
Linux Server Hardening

1. Encrypt Data Communication for Linux Server

   • All data transmitted over a network is open to monitoring. Encrypt transmitted data whenever possible, with a password or with keys / certificates.

     • GnuPG lets you encrypt and sign your data and communications; it includes a versatile key management system as well as access modules for all kinds of public key directories.

     • SSH / RSYNC / SFTP for file transfer

     • SSL/TLS whenever possible

2. Avoid Using FTP, Telnet, and Rlogin / Rsh Services

   • Commands and transferred files can be captured by anyone on the same network using a packet sniffer.
   • Use OpenSSH, SFTP, or FTPS (FTP over SSL) instead.

3. Minimize Software to Minimize Vulnerability

   List the installed packages and remove those the server does not need:

       yum list installed
       yum list packageName

   or

       dpkg --list
       dpkg --status packageName
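The following POSIX shell script is an added example, not part of the original checklist. It applies items 2 and 3 together: it lists the installed packages with whichever package manager is present (dpkg-query on Debian/Ubuntu, rpm on RHEL/CentOS) and flags the ones that provide the cleartext services item 2 warns about, so they can be reviewed and removed. The deny list in `CLEARTEXT_PKGS` is an assumption of this example; extend it to match your own policy.

```shell
#!/bin/sh
# Added example: audit installed packages for cleartext network services.
# CLEARTEXT_PKGS is an assumed deny list (telnet, rsh, ftp, tftp families);
# adjust it to your distribution's package names and your policy.
CLEARTEXT_PKGS="telnet telnetd telnet-server rsh-client rsh-server rsh vsftpd proftpd pure-ftpd ftp tftp tftpd"

# list_installed: print one installed package name per line using the
# package manager that is available. Returns 1 if neither is found.
list_installed() {
    if command -v dpkg-query >/dev/null 2>&1; then
        dpkg-query -W -f='${Package}\n'
    elif command -v rpm >/dev/null 2>&1; then
        rpm -qa --qf '%{NAME}\n'
    else
        return 1
    fi
}

# flag_cleartext_pkgs: read package names on stdin, print those that are on
# the deny list (one per line). Pure text processing, so it is testable
# with a constructed package list and needs no package manager.
flag_cleartext_pkgs() {
    while IFS= read -r pkg; do
        [ -z "$pkg" ] && continue
        for bad in $CLEARTEXT_PKGS; do
            if [ "$pkg" = "$bad" ]; then
                printf '%s\n' "$pkg"
                break
            fi
        done
    done
}

# audit_installed: run the live check on this host. Exit status 0 means
# nothing was found, 2 means cleartext-service packages are installed,
# 1 means no supported package manager was detected.
audit_installed() {
    if ! command -v dpkg-query >/dev/null 2>&1 && ! command -v rpm >/dev/null 2>&1; then
        echo "audit_installed: no supported package manager found" >&2
        return 1
    fi
    found=$(list_installed | flag_cleartext_pkgs)
    if [ -n "$found" ]; then
        printf 'Cleartext-service packages installed (review and remove):\n%s\n' "$found"
        return 2
    fi
    printf 'No cleartext-service packages found.\n'
    return 0
}

# Only touch the live system when explicitly asked, so the functions can be
# sourced (for example in a test) without side effects.
if [ "${1:-}" = "--live" ]; then
    audit_installed
fi
```

Run it as `sh audit-cleartext.sh --live` on the host being hardened; a non-zero exit status makes it easy to wire into a configuration check or a CI job for golden images.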

4. One Network Service Per System, VM or Container

   Run each exposed service in isolation, in its own VM or container (Docker, LXC, etc.).

5. Keep Linux Kernel and Software Up to Date

6. Use Linux Security Extensions

7. SELinux

8. Linux User Accounts and Strong Password Policy

9. Set Up Password Aging for Better Security

10. Restrict Use of Previous Passwords

11. Lock User Accounts After Login Failures

12. Verify No Accounts Have Empty Passwords

13. Ensure No Non-Root Accounts Have UID Set to 0

14. Disable Root Login

15. Physical Server Security

16. Disable Unwanted Linux Services

17. Find Listening Network Ports

18. Delete X Window Systems (X11)

19. Configure Iptables and TCPWrappers Based Firewall

20. Harden Linux Kernel with /etc/sysctl.conf

21. Separate Disk Partitions for Linux System

22. Implement Disk Quotas

23. Disable IPv6 if Not Using It

24. Disable Unwanted SUID and SGID Binaries

25. Check for World-Writable Files

26. Remove Noowner Files

27. Use Centralized Authentication Service

28. Implement Kerberos for Authentication

29. Configure Logging and Auditing

30. Monitor Suspicious Logs with Logwatch / Logcheck

31. Use System Accounting with auditd

32. Secure OpenSSH Server

33. Install and Use Intrusion Detection Systems (IDS)

34. Disable USB/Firewire/Thunderbolt Devices

35. Disable Unused Services

36. Use fail2ban/denyhost for IDS

37. Secure Apache/PHP/Nginx Server

38. Protect Files, Directories, and Email

39. Perform Regular Backups

40. Additional Recommendations and Conclusion