{"id":82504,"date":"2026-03-05T10:59:56","date_gmt":"2026-03-05T15:59:56","guid":{"rendered":"https:\/\/www.inmotionhosting.com\/blog\/?p=82504"},"modified":"2026-03-03T11:05:00","modified_gmt":"2026-03-03T16:05:00","slug":"server-hardening-best-practices-dedicated-servers","status":"publish","type":"post","link":"https:\/\/www.inmotionhosting.com\/blog\/server-hardening-best-practices-dedicated-servers\/","title":{"rendered":"Server Hardening Best Practices for Dedicated Servers"},"content":{"rendered":"\n
\"Server<\/figure>\n\n\n

A freshly provisioned dedicated server is not a secure server. Default configurations are designed for broad compatibility, not minimal attack surface. Every open port that shouldn’t be open, every default credential that wasn’t changed, every world-readable file with sensitive content is an exposure waiting to be discovered.Server hardening is the process of reducing that attack… <\/p><\/div>\n\n\n

Start with the Attack Surface Inventory<\/strong><\/h2>\n\n\n\n

Before changing anything, know what’s running:<\/p>\n\n\n\n

# All listening ports\n\nss -tlnp\n\n# Running services\n\nsystemctl list-units --type=service --state=running\n\n# SUID\/SGID files (privilege escalation candidates)\n\nfind \/ -perm \/6000 -type f 2>\/dev\/null\n\n# World-writable directories\n\nfind \/ -xdev -type d -perm -0002 2>\/dev\/null<\/code><\/pre>\n\n\n\n
<\/p>\n\n\n\n
Document what each open port and running service is for. If you can’t immediately answer “why is this port open,” that’s the first thing to investigate.<\/p>\n\n\n\n
SSH Hardening<\/strong><\/h2>\n\n\n\n
SSH is the primary administrative access vector on Linux servers \u2014 and the primary target for brute-force attacks. Hardening SSH closes off the most common attack path before any other configuration.<\/p>\n\n\n\n
Edit \/etc\/ssh\/sshd_config and enforce these settings:<\/p>\n\n\n\n
# Disable password authentication entirely\n\nPasswordAuthentication no\n\nChallengeResponseAuthentication no\n\n# Disable root login over SSH\n\nPermitRootLogin no\n\n# Use a non-standard port (reduces automated scan noise)\n\nPort 2222\n\n# Limit SSH to specific users\n\nAllowUsers deploy_user admin_user\n\n# Reduce authentication timeout window\n\nLoginGraceTime 30\n\nMaxAuthTries 3\n\n# Disable legacy protocol features\n\nProtocol 2\n\nX11Forwarding no\n\nAllowAgentForwarding no\n\nAllowTcpForwarding no\n\n# Keep-alive settings to terminate idle sessions\n\nClientAliveInterval 300\n\nClientAliveCountMax 2<\/code><\/pre>\n\n\n\n
Key-based authentication is mandatory once password authentication is disabled. Generate keys on your local machine with ssh-keygen -t ed25519 and copy the public key to ~\/.ssh\/authorized_keys on the server before disabling passwords.<\/p>\n\n\n\n
Apply the changes: systemctl restart sshd. Verify you can still connect via key before closing your current session.<\/p>\n\n\n\n
NIST Special Publication 800-123<\/a> provides comprehensive guidance on SSH configuration in production environments, including key management practices.<\/p>\n\n\n\n
Firewall Configuration with nftables<\/strong><\/h2>\n\n\n\n
Modern Linux distributions use nftables as the preferred firewall framework. A minimal ruleset for a web server:<\/p>\n\n\n\n
