1️⃣ Keep the System Fully Updated
Most successful attacks exploit known vulnerabilities for which a patch already exists, but the server was never updated.
Always keep the kernel and installed packages up to date, especially on sensitive systems.
Commands:
sudo apt update && sudo apt upgrade -y
sudo yum update -y
⚠️ Kernel updates may require a reboot.
2️⃣ Disable Root Login via SSH
The root account is well-known and heavily targeted.
Create a regular user, grant sudo privileges, and disable root SSH access.
sudo nano /etc/ssh/sshd_config
In sshd_config:
PermitRootLogin no
sudo systemctl restart sshd
3️⃣ Change the Default SSH Port
Port 22 is constantly hit by brute-force scans.
Changing it does not replace real security, but it reduces automated attack noise.
In sshd_config:
Port 2222
sudo systemctl restart sshd
4️⃣ Use SSH Keys Instead of Passwords
SSH keys are vastly more secure than passwords and practically impossible to brute-force.
After confirming key-based login works, disable password authentication.
ssh-keygen -t ed25519
In sshd_config:
PasswordAuthentication no
PubkeyAuthentication yes
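As an added example (not part of the original guide), a small POSIX shell check for the three sshd_config settings from sections 2 to 4. It reads a config file, reports which of PermitRootLogin, PasswordAuthentication and PubkeyAuthentication are missing or weak, and ships with two constructed sample configs so it can be tried without touching a live host.

```shell
#!/bin/sh
# Added example, not from the original guide: audit a sshd_config file for the
# three settings recommended above and report anything missing or weak.
# sshd uses the FIRST uncommented occurrence of a top-level keyword, so that
# is what we read; Match blocks (per-user/host overrides) are skipped.

# audit_sshd_config FILE  -> prints one finding per line, returns 0 only if all pass
audit_sshd_config() {
    file="$1"
    rc=0
    for pair in PermitRootLogin=no PasswordAuthentication=no PubkeyAuthentication=yes; do
        key="${pair%%=*}"
        want="${pair#*=}"
        got=$(awk -v k="$key" '
            tolower($1) == "match" { exit }                 # stop before Match blocks
            tolower($1) == tolower(k) { print tolower($2); exit }
        ' "$file")
        if [ -z "$got" ]; then
            echo "MISSING $key (sshd default applies)"; rc=1
        elif [ "$got" != "$want" ]; then
            echo "WEAK    $key is $got, expected $want"; rc=1
        else
            echo "OK      $key $got"
        fi
    done
    return $rc
}

# write_sample_config FILE weak|hardened  -> constructed sample configs for testing
write_sample_config() {
    if [ "$2" = "weak" ]; then
        cat > "$1" <<'EOF'
# constructed sample: defaults left in place
Port 2222
#PermitRootLogin prohibit-password
PermitRootLogin yes
PasswordAuthentication yes
Match User deploy
    PasswordAuthentication no
EOF
    else
        cat > "$1" <<'EOF'
# constructed sample: settings from sections 2-4 applied
Port 2222
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
EOF
    fi
}

# Usage on a real host: audit_sshd_config /etc/ssh/sshd_config
```

Run it against /etc/ssh/sshd_config before restarting sshd; a non-zero exit means at least one of the three settings is not yet in place.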
5️⃣ Enable Firewall (UFW or Firewalld)
Golden rule:
If a service is not needed → disable it.
If a service is needed → open only its required port.
Example using UFW:
sudo ufw allow 2222/tcp
sudo ufw allow http
sudo ufw allow https
sudo ufw enable
⚠️ Always allow SSH before enabling the firewall.
6️⃣ Install Fail2Ban
Fail2Ban detects repeated failed login attempts and automatically bans attacking IP addresses.
sudo apt install fail2ban -y
7️⃣ Enable Mandatory Access Control (SELinux or AppArmor)
Mandatory access control adds an extra security layer that restricts what applications can access, even when they run as a privileged user.
RHEL/CentOS → SELinux
Ubuntu/Debian → AppArmor
Example (SELinux):
sudo setenforce 1
⚠️ setenforce only applies until the next reboot; set SELINUX=enforcing in /etc/selinux/config to make it persistent.
8️⃣ Use File Integrity Monitoring (AIDE or OSSEC)
These tools detect unauthorized changes to critical system files and alert you immediately.
sudo apt install aide -y
sudo aideinit
9️⃣ Disable Unused Services
Every running service increases the attack surface.
List running services and disable anything unnecessary.
systemctl list-units --type=service
sudo systemctl disable servicename
🔟 Enable Logging and Auditing
Logs are the first place you investigate during suspicious activity.
Use auditd to track sensitive system actions.
sudo apt install auditd
sudo systemctl enable auditd
sudo systemctl start auditd
Final Notes (Very Important)
Changing SSH ports is not real security, only noise reduction
SSH keys + firewall + fail2ban provide strong baseline protection
Always test backups — backups save businesses
Security is a process, not a one-time setup
