Field notes · Security

Linux server hardening in 2026: the order that matters, the controls that earn their keep, and a score for your fleet.

A Linux server ships configured for convenience, and the internet finds the convenient defaults within minutes. Hardening is the systematic work of replacing those defaults with controls that resist the automated attacks every exposed server faces, in an order that front-loads the highest-impact moves. Here is that order, the controls worth the effort, the lockout mistake that ends careers, and a score you can run against your own server.

Published 12 June 2026 · Argus Root security practice · ~27 min read

Have your fleet hardened and run Score your server →

Linux server hardening is the systematic reduction of a server's attack surface, replacing the convenience-first defaults every server ships with by secure configuration, automated protection and continuous monitoring. It matters because the threat is automated and immediate: bots scan the entire internet continuously for weak SSH, exposed ports and outdated software, and an unhardened server connected to the internet is found and probed within minutes to hours, not days. The work has a natural order, and following it front-loads the risk reduction. SSH lockdown comes first, because SSH is the most attacked remote surface and disabling password authentication closes the single largest attack vector in half an hour. A default-deny firewall and automated blocking with fail2ban or CrowdSec come next, then automatic patching, then kernel sysctl hardening, then the detection layer of auditd, file integrity monitoring and centralised logging. Underneath the steps sit the CIS Benchmarks, the industry-standard reference that turns hardening from opinion into an auditable target, and the tools, OpenSCAP and Lynis, that measure how far you have got. The one rule that overrides all the others is procedural rather than technical: never lock yourself out of the server you are hardening, because the most common serious mistake in the whole exercise is severing your own access. This note walks the order, the controls that earn their keep, the compliance connection, and a hardening score you can run against your own machine.

Why the defaults are a liability, and the clock you are racing.

Hardening feels optional until you understand what is happening to an exposed server in the first hour of its life, which reframes it as urgent rather than housekeeping.

Every Linux server boots with a configuration designed to make it work easily, not to make it safe. SSH accepts password authentication so a new administrator can log in without setting up keys. Services install themselves listening on open ports because that is what makes them function out of the box. Kernel parameters are tuned for broad compatibility rather than restrictive safety. Each of those defaults is a reasonable convenience and a standing liability, and together they describe a server that is, the moment it has a public address, an open invitation to the automated scanners that never stop combing the internet for exactly these conditions.

The clock is the part that surprises people. The attacker is not a person who singled you out; it is a script probing every address in existence, and modern campaigns are automated and increasingly assisted by tooling that identifies vulnerable environments within minutes. A fresh server with default SSH and no firewall will see brute-force attempts almost immediately and can be compromised within hours if password authentication is open and the password is weak. A large share of successful intrusions exploit nothing sophisticated, just basic misconfigurations that hardening would have closed, which is the encouraging half of the picture: the same automation that makes the threat immediate also makes it generic, so the standard hardening steps that defeat the generic attack defeat the overwhelming majority of what an ordinary server faces. Hardening is not about stopping a nation-state; it is about not being the open door the scanners are built to find, and that goal is entirely achievable with discipline and an afternoon.

First, and most important: lock down SSH.

If you do one thing, do this, because SSH is the front door, it is attacked more than anything else, and the fix is fast and decisive.

SSH is the highest-value remote attack surface on a Linux server, the service an attacker most wants to break because it grants a shell, and consequently the most relentlessly probed. Three changes do most of the work. Disable root login over SSH, so that an attacker who guesses or steals a password still cannot land directly as the all-powerful account, forcing them through a named user and a privilege-escalation step that gives you more chances to detect and block them. Disable password authentication entirely and require SSH keys, which is the decisive move, because password authentication is the single largest SSH attack vector, the thing brute-force and credential-stuffing attacks exist to exploit, and a server that only accepts cryptographic keys is simply not vulnerable to password guessing at all. And restrict which users may connect over SSH, so the surface is the few accounts that genuinely need remote access rather than every account on the system.

