This guide is designed to help you secure a Linux server through practical, actionable steps. Before diving into the technical details, it’s important to understand what this guide covers, how it’s structured, and the use-case it addresses.

About This Guide

This guide…
This is a work in progress that continues to evolve as new security practices emerge and community members contribute.

What This Guide IS

  • Focused on at-home Linux servers - All concepts apply to larger/professional environments, but those use-cases call for more advanced and specialized configurations that are out-of-scope
  • Distribution agnostic - Works with most Linux distributions, though examples primarily use Debian-based commands
  • Organized logically - Sections are ordered in a way that makes sense (e.g., securing SSH before installing a firewall)
  • Easy to follow - Provides copy-and-paste code snippets that you can use directly (with minor modifications)

What This Guide IS NOT

This guide assumes you already know the basics of Linux. It does not teach you how to install Linux, use the command line, or perform basic system administration tasks.
  • Not a Linux tutorial - Check Linux Journey if you’re new to Linux
  • Not comprehensive security training - Doesn’t cover all aspects of system security (e.g., physical security is out of scope)
  • Not a deep dive into tools - Covers bare necessities to get you started and make you hungry to learn more
  • Not required to be followed in order - Though recommended, as some sections depend on previous ones

Approach

  1. Understand the context - Each section explains why something matters before showing you how to do it
  2. Follow practical steps - Code snippets and commands are provided that you can adapt to your needs
  3. Verify your work - While snippets automate changes, you should verify they worked as expected
Keep your favorite text editor handy - you’ll need to modify some commands before pasting them (e.g., usernames, paths, etc.).

My Use-Case

There are many types of servers and different use-cases. While this guide aims to be as generic as possible, some things may not apply to all scenarios. Use your best judgment when going through this guide. To help put context to many of the topics covered, here’s the reference configuration:

Hardware

  • Desktop class computer
  • Single NIC (network interface card)

Network

  • Consumer grade router
  • Dynamic WAN IP from ISP
  • IPv4 for WAN and LAN
  • NAT on the LAN

Access

  • SSH access from remote locations
  • Unknown computers and networks
  • Friends’ houses, coffee shops, etc.

Security Goal

  • Secure remote administration
  • Protection from internet threats
  • Defense in depth approach
If your use-case differs significantly (e.g., you have a static IP, multiple NICs, or only access from a known location), some recommendations may need adjustment.

Editing Configuration Files - For The Lazy

I am very lazy and do not like to edit files by hand if I don’t need to. I also assume everyone else is just like me. 😊 So, when and where possible, this guide provides code snippets to quickly do what is needed, like add or change a line in a configuration file.

How the Snippets Work

The code snippets use basic Linux commands:

  • echo - Outputs text that can be redirected to files
  • cat - Concatenates and displays file contents
  • sed - Stream editor for find/replace operations
  • awk - Pattern scanning and text processing
  • grep - Searches for patterns in text
How these commands work in detail is out of scope - the man pages are your friend if you want to learn more.

Important Caveats

The code snippets do not validate/verify the change went through. You need to verify that the line was actually added or changed.
Not all changes can be automated with code snippets. Some changes require manual editing:
  • INI-style configuration files where context matters
  • Complex multi-line configurations
  • Files that require specific formatting
For these cases, use your favorite Linux text editor (nano, vim, vi, etc.).

Before Using Snippets

  1. Backup first - The guide includes backup commands before each change - always run them
  2. Review the command - Understand what the snippet does before running it
  3. Modify as needed - Replace usernames, paths, or values specific to your setup
  4. Verify after - Check that the change was applied correctly
All steps in this guide include backup commands before making changes. Never skip the backup step!
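
The backup, change and verify cycle described above, as an added example that is not part of the original guide. `set_directive` is a hypothetical helper for simple "Key value" files, and the sample file it runs on is constructed.

```shell
#!/bin/sh
# Added example, not from the guide. set_directive and the sample file are
# hypothetical; the target is a "Key value" style file such as sshd_config.

# set_directive FILE KEY VALUE
# Prints the backup path on success; restores the backup and fails otherwise.
set_directive() {
    file=$1; key=$2; value=$3
    [ -f "$file" ] || { echo "no such file: $file" >&2; return 1; }

    # 1. Backup first, keeping mode, owner and timestamps.
    backup="$file.$(date +%Y%m%d%H%M%S).bak"
    cp -p "$file" "$backup" || return 1

    # 2. Change: replace the first active "KEY ..." line, drop later active
    #    duplicates, append if there is none. Commented lines are left alone.
    #    KEY/VALUE travel via the environment so awk expands no escapes.
    tmp=$(mktemp) || return 1
    if KEY=$key VALUE=$value awk '
        $1 == ENVIRON["KEY"] {
            if (!done) print ENVIRON["KEY"] " " ENVIRON["VALUE"]
            done = 1
            next
        }
        { print }
        END { if (!done) print ENVIRON["KEY"] " " ENVIRON["VALUE"] }
    ' "$file" > "$tmp" && cat "$tmp" > "$file" &&
    # 3. Verify: exactly one active line for KEY, and it carries VALUE.
    KEY=$key VALUE=$value awk '
        $1 == ENVIRON["KEY"] { n++; if ($0 == ENVIRON["KEY"] " " ENVIRON["VALUE"]) ok++ }
        END { exit !(n == 1 && ok == 1) }
    ' "$file"; then
        rm -f "$tmp"
        echo "$backup"
        return 0
    fi
    rm -f "$tmp"
    echo "change not verified, restoring $backup" >&2
    cp -p "$backup" "$file"
    return 1
}

# Constructed sample input: a scratch file, never the live configuration.
sample=$(mktemp)
printf '%s\n' '#PermitRootLogin prohibit-password' 'PermitRootLogin yes' \
    'Port 22' 'PermitRootLogin yes' > "$sample"
set_directive "$sample" PermitRootLogin no   # prints the backup path
cat "$sample"
```

A missing key is appended at the end of the file, so files where position or section matters still need the manual editing described under Important Caveats.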

Key Principles

Distribution Agnostic

This guide works with most Linux distributions, but there are some considerations:
  • Package managers differ - Examples use apt (Debian/Ubuntu), but other distros use yum, dnf, pacman, etc.
  • File paths may vary - Check your distribution’s documentation if you encounter issues
  • Default configurations differ - Some distros have different defaults
The guide is tested primarily on Debian. If you find something that doesn’t work on your distribution, contributions are welcome!

Security First

  • Minimal installation - Only install what you absolutely need
  • Defense in depth - Multiple layers of security
  • Assume breach - Plan for what happens if one layer fails
  • Keep updated - Security patches are critical

Practical Focus

This guide prioritizes:
  1. Effectiveness - Does it actually improve security?
  2. Practicality - Can it be implemented by most users?
  3. Maintainability - Can you keep it running long-term?
Read through the entire guide before starting. Your specific use-case might require skipping certain sections or changing the order.
