Linux Server Hardening

  • 1. Encrypt Data Communication for Linux Server

    All data transmitted over a network is open to monitoring. Encrypt transmitted data whenever possible, using passwords or keys / certificates.

    • GnuPG lets you encrypt and sign your data and communication; it features a versatile key management system as well as access modules for all kinds of public key directories.
    • SSH / RSYNC / SFTP for file transfer
    • SSL whenever possible


  • 2. Avoid Using FTP, Telnet, and Rlogin / Rsh Services

    • These protocols send everything in cleartext: commands and transferred files can be captured by anyone on the same network using a packet sniffer.
    • Use OpenSSH, SFTP, or FTPS (FTP over SSL) instead.


  • 3. Minimize Software to Minimize Vulnerability

    List what is installed and remove any package the server does not need:

    yum list installed
    yum list packageName

    or

    dpkg --list
    dpkg --info packageName


  • 4. One Network Service Per System, VM or Container

    Run each exposed service in its own isolated VM or container (Docker, LXC, etc.).


  • 5. Keep Linux Kernel and Software Up to Date
  • 6. Use Linux Security Extensions
  • 7. SELinux
  • 8. Linux User Accounts and Strong Password Policy
  • 9. Set Up Password Aging for Better Security
  • 10. Restrict Use of Previous Passwords
  • 11. Lock User Accounts After Login Failures
  • 12. Verify No Accounts Have Empty Passwords
  • 13. Ensure No Non-Root Accounts Have UID Set to 0
  • 14. Disable Root Login
  • 15. Physical Server Security
  • 16. Disable Unwanted Linux Services
  • 17. Find Listening Network Ports
  • 18. Delete X Window Systems (X11)
  • 19. Configure Iptables and TCPWrappers Based Firewall
  • 20. Harden Linux Kernel with /etc/sysctl.conf
  • 21. Separate Disk Partitions for Linux System

  •  22. Implement Disk Quotas
  •  23. Disable IPv6 if Not Using It
  •  24. Disable Unwanted SUID and SGID Binaries
  •  25. Check for World-Writable Files
  •  26. Remove Noowner Files
  •  27. Use Centralized Authentication Service
  •  28. Implement Kerberos for Authentication
  •  29. Configure Logging and Auditing
  •  30. Monitor Suspicious Logs with Logwatch / Logcheck
  •  31. Use System Accounting with auditd
  •  32. Secure OpenSSH Server
  •  33. Install and Use Intrusion Detection Systems (IDS)
  •  34. Disable USB/Firewire/Thunderbolt Devices
  •  35. Disable Unused Services
  •  36. Use fail2ban/denyhost for IDS
  •  37. Secure Apache/PHP/Nginx Server
  •  38. Protect Files, Directories, and Email
  •  39. Perform Regular Backups
  •  40. Additional Recommendations and Conclusion