Get AI summaries of any video or article — Sign up free
5 Steps to Secure Linux (protect from hackers) thumbnail

5 Steps to Secure Linux (protect from hackers)

NetworkChuck·
5 min read

Based on NetworkChuck's video on YouTube. If you like this content, support the original creators by watching, liking and subscribing to their content.

TL;DR

Enable unattended-upgrades so security patches install automatically instead of relying on manual updates.

Briefing

Securing a Linux server isn’t about a single magic setting—it’s about stacking practical defenses that close the most common entry points. The core takeaway is a five-step hardening routine: keep the system patched automatically, stop using the root account for SSH, replace password logins with SSH keys, tighten SSH daemon settings (including a non-default port), and then enforce a firewall that only allows the ports you truly need. Together, these steps dramatically reduce the odds that routine scanning and brute-force attempts turn into a breach.

The process starts with updates, because unpatched systems remain the easiest target. After creating or selecting a Linux VM (the walkthrough uses a Debian 10 instance on Lenode), the routine moves to SSH access and then enables unattended upgrades. It also includes manual update commands (apt update and apt upgrade) as a fallback. The key move is installing unattended-upgrades and configuring it to automatically download and install stable updates, so security fixes land without relying on memory.

Next comes account hygiene: root login over the internet is treated as a hard “no.” Instead of logging in as root, a new user is created and added to the sudo group so administrative tasks still work when prefixed with sudo. The walkthrough demonstrates the difference in permissions by showing that commands fail without sudo, then succeed when sudo is used—effectively granting “root powers” only for specific commands.

The third hardening layer replaces password authentication with SSH public/private keys. The routine creates a .ssh directory with locked-down permissions (chmod 700), generates a 4096-bit key pair (ssh-keygen -b 4096), and uploads the public key to the server’s authorized_keys using scp (or the simpler ssh-copy-id flow). After that, SSH logins proceed without entering a server password, eliminating the brute-force risk that comes with passwords.

Step four locks down SSH itself by editing /etc/ssh/sshd_config. The walkthrough changes the SSH port from the default 22 to a high, random port (example: 717), forces IPv4-only, disables root login (PermitRootLogin no), and turns off password authentication (PasswordAuthentication no). It then restarts sshd and tests connectivity using the custom port to avoid accidentally locking itself out.

Finally, the firewall becomes the perimeter. The routine checks open ports with ss -tulpn, installs ufw (Uncomplicated Firewall), allows only the custom SSH port, and enables ufw so everything else is blocked by default. It demonstrates the effect by installing Apache 2, confirming port 80 is reachable only after explicitly allowing it through ufw. To reduce visibility, it also blocks ICMP echo requests (ping) by editing /etc/ufw/before.rules and then reloading rules and rebooting to ensure the change takes effect.

The closing message is blunt: nothing is unhackable. But these best-practice controls—patching, least privilege, key-based SSH, hardened sshd settings, and a default-deny firewall—address the most common failure modes that lead to real-world compromises.

Cornell Notes

The hardening routine focuses on reducing the most common ways attackers gain access to Linux servers: unpatched software, unsafe authentication, and overly permissive network exposure. It first enables automatic security updates using unattended-upgrades so fixes arrive without manual intervention. It then avoids root SSH logins by creating a non-root user with sudo privileges and switching authentication from passwords to SSH key pairs (4096-bit keys). Next, it edits /etc/ssh/sshd_config to disable root login, turn off password authentication, and move SSH to a non-default port (example 717). Finally, it installs ufw, allows only required ports, and blocks ping (ICMP) to reduce server visibility.

Why is enabling automatic updates treated as the first security step?

Because many compromises rely on known vulnerabilities that remain exploitable until patches are applied. The routine installs unattended-upgrades and configures it to automatically download and install stable updates. It also provides manual commands—apt update to check repository status and apt upgrade to apply updates—so there’s an emergency path, but the main goal is to remove the “we’ll patch later” failure mode.

What’s the security benefit of creating a non-root user and using sudo instead of logging in as root?

Root has “god-like” privileges, so any compromise of that account becomes a full system takeover. By creating a limited user and adding it to the sudo group, the server still supports administrative tasks, but only when commands are explicitly prefixed with sudo. The walkthrough demonstrates this by showing that a command fails without sudo (“command not found” due to permissions), then works once sudo is used.

How do SSH keys reduce risk compared with password-based SSH logins?

Passwords can be brute-forced or guessed. SSH keys use a public/private key pair: the server stores the public key in authorized_keys, while the private key stays with the client. Logging in requires possession of the private key, so attackers can’t simply try many passwords. The routine generates a 4096-bit key pair (ssh-keygen -b 4096), uploads the public key via scp/ssh-copy-id, and then verifies that SSH works without entering a password.

Why change the SSH port and disable password/root login in sshd_config?

Changing the SSH port from 22 to a high custom port reduces noise from default-port scanning. Disabling root login (PermitRootLogin no) prevents direct root access over SSH. Turning off password authentication (PasswordAuthentication no) forces key-based authentication only. Together, these settings reduce both the likelihood of successful guessing and the impact of misused credentials.

What does ufw add after sshd is hardened, and how does it affect exposed services?

ufw enforces a default-deny network policy so only explicitly allowed ports can be reached. The routine allows the custom SSH port (e.g., 717) and enables ufw, then tests that SSH works while other access attempts fail. When Apache 2 is installed, port 80 becomes listening, but it remains unreachable until ufw allows it—showing that “listening” and “reachable” are different. It also blocks ICMP ping by editing /etc/ufw/before.rules, reducing server visibility.

Review Questions

  1. Which specific commands and configuration changes ensure security updates happen automatically, and what manual commands are provided as a fallback?
  2. How does the workflow verify that sudo privileges work correctly for the non-root user?
  3. After changing sshd to disable password authentication and root login, what test confirms the server still accepts SSH connections on the custom port?

Key Points

  1. 1

    Enable unattended-upgrades so security patches install automatically instead of relying on manual updates.

  2. 2

    Never SSH directly as root; create a non-root user and grant temporary administrative power via sudo.

  3. 3

    Replace password authentication with SSH public/private keys (generate 4096-bit keys and upload the public key to authorized_keys).

  4. 4

    Harden /etc/ssh/sshd_config by disabling root login, turning off PasswordAuthentication, and moving SSH to a non-default port.

  5. 5

    Use ufw to enforce a default-deny firewall posture and allow only required ports (e.g., the custom SSH port and any service ports you intentionally expose).

  6. 6

    Reduce server visibility by blocking ICMP echo requests (ping) through ufw rule changes and ensuring the rules take effect (reload/reboot as needed).

Highlights

The routine’s biggest risk reduction comes from stacking defenses: automatic patching + least-privilege SSH + key-based authentication + locked-down sshd + default-deny firewall.
Switching PasswordAuthentication to no forces SSH logins to rely on keys, eliminating brute-force password attempts for SSH.
Moving SSH off port 22 (example 717) doesn’t replace real security, but it cuts down default-port scanning noise.
ufw can block traffic even when a service is listening—Apache can run on port 80 while still being unreachable until ufw allows it.
Blocking ping (ICMP) is treated as a visibility hardening step, not a primary access control.

Topics

  • Linux Server Hardening
  • SSH Key Authentication
  • Unattended Upgrades
  • ufw Firewall
  • sshd_config Security

Mentioned

Get summaries like this for any content

Videos, articles, research papers — all summarized by AI and searchable in one place.

Start building your library