Carina Systems — Free Tools

Server Hardening Checklist

Interactive Linux server hardening checklist. Work through it yourself or hand it to a junior. No signup, no tracking, no data stored anywhere.

Your progress

0 of 20 complete

🔐 SSH

Disable root SSH loginPermitRootLogin no — in /etc/ssh/sshd_config
Disable password authentication, use SSH keys onlyPasswordAuthentication no — in /etc/ssh/sshd_config
Change default SSH port from 22Port 2222 — in /etc/ssh/sshd_config
Restart SSH after config changessudo systemctl restart sshd

🔥 Firewall

Enable UFW firewallsudo ufw enable
Allow only required portssudo ufw allow 2222/tcp && sudo ufw allow 80/tcp && sudo ufw allow 443/tcp
Deny all other inbound by defaultsudo ufw default deny incoming

🔄 Updates

Apply all system updatessudo apt update && sudo apt upgrade -y
Enable unattended security upgradessudo apt install unattended-upgrades -y && sudo dpkg-reconfigure unattended-upgrades

👤 Users

Create a non-root sudo usersudo adduser && sudo usermod -aG sudo
Lock the root accountsudo passwd -l root
Remove unused userssudo deluser

📋 Logging

Verify syslog is runningsudo systemctl status syslog
Install and configure fail2bansudo apt install fail2ban -y && sudo systemctl enable fail2ban
sudo last | head -20
Review recent loginssudo last | head -20

🌐 Network

Disable unused network servicessudo systemctl disable
Check for open portssudo ss -tlnp
Enable DNS over HTTPS in FirefoxFirefox Settings → Privacy → DNS over HTTPS → Cloudflare