A default Linux server installation is not secure. SSH accepts password authentication, the firewall is often inactive, and kernel parameters are tuned for general use rather than production workloads. Whether you are spinning up a VPS or deploying on-premises infrastructure, hardening should happen before the server sees production traffic.

SSH hardening

The SSH daemon configuration at /etc/ssh/sshd_config controls remote access. The critical settings:

Disable root login:

PermitRootLogin no

Disable password authentication (require SSH keys instead):

PasswordAuthentication no
PubkeyAuthentication yes

Change the default port (reduces automated scan noise, not a security boundary):

Port 2222

Limit authentication attempts and idle sessions:

MaxAuthTries 3
ClientAliveInterval 300
ClientAliveCountMax 2

After editing, restart the daemon with systemctl restart sshd. Always verify you can connect with your key before closing your current session.
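A setting is only hardened if it is the one sshd actually applies: sshd takes the first occurrence of a directive, ignores later ones, and expands Include lines in place, so a drop-in pulled in near the top of sshd_config (as on Ubuntu, where sshd_config.d/ is included first) silently overrides the lines you just edited. The POSIX shell audit below is an added example, not part of the original page or any tool it mentions; it reads the effective value the way sshd does, stops at the first Match block, and checks the four directives above against a constructed Ubuntu-style fixture (the drop-in name 50-cloud-init.conf and the paths are assumptions for the demo).

```sh
#!/bin/sh
# Expand Include lines (one level) in order, so the output is the text sshd
# would scan. Everything else is passed through unchanged.
expand_includes() {
  cfg=$1
  while IFS= read -r line || [ -n "$line" ]; do
    set -- $line                       # split into words, dropping leading blanks
    case "$(printf '%s' "${1:-}" | tr 'A-Z' 'a-z')" in
      include)
        shift
        for pat in "$@"; do            # each argument may be a glob
          for f in $pat; do [ -f "$f" ] && cat "$f"; done
        done ;;
      *) printf '%s\n' "$line" ;;
    esac
  done < "$cfg"
}

# sshd_effective KEY FILE : print the value sshd would use for KEY, or nothing
# if the global section never sets it (sshd's built-in default then applies).
sshd_effective() {
  kw=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
  expand_includes "$2" | awk -v k="$kw" '
    /^[[:space:]]*#/ { next }                 # comment
    NF == 0 { next }                          # blank line
    tolower($1) == "match" { exit }           # conditional block: global section ends here
    tolower($1) == k { print $2; exit }       # first occurrence wins
  '
}

# sshd_audit FILE : compare the effective values with the baseline from this
# page. Prints each deviation; returns 0 only when all four match.
sshd_audit() {
  file=$1; rc=0
  for pair in PermitRootLogin=no PasswordAuthentication=no PubkeyAuthentication=yes MaxAuthTries=3; do
    key=${pair%%=*}; want=${pair#*=}
    have=$(sshd_effective "$key" "$file")
    if [ "$have" != "$want" ]; then
      printf '%-22s want %-4s have %s\n' "$key" "$want" "${have:-(unset, sshd default)}"
      rc=1
    fi
  done
  return $rc
}

# make_fixture DIR : constructed Ubuntu-style layout (assumption, not a real
# host). The Include at the top pulls in a drop-in modelled on cloud-init's
# 50-cloud-init.conf, which re-enables password logins before the hardened
# lines below it are ever read.
make_fixture() {
  dir=$1
  mkdir -p "$dir/sshd_config.d"
  printf 'PasswordAuthentication yes\n' > "$dir/sshd_config.d/50-cloud-init.conf"
  cat > "$dir/sshd_config" <<EOF
Include $dir/sshd_config.d/*.conf
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
Port 2222
MaxAuthTries 3
Match User backup
    PasswordAuthentication yes
EOF
}

# Demo on the fixture. On a live host, validate syntax first, then audit:
#   sshd -t && sshd_audit /etc/ssh/sshd_config
tmp=$(mktemp -d); make_fixture "$tmp"
sshd_audit "$tmp/sshd_config" || echo "not hardened: the included drop-in wins over sshd_config"
rm -rf "$tmp"
```

On the fixture the audit reports PasswordAuthentication as yes even though sshd_config says no; the fix on such a host is to change or remove the drop-in, not to edit sshd_config again. Directives inside Match blocks are deliberately ignored because they apply only to the matched users or hosts.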

Firewall configuration

Linux offers multiple firewall frontends depending on the distribution.

UFW (Ubuntu/Debian):

ufw default deny incoming
ufw default allow outgoing
ufw allow 2222/tcp    # SSH on custom port
ufw allow 443/tcp     # HTTPS
ufw enable

firewalld (RHEL/Fedora/CentOS):

firewall-cmd --set-default-zone=drop                          # unmatched inbound traffic is dropped
firewall-cmd --zone=drop --add-port=2222/tcp --permanent      # SSH on custom port
firewall-cmd --zone=drop --add-service=https --permanent      # HTTPS
firewall-cmd --reload

The allowed ports must be added to the zone your interfaces actually use; after setting the default zone to drop, rules added to the public zone have no effect and would lock you out of SSH.

The principle is the same: deny everything by default, then allow only the ports your services require.

Kernel and system tuning

Several sysctl parameters improve performance and security on production servers.

Reduce swappiness (keep more data in RAM, less aggressive swap):

echo "vm.swappiness=10" >> /etc/sysctl.d/99-custom.conf

Enable TCP BBR (Google’s congestion control for better throughput):

echo "net.core.default_qdisc=fq" >> /etc/sysctl.d/99-custom.conf
echo "net.ipv4.tcp_congestion_control=bbr" >> /etc/sysctl.d/99-custom.conf

Disable ICMP redirects (stops the host from honouring ICMP redirect messages, which an attacker on the same network segment can use to route the host's traffic through their own machine):

echo "net.ipv4.conf.all.accept_redirects=0" >> /etc/sysctl.d/99-custom.conf
echo "net.ipv6.conf.all.accept_redirects=0" >> /etc/sysctl.d/99-custom.conf

Apply changes with sysctl --system.
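The echo >> lines above are not idempotent: rerunning the script appends a second copy of every key, and since sysctl applies the last value it reads, the file quietly accumulates stale lines that are hard to audit. The POSIX shell helper below is an added example, not code from the original page or from BaseConf; it writes each tunable exactly once (replacing an existing entry, collapsing duplicates) and includes a reader for checking what the file will set. The file paths and the sample file contents are constructed for the demo.

```sh
#!/bin/sh
# set_sysctl KEY VALUE FILE : ensure FILE contains exactly one "KEY = VALUE"
# line. Comment lines are kept; an existing KEY (any value, any spacing, even
# duplicated) is replaced in place; otherwise the line is appended.
set_sysctl() {
  key=$1; value=$2; file=$3
  [ -f "$file" ] || : > "$file"
  tmp=$(mktemp)
  awk -v k="$key" -v v="$value" '
    /^[[:space:]]*[#;]/ { print; next }          # keep comments untouched
    {
      n = index($0, "="); lhs = n ? substr($0, 1, n - 1) : $0
      gsub(/[[:space:]]/, "", lhs)
      if (lhs == k) { if (!done) print k " = " v; done = 1; next }   # replace once, drop repeats
      print
    }
    END { if (!done) print k " = " v }            # key was absent: append
  ' "$file" > "$tmp" && cat "$tmp" > "$file"      # cat keeps the original file mode
  rm -f "$tmp"
}

# file_value KEY FILE : the value FILE would set for KEY, resolved the way
# sysctl does (last occurrence wins). Prints nothing if KEY is not set.
file_value() {
  awk -v k="$1" '
    /^[[:space:]]*[#;]/ { next }
    {
      n = index($0, "="); if (!n) next
      lhs = substr($0, 1, n - 1); gsub(/[[:space:]]/, "", lhs)
      if (lhs == k) { val = substr($0, n + 1); gsub(/^[[:space:]]+|[[:space:]]+$/, "", val) }
    }
    END { print val }' "$2"
}

# Demo on a constructed drop-in that already shows the duplicate problem
# (the result of running the echo lines twice). In production the target is
# /etc/sysctl.d/99-custom.conf; the 99- prefix matters because sysctl --system
# reads /etc/sysctl.d/*.conf in lexical order and later files override earlier ones.
demo=$(mktemp)
printf '# constructed: what two runs of "echo >>" leave behind\nvm.swappiness=10\nvm.swappiness=10\n' > "$demo"
set_sysctl vm.swappiness 10 "$demo"
set_sysctl net.core.default_qdisc fq "$demo"
set_sysctl net.ipv4.tcp_congestion_control bbr "$demo"
set_sysctl net.ipv4.conf.all.accept_redirects 0 "$demo"
set_sysctl net.ipv6.conf.all.accept_redirects 0 "$demo"
cat "$demo"
rm -f "$demo"

# After writing the real file, load and verify:
#   sysctl --system && sysctl net.ipv4.tcp_congestion_control
# BBR is a loadable module on most distro kernels; if it is not listed in
# /proc/sys/net/ipv4/tcp_available_congestion_control, run "modprobe tcp_bbr"
# first (and persist it via /etc/modules-load.d/), or the sysctl line will fail.
```

The verification step matters because sysctl --system prints an error for an unknown key and continues, so a typo or a missing tcp_bbr module leaves the host on its defaults without the script failing.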

Distro differences to watch for

  • Debian/Ubuntu use UFW and apt — SSH config may split across /etc/ssh/sshd_config.d/
  • RHEL/Fedora use firewalld and dnf — SELinux may block custom SSH ports until you run semanage port -a -t ssh_port_t -p tcp 2222
  • Arch uses neither by default — you install and configure iptables or nftables manually

Generate your hardening script with BaseConf

The BaseConf Linux Configurator lets you select your distribution, toggle SSH, firewall, and kernel settings, and generates a shell script tailored to your distro’s package manager and firewall tool.

  1. Choose your distribution — Ubuntu, Debian, Fedora, RHEL, or Arch
  2. Toggle security and performance settings
  3. Review the generated script line by line
  4. Download and run with sudo bash script.sh
  5. Revert using the matching undo script

Complete your server setup

Combine Linux hardening with Windows client configuration and macOS workstation setup if you manage a mixed environment. The Build Config page supports cross-platform script generation from a single interface.