#!\/usr\/sbin\/nft -f\n\nflush ruleset\n\ntable inet filter {\n\n\u00a0\u00a0\u00a0\u00a0chain input {\n\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0type filter hook input priority 0; policy drop;\n\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0# Accept established\/related connections\n\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0ct state established,related accept\n\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0# Accept loopback\n\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0iif lo accept\n\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0# Accept ICMP (ping) - limit rate\n\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0icmp type echo-request limit rate 5\/second accept\n\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0icmpv6 type echo-request limit rate 5\/second accept\n\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0# SSH on custom port\n\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0tcp dport 2222 ct state new limit rate 10\/minute accept\n\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0# HTTP and HTTPS\n\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0tcp dport { 80, 443 } accept\n\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0# Log and drop everything else\n\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0log prefix \"Dropped: \" drop\n\n\u00a0\u00a0\u00a0\u00a0}\n\n\u00a0\u00a0\u00a0\u00a0chain forward {\n\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0type filter hook forward priority 0; policy drop;\n\n\u00a0\u00a0\u00a0\u00a0}\n\n\u00a0\u00a0\u00a0\u00a0chain output {\n\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0type filter hook output priority 0; policy accept;\n\n\u00a0\u00a0\u00a0\u00a0}\n\n}<\/code><\/pre>\n\n\n\n
Save to \/etc\/nftables.conf and enable: systemctl enable –now nftables. The default policy is drop on inbound \u2014 only explicitly allowed traffic gets through.<\/p>\n\n\n\n
For servers running cPanel\/WHM, cPanel manages its own firewall rules. Use ConfigServer Security & Firewall (CSF), which integrates with WHM and provides a UI for rule management without overriding cPanel’s required ports.<\/p>\n\n\n\n
User Account Management<\/strong><\/h2>\n\n\n\n
Every user account is a potential compromise vector. Dedicate attention to:<\/p>\n\n\n\n
Disable unused system accounts<\/strong>: Check \/etc\/passwd for accounts with login shells that shouldn’t have them. Set their shell to \/sbin\/nologin:<\/p>\n\n\n\n
usermod -s \/sbin\/nologin unused_account<\/p>\n\n\n\n
Remove unnecessary sudo privileges<\/strong>: visudo to review \/etc\/sudoers. Each line granting NOPASSWD sudo is a privilege escalation path if that account is compromised. Require password for all sudo operations in production.<\/p>\n\n\n\n
Use role-based user accounts<\/strong>: Application services should run as their own dedicated system user with minimal permissions. The web server shouldn’t run as root. MySQL shouldn’t run as root. Create application-specific users:<\/p>\n\n\n\n
useradd -r -s \/sbin\/nologin -d \/var\/www\/app appuser\n\nchown -R appuser:appuser \/var\/www\/app<\/code><\/pre>\n\n\n\n
Audit last logins regularly<\/strong>: lastlog | grep -v Never shows accounts that have been used to log in. Accounts you didn’t expect to see in that output warrant investigation.<\/p>\n\n\n\n
Kernel Hardening via sysctl<\/strong><\/h2>\n\n\n\n
Several kernel parameters reduce the attack surface for network-level exploits:<\/p>\n\n\n\n
# \/etc\/sysctl.d\/99-hardening.conf\n\n# Disable IP source routing (used in some spoofing attacks)\n\nnet.ipv4.conf.all.accept_source_route = 0\n\nnet.ipv4.conf.default.accept_source_route = 0\n\n# Disable ICMP redirect acceptance\n\nnet.ipv4.conf.all.accept_redirects = 0\n\nnet.ipv4.conf.default.accept_redirects = 0\n\n# Enable reverse path filtering (anti-spoofing)\n\nnet.ipv4.conf.all.rp_filter = 1\n\n# Disable ping broadcasts\n\nnet.ipv4.icmp_echo_ignore_broadcasts = 1\n\n# Log martian packets (packets with impossible source addresses)\n\nnet.ipv4.conf.all.log_martians = 1\n\n# Disable IPv6 if not in use\n\nnet.ipv6.conf.all.disable_ipv6 = 1\n\n# Kernel pointer hiding\n\nkernel.kptr_restrict = 2\n\nkernel.dmesg_restrict = 1<\/code><\/pre>\n\n\n\n
Apply with sysctl -p \/etc\/sysctl.d\/99-hardening.conf.<\/p>\n\n\n\n
