15 Essential Steps to Secure a New Linux Dedicated Server
Securing a new dedicated server immediately after provisioning is critical to prevent cyber attacks. The essential first steps include configuring SSH key authentication, disabling root login, setting up a firewall (UFW) alongside Fail2Ban, enabling swap memory, and installing SSL certificates.
Whether you are hosting high-traffic websites or complex applications on MIG servers, securing your infrastructure from day one ensures maximum uptime. Follow this step-by-step Linux server hardening guide to properly configure your new machine
Table of Contents
- Step 1: Log in via SSH
- Step 2: Update and Upgrade the Operating System
- Step 3: Create a New Sudo User
- Step 4: Secure SSH Access
- Step 5: Configure a Basic Firewall
- Step 6: Install Fail2Ban
- Step 7: Set Hostname and Timezone
- Step 8: Enable Automatic Security Updates
- Step 9: Configure Swap Memory
- Step 10: Enable Time Synchronization
- Step 11: Configure Monitoring
- Step 12: Set Up Automated Backups
- Step 13: Verify DDoS Protection
- Step 14: Install SSL/TLS Certificates
- Step 15: Application-Specific Hardening
Prerequisites
- A newly provisioned Linux Dedicated Server (Ubuntu/Debian based)
- The server's public IP address & root password.
- A terminal or SSH client
Step 1 Log in via SSH
SSH (Secure Shell) is the industry-standard cryptographic network protocol for operating network services securely over an unsecured network. It is the only secure way to initially access your remote server.
Open your terminal and log in as the default root administrator:
ssh root@your_server_ip
(Accept the host key warning and enter your root password).
Step 2 Update and Upgrade the Operating System
Newly provisioned servers usually come with the base installation of an OS. Because outdated software packages contain known vulnerabilities that hackers exploit using automated bots, updating ensures you have the latest security patches before installing anything else.
apt update && apt upgrade -y
reboot
Step 4 Create a New Sudo User
The root user has absolute power, meaning a single typo in a command can destroy
the entire operating system. Creating a standard user with sudo privileges adds a
crucial layer of safety by forcing you to explicitly authorize destructive or administrative
commands.
Replace sysadmin with your preferred username:
adduser sysadmin
usermod -aG sudo sysadmin
Step 4 Secure SSH Access (Keys & Port)
Since Port 22 is constantly scanned by malicious scripts, changing the default port stops automated noise. More importantly, while passwords can be guessed or brute-forced, cryptographic SSH Keys cannot. Disabling password authentication completely eliminates brute-force login risks.
Open a new terminal on your local machine and run:
ssh-keygen -t ed25519
ssh-copy-id sysadmin@your_server_ip
Once the key is successfully copied, return to your server terminal and open the SSH configuration file:
nano /etc/ssh/sshd_config
Modify the file to reflect these highly secure settings:
Port 2244
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
Save the file and restart the SSH service:
systemctl restart ssh
Step 5 Configure a Basic Firewall (UFW)
A firewall acts as a digital bouncer that blocks all incoming traffic by default. You must explicitly open only the ports your applications need, keeping hackers out of unused internal services.
ufw allow 2244/tcp
ufw allow 80/tcp
ufw allow 443/tcp
ufw enable
Check the status to verify your rules:
ufw status
Step 6 Install Fail2Ban
Even on a custom port, determined attackers might find your SSH service. Fail2Ban acts as an active defense mechanism by monitoring server logs. If an IP address fails to log in multiple times, Fail2Ban temporarily blocks suspicious IP addresses for a configurable period at the firewall level.
apt install fail2ban -y
systemctl start fail2ban
systemctl enable fail2ban
Step 7 Set the Hostname and Timezone
Setting a clear hostname prevents you from running commands on the wrong machine when managing multiple servers. Additionally, configuring the correct local timezone is essential for reading security logs and troubleshooting database transaction times accurately.
hostnamectl set-hostname server1
timedatectl set-timezone America/New_York
Step 8 Enable Automatic Security Updates
"Zero-day" vulnerabilities are discovered constantly, and you might not be online to manually patch your server when a critical exploit is released. Unattended upgrades ensure your server automatically patches essential security flaws in the background.
apt install unattended-upgrades -y
dpkg-reconfigure -plow unattended-upgrades
To verify that the service is actively running:
systemctl status unattended-upgrades
Step 9 Configure Swap Memory
If your server runs out of physical RAM, the Linux kernel will aggressively kill running processes (like your database or web server) to survive. Swap memory provides a safety net by using your hard drive as temporary RAM overflow.
