thelinuxvault guide

Linux Security Hardening: A Comprehensive Checklist

Linux is renowned for its robust security architecture, but no system is impervious to threats. Whether you’re running a personal server, a cloud instance, or an enterprise-grade infrastructure, **security hardening**—the process of securing a system by reducing its attack surface and strengthening its defenses—is critical. This blog provides a detailed, actionable checklist to fortify your Linux environment against common vulnerabilities, unauthorized access, and malicious attacks. By following these steps, you’ll significantly reduce risk and ensure compliance with security best practices.

Table of Contents

  1. System Updates & Patching
  2. User & Access Management
  3. Network Security
  4. File System Security
  5. Service Hardening
  6. Logging & Monitoring
  7. Kernel Security
  8. Physical Security
  9. Third-Party Software
  10. Incident Response Plan
  11. Conclusion
  12. References

1. System Updates & Patching

Outdated software is one of the most common entry points for attackers. Regular updates patch known vulnerabilities in the OS, kernel, and applications.

Key Steps:

  • Enable Automatic Updates: Use tools like unattended-upgrades (Debian/Ubuntu) or dnf-automatic (RHEL/CentOS) to automate security patches. 
    # Debian/Ubuntu: Install and configure unattended-upgrades  
sudo apt install unattended-upgrades  
sudo dpkg-reconfigure -plow unattended-upgrades
  • Update Kernel Regularly: The kernel is the core of the OS; outdated kernels are prone to exploits (e.g., Spectre/Meltdown). Use apt upgrade (Debian) or yum update kernel (RHEL).
  • Verify Package Integrity: Use debsums (Debian) or rpm -V (RHEL) to check for tampered files: 
    sudo debsums -c  # List corrupted Debian packages

2. User & Access Management

Misconfigured user accounts are a major risk. Limit privileges and enforce strict access controls.

Key Steps:

  • Disable Root Login: Prevent direct root access via SSH and physical consoles. Use sudo for administrative tasks.
    • Edit /etc/ssh/sshd_config: PermitRootLogin no
    • Restrict physical root login: Set root shell to /usr/sbin/nologin in /etc/passwd.
  • Enforce Strong Passwords: Use PAM (Pluggable Authentication Modules) to enforce complexity.
    • Edit /etc/pam.d/common-password (Debian) or /etc/pam.d/system-auth (RHEL): 
      password requisite pam_pwquality.so retry=3 minlen=12 ucredit=-1 lcredit=-1 dcredit=-1 ocredit=-1
    • Set password expiration: chage -M 90 -W 14 <username> (force change every 90 days, warn 14 days prior).
  • SSH Hardening:
    • Use SSH keys instead of passwords: ssh-keygen (client), ssh-copy-id user@server (copy key to server).
    • Disable password authentication: Edit /etc/ssh/sshd_config: PasswordAuthentication no
    • Limit SSH users: AllowUsers alice [email protected]/24 (only allow Alice and Bob from 192.168.1.0 subnet).
    • Change default SSH port (e.g., Port 2222) to reduce brute-force attempts.
  • Two-Factor Authentication (2FA): Add 2FA for SSH using libpam-google-authenticator: 
    sudo apt install libpam-google-authenticator  
google-authenticator  # Run as user to generate QR code
    • Edit /etc/pam.d/sshd: auth required pam_google_authenticator.so

3. Network Security

Limit exposure by securing network interfaces and blocking unnecessary traffic.

Key Steps:

  • Enable a Firewall: Use ufw (simple) or iptables (advanced) to filter traffic. 
    # UFW example: Allow SSH (port 2222) and HTTP/HTTPS, deny all else  
sudo ufw default deny incoming  
sudo ufw default allow outgoing  
sudo ufw allow 2222/tcp  
sudo ufw allow 80/tcp  
sudo ufw allow 443/tcp  
sudo ufw enable
  • Close Unused Ports: Identify open ports with ss -tuln or netstat -tuln, then disable associated services.
  • Disable IPv6 (If Unused): Edit /etc/sysctl.conf to block IPv6: 
    net.ipv6.conf.all.disable_ipv6 = 1  
net.ipv6.conf.default.disable_ipv6 = 1
    Run sudo sysctl -p to apply.
  • Use Secure Protocols: Replace insecure protocols (Telnet, FTP, HTTP) with SSH, SFTP, or HTTPS. For example, configure Nginx/Apache to redirect HTTP to HTTPS.

4. File System Security

Protect critical files and directories from tampering or unauthorized access.

Key Steps:

  • Set Proper Permissions: Use chmod and chown to restrict access. For example: 
    sudo chmod 600 /etc/shadow  # Only root can read/write shadow passwords  
sudo chown root:root /etc/sudoers  # Ensure sudoers is owned by root
  • Immutable Files: Mark critical files (e.g., /etc/passwd, /etc/ssh/sshd_config) as immutable with chattr to prevent tampering: 
    sudo chattr +i /etc/passwd
    (Use chattr -i to revert.)
  • Encrypt File Systems: Use LUKS (Linux Unified Key Setup) to encrypt disks/partitions. For existing systems, encrypt /home or use ecryptfs.
  • Mount Options: Secure /tmp, /var/tmp, and /dev/shm by adding noexec,nosuid,nodev to /etc/fstab: 
    tmpfs /tmp tmpfs defaults,noexec,nosuid,nodev 0 0

5. Service Hardening

Disable unnecessary services and secure critical ones (e.g., web servers, databases).

Key Steps:

  • Disable Unused Services: Stop and mask services not needed (e.g., cups, telnetd): 
    sudo systemctl stop cups  
sudo systemctl disable cups  
sudo systemctl mask cups  # Prevent accidental startup
  • Harden Web Servers:
    • For Nginx: Edit /etc/nginx/nginx.conf to disable server tokens (server_tokens off;) and enable HTTPS with strong ciphers.
    • For Apache: Use mod_security WAF and restrict ServerSignature in /etc/apache2/conf-available/security.conf.
  • Isolate Services: Use chroot jails, Docker containers, or systemd-nspawn to limit service access to the host system.

6. Logging & Monitoring

Detect breaches early with robust logging and real-time alerts.

Key Steps:

  • Centralized Logging: Aggregate logs from multiple servers using rsyslog or syslog-ng. Forward logs to a central server for analysis.
  • Audit System Activity: Use auditd to monitor file access, user actions, and process execution: 
    sudo apt install auditd  
sudo auditctl -w /etc/passwd -p wa -k passwd_changes  # Log writes/appends to passwd
    View logs with ausearch -k passwd_changes.
  • Log Rotation: Configure logrotate to prevent log files from consuming disk space (default in most distros).
  • Real-Time Alerts: Use fail2ban to block brute-force attacks on SSH/HTTP: 
    sudo apt install fail2ban  
sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
    Edit jail.local to set bantime and thresholds (e.g., ban IPs after 5 failed SSH attempts).

7. Kernel Security

Secure the kernel to mitigate low-level exploits.

Key Steps:

  • Configure sysctl Parameters: Edit /etc/sysctl.conf to enable security-focused kernel settings: 
    # Prevent IP spoofing  
net.ipv4.conf.all.rp_filter = 1  
# Block SYN floods  
net.ipv4.tcp_syncookies = 1  
# Disable ICMP redirects  
net.ipv4.conf.all.accept_redirects = 0
  • Enable AppArmor/SELinux:
    • SELinux (RHEL/CentOS): Set to enforcing mode in /etc/selinux/config.
    • AppArmor (Debian/Ubuntu): Enable profiles for critical services (e.g., apache2, sshd): 
      sudo aa-enforce /etc/apparmor.d/usr.sbin.sshd
  • Disable Unused Kernel Modules: Blacklist risky modules (e.g., USB storage) in /etc/modprobe.d/blacklist.conf: 
    blacklist usb-storage

8. Physical Security

Even secure systems are vulnerable if physical access is unrestricted.

Key Steps:

  • BIOS/UEFI Password: Set a password to prevent unauthorized changes to boot settings.
  • Disk Encryption: Use LUKS to encrypt the entire disk. During OS installation, select “encrypt disk” or use cryptsetup post-install.
  • Secure Boot: Enable Secure Boot in BIOS/UEFI to block unsigned bootloaders (prevents rootkits).

9. Third-Party Software

Third-party apps (e.g., Docker, Node.js) can introduce vulnerabilities.

Key Steps:

  • Vet Sources: Only install software from official repos or trusted PPAs. Avoid random .deb/.rpm files.
  • Minimize Dependencies: Use apt autoremove or yum autoremove to uninstall unused packages.
  • Audit Regularly: Scan for outdated software with apt list --upgradable (Debian) or yum check-update (RHEL).

10. Incident Response Plan

Prepare for breaches with a documented plan.

Key Steps:

  • Backup Data: Use rsync, borgbackup, or cloud backups (e.g., AWS S3) with encryption. Test restores regularly.
  • Document Procedures: Outline steps to isolate affected systems, analyze logs, and notify stakeholders.
  • Practice Drills: Simulate breaches to test response times and identify gaps.

Conclusion

Linux security hardening is an ongoing process, not a one-time task. Regularly audit your system (use tools like lynis or chkrootkit), stay updated on vulnerabilities (via CVE Details), and adapt your checklist to new threats. By following this guide, you’ll significantly reduce your attack surface and protect your data.

References