File System Security<\/strong><\/h2>\n\n\n\n
Set correct permissions on sensitive directories:<\/strong><\/p>\n\n\n\n
chmod 750 \/root\n\nchmod 644 \/etc\/passwd\n\nchmod 640 \/etc\/shadow\n\nchmod 600 \/etc\/ssh\/sshd_config<\/code><\/pre>\n\n\n\n
Mount options that reduce privilege escalation risks<\/strong>:<\/p>\n\n\n\n
Edit \/etc\/fstab to add noexec, nosuid, and nodev to partitions that shouldn’t contain executable files:<\/p>\n\n\n\n
\/dev\/sdb1 \/var\/tmp ext4 defaults,noexec,nosuid,nodev 0 2<\/p>\n\n\n\n
Audit file integrity with AIDE<\/strong>: AIDE (Advanced Intrusion Detection Environment)<\/a> creates a database of file checksums and can alert when files change unexpectedly. Initialize with aide –init, then run aide –check periodically or via cron. Unexpected changes to system binaries, libraries, or configuration files indicate a compromise.<\/p>\n\n\n\n
Software and Package Management<\/strong><\/h2>\n\n\n\n
Keep packages current<\/strong>: Unpatched vulnerabilities in the kernel, OpenSSL, glibc, and other system libraries are the most common path to server compromise after weak credentials.<\/p>\n\n\n\n
# CentOS\/AlmaLinux\/Rocky Linux\n\ndnf update --security -y\n\n# Ubuntu\/Debian\n\napt-get upgrade -y<\/code><\/pre>\n\n\n\n
Automate security updates: dnf-automatic (RHEL family) or unattended-upgrades (Debian family) can be configured to automatically apply security patches while leaving major version upgrades for manual review.<\/p>\n\n\n\n
Audit installed packages<\/strong>: Remove packages that were installed for testing and never removed. Each installed package is a potential vulnerability. rpm -qa (RHEL) or dpkg -l (Debian) lists everything installed.<\/p>\n\n\n\n
Remove development tools from production servers<\/strong>: Compilers, debuggers, and package build tools don’t belong on production servers. An attacker who gains limited access can use them to compile exploit code. Remove gcc, make, and similar tools if they’re present.<\/p>\n\n\n\n
Intrusion Detection and Log Monitoring<\/strong><\/h2>\n\n\n\n
Fail2Ban<\/strong> monitors log files and blocks IPs that exhibit suspicious patterns \u2014 repeated failed SSH logins, Nginx 4xx error floods, and other abuse signals. Fail2Ban<\/a> is installable via the package manager on all major Linux distributions and works with any log file format.<\/p>\n\n\n\n
Log centralization<\/strong>: Shipping logs to a remote syslog server means that even if the server is compromised and local logs are wiped, you retain the audit trail. rsyslog supports remote logging natively. For teams already running an ELK stack (Elasticsearch, Logstash, Kibana) or a managed log aggregation service, configure the server’s rsyslog.conf to forward to the central receiver.<\/p>\n\n\n\n
Monarx malware detection<\/strong>: InMotion’s Premier Care bundle includes Monarx<\/a>, a file-scanning malware detection engine designed specifically for web hosting environments. Monarx detects web shell uploads, malicious PHP injections, and cryptocurrency miners \u2014 the most common malware targeting Linux servers in web hosting contexts. It runs at the kernel level without the performance impact of traditional antivirus solutions.<\/p>\n\n\n\n
Scheduling Regular Audits<\/strong><\/h2>\n\n\n\n
Hardening at provisioning time degrades over time if not maintained. Set a quarterly review cycle covering:<\/p>\n\n\n\n