The sequence to do this safely is as important as the changes themselves, because this is exactly where people lock themselves out. Ensure every user who needs access has deployed their public key and confirmed a key-based login works before you disable passwords. Back up the SSH configuration first. Validate the new configuration with sshd -t before restarting the daemon, because a syntax error on restart can refuse all logins. Keep your current administrative session open and untouched, and confirm a fresh login succeeds in a separate terminal before you close it. Only then is the change safe. Changing the SSH port can be layered on top as noise reduction, since moving off the default port cuts the volume of automated scanning that reaches your logs and makes genuine attempts easier to spot, but it is obscurity rather than security and never a substitute for key-only authentication. SSH lockdown takes about thirty minutes and returns the highest immediate risk reduction of any hardening task, which is why it comes first.

Accounts, sudo, and the principle of least privilege.

SSH controls who can connect; account hygiene controls what they can do once inside, and it is where a small compromise becomes a total one if the privilege boundaries are loose.

The governing idea is least privilege: every account should have exactly the access its role requires and no more, so that a compromised account is a contained problem rather than a catastrophic one. In practice that means no shared accounts, so every action traces to a named person and a stolen credential cannot hide in a crowd; no routine use of root, with administrators working as named users and escalating through sudo for the specific commands that need it, which both records who did what and limits the blast radius of a mistake or a compromise; and sudo permissions scoped tightly rather than granted wholesale, so that a user who needs to restart one service is not handed the keys to the entire system. A periodic audit of who has access to what, and the removal of accounts for people who have left or roles that have changed, keeps the access list matching reality, because the accounts that cause incidents are usually the forgotten ones nobody remembered to remove.

Multi-factor authentication closes the gap that key-only SSH alone leaves, and in 2026 it is increasingly expected rather than optional, because passwords and even keys can be stolen while a second factor is far harder to capture. Adding MFA to SSH and to privileged escalation means that a stolen key or credential is not, by itself, enough to get in or to gain root, which raises the bar on exactly the attacks that bypass the perimeter controls. For the accounts that matter most, the administrative and the privileged, MFA is the control that assumes the first factor will eventually be compromised and ensures that assumption is survivable. Strong password policy still applies to the credentials that remain, but the direction of travel is unmistakable: passwords alone no longer provide adequate protection, and the accounts with power over the system are exactly the ones that should require more than a single secret to use. Least privilege limits what a compromised account can reach; MFA makes the account harder to compromise in the first place; and together they ensure that getting a foothold on the server is not the same as owning it.

The firewall and the blocker: shrink the surface, punish the probes.

With SSH locked down, the next layer is controlling what can reach the server at all, and automatically penalising the things that try to break in.

The firewall posture that matters is default-deny on inbound traffic: block everything by default, then open only the specific ports the server's role requires. With a tool like ufw or nftables you set the incoming policy to deny, allow outgoing, and then explicitly permit SSH from trusted sources, HTTP and HTTPS for a web server, and nothing else, every open port being an attack surface you have to justify rather than one left open by oversight. Ports for internal services like a database should never face the public internet; they are restricted to the specific application servers that use them, so a database listens only to its application tier and is invisible to everyone else. The default-deny posture inverts the dangerous default, where a port is open unless someone closed it, into the safe one, where a port is closed unless someone justified opening it, and that inversion is most of what a firewall is for.

On top of the firewall sits automated blocking, because a default-deny firewall still has to leave SSH and your web ports open, and those open ports get attacked. Fail2ban watches authentication and service logs and temporarily bans the IP addresses that show brute-force or scanning behaviour, automatically updating firewall rules to lock them out, and production servers commonly see a large reduction in successful intrusion attempts after it is deployed with sensible jail settings, a short ban escalating with repeat offences. In 2026 it has a modern counterpart in CrowdSec, which adds a collaborative dimension: behaviour seen attacking one participant feeds a shared intelligence signal that can pre-emptively block that source for others, turning individual defence into collective defence. Either tool addresses the same reality, that manual log review cannot keep pace with automated attacks, so the blocking has to be automated too. Firewall to shrink the surface, automated blocker to punish the probes against what remains, is the network layer in two moves.

Patching and minimisation: close the doors you don't need.

Two of the highest-value controls are also the least glamorous: keeping software current, and removing what should not be running at all.

Unpatched software is among the most exploited entry points there is, because the majority of successful attacks weaponise known vulnerabilities for which a fix already existed, and the window an attacker exploits is the gap between a vulnerability becoming public and your servers being patched against it. The control is to shrink that window. Enable unattended security upgrades so that critical security patches apply automatically without waiting on a human, and run a patch review on a regular cadence, weekly or monthly depending on the environment's risk, to catch what automation does not cover. Critical vulnerabilities should be patched as soon as practical rather than queued, because automated attackers begin scanning for a newly disclosed vulnerability within hours of its publication, and a server still unpatched a week later has spent that week in the exploit window.

Minimisation is the other half: every package installed, service running and port open is attack surface, and the surface you remove is surface you never have to defend or patch. A server should run only the services its role requires, with everything else disabled or removed, and only the ports those services need left open. This is partly about reducing what an attacker can reach and partly about reducing what you have to maintain, since an unused service is one more thing that can carry a vulnerability, one more daemon that can be misconfigured, one more port a scanner can find. The discipline pairs with the firewall: minimisation removes the service, the firewall closes the port, and between them the server presents the smallest possible profile to the internet. A hardened server is as much about what is not on it as what is, and the habit of installing only what is needed, and removing what stops being needed, keeps the surface small as the server ages, which is where surface otherwise quietly grows.

Kernel hardening: the invisible layer.

Beneath the visible controls sits a set of kernel parameters that close network and exploitation attacks the defaults leave open, applied once and forgotten.

The Linux kernel exposes a large set of tunable parameters through sysctl, and a handful of them meaningfully harden the system's network and memory behaviour beyond the compatibility-tuned defaults. On the network side, disabling IP source routing and ICMP redirects removes ways an attacker can manipulate how packets reach the server, enabling reverse-path filtering causes the kernel to drop packets with spoofed source addresses, and SYN-flood protections harden against a classic denial-of-service technique. On the exploitation side, ensuring address space layout randomisation is enabled makes memory-corruption exploits substantially harder by randomising where things sit in memory, so an attacker cannot rely on fixed addresses. None of this is visible the way an SSH prompt or a firewall rule is, which is exactly why it is so often skipped, and why skipping it leaves a category of attack open that the visible controls do not touch.

The operational appeal of kernel hardening is that it is close to free. The parameters are written once to the sysctl configuration, persist across reboots, and impose no ongoing cost or day-to-day friction; the server simply behaves more safely at the network and memory level from then on. The CIS Benchmarks specify the recommended values, which removes the guesswork, and applying them is a matter of setting the documented parameters and confirming they took effect. It is the clearest example of a hardening step that is high value precisely because it is invisible and permanent: a one-time configuration that quietly defeats a class of attacks for the life of the server, asking nothing further of you once it is in place. Mandatory access control through SELinux or AppArmor sits in the same invisible-but-valuable category, confining what a compromised service can do even after an attacker is inside, and on distributions where it is enabled by default the right move is to keep it enforcing rather than the common shortcut of disabling it to make an application work.

The detection layer: auditd, integrity monitoring, and logs that leave.

Hardening prevents; this layer is how you know when prevention failed, and it is also where hardening meets compliance.

Prevention is never complete, so a hardened server also needs to record what happens on it and notice when something changes. The Linux audit daemon, auditd, records security-relevant events into a tamper-evident log: who accessed which sensitive files, which privileged commands ran, what changed in critical configuration. That record is what turns an incident from a vague 'something happened' into a precise timeline of what an attacker touched, and it is the forensic foundation of any serious investigation. Alongside it, file integrity monitoring with a tool like AIDE takes a cryptographic snapshot of the filesystem after hardening and checks against it on a schedule, so that a modified system binary, an added backdoor, or an altered configuration file is flagged on the next scan even when nothing else caught it, which is one of the more reliable ways to detect the quiet persistence an attacker establishes after a compromise.

The control that ties the detection layer to the rest of your security is forwarding: logs that stay on the server are logs an attacker can delete, so auditd and the rest should ship to a central system, a SIEM such as the Wazuh-based platform covered in our SIEM field note, where they are correlated across your fleet, retained beyond the reach of a single compromised host, and watched by the detection-and-response operation that the MDR field note describes. This is also precisely where hardening meets compliance. The auditd records and integrity monitoring that hardening establishes are the same evidence and the same detection feed that DORA's ICT risk-management framework and NIS2's security obligations require, and the CIS benchmarks hardening aligns to are referenced across PCI DSS, HIPAA and SOC 2. A well-hardened server is therefore simultaneously harder to compromise and easier to evidence as compliant, because the logging and integrity controls that catch an intruder are the same ones an auditor asks to see. Harden to shrink the surface, instrument to catch what gets through, forward so the evidence survives, and the same work serves security and compliance at once.

CIS Benchmarks and measuring the result.

Everything above is a set of practices; the CIS Benchmarks turn it into an auditable target, and the scanning tools turn 'feels secure' into a number you can track.

The Center for Internet Security publishes detailed hardening benchmarks for every major Linux distribution, and they are the industry-standard answer to the question 'how hardened is hardened enough?', referenced by compliance frameworks including PCI DSS, HIPAA and SOC 2. The benchmarks are organised into levels that let you choose how far to go. Level 1 is the practical baseline for most environments, controls with minimal performance or functionality impact that almost any server should meet. Level 2 goes deeper, with stricter controls that provide stronger hardening but may affect functionality, suited to higher-security or regulated environments where the trade-off is worth it. The value of the benchmark is that it replaces opinion with a defined, documented, auditable standard: instead of arguing about whether a server is secure, you state which level you target and measure against it.

Measuring is the step that closes the loop, and it should be done with tools rather than judgement. OpenSCAP, the open-source SCAP implementation, evaluates a system against the CIS benchmark for its distribution, or against DISA STIG or PCI-DSS profiles, and produces a detailed report of exactly which controls pass and which fail, which both shows your current state and gives you a prioritised list to work through. Lynis is a lighter auditing tool that runs quickly, produces a hardening score and concrete recommendations, and is well suited to recording a baseline on day one and tracking improvement over time as you work through the findings. The practice that makes this real is to scan early, record the baseline number, harden against the findings, and re-scan to confirm the score moved, because a hardening effort with no measurement is a hardening effort you cannot prove worked or show to an auditor. The benchmark sets the target; the scanner tells you the distance to it; and the gap between the two is your hardening backlog, made concrete.

The one mistake that ends the afternoon: locking yourself out.

Every experienced administrator has a story about this, and it is worth a section of its own because it is the single most common serious error in the whole exercise.

Hardening means tightening access, and tightening access is exactly how you accidentally remove your own. The classic sequences are familiar and avoidable: disabling password authentication before every user has a working key, so the next login is refused; restarting the SSH daemon after an edit that contains a syntax error, so the daemon refuses to start or rejects all connections; tightening the firewall to a default-deny posture that, in the deny rule, excludes the very source address you are connecting from; or changing the SSH port and forgetting to open the new one in the firewall. Each of these severs your only connection to a remote server, and on a machine you cannot physically reach, recovering from a lockout means console access through the provider, a rescue boot, or in the worst case rebuilding, hours of avoidable pain from a one-line mistake.

The discipline that prevents all of it is simple and non-negotiable, and seasoned operators follow it without exception. Keep one administrative session open and untouched throughout the work, your guaranteed way back in if a change goes wrong. Back up any configuration file before you edit it, so reverting is a copy rather than a reconstruction. Validate before applying: sshd -t checks SSH configuration for syntax errors before a restart, and the equivalent dry-run or test exists for most controls. And after any change to access, confirm a fresh connection works in a separate terminal before you close the session you have and before you consider the change done. The rule that summarises it is to never burn the bridge you are standing on: make the change, prove the new path works, and only then let go of the old one. It costs a few extra minutes per change and it is the difference between a smooth hardening afternoon and an emergency call to the data centre.

Hardening as code: the only way it scales and survives.

Everything described so far can be done by hand on one server. Done by hand, it does not survive contact with a fleet or with time, which is why serious hardening is expressed as code, not as a memory of an afternoon's work.

