How to Secure Linux Servers: Ubuntu, CentOS & RHEL Guide (2026)

You are currently viewing How to Secure Linux Servers: Ubuntu, CentOS & RHEL Guide (2026)

How to Secure Linux Servers: Ubuntu, CentOS & RHEL Guide (2026)

Image by: Sergei Starostin

Table of contents

Introduction

Did you know that 68% of breached Linux servers lacked basic security hardening? As cyber threats evolve, your Ubuntu, CentOS, or RHEL systems require more than default configurations. This comprehensive security hardening guide provides Linux server administrators with battle-tested strategies to fortify systems against modern threats. You’ll learn to implement critical controls like fail2ban intrusion prevention, configure mandatory access controls (SELinux/AppArmor), automate vulnerability scanning, and establish robust security patch management. Whether you’re managing cloud instances or on-premise servers, these step-by-step measures will transform your security posture.

Foundational security measures

Before implementing advanced controls, establish these baseline protections across all distributions. Start with firewall configuration – Ubuntu systems should utilize UFW (Uncomplicated Firewall) while CentOS/RHEL administrators should master firewalld zones. Only allow essential ports (SSH, HTTP/S) and explicitly deny all others. Next, implement SSH security hardening:

  • Disable root login: PermitRootLogin no in /etc/ssh/sshd_config
  • Enforce key-based authentication: PasswordAuthentication no
  • Change default port: Port 2222 (reduces automated bot scans by 65%)

User permission controls require special attention. Implement the principle of least privilege through:

“Regular user accounts should never have unnecessary sudo privileges. Audit existing users with sudo -l and remove administrative rights from non-essential personnel.” – Linux Security Foundation

Finally, enable automatic security updates for critical packages while maintaining change control procedures.

Intrusion prevention with fail2ban

Fail2ban dynamically blocks brute force attacks by monitoring log files and updating firewall rules. Installation varies by distribution:

Ubuntu/Debian systems

  1. sudo apt install fail2ban
  2. Create local config: cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local

CentOS/RHEL systems

  1. sudo yum install epel-release && sudo yum install fail2ban
  2. Enable: sudo systemctl enable --now fail2ban

Configure protection thresholds in /etc/fail2ban/jail.local:

[sshd]
enabled = true
maxretry = 3
bantime = 1h
findtime = 10m

Monitor banned IPs with fail2ban-client status sshd. For comprehensive protection, extend fail2ban to web applications and database services.

Mandatory access controls

Implement application confinement using distribution-specific MAC frameworks:

SELinux for CentOS/RHEL

Verify status: sestatus. Configure in /etc/selinux/config:

SELINUX=enforcing
SELINUXTYPE=targeted

Critical commands:

  • Check denials: ausearch -m avc -ts recent
  • Modify context: chcon -t httpd_sys_content_t /var/www/html

AppArmor for Ubuntu

Enable: sudo systemctl enable apparmor. Create profiles for critical services:

  1. Install tools: sudo apt install apparmor-utils
  2. Generate profile: aa-genprof /path/to/binary
Security framework Configuration tool Default profile location
SELinux (RHEL/CentOS) semanage, setsebool /etc/selinux/targeted
AppArmor (Ubuntu) aa-genprof, aa-complain /etc/apparmor.d

Automated vulnerability scanning

OpenSCAP provides standardized vulnerability assessments using SCAP (Security Content Automation Protocol). Install across distributions:

Ubuntu

sudo apt install libopenscap8 oscap-scanner

CentOS/RHEL

sudo yum install openscap-scanner scap-security-guide

Scan systems using compliance profiles:

oscap xccdf eval --profile xccdf_org.ssgproject.content_profile_standard \
--results scan-results.xml \
/usr/share/xml/scap/ssg/content/ssg-ubuntu2204-ds.xml

Critical SCAP profiles by distribution:

Distribution Profile Compliance standard
Ubuntu 22.04 cis_level2_server CIS Benchmark
RHEL 9 cis_server_l1 CIS Level 1
CentOS 7 stig DISA STIG

Schedule weekly scans with cron and integrate findings into your security operations workflow.

Security patch management

Effective patching requires balancing security and stability. Implement these strategies:

Patch classification system

  • Critical: Apply within 24 hours (CVSS ≥ 9.0)
  • High: Apply within 72 hours (CVSS 7.0-8.9)
  • Medium: Apply during next maintenance window

Distribution-specific tools

  1. Ubuntu: Use unattended-upgrades with selective security patching
  2. RHEL: Configure yum-cron with security repository
  3. CentOS: Implement dnf-automatic for stream-lined updates

Always test patches in staging environments using cloned configurations. For critical systems, consider Red Hat Satellite or Ubuntu Landscape for enterprise-scale management. Maintain detailed patch documentation for audits.

Frequently asked questions

How often should I perform vulnerability scans?

Scan production systems weekly and after significant configuration changes. High-risk environments may require continuous monitoring with tools like OpenSCAP daemon.

Should I disable SELinux for application compatibility?

Never disable SELinux – instead, troubleshoot using audit2allow to create custom policies. Disabling removes critical security controls and violates most compliance frameworks.

What’s the difference between fail2ban and firewall rules?

Firewalls enforce static rules, while fail2ban dynamically blocks IPs based on behavior. They work complementarily – firewalls restrict initial access, while fail2ban responds to attack patterns.

Can OpenSCAP automatically remediate findings?

Yes, using oscap xccdf generate fix creates remediation scripts. Always review and test generated fixes in non-production environments first.

Conclusion

Effective Linux server hardening requires layered security: from foundational firewall configurations to advanced controls like SELinux and automated OpenSCAP scanning. By implementing this guide’s fail2ban configurations, mandatory access controls, vulnerability management, and security patch strategies, you’ll significantly reduce attack surfaces across Ubuntu, CentOS, and RHEL environments. Remember that security is continuous – regularly audit configurations, monitor logs, and stay informed about emerging threats. Begin your hardening journey today by conducting a comprehensive security assessment using the tools and techniques outlined here.