Linux Server Hardening

  • 1. Encrypt Data Communication for Linux Server
      • All data transmitted over a network is open to monitoring. Encrypt transmitted data whenever possible, using a password or keys / certificates.
      • GnuPG lets you encrypt and sign your data and communications; it features a versatile key management system as well as access modules for all kinds of public key directories.
      • SSH / RSYNC / SFTP for file transfer
      • SSL whenever possible

  • 2. Avoid Using FTP, Telnet, and Rlogin / Rsh Services
      • Commands and transferred files can be captured by anyone on the same network using a packet sniffer.
      • Use OpenSSH, SFTP, or FTPS (FTP over SSL) instead.

  • 3. Minimize Software to Minimize Vulnerability
      • List what is installed and remove every package the server's role does not require; each unused package is attack surface that still has to be patched.

yum list installed
yum list packageName

or

dpkg --list
dpkg --info packageName
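An added example (not from the original page) that ties items 2 and 3 together: it reads package-manager output in `dpkg --list` format and reports any installed package that provides one of the cleartext services the checklist says to avoid. The package listing embedded below is constructed sample output, not taken from a real host; on a real server you would pipe `dpkg --list` into the function instead. The package names in UNWANTED are an assumed starting list to extend for your own baseline.

```shell
#!/bin/sh
# Audit a dpkg-style package list for cleartext-protocol services.
# Constructed sample of `dpkg --list` output; replace with real output on a host.
SAMPLE_DPKG_LIST='Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name           Version        Architecture Description
+++-==============-==============-============-=================================
ii  openssh-server 1:9.2p1-2      amd64        secure shell (SSH) server
ii  telnetd        0.17-45        amd64        telnet server
ii  rsh-client:amd64 0.17-24      amd64        rsh clients
rc  vsftpd         3.0.3-13       amd64        lightweight FTP server
ii  rsync          3.2.7-1        amd64        fast remote file copy program'

# Assumed list of packages that provide the services items 2 of the checklist warns about.
UNWANTED="telnetd telnet rsh-client rsh-server rlogin vsftpd proftpd ftp"

# find_unwanted: read `dpkg --list` output on stdin and print, one per line,
# the names of packages that are currently installed (status "ii") and appear
# in UNWANTED. Packages with status "rc" (removed, config files remain) are
# not reported, because they are no longer installed. A ":arch" suffix on the
# package name is stripped before matching.
find_unwanted() {
    awk -v list="$UNWANTED" '
        BEGIN { n = split(list, arr, " "); for (i = 1; i <= n; i++) bad[arr[i]] = 1 }
        $1 == "ii" { name = $2; sub(/:.*/, "", name); if (name in bad) print name }
    '
}

# Usage on a real host:   dpkg --list | find_unwanted
# With the constructed sample, prints:
#   telnetd
#   rsh-client
printf '%s\n' "$SAMPLE_DPKG_LIST" | find_unwanted
```

Anything the function prints is a candidate for `apt purge` (or `yum remove`) after confirming nothing on the host depends on it; the "rc" entry for vsftpd shows why matching on the status column matters, since a package that has been removed but left its configuration behind should not be flagged as a running risk.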

  • 4. One Network Service Per System, VM or Container

Run each exposed service isolated in its own VM or container (Docker, LXC), so that a compromise of one service does not give direct access to the others.

  • 5. Keep Linux Kernel and Software Up to Date
yum update

or

apt update && apt upgrade

  • 6. Use Linux Security Extensions

Use SELinux, AppArmor, or grsecurity when possible.

Feature                             | SELinux                                               | AppArmor                                                              | grsecurity
------------------------------------|-------------------------------------------------------|-----------------------------------------------------------------------|-------------------------------
Automated                           | No (audit2allow and system-config-selinux)            | Yes (Yast wizard)                                                     | Yes (auto training / gradm)
Powerful policy setup               | Yes (very complex)                                    | Yes                                                                   | Yes
Default and recommended integration | CentOS / RedHat / Debian                              | Suse / OpenSuse / Ubuntu based                                        | Any Linux distribution
Training and vendor support         | Yes (Redhat)                                          | Yes (Novell)                                                          | No (community forum and lists)
Recommended for                     | Advanced user                                         | New / advanced user                                                   | New users
Feature                             | Attaches labels to all files, processes and objects   | Pathname based system; does not require labeling or relabeling the filesystem | ACLs

  • 7. SELinux
  • 8. Linux User Accounts and Strong Password Policy
  • 9. Set Up Password Aging for Better Security
  • 10. Restrict Use of Previous Passwords
  • 11. Lock User Accounts After Login Failures
  • 12. Verify No Accounts Have Empty Passwords
  • 13. Ensure No Non-Root Accounts Have UID Set to 0
  • 14. Disable Root Login
  • 15. Physical Server Security
  • 16. Disable Unwanted Linux Services
  • 17. Find Listening Network Ports
  • 18. Delete X Window Systems (X11)
  • 19. Configure Iptables and TCPWrappers Based Firewall
  • 20. Harden Linux Kernel with /etc/sysctl.conf
  • 21. Separate Disk Partitions for Linux System
  • 22. Implement Disk Quotas
  • 23. Disable IPv6 if Not Using It
  • 24. Disable Unwanted SUID and SGID Binaries
  • 25. Check for World-Writable Files
  • 26. Remove No-owner Files
  • 27. Use Centralized Authentication Service
  • 28. Implement Kerberos for Authentication
  • 29. Configure Logging and Auditing
  • 30. Monitor Suspicious Logs with Logwatch / Logcheck
  • 31. Use System Accounting with auditd
  • 32. Secure OpenSSH Server
  • 33. Install and Use Intrusion Detection Systems (IDS)
  • 34. Disable USB/Firewire/Thunