Server hardening reduces the attack surface so fewer services and misconfigurations can be exploited. Focus on: updates, SSH security, firewall, and running only what you need.
Updates
- Keep the OS and packages updated; apply security patches on a schedule (or automate).
- Reboot when required after kernel or critical updates.
SSH
- Disable root login over SSH; use a dedicated user and sudo.
- Use key-based auth only; disable password authentication.
- Restrict AllowUsers or AllowGroups if possible.
- Consider fail2ban or similar to limit brute-force.
Firewall
- Allow only the ports and sources you need (e.g. 22 from admin IPs, 80/443 from anywhere).
- Deny by default; explicit allow list for inbound.
Minimal services
- Run only the services you need; disable or uninstall the rest.
- Turn off unused listeners (e.g. old PHP-FPM pools, dev servers).
Summary
Harden by: updating OS and packages, securing SSH (keys, no root), firewall (allow only needed), and minimal services. Strong passwords or keys everywhere; monitor and review access.
