Secure Your Home Server Checklist: Complete 2026 Guide

Imagine leaving your front door unlocked, windows open, and valuables in plain sight—that’s how most home servers start out. They’re functional but dangerously exposed.

Home servers are becoming increasingly common for hosting personal websites, media servers, file storage, and home automation. In 2026, with cyberattacks targeting home networks more than ever, securing your home server isn’t just smart—it’s essential.

This step-by-step checklist will walk you through every aspect of home server security, from basic setup to advanced protection. Whether you’re running a Raspberry Pi, an old PC, or a dedicated server, these practices will keep your data safe.

Understanding Home Server Risks

Who’s Targeting Home Servers?

What Are They After?

• Personal photos and documents
• Login credentials
• Home network access
• Computing resources (cryptomining)
• IoT device control

The Complete Security Checklist

🟢 Level 1: Basic Security (Must-Do)

These are essential steps everyone should complete.

1. Change Default Passwords

The Problem: Default credentials are published online and easily exploitable.

What to do:

# Change router default password
# 1. Find router IP (usually 192.168.1.1 or 10.0.0.1)
# 2. Log in with default credentials (usually admin/admin)
# 3. Change to a strong password

# Change server passwords
# For Ubuntu/Debian:
sudo passwd root
sudo passwd your-username

# For all services (SSH, FTP, etc.)
# Change each service's default credentials

Password Tips:

• Use at least 12 characters
• Include uppercase, lowercase, numbers, and symbols
• Don’t use personal information
• Use a password manager

2. Enable firewall

The Problem: Open ports invite attacks.

What to do (Using UFW - uncomplicated firewall):

# Install UFW
sudo apt update
sudo apt install ufw -y

# Set default policies (deny all incoming, allow outgoing)
sudo ufw default deny incoming
sudo ufw default allow outgoing

# Allow SSH (critical - don't lock yourself out!)
sudo ufw allow ssh
# Or if using custom SSH port
sudo ufw allow 2222/tcp

# Allow necessary services
sudo ufw allow 80/tcp    # HTTP
sudo ufw allow 443/tcp   # HTTPS
sudo ufw allow 53        # DNS

# Enable firewall
sudo ufw enable

# Check status
sudo ufw status verbose

What to do (Router Firewall):

1. Log into your router
2. Find “Firewall” or “Security” settings
3. Enable firewall if not already enabled
4. Disable “Respond to Ping from WAN”
5. Disable “Remote Management”

3. Use Strong SSH Configuration

The Problem: Default SSH settings are vulnerable to brute-force attacks.

What to do:

# Backup SSH config
sudo cp /etc/ssh/sshd_config /etc/ssh/sshd_config.backup

# Edit SSH config
sudo nano /etc/ssh/sshd_config

# Apply these settings:
Port 2222                     # Change from default port 22
PermitRootLogin no            # Prevent root login
PasswordAuthentication no     # Use keys only
PubkeyAuthentication yes      # Enable key authentication
MaxAuthTries 3                # Limit login attempts
ClientAliveInterval 300       # Idle timeout
ClientAliveCountMax 0         # Force disconnect on idle
AllowUsers your-username      # Limit to specific users

# Test configuration
sudo sshd -t

# Restart SSH
sudo systemctl restart sshd

Create SSH Keys:

# On your local computer (not the server!)
# Generate a new key pair
ssh-keygen -t ed25519 -C "your_email@example.com"

# Copy public key to server
ssh-copy-id -i ~/.ssh/id_ed25519.pub your-username@your-server-ip -p 2222

# Test connection
ssh your-username@your-server-ip -p 2222

# Disable password authentication now (if not done)
sudo sed -i 's/PasswordAuthentication yes/PasswordAuthentication no/' /etc/ssh/sshd_config
sudo systemctl restart sshd

4. Enable Automatic Security Updates

The Problem: Outdated software contains known vulnerabilities.

