Hardening

March 16, 2026 • Hardening • The internet wants your server.

The internet is a hostile place. Every minute, your server is being scanned, probed, and attacked. Default installations are target practice. If you're not hardening your systems, you're making it easy for the bad guys.

Security is not optional. Every exposed service is a potential entry point. The moment you connect to the internet, you're in the fight.

SSH: Your Front Door

SSH is the first thing hackers try. Don't make it easy:

# Edit SSH config and set the directives below
vim /etc/ssh/sshd_config

# Disable root login
PermitRootLogin no

# Disable password authentication (only after key login works, see SSH Keys below)
PasswordAuthentication no

# Use only SSH keys
PubkeyAuthentication yes

# Change default port (security through obscurity, but it helps)
Port 2222

# Restart SSH to apply the changes (keep your current session open until a new login works)
systemctl restart sshd
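
To confirm the file really says what you think it says, here is an added example (not part of the original post) that audits sshd_config text against the four settings above. It assumes POSIX sh and awk; the function names audit_sshd_config and sample_config and the sample config are made up for the illustration.

```sh
#!/bin/sh
# Added example: audit sshd_config text for the settings recommended above.
# Prints PASS/FAIL per check; exit status is the number of failed checks.
audit_sshd_config() {
    awk '
    BEGIN {
        # OpenSSH defaults, used when a keyword is absent or commented out
        val["permitrootlogin"] = "prohibit-password"; want["permitrootlogin"] = "no"
        val["passwordauthentication"] = "yes"; want["passwordauthentication"] = "no"
        val["pubkeyauthentication"] = "yes"; want["pubkeyauthentication"] = "yes"
    }
    { gsub(/[="]/, " ") }                 # accept Key=value and quoted values
    NF == 0 || $1 ~ /^#/ { next }         # blank lines and comments
    {
        key = tolower($1); arg = tolower($2)   # keywords are case-insensitive
        if (key == "match") exit          # conditional blocks: audit global section only
        if (key == "port") ports = ports " " arg
        else if ((key in want) && !(key in seen)) { val[key] = arg; seen[key] = 1 }
    }
    END {
        if (ports == "") ports = " 22"    # no Port line means the default port
        n = split("permitrootlogin passwordauthentication pubkeyauthentication", k, " ")
        for (i = 1; i <= n; i++) {
            ok = (val[k[i]] == want[k[i]]); fails += !ok
            printf "%s %s=%s (want %s)\n", (ok ? "PASS" : "FAIL"), k[i], val[k[i]], want[k[i]]
        }
        ok = (index(ports " ", " 22 ") == 0); fails += !ok
        printf "%s port=%s (want anything but 22)\n", (ok ? "PASS" : "FAIL"), substr(ports, 2)
        exit fails
    }' "${1:--}"
}

# Constructed sample config for the demo, not taken from a real host.
sample_config() {
    cat <<'EOF'
Port 2222
PermitRootLogin no
PasswordAuthentication yes
PubkeyAuthentication yes
# Ignored by sshd: the first value read for a keyword wins.
PasswordAuthentication no
EOF
}

sample_config | audit_sshd_config || echo "failed checks: $?"
```

Run it as `audit_sshd_config /etc/ssh/sshd_config`, or pipe in `sshd -T` output to also account for Include drop-ins and compiled-in defaults.
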

SSH Keys: Passwords Are Weak

Generate keys. Use them. Never use passwords again:

# On your local machine
ssh-keygen -t ed25519 -C "your@email.com"

# Copy to server
ssh-copy-id user@your-server.com

# Test it works, then disable passwords

Firewall: UFW

Block everything. Open only what you need:

# Install
apt install ufw

# Default deny everything
ufw default deny incoming
ufw default allow outgoing

# Allow SSH (your new port!)
ufw allow 2222/tcp

# Allow HTTP/HTTPS
ufw allow 80/tcp
ufw allow 443/tcp

# Enable
ufw enable

# Check status
ufw status verbose

Fail2Ban: Ban the Bad Guys

When someone tries to brute force your SSH, ban them:

# Install
apt install fail2ban

# Start
systemctl enable fail2ban
systemctl start fail2ban

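# It's pre-configured for SSH
# The stock sshd jail watches the standard SSH port; if you moved SSH to 2222,
# set port = 2222 under [sshd] in /etc/fail2ban/jail.local
# Add more jails in /etc/fail2ban/jail.local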

Updates: Patch or Die

Security vulnerabilities are found constantly. Update:

# Debian/Ubuntu
apt update && apt upgrade

# RHEL/CentOS
yum update

# Enable automatic security updates
apt install unattended-upgrades

Users and Sudo

Don't use root. Create users:

# Create user
adduser cjboon

# Add to sudo group
usermod -aG sudo cjboon

# Check who's logged in now, plus login history and each account's last login
who
last
lastlog

System Limits

Prevent resource exhaustion:

# Check limits
ulimit -a

# Edit limits.conf
vim /etc/security/limits.conf

# Add (applies to new login sessions):
* soft nofile 65536
* hard nofile 65536
* soft nproc 4096
* hard nproc 4096

The Point

Hardening is not a product. It's a mindset. Default settings exist for convenience, not security. Every service you run is a risk. Every open port is a potential attack vector.

The goal isn't perfect security - that's impossible. The goal is to be harder to crack than the next guy. Make attackers move on to easier targets.

Security and convenience are opposites. Pick security. You'll sleep better.