G Unit SolutionsG Unit Solutions
Security

Linux Server Hardening for Small Teams: The Practical Baseline

A new server is not a secure server. This baseline covers the controls we want in place before production traffic arrives.

June 20, 2026
G Unit Solutions
7 min read

A Linux server can look quiet and still be one mistake away from trouble. Hardening is not about making the system exotic. It is about removing easy paths in, making changes visible, and keeping recovery possible.

This is the baseline we want before a server handles real customer traffic.

1. Start with access control

Most incidents start with access that is too broad, too old, or too easy to guess.

Minimum baseline:

  • Disable password login for SSH and use keys only
  • Disable direct root login
  • Use individual user accounts, not shared admin accounts
  • Put admin users in a controlled sudo group
  • Remove unused users and old keys
  • Require MFA where the surrounding platform supports it

Good SSH hardening is boring. That is the point. Nobody should be able to log in with an old password from a forgotten laptop.

2. Close everything you do not use

A server should not expose services just because a package installed them.

Check listening ports:

ss -tulpn

Then make a simple rule: only required public services are reachable from the internet. Everything else is local, private, or blocked.

Typical public ports:

  • 80 and 443 for web traffic
  • 22 only if SSH must be public, preferably restricted by IP or VPN
  • Application ports only behind a reverse proxy

3. Patch with a maintenance window

Automatic updates are useful, but production servers need a plan. Kernel updates, database packages, and runtime upgrades can affect availability.

A sane patch routine includes:

  • Security updates applied quickly
  • Regular maintenance windows for riskier updates
  • Reboot tracking
  • Rollback notes for critical services
  • A person responsible for checking the result

The dangerous state is not “manual updates.” The dangerous state is “nobody knows whether updates are happening.”

4. Add basic runtime protection

Hardening reduces attack surface. Runtime protection helps when something still reaches the server.

Useful controls:

  • Host firewall with default-deny thinking
  • CrowdSec or similar behavior-based blocking
  • Fail2ban for simple brute-force protection when appropriate
  • Reverse proxy with sane TLS settings
  • Rate limits for sensitive endpoints

These controls should not break normal users. Start conservative, monitor, then tighten.

5. Log what matters

If a server is compromised, missing logs turn a technical problem into guesswork.

At minimum, collect:

  • Authentication logs
  • Sudo activity
  • Web server access and error logs
  • Application errors
  • System resource signals
  • Security alerts from Wazuh, CrowdSec or equivalent tools

Logs should leave the server or at least be shipped to a central place. If an attacker controls the only copy, the evidence is weak.

6. Backups are not finished until restore is tested

A backup job that has never been restored is a hope, not a recovery plan.

For each important service, document:

  • What is backed up
  • Where it is stored
  • How often it runs
  • How long retention lasts
  • Who can restore it
  • When the last restore test succeeded

Small teams do not need enterprise ceremony. They need proof that recovery works.

7. Monitor before users complain

Monitoring should answer three questions:

  1. Is the server reachable?
  2. Is the service healthy?
  3. Are security signals changing?

A practical stack might include Zabbix for infrastructure metrics, Wazuh for host security events, and CrowdSec for hostile traffic signals. The exact tools matter less than the coverage and alert quality.

A simple production checklist

Before launch, confirm:

  • [ ] SSH keys only, root login disabled
  • [ ] Firewall allows only required ports
  • [ ] Updates are scheduled and owned
  • [ ] Backups run and restore was tested
  • [ ] Logs are collected centrally
  • [ ] Monitoring checks service health
  • [ ] Security alerts route to a real person
  • [ ] Admin access is documented

Final thought

Hardening is not a one-time setup task. It is an operating habit. The safest server is the one where access, patches, monitoring and recovery are reviewed continuously, not only after something breaks.

If your team does not have time to run that routine, managed operations are usually cheaper than emergency cleanup.