What to do:

# Install unattended-upgrades
sudo apt install unattended-upgrades -y

# Configure
sudo dpkg-reconfigure --priority=low unattended-upgrades

# Edit configuration
sudo nano /etc/apt/apt.conf.d/50unattended-upgrades

# Ensure these lines are present:
Unattended-Upgrade::Allowed-Origins {
    "${distro_id}:${distro_codename}";
    "${distro_id}:${distro_codename}-security";
    "${distro_id}ESM:${distro_codename}";
};

Unattended-Upgrade::Package-Blacklist {
    # Add packages you don't want auto-updated
    # "docker-ce";
};

Unattended-Upgrade::AutoFixInterruptedDpkg true;
Unattended-Upgrade::MinimalSteps true;

# Enable automatic removal of old kernels
Unattended-Upgrade::Remove-Unused-Dependencies true;
Unattended-Upgrade::Automatic-Reboot false;
Unattended-Upgrade::Automatic-Reboot-Time "03:00";

# Check status
sudo systemctl status unattended-upgrades

# View logs
sudo cat /var/log/unattended-upgrades/unattended-upgrades.log

5. Install [Fail2ban](/blog/cybersecurity/fail2ban-guide-2026)

The Problem: Attackers continuously try to brute-force login.

What to do:

# Install Fail2ban
sudo apt install fail2ban -y

# Create custom configuration
sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local

# Edit configuration
sudo nano /etc/fail2ban/jail.local

# Add/modify these settings:
[DEFAULT]
bantime = 3600          # Ban for 1 hour
findtime = 600          # Count attempts over 10 minutes
maxretry = 5            # Ban after 5 failures
ignoreip = 127.0.0.1/8 ::1 192.168.1.0/24  # Whitelist

[sshd]
enabled = true
port = 2222            # Your custom SSH port
logpath = /var/log/auth.log
maxretry = 3

# Restart Fail2ban
sudo systemctl restart fail2ban
sudo systemctl enable fail2ban

# Check status
sudo fail2ban-client status
sudo fail2ban-client status sshd

6. Use VPN for Remote Access

The Problem: Exposing services directly to the internet is dangerous.

What to do:

Option A: WireGuard (Recommended)

# Install WireGuard
sudo apt install wireguard -y

# Generate keys
cd /etc/wireguard
umask 077
wg genkey | tee privatekey | wg pubkey > publickey

# Create configuration
sudo nano /etc/wireguard/wg0.conf

# Add:
[Interface]
Address = 10.0.0.1/24
ListenPort = 51820
PrivateKey = YOUR_PRIVATE_KEY

[Peer]
PublicKey = YOUR_PEER_PUBLIC_KEY
AllowedIPs = 10.0.0.2/32

# Start WireGuard
sudo wg-quick up wg0
sudo systemctl enable wg-quick@wg0

Option B: Tailscale (Simpler)

# Install Tailscale
curl -fsSL https://tailscale.com/install.sh | sh

# Start Tailscale
sudo tailscale up

# Get your IP
sudo tailscale ip -4

# Install on all your devices for secure access

🟡 Level 2: Intermediate Security

These steps add significant protection for your home server.

7. Disable Unnecessary Services

The Problem: Extra services create more attack vectors.

What to do:

# List all running services
systemctl list-units --type=service --state=running

# Check listening ports
sudo ss -tulpn

# Stop and disable unnecessary services
sudo systemctl stop service-name
sudo systemctl disable service-name

# Common services to consider disabling:
# - FTP (unless needed)
# - Telnet (always disable)
# - RDP (use SSH instead)
# - SNMP (unless needed)
# - CUPS (if no printing needed)

# Check open ports
sudo netstat -tulpn

8. Set Up File Integrity Monitoring

The Problem: You don’t know if files have been tampered with.

What to do (Using Tripwire):

# Install Tripwire
sudo apt install tripwire -y

# Accept default answers

# Initialize the database (create baseline)
sudo tripwire --init

# Check for changes
sudo tripwire --check

# After system updates, update baseline
sudo tripwire --update-policy

# View reports
sudo twprint -m r -r /var/lib/tripwire/report/*.twr

# Schedule regular checks
sudo crontab -e
# Add:
0 3 * * * /usr/sbin/tripwire --check --quiet

Using AIDE (Alternative):

# Install AIDE
sudo apt install aide -y

# Initialize database
sudo aideinit

# Run check
sudo aide --check

# Schedule regular checks
sudo crontab -e
# Add:
0 4 * * * /usr/bin/aide --check | mail -s "AIDE Report" your-email@example.com

9. Implement Log Monitoring

The Problem: You might miss security events without proper monitoring.

