
Securing Your Linux Home Server: 10 Simple but Often Forgotten Steps

Setting up a home server with Linux is fun, powerful, and often free — but it’s also easy to overlook some basic security best practices. Whether you’re self-hosting a media server, a small website, or a Nextcloud instance, securing your setup is essential.

This guide covers 10 simple yet often forgotten tips that will help keep your Linux home server safe and sound.


✅ 1. Disable SSH Root Login

Allowing root login over SSH is risky. If someone guesses your password (or brute-forces it), they have full control. Let’s disable it:

sudo nano /etc/ssh/sshd_config

Find the line:

PermitRootLogin yes

Change it to:

PermitRootLogin no

Then restart SSH:

sudo systemctl restart ssh

👉 Use a regular user with sudo rights instead.


✅ 2. Set Up a Basic Firewall with UFW

If your server is connected to the internet, a firewall is a must.

sudo apt install ufw
sudo ufw default deny incoming
sudo ufw default allow outgoing
sudo ufw allow OpenSSH
sudo ufw enable

You can allow specific ports later:

sudo ufw allow 443  # HTTPS
sudo ufw allow 80   # HTTP

✅ 3. Install Fail2Ban to Stop Brute-Force Attacks

Fail2Ban bans IPs that fail authentication too many times.

sudo apt install fail2ban
sudo systemctl enable fail2ban

The default config already protects SSH, but you can customize /etc/fail2ban/jail.local to harden it further.


✅ 4. Keep Everything Updated (Even Unattended)

Outdated software = open doors. On Debian-based systems:

sudo apt update && sudo apt upgrade

Want automatic updates?

sudo apt install unattended-upgrades
sudo dpkg-reconfigure --priority=low unattended-upgrades

✅ 5. Disable Unused Services

List running services:

sudo systemctl list-units --type=service --state=running

If you don’t need something (e.g., cups for printers), disable it:

sudo systemctl disable --now cups.service

Less software running = less attack surface.


✅ 6. Use SSH Keys Instead of Passwords

Passwords are easier to crack than keys. Here’s how to use key-based authentication:

On your client:

ssh-keygen -t ed25519
ssh-copy-id user@your-server-ip

Then, once you have confirmed that you can log in with the key, disable password authentication on the server:

sudo nano /etc/ssh/sshd_config

Set:

PasswordAuthentication no

Restart SSH.


✅ 7. Monitor Login Attempts with last and journalctl

See recent logins:

last

Check failed attempts:

sudo journalctl -u ssh | grep -iE "failed|invalid user"

Or create a simple script to email you if there are too many failed attempts. A little vigilance goes a long way.
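
One way to do the counting for such a script, as an added example that is not part of the original guide. The function names, the threshold, the sample log lines and the mail command in the closing comment are assumptions made for this example.

```sh
#!/bin/sh
# Added example: count failed SSH password logins per source IP.
# The function names, threshold and sample log lines are constructed here.

# Reads sshd log lines on stdin and prints "count ip" for every source IP
# with at least $1 failures, highest count first.
failed_ssh_by_ip() {
    awk -v min="$1" '
        # Match sshd (or sshd-session on newer OpenSSH) failure messages.
        # The remote user name is chosen by the client and may itself contain
        # " from 198.51.100.7 port 22 ssh2", so take the address from the
        # fixed tail "from IP port N ssh2" instead of the first "from".
        /sshd(-session)?\[[0-9]+\]: Failed password for / &&
        $(NF-4) == "from" && $(NF-2) == "port" { hits[$(NF-3)]++ }
        END { for (ip in hits) if (hits[ip] >= min + 0) print hits[ip], ip }
    ' | sort -k1,1nr -k2,2
}

# Constructed sample in the default journalctl/syslog line format.
sample_log() {
    cat <<'EOF'
Jan 10 03:12:01 home sshd[1001]: Failed password for root from 203.0.113.5 port 40001 ssh2
Jan 10 03:12:03 home sshd[1001]: Failed password for root from 203.0.113.5 port 40001 ssh2
Jan 10 03:12:07 home sshd[1002]: Failed password for invalid user admin from 203.0.113.5 port 40002 ssh2
Jan 10 03:12:09 home sshd[1003]: Failed password for invalid user x from 198.51.100.7 port 22 ssh2 from 203.0.113.5 port 40003 ssh2
Jan 10 08:30:44 home sshd[1100]: Failed password for alice from 192.0.2.10 port 50100 ssh2
Jan 10 08:30:50 home sshd[1100]: Accepted password for alice from 192.0.2.10 port 50100 ssh2
EOF
}

# Demo: offenders with 3 or more failures in the sample.
sample_log | failed_ssh_by_ip 3

# Real use (assumptions: Debian/Ubuntu "ssh" unit, a working mail command):
#   out=$(journalctl -u ssh --since "1 hour ago" --no-pager | failed_ssh_by_ip 5)
#   [ -n "$out" ] && printf '%s\n' "$out" | mail -s "SSH failures" you@example.com
```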


✅ 8. Restrict Sudo Permissions

Not every user should have sudo. Double-check:

getent group sudo

Remove users who don’t need it:

sudo deluser username sudo

✅ 9. Use AppArmor or SELinux (If Available)

Ubuntu uses AppArmor by default. Make sure it’s enabled:

sudo aa-status

You can write custom profiles or use the defaults. It helps isolate processes and reduce damage in case of compromise.


✅ 10. Backup Your Configs and Data

Security isn’t just about keeping the bad guys out — it’s also about recovering when something goes wrong.

  • Use rsync or borgbackup for daily/weekly backups
  • Keep copies off the server (external drive, cloud, or NAS)
  • Version control your configs with Git (private repo)

Bonus Tip: Use a Custom SSH Port?

Some admins like to change the SSH port from 22 to something else. It won’t stop a determined attacker but may reduce bot noise.

sudo nano /etc/ssh/sshd_config

Set:

Port 2222

Then:

sudo ufw allow 2222/tcp
sudo systemctl restart ssh

Wrapping Up

Security doesn’t have to be complicated. These 10 simple steps will already put your home Linux server miles ahead of most unsecured boxes on the internet.

Got any of your own tips or want help setting up one of these? Drop a comment or reach out — let’s make the self-hosting world safer together!
