Server Hardening Basics: How to Lock Down a Machine Before It Gets Attacked

A fresh server on the internet is a target within minutes. Server hardening is the set of habits that shrink the ways in. Learn what hardening means, the layers it covers, and a practical checklist you can apply to any machine — explained from the ground up.

Published November 2, 202612 min readBy ACY Partner Indonesia
Server hardening — reducing the attack surface of a machine layer by layer
300 × 250Ad Space AvailablePlace your ad here

The moment a server has a public IP address, it stops being yours alone. Within minutes, automated scanners from all over the internet start knocking on its door — trying default passwords, probing common ports, looking for software with known holes. This isn’t paranoia; it’s just the background noise of being online. Anyone who has watched a fresh server’s logs for an hour has seen it happen.

Server hardening is how you answer that reality. It’s not one tool or one setting — it’s a collection of deliberate choices that make a machine harder to break into. The goal isn’t to build an impenetrable fortress (nothing online is truly that). The goal is to remove the easy ways in, so an attacker has to work much harder, and the automated bots that make up most attacks simply move on to a softer target.

What hardening actually means

To “harden” something is to reduce its attack surface — the total set of points where someone could try to get in or cause harm. Every open port, every running service, every user account, every piece of installed software is a potential door. Some of those doors you need. Many of them you don’t, and they’re open simply because that’s the default.

Hardening is the process of going through all of those doors and asking a simple question for each one: do I actually need this open? If the answer is no, you close it. If the answer is yes, you make sure it’s locked properly. That’s the whole philosophy, repeated across every layer of the system.

It helps to picture the difference between the default state and a hardened state:

  DEFAULT SERVER                    HARDENED SERVER
  ─────────────                     ────────────────
  many ports open          ──►      only ports you use
  password login           ──►      key-based login only
  root logs in directly    ──►      root login disabled
  everything up to date?   ──►      auto-updates on
  one big admin account    ──►      least-privilege users
  no failed-login limit    ──►      brute-force protection

Notice that none of this is exotic. There’s no special security product you have to buy. Hardening is mostly about turning off what you don’t need and configuring what’s left sensibly. The hardest part is just remembering to do it — and doing it before the machine goes live, not after something goes wrong.

Hardening is a layered habit, not a one-time switch

You’ll often hear security people talk about “defense in depth.” The idea is that no single protection should be the only thing standing between an attacker and your data. If one layer fails — a password leaks, a service has a bug — the next layer should still slow the attacker down. Hardening works the same way: each step here is one layer, and they’re strongest stacked together. Skipping one isn’t fatal, but every layer you add buys you real safety.

Start with the principle of least privilege

Before any specific setting, there’s a mindset that ties all of hardening together: least privilege. It means every user, every process, and every service should have exactly the access it needs to do its job — and nothing more. A program that only reads files shouldn’t be able to delete them. A user who manages one website shouldn’t have control over the entire machine.

The reason this matters so much is damage control. When something does get compromised — and over a long enough time, something always tries — least privilege limits how far the damage spreads. If an attacker breaks into a low-privilege account, they’re stuck in a small box. If they break into an account that can do anything, they own the server.

This is why the very first hardening move on most servers is to stop using the all-powerful root account for day-to-day work. Instead, you create a normal user, give it the ability to run administrative commands only when needed (via sudo), and lock direct root access down. To go deeper on how users and permissions work underneath this, the article on users and groups in Linux lays out the model, and file permissions covers who’s allowed to touch what.

# create a regular working user
adduser jane

# give that user the ability to run admin commands when needed
usermod -aG sudo jane

# now Jane logs in as herself and uses 'sudo' only when she
# actually needs admin power — not for everything

Lock down how people log in

The single most attacked door on a typical server is the remote login service: SSH, the protocol you use to get a command line on a machine from somewhere else. If you do nothing else, securing SSH gives you the biggest return. (If the protocol itself is new to you, the SSH basics article walks through how it works.)

There are three changes that together transform SSH from a soft target into a hard one:

  • Switch from passwords to SSH keys. A password can be guessed, and bots try millions of them. An SSH key is a long cryptographic pair — a public half that lives on the server and a private half that never leaves your own machine. Guessing one is, for all practical purposes, impossible. Once keys work, you turn password login off entirely.
  • Disable direct root login. Even with a strong password or key, letting root log in remotely means an attacker only needs to break one well-known account. Force everyone to log in as a normal user first, then escalate with sudo. Now an attacker has to guess both a username and get past the login.
  • Consider a non-default port (modestly). SSH listens on port 22 by default, and every bot knows it. Moving it to a different port doesn’t make you secure — a determined attacker can still scan for it — but it dramatically cuts the volume of automated noise hitting your logs. Treat it as tidying, not real protection.
   ATTACKER                         HARDENED SSH
  ──────────                        ────────────
  tries 'root' + password   ──►     root login: refused
  tries common passwords    ──►     passwords: disabled
  brute-forces port 22      ──►     keys only, no guessing in

Don't lock yourself out

This is the classic beginner mistake: you disable password login or change the SSH port, then discover your key isn’t set up correctly — and now you can’t get back in at all. Always test a new SSH connection in a second terminal before closing your current one. If the new session works, you’re safe to log out. If it doesn’t, you still have your original session open to fix things. Keep that habit and you’ll never lock yourself out.

Close every door you’re not using

A fresh server often comes with services already running that you never asked for — a mail daemon, a database listening on the network, leftover sample apps. Each one is a running program that accepts input from outside, which means each one is a potential way in. The fix is two-sided: stop services you don’t need, and block the ports you’re not using with a firewall.

A firewall is simply a gatekeeper that decides which network traffic is allowed to reach your server. The right way to configure one is the deny-by-default approach: block everything, then open only the specific ports your server actually serves on — typically the web ports (80 and 443) and your SSH port. Everything else stays shut. The firewalls article explains the concept, and ports and protocols covers what those numbers actually mean.

# see which services are listening on the network
ss -tulpn

# a sensible default firewall posture:
#   - deny all incoming by default
#   - allow SSH (so you can still get in)
#   - allow web traffic (80 / 443)
#   - allow all outgoing

The mindset here is the same as with login: start from “nothing is allowed” and open only what’s genuinely required. It’s far safer than starting from “everything is allowed” and trying to remember what to close.

Keep the software up to date

A huge share of real-world breaks-ins don’t come from clever new attacks — they come from old, unpatched software with publicly known holes. Once a vulnerability is discovered and a fix is released, the details become public. Attackers then scan the internet for machines that haven’t applied that fix yet. If your server is behind on updates, you’re on that list.

Keeping software current is one of the highest-value, lowest-effort things you can do. On most systems you update everything through the package manager, and you can enable automatic security updates so critical patches land without you having to remember. The package managers article covers how installing and updating works on Linux.

# refresh the list of available updates, then apply them
# (commands vary by distribution; this is the common Debian/Ubuntu form)
apt update
apt upgrade

# many systems can apply security updates automatically —
# turning this on means critical fixes don't wait for you

Updates are boring, which is exactly why they get skipped

There’s no excitement in running an update. It feels like nothing happened. That’s precisely the trap — the work that quietly prevents disasters never looks like it did anything. Set updates to apply automatically where you can, and check in on the machine on a regular schedule. The few minutes this costs you are nothing compared to cleaning up after a server that got owned through a bug fixed months ago.

Watch the doors: logs and intrusion basics

Hardening reduces the ways in, but it doesn’t make you blind to attempts. Servers keep logs — records of who connected, who tried to log in, what failed. Glancing at them tells you what’s hitting your machine, and a sudden flood of failed logins from one address is a clear sign something automated is hammering away.

You don’t have to watch logs by hand around the clock. Tools exist that read the logs for you and react automatically: if an address racks up too many failed login attempts in a short window, it gets temporarily blocked. This single measure neutralizes the most common attack on the internet — the slow, patient brute-force guess — without you lifting a finger. It’s the natural companion to everything above: hardening shuts the easy doors, and automated monitoring watches the ones that remain.

  too many failed logins from one IP


  monitor notices the pattern


  that IP is blocked for a while  ──►  bot gives up, moves on

A practical hardening checklist

You don’t have to do all of this at once, but here’s the order that gives you the most safety for the least effort, roughly from highest impact down:

  1. Create a non-root user and use it for daily work; reserve admin power for sudo.
  2. Set up SSH keys, then disable password login and direct root login.
  3. Turn on a firewall with deny-by-default, opening only the ports you serve on.
  4. Stop and remove services you don’t actually use.
  5. Enable automatic security updates so patches land on their own.
  6. Add brute-force protection that blocks IPs after repeated failed logins.
  7. Check your logs on a regular rhythm so you know what’s hitting the machine.

