thelinuxvault guide

Hardening Linux: Best Practices for System Administrators

Linux is renowned for its stability, flexibility, and security, making it the backbone of servers, cloud infrastructure, and embedded systems worldwide. However, out-of-the-box Linux installations are not inherently "secure"—they often prioritize usability over strict security. **Linux hardening** is the process of securing a Linux system by reducing its attack surface, mitigating vulnerabilities, and enforcing security policies. For system administrators, this proactive approach is critical to protecting sensitive data, preventing unauthorized access, and ensuring compliance with industry regulations. This blog explores actionable, detailed best practices for hardening Linux systems. Whether you manage a single server or a fleet of machines, these steps will help you build a robust security foundation.

Table of Contents

  1. Introduction
  2. 1. Keep the System Updated
  3. 2. Secure User Accounts and Access Control
  4. 3. Strengthen Authentication Mechanisms
  5. 4. Harden File System Permissions
  6. 5. Secure Network Configuration
  7. 6. Minimize and Secure Services
  8. 7. Implement Logging and Monitoring
  9. 8. Harden the Linux Kernel
  10. 9. Physical Security Considerations
  11. 10. Regular Security Audits and Maintenance
  12. Conclusion
  13. References

1. Keep the System Updated

Why? Outdated software is the single largest vector for attacks. Vulnerabilities in the kernel, libraries, or applications are frequently patched in updates.

Best Practices:

  • Automate updates: Use tools like unattended-upgrades (Debian/Ubuntu) or dnf-automatic (RHEL/CentOS) to ensure critical security patches are applied automatically. 
    # Install unattended-upgrades on Ubuntu  
sudo apt install unattended-upgrades  
sudo dpkg-reconfigure -plow unattended-upgrades  # Enable automatic updates
  • Prioritize security repositories: Enable official security repos (e.g., deb http://security.ubuntu.com/ubuntu focal-security main).
  • Reboot after kernel updates: Kernel patches require a reboot to take effect. Use tools like kexec for minimal downtime or schedule reboots during maintenance windows.
  • Audit updates: Periodically review update logs (e.g., /var/log/apt/history.log or /var/log/dnf.log) to ensure patches are applied successfully.

2. Secure User Accounts and Access Control

Why? Weak user account practices (e.g., default passwords, overprivileged users) are a common entry point for attackers.

Best Practices:

  • Enforce the principle of least privilege: Users should only have the permissions necessary to perform their roles.
  • Disable root login: Prevent direct root access via the console or SSH. Use sudo for administrative tasks instead. 
    # Lock the root account (prevent password login)  
sudo passwd -l root
  • Strengthen password policies: Use pam_pwquality to enforce complexity (length, mixed case, symbols) and expiration.
    Edit /etc/security/pwquality.conf: 
    minlen = 12  
dcredit = -1  # Require at least 1 digit  
ucredit = -1  # Require at least 1 uppercase  
lcredit = -1  # Require at least 1 lowercase  
ocredit = -1  # Require at least 1 symbol  
maxrepeat = 3  # Prevent repeated characters
  • Account lockout: Use pam_faillock to lock accounts after failed login attempts.
    Edit /etc/pam.d/common-auth (Ubuntu) or /etc/pam.d/system-auth (RHEL): 
    auth    required    pam_faillock.so preauth silent audit deny=5 unlock_time=300  
auth    [success=1 default=ignore]      pam_unix.so  
auth    [default=die]   pam_faillock.so authfail audit deny=5 unlock_time=300
  • Remove unused accounts: Delete dormant or unnecessary accounts (e.g., ftp, games). 
    # List inactive accounts (last login > 90 days)  
lastlog | grep -v "Never logged in" | awk '$4 < (date +%Y-%m-%d -d "90 days ago" | cut -d- -f3)'

3. Strengthen Authentication Mechanisms

Why? Passwords alone are vulnerable to brute-force or phishing attacks. Multi-factor authentication (MFA) and secure protocols add layers of protection.

Best Practices:

  • Harden SSH: SSH is a critical entry point—secure it with these settings in /etc/ssh/sshd_config: 
    PermitRootLogin no               # Disable root login  
PasswordAuthentication no        # Disable password auth  
PubkeyAuthentication yes         # Enable SSH keys  
AuthorizedKeysFile .ssh/authorized_keys  
Ciphers [email protected],[email protected],aes256-ctr  # Strong ciphers  
MACs [email protected],[email protected]  # Strong MACs  
KexAlgorithms [email protected],diffie-hellman-group-exchange-sha256  # Secure key exchange  
AllowUsers alice bob             # Restrict SSH access to specific users
    Restart SSH: sudo systemctl restart sshd.
  • Use SSH keys: Generate 4096-bit RSA or Ed25519 keys for authentication. 
    ssh-keygen -t ed25519 -C "[email protected]"  # Generate Ed25519 key (more secure than RSA)  
ssh-copy-id [email protected]          # Copy public key to server
  • Enable MFA: Use tools like Google Authenticator or Duo Security for SSH and sudo. 
    # Install Google Authenticator PAM module  
sudo apt install libpam-google-authenticator  
google-authenticator  # Run as user to configure MFA
    Edit /etc/pam.d/sshd to require MFA: 
    auth    required    pam_google_authenticator.so

4. Harden File System Permissions

Why? Misconfigured file permissions can expose sensitive data (e.g., /etc/shadow) or allow privilege escalation.

Best Practices:

  • Avoid overly permissive permissions: Never use 777 (read/write/execute for all). Restrict files to 600 (user-only) or 644 (user read/write, group/others read). 
    # Find world-writable files (audit and fix)  
find / -type f -perm -0002 -ls 2>/dev/null
  • Secure critical system files: Set strict permissions for /etc/passwd, /etc/shadow, and /etc/sudoers: 
    sudo chmod 644 /etc/passwd  
sudo chmod 000 /etc/shadow  # Readable only by root  
sudo chmod 440 /etc/sudoers
  • Immutable files: Use chattr to make critical files (e.g., sshd_config) immutable to prevent tampering. 
    sudo chattr +i /etc/ssh/sshd_config
  • File Integrity Monitoring (FIM): Deploy tools like AIDE or Tripwire to detect unauthorized file changes. 
    # Install AIDE  
sudo apt install aide  
sudo aideinit  # Generate initial database  
sudo aide --check  # Run a check (schedule via cron)
  • Partitioning: Use separate partitions for /tmp, /var, and /home with security flags:
    Edit /etc/fstab: 
    /dev/sda5  /tmp  ext4  defaults,noexec,nosuid,nodev  0  2  
/dev/sda6  /var  ext4  defaults,nosuid  0  2
    • noexec: Prevent execution of binaries.
    • nosuid: Disable setuid binaries.
    • nodev: Block device files.

5. Secure Network Configuration

Why? Unrestricted network access exposes the system to remote attacks. Firewalls, port restrictions, and secure protocols are essential.

Best Practices:

  • Enable a firewall: Use ufw (simple) or iptables (advanced) with a default-deny policy. 
    # UFW example (allow SSH and HTTP, deny all else)  
sudo ufw default deny incoming  
sudo ufw default allow outgoing  
sudo ufw allow 22/tcp   # SSH  
sudo ufw allow 443/tcp  # HTTPS  
sudo ufw enable
    For iptables: 
    sudo iptables -P INPUT DROP  
sudo iptables -P FORWARD DROP  
sudo iptables -P OUTPUT ACCEPT  
sudo iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT  # Allow existing connections  
sudo iptables -A INPUT -p tcp --dport 22 -j ACCEPT  # Allow SSH
  • Bind services to localhost: Configure services (e.g., databases, monitoring tools) to listen only on 127.0.0.1 unless remote access is required.
    Example for PostgreSQL (postgresql.conf): 
    listen_addresses = 'localhost'
  • Disable IPv6 (if unused): Attackers may exploit IPv6 vulnerabilities if it’s enabled but unconfigured.
    Edit /etc/sysctl.conf: 
    net.ipv6.conf.all.disable_ipv6 = 1  
net.ipv6.conf.default.disable_ipv6 = 1
    Apply: sudo sysctl -p.
  • Use TCP Wrappers: Restrict access to services via /etc/hosts.allow and /etc/hosts.deny. 
    # /etc/hosts.deny (deny all by default)  
ALL: ALL  

# /etc/hosts.allow (allow SSH from trusted IP)  
sshd: 192.168.1.0/24

6. Minimize and Secure Services

Why? Every running service increases the attack surface. Unused services consume resources and introduce risks.

Best Practices:

  • Disable unused services: Stop and disable unnecessary daemons (e.g., telnet, cups, avahi-daemon). 
    # List enabled services (systemd)  
sudo systemctl list-unit-files --type=service --state=enabled  
# Disable a service  
sudo systemctl disable --now cups
  • Harden systemd services: Use systemd’s security directives in service files (e.g., /etc/systemd/system/myservice.service): 
    [Service]  
PrivateTmp=yes           # Isolate /tmp for the service  
ProtectSystem=strict     # Read-only access to /usr, /boot, /etc  
NoNewPrivileges=yes      # Prevent privilege escalation  
User=nonroot             # Run as a non-root user
  • Minimize installed packages: Remove unneeded software to reduce vulnerabilities. 
    # Find orphaned packages (Debian/Ubuntu)  
sudo apt autoremove --purge  
# Find unused packages (RHEL/CentOS)  
sudo dnf repoquery --unneeded --resolve
  • Isolate services: Use chroot, LXC, or Docker to isolate high-risk services (e.g., web servers) from the host system.

7. Implement Logging and Monitoring

Why? Without visibility into system activity, you won’t detect breaches until it’s too late.

Best Practices:

  • Centralize logs: Aggregate logs from multiple servers using tools like the ELK Stack (Elasticsearch, Logstash, Kibana) or Graylog for easier analysis.
  • Secure log files: Ensure logs are immutable and protected from tampering. 
    sudo chattr +a /var/log/auth.log  # Append-only mode
  • Monitor critical events: Track failed logins, sudo usage, and file changes with tools like:
    • fail2ban: Blocks IPs with repeated failed SSH attempts. 
      sudo apt install fail2ban  
sudo systemctl enable --now fail2ban
    • auditd: Monitors system calls and file access. 
      # Monitor changes to /etc/passwd  
sudo auditctl -w /etc/passwd -p wa -k passwd_changes
  • Set up alerts: Use tools like Nagios, Zabbix, or Prometheus to trigger alerts for anomalies (e.g., high CPU usage, unusual login times).

8. Harden the Linux Kernel

Why? The kernel is the core of the OS—hardening it reduces low-level vulnerabilities.

Best Practices:

  • Tweak sysctl settings: Edit /etc/sysctl.conf to enable security features: 
    # Disable IP forwarding (if not a router)  
net.ipv4.ip_forward = 0  
# Enable reverse path filtering (prevent spoofing)  
net.ipv4.conf.all.rp_filter = 1  
# Limit SYN flood attacks  
net.ipv4.tcp_syncookies = 1  
net.ipv4.tcp_max_syn_backlog = 1024  
# Disable ICMP redirects  
net.ipv4.conf.all.accept_redirects = 0  
net.ipv6.conf.all.accept_redirects = 0
    Apply changes: sudo sysctl -p.
  • Disable unused kernel modules: Blacklist modules like usb_storage (if no USB devices are needed) or bluetooth.
    Edit /etc/modprobe.d/blacklist.conf: 
    blacklist usb_storage  
blacklist bluetooth
  • Use security modules: Enable SELinux (RHEL/CentOS) or AppArmor (Debian/Ubuntu) for mandatory access control (MAC).
    • SELinux: Set to enforcing mode and use audit2allow to resolve policy denials. 
      sudo setenforce enforcing  
sudo semanage permissive -a httpd_t  # Temporarily allow httpd if needed
    • AppArmor: Enforce profiles for critical apps (e.g., apache2, sshd). 
      sudo aa-enforce /etc/apparmor.d/usr.sbin.sshd

9. Physical Security Considerations

Why? Physical access to a server bypasses most software security measures.

Best Practices:

  • Lock the server room: Restrict physical access with keycards or biometrics.
  • Disable USB ports: Block USB storage via kernel modules or udev rules. 
    # Blacklist usb_storage via modprobe  
echo "blacklist usb_storage" | sudo tee /etc/modprobe.d/block-usb.conf
  • Enable secure boot: Use UEFI Secure Boot to prevent unauthorized firmware or kernel loading.
  • Encrypt disks: Use LUKS to encrypt the entire disk or sensitive partitions (e.g., /home). 
    # Encrypt a partition with LUKS  
sudo cryptsetup luksFormat /dev/sda3  
sudo cryptsetup open /dev/sda3 crypt_home  
sudo mkfs.ext4 /dev/mapper/crypt_home

10. Regular Security Audits and Maintenance

Why? Security is not a one-time task—threats evolve, so your defenses must too.

Best Practices:

  • Run vulnerability scans: Use tools like lynis, OpenVAS, or Nessus to identify weaknesses. 
    # Run a Lynis audit  
sudo lynis audit system
  • Follow CIS Benchmarks: The Center for Internet Security (CIS) provides detailed hardening guidelines for Linux distributions.
  • Stay informed: Subscribe to security mailing lists (e.g., ubuntu-security-announce, oss-security) to learn about new vulnerabilities.
  • Test incident response: Regularly simulate breaches to ensure your team can respond effectively.

Conclusion

Linux hardening is a continuous process that combines proactive configuration, monitoring, and maintenance. By following these best practices, you’ll significantly reduce your system’s attack surface and protect against common threats. Remember: security is layered—no single step guarantees protection, but together, these measures create a robust defense.

Stay vigilant, keep learning, and make security a habit in your daily administration workflow.

References