A server hardened manually is hardened at a moment, and moments pass. The next administrator does not know which of the dozens of settings were deliberate; a rebuild loses the configuration entirely; a second server gets a slightly different treatment because the steps were from memory rather than a definition; and drift accumulates invisibly because nothing is comparing the live state to an intended one. The answer is to express the hardened state as code, in a configuration-management or infrastructure-as-code tool, so that the baseline is a definition applied identically to every server, re-applied on a schedule to correct drift, version-controlled so every change is reviewed and reversible, and reproducible so a rebuilt server returns to the exact hardened state without anyone remembering what that was. Automated hardening scripts are a step toward this and a useful one, but a script run once is still a moment; the durable form is a declarative definition that is continuously enforced, so the server is not hardened once but kept hardened.

The honest caveat is that automation does not remove the need for judgement, it relocates it. A generic hardening definition applied blindly can break a working application by closing a port it needed or disabling a service it relied on, because the tool does not know your environment's specific requirements, which services are legitimately needed, which ports must stay open, which users require access. So the pattern that works is to use automation for the repeatable baseline, the SSH configuration, the firewall defaults, the kernel parameters, the audit rules that are the same everywhere, and to layer the environment-specific exceptions on top deliberately and with the same version control, then verify the combined result by scanning against a CIS benchmark rather than trusting the definition. The same logic extends to ephemeral and containerised infrastructure, where the unit of hardening is the image and the orchestration rather than a long-lived server: you harden the base image once, minimise it to only what the workload needs, scan it, and every container built from it inherits that posture, which is hardening-as-code taken to its conclusion, the secure configuration baked in at build time rather than applied after deployment. Whether the target is a fleet of long-lived servers or a stream of short-lived containers, the principle is identical: define the hardened state, apply it consistently, enforce it continuously, and measure it against a benchmark, because the alternative, hardening each thing by hand and hoping it stays that way, is precisely the approach that erodes into the misconfigurations the majority of breaches exploit.

From the side that hardens fleets, not servers.

Hardening one server is an afternoon and a checklist. Hardening a fleet, and keeping it hardened as it grows and drifts, is a different problem, and it is the one we solve.

The controls in this note are the same whether you have one server or a thousand, but the challenge changes entirely with scale. A single hardened server drifts: packages get installed, a port gets opened for a one-off task and never closed, a configuration gets loosened to make something work and never tightened again, and six months later the server that scored well on day one has quietly decayed. Across a fleet, that drift multiplies, and the real discipline is not the initial hardening but keeping every server at the baseline continuously, applying the configuration consistently through automation rather than by hand, scanning regularly with OpenSCAP and Lynis to catch drift, patching on a cadence the whole fleet follows, and forwarding every server's logs to a central system so a gap on one machine is visible. Hardening as a one-time afternoon is achievable by anyone; hardening as a maintained state across a growing fleet is the operational work, and it is where most organisations' posture erodes, not at setup but in the months after, as nobody owns the drift.

That is the lens we bring, because we run sending and hosting infrastructure at scale and harden it as a continuous discipline rather than a launch checklist, with the configuration applied consistently, the drift scanned for, and the logs from every host flowing into detection. The hardening, the SIEM and the detection-and-response are one stack rather than three separate purchases: the SIEM ingests the auditd and integrity logs the hardening produces, the MDR operation acts on what they reveal, and the whole thing is built and run under EU jurisdiction so the telemetry stays where it should, the sovereignty dimension that applies to security data as much as any other. It is also the technical foundation the compliance regimes assume, the configuration management, access control and logging that DORA and NIS2 expect, built from the same work. Where it helps to have a fleet hardened to a CIS baseline and kept there, with the drift caught and the logs watched, by people who run infrastructure for a living, that is the work our server management and managed security practices exist to do.

Questions operators are asking in 2026.

What is Linux server hardening?

Hardening is the process of reducing a Linux server's attack surface and tightening its configuration, by removing what is not needed, restricting access, applying security controls, and monitoring for change. Every server ships with defaults chosen for convenience rather than security: SSH accepting passwords, unnecessary services listening, kernel parameters tuned for compatibility. Hardening systematically replaces those defaults with secure settings, turning a server that an automated scanner could compromise within hours into one that resists the common attacks. It is configuration discipline, not a product you install.