Recommended Swap Sizes:
| Physical RAM | Recommended Swap Size |
|---|---|
| 1 GB – 2 GB | 2 GB |
| 4 GB | 2 GB – 4 GB |
| 8 GB or more | 4 GB or more (depending on workload) |
To create a 2GB swap file (adjust the 2G value as needed) and enable it:
fallocate -l 2G /swapfile
chmod 600 /swapfile
mkswap /swapfile
swapon /swapfile
Make it permanent across reboots by adding it to your fstab:
echo '/swapfile none swap sw 0 0' >> /etc/fstab
Step 10 Enable Time Synchronization (NTP)
A server's internal hardware clock drifts over time. If your server's time is out of sync with global standards, SSL certificates may fail to validate, API requests will be rejected, and database replication will break.
timedatectl set-ntp true
Step 11 Configure Server & Performance Monitoring
A server's internal hardware clock drifts over time. If your server's time is out of sync with global standards, SSL certificates may fail to validate, API requests will be rejected, and database replication will break.
Consider these industry-standard infrastructure monitoring tools:
- Netdata: Excellent for real-time, highly visual performance monitoring.
- Zabbix: Ideal for enterprise-level infrastructure alerting.
- Prometheus & Grafana: The best combination for tracking application metrics.
Read Next
How to Install Prometheus and Node ExporterHow to Secure Prometheus with HTTPS and Password
How to Add Linux Target Nodes to Prometheus Monitoring
Step 12 Set Up Automated Backups
Hardware fails, ransomware happens, and humans make mistakes. Because a server is replaceable but your data is not, automated backups are your ultimate insurance policy against catastrophic data loss.
- Implement daily automated backups.
- Store backups offsite (like a remote cloud bucket).
- Regularly test your backup restoration process.
Step 13 Verify DDoS Protection
Distributed Denial of Service (DDoS) attacks overwhelm your server's bandwidth with fake traffic, making it completely inaccessible to real users. Software firewalls cannot stop large-scale volumetric attacks alone.
At MIG servers, you don't have to worry about external mitigation. All our dedicated servers come with built-in DDoS protection up to 250Gbps automatically enabled out of the box, ensuring uninterrupted uptime.
Step 14 Install SSL/TLS Certificates
Unencrypted HTTP traffic can be intercepted and read by malicious third parties. SSL certificates encrypt the data flowing between your server and users, preventing browsers from flagging your site as "Not Secure" and destroying user trust.
Install Let's Encrypt via Certbot to easily generate free SSL certificates for your specific web server.
For Nginx Users:
apt install certbot python3-certbot-nginx -y
For Apache Users:
apt install certbot python3-certbot-apache -y
Step 15 Application-Specific Hardening
Securing the Linux OS is only the first half of the battle. If you install a database with a weak password, or a vulnerable software plugin, hackers will bypass your OS security entirely through the application layer.
- Databases: Always run mysql_secure_installation for MySQL/MariaDB to remove test databases and disable remote root access.
- Docker: Avoid running containers as the root user.
- Control Panels: Configure the built-in brute-force protections in cPanel, Plesk, or Webuzo.
Final Thoughts on Server Hardening
Securing a dedicated server is an ongoing process. By following this 15-step checklist, you have built a fortified environment capable of safely hosting high-performance applications.
At MIG servers, we provide the ultimate foundation with blazing-fast hardware and a robust 250Gbps DDoS-protected network. If you need assistance configuring your server stack, our expert support team is always ready to help you scale securely.