Linux Server Security Hardening: 20-Point Checklist for 2026
Complete 20-point Linux server security hardening checklist. Covers SSH, firewall, updates, file permissions, monitoring, and more with practical commands.
Securing a Linux server requires a systematic approach that covers every layer of the stack — from kernel parameters and network configuration to application security and access control. Whether you are provisioning a new VPS, hardening a dedicated server, or auditing an existing hosting environment, a structured checklist ensures nothing is overlooked.
This 20-point server security checklist covers the essential hardening measures for Linux servers in 2026. Each point includes the rationale, practical implementation commands, and how VistoShield Server Edition automates or simplifies the process. The checklist is ordered roughly by priority, with the most critical items first.
1. Keep the System Updated
Unpatched software is the single largest attack surface on most servers. Security vulnerabilities are discovered and disclosed regularly, and patches are typically available within hours or days. Every day you delay updates, you are running software with known, publicly documented vulnerabilities that attackers actively exploit.
# Debian/Ubuntu
apt update && apt upgrade -y
# RHEL/AlmaLinux/Rocky
dnf update -y
# Enable automatic security updates
# Debian/Ubuntu:
apt install unattended-upgrades
dpkg-reconfigure -plow unattended-upgrades
# RHEL-family:
dnf install dnf-automatic
systemctl enable --now dnf-automatic-install.timer
VistoShield integration: The Security Scanner checks for outdated software versions on WordPress installations and flags known CVEs in installed plugins and themes. It does not patch operating system packages; the update commands above remain your responsibility.
2. Configure a Firewall
A properly configured firewall is your primary network defense. It should follow the principle of default deny — block all incoming traffic except what is explicitly needed.
On modern distributions, use nftables directly or through a management tool. See our detailed nftables vs iptables comparison for technical background.
# Basic nftables policy: deny all inbound by default, allow specific ports. The table and chain must exist before rules can be added, and the chain policy is what implements "default deny".
nft add table inet filter
nft add chain inet filter input '{ type filter hook input priority 0; policy drop; }'
nft add rule inet filter input ct state established,related accept
nft add rule inet filter input iif lo accept
nft add rule inet filter input meta l4proto { icmp, ipv6-icmp } accept # ping plus IPv6 neighbour discovery, which breaks without this
nft add rule inet filter input tcp dport { 22, 80, 443 } accept
# Persist the ruleset so it survives a reboot (Debian path shown; the RHEL family uses /etc/sysconfig/nftables.conf). The leading flush prevents duplicate rules on reload.
{ echo 'flush ruleset'; nft list ruleset; } > /etc/nftables.conf
systemctl enable --now nftables
VistoShield integration: VistoShield Server Edition manages the firewall configuration with native nftables support, auto-detecting services and configuring appropriate port access. It replaces manual nftables/iptables management with a managed security layer.
3. Harden SSH Access
SSH is the primary remote access method and the most attacked service on most servers. Hardening SSH dramatically reduces your exposure.
# /etc/ssh/sshd_config recommended settings.
# Ubuntu's stock file starts with "Include /etc/ssh/sshd_config.d/*.conf", and sshd
# keeps the FIRST value it sees for a keyword, so a drop-in there (cloud-init writes
# 50-cloud-init.conf with "PasswordAuthentication yes") silently overrides anything
# set below. Audit that directory as well.
# Disable root login
PermitRootLogin no
# Use SSH key authentication only. KbdInteractiveAuthentication (named
# ChallengeResponseAuthentication before OpenSSH 8.7) must also be off, or PAM can
# still prompt for a password through keyboard-interactive with UsePAM yes.
PasswordAuthentication no
KbdInteractiveAuthentication no
PubkeyAuthentication yes
# Limit SSH to specific users
AllowUsers deployer admin
# Use a non-standard port (optional; reduces log noise, not a security control).
# Open it in the firewall first; on SELinux hosts also run:
# semanage port -a -t ssh_port_t -p tcp 2222
Port 2222
# Disable empty passwords
PermitEmptyPasswords no
# Drop connections whose client stops answering keepalives (about 10 minutes).
# ClientAliveCountMax 0 disables the check on OpenSSH 8.2 and later. This is a
# dead-peer detector, not an idle-session timeout (use the shell's TMOUT for that).
ClientAliveInterval 300
ClientAliveCountMax 2
# Use strong algorithms only. sshd refuses to start on an unknown algorithm name, so
# remove sntrup761x25519 on builds older than OpenSSH 8.5 (it became default in 9.0).
KexAlgorithms sntrup761x25519-sha512@openssh.com,curve25519-sha256,curve25519-sha256@libssh.org
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com
# Validate the file, then restart. Keep your current session open and confirm a fresh
# login works before closing it; a typo here locks you out.
sshd -t && systemctl restart sshd
# Confirm the effective configuration and the listening port
sshd -T | grep -Ei 'permitrootlogin|passwordauthentication|kbdinteractiveauthentication'
ss -tlnp | grep sshd
VistoShield integration: VistoShield monitors SSH authentication failures and blocks brute force attackers at the firewall level. Progressive lockouts escalate ban durations for repeat offenders.
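The drop-in precedence problem described above is easy to miss by eye. The following script is an added example (not VistoShield code, not a tool the page ships) that audits one or more sshd configuration files against the directives recommended here, honouring sshd's first-value-wins rule and ignoring directives inside Match blocks. It assumes POSIX sh and awk; the keyword list uses the modern `KbdInteractiveAuthentication` name, so substitute `ChallengeResponseAuthentication` for OpenSSH older than 8.7. On a live host `sshd -T` prints the effective configuration; this static check is for images, backups and configs collected from many hosts, and the sample configs inside it are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not VistoShield code: audit sshd configuration files against
# the directives recommended above. Pass the files in the order sshd reads
# them, drop-ins first, because the stock Ubuntu sshd_config starts with
# "Include /etc/ssh/sshd_config.d/*.conf" and sshd keeps the FIRST value it
# sees for a keyword. Exit status is the number of findings (0 = compliant).
audit_sshd_config() {
    findings=0
    for pair in \
        "PermitRootLogin=no" \
        "PasswordAuthentication=no" \
        "KbdInteractiveAuthentication=no" \
        "PubkeyAuthentication=yes" \
        "PermitEmptyPasswords=no" \
        "X11Forwarding=no"
    do
        key=${pair%%=*}
        want=${pair#*=}
        # Keywords are case-insensitive. Directives under a Match block apply
        # only to matching users/hosts, so they are skipped until the next
        # file starts (FNR resets to 1).
        got=$(awk -v k="$key" '
            FNR == 1                  { inmatch = 0 }
            /^[ \t]*#/ || NF == 0     { next }
            tolower($1) == "match"    { inmatch = 1; next }
            inmatch                   { next }
            tolower($1) == tolower(k) { print tolower($2); exit }
        ' "$@")
        if [ -z "$got" ]; then
            echo "MISSING $key (not set; the compiled-in default applies)"
            findings=$((findings + 1))
        elif [ "$got" != "$want" ]; then
            echo "WEAK    $key=$got (want $want)"
            findings=$((findings + 1))
        fi
    done
    return "$findings"
}

# Demonstration on constructed configs (not a real host): a hardened main
# file defeated by a cloud-init style drop-in that precedes it.
demo_sshd_audit() {
    dir=$(mktemp -d)
    cat > "$dir/sshd_config" <<'EOF'
PermitRootLogin no
PasswordAuthentication no
KbdInteractiveAuthentication no
PubkeyAuthentication yes
PermitEmptyPasswords no
X11Forwarding no
Match User backup
    PasswordAuthentication yes
EOF
    printf 'PasswordAuthentication yes\n' > "$dir/50-cloud-init.conf"
    echo "main file alone:"
    n=0; audit_sshd_config "$dir/sshd_config" || n=$?
    echo "findings: $n"
    echo "with the drop-in read first:"
    n=0; audit_sshd_config "$dir/50-cloud-init.conf" "$dir/sshd_config" || n=$?
    echo "findings: $n"
    rm -rf "$dir"
}

demo_sshd_audit
# On a real host: audit_sshd_config /etc/ssh/sshd_config.d/*.conf /etc/ssh/sshd_config
```

The second run reports `WEAK PasswordAuthentication=yes` even though the main file says `no`, which is exactly the state a freshly provisioned Ubuntu VPS is in after hardening only `/etc/ssh/sshd_config`.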
4. Implement Brute Force Protection
Even with SSH key authentication, other services (mail, FTP, WordPress, DirectAdmin) accept password authentication and are targeted by automated brute force tools. Server-level brute force detection (fail2ban and CrowdSec are the common standalone tools) tails the authentication logs, counts failures per source address, and blocks offenders at the firewall for a set period. Two caveats: bans are only as good as the addresses in the logs, so a service behind a proxy or CDN must log the real client IP or the ban lands on the proxy; and automatic banning must never apply to your own management addresses, so whitelist them before enabling it.
VistoShield integration: Built-in brute force detection across all services — SSH, FTP, SMTP, POP3, IMAP, DirectAdmin, and WordPress. See our WordPress brute force protection guide for application-level details.
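To make the mechanism concrete, here is an added example (not VistoShield code) of the core loop a log-based brute force blocker runs: count authentication failures per source address across sshd, Dovecot and Postfix log formats, report every address at or above a threshold, and emit the nftables command that would ban it with a timeout. It assumes POSIX sh and awk, handles IPv4 only, and the log lines are constructed samples using RFC 5737 documentation addresses. The `banned` set and its drop rule are hypothetical names chosen to fit the `inet filter` table from the firewall section.

```shell
#!/bin/sh
# Added example, not VistoShield code: the core of what fail2ban-style tools do.
# The log lines below are constructed samples (RFC 5737 addresses), not real data.
SAMPLE_LOG=$(cat <<'EOF'
Mar  3 10:01:11 web1 sshd[2231]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Mar  3 10:01:13 web1 sshd[2231]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Mar  3 10:01:15 web1 sshd[2240]: Failed password for root from 203.0.113.7 port 51030 ssh2
Mar  3 10:01:16 web1 sshd[2244]: Accepted publickey for deployer from 198.51.100.4 port 40012 ssh2
Mar  3 10:02:01 web1 sshd[2250]: Invalid user oracle from 203.0.113.7 port 51100
Mar  3 10:02:20 web1 dovecot: imap-login: Disconnected (auth failed, 1 attempts in 4 secs): user=<bob>, method=PLAIN, rip=198.51.100.99, lip=10.0.0.5
Mar  3 10:02:22 web1 postfix/smtpd[2300]: warning: unknown[198.51.100.99]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Mar  3 10:02:30 web1 sshd[2260]: Failed password for deployer from 198.51.100.4 port 40020 ssh2
EOF
)

# find_offenders THRESHOLD < logfile  ->  "count ip" lines, highest count first
find_offenders() {
    awk -v thr="$1" '
        { fail = 0 }
        # sshd: password failures and probes for non-existent users
        /sshd\[[0-9]+\]: (Failed password|Invalid user) /      { fail = 1 }
        # Dovecot IMAP/POP3 logins: the client address is rip=, not lip=
        /dovecot: .*auth failed/                                { fail = 1 }
        # Postfix SMTP AUTH failures: "unknown[<ip>]: SASL ... authentication failed"
        /postfix\/smtpd\[[0-9]+\]: .*authentication failed/     { fail = 1 }
        # the first IPv4 literal on a failure line is the client in all three formats
        fail && match($0, /[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+/) {
            fails[substr($0, RSTART, RLENGTH)]++
        }
        END { for (ip in fails) if (fails[ip] >= thr) printf "%d %s\n", fails[ip], ip }
    ' | sort -rn
}

# ban_command IP -> the nft command that adds IP to a timed set. Assumes the set
# and its rule were created once (hypothetical names matching the table above):
#   nft add set inet filter banned '{ type ipv4_addr; flags timeout; }'
#   nft insert rule inet filter input ip saddr @banned drop
ban_command() {
    printf "nft add element inet filter banned '{ %s timeout 1h }'\n" "$1"
}

# Demonstration: anything with three or more failures gets a ban command.
# The successful key login and the single failure from 198.51.100.4 are ignored.
printf '%s\n' "$SAMPLE_LOG" | find_offenders 3 | while read -r count ip; do
    echo "$count failures from $ip -> $(ban_command "$ip")"
done
```

Run against a live host with `find_offenders 5 < /var/log/auth.log`. A production blocker adds a sliding time window rather than counting over the whole file, and escalates the timeout for repeat offenders, which is what the progressive lockouts mentioned above refer to.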
5. Disable Unnecessary Services
Every running service is a potential attack surface. Audit your server and disable anything not actively needed.
# List all running services
systemctl list-units --type=service --state=running
# List all listening TCP and UDP sockets with the owning process
ss -tulnp
# Disable unnecessary services (examples)
systemctl disable --now cups # Printing (rarely needed on servers)
systemctl disable --now avahi-daemon # mDNS (desktop feature)
systemctl disable --now bluetooth # Bluetooth (irrelevant on servers)
systemctl disable --now rpcbind # RPC/NFS (if not using NFS)
Each open port and running service is an entry point. A web hosting server typically needs only HTTP(S), SSH, mail, DNS, file transfer (SFTP or FTPS rather than plain FTP, which sends credentials in clear text), and the control panel. Everything else should be disabled, and anything that must run but is only used locally should listen on 127.0.0.1 rather than all interfaces.
6. Configure Trusted DNS Resolution
DNS resolution is foundational to security. A hijacked resolver configuration can redirect outbound connections (package mirrors, webhooks, SMTP delivery), enable man-in-the-middle attacks, or leak information about your infrastructure.
# Use trusted DNS resolvers in /etc/resolv.conf
nameserver 1.1.1.1 # Cloudflare
nameserver 9.9.9.9 # Quad9 (malware filtering)
# Prevent resolv.conf from being overwritten by DHCP clients or NetworkManager.
# Only do this when /etc/resolv.conf is a regular file. On systemd-resolved hosts it is a
# symlink into /run; configure DNS= (and DNSOverTLS=yes) in /etc/systemd/resolved.conf instead.
chattr +i /etc/resolv.conf
# Verify which resolver is actually answering
resolvectl status
Consider running a local validating resolver (Unbound) with DNSSEC validation enabled and DNS over TLS to its upstreams; on busy servers it also improves cache performance and privacy.
7. Secure File Permissions
Incorrect file permissions are a common vulnerability, especially in shared hosting environments where multiple users share the same server.
# Set restrictive permissions on sensitive files
chmod 600 /etc/ssh/sshd_config
chmod 644 /etc/passwd
chmod 700 /root
# /etc/shadow ships as 0640 root:shadow on Debian/Ubuntu and 0000 root:root on the
# RHEL family. Do not loosen either, and do not tighten Debian's to 600: setgid-shadow
# helpers such as unix_chkpwd need to read it.
ls -l /etc/shadow
# WordPress permissions (per-site)
find /path/to/wordpress -type d -exec chmod 755 {} +
find /path/to/wordpress -type f -exec chmod 644 {} +
# 400 works only when PHP-FPM runs as the file owner. If the pool runs as a different
# user in the owner's group, use 440.
chmod 400 /path/to/wordpress/wp-config.php
# Ensure no world-writable files (-xdev stays on one filesystem; run per mount point)
find / -xdev -type f -perm -0002 -ls
# List SUID/SGID binaries and diff against a known-good baseline; anything unexpected
# (or anything inside a web root) is a finding
find / -xdev \( -perm -4000 -o -perm -2000 \) -type f -ls
VistoShield integration: The Security Scanner checks WordPress file permissions and flags insecure configurations like world-writable files, writable wp-config.php, and exposed sensitive files.
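Blindly re-applying chmod hides what was wrong. The script below is an added example (not VistoShield's scanner) that first reports the deviations that matter under a site root (entries writable by group or others, a wp-config.php readable by others, setuid/setgid files), then applies the 755/644 baseline from above and proves the report is empty afterwards. It assumes GNU find (`-perm /mode`, `-printf`); the site tree it builds is constructed for the demonstration, not real data.

```shell
#!/bin/sh
# Added example, not VistoShield code: audit, fix, re-audit a web root's permissions.

audit_site_perms() {
    root=$1
    # -perm /022: any of the group-write or other-write bits is set
    find "$root" \( -type d -o -type f \) -perm /022 -printf 'WRITABLE %m %p\n'
    # the config holds database credentials; "others" must not be able to read it
    find "$root" -type f -name wp-config.php -perm /004 -printf 'EXPOSED  %m %p\n'
    # setuid/setgid has no business inside a web root
    find "$root" -type f -perm /6000 -printf 'SETUID   %m %p\n'
}

count_site_findings() {
    audit_site_perms "$1" | wc -l | tr -d ' '
}

fix_site_perms() {
    root=$1
    find "$root" -type d -exec chmod 755 {} +
    find "$root" -type f -exec chmod 644 {} +   # a plain numeric mode also clears setuid/setgid on files
    # 440 keeps the file readable by the PHP-FPM pool's group; use 400 when the pool
    # runs as the file owner
    if [ -f "$root/wp-config.php" ]; then chmod 440 "$root/wp-config.php"; fi
}

# Demonstration on a constructed site tree: plant the classic mistakes, audit,
# fix, audit again. Succeeds only if 4 findings become 0.
demo_site_perms() {
    site=$(mktemp -d)
    mkdir -p "$site/wp-content/uploads"
    chmod 755 "$site" "$site/wp-content"
    chmod 777 "$site/wp-content/uploads"                              # world-writable upload dir
    : > "$site/wp-config.php"; chmod 644 "$site/wp-config.php"        # credentials readable by all
    : > "$site/wp-content/uploads/x.php"; chmod 666 "$site/wp-content/uploads/x.php"
    : > "$site/wp-content/helper"; chmod 4755 "$site/wp-content/helper"   # setuid file in docroot
    before=$(count_site_findings "$site")
    audit_site_perms "$site"
    fix_site_perms "$site"
    after=$(count_site_findings "$site")
    rm -rf "$site"
    echo "findings before fix: $before, after fix: $after"
    [ "$before" -eq 4 ] && [ "$after" -eq 0 ]
}

demo_site_perms
# On a real host: audit_site_perms /var/www/example.com, review, then fix_site_perms
```

Run the audit on a schedule and alert on any output; a web root that was clean yesterday and has a new world-writable file today is usually an upload handler or a compromised plugin, not an administrator.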
8. Enable SELinux or AppArmor
Mandatory Access Control (MAC) systems provide an additional security layer beyond traditional Unix permissions. They confine processes to the minimum set of resources they need, limiting the damage from a compromised service.
# Check SELinux status (RHEL-family)
getenforce
# Enable SELinux in enforcing mode. This takes effect immediately if SELinux is currently
# permissive; if it was disabled, set the config below, run "touch /.autorelabel" and
# reboot so the filesystem is labelled first.
setenforce 1
# Make permanent: edit /etc/selinux/config
# SELINUX=enforcing
# When something breaks, read the denials instead of disabling enforcement
ausearch -m AVC -ts recent
# Check AppArmor status (Debian/Ubuntu)
aa-status
# Enable AppArmor and confirm profiles are in enforce mode, not complain mode
systemctl enable --now apparmor
aa-status | grep -A3 'enforce mode'
On RHEL-family systems, SELinux is the standard. On Debian/Ubuntu, AppArmor is the default. Do not disable these systems — learn to work with them. Many security incidents are contained by MAC policies that prevent an exploited service from accessing resources outside its profile.
9. Configure Log Management
Logs are essential for detecting intrusions, diagnosing problems, and forensic analysis after incidents. Ensure logs are properly configured, rotated, and ideally shipped to a remote location where an attacker cannot tamper with them.
# Ensure rsyslog or journald is running
systemctl status rsyslog systemd-journald
# Keep the journal on disk across reboots. Storage=auto only persists when
# /var/log/journal exists, so set it explicitly in /etc/systemd/journald.conf:
# Storage=persistent
# Configure log rotation (typically pre-configured)
cat /etc/logrotate.d/syslog
# Key logs to monitor:
# /var/log/auth.log (or /var/log/secure) - Authentication events
# /var/log/syslog (or /var/log/messages) - System events
# /var/log/kern.log - Kernel events
# Web server access and error logs
# Ship logs to a remote syslog server (rsyslog). "@@" is TCP, "@" is UDP; neither is
# encrypted or authenticated, so use rsyslog's TLS transport (gtls) or RELP over TLS
# for anything that crosses an untrusted network, otherwise the copy an attacker
# cannot tamper with is one they can read or spoof in transit.
# Add to /etc/rsyslog.conf:
# *.* @@remote-log-server.example.com:514
VistoShield integration: VistoShield monitors authentication logs for brute force detection and provides the Activity Log for WordPress-level audit trails.
10. Harden the Kernel
Kernel parameters control low-level networking and security behavior. Proper sysctl configuration mitigates several classes of network attacks.
# /etc/sysctl.d/99-security.conf
# Disable IP forwarding (unless the server routes; note that Docker and some VPNs re-enable it)
net.ipv4.ip_forward = 0
net.ipv6.conf.all.forwarding = 0
# Prevent IP spoofing (1 = strict; use 2 = loose on multi-homed hosts with asymmetric routing)
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
# Ignore and do not send ICMP redirects (prevent route manipulation / MITM).
# The "default" entries apply to interfaces created later.
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv6.conf.all.accept_redirects = 0
net.ipv6.conf.default.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
# Ignore source-routed packets
net.ipv4.conf.all.accept_source_route = 0
net.ipv6.conf.all.accept_source_route = 0
# Enable SYN flood protection
net.ipv4.tcp_syncookies = 1
# Log suspicious packets
net.ipv4.conf.all.log_martians = 1
# Disable ICMP broadcast responses (prevent smurf attacks)
net.ipv4.icmp_echo_ignore_broadcasts = 1
# Hide kernel pointers and dmesg from unprivileged users (they leak addresses to exploits)
kernel.kptr_restrict = 2
kernel.dmesg_restrict = 1
# Block symlink/hardlink races in world-writable directories such as /tmp
fs.protected_symlinks = 1
fs.protected_hardlinks = 1
# Only allow ptrace of descendants (a compromised process cannot read sibling memory)
kernel.yama.ptrace_scope = 1
# Apply this file now, reload every file in /etc/sysctl.d in order, and confirm
sysctl -p /etc/sysctl.d/99-security.conf
sysctl --system
sysctl net.ipv4.ip_forward net.ipv4.tcp_syncookies kernel.kptr_restrict
11. Secure the Boot Process
Physical or console access to the boot process can allow an attacker to edit a menu entry (for example appending init=/bin/sh to the kernel line), reset the root password, or boot into single-user mode. Set a GRUB password so menu entries cannot be edited without it. This is only meaningful alongside a firmware (BIOS/UEFI) password that prevents booting other media; on a cloud VPS the console is reached through the provider's control panel, so the real boundary there is the provider account and its MFA.
# Generate a GRUB password hash
grub-mkpasswd-pbkdf2
# Append to /etc/grub.d/40_custom (everything after its "exec tail" line is copied into grub.cfg verbatim):
# set superusers="admin"
# password_pbkdf2 admin grub.pbkdf2.sha512.10000.HASH_HERE
# A remote server must still boot unattended. Once superusers is set, every menu entry
# requires the password unless it carries --unrestricted: on Debian/Ubuntu add
# --unrestricted to CLASS in /etc/grub.d/10_linux. The RHEL family provides
# grub2-setpassword, and its stock entries remain bootable without the password.
# Update GRUB
update-grub # Debian/Ubuntu
grub2-mkconfig -o /boot/grub2/grub.cfg # RHEL-family
12. Implement Disk Encryption
Full disk encryption (LUKS) protects data at rest, preventing data theft from stolen or decommissioned drives. This is particularly important for compliance-sensitive environments and cloud VPS instances where the underlying storage is managed by a third party.
For new installations, enable LUKS during the OS installation process. For existing servers, encrypting the root filesystem in place is complex; focus on encrypting sensitive data partitions or using encrypted containers for critical data. A server that must reboot unattended also needs a way to supply the key: bind it to the TPM (systemd-cryptenroll --tpm2-device=auto), to a network key server (Clevis with Tang), or unlock remotely over SSH from the initramfs (dropbear-initramfs); otherwise every reboot waits at the passphrase prompt. Note what LUKS does and does not cover on a VPS: it protects disk images, snapshots and decommissioned storage at rest, but the provider's hypervisor still has access to the running guest's memory.
13. Configure Email Security
If your server sends email (notifications, password resets, WordPress emails), secure the mail configuration to prevent abuse.
# Restrict SMTP relay (Postfix example)
# /etc/postfix/main.cf
smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
# mynetworks is trusted to relay without authentication: keep it to loopback unless you truly relay for a LAN
mynetworks = 127.0.0.0/8 [::1]/128
# Enable TLS inbound and outbound, and never accept SASL credentials on a cleartext connection
smtpd_tls_cert_file = /path/to/cert.pem
smtpd_tls_key_file = /path/to/key.pem
smtpd_tls_security_level = may
smtpd_tls_auth_only = yes
smtp_tls_security_level = may
# Validate and apply, then confirm from an external host that you are not an open relay
postfix check && systemctl reload postfix
postconf -n | grep -E 'relay_restrictions|mynetworks|tls'
# e.g. from outside: swaks --to someone@otherdomain.example --server your.mail.host (expect a relay denied response)
# Set up SPF, DKIM, and DMARC DNS records for your domains
VistoShield integration: VistoShield monitors SMTP authentication failures for brute force detection and blocks attackers targeting mail services.
14. Harden PHP Configuration
PHP runs the bulk of the web applications on hosting servers, WordPress included, so it is where most web-layer compromises land. Hardening PHP limits what a compromised script can do once an attacker has code execution inside a site.
# Key php.ini hardening settings. With PHP-FPM, set them per pool with
# php_admin_value[...] in the pool file so a site cannot override them with
# ini_set() or a .user.ini.
# Disable dangerous functions (check first that your backup and cron plugins do not need them)
disable_functions = exec,passthru,shell_exec,system,proc_open,popen,parse_ini_file,show_source
# Hide PHP version
expose_php = Off
# Never show errors to visitors; log them instead
display_errors = Off
log_errors = On
# Limit file uploads
file_uploads = On
upload_max_filesize = 10M
# Restrict file access (with FPM, narrow this to the pool's own document root)
open_basedir = /home/:/tmp/:/var/tmp/
# Disable remote file inclusion. allow_url_include is the dangerous one;
# allow_url_fopen = Off also breaks plugins that fetch URLs with file_get_contents,
# so test before disabling it fleet-wide.
allow_url_fopen = Off
allow_url_include = Off
# Session security
session.cookie_httponly = On
session.cookie_secure = On
session.cookie_samesite = Lax
session.use_strict_mode = On
For hosting servers with multiple users, configure per-user open_basedir restrictions through DirectAdmin or your control panel to prevent one compromised site from accessing another user's files.
15. Set Up Intrusion Detection
File integrity monitoring detects unauthorized changes to system files, configuration files, and application code. This is critical for identifying compromises that bypass network-level defenses.
VistoShield integration: The Security Scanner provides file integrity monitoring for WordPress installations, comparing files against official repository versions and detecting modifications, additions, and deletions.
For system-level file integrity monitoring beyond WordPress, tools like AIDE (Advanced Intrusion Detection Environment) or OSSEC provide comprehensive filesystem change detection.
# Install AIDE and build the baseline (Debian/Ubuntu; aideinit wraps aide --init and installs the new database as the baseline)
apt install aide && aideinit
# RHEL-family
dnf install aide && aide --init && mv /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz
# Run an integrity check (schedule it and ship or mail the report)
aide --check
# After intentional changes (updates) rebuild the baseline, then copy the database somewhere
# the server cannot write; an attacker with root can otherwise re-baseline their own changes.
aide --update && mv /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz
16. Configure Backup Strategy
Backups are your last line of defense. A solid backup strategy follows the 3-2-1 rule: three copies of your data, on two different types of media, with one copy stored off-site.
- Automate daily backups of databases and weekly full filesystem backups
- Store backups on a separate server or cloud storage service
- Test restoration regularly — an untested backup is not a backup
- Encrypt backup data in transit and at rest
- Retain backups for at least 30 days to allow recovery from undetected compromises
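"An untested backup is not a backup" is easy to state and rarely automated. The script below is an added example (not VistoShield tooling) of a backup job that is only considered done once the archive has been checksummed, restored into a scratch directory and compared byte-for-byte against the source, plus the retention pruning the list asks for. It assumes GNU tar, coreutils sha256sum, diff and find. Encryption before the archive leaves the host (age or gpg) is omitted so the example runs with base tools; it belongs between the tar step and the copy off-site. The site tree it backs up is constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not VistoShield code: backup, checksum, restore test, prune.

# verify_backup ARCHIVE SRC: check the recorded SHA-256, extract into a scratch
# directory, and diff the restored tree against SRC. Non-zero on any mismatch.
verify_backup() {
    archive=$1
    src=$2
    scratch=$(mktemp -d) || return 1
    if (cd "$(dirname "$archive")" && sha256sum -c --quiet "$(basename "$archive").sha256") \
        && tar -xzf "$archive" -C "$scratch" \
        && diff -r "$src" "$scratch/$(basename "$src")" >/dev/null
    then
        status=0
    else
        status=1
    fi
    rm -rf "$scratch"
    return "$status"
}

# backup_and_verify SRC DEST_DIR: writes DEST_DIR/<name>-<stamp>.tar.gz and a
# .sha256 beside it; prints the archive path on success, returns 1 on any failure.
backup_and_verify() {
    src=$1
    dest_dir=$2
    name=$(basename "$src")
    archive="$dest_dir/$name-$(date +%Y%m%d-%H%M%S).tar.gz"
    # -C so the archive holds relative paths under <name>/, never absolute ones
    tar -czf "$archive" -C "$(dirname "$src")" "$name" || return 1
    (cd "$dest_dir" && sha256sum "$(basename "$archive")" > "$(basename "$archive").sha256") || return 1
    verify_backup "$archive" "$src" || return 1
    echo "$archive"
}

# prune_backups DEST_DIR DAYS: enforce the retention window (30 days in the
# checklist) on archives and their checksum files.
prune_backups() {
    find "$1" -name '*.tar.gz' -mtime +"$2" -delete
    find "$1" -name '*.tar.gz.sha256' -mtime +"$2" -delete
}

# Demonstration on a constructed site tree (not real data)
demo_backup() {
    work=$(mktemp -d)
    mkdir -p "$work/site/wp-content" "$work/backups"
    echo '<?php // index' > "$work/site/index.php"
    echo "define('DB_PASSWORD', 'example');" > "$work/site/wp-config.php"
    archive=$(backup_and_verify "$work/site" "$work/backups") || { rm -rf "$work"; return 1; }
    echo "verified: $archive"
    rm -rf "$work"
}

demo_backup
```

The restore test is what turns a silently truncated or bit-rotted archive into a failed job instead of a surprise during an incident. For databases, dump with `mysqldump --single-transaction` first and include the dump file in the tree being archived, so the same verify step covers it.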
17. Implement Rate Limiting
Rate limiting prevents abuse across all server services — not just the firewall, but also at the web server and application level.
# Nginx rate limiting for WordPress
# Define zones in the http block. $binary_remote_addr is the TCP peer, so behind a
# CDN or reverse proxy every visitor shares the proxy's address: configure
# set_real_ip_from / real_ip_header (ngx_http_realip_module) first, trusting only
# addresses the proxy actually owns, or the first burst locks out everyone.
limit_req_zone $binary_remote_addr zone=global:10m rate=10r/s;
limit_req_zone $binary_remote_addr zone=wplogin:10m rate=1r/s;
limit_req_status 429;
# Apply in the server block:
location / {
    limit_req zone=global burst=20 nodelay;
}
location = /wp-login.php {
    limit_req zone=wplogin burst=3 nodelay;
}
# xmlrpc.php is the other favourite brute force target; limit it the same way or block it outright
location = /xmlrpc.php {
    limit_req zone=wplogin burst=3 nodelay;
}
# Test the configuration before reloading
nginx -t && systemctl reload nginx
VistoShield integration: VistoShield provides per-endpoint rate limiting with configurable thresholds at the server level, complementing web server rate limiting with firewall-level enforcement.
18. Manage User Accounts
Audit user accounts regularly and enforce the principle of least privilege.
# List all users with shell access
grep -Ev '/(nologin|false)$' /etc/passwd
# Check for UID 0 accounts (root equivalents)
awk -F: '$3 == 0 {print $1}' /etc/passwd
# Lock unused accounts. -L only disables the password; SSH keys still work,
# so also expire the account, which blocks every authentication method.
usermod -L -e 1 username
# Set password aging policy
chage -M 90 -W 14 username
# Ensure no accounts have empty passwords
awk -F: '$2 == "" {print $1}' /etc/shadow
# Review every authorized_keys file: each line is a login that no password policy touches
find / -xdev -name authorized_keys -path '*/.ssh/*' -exec sh -c 'echo "== $1"; cat "$1"' _ {} \;
# Review who has sudo, and whether NOPASSWD appears anywhere
grep -rEv '^[[:space:]]*(#|$)' /etc/sudoers /etc/sudoers.d/
19. Secure the Web Server
Whether running Nginx or Apache, web server hardening reduces information leakage and attack surface.
# Nginx security headers (/etc/nginx/conf.d/security.conf)
add_header X-Content-Type-Options "nosniff" always;
add_header X-Frame-Options "SAMEORIGIN" always;
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
add_header Permissions-Policy "camera=(), microphone=(), geolocation=()" always;
# X-XSS-Protection is obsolete: current browsers ignore it and the old filter it
# controlled introduced side channels, so set it to 0 (or omit it) rather than "1; mode=block"
add_header X-XSS-Protection "0" always;
# HSTS, once every hostname on the site serves valid TLS (start with a short max-age)
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains" always;
# Hide server version
server_tokens off;
# Note: add_header directives are not inherited by a location block that sets its
# own add_header; repeat them there or use an include.
# Apache equivalents (httpd.conf; ServerTokens is server-wide only and cannot go in .htaccess)
ServerTokens Prod
ServerSignature Off
Header always set X-Content-Type-Options "nosniff"
Header always set X-Frame-Options "SAMEORIGIN"
# Verify what the server actually sends
curl -sI https://example.com/ | grep -iE 'server|x-|strict|referrer|permissions'
VistoShield integration: The VistoShield Firewall module adds WordPress-specific request filtering on top of web server configuration, providing defense-in-depth.
20. Establish a Monitoring and Audit Routine
Security is not a one-time task. Establish a regular monitoring and audit schedule.
| Frequency | Task |
|---|---|
| Daily | Review security alerts and blocked IP logs |
| Daily | Check for failed system updates |
| Weekly | Review user login activity and new accounts |
| Weekly | Verify backup completion and test restoration |
| Monthly | Full WordPress security audit (see our security audit guide) |
| Monthly | Review and rotate access credentials |
| Quarterly | Comprehensive server security audit |
| Quarterly | Review and update firewall rules |
VistoShield integration: The Activity Log provides continuous monitoring of WordPress activity. The Security Scanner runs scheduled integrity checks. The server-level dashboard shows firewall events, blocked IPs, and threat trends.
Hardening Checklist Summary
| # | Item | VistoShield Covers |
|---|---|---|
| 1 | System updates | Scanner flags outdated WordPress |
| 2 | Firewall configuration | Full firewall management |
| 3 | SSH hardening | Brute force protection |
| 4 | Brute force protection | Multi-service detection |
| 5 | Disable unnecessary services | Manual task |
| 6 | DNS security | Manual task |
| 7 | File permissions | Scanner checks WP permissions |
| 8 | SELinux/AppArmor | Manual task |
| 9 | Log management | Log monitoring + Activity Log |
| 10 | Kernel hardening | Manual task |
| 11 | Boot security | Manual task |
| 12 | Disk encryption | Manual task |
| 13 | Email security | SMTP brute force protection |
| 14 | PHP hardening | Manual task |
| 15 | Intrusion detection | File integrity monitoring |
| 16 | Backup strategy | Manual task |
| 17 | Rate limiting | Server-level rate limiting |
| 18 | User account management | Manual task |
| 19 | Web server hardening | WordPress WAF rules |
| 20 | Monitoring and audit | Dashboard + Activity Log + Scanner |
Key Takeaways
Server hardening is not a single action but a layered process. Each point in this checklist addresses a specific attack vector, and the cumulative effect of implementing all 20 points is a dramatically reduced attack surface.
- Start with the highest-impact items: System updates, firewall, and SSH hardening provide the most security improvement per effort invested.
- Automate where possible: VistoShield Server Edition automates firewall management, brute force detection, and threat intelligence. Per the summary table it covers or partially covers 11 of the 20 checklist items, several of them only at the WordPress layer; the remaining 9 are manual tasks.
- Defense in depth: No single measure is sufficient. Layer your defenses so a failure in one layer is caught by another.
- Audit regularly: Security configurations drift over time. Scheduled audits catch misconfigurations before attackers do.
- WordPress needs application-level protection: Server hardening alone does not protect WordPress from application-layer threats. Deploy the VistoShield WordPress Edition for comprehensive WordPress security.
For WordPress-specific security auditing, continue to our WordPress security audit guide. For firewall details, see our nftables vs iptables comparison. Visit the VistoShield documentation for installation and configuration guides.