7 CIS Security Best Practices I Apply on Every Linux Server I Set Up

2 min read · Jun 10, 2025

Intro:
CIS Benchmarks are like a checklist for hardening your Linux servers against the most common threats. These best practices aren’t just for compliance — they’re battle-tested techniques that have saved me from misconfigurations, attacks, and downtime. Here are 7 steps I take every time I spin up a new Ubuntu or Red Hat server.

1. 🔐 Disable Root Login via SSH

Why: Root login over SSH is a major target for brute-force attacks.

✅ How:

sudo nano /etc/ssh/sshd_config
# Set this:
PermitRootLogin no
sudo systemctl restart sshd
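
A check worth running after this step, as an added example that is not part of the original article: sshd keeps the first value it reads for a keyword, and any line after a `Match` line belongs to that block, so a `PermitRootLogin no` added in the wrong place can silently have no effect. The function names and sample files below are hypothetical and the sample contents are constructed; the example assumes the drop-in files are read before the main file's own lines, which is the case when the `Include` line sits at the top of sshd_config.

```shell
#!/bin/sh
# Added example. sshd keeps the FIRST value it reads for a keyword, and any
# line after a "Match" line belongs to that Match block, not the global scope.

# effective_root_login FILE...
# Prints the PermitRootLogin value in force outside Match blocks.
# Pass the files in the order sshd reads them (drop-ins first when the
# Include line is at the top of sshd_config).
effective_root_login() {
    awk '
        FNR == 1 { in_match = 0 }        # assumption: a Match block ends with its file
        /^[ \t]*#/ { next }              # skip comments
        /^[ \t]*$/ { next }              # skip blank lines
        {
            line = $0
            sub(/^[ \t]+/, "", line)
            split(line, f, /[ \t=]+/)    # "Keyword value" or "Keyword=value"
            key = tolower(f[1])          # keywords are case-insensitive
        }
        key == "match" { in_match = 1; next }
        in_match { next }
        key == "permitrootlogin" && !found { value = tolower(f[2]); found = 1 }
        END { print (found ? value : "prohibit-password") }  # OpenSSH default when unset
    ' "$@"
}

# write_samples DIR: constructed sample files, not taken from a real host.
write_samples() {
    printf '%s\n' 'PermitRootLogin yes' > "$1/50-image.conf"
    printf '%s\n' '# main file' 'Include /etc/ssh/sshd_config.d/*.conf' \
        'PermitRootLogin no' > "$1/sshd_config.top"
    printf '%s\n' 'PasswordAuthentication no' 'Match User backup' \
        '    ForceCommand /usr/local/bin/backup' \
        'PermitRootLogin no' > "$1/sshd_config.tail"
}

demo_dir=$(mktemp -d)
write_samples "$demo_dir"
# Drop-in is read first, so its "yes" wins over the main file's "no".
effective_root_login "$demo_dir/50-image.conf" "$demo_dir/sshd_config.top"
# "no" was appended after a Match block, so the global value is still the default.
effective_root_login "$demo_dir/sshd_config.tail"
rm -rf "$demo_dir"
```

On a live server, `sudo sshd -t` validates the file before the restart and `sudo sshd -T | grep -i permitrootlogin` prints the value sshd actually resolved.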

2. 🧱 Enable and Configure a Host Firewall

Why: Only allow what’s needed, and block everything else by default.

✅ Ubuntu:

sudo ufw default deny incoming
sudo ufw default allow outgoing
sudo ufw allow OpenSSH
sudo ufw enable

✅ Red Hat:

sudo firewall-cmd --set-default-zone=drop
sudo firewall-cmd --permanent --add-service=ssh
sudo firewall-cmd --reload

3. 🔍 Install and Configure Auditd

Written by Faruk Ahmed

With 10+ years as an InfoSec Analyst, I excel in Symantec DLP, CrowdStrike, QRadar, Qualys, FireEye, Red Hat Linux, WebLogic, Python, and Bash. I am passionate.