Linux Server Hardening Checklist
Checklist :
- 1. Encrypt Data Communication for Linux Server
- All data transmitted over a network is open to monitoring. Encrypt transmitted data whenever possible with password or using keys / certificates.
- GnuPG allows to encrypt and sign your data and communication, features a versatile key management system as well as access modules for all kind of public key directories.
- SSH / RSYNC / SFTP for file transfer
- SSL whenever it's possible
- 2. Avoid Using FTP, Telnet, and Rlogin / Rsh Services
- Commands and transferred files can be captured by anyone on the same network using a packet sniffer.
- Use instead OpenSSH , SFTP, or FTPS (FTP over SSL)
- 3. Minimize Software to Minimize Vulnerability
yum list installed
yum list packageName
or
dpkg --list
dpkg --info packageName
- 4. One Network Service Per System, VM or Container
Run each exposed service isolated via VM, Docker, LXC..
- 5. Keep Linux Kernel and Software Up to Date
yum update
or
apt update && apt upgrade
- 6. Use Linux Security Extensions
Use SELinux, Apparmor, Grsecurity when possible.
| Feature | SELinux | AppArmor | grsecurity |
|---|---|---|---|
| Automated | No (audit2allow and system-config-selinux) | Yes (Yast wizard) | Yes (auto training / gradm) |
| Powerful policy setup | Yes (very complex) | Yes | Yes |
| Default and recommended integration | CentOS / RedHat / Debian | Suse / OpenSuse / Ubuntu based | Any Linux distribution |
| Training and vendor support | Yes (Redhat) | Yes (Novell) | No (community forum and lists) |
| Recommend for | Advanced user | New / advanced user | New users |
| Feature | Attaches labels to all files, processes and objects | Pathname based system does not require labeling or relabeling filesystem | ACLs |
7. Linux User Accounts must respect a strong password policy
-
Lockout/Error after X retry
passwd -l username
- Minimum length
- Force to change similar characters
- Force no null passwords
- Setup password aging For ex, you can directly edit the /etc/shadow file :
{userName}:{password}:{lastpasswdchanged}:{Minimum_days}:{Maximum_days}:{Warn}:{Inactive}:{Expire}:
Where,
- Minimum_days: The minimum number of days required between password changes.
- Maximum_days: The maximum number of days the password is valid (after that user is forced to change his/her password).
- Warn : The number of days before password is to expire that user is warned that his/her password must be changed.
- Expire : Absolute date specifying when the login may no longer be used.
- 8. Ensure No Non-Root Accounts Have UID Set to 0 Only root account have UID 0 with full permissions to access the system. Check with :
awk -F: '($3 == "0") {print}' /etc/passwd
- 9. Disable Root Login Never ever login as root user. You should use sudo to execute root level commands as and when required.
- 10. Physical Server Security
- BIOS & Grub password w or w/o MFA
- 11. Disable Unwanted Linux Services
Check with :
systemctl list-unit-files
This command will list all services installed/deployed.
Print a list of services that lists which runlevels each is configured on or off
systemctl list-unit-files --type=service
systemctl list-dependencies graphical.target
- 12. Find Listening Network Ports
ss -tulpn
netstat -plntu
- 13. Delete X Window Systems (X11) X Window systems on server is not required.
yum groupremove "X Window System"
yum group remove "$DE_NAME Desktop"
- 14. Configure Iptable Firewall
- 15. Harden Linux Kernel with /etc/sysctl.conf
/etc/sysctl.conf file is used to configure kernel parameters at runtime. Linux reads and applies settings from /etc/sysctl.conf at boot time.
- 16. Separate Disk Partitions for Linux System
| Partition | Purpose |
|---|---|
| /usr | This is where most executable binaries, the kernel source tree and much documentation go. |
| /var | This is where spool directories such as those for mail and printing go. It also contains the error log directory. |
| /tmp | This is where most temporary data files are stored by apps. |
| /boot | This is where your kernel images and boot loader configuration go. |
| /home | This is where users' home directories go. |
If the partitions are in one, a script like this one :
#!/bin/sh
man bash > $(mktemp)
$0
runned with cron or nohup can crash your entire system.
A good way of hardening could be , depending on your IS, to add the following option to /etc/fstab file:
- nosuid – Do not set SUID/SGID access on this partition
- nodev – Do not character or special devices on this partition
- noexec – Do not set execution of any binaries on this partition
- ro – Mount file system as readonly
- quota – Enable disk quota
Above options can be set only, if you have a separate partition.
Make sure you create a partition as above with special option set on each partition:
- /home – Set option nosuid, and nodev with diskquota option
- /usr – Set option nodev
- /tmp – Set option nodev, nosuid, noexec option must be enabled
- 17. Disable IPv6 if Not Using It
- 18. Disable Unwanted SUID and SGID Binaries
All SUID/SGID bits enabled file can be misused : https://gtfobins.github.io/
- 19. Check for World-Writable Files
If you find a script that is owned by root but is writable by anyone you can add your own malicious code in that script that will escalate your privileges when the script is run as root
# World writable files directories
find / -writable -type d 2>/dev/null
find / -perm -222 -type d 2>/dev/null
find / -perm -o w -type d 2>/dev/null
# World executable folder
find / -perm -o x -type d 2>/dev/null
# World writable and executable folders
find / \( -perm -o w -perm -o x \) -type d 2>/dev/null
- 20. Remove Noowner Files
Files not owned by any user or group can pose a security problem. Just find them with the following command :
find /dir -xdev \( -nouser -o -nogroup \) -print
- 21. Use Centralized Authentication Service
IAM / LDAP / SSO ....
- 22. Implement Kerberos for Authentication
Use Kerberos if available : https://docs.redhat.com/en/documentation/red_hat_ansible_automation_platform/2.4/html/automation_controller_administration_guide/assembly-controller-kerberos-authentication
- 22. Configure Logging and Auditing
- 23. Monitor Suspicious Logs with Logwatch / Logcheck
Read your logs using logwatch command (logcheck). You get detailed reporting on unusual items in syslog via email.
- 24. Use System Accounting with auditd
- 25. Secure OpenSSH Server
26. Install and Use Intrusion Detection Systems (IDS)
-
Install a NIDS
-
Use AIDE, a HIDS
-
rkhunter to detect rootkit
- 27. Disable USB/Firewire/Thunderbolt Devices
Type the following command to disable USB devices on Linux system:
echo 'install usb-storage /bin/true' >> /etc/modprobe.d/disable-usb-storage.conf
You can use same method to disable firewire and thunderbolt modules:
echo "blacklist firewire-core" >> /etc/modprobe.d/firewire.conf
echo "blacklist thunderbolt" >> /etc/modprobe.d/thunderbolt.conf
Once done, users can not quickly copy sensitive data to USB devices or install malware/viruses or backdoor on your Linux based system.
- 28. Use fail2ban/denyhost/portsentry for IDS