# Linux Server Hardening Checklist # Checklist : - [ ] 1. Encrypt Data Communication for Linux Server - All data transmitted over a network is open to monitoring. Encrypt transmitted data whenever possible with password or using keys / certificates. - GnuPG allows to encrypt and sign your data and communication, features a versatile key management system as well as access modules for all kind of public key directories. - SSH / RSYNC / SFTP for file transfer - SSL whenever it's possible ---- - [ ] 2. Avoid Using FTP, Telnet, and Rlogin / Rsh Services - Commands and transferred files can be captured by anyone on the same network using a packet sniffer. - Use instead OpenSSH , SFTP, or FTPS (FTP over SSL) ---- - [ ] 3. Minimize Software to Minimize Vulnerability ```bash yum list installed yum list packageName ``` or ```bash dpkg --list dpkg --info packageName ``` ---- - [ ] 4. One Network Service Per System, VM or Container Run each exposed service isolated via VM, Docker, LXC.. ---- - [ ] 5. Keep Linux Kernel and Software Up to Date ```bash yum update ``` or ```bash apt update && apt upgrade ``` ---- - [ ] 6. Use Linux Security Extensions Use SELinux, Apparmor, Grsecurity when possible. | Feature | SELinux | AppArmor | grsecurity | |--------------------------------------|------------------------------------------------------------|-----------------------------------|------------------------------------------------| | Automated | No (audit2allow and system-config-selinux) | Yes (Yast wizard) | Yes (auto training / gradm) | | Powerful policy setup | Yes (very complex) | Yes | Yes | | Default and recommended integration | CentOS / RedHat / Debian | Suse / OpenSuse / Ubuntu based | Any Linux distribution | | Training and vendor support | Yes (Redhat) | Yes (Novell) | No (community forum and lists) | | Recommend for | Advanced user | New / advanced user | New users | | Feature | Attaches labels to all files, processes and objects | Pathname based system does not require labeling or relabeling filesystem | ACLs | ---- - [ ] 7. Linux User Accounts must respect a strong password policy - Lockout/Error after X retry ```bash passwd -l username ``` - Minimum length - Force to change similar characters - Force no null passwords - Setup password aging For ex, you can directly edit the /etc/shadow file : ```bash {userName}:{password}:{lastpasswdchanged}:{Minimum_days}:{Maximum_days}:{Warn}:{Inactive}:{Expire}: ``` Where, - Minimum_days: The minimum number of days required between password changes. - Maximum_days: The maximum number of days the password is valid (after that user is forced to change his/her password). - Warn : The number of days before password is to expire that user is warned that his/her password must be changed. - Expire : Absolute date specifying when the login may no longer be used. ---- - [ ] 8. Ensure No Non-Root Accounts Have UID Set to 0 Only root account have UID 0 with full permissions to access the system. Check with : ```bash awk -F: '($3 == "0") {print}' /etc/passwd ``` ---- - [ ] 9. Disable Root Login Never ever login as root user. You should use sudo to execute root level commands as and when required. ---- - [ ] 10. Physical Server Security - BIOS & Grub password w or w/o MFA ---- - [ ] 11. Disable Unwanted Linux Services Check with : ```bash systemctl list-unit-files ``` This command will list all services installed/deployed. Print a list of services that lists which runlevels each is configured on or off ```bash systemctl list-unit-files --type=service systemctl list-dependencies graphical.target ``` ---- - [ ] 12. Find Listening Network Ports ```bash ss -tulpn netstat -plntu ``` ---- - [ ] 13. Delete X Window Systems (X11) X Window systems on server is not required. ```bash yum groupremove "X Window System" yum group remove "$DE_NAME Desktop" ``` ---- - [ ] 14. Configure Iptable Firewall ---- - [ ] 15. Harden Linux Kernel with /etc/sysctl.conf */etc/sysctl.conf* file is used to configure kernel parameters at runtime. Linux reads and applies settings from */etc/sysctl.conf* at boot time. ---- - [ ] 16. Separate Disk Partitions for Linux System | Partition | Purpose | |-----------|----------------------------------------------------------------------------------------------| | /usr | This is where most executable binaries, the kernel source tree and much documentation go. | | /var | This is where spool directories such as those for mail and printing go. It also contains the error log directory. | | /tmp | This is where most temporary data files are stored by apps. | | /boot | This is where your kernel images and boot loader configuration go. | | /home | This is where users' home directories go. | If the partitions are in one, a script like this one : ```bash #!/bin/sh man bash > $(mktemp) $0 ``` runned with cron or nohup can crash your entire system. A good way of hardening could be , depending on your IS, to add the following option to /etc/fstab file: - nosuid – Do not set SUID/SGID access on this partition - nodev – Do not character or special devices on this partition - noexec – Do not set execution of any binaries on this partition - ro – Mount file system as readonly - quota – Enable disk quota Above options can be set only, if you have a separate partition. Make sure you create a partition as above with special option set on each partition: - /home – Set option nosuid, and nodev with diskquota option - /usr – Set option nodev - /tmp – Set option nodev, nosuid, noexec option must be enabled --- - [ ] 17. Disable IPv6 if Not Using It --- - [ ] 18. Disable Unwanted SUID and SGID Binaries All SUID/SGID bits enabled file can be misused : [https://gtfobins.github.io/](https://gtfobins.github.io/) --- - [ ] 19. Check for World-Writable Files *If you find a script that is owned by root but is writable by anyone you can add your own malicious code in that script that will escalate your privileges when the script is run as root* ```bash # World writable files directories find / -writable -type d 2>/dev/null find / -perm -222 -type d 2>/dev/null find / -perm -o w -type d 2>/dev/null # World executable folder find / -perm -o x -type d 2>/dev/null # World writable and executable folders find / \( -perm -o w -perm -o x \) -type d 2>/dev/null ``` --- - [ ] 20. Remove Noowner Files Files not owned by any user or group can pose a security problem. Just find them with the following command : ```bash find /dir -xdev \( -nouser -o -nogroup \) -print ``` --- - [ ] 21. Use Centralized Authentication Service IAM / LDAP / SSO .... --- - [ ] 22. Implement Kerberos for Authentication Use Kerberos if available : [https://docs.redhat.com/en/documentation/red_hat_ansible_automation_platform/2.4/html/automation_controller_administration_guide/assembly-controller-kerberos-authentication](https://docs.redhat.com/en/documentation/red_hat_ansible_automation_platform/2.4/html/automation_controller_administration_guide/assembly-controller-kerberos-authentication) --- - [ ] 22. Configure Logging and Auditing --- - [ ] 23. Monitor Suspicious Logs with Logwatch / Logcheck Read your logs using logwatch command (logcheck). You get detailed reporting on unusual items in syslog via email. --- - [ ] 24. Use System Accounting with auditd --- - [ ] 25. Secure OpenSSH Server --- - [ ] 26. Install and Use Intrusion Detection Systems (IDS) - Install a NIDS - Use AIDE, a HIDS - rkhunter to detect rootkit --- - [ ] 27. Disable USB/Firewire/Thunderbolt Devices Type the following command to disable USB devices on Linux system: ```bash echo 'install usb-storage /bin/true' >> /etc/modprobe.d/disable-usb-storage.conf ``` You can use same method to disable firewire and thunderbolt modules: ```bash echo "blacklist firewire-core" >> /etc/modprobe.d/firewire.conf echo "blacklist thunderbolt" >> /etc/modprobe.d/thunderbolt.conf ``` Once done, users can not quickly copy sensitive data to USB devices or install malware/viruses or backdoor on your Linux based system. --- - [ ] 28. Use fail2ban/denyhost/portsentry for IDS ---