Security February 22, 2026 by Greg

Server Security Hardening Checklist: 17 Steps We Take on Every Server

When we deploy a client site to a new server, we don’t just install nginx and call it a day. We run a 17-step security hardening process before any production traffic touches the machine.

Here’s exactly what that looks like.

Authentication & Access (Steps 1-5)

1. Change the SSH port. Default port 22 gets hammered by automated scanners. We move SSH to a non-standard port (we use 34222) and update firewall rules accordingly.

2. Disable root SSH login. Root access via SSH is disabled. All access goes through a named user account with sudo privileges.

3. SSH key-only authentication. Password authentication is disabled entirely. Only Ed25519 SSH keys are accepted.

4. Install and configure fail2ban. After 3 failed login attempts, the source IP is banned for 24 hours. We monitor ban logs weekly.

5. Set up unattended security updates. Critical security patches install automatically. We review non-critical updates manually to avoid breaking changes.

Firewall & Network (Steps 6-10)

6. Configure UFW/iptables. Default deny all incoming. Only ports explicitly needed (SSH, HTTP, HTTPS) are opened.

7. Enable rate limiting. Nginx rate limiting throttles brute-force attempts against web applications: 10 requests per second per IP, with a burst of 20.

8. Set security headers. Every response includes: X-Frame-Options: DENY, X-Content-Type-Options: nosniff, Strict-Transport-Security, Content-Security-Policy, Referrer-Policy.

9. Force HTTPS everywhere. HTTP to HTTPS redirect with HSTS preload. No mixed content. TLS 1.2 minimum, TLS 1.3 preferred.

10. Disable unnecessary services. If it’s not needed, it’s not running. No FTP, no telnet, no SNMP unless explicitly required.

Monitoring & Maintenance (Steps 11-17)

11. Set up log monitoring. Auth logs, nginx access/error logs, and system logs are monitored. Anomalies trigger alerts.

12. Install rootkit detection. rkhunter and chkrootkit run weekly scans with results emailed to our team.

13. Configure automatic backups. Daily snapshots with 14-day retention. Tested monthly to verify restore capability.

14. Set file permissions correctly. Web files owned by the site user, not root. No world-writable directories. Strict umask (022).

15. Disable directory listing. Nginx autoindex off globally. No information leakage through directory browsing.

16. Set up monitoring. Uptime monitoring with 60-second intervals. CPU, memory, and disk alerts at 80% thresholds.

17. Document everything. Every server gets a runbook with access credentials, service configurations, and incident response procedures.
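As an added example (not code from the original post), here is a read-only POSIX shell audit that checks an sshd_config against steps 1 through 3 of the list above. The port 34222 is the value the post uses; the two config samples in the script are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the original post: read-only audit of an sshd_config
# against steps 1-3. Port 34222 is the post's value; both samples are constructed.

# sshd_value KEY FILE: sshd honours the FIRST uncommented occurrence of a keyword
# (case-insensitive), so print the first match and stop. Match blocks not handled.
sshd_value() {
    awk -v key="$1" 'tolower($1) == tolower(key) { print $2; exit }' "$2"
}

# audit_sshd FILE: one line per finding; exit status = number of failures.
# Defaults (22, prohibit-password, yes) are OpenSSH's when a keyword is absent.
audit_sshd() {
    cfg="$1"; fails=0
    port=$(sshd_value Port "$cfg")
    if [ "${port:-22}" != "34222" ]; then
        echo "FAIL step 1: Port is ${port:-22 (default)}, expected 34222"
        fails=$((fails + 1))
    fi
    root=$(sshd_value PermitRootLogin "$cfg")
    if [ "${root:-prohibit-password}" != "no" ]; then
        echo "FAIL step 2: PermitRootLogin is ${root:-prohibit-password (default)}, expected no"
        fails=$((fails + 1))
    fi
    pw=$(sshd_value PasswordAuthentication "$cfg")
    if [ "${pw:-yes}" != "no" ]; then
        echo "FAIL step 3: PasswordAuthentication is ${pw:-yes (default)}, expected no"
        fails=$((fails + 1))
    fi
    echo "failures: $fails"
    return "$fails"
}

# Constructed samples: one hardened per the checklist, one left at stock defaults.
HARDENED_CFG=$(mktemp); STOCK_CFG=$(mktemp)
cat > "$HARDENED_CFG" <<'EOF'
Port 34222
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
EOF
cat > "$STOCK_CFG" <<'EOF'
#Port 22
#PermitRootLogin prohibit-password
PasswordAuthentication yes
EOF
audit_sshd "$HARDENED_CFG"          # failures: 0, exit status 0
audit_sshd "$STOCK_CFG" || true     # failures: 3, exit status 3
```

Run it against the live `/etc/ssh/sshd_config` after a deploy to confirm the first three steps actually landed; a commented-out line counts as the OpenSSH default, which is exactly the trap the stock sample shows.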

The Result

Across 147 client sites on our managed hosting infrastructure, we’ve had zero breaches, zero data losses, and 99.97% uptime over the past 24 months.

Security isn’t an add-on. It’s built into every server we touch.

Get your server audited — we’ll tell you exactly what needs fixing.