Advanced · Defense · 18 min read

root@css:~$ ./harden.sh --dry-run

Hardening Your Linux System

Apply layered defenses to a Linux machine: updates, a host firewall, SSH hardening, and automatic security patching.

What you'll learn

  • Reduce your attack surface methodically
  • Configure a host firewall with sane defaults
  • Harden SSH against common attacks

Hardening means systematically removing weaknesses before an attacker finds them. Security is layered — no single setting is enough, but together these steps dramatically raise the cost of compromising a machine.

1. Patch and update

Unpatched software is the most common way systems get breached. Keep everything current.

```bash
# Debian / Ubuntu / Kali
sudo apt update && sudo apt full-upgrade -y

# Arch / BlackArch
sudo pacman -Syu
```

2. Configure a host firewall

A default-deny firewall blocks everything inbound except what you explicitly allow. UFW (Uncomplicated Firewall) makes this approachable.

```bash
sudo ufw default deny incoming
sudo ufw default allow outgoing
sudo ufw allow 22/tcp        # allow SSH (only if you need it)
sudo ufw enable
sudo ufw status verbose
```
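Once the rules are in place, the useful check is whether the live policy still matches what you intended. The script below is an added example, not part of the original guide: `check_ufw_status` is a function of my own that reads saved `ufw status verbose` output from a file and reports when the firewall is inactive, when the inbound default is not deny, or when an inbound ALLOW rule appears that is not on the list you pass in. The sample output at the bottom is constructed for the demonstration and is not captured from a real host.

```bash
#!/usr/bin/env bash
# Added example (not from the original guide): audit captured `ufw status verbose`
# output against the default-deny policy described above. It reads from a file so
# it can be run offline against saved output; the sample below is constructed.

# check_ufw_status FILE [EXPECTED_RULE...]
# Returns 0 when ufw is active, denies inbound by default, and every inbound
# ALLOW rule's "To" column is on the expected list; prints a FINDING line for
# each problem and returns 1 otherwise.
check_ufw_status() {
    file=$1; shift
    want=" $* "
    rc=0

    # ufw prints "Status: active" as its first line once enabled.
    grep -q '^Status: active' "$file" || { echo "FINDING: ufw is not active"; rc=1; }

    # The policy line must open with deny for incoming traffic.
    grep -q '^Default: deny (incoming)' "$file" || { echo "FINDING: default inbound policy is not deny"; rc=1; }

    # Rule lines look like "22/tcp   ALLOW IN   Anywhere"; IPv6 duplicates carry a
    # "(v6)" suffix. Strip the suffix, de-duplicate, and report any inbound allow
    # whose first column is not on the expected list.
    unexpected=$(sed 's/ (v6)//g' "$file" \
        | grep -E '^[^[:space:]]+[[:space:]]+ALLOW IN[[:space:]]' \
        | awk -v want="$want" 'index(want, " " $1 " ") == 0 { print $1 }' \
        | sort -u)
    for rule in $unexpected; do
        echo "FINDING: unexpected inbound allow for $rule"
        rc=1
    done

    return $rc
}

# Constructed sample of `ufw status verbose` (not captured from a real host).
SAMPLE=$(mktemp)
trap 'rm -f "$SAMPLE"' EXIT
cat > "$SAMPLE" <<'EOF'
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), disabled (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW IN    Anywhere
8080/tcp                   ALLOW IN    Anywhere
22/tcp (v6)                ALLOW IN    Anywhere (v6)
8080/tcp (v6)              ALLOW IN    Anywhere (v6)
EOF

# Only SSH is expected here, so the 8080/tcp rule is reported as a finding.
if check_ufw_status "$SAMPLE" 22/tcp; then
    echo "PASS: firewall matches the expected policy"
else
    echo "FAIL: review the findings above"
fi
```

On a real host, save the output with `sudo ufw status verbose > /tmp/ufw.txt` and pass that file with the ports you meant to expose; a rule you did not expect is exactly the kind of drift a periodic check should catch.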

3. Harden SSH

SSH is the most commonly attacked service on internet-facing machines. Edit /etc/ssh/sshd_config and apply these settings.

Recommended sshd_config changes

```text
PermitRootLogin no            # never log in directly as root
PasswordAuthentication no     # require SSH keys, not passwords
Port 2222                     # optional: move off the default port
MaxAuthTries 3                # limit guessing attempts
```

```bash
# Generate a strong key pair on your client, then copy it up
ssh-keygen -t ed25519 -C "you@example.com"
ssh-copy-id -p 2222 user@server
# Restart SSH to apply server changes
sudo systemctl restart sshd
```

// warning: Before disabling password login, confirm key-based login works in a separate session. Otherwise you can lock yourself out of a remote machine.
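Editing sshd_config has two traps that a quick grep misses: sshd uses the first value it reads for a keyword (a later duplicate is ignored), and a commented-out line such as `#PermitRootLogin no` sets nothing, leaving the compiled-in default in force. The script below is an added example and not part of the original guide: `sshd_value` and `audit_sshd_config` are functions of my own that read a config file with those rules applied, fall back to the OpenSSH defaults (PermitRootLogin prohibit-password, PasswordAuthentication yes, MaxAuthTries 6) when a keyword is absent, and stop at the first `Match` block because settings under it are conditional. The config fragment at the bottom is constructed for the demonstration.

```bash
#!/usr/bin/env bash
# Added example (not from the original guide): check an sshd_config file for the
# settings recommended above. sshd uses the FIRST value it reads for a keyword,
# ignores comments, and matches keywords case-insensitively, so a commented-out
# or later duplicate line must not count. Directives under a "Match" block are
# conditional and are deliberately not considered here.

# sshd_value FILE KEYWORD DEFAULT
# Prints the effective global value of KEYWORD (lower-cased), or DEFAULT when
# the keyword is not set before the first Match block.
sshd_value() {
    file=$1; key=$2; default=$3
    val=$(awk -v key="$key" '
        /^[[:space:]]*#/ || NF == 0 { next }             # skip comments and blank lines
        tolower($1) == "match" { exit }                  # stop at conditional blocks
        tolower($1) == tolower(key) { print tolower($2); exit }   # first value wins
    ' "$file")
    printf '%s\n' "${val:-$default}"
}

# audit_sshd_config FILE
# Prints one FINDING per deviation from the recommended settings and returns 1
# if any were found, 0 otherwise.
audit_sshd_config() {
    file=$1; rc=0

    # OpenSSH defaults: the values sshd uses when a keyword is absent.
    root=$(sshd_value "$file" PermitRootLogin prohibit-password)
    pw=$(sshd_value "$file" PasswordAuthentication yes)
    tries=$(sshd_value "$file" MaxAuthTries 6)

    case "$root" in
        no) ;;
        *) echo "FINDING: PermitRootLogin is '$root', expected 'no'"; rc=1 ;;
    esac
    case "$pw" in
        no) ;;
        *) echo "FINDING: PasswordAuthentication is '$pw', expected 'no'"; rc=1 ;;
    esac
    if [ "$tries" -gt 3 ]; then
        echo "FINDING: MaxAuthTries is $tries, expected 3 or lower"
        rc=1
    fi
    return $rc
}

# Constructed sshd_config fragment (not a real host's file). The PermitRootLogin
# line is commented out, so the default applies; the second
# PasswordAuthentication line is ignored because the first one wins.
SAMPLE=$(mktemp)
trap 'rm -f "$SAMPLE"' EXIT
cat > "$SAMPLE" <<'EOF'
Port 2222
#PermitRootLogin no
PasswordAuthentication no
MaxAuthTries 3
PasswordAuthentication yes
Match User backup
    PermitRootLogin no
EOF

if audit_sshd_config "$SAMPLE"; then
    echo "PASS: sshd_config matches the recommendations"
else
    echo "FAIL: fix the findings above before restarting sshd"
fi
```

Run it against `/etc/ssh/sshd_config` after editing; when it passes, `sudo sshd -t` checks the file for syntax errors, and only then is it worth restarting the service while your second session stays open.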

4. Automate security updates

```bash
# Debian/Ubuntu: enable unattended security upgrades
sudo apt install unattended-upgrades -y
sudo dpkg-reconfigure --priority=low unattended-upgrades
```

  1. Fully update your system.
  2. Enable a default-deny firewall and allow only required ports.
  3. Switch SSH to key-only authentication and disable root login.
  4. Turn on automatic security updates and reboot to confirm everything still works.

// tip: Re-run the Nmap tutorial against your machine after hardening. You should see fewer open ports — proof your changes reduced the attack surface.

// ethics_notice: Practice only on systems you own or are explicitly authorized to test. These materials are for education and defense.