Why does an unhardened server get attacked so quickly?

Because attacks are automated and the internet is scanned continuously. Bots and automated tools probe the entire address space for weak SSH configurations, exposed ports, outdated packages and known-vulnerable applications, and they find a newly exposed default server within minutes to hours, not days. The attacker is not a person who noticed you; it is a script that notices everyone. That is why hardening is not something to schedule for later: a server connected to the internet with default settings is in a race it is losing from the moment it boots, and the window before the first serious probe is measured in minutes.

What is the single most important hardening step?

SSH lockdown, because SSH is the highest-value remote attack surface on a Linux server and the most relentlessly attacked. The core moves are disabling root login over SSH, disabling password authentication entirely in favour of SSH keys, and restricting which users may connect. Password authentication is the single largest SSH attack vector, since it is what brute-force and credential-stuffing attacks target, so removing it once every user has deployed a key closes the door those attacks rely on. It takes thirty minutes and delivers the highest immediate risk reduction of any hardening task.

Should I change the default SSH port?

It helps modestly and is not a security control on its own. Moving SSH off port 22 to a non-standard port cuts the volume of automated scanning noise hitting your logs, because most bots probe the default, which makes genuine attempts easier to spot and reduces fail2ban churn. But it is obscurity, not security: a determined attacker scans all ports, so a non-default port behind password authentication is still exposed. Change the port as noise reduction layered on top of key-only authentication and a firewall, never as a substitute for them.

What is the right firewall posture for a Linux server?

Default-deny on inbound: block everything, then allow only the specific ports the server needs. With a tool like ufw or nftables you set the default incoming policy to deny, allow outgoing, then open only what the role requires, SSH from trusted sources, HTTP and HTTPS for a web server, and nothing else. Database ports should be restricted to the specific application servers that use them rather than left open. The principle is that every open port is an attack surface you must justify, and a default-deny posture forces that justification rather than leaving ports open by oversight.

What is fail2ban and do I still need it in 2026?

Fail2ban monitors authentication and service logs and temporarily bans IP addresses that show brute-force or scanning behaviour, automatically updating firewall rules to block them. It remains valuable: production servers commonly see a large drop in successful intrusion attempts after deploying it with sensible jail settings. In 2026 it has a modern alternative in CrowdSec, which adds collaborative, community-sourced threat intelligence so a behaviour seen attacking one participant can pre-emptively block that source for others. Either way, automated log-driven blocking is a baseline control, because manual log review cannot keep pace with automated attacks.

What are kernel hardening parameters?

Kernel-level settings, applied through sysctl, that tighten network and memory behaviour beyond the defaults. Common ones disable IP source routing and ICMP redirects, enable reverse-path filtering to drop spoofed packets, protect against SYN floods, and ensure address space layout randomisation is on to make memory-corruption exploits harder. These are not visible in the way SSH or a firewall are, but they close a class of network-level and exploitation attacks the defaults leave open. They are applied once, persist across reboots when written to the sysctl configuration, and cost nothing in day-to-day operation.

What is auditd and why does it matter for compliance?

The Linux audit daemon, auditd, records security-relevant events, who accessed which files, which privileged commands ran, changes to critical configuration, into a tamper-evident log. It matters for two reasons. Operationally, it is how you reconstruct what an attacker did after an incident, the forensic record that turns 'something happened' into a precise timeline. For compliance, regimes and frameworks expect this kind of auditing, and the logs are the evidence that you can detect and investigate, which is exactly what DORA, NIS2 and standards like SOC 2 ask you to demonstrate. Forwarded to a central system, those logs also feed your detection.

What is file integrity monitoring?

File integrity monitoring, with a tool like AIDE, takes a cryptographic snapshot of your filesystem after hardening is complete and then checks against it on a schedule, reporting any change to tracked files. Its value is detecting tampering and persistence: an attacker who modifies a system binary, adds a backdoor, or alters a configuration file leaves a change the integrity monitor flags on its next run, even if nothing else noticed. It establishes a known-good baseline and turns any deviation from it into an alert, which is one of the more reliable ways to catch the quiet, post-compromise activity that other controls miss.

