5 Basic Concepts to Secure Your Linux Server Right After Installation

2 Jul 2025 • Security • 7 min read

Goal of this article: You've just installed a Linux server for the first time (on a VPS or physical machine) and don't know where to start to secure it? This guide is for you. I'll walk you through 5 essential steps to protect your server right after installation.


1. Create a non-root user with sudo

On Linux, the root user has full control over the system. But logging in directly as root is dangerous: a single typo can break your system, and the root account is also a top target for attackers.

Debian / Ubuntu:

adduser admin
usermod -aG sudo admin

CentOS / Fedora / RHEL:

adduser admin
passwd admin
usermod -aG wheel admin

Then log in with the new user:

ssh admin@YOUR_SERVER_IP

2. Secure SSH (and disable root login)

SSH is one of the most frequently attacked services on internet-facing servers. It's crucial to:

  • disable root login
  • disable password authentication
  • enforce SSH key login

1. Edit the SSH configuration file:

sudo nano /etc/ssh/sshd_config

2. Add or modify the following lines:

PermitRootLogin no
PasswordAuthentication no

3. Generate an SSH key pair on your local machine:

ssh-keygen -t ed25519

4. Copy your public key to the server:

ssh-copy-id admin@YOUR_SERVER_IP

5. Restart the SSH service:

# Debian / Ubuntu
sudo systemctl restart ssh

# CentOS / Fedora / RHEL
sudo systemctl restart sshd
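
Before restarting SSH in step 5, it is worth checking what sshd will actually apply: sshd keeps the first value it reads for each keyword, so a file included earlier than your edit can take precedence. The script below is an added example (not from the original article) that checks `sshd -T` style output for the settings from step 2; the function name, the extra pubkeyauthentication check and the sample dumps are constructed for illustration.

```bash
#!/bin/sh
# Added example: verify the effective sshd settings from step 2.
# Input format: `sshd -T` output, i.e. lowercase "keyword value" lines.

# Settings the article asks for; pubkeyauthentication is an added assumption
# so that key login is confirmed to be available before passwords go away.
REQUIRED_SETTINGS="permitrootlogin=no passwordauthentication=no pubkeyauthentication=yes"

# Reads an `sshd -T` style dump on stdin, prints one line per mismatch.
# Returns 0 when every required setting matches, 1 otherwise.
check_sshd_effective() {
    dump=$(cat)
    rc=0
    for pair in $REQUIRED_SETTINGS; do
        key=${pair%%=*}
        want=${pair#*=}
        # Take the value of the first line whose keyword matches
        got=$(printf '%s\n' "$dump" | awk -v k="$key" '$1 == k { print $2; exit }')
        if [ "$got" != "$want" ]; then
            echo "FAIL $key: effective='${got:-<missing>}' expected='$want'"
            rc=1
        fi
    done
    return "$rc"
}

# Constructed sample: the state step 2 aims for.
SAMPLE_HARDENED='port 22
permitrootlogin no
pubkeyauthentication yes
passwordauthentication no'

# Constructed sample: an earlier-included file still enables passwords,
# so the edit in /etc/ssh/sshd_config did not take effect.
SAMPLE_OVERRIDDEN='port 22
permitrootlogin no
pubkeyauthentication yes
passwordauthentication yes'

if printf '%s\n' "$SAMPLE_HARDENED" | check_sshd_effective; then
    echo "hardened sample: OK"
fi
if ! printf '%s\n' "$SAMPLE_OVERRIDDEN" | check_sshd_effective; then
    echo "overridden sample: keep your current session open and fix this first"
fi

# On the server, before step 5 (sshd -t validates syntax, -T prints the result):
#   sudo sshd -t && sudo sshd -T | check_sshd_effective
```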

3. Enable a firewall

A firewall protects your server by blocking unwanted connections. The idea is to block incoming traffic by default and only allow what's necessary (like SSH).

Debian / Ubuntu (UFW):

sudo apt update
sudo apt install ufw
sudo ufw allow OpenSSH
sudo ufw enable
sudo ufw status

CentOS / Fedora / RHEL (firewalld):

sudo dnf install firewalld
sudo systemctl enable firewalld --now
sudo firewall-cmd --permanent --add-service=ssh
sudo firewall-cmd --reload
sudo firewall-cmd --list-all

4. Enable automatic updates

Security patches are released regularly. To avoid missing them, you should automate updates.

Debian / Ubuntu:

sudo apt install unattended-upgrades
sudo dpkg-reconfigure --priority=low unattended-upgrades

CentOS / RHEL / Fedora:

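sudo dnf install dnf-automatic
# dnf-automatic.timer follows /etc/dnf/automatic.conf, where apply_updates
# defaults to "no" (updates are downloaded, not installed); set it to "yes"
sudo systemctl enable --now dnf-automatic.timer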

5. Enable SSH brute-force protection (Fail2ban)

Fail2ban monitors SSH login attempts and blocks IPs that fail too many times. It's simple, lightweight, and effective.

Debian / Ubuntu:

sudo apt install fail2ban

CentOS / Fedora / RHEL:

# CentOS / RHEL: fail2ban is packaged in EPEL, so enable that repository first
sudo dnf install fail2ban
sudo systemctl enable --now fail2ban

Then configure a basic jail file:

sudo nano /etc/fail2ban/jail.local

Add this:

[sshd]
enabled = true
port = ssh
filter = sshd
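# Debian / Ubuntu log file; use /var/log/secure on CentOS/RHEL.
# Keep comments on their own line: a trailing "#" becomes part of the value.
logpath = /var/log/auth.log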
maxretry = 5

Restart Fail2ban:

sudo systemctl restart fail2ban

Conclusion

Congratulations! By following these 5 steps, you've already secured your server against the most common threats:

  • No more direct root login
  • SSH key authentication only
  • Active firewall
  • Automatic updates
  • SSH brute-force protection enabled