Linux Server Hardening
1. Encrypt Data Communication for Linux Server
All data transmitted over a network is open to monitoring.
Encrypt transmitted data whenever possible, either with a password or with keys / certificates.
- GnuPG lets you encrypt and sign your data and communication, and provides a versatile key management system as well as access modules for all kinds of public key directories.
- SSH / RSYNC / SFTP for file transfer
- SSL/TLS wherever possible
2. Avoid Using FTP, Telnet, and Rlogin / Rsh Services
- Commands and transferred files can be captured by anyone on the same network using a packet sniffer.
- Use OpenSSH, SFTP, or FTPS (FTP over SSL) instead.
3. Minimize Software to Minimize Vulnerability
yum list installed
yum list packageName
or
dpkg --list
dpkg --info packageName
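The listing commands above are the starting point for an inventory; the added script below (not part of the original checklist) goes one step further and turns the inventory into a check. It detects whether the host uses rpm/yum or dpkg, lists installed package names, and flags any that belong to the services item 2 says to avoid (telnet, rsh/rlogin, plain FTP daemons). The package names in UNWANTED and the function names are assumptions for this example; distributions name these packages differently, so adjust the list for your platform.

```shell
#!/bin/sh
# Added example, not from the original checklist: inventory installed packages
# and flag the ones that provide services the checklist says to avoid.
# Runs as an unprivileged user and needs only the system's package database.

# Print which package database is available on this host: "rpm", "dpkg" or "none".
detect_pkg_manager() {
    if command -v rpm >/dev/null 2>&1; then
        echo rpm
    elif command -v dpkg-query >/dev/null 2>&1; then
        echo dpkg
    else
        echo none
    fi
}

# Print one installed package name per line using whichever backend is present
# (the same data 'yum list installed' / 'dpkg --list' show, in a script-friendly form).
list_installed() {
    case "$(detect_pkg_manager)" in
        rpm)  rpm -qa --qf '%{NAME}\n' ;;
        dpkg) dpkg-query -W -f='${Package}\n' ;;
        none) return 1 ;;
    esac
}

# Assumed package names for the services to avoid (telnet, rsh/rlogin, plain FTP).
# Extend this list for your distribution.
UNWANTED="telnet telnet-server rsh rsh-server rsh-client vsftpd proftpd"

# Read package names on stdin and print those found in UNWANTED, sorted and unique.
# Kept separate from list_installed so it can be run on any package list.
flag_unwanted() {
    while read -r pkg; do
        for bad in $UNWANTED; do
            [ "$pkg" = "$bad" ] && echo "$pkg"
        done
    done | sort -u
}

# Audit this host. Exit status: 0 clean, 1 unwanted packages present,
# 2 no supported package database, so it can be used in a compliance script.
audit_host() {
    if [ "$(detect_pkg_manager)" = none ]; then
        echo "no supported package database found" >&2
        return 2
    fi
    found=$(list_installed | flag_unwanted)
    if [ -n "$found" ]; then
        printf 'unwanted packages installed:\n%s\n' "$found"
        return 1
    fi
    echo "no unwanted packages found"
    return 0
}

# Usage: sh audit-packages.sh --audit
if [ "${1:-}" = "--audit" ]; then
    audit_host
fi
```

The flagging step reads from stdin rather than calling the package manager directly, so the same logic can be applied to a package list captured from another host or from a container image before it is deployed.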
4. One Network Service Per System, VM or Container
Run each exposed service in isolation, in its own VM or container (Docker, LXC, etc.).
5. Keep Linux Kernel and Software Up to Date
6. Use Linux Security Extensions
7. SELinux
8. Linux User Accounts and Strong Password Policy
9. Set Up Password Aging for Better Security
10. Restrict Use of Previous Passwords
11. Lock User Accounts After Login Failures
12. Verify No Accounts Have Empty Passwords
13. Ensure No Non-Root Accounts Have UID Set to 0
14. Disable Root Login
15. Physical Server Security
16. Disable Unwanted Linux Services
17. Find Listening Network Ports
18. Delete X Window System (X11)
20. Harden Linux Kernel with /etc/sysctl.conf
21. Separate Disk Partitions for Linux System
22. Implement Disk Quotas
23. Disable IPv6 if Not Using It
24. Disable Unwanted SUID and SGID Binaries
25. Check for World-Writable Files
26. Remove Files With No Owner
27. Use Centralized Authentication Service
28. Implement Kerberos for Authentication
30. Monitor Suspicious Logs with Logwatch / Logcheck
31. Use System Accounting with auditd
32. Secure OpenSSH Server
33. Install and Use Intrusion Detection Systems (IDS)
34. Disable USB/Firewire/Thunderbolt Devices
35. Disable Unused Services
36. Use fail2ban/DenyHosts for IDS
37. Secure Apache/PHP/Nginx Server
38. Protect Files, Directories, and Email
40. Additional Recommendations and Conclusion