If you’re handling financial transactions, healthcare records, or customer payment data, a security breach isn’t just embarrassing—it’s existential. Regulations like PCI-DSS, HIPAA, and GDPR mandate specific security controls, and your customers expect their data to be protected.
This guide covers the security practices that protect production systems across finance, healthcare, and e-commerce—from initial server setup to ongoing monitoring.
Initial Setup — Create a Non-Root User. Never use root directly:
# Create the day-to-day admin account (run as root on a fresh box) and give it sudo rights
useradd --create-home --shell /bin/bash admin
passwd admin
usermod --append --groups sudo admin
# RHEL/CentOS: the sudo-capable group is "wheel" rather than "sudo"
usermod --append --groups wheel admin
SSH Hardening. Edit /etc/ssh/sshd_config:
# Disable root login — administer through the sudo-capable user created earlier
PermitRootLogin no
# Disable password authentication. Apply this only after ssh-copy-id has installed a key
# and a key-based login has been verified from a second session, or you lock yourself out.
PasswordAuthentication no
PubkeyAuthentication yes
# Limit users who can SSH — every account listed needs a key in its ~/.ssh/authorized_keys
AllowUsers admin deploy
# Change default port (optional). This only reduces scanner noise, it is not a security
# control; keep the firewall rules and fail2ban's "port" in step with it.
Port 2222
# Limit authentication attempts per connection and the time allowed to complete a login
MaxAuthTries 3
LoginGraceTime 60
# Disable empty passwords
PermitEmptyPasswords no
# Disable X11 forwarding
X11Forwarding no
# Drop unresponsive clients: a keepalive every 300 s, disconnect after 2 unanswered (~10 min).
# This is a liveness check, not a true idle timeout — an idle but responsive client stays connected.
ClientAliveInterval 300
ClientAliveCountMax 2
Apply changes:
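# Validate the config before restarting: a typo would leave sshd unable to start and lock you out.
# Keep the current session open and confirm a key-based login from a second terminal first.
# (On Debian/Ubuntu the unit may be named "ssh" rather than "sshd".)
sudo sshd -t && sudo systemctl restart sshd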
SSH Key Setup. On your local machine:
# Generate an Ed25519 key pair (set a passphrase when prompted)
ssh-keygen -C "admin@example.com" -t ed25519
# Install the public key on the server. Do this BEFORE PasswordAuthentication is turned off
# in sshd_config — ssh-copy-id itself needs a password login to get the key across.
ssh-copy-id -i ~/.ssh/id_ed25519.pub admin@server
Firewall Configuration — UFW (Ubuntu/Debian)
# Default policy: drop unsolicited inbound traffic, permit outbound
sudo ufw default deny incoming
sudo ufw default allow outgoing
# SSH on the custom port from sshd_config — add this BEFORE enabling, or the enable cuts the session
# ("ufw limit 2222/tcp" would additionally throttle new connections from one source)
sudo ufw allow 2222/tcp
# Web traffic (one multiport rule for HTTP and HTTPS)
sudo ufw allow 80,443/tcp
# Turn the firewall on; the rule set persists across reboots
sudo ufw enable
# Verify the loaded rules
sudo ufw status verbose
firewalld (RHEL/CentOS)
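# Start now and at boot
sudo systemctl start firewalld
sudo systemctl enable firewalld
# Open web traffic and the custom SSH port. No space after "=": "--add-service= http"
# hands firewall-cmd an empty service name and "http" as a stray argument.
sudo firewall-cmd --permanent --add-service=http
sudo firewall-cmd --permanent --add-service=https
sudo firewall-cmd --permanent --add-port=2222/tcp
# Drop the stock ssh service (port 22) — only after the 2222 rule is loaded and a login on it works
sudo firewall-cmd --permanent --remove-service=ssh
# Activate the permanent configuration
sudo firewall-cmd --reload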
iptables Direct Rules
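# IPv4 only: ip6tables keeps its own policies and needs equivalent rules, otherwise IPv6
# stays wide open. Run from the console or a session you can afford to lose — the DROP
# policy takes effect before the ESTABLISHED rule below is added.
# Flush existing rules in the filter table (other tables are untouched)
iptables -F
# Default policies
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
# Allow loopback
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
# Allow replies to connections this host started
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Rate limit new SSH connections: more than 10 from one source within 60 s are dropped.
# These rules MUST precede the SSH ACCEPT — iptables is first-match-wins, so placed after
# it they would never be evaluated.
iptables -A INPUT -p tcp --dport 2222 -m conntrack --ctstate NEW -m recent --set
iptables -A INPUT -p tcp --dport 2222 -m conntrack --ctstate NEW -m recent --update --seconds 60 --hitcount 10 -j DROP
# Allow SSH (custom port from sshd_config)
iptables -A INPUT -p tcp --dport 2222 -j ACCEPT
# Allow HTTP/HTTPS
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -j ACCEPT
# Save rules (Debian/Ubuntu, iptables-persistent). Run as root: a "sudo" on iptables-save
# would not apply to the redirection.
iptables-save > /etc/iptables/rules.v4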
Automatic Security Updates — Ubuntu/Debian
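sudo apt install unattended-upgrades
# Configure. No space after "=": "--priority= low" passes an empty priority and "low" as a package name.
sudo dpkg-reconfigure --priority=low unattended-upgrades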
Edit /etc/apt/apt.conf.d/50unattended-upgrades:
Unattended-Upgrade::Allowed-Origins {
    "${distro_id}:${distro_codename}";
    "${distro_id}:${distro_codename}-security";
    "${distro_id}ESMApps:${distro_codename}-apps-security";
    "${distro_id}ESM:${distro_codename}-infra-security";
};
Unattended-Upgrade::Remove-Unused-Dependencies "true";
Unattended-Upgrade::Automatic-Reboot "true";
Unattended-Upgrade::Automatic-Reboot-Time "02:00";
RHEL/CentOS
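sudo dnf install dnf-automatic
# Edit /etc/dnf/automatic.conf. The section header is "[commands]" with no inner space —
# "[ commands]" is a different, unknown section and the keys under it are not applied.
[commands]
apply_updates = yes
upgrade_type = security
# Enable timer
sudo systemctl enable --now dnf-automatic.timer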
Fail2Ban. Protect against brute-force attacks:
sudo apt install fail2ban
# Local settings live in jail.local; jail.conf is overwritten by package upgrades.
# (A jail.local holding only the keys you change is easier to maintain than a full copy.)
sudo cp -- /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
Edit /etc/fail2ban/jail.local:
[DEFAULT]
# Ban for 1h after 5 failures within 10 minutes. "ufw" matches the UFW setup above;
# on a firewalld host use one of the firewallcmd-* banactions instead.
bantime = 1h
findtime = 10m
maxretry = 5
banaction = ufw
[sshd]
enabled = true
# Must match "Port" in sshd_config
port = 2222
filter = sshd
# Hosts that log only to the journal (no rsyslog) have no auth.log — use "backend = systemd" there
logpath = /var/log/auth.log
# Stricter than DEFAULT for SSH: 3 failures, banned for a day
maxretry = 3
bantime = 24h
# Load the new jail configuration
sudo systemctl restart fail2ban.service
# Confirm the sshd jail is active and list current bans
sudo fail2ban-client status sshd
File System Security — Secure Shared Memory. Add to /etc/fstab:
tmpfs /run/shm tmpfs defaults,noexec,nosuid 0 0
Set Permissions
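# Secure sensitive files
chmod 700 /root
# Distros ship /etc/shadow differently (Debian/Ubuntu: root:shadow 0640, RHEL: 0000). 0600 can
# break setgid-shadow PAM helpers such as unix_chkpwd — check your distro's default before tightening.
chmod 600 /etc/shadow
chmod 644 /etc/passwd
# Remove world-writable files under /etc ("+" batches the paths into one chmod call)
find /etc -type f -perm -002 -exec chmod o-w {} +
# List SUID and SGID binaries for review: compare against what the package manager installed
# and keep the list as a baseline to diff against later
find / -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null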
Kernel Hardening. Edit /etc/sysctl.conf:
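# Prevent IP spoofing: strict reverse-path check (use 2 on hosts with asymmetric routing).
# "all" covers existing interfaces, "default" covers interfaces created later — set both.
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
# Disable IP forwarding (container hosts need it on — Docker enables it itself at daemon start)
net.ipv4.ip_forward = 0
# Ignore ICMP redirects, and do not send them: this host is not a router
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv6.conf.all.accept_redirects = 0
net.ipv6.conf.default.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
# Disable source routing (IPv4 and IPv6)
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv6.conf.all.accept_source_route = 0
net.ipv6.conf.default.accept_source_route = 0
# SYN flood protection
net.ipv4.tcp_syncookies = 1
# Ignore ping broadcasts
net.ipv4.icmp_echo_ignore_broadcasts = 1
# Log martian packets (impossible source addresses) on current and future interfaces
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.default.log_martians = 1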
Apply: `sudo sysctl -p`
Audit Logging
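sudo apt install auditd audispd-plugins
# Add audit rules: watch for writes (w) and attribute changes (a), keyed for "ausearch -k"
sudo auditctl -w /etc/passwd -p wa -k identity
sudo auditctl -w /etc/group -p wa -k identity
sudo auditctl -w /etc/shadow -p wa -k identity
sudo auditctl -w /etc/sudoers -p wa -k sudoers
# A write watch on a busy log fires on every appended line — expect volume, and drop the
# rule if the noise outweighs its tamper-detection value
sudo auditctl -w /var/log/auth.log -p wa -k auth_log
# Make rules persistent. "sudo auditctl -l > file" runs the ">" as the unprivileged caller and
# fails on the root-owned rules.d directory — route the output through tee instead.
sudo cp /etc/audit/rules.d/audit.rules /etc/audit/rules.d/audit.rules.bak
sudo auditctl -l | sudo tee /etc/audit/rules.d/audit.rules >/dev/null
# Load the persisted rules. RHEL-family auditd refuses a manual systemctl stop/restart;
# use "sudo augenrules --load" (or "service auditd restart") there.
sudo systemctl restart auditd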
Review Logs
# Events tagged with the "identity" key set in the rules above
sudo ausearch --key identity
# Summaries: authentication attempts, then logins
sudo aureport -au
sudo aureport -l
Intrusion Detection — AIDE (Advanced Intrusion Detection Environment)
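sudo apt install aide
# Build the initial database (Debian wrapper; writes /var/lib/aide/aide.db.new)
sudo aideinit
# Compare the filesystem against the database
sudo aide --check
# After legitimate changes (package upgrades, config edits): regenerate the database, review
# the reported differences, then promote it. Copying aide.db.new without --update only
# re-promotes the stale snapshot left by aideinit.
sudo aide --update
sudo cp /var/lib/aide/aide.db.new /var/lib/aide/aide.db
# Keep a copy of aide.db off-host or on read-only media: an intruder with root can rewrite it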
Add to crontab for daily checks:
# Daily 05:00 integrity check mailed to the admin (needs a working MTA and the "mail" command).
# Only changes made after the last database update are detected — keep aide.db current.
0 5 * * * /usr/bin/aide --check | mail -s "AIDE Report" admin@example.com
Security Scanning — Lynis
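sudo apt install lynis
# Run audit (root gives full coverage of files and services)
sudo lynis audit system
# Pull just the findings out of the machine-readable report instead of dumping the whole file
sudo grep -E '^(warning|suggestion)\[\]' /var/log/lynis-report.dat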
ClamAV
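sudo apt install clamav clamav-daemon
# Update signatures. The packaged clamav-freshclam service already does this on a timer and
# holds a lock, so a manual run may report that freshclam is already running — not an error.
sudo freshclam
# Scan home directories, printing only infected files
sudo clamscan -r -i /home
# Quarantine rather than delete: --remove destroys files on a false positive with no way back.
# Create the directory first with root-only permissions (example path — choose your own).
sudo clamscan -r -i --move=/var/lib/clamav/quarantine /tmp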
Network Monitoring
# Install tools (net-tools supplies the legacy netstat; ss from iproute2 is its replacement)
sudo apt install net-tools nethogs iftop
# Listening TCP/UDP sockets with the owning process
sudo netstat -tulnp
sudo ss -tulnp
# Per-process bandwidth
sudo nethogs
# Live per-connection traffic
sudo iftop
Security Checklist Script
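#!/bin/bash
# security-audit.sh — print a quick security snapshot of this host to stdout.
# Read-only: nothing is changed. Run as root (or via sudo) so auth.log, "ss -p" and
# fail2ban-client are fully readable; unprivileged runs produce partial sections.
# No "set -e": grep/tail exit non-zero when a section has no matches, which is a normal
# and informative result here.
set -uo pipefail

# Print a section header; the leading blank line separates sections.
section() {
  printf '\n=== %s ===\n' "$1"
}

# Last 10 failed SSH password attempts, from auth.log or from the journal on hosts without rsyslog.
failed_logins() {
  if [[ -r /var/log/auth.log ]]; then
    grep -F "Failed password" /var/log/auth.log | tail -n 10
  else
    journalctl -u ssh -u sshd --no-pager 2>/dev/null | grep -F "Failed password" | tail -n 10
  fi
}

main() {
  printf '=== Security Audit Report ===\n'
  printf 'Date: %s\n' "$(date)"
  (( EUID == 0 )) || printf 'warning: not running as root, some sections may be incomplete\n' >&2

  section "Failed Login Attempts"
  failed_logins

  # "who" lists every login session, not only SSH ones
  section "Current Sessions"
  who

  # No "grep LISTEN": that filter hid UDP sockets, whose state is shown as UNCONN
  section "Listening Ports"
  ss -tulpn

  section "Failed Services"
  systemctl --failed --no-pager

  section "Disk Usage"
  df -h | grep -E '^/dev'

  # apt's history does not tag security updates; show the most recent install/upgrade transactions.
  # A bare "install" missed the capitalised "Install:" lines and matched only command lines.
  section "Last Package Updates (apt history)"
  grep -E '^(Start-Date|Install|Upgrade):' /var/log/apt/history.log | tail -n 20

  # sudo kept so an unprivileged run still gets this section (a no-op when already root)
  section "Fail2ban Status"
  sudo fail2ban-client status
}

main "$@"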
Conclusion. Linux hardening is an ongoing process:
Regular updates and patching; strong authentication (SSH keys, no root); firewall rules and Fail2Ban; file system and kernel hardening; continuous monitoring and auditing. At Sajima Solutions, we secure infrastructure for businesses across the Gulf. Contact us for security consulting and managed services.