Hardening Linux: Advanced Security Protocols for Web Servers

Deploying a Linux VDS is only the first step. Without a rigorous security posture, your infrastructure is vulnerable to automated brute-force attacks and sophisticated exploits. This guide covers advanced hardening techniques.

1. SSH Hardening (Level 2)

Changing the default port (22) is a basic "security through obscurity" move. For true security, implement the following in /etc/ssh/sshd_config:

# Disable password auth entirely
PasswordAuthentication no

# Limit maximum auth attempts
MaxAuthTries 3

# Disable empty passwords
PermitEmptyPasswords no

# Limit to specific users
AllowUsers admin_username

2. Implementing Fail2Ban with Custom Filters

Fail2Ban is essential, but default filters often miss clever bots. Creating custom filters for nginx-botsearch or wp-login attempts can proactively block attackers before they find a vulnerability.

3. Kernel Hardening (sysctl.conf)

Protect against IP spoofing and certain DoS attacks by tweaking kernel parameters in /etc/sysctl.conf:

# Ignore ICMP redirects (prevents MITM attacks)
net.ipv4.conf.all.accept_redirects = 0
net.ipv6.conf.all.accept_redirects = 0

# Enable IP spoofing protection
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1

4. Unused Service Auditing

Every running service is a potential entry point. Use netstat -tulpn to audit which ports are open and disable anything unnecessary (e.g., RPCbind, Avahi, or unused mail agents).

5. Automated Security Patching

For Debian/Ubuntu, use unattended-upgrades to ensure that critical security patches are applied automatically without human intervention.

Implementing these layers ensures your VDS infrastructure remains resilient against the evolving threat landscape.