What are CIS Benchmarks?

The Center for Internet Security publishes detailed hardening benchmarks for every major Linux distribution, and they are the industry-standard reference for server hardening, referenced by compliance frameworks including PCI DSS, HIPAA and SOC 2. They are organised into levels: Level 1 recommendations are practical for most environments with minimal performance impact, while Level 2 provides deeper hardening that may affect functionality and suits higher-security needs. The benchmarks turn hardening from opinion into a checklist with a defined, auditable target, which is why aligning to them is the usual answer to 'how hardened is hardened enough?'

How do I measure how hardened a server is?

Scan it against a benchmark rather than guessing. OpenSCAP, the open-source SCAP implementation, evaluates a system against CIS benchmarks, DISA STIG profiles or PCI-DSS requirements and produces a detailed compliance report of what passes and what fails. Lynis is a lighter auditing tool that produces a hardening score and concrete recommendations, useful for recording a baseline and tracking improvement over time. Running one of these gives you a measured starting point and a way to show progress, which is far more useful than a subjective sense that the server is 'pretty secure'.

What is the most common and dangerous hardening mistake?

Locking yourself out. The single most frequent serious error is changing SSH configuration, disabling password auth before keys are in place, restarting the daemon with a syntax error, tightening the firewall to exclude your own access, and severing your only connection to a remote server. The discipline that prevents it is simple and non-negotiable: keep one administrative session open while you work, validate SSH config with sshd -t before restarting, back up the config first, and confirm a fresh login works in a separate terminal before you close the session you have. Never burn the bridge you are standing on.

How often should I patch a Linux server?

Critical and security patches as soon as practical, with a regular cadence for the rest. Unpatched software is one of the most exploited entry points, and the bulk of successful attacks exploit known issues for which a fix already existed, so timely patching is among the highest-value controls. Enable unattended security upgrades so critical fixes apply automatically, and run a review weekly or monthly depending on the environment's risk. The goal is to shrink the window between a vulnerability becoming public and your servers being protected, because automated attackers weaponise disclosed vulnerabilities within that window.

Does hardening replace the need for monitoring and detection?

No, they are complementary layers. Hardening reduces the attack surface and prevents the common compromises; monitoring and detection catch what gets through and what hardening cannot prevent, like a stolen valid credential or a zero-day. A hardened server with no monitoring is a stronger door with nobody watching it; a monitored server with no hardening is a watched door left wide open. The mature posture does both: harden to shrink the surface, then forward logs and run detection so that the intrusions hardening did not stop are seen and responded to quickly.

Can I just run a hardening script and be done?

A script is a good start and a poor finish. Automated hardening scripts apply a baseline quickly and consistently, which is genuinely useful, but every environment has unique requirements a generic script cannot know: which services are legitimately needed, which ports must stay open, which users require access. Applied blindly, a script can break a working application or leave gaps it was not written to cover. Use scripts for the repeatable baseline, then review and customise for the specific server, and verify the result by scanning against a benchmark rather than trusting that the script did what you assumed.

How does hardening relate to compliance like DORA and NIS2?

Hardening is part of the technical foundation those regimes assume. DORA's ICT risk-management framework and NIS2's security obligations both expect appropriate technical controls, configuration management, access control, logging, and the CIS benchmarks hardening aligns to are referenced across compliance frameworks. Crucially, the auditd logs and integrity monitoring that hardening establishes are also the evidence and the detection feed those regimes require, so a well-hardened fleet is simultaneously more secure and easier to evidence as compliant. Hardening is where security posture and compliance posture are built from the same work.

Server management & managed security

Harden the fleet, then keep it hardened.

We lock down SSH, set the firewall to default-deny, automate the blocking and the patching, apply the kernel and CIS controls, stand up auditd and integrity monitoring, and forward every host's logs into detection, then keep the whole fleet at that baseline as it grows, scanning for drift and acting on it. The initial hardening is an afternoon; keeping it hardened is the job, and the one we do.

Talk to our server practice More field notes →

SSH first, keys not passwords Default-deny, patch fast, minimise Never burn the bridge you stand on