The 2025 Linux Hardening Checklist

Lock Down Any Server in 30 Minutes

30-minute timer starts NOW.

☐ 0-2 min: Update & Reboot

sudo apt update && sudo apt full-upgrade -y   # Debian/Ubuntu
# sudo dnf upgrade --refresh -y              # RHEL/Fedora
sudo reboot

☐ 2-5 min: Create a Normal User + Disable Root SSH

sudo adduser lock
sudo usermod -aG sudo lock          # Ubuntu
# sudo usermod -aG wheel lock       # RHEL
# Match the directive whether it is commented out or set to prohibit-password (the stock default)
sudo sed -i -E 's/^#?PermitRootLogin .*/PermitRootLogin no/' /etc/ssh/sshd_config
# Drop-ins in /etc/ssh/sshd_config.d/ win over this file; make sure none of them re-enable root
sudo sshd -t && sudo systemctl restart sshd   # syntax-check first: a typo here locks you out

Log out → log in as lock.

☐ 5-8 min: Switch SSH to Key-Only

ssh-keygen -t ed25519 -f ~/.ssh/id_lock          # on your workstation, not the server
cat ~/.ssh/id_lock.pub | ssh lock@IP "mkdir -p ~/.ssh && cat >> ~/.ssh/authorized_keys"
# On the server: match the directive whether or not it is commented out
sudo sed -i -E 's/^#?PasswordAuthentication .*/PasswordAuthentication no/' /etc/ssh/sshd_config
# Drop-ins override this file (some cloud images ship /etc/ssh/sshd_config.d/*.conf with
# PasswordAuthentication yes); the effective value is what counts:
sudo sshd -T | grep -i passwordauthentication    # must print "passwordauthentication no"
sudo sshd -t && sudo systemctl restart sshd

Test key login, then close old session.

☐ 8-12 min: Install Fail2Ban + UFW

sudo apt install fail2ban ufw -y
# RHEL (fail2ban is in EPEL): sudo dnf install fail2ban -y ; firewalld is already on and allows ssh
sudo ufw allow OpenSSH                  # allow SSH *before* enabling, or you cut yourself off
sudo ufw enable
sudo systemctl enable --now fail2ban    # enable alone does not start it

☐ 12-15 min: Harden Kernel in 3 Lines

cat <<EOF | sudo tee /etc/sysctl.d/99-hardening.conf
# Redirects stay enabled if either all.* or the per-interface value is 1, so set default.* too
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
# Only if this box really does not use IPv6 (default.* covers interfaces added later)
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
# Hide kernel pointers (even from root) and restrict dmesg to CAP_SYSLOG
kernel.kptr_restrict = 2
kernel.dmesg_restrict = 1
# Refuse O_CREAT opens of files you do not own in world-writable sticky dirs such as /tmp
fs.protected_regular = 2
EOF
sudo sysctl -p /etc/sysctl.d/99-hardening.conf

☐ 15-18 min: Remove Junk Packages

# Only if this box is not meant to serve web: the patterns remove every apache2*/nginx* package.
# Quote them so the shell does not expand them against the current directory.
sudo apt purge telnet netcat-openbsd '^apache2.*' '^nginx.*' -y
# RHEL: sudo dnf remove telnet nmap-ncat httpd nginx -y
sudo apt autoremove -y

☐ 18-22 min: Lock Down Files & Users

sudo chmod 600 /etc/shadow                  # Debian ships 640 root:shadow; 600 is stricter
sudo passwd -l root                         # lock root's password (console); SSH root login is already off
sudo chown root:root /boot/grub/grub.cfg    # RHEL: /boot/grub2/grub.cfg
sudo chmod 600 /boot/grub/grub.cfg

☐ 22-25 min: Enable Auto Updates (Unattended)

Ubuntu:

sudo apt install unattended-upgrades -y
sudo dpkg-reconfigure --priority=low unattended-upgrades

RHEL:

sudo dnf install dnf-automatic -y
sudo systemctl enable --now dnf-automatic-install.timer

☐ 25-28 min: Install AIDE (File Integrity)

sudo apt install aide aide-common -y        # RHEL: sudo dnf install aide -y && sudo aide --init
sudo aideinit                               # builds the baseline; takes a few minutes
sudo mv /var/lib/aide/aide.db.new /var/lib/aide/aide.db
# Nightly check, mailed to you (needs a working `mail`, e.g. the mailutils package).
# Appends the job to root's crontab without opening an editor:
(sudo crontab -l 2>/dev/null; echo '0 3 * * * /usr/bin/aide --check | mail -s "AIDE" admin@yourdomain') | sudo crontab -

☐ 28-30 min: Final Scan & Lock

sudo ufw status verbose
sudo ss -tulnp | grep :22
sudo systemctl is-enabled sshd fail2ban
echo "Server locked. Grab coffee."
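Before calling it done, audit what sshd and the kernel actually enforce rather than what the files say. The script below is an added example, not part of the original checklist; it assumes the expected values in its own constants (taken from the steps above) and that `sshd -T` is run as root.

```bash
#!/usr/bin/env bash
# Post-checklist audit: check the *effective* sshd and sysctl values, not
# the files. A drop-in under /etc/ssh/sshd_config.d/ (some cloud images ship
# one with PasswordAuthentication yes) silently overrides the sed edits,
# and the kernel ORs conf.all with the per-interface value for redirects,
# so all=0 alone does not switch them off.

# Expected values exactly as `sshd -T` prints them (lower-case keys).
SSHD_EXPECT='permitrootlogin no
passwordauthentication no
pubkeyauthentication yes'

# Expected values exactly as `sysctl <key>` prints them.
SYSCTL_EXPECT='net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
kernel.kptr_restrict = 2
kernel.dmesg_restrict = 1
fs.protected_regular = 2'

# missing_lines EXPECTED ACTUAL: print every EXPECTED line that has no
# exact (case- and whitespace-insensitive) match in ACTUAL.
missing_lines() {
    local expected="$1" actual="$2" line norm norm_actual
    norm_actual=$(printf '%s\n' "$actual" | tr -s ' \t' ' ' | tr '[:upper:]' '[:lower:]')
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        norm=$(printf '%s' "$line" | tr -s ' \t' ' ' | tr '[:upper:]' '[:lower:]')
        printf '%s\n' "$norm_actual" | grep -qxF -- "$norm" || printf '%s\n' "$line"
    done <<EOF
$expected
EOF
}

# count_missing EXPECTED ACTUAL: how many expected lines are missing.
count_missing() { missing_lines "$1" "$2" | awk 'END { print NR }'; }

# Audit the live host (sshd -T needs root); prints whatever is still wrong.
# Gated behind --live so the functions can be sourced and tested offline.
audit_host() {
    local keys out
    keys=$(printf '%s\n' "$SYSCTL_EXPECT" | cut -d' ' -f1)
    out=$(missing_lines "$SSHD_EXPECT" "$(sshd -T 2>/dev/null)"
          missing_lines "$SYSCTL_EXPECT" "$(sysctl $keys 2>/dev/null)")
    [ -z "$out" ] && echo "OK: effective sshd/sysctl match the checklist" && return 0
    printf 'NOT HARDENED, still missing:\n%s\n' "$out"; return 1
}
if [ "${1:-}" = "--live" ]; then audit_host; fi
```

Run it as `sudo ./audit.sh --live` after the final scan; a non-zero exit with the offending lines means a drop-in or a missing sysctl key undid one of the steps.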

Done.
Your server now survives 99% of script-kiddie scans.

Bookmark this page. Run it on every new box.
30 minutes today = zero breaches tomorrow.
