Basic server security hardening tips for Ubuntu and AlmaLinux
When you deploy a fresh Linux Virtual Private Server (VPS), it is immediately exposed to the public internet, where automated bots constantly scan for vulnerabilities. Leaving your server with its default configurations makes it an easy target for brute-force login attacks.
Securing your infrastructure doesn't have to be complicated. Follow these essential security hardening steps to safeguard your Ubuntu or AlmaLinux server instantly.
Step 1: Update the Repository and Core System Packages
Before applying any security loops, ensure your server is running the latest patches and kernels to eliminate known software exploits.
For Ubuntu:
Bash
sudo
apt update && sudo apt upgrade -y
For AlmaLinux:
Bash
sudo
dnf update -y
Step 2: Change the Default SSH Port
By default, SSH traffic flows through Port 22. Automated brute-force scripts target this specific port all day long. Changing it to a custom random port reduces malicious scan noise by up to 95%.
Open the SSH configuration file using the nano text editor:
Bash
sudo
nano /etc/ssh/sshd_config
Locate the line that says #Port 22 or Port 22.
Remove the # character (if present) and change the number to a custom value between 1024 and 65535 (e.g., 2285).
Important: Do not close your current terminal window yet! If you close it before configuring your firewall in Step 3, you could lock yourself out of your own server.
Step 3: Configure a Host-Based Firewall
You must close all server ports by default and only open the ones required for your specific workflows (like your new SSH port, HTTP, and HTTPS).
On Ubuntu (Using UFW - Uncomplicated Firewall):
Bash
# Allow your custom SSH port (Replace 2285 with your actual port)
sudo ufw allow 2285/tcp
# Allow standard web traffic
sudo ufw allow 80/tcp
sudo ufw allow 443/tcp
# Enable the firewall routing profile
sudo ufw enable
On AlmaLinux (Using Firewalld):
Bash
# Start and enable the firewall system service
sudo systemctl start firewalld
sudo systemctl enable firewalld
# Allow your custom SSH port (Replace 2285 with your actual port)
sudo firewall-cmd --permanent --add-port=2285/tcp
# Allow standard web traffic
sudo firewall-cmd --permanent --add-service=http
sudo firewall-cmd --permanent --add-service=https
# Reload the firewall engine to apply changes
sudo firewall-cmd --reload
Step 4: Restart SSH and Test the Connection
Now it is safe to apply your new SSH port settings:
Bash
For Ubuntu
sudo systemctl restart ssh
For AlmaLinux
sudo systemctl restart sshd
How to safely verify your access: Open a completely separate, new terminal session on your computer and attempt to log in using the custom port parameters:
Bash
ssh
root@your_server_ip -p 2285
If you log in successfully, you can safely close your old root terminal thread session.
Step 5: Install Fail2ban to Block Brute-Force Attacks
Fail2ban is an automated intrusion prevention system framework that monitors system access log text traces. If an IP address fails to log in multiple times, Fail2ban dynamically instructs the server firewall to block that IP address entirely.
On Ubuntu:
Bash
sudo
apt install fail2ban -y
sudo systemctl start fail2ban
sudo systemctl enable fail2ban
On AlmaLinux:
Bash
Enable the EPEL repository first
sudo dnf install epel-release -y
sudo dnf install fail2ban -y
sudo systemctl start fail2ban
sudo systemctl enable fail2ban
The default configurations will automatically protect your SSH environment by banning abusive IPs for 10 minutes after 5 failed login attempts.
Summary Checklist for Enhanced Hardening:
- Use Strong Passwords: Ensure your root password is at least 16 characters long and contains uppercase letters, lowercase letters, numbers, and symbols.
- Disable Root Login (Optional Advanced Step): For production systems, creating a standard user account with sudo privileges and switching
PermitRootLogintonoinside yoursshd_configadds an incredible layer of security isolation.
Need Advanced Enterprise Hardening? If you are running enterprise-grade financial or data processing scripts and require advanced setups like SSH Key-Based Authentication or a Web Application Firewall (WAF) deployment, please Open a Premium Ticket inside your CeylonServers client room portal. Our dedicated server security administrators will audit and harden your environment partition manually!