shm tmpfs defaults,noexec,nosuid 0 0 to /etc/fstab to prevent shared memory attacks.
• Set proper permissions: Ensure sensitive files like /etc/shadow and SSH keys have strict permissions (600 or 640).
For businesses handling regulated data, disk encryption is often a compliance requirement. Switzerland's FADP data protection framework emphasizes appropriate technical measures — encryption is one of the most effective.
10. Create and Test Your Backup Strategy
Hardening prevents attacks. Backups ensure recovery when prevention fails. A hardened server without backups is a single point of failure. A compromised server with good backups is a recoverable situation.
• Follow the 3-2-1 rule: 3 copies of data, on 2 different media types, with 1 offsite copy
• Automate backups: Manual backups don't happen. Use rsync, borgbackup, or restic with cron scheduling.
• Encrypt backup data: Backups contain everything an attacker wants. Encrypt them.
• Test restores regularly: A backup you've never tested is a backup that might not work. Schedule quarterly restore tests.
• Store backups separately: Backups on the same server they're protecting are useless against ransomware or hardware failure.
"Security isn't a product you install — it's a process you maintain. Hardening is step one. Monitoring, updating, and adapting is the ongoing work that keeps your server safe."
Bonus: Quick Hardening Checklist
Use this checklist after provisioning any new dedicated server:
☐ SSH: Key-only auth, no root login, non-standard port
☐ Firewall: Default deny, allow only required ports
☐ Updates: Automatic security patches enabled
☐ Fail2Ban: Installed and monitoring SSH + web services
☐ Services: Audit and disable unnecessary daemons
☐ Users: Least privilege, strong passwords, sudo logging
☐ Logging: Centralized, monitored, integrity-checked
☐ Network: Kernel parameters tuned for security
☐ Encryption: LUKS for sensitive data, secure mount options
☐ Backups: Automated, encrypted, tested, offsite
Start with a Secure Foundation
Hardening is significantly easier when you start with quality infrastructure. A SwissLayer dedicated server gives you bare-metal hardware in a Swiss data center with network-level DDoS protection, full root access for custom security configurations, and the privacy benefits of Swiss hosting jurisdiction.
Whether you're migrating from a VPS that's outgrown its security limitations or provisioning infrastructure for a compliance-sensitive application, the hardening steps in this guide will help you build a server that's ready for production — and resilient against the threats that come with it.
Need help? Contact SwissLayer to discuss your dedicated server requirements and security needs.