Basic server security hardening tips for Ubuntu and AlmaLinux

June 07, 2026 Cloud VPS and Dedicated Server Management

When you deploy a fresh Linux Virtual Private Server (VPS), it is immediately exposed to the public internet, where automated bots constantly scan for vulnerabilities. Leaving your server with its default configurations makes it an easy target for brute-force login attacks.

Securing your infrastructure doesn't have to be complicated. Follow these essential security hardening steps to safeguard your Ubuntu or AlmaLinux server instantly.

Step 1: Update the Repository and Core System Packages

Before applying any security loops, ensure your server is running the latest patches and kernels to eliminate known software exploits.

For Ubuntu:

Bash

sudo apt update && sudo apt upgrade -y

For AlmaLinux:

Bash

sudo dnf update -y

Step 2: Change the Default SSH Port

By default, SSH traffic flows through Port 22. Automated brute-force scripts target this specific port all day long. Changing it to a custom random port reduces malicious scan noise by up to 95%.

Open the SSH configuration file using the nano text editor:

Bash

sudo nano /etc/ssh/sshd_config

Locate the line that says #Port 22 or Port 22.

Remove the # character (if present) and change the number to a custom value between 1024 and 65535 (e.g., 2285).

Important: Do not close your current terminal window yet! If you close it before configuring your firewall in Step 3, you could lock yourself out of your own server.

Step 3: Configure a Host-Based Firewall

You must close all server ports by default and only open the ones required for your specific workflows (like your new SSH port, HTTP, and HTTPS).

On Ubuntu (Using UFW - Uncomplicated Firewall):

Bash

# Allow your custom SSH port (Replace 2285 with your actual port)

sudo ufw allow 2285/tcp

# Allow standard web traffic

sudo ufw allow 80/tcp

sudo ufw allow 443/tcp

# Enable the firewall routing profile

sudo ufw enable

On AlmaLinux (Using Firewalld):

Bash

# Start and enable the firewall system service

sudo systemctl start firewalld

sudo systemctl enable firewalld

# Allow your custom SSH port (Replace 2285 with your actual port)

sudo firewall-cmd --permanent --add-port=2285/tcp

# Allow standard web traffic

sudo firewall-cmd --permanent --add-service=http

sudo firewall-cmd --permanent --add-service=https

# Reload the firewall engine to apply changes

sudo firewall-cmd --reload

Step 4: Restart SSH and Test the Connection

Now it is safe to apply your new SSH port settings:

Bash

For Ubuntu

sudo systemctl restart ssh

For AlmaLinux

sudo systemctl restart sshd

How to safely verify your access: Open a completely separate, new terminal session on your computer and attempt to log in using the custom port parameters:

Bash

ssh root@your_server_ip -p 2285

If you log in successfully, you can safely close your old root terminal thread session.

Step 5: Install Fail2ban to Block Brute-Force Attacks

Fail2ban is an automated intrusion prevention system framework that monitors system access log text traces. If an IP address fails to log in multiple times, Fail2ban dynamically instructs the server firewall to block that IP address entirely.

On Ubuntu:

Bash

sudo apt install fail2ban -y

sudo systemctl start fail2ban

sudo systemctl enable fail2ban

On AlmaLinux:

Bash

Enable the EPEL repository first

sudo dnf install epel-release -y

sudo dnf install fail2ban -y

sudo systemctl start fail2ban

sudo systemctl enable fail2ban

The default configurations will automatically protect your SSH environment by banning abusive IPs for 10 minutes after 5 failed login attempts.

Summary Checklist for Enhanced Hardening:

  • Use Strong Passwords: Ensure your root password is at least 16 characters long and contains uppercase letters, lowercase letters, numbers, and symbols.
  • Disable Root Login (Optional Advanced Step): For production systems, creating a standard user account with sudo privileges and switching PermitRootLogin to no inside your sshd_config adds an incredible layer of security isolation.

Need Advanced Enterprise Hardening? If you are running enterprise-grade financial or data processing scripts and require advanced setups like SSH Key-Based Authentication or a Web Application Firewall (WAF) deployment, please Open a Premium Ticket inside your CeylonServers client room portal. Our dedicated server security administrators will audit and harden your environment partition manually!