Run through this once on a new server and you’ve already eliminated the overwhelming majority of automated attacks — the kind that make up most of what any server faces. None of it requires deep expertise. It’s discipline more than genius.

Why this matters even for small projects

It’s tempting to think hardening is only for big companies with sensitive data — that a small blog or a side project isn’t worth attacking. That’s a common and costly assumption. Most attacks aren’t targeted at you specifically. They’re automated sweeps looking for any vulnerable machine, regardless of how small or unimportant it seems. A compromised server is valuable to an attacker no matter what it was for: it can be used to send spam, mine cryptocurrency, store illegal files, or launch attacks on others. Your project’s size doesn’t protect it; only hardening does.

The encouraging flip side is that the bar is low to clear. Because so much of the internet is full of soft, un-hardened targets, doing even the basics here puts you far ahead of the crowd. Bots take the path of least resistance. Make your machine slightly harder than the average, and most of them simply pass you by.

Wrapping up

Here’s the whole picture in one place:

  • Hardening means reducing a server’s attack surface — closing the doors you don’t need and locking the ones you do.
  • It’s built on the principle of least privilege: give every user and process only the access it truly needs, so a single break-in can’t spread far.
  • The biggest wins, in order: a non-root user, SSH keys with password and root login disabled, a deny-by-default firewall, removing unused services, and automatic security updates.
  • Most attacks come from automated bots exploiting old, unpatched software and weak logins — not clever targeting. The basics defeat the vast majority of them.
  • Watching logs and automated brute-force protection cover the doors that stay open.
  • Size is no protection — small projects get attacked too, but the same basic steps protect them just as well.

From here, each piece deserves a closer look on its own. The next natural step is going deeper on the most-attacked door of all — securing SSH properly, from keys to configuration — so the single biggest part of this checklist is rock solid.

Tags:serversecurityhardeninglinuxbeginner
728 × 90Ad Space AvailablePlace your ad here

Related Articles

See All Articles

You Might Also Like

Backup strategies — keeping multiple safe copies of your data
Server / Deployment

Backup Strategies: How to Make Sure You Never Lose Your Data

A backup is only worth as much as your last successful restore. Learn what really counts as a backup, the 3-2-1 rule, full vs incremental vs differential, where to keep copies, how to schedule and test them, and how long to keep them — explained from zero.

Nov 1, 202610 min read
Logs and log management — lines of timestamped events streaming from a server
Server / Deployment

Logs and Log Management: How to Read What Your Server Is Telling You

Your server is constantly talking — through logs. Learn what logs are, the common types you'll meet, how to read and search them, why rotation matters, and how to centralize logs so you can actually find the answer when something breaks.

Oct 31, 202612 min read
Monitoring and uptime — watching a server's health and getting alerted when it goes down
Server / Deployment

Monitoring and Uptime: Knowing Your Server Is Alive Before Your Users Do

Deploying is only half the job — keeping a server healthy is the other half. Learn what monitoring and uptime really mean, how health checks and alerts work, the metrics worth watching, and how to find out something's wrong before your visitors tell you.

Oct 30, 202611 min read
Pointing a domain name at a deployed server using DNS records
Server / Deployment

Domains and Pointing DNS: Connecting a Real Name to Your Deployed Server

Your app is live on a server, but it's only reachable by an IP address. Learn how to point a real domain at it — registrars, the records that matter, www vs the bare domain, propagation, and how to check it actually worked.

Oct 29, 202611 min read
SSL certificates in practice — getting HTTPS working on a live deployment
Server / Deployment

SSL Certificates in Practice: Getting HTTPS Working on a Real Deployment

You know HTTPS keeps traffic encrypted — but how do you actually get a certificate onto a live server and keep it valid? Learn what an SSL certificate really is, how issuance and renewal work, where files live, and the practical gotchas that bite real deployments.

Oct 28, 202610 min read
Environment configuration — the same app reading different settings per environment
Server / Deployment

Environment Configuration: How Apps Know Where They Are and What to Use

The same code runs on your laptop and on a live server, yet it talks to different databases, keys, and URLs. That magic is environment configuration. Learn what config is, why it must live outside your code, how environment variables and .env files work, and how to keep secrets safe — from zero.

Oct 27, 202611 min read