What to do:

# Install Logwatch
sudo apt install logwatch -y

# Test run
sudo logwatch --detail High --mailto your-email@example.com

# Configure daily report
sudo nano /etc/cron.daily/00logwatch
# Add:
/usr/sbin/logwatch --output mail --mailto your-email@example.com --detail High

# View logs in real-time
sudo journalctl -f
sudo tail -f /var/log/auth.log
sudo tail -f /var/log/syslog

# Check for suspicious activities
# Failed login attempts
sudo journalctl -u sshd | grep "Failed password"

# Successful logins (look for unusual times)
sudo last

# Sudo usage
sudo grep "sudo:" /var/log/auth.log

# Create alert for suspicious events
sudo nano /usr/local/bin/security-alerts.sh

Alert Script:

#!/bin/bash
# security-alerts.sh

# Check for failed SSH attempts in last 15 minutes
FAILED=$(journalctl -u sshd --since "15 minutes ago" | grep "Failed password" | wc -l)
if [ $FAILED -gt 10 ]; then
    echo "ALERT: $FAILED failed SSH attempts in 15 minutes" | \
        mail -s "SSH Attack Detected" your-email@example.com
fi

# Check for root login
ROOT_LOGIN=$(last root | head -1 | grep -v "still")
if [ -n "$ROOT_LOGIN" ]; then
    echo "ALERT: Root login detected at $(date)" | \
        mail -s "Root Login Alert" your-email@example.com
fi

# Make executable
sudo chmod +x /usr/local/bin/security-alerts.sh

# Add to crontab
sudo crontab -e
# Add:
*/15 * * * * /usr/local/bin/security-alerts.sh

10. Use HTTPS for Web Services

The Problem: HTTP traffic is unencrypted and can be intercepted.

What to do (Using Let’s Encrypt):

# Install Certbot
sudo apt install certbot python3-certbot-nginx -y
# For Apache: python3-certbot-apache

# Install certificates
sudo certbot --nginx -d your-domain.com
# Or for Apache:
sudo certbot --apache -d your-domain.com

# For wildcard certificates
sudo certbot certonly --manual --preferred-challenges dns -d *.your-domain.com

# Auto-renew
sudo systemctl enable certbot.timer
sudo systemctl start certbot.timer

# Test renewal
sudo certbot renew --dry-run

Manual SSL Setup:

# Generate self-signed certificate
openssl req -new -x509 -days 365 -nodes -out /etc/ssl/certs/server.crt -keyout /etc/ssl/private/server.key

# Configure Nginx
sudo nano /etc/nginx/sites-available/default

# Add:
server {
    listen 443 ssl;
    server_name your-server-ip;
    
    ssl_certificate /etc/ssl/certs/server.crt;
    ssl_certificate_key /etc/ssl/private/server.key;
    
    # Strong SSL settings
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers HIGH:!aNULL:!MD5;
    
    # Redirect HTTP to HTTPS
    location / {
        try_files $uri $uri/ =404;
    }
}

server {
    listen 80;
    server_name your-server-ip;
    return 301 https://$server_name$request_uri;
}

11. backup Your Data

The Problem: Ransomware can make your data inaccessible.

What to do:

Local Backups:

# Create backup script
sudo nano /usr/local/bin/backup.sh

#!/bin/bash
# backup.sh

BACKUP_DIR="/backup"
DATE=$(date +%Y%m%d)

# Create backup directory
mkdir -p $BACKUP_DIR/$DATE

# Backup important data
rsync -av /home/ $BACKUP_DIR/$DATE/home/
rsync -av /var/www/ $BACKUP_DIR/$DATE/www/
rsync -av /etc/ $BACKUP_DIR/$DATE/etc/

# Backup databases
mysqldump --all-databases > $BACKUP_DIR/$DATE/mysql-backup.sql

# Compress
tar -czf $BACKUP_DIR/$DATE.tar.gz $BACKUP_DIR/$DATE/

# Remove old backups (keep 7 days)
find $BACKUP_DIR -name "*.tar.gz" -mtime +7 -delete

echo "Backup completed on $(date)" >> /var/log/backup.log

# Make executable
sudo chmod +x /usr/local/bin/backup.sh

# Schedule daily backup
sudo crontab -e
# Add:
0 1 * * * /usr/local/bin/backup.sh

Remote Backups (Off-site):

# Using rsync to remote server
rsync -avz -e "ssh -p 2222" /backup/ user@remote-server:/backup/

# Using cloud storage (rclone)
# Install rclone
sudo apt install rclone -y

# Configure (Google Drive, Dropbox, etc.)
rclone config

# Sync to cloud
rclone sync /backup/ remote:backup-folder/

# Schedule remote backup
# Add to cron:
0 2 * * * rclone sync /backup/ remote:backup-folder/

🟠 Level 3: Advanced Security

These steps provide enterprise-level protection for your home server.

12. Implement Intrusion Detection

The Problem: Attackers might get in without you knowing.

What to do (Using OSSEC):

# Install OSSEC
wget https://github.com/ossec/ossec-hids/archive/master.zip
unzip master.zip
cd ossec-hids-master
./install.sh

# Choose:
# 1. Local installation
# Enable email notifications

# Configure OSSEC
sudo nano /var/ossec/etc/ossec.conf

# Add email settings:
<global>
    <email_notification>yes</email_notification>
    <email_to>youremail@domain.com</email_to>
    <smtp_server>smtp.gmail.com</smtp_server>
    <email_from>ossec@domain.com</email_from>
</global>

# Start OSSEC
sudo /var/ossec/bin/ossec-control start

# Check status
sudo /var/ossec/bin/ossec-control status

Using Snort (Network IDS):

# Install Snort
sudo apt install snort -y

# Configure
sudo dpkg-reconfigure snort

# Test configuration
sudo snort -T -i eth0 -c /etc/snort/snort.conf

# Start Snort
sudo systemctl start snort
sudo systemctl enable snort

# View alerts
sudo tail -f /var/log/snort/alert

13. Isolate Services with Containers

The Problem: One compromised service can affect the entire system.

What to do:

Using Docker:

# Install Docker
curl -fsSL https://get.docker.com -o get-docker.sh
sh get-docker.sh

# Add user to docker group
sudo usermod -aG docker $USER

# Run services in isolated containers
# Example: Run Pi-hole (DNS blocking)
docker run -d \
    --name pihole \
    -e TZ="America/New_York" \
    -v "$(pwd)/etc-pihole:/etc/pihole" \
    -v "$(pwd)/etc-dnsmasq.d:/etc/dnsmasq.d" \
    --dns=127.0.0.1 --dns=1.1.1.1 \
    --restart=unless-stopped \
    --hostname pi.hole \
    -p 53:53/tcp -p 53:53/udp \
    -p 8053:80/tcp \
    pihole/pihole:latest

# Example: Run Home Assistant
docker run -d \
    --name homeassistant \
    --restart=unless-stopped \
    -v /path/to/config:/config \
    -v /var/run/docker.sock:/var/run/docker.sock \
    -p 8123:8123 \
    homeassistant/home-assistant:latest

14. Set Up Port Knocking

The Problem: Open ports are always visible to scanners.

What to do:

# Install knockd
sudo apt install knockd -y

# Configure
sudo nano /etc/knockd.conf

# Add:
[options]
LogFile = /var/log/knockd.log
Interface = eth0

[openSSH]
sequence = 7000,8000,9000
seq_timeout = 5
command = /sbin/iptables -A INPUT -s %IP% -p tcp --dport 2222 -j ACCEPT
tcpflags = syn

[closeSSH]
sequence = 9000,8000,7000
seq_timeout = 5
command = /sbin/iptables -D INPUT -s %IP% -p tcp --dport 2222 -j ACCEPT
tcpflags = syn

# Start knockd
sudo systemctl enable knockd
sudo systemctl start knockd

# Test (from another machine)
# Knock sequence to open SSH
knock -v your-server-ip 7000 8000 9000
# Now SSH to your server
ssh -p 2222 user@your-server-ip

# Knock to close
knock -v your-server-ip 9000 8000 7000

15. Use a Reverse Proxy

The Problem: Exposing multiple services requires multiple open ports.

What to do (Using Nginx):

# Install Nginx
sudo apt install nginx -y

# Create reverse proxy configuration
sudo nano /etc/nginx/sites-available/your-domain

# Add:
server {
    listen 80;
    server_name your-domain.com;

    location / {
        proxy_pass http://localhost:8080;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }

    # Proxy to different services via subdomains
    # media.your-domain.com
    # files.your-domain.com
    # home.your-domain.com
}

# Enable site
sudo ln -s /etc/nginx/sites-available/your-domain /etc/nginx/sites-enabled/

# Test and reload
sudo nginx -t
sudo systemctl reload nginx

Using Caddy (Simpler):

# Install Caddy
echo "deb [trusted=yes] https://apt.fury.io/caddy/ /" | sudo tee /etc/apt/sources.list.d/caddy-fury.list
sudo apt update
sudo apt install caddy -y

# Create Caddyfile
sudo nano /etc/caddy/Caddyfile

# Add:
your-domain.com {
    reverse_proxy localhost:8080
}

media.your-domain.com {
    reverse_proxy localhost:8090
}

files.your-domain.com {
    reverse_proxy localhost:8100
}

# Restart Caddy
sudo systemctl restart caddy

16. Implement Network Segmentation

The Problem: One compromised device can access everything.

What to do (Using VLANs on Router):

1. Log into router
2. Create VLANs:
   • VLAN 1: Main network (trusted devices)
   • VLAN 2: IoT devices (smart home)
   • VLAN 3: Guest network
   • VLAN 4: Server network

Firewall Rules:

# Server → Internet: Allow
# Server → Main: Deny
# Server → IoT: Allow (for automation)
# IoT → Server: Deny
# IoT → Internet: Allow
# Guest → Internet: Allow
# Guest → Anything else: Deny

Alternative: Use different subnets:

# Setup network interfaces
sudo nano /etc/netplan/01-netcfg.yaml

# Add:
network:
  version: 2
  ethernets:
    eth0:
      addresses:
        - 192.168.1.10/24  # Trusted network
    eth1:
      addresses:
        - 10.0.0.10/24     # IoT network
    eth2:
      addresses:
        - 172.16.0.10/24   # Guest network

Security Monitoring Dashboard

Setting Up a Simple Dashboard

# Install Netdata (real-time monitoring)
bash <(curl -Ss https://my-netdata.io/kickstart.sh)

# Access dashboard at: http://your-server-ip:19999

# Install Cockpit (web-based server management)
sudo apt install cockpit -y
# Access at: https://your-server-ip:9090

# Install Monitoring with Grafana
# Install dependencies
sudo apt install -y software-properties-common wget
wget -q -O - https://packages.grafana.com/gpg.key | sudo apt-key add -
sudo add-apt-repository "deb https://packages.grafana.com/oss/deb stable main"
sudo apt update
sudo apt install grafana -y

# Start Grafana
sudo systemctl enable grafana-server
sudo systemctl start grafana-server
# Access at: http://your-server-ip:3000

Emergency Response Plan

What to Do If You Suspect a Breach

1. Immediate Actions (First 5 Minutes):

# 1. Disconnect from network
sudo ifconfig eth0 down

# 2. Check for suspicious processes
ps aux | grep -v root | grep -v user

# 3. Check for suspicious connections (last known state)
sudo last

# 4. Check logs for suspicious activity
sudo journalctl -u sshd | grep -i "failed\|accepted"
sudo grep -i "password" /var/log/auth.log

# 5. Create forensic copy
sudo dd if=/dev/sda of=/external/forensic.dd bs=4M status=progress

2. Investigate:

# Check for rootkits
sudo rkhunter --check
sudo chkrootkit

# Check for unauthorized users
sudo cat /etc/passwd | grep -v "/home"

# Check for unexpected cron jobs
sudo cat /var/spool/cron/crontabs/*

# Check for modified files
sudo tripwire --check

3. Recovery Steps:

# 1. Isolate the system from network
# 2. Reset all passwords
# 3. Review all user accounts
# 4. Check and fix system files
# 5. Apply security patches
# 6. Enable additional monitoring
# 7. Review security logs
# 8. Change all sensitive passwords

Printable Security Checklist

✅ Daily Tasks

• Check system logs (5 minutes)
• Review failed login attempts
• Check disk space
• Verify services are running
• Check for unusual network activity

✅ Weekly Tasks

• Review security alerts
• Check for system updates
• Review user accounts
• Check backup status
• Monitor disk usage trends

✅ Monthly Tasks

• Full system audit
• Review firewall rules
• Check SSL certificates
• Update passwords
• Review security policies

✅ Quarterly Tasks

• Full security assessment
• Update incident response plan
• Verify backup restoration
• Review access controls
• Security training/awareness

Common Security Mistakes to Avoid

❌ Don’t Do These:

# 1. Using default ports
# Bad: Port 22 for SSH
# Good: Use a random port like 2222

# 2. Using weak passwords
# Bad: password123
# Good: xK9!mP2$vL8#Qw5

# 3. Disabling the firewall
# Bad: sudo ufw disable
# Good: sudo ufw enable

# 4. Running as root
# Bad: sudo su -
# Good: Use sudo only when needed

# 5. Ignoring updates
# Bad: apt-mark hold package
# Good: apt update && apt upgrade

# 6. Opening ports without need
# Bad: Opening all ports
# Good: Only open what's necessary

# 7. No backup strategy
# Bad: No backups
# Good: Regular automated backups

# 8. Using default credentials
# Bad: admin/admin
# Good: Strong, unique passwords

Quick Reference Card

Essential Commands

# Firewall
sudo ufw status
sudo ufw allow port
sudo ufw deny from ip

# SSH
sudo systemctl restart sshd
ssh user@ip -p port

# Monitoring
sudo journalctl -f
sudo tail -f /var/log/auth.log
sudo fail2ban-client status

# Updates
sudo apt update && sudo apt upgrade
sudo unattended-upgrades

# Users
sudo passwd user
sudo userdel user
sudo last

# Network
sudo ss -tulpn
sudo netstat -tulpn
sudo tcpdump -i eth0

# Docker
docker ps
docker logs container
docker stats

Emergency Contacts

Conclusion

Securing your home server is an ongoing journey, not a one-time task. This checklist provides a solid foundation, but security requires continuous attention and updates.

Remember:

• Start with the basics (Level 1)
• Gradually implement advanced measures
• Regular monitoring is crucial
• Stay informed about new threats
• Backup your data regularly

Your next steps:

1. Complete Level 1 checklist this week
2. Implement Level 2 within the month
3. Plan for Level 3 advanced features
4. Review and update quarterly

Want to learn more about server security? Check out our Complete Linux Security Guide for more comprehensive protection strategies.

Frequently Asked Questions (FAQs)

Q: What’s the minimum security I need for a home server? A: At minimum: change default passwords, enable firewall, use SSH keys, and keep software updated.

Q: Is a home server safe to expose to the internet? A: With proper security measures, yes. But always use a VPN or reverse proxy for remote access.

Q: How do I know if my server has been hacked? A: Look for: unexpected processes, unauthorized logins, unusual network traffic, modified files, or suspicious user accounts.

Q: Should I use a DMZ for my home server? A: Only if you understand the risks. A DMZ can isolate your server but also exposes it completely to the internet.

Q: Can I secure my server without spending money? A: Absolutely! All tools in this guide are free open-source software.

Q: How often should I change my server passwords? A: Change them every 90 days, or immediately if you suspect a breach.