team@tinypod.app

Linux Server Hardening Checklist for Self-Hosters

A fresh Linux server is only as secure as its image defaults, and SSH brute-force scanners find new hosts within minutes of them coming online. This checklist covers the essential hardening steps, from SSH keys to automatic updates.

Tags: linux, security, hardening, server

Initial Setup (First 10 Minutes)


1. Update Everything

apt update && apt upgrade -y


Start with a fully patched system. The pair above is for Debian and Ubuntu (run as root or with sudo); reboot afterwards if a new kernel was installed, otherwise the old one keeps running.


2. Create a Non-Root User

adduser deploy

usermod -aG sudo deploy


Never use root for daily operations.


3. Set Up SSH Keys

On your local machine, generate a key pair if you don't have one:

ssh-keygen -t ed25519


Copy the public key to the server:

ssh-copy-id deploy@your-server


4. Harden SSH

Edit /etc/ssh/sshd_config:

  • PermitRootLogin no
  • PasswordAuthentication no
  • PubkeyAuthentication yes
  • MaxAuthTries 3

Check /etc/ssh/sshd_config.d/ as well. Ubuntu and Debian 12 include those drop-ins at the top of sshd_config, and sshd keeps the first value it reads for each option, so a drop-in such as Ubuntu's 50-cloud-init.conf (which on many hoster images sets PasswordAuthentication yes) silently wins over your edit; change or remove it. Validate with sshd -t, restart SSH with systemctl restart sshd, and keep your current session open until a new key-based login from a second terminal succeeds.
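The check a practitioner wants after editing sshd_config is what sshd will actually use, not what one file says. This is an added example, not TinyPod's code or anything from the original post: it expands Include drop-ins in the order sshd reads them, applies sshd's first-value-wins rule, and compares the result with the checklist. The config path is a parameter so it can be run against copies; the file names in the comments are assumptions.

```shell
#!/bin/sh
# Added example: static audit of the effective sshd configuration.
# sshd keeps the FIRST value it reads for an option, and Ubuntu/Debian 12
# put "Include /etc/ssh/sshd_config.d/*.conf" at the top of sshd_config,
# so a drop-in can override lines edited further down.
set -eu

# expand_includes FILE: print FILE with each Include line replaced by the
# files its (absolute) glob matches, in glob order, which is the order
# sshd reads them. Relative patterns (sshd resolves them against /etc/ssh)
# are not handled here.
expand_includes() {
  local file=$1 line f
  while IFS= read -r line || [ -n "$line" ]; do
    set -- $line                      # word-split (and glob) the line
    if [ "${1:-}" = Include ] || [ "${1:-}" = include ]; then
      shift
      for f in "$@"; do               # unmatched globs stay literal and fail -f
        if [ -f "$f" ]; then expand_includes "$f"; fi
      done
    else
      printf '%s\n' "$line"
    fi
  done < "$file"
  return 0
}

# effective_sshd_value KEY MAIN_CONFIG: the value sshd would use for KEY,
# or its compiled-in default when the option is never set. Scanning stops
# at the first Match block, since values after it are conditional.
effective_sshd_value() {
  local key=$1 main=$2 lkey val
  lkey=$(printf '%s' "$key" | tr 'A-Z' 'a-z')
  val=$(expand_includes "$main" | awk -v k="$lkey" '
      /^[[:space:]]*#/ || NF == 0 { next }
      tolower($1) == "match"      { inmatch = 1 }
      !inmatch && !found && tolower($1) == k { val = $2; found = 1 }
      END { if (found) print val }')
  if [ -z "$val" ]; then
    case $lkey in                     # OpenSSH defaults for the checklist keys
      permitrootlogin)                             val=prohibit-password ;;
      passwordauthentication|pubkeyauthentication) val=yes ;;
      maxauthtries)                                val=6 ;;
      *)                                           val='(unset)' ;;
    esac
  fi
  printf '%s\n' "$val"
}

# audit_sshd MAIN_CONFIG: compare each checklist setting with its effective
# value; prints one line per key and returns 1 on any mismatch, so it can
# gate a provisioning script.
audit_sshd() {
  local main=$1 rc=0 spec key want got
  for spec in PermitRootLogin=no PasswordAuthentication=no \
              PubkeyAuthentication=yes MaxAuthTries=3; do
    key=${spec%%=*}; want=${spec#*=}
    got=$(effective_sshd_value "$key" "$main")
    if [ "$got" = "$want" ]; then
      printf 'OK   %-22s %s\n' "$key" "$got"
    else
      printf 'FAIL %-22s %s (want %s)\n' "$key" "$got" "$want"; rc=1
    fi
  done
  return "$rc"
}

# On a real host: audit_sshd /etc/ssh/sshd_config
```

Run audit_sshd /etc/ssh/sshd_config on the host, then sshd -t before restarting. The authoritative answer is sudo sshd -T, which prints the effective configuration from sshd itself; the static audit is for checking a config before it reaches a host.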


5. Configure Firewall

Install ufw if it is not present (apt install ufw), then deny everything inbound and allow only what the server actually serves. Allow SSH before enabling, or you lock yourself out:

ufw default deny incoming

ufw default allow outgoing

ufw allow 22/tcp

ufw allow 80/tcp

ufw allow 443/tcp

ufw enable

If you moved SSH to another port, allow that port instead of 22. ufw limit 22/tcp behaves like allow but rate-limits connection attempts from one address, a cheap extra on top of fail2ban. Confirm the result with ufw status verbose.


Ongoing Hardening


6. Install fail2ban

apt install fail2ban


fail2ban bans a source IP after repeated failed logins. The Debian and Ubuntu packages enable the sshd jail out of the box; confirm with fail2ban-client status sshd. One caveat: the jail reads /var/log/auth.log, and a Debian 12 install without rsyslog does not have that file (logs live only in the journal). In that case set backend = systemd under [sshd] in /etc/fail2ban/jail.local, or install rsyslog.


7. Enable Automatic Security Updates

apt install unattended-upgrades

dpkg-reconfigure unattended-upgrades


Security patches then install on their own, but updates to the kernel or libc only take effect after a reboot. Either set Unattended-Upgrade::Automatic-Reboot "true" (and an Automatic-Reboot-Time) in /etc/apt/apt.conf.d/50unattended-upgrades, or watch for /var/run/reboot-required and reboot yourself. unattended-upgrade --dry-run --debug shows what would be applied.


8. Set Up Log Monitoring

Critical logs to watch:

  • /var/log/auth.log: SSH login attempts and sudo use (journalctl -u ssh on a Debian 12 system without rsyslog)
  • /var/log/syslog: System events (journalctl on journal-only systems)
  • Container logs: Application-level events (docker logs <container> for Docker-managed ones)
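The following added example (not from the original post or from TinyPod) shows what fail2ban does with the auth.log lines from step 6 and what to look for when watching that log yourself in step 8: it counts authentication failures per source IP, lists the addresses that reach a ban threshold, and summarises successful logins by method and origin. The log excerpt is constructed for the example; the host name web1, the PIDs and the key fingerprint are made up.

```shell
#!/bin/sh
# Added example: failure counting over auth.log lines (roughly what the
# fail2ban sshd filter matches) plus a successful-login summary.
set -eu

# write_sample_authlog FILE: constructed auth.log excerpt in the format
# OpenSSH logs on Debian/Ubuntu. 203.0.113.7 is brute-forcing,
# 198.51.100.9 is the legitimate admin (TEST-NET addresses, not real).
write_sample_authlog() {
  cat > "$1" <<'EOF'
Mar 10 12:00:01 web1 sshd[1201]: Invalid user admin from 203.0.113.7 port 51234
Mar 10 12:00:01 web1 sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Mar 10 12:00:03 web1 sshd[1202]: Failed password for root from 203.0.113.7 port 51240 ssh2
Mar 10 12:00:05 web1 sshd[1203]: Failed password for deploy from 198.51.100.9 port 40001 ssh2
Mar 10 12:00:06 web1 sshd[1204]: Accepted publickey for deploy from 198.51.100.9 port 40002 ssh2: ED25519 SHA256:constructedfingerprint
Mar 10 12:00:07 web1 sshd[1205]: Failed password for invalid user test from 203.0.113.7 port 51250 ssh2
Mar 10 12:00:09 web1 sshd[1206]: Connection closed by authenticating user root 203.0.113.7 port 51260 [preauth]
EOF
}

# ssh_failures_by_ip LOG: "IP COUNT" per source address, counting failed
# passwords, invalid users and pre-auth disconnects of an authenticating
# user, the way fail2ban's sshd filter does. IPv4 only, for brevity.
ssh_failures_by_ip() {
  awk '
    / sshd\[[0-9]+\]: / && (/Failed password for/ || /Invalid user/ ||
                            /Connection closed by authenticating user/) {
      if (match($0, /[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+/))
        n[substr($0, RSTART, RLENGTH)]++
    }
    END { for (ip in n) print ip, n[ip] }
  ' "$1" | sort
}

# ban_candidates LOG MAXRETRY: addresses whose failure count reaches
# MAXRETRY (fail2ban defaults to 5 within a 10 minute findtime; the time
# window is ignored here).
ban_candidates() {
  ssh_failures_by_ip "$1" | awk -v max="$2" '$2 >= max { print $1 }'
}

# accepted_logins LOG: "METHOD USER IP" per successful login, so logins
# from an address you do not recognise stand out.
accepted_logins() {
  awk '/ sshd\[[0-9]+\]: Accepted / {
    for (i = 1; i <= NF; i++) {
      if ($i == "for")  user = $(i + 1)
      if ($i == "from") ip   = $(i + 1)
    }
    print $7, user, ip          # $7 is the method: publickey or password
  }' "$1"
}

# On a live host: ban_candidates /var/log/auth.log 5
```

On a live host point the functions at /var/log/auth.log (or at journalctl -u ssh --no-pager saved to a file on journal-only systems). fail2ban's real filter has more patterns and a time window; fail2ban-client status sshd shows what it has actually banned.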

9. Disable Unnecessary Services

List running services: systemctl list-units --type=service

Disable anything you don't need (systemctl disable --now <service>), then check what is actually listening with ss -tlnp: any socket bound to 0.0.0.0 or [::] that the firewall does not cover is reachable from the internet.


10. Configure Time Synchronization

timedatectl set-ntp on


Accurate time matters for TLS certificate validation and for correlating logs across machines during an incident. Confirm with timedatectl status (look for "System clock synchronized: yes").


Advanced


11. Kernel Parameters

Harden network settings in /etc/sysctl.conf or, cleaner, in a drop-in such as /etc/sysctl.d/99-hardening.conf, then load them with sysctl --system:

  • Disable IP forwarding (unless the host routes; note that Docker turns it on itself for container networking)
  • Enable SYN flood protection (TCP SYN cookies)
  • Disable ICMP redirects, both accepting and sending them
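Added example, not from the original post: the three settings above rendered as a sysctl drop-in, plus a drift check that compares the desired values with what the running kernel reports. The file name 99-hardening.conf is an assumption; the IPv6 counterparts go beyond the bullet list because the IPv4 keys do not govern IPv6 forwarding or redirects.

```shell
#!/bin/sh
# Added example: render the sysctl drop-in and detect drift from it.
set -eu

# Desired values, "key value" per line. IPv6 twins are included because
# the IPv4 knobs do not cover IPv6 redirects or forwarding.
HARDENING_SYSCTLS='
net.ipv4.ip_forward 0
net.ipv6.conf.all.forwarding 0
net.ipv4.tcp_syncookies 1
net.ipv4.conf.all.accept_redirects 0
net.ipv4.conf.default.accept_redirects 0
net.ipv4.conf.all.send_redirects 0
net.ipv4.conf.default.send_redirects 0
net.ipv6.conf.all.accept_redirects 0
net.ipv6.conf.default.accept_redirects 0
'

# render_sysctl_conf: print the contents for /etc/sysctl.d/99-hardening.conf
# (assumed name). Apply with:
#   render_sysctl_conf | sudo tee /etc/sysctl.d/99-hardening.conf && sudo sysctl --system
render_sysctl_conf() {
  printf '# Network hardening; loaded by: sysctl --system\n'
  printf '%s\n' "$HARDENING_SYSCTLS" | awk 'NF == 2 { print $1 " = " $2 }'
}

# sysctl_drift SNAPSHOT: SNAPSHOT is a file of "key = value" lines in the
# format "sysctl -a" prints (on a live host: sysctl -a 2>/dev/null > file).
# Prints every key whose running value differs from, or lacks, the desired
# value and returns 1 if anything drifted, so it can run from cron or CI.
sysctl_drift() {
  local snapshot=$1
  printf '%s\n' "$HARDENING_SYSCTLS" | awk -v snap="$snapshot" '
    BEGIN {
      bad = 0
      while ((getline line < snap) > 0) {
        if (split(line, kv, /[[:space:]]*=[[:space:]]*/) == 2) cur[kv[1]] = kv[2]
      }
      close(snap)
    }
    NF == 2 {
      if (!($1 in cur))       { printf "MISSING %s (want %s)\n", $1, $2; bad = 1 }
      else if (cur[$1] != $2) { printf "DRIFT   %s = %s (want %s)\n", $1, cur[$1], $2; bad = 1 }
    }
    END { exit bad }'
}
```

A DRIFT line after a reboot usually means another drop-in or a container runtime set the key later; sysctl --system prints the files in the order it applies them, which tells you which one won.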

12. File System

  • Mount /tmp (and /dev/shm and /var/tmp) with noexec,nosuid,nodev; test afterwards, since some installers unpack and run from /tmp
  • Restrict permissions on sensitive files (600 on private keys and .env files, 440 on sudoers drop-ins)
  • Enable audit logging (auditd) for critical directories such as /etc/ssh and /etc/sudoers.d
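Added example, not part of the original post: a check that the scratch filesystems from the first bullet are mounted with noexec, nosuid and nodev. It reads the TARGET and OPTIONS columns that findmnt prints; the mount lines in the test are constructed. The fstab line it pairs with is "tmpfs /tmp tmpfs defaults,noexec,nosuid,nodev,size=512M 0 0" (the size is an assumption).

```shell
#!/bin/sh
# Added example: verify mount options on the scratch filesystems.
set -eu

# find_weak_mounts SNAPSHOT: SNAPSHOT holds "TARGET OPTIONS" lines as
# printed by "findmnt -rno TARGET,OPTIONS". For each directory that should
# be a separate noexec,nosuid,nodev mount, print what is missing; returns 1
# if any of them is weak or inherits its parent's options.
find_weak_mounts() {
  local snapshot=$1 rc=0 target opts want missing
  for target in /tmp /var/tmp /dev/shm; do
    opts=$(awk -v t="$target" '$1 == t { print $2 }' "$snapshot")
    if [ -z "$opts" ]; then
      printf 'WARN %-9s not a separate mount (inherits parent options)\n' "$target"
      rc=1
      continue
    fi
    missing=
    for want in noexec nosuid nodev; do
      case ",$opts," in
        *",$want,"*) ;;
        *) missing="$missing $want" ;;
      esac
    done
    if [ -n "$missing" ]; then
      printf 'FAIL %-9s missing:%s\n' "$target" "$missing"
      rc=1
    else
      printf 'OK   %-9s %s\n' "$target" "$opts"
    fi
  done
  return "$rc"
}

# On a live host (bash): find_weak_mounts <(findmnt -rno TARGET,OPTIONS)
```

After changing /etc/fstab, mount -o remount /tmp applies the new options without a reboot. For the third bullet, the auditd rule format is auditctl -w /etc/ssh/sshd_config -p wa -k sshd_config (watch for writes and attribute changes, tagged with a key you can search with ausearch -k); put the same line without auditctl in /etc/audit/rules.d/ to make it persistent.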

TinyPod Servers


TinyPod servers come pre-hardened with these settings. SSH key-only access, firewall configured, fail2ban active, and automatic security updates enabled.