Shrink the attack surface and raise the cost of an intrusion — the hardening mindset, OS and account hardening, authentication and access control, network hardening, endpoint defense, the logging detection depends on, and validating the baseline. Linux-focused; the principles are universal.
Before you start
You will harden a real system, so work on a disposable Linux VM you can snapshot and revert. The examples target Debian/Ubuntu and harden toward the CIS Benchmarks. Familiarity with Linux and the shell helps — see the Linux course.
The Hardening Mindset
Hardening is making a system harder to attack — by removing what isn’t needed and constraining what is. Start with attack surface, least privilege, and a known baseline.
OS & Account Hardening
The operating system is the foundation. Disable what you don’t run, patch what you do, and remove the default and unused accounts attackers try first.
Authentication & Access Control
How users prove who they are and what they can do decides how far an attacker gets. Add MFA, tighten sudo, and grant privilege narrowly and temporarily.
Network Hardening
Control what can talk to what. A default-deny firewall, segmentation, and encrypted traffic contain an attacker to one corner instead of the whole network.
Endpoint Defense
Endpoints are where attacks land and where data lives. Layer prevention (allowlisting, EDR) with the controls that stop code from running and data from walking.
Logging & Auditing
You can’t detect, investigate, or prove anything without logs. Enable the auditing that captures attacker behavior, protect the logs, and ship them somewhere central.
Validating & Maintaining the Baseline
Hardening isn’t one-and-done — configurations drift and new gaps appear. Scan against a benchmark, automate the baseline, and re-check continuously so security holds.