Skip to main content

Linux Server Hardening Checklist

Checklist :

  • 1. Encrypt Data Communication for Linux Server
  • All data transmitted over a network is open to monitoring. Encrypt transmitted data whenever possible with password or using keys / certificates.
  • GnuPG allows to encrypt and sign your data and communication, features a versatile key management system as well as access modules for all kind of public key directories.
  • SSH / RSYNC / SFTP for file transfer
  • SSL whenever it's possible
  • 2. Avoid Using FTP, Telnet, and Rlogin / Rsh Services
  • Commands and transferred files can be captured by anyone on the same network using a packet sniffer.
  • Use instead OpenSSH , SFTP, or FTPS (FTP over SSL)
  • 3. Minimize Software to Minimize Vulnerability
yum list installed
yum list packageName

or

dpkg --list
dpkg --info packageName
  • 4. One Network Service Per System, VM or Container

Run each exposed service isolated via VM, Docker, LXC..

  • 5. Keep Linux Kernel and Software Up to Date
yum update

or

apt update && apt upgrade
  • 6. Use Linux Security Extensions

Use SELinux, Apparmor, Grsecurity when possible.

Feature SELinux AppArmor grsecurity
Automated No (audit2allow and system-config-selinux) Yes (Yast wizard) Yes (auto training / gradm)
Powerful policy setup Yes (very complex) Yes Yes
Default and recommended integration CentOS / RedHat / Debian Suse / OpenSuse / Ubuntu based Any Linux distribution
Training and vendor support Yes (Redhat) Yes (Novell) No (community forum and lists)
Recommend for Advanced user New / advanced user New users
Feature Attaches labels to all files, processes and objects Pathname based system does not require labeling or relabeling filesystem ACLs

  • 7. Linux User Accounts must respect a strong password policy

  • Lockout/Error after X retry

passwd -l username
  • Minimum length
  • Force to change similar characters
  • Force no null passwords
  • Setup password aging For ex, you can directly edit the /etc/shadow file :
{userName}:{password}:{lastpasswdchanged}:{Minimum_days}:{Maximum_days}:{Warn}:{Inactive}:{Expire}:

Where,

  • Minimum_days: The minimum number of days required between password changes.
  • Maximum_days: The maximum number of days the password is valid (after that user is forced to change his/her password).
  • Warn : The number of days before password is to expire that user is warned that his/her password must be changed.
  • Expire : Absolute date specifying when the login may no longer be used.
  • 8. Ensure No Non-Root Accounts Have UID Set to 0 Only root account have UID 0 with full permissions to access the system. Check with :
awk -F: '($3 == "0") {print}' /etc/passwd
  • 9. Disable Root Login Never ever login as root user. You should use sudo to execute root level commands as and when required.
  • 10. Physical Server Security
  • BIOS & Grub password w or w/o MFA
  • 11. Disable Unwanted Linux Services

Check with :

systemctl list-unit-files

This command will list all services installed/deployed.

Print a list of services that lists which runlevels each is configured on or off

systemctl list-unit-files --type=service
systemctl list-dependencies graphical.target
  • 12. Find Listening Network Ports
ss -tulpn
netstat -plntu
  • 13. Delete X Window Systems (X11) X Window systems on server is not required.
yum groupremove "X Window System"
yum group remove "$DE_NAME Desktop"
  • 14. Configure Iptable Firewall
  • 15. Harden Linux Kernel with /etc/sysctl.conf

/etc/sysctl.conf file is used to configure kernel parameters at runtime. Linux reads and applies settings from /etc/sysctl.conf at boot time.

  • 16. Separate Disk Partitions for Linux System
Partition Purpose
/usr This is where most executable binaries, the kernel source tree and much documentation go.
/var This is where spool directories such as those for mail and printing go. It also contains the error log directory.
/tmp This is where most temporary data files are stored by apps.
/boot This is where your kernel images and boot loader configuration go.
/home This is where users' home directories go.

If the partitions are in one, a script like this one :

#!/bin/sh
man bash > $(mktemp)
$0

runned with cron or nohup can crash your entire system.

A good way of hardening could be , depending on your IS, to add the following option to /etc/fstab file:

  • nosuid – Do not set SUID/SGID access on this partition
  • nodev – Do not character or special devices on this partition
  • noexec – Do not set execution of any binaries on this partition
  • ro – Mount file system as readonly
  • quota – Enable disk quota

Above options can be set only, if you have a separate partition.

Make sure you create a partition as above with special option set on each partition:

  • /home – Set option nosuid, and nodev with diskquota option
  • /usr – Set option nodev
  • /tmp – Set option nodev, nosuid, noexec option must be enabled
  • 17. Disable IPv6 if Not Using It
  • 18. Disable Unwanted SUID and SGID Binaries

All SUID/SGID bits enabled file can be misused : https://gtfobins.github.io/

  • 19. Check for World-Writable Files

If you find a script that is owned by root but is writable by anyone you can add your own malicious code in that script that will escalate your privileges when the script is run as root

# World writable files directories
find / -writable -type d 2>/dev/null
find / -perm -222 -type d 2>/dev/null
find / -perm -o w -type d 2>/dev/null

# World executable folder
find / -perm -o x -type d 2>/dev/null

# World writable and executable folders
find / \( -perm -o w -perm -o x \) -type d 2>/dev/null
  • 20. Remove Noowner Files

Files not owned by any user or group can pose a security problem. Just find them with the following command :

find /dir -xdev \( -nouser -o -nogroup \) -print
  • 21. Use Centralized Authentication Service

IAM / LDAP / SSO ....

  • 22. Implement Kerberos for Authentication

Use Kerberos if available : https://docs.redhat.com/en/documentation/red_hat_ansible_automation_platform/2.4/html/automation_controller_administration_guide/assembly-controller-kerberos-authentication

  • 22. Configure Logging and Auditing
  • 23. Monitor Suspicious Logs with Logwatch / Logcheck

Read your logs using logwatch command (logcheck). You get detailed reporting on unusual items in syslog via email.

  • 24. Use System Accounting with auditd
  • 25. Secure OpenSSH Server

  • 26. Install and Use Intrusion Detection Systems (IDS)

  • Install a NIDS

  • Use AIDE, a HIDS

  • rkhunter to detect rootkit

  • 27. Disable USB/Firewire/Thunderbolt Devices

Type the following command to disable USB devices on Linux system:

echo 'install usb-storage /bin/true' >> /etc/modprobe.d/disable-usb-storage.conf

You can use same method to disable firewire and thunderbolt modules:

echo "blacklist firewire-core" >> /etc/modprobe.d/firewire.conf
echo "blacklist thunderbolt" >> /etc/modprobe.d/thunderbolt.conf

Once done, users can not quickly copy sensitive data to USB devices or install malware/viruses or backdoor on your Linux based system.

  • 28. Use fail2ban/denyhost/portsentry for IDS
Back to top