Network Hardening Checklist

This is a practical checklist — not exhaustive, not theoretical. The 12 things every network you operate should have. Use it for new builds, audits, or when you inherit someone else’s mess.

1. Default-deny firewall rules

At the network edge AND on every host. Every port closed unless explicitly opened. Easy to forget — many cloud setups default to “allow all from VPC” which is too permissive.

# Linux: ufw
sudo ufw default deny incoming    # nothing in unless a rule below allows it
sudo ufw default allow outgoing   # tighten later with egress filtering (item 10)
sudo ufw allow ssh                # 22/tcp; keep this before enabling or you lock yourself out
sudo ufw allow 443                # allows both tcp and udp; use 443/tcp to limit to TLS
sudo ufw enable

2. Network segmentation

Workstations, servers, IoT, guest, management: each on its own VLAN with controlled access between them. A single flat network is a breach amplifier, because one compromised host can reach everything.

3. Strong SSH config (servers)

# /etc/ssh/sshd_config
# Log in as a named user and escalate; never directly as root
PermitRootLogin no
# Keys only, so password guessing gets nowhere
PasswordAuthentication no
PubkeyAuthentication yes
# Replace with the accounts that actually need SSH
AllowUsers alice bob
# Probe idle sessions every 5 minutes so dead connections get dropped
ClientAliveInterval 300
# SSH-1 support was removed from modern OpenSSH, so this line is a harmless no-op there
Protocol 2
X11Forwarding no

4. Updates automated

Unpatched systems are the most common entry point. Automate security updates.

# Debian/Ubuntu
sudo apt install unattended-upgrades
sudo dpkg-reconfigure -plow unattended-upgrades

# RHEL/Fedora
sudo dnf install dnf-automatic
sudo systemctl enable --now dnf-automatic.timer

5. Centralized logging

Logs on the compromised host can be erased. Ship them to a central server (or SIEM) where attackers can’t reach.

  • rsyslog / syslog-ng to a central log server
  • Filebeat → Elasticsearch / Loki / Splunk
  • journald with remote storage

6. MFA on every administrative account

Cloud consoles, SSH (via PAM module), VPN, GitHub, banking — anything important. Hardware keys (YubiKey, Titan) for highest-value accounts. SMS codes are weak but better than nothing.

7. Network monitoring

If you can’t see traffic, you can’t notice anomalies. Run at minimum:

  • NetFlow/sFlow data from your routers
  • Suricata or Zeek on a SPAN port
  • Alerts for unusual outbound destinations or sudden traffic spikes
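As an added example (not from the original post), a small Python script that turns the last bullet into a concrete check over constructed flow records: it reports destinations a host never talked to during a baseline period, and hosts whose outbound volume jumped by a large factor. The CSV layout (src,dst,dport,proto,bytes) and the spike_factor threshold are assumptions.

```python
"""Flag new outbound destinations and traffic spikes in flow records."""
import csv
from collections import defaultdict

# Constructed sample in a simplified NetFlow-style CSV (not real traffic):
# a baseline period and the period under review.
BASELINE_CSV = """src,dst,dport,proto,bytes
10.0.1.5,203.0.113.10,443,tcp,120000
10.0.1.5,198.51.100.7,443,tcp,80000
10.0.1.9,203.0.113.10,443,tcp,50000
"""
TODAY_CSV = """src,dst,dport,proto,bytes
10.0.1.5,203.0.113.10,443,tcp,130000
10.0.1.5,192.0.2.44,4444,tcp,5000
10.0.1.9,203.0.113.10,443,tcp,2500000
"""

def parse_flows(text):
    """Parse CSV text into dicts; bytes and dport become ints."""
    rows = list(csv.DictReader(text.splitlines()))
    for r in rows:
        r["bytes"], r["dport"] = int(r["bytes"]), int(r["dport"])
    return rows

def baseline_profile(flows):
    """Per source host: known (dst, dport) pairs and total bytes sent."""
    dests, volume = defaultdict(set), defaultdict(int)
    for f in flows:
        dests[f["src"]].add((f["dst"], f["dport"]))
        volume[f["src"]] += f["bytes"]
    return dests, volume

def find_anomalies(baseline, today, spike_factor=10):
    """Return sorted (kind, src, detail) findings for the review period."""
    known, base_vol = baseline_profile(baseline)
    findings, seen, today_vol = [], set(), defaultdict(int)
    for f in today:
        key = (f["src"], f["dst"], f["dport"])
        # A host absent from the baseline has no known destinations,
        # so every destination it talks to is reported.
        if (f["dst"], f["dport"]) not in known[f["src"]] and key not in seen:
            seen.add(key)
            findings.append(("new_destination", f["src"], f"{f['dst']}:{f['dport']}/{f['proto']}"))
        today_vol[f["src"]] += f["bytes"]
    for src, vol in today_vol.items():
        # Spike check only where a baseline volume exists for the host.
        if base_vol[src] and vol >= spike_factor * base_vol[src]:
            findings.append(("traffic_spike", src, f"{vol} bytes vs baseline {base_vol[src]}"))
    return sorted(findings)
```

Feed it a week of exported flows as the baseline and the current day as the review period; each finding is something to look at, not proof of compromise.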

8. DNS hygiene

  • Use trustworthy resolvers (1.1.1.1, 9.9.9.9, your own with DoH/DoT)
  • Block known-malicious domains (Pi-hole, NextDNS, AdGuard)
  • SPF, DKIM, DMARC on your sending domains
  • DNSSEC where supported

9. Backup and recovery tested

Backups you’ve never restored from are not backups. Periodically:

  • Restore a random file from a random backup, verify integrity
  • Do a full disaster recovery drill once a year
  • Keep at least one offline / immutable backup (defends against ransomware)

10. Egress filtering

Most networks allow ALL outbound. This makes exfiltration and C2 callbacks trivial. Restrict outbound to only required protocols and destinations:

  • Workstations: HTTP/S, DNS, NTP — that’s mostly it
  • Servers: only specific outbound destinations they actually need
  • Block direct outbound to non-standard ports

11. Disable services you don’t use

  • SNMP if you’re not monitoring (and if you are, use SNMPv3 with auth)
  • Telnet, FTP, RSH — never
  • SMB v1 — disable everywhere
  • UPnP on your router (auto-opens ports without your knowledge)
  • Wi-Fi WPS
  • Default vendor accounts on appliances

12. Document everything

Network diagram, IP allocation, firewall rules with justification, access list of who has admin to what, dependencies between systems. Without this, every change is a roll of the dice and incident response takes 10x longer.

Bonus: regular checks

Weekly

  • Review failed login attempts
  • Check for new outbound destinations in flow logs
  • Verify backups completed

Monthly

  • Review user access lists
  • Run external port scans on yourself (nmap from outside)
  • Patch verification

Quarterly

  • Tabletop incident response exercise
  • Review and prune firewall rules
  • External penetration test (get fresh eyes)

The mindset

Assume breach. Design for containment. Test your assumptions. The team that’s most secure is the one that’s been compromised before and learned from it — not the one that has never been touched.

What to learn next

That covers security. Next big section: diagnostic tools you’ll reach for daily. Starting with ping and traceroute. Up next.
