Hardening systems

Key takeaways Hardening is removing what you don’t need and locking down what you do. Four moves carry most of the value: shrink the attack surface, patch, apply least privilege, and set secure defaults. A hardened system is one of several layers — hardening sits inside defense in depth, not on its own.

Out of the box, most systems ship to be easy, not safe: extra software installed, services running, ports open, default passwords set. Hardening is the work of turning that convenient-but-exposed default into something an attacker struggles to get a foothold on. It is methodical, not clever — a checklist you run and then maintain.

Reduce the attack surface

The attack surface is everything an attacker could poke at: installed programs, running services, open network ports, user accounts, exposed features. The bigger it is, the more chances something has a flaw. So the first move is to make it smaller.

  • Uninstall unused software. If it isn’t needed, remove it — code that isn’t there can’t be exploited.
  • Disable services you don’t use. A database, web server, or remote-access daemon left running is an open door even if you never use it.
  • Close ports nothing needs. Pair this with a firewall so only the services you actually offer are reachable.

Every removed thing is one less vulnerability to track, patch, and worry about. The cheapest way to secure something is for it not to be there at all.

Patch and update

Most breaches don’t use exotic, unknown flaws. They abuse known flaws that were already fixed — the patch existed, but the system was never updated. The window between “fix released” and “you applied it” is exactly when attackers strike, because the fix also tells them what to attack.

So keep the operating system and all installed software current. On Linux this is largely handled for you by package management — one command updates the whole system. Automate it where you can, and check regularly where you can’t. Patching is unglamorous and it is one of the highest-impact things you will ever do.

Least privilege

Least privilege means every user and every service runs with only the rights it genuinely needs — and nothing more. A web server that only needs to read some files should not run as root or administrator, because if it’s ever compromised, the attacker inherits exactly the powers it had.

  • Don’t run services as root/admin when a limited account will do.
  • Give user accounts the minimum access for their job.
  • Grant extra rights only when needed, and take them back afterward.

This is the same principle behind authorization and access control, applied to the machine itself. On Linux, file permissions are the everyday tool for enforcing it. When a limited account is breached, the blast radius stays small.

Secure configuration

Defaults are chosen to get you running, not to keep you safe. Hardening replaces the risky ones:

  • Change every default password. Default credentials are public knowledge and the first thing attackers try.
  • Require strong authentication and prefer keys over passwords. For remote access, key-based SSH beats a password every time, and MFA raises the bar further.
  • Turn on a firewall so the network side matches the services you actually run.
  • Enable logging. You can’t notice an attack you never recorded — monitoring and logs turn a silent compromise into something you can see and respond to.

Use a baseline

You don’t have to invent all of this yourself. Established hardening guides — most famously the CIS Benchmarks — give you a peer-reviewed checklist of secure settings for a specific operating system or product: what to disable, which options to change, what to enable. Someone has already done the thinking; you follow it.

The workflow is simple: pick the baseline for your system, apply it once, and then keep it that way. Systems drift over time as software is added and settings change, so hardening is not a one-time event — it’s a state you return the system to and maintain.

Quick check: the cheapest, highest-impact hardening step is usually what?

Recap

  • Hardening is removing what you don’t need and locking down what you do.
  • Shrink the attack surface: uninstall unused software, disable services, close ports.
  • Patch: most breaches abuse known, already-fixed flaws — stay current.
  • Least privilege: run users and services with only the rights they need, not as root/admin.
  • Secure defaults: change default passwords, prefer keys and MFA, firewall on, logging on.
  • Use a baseline like the CIS Benchmarks, apply it once, then keep the system there.

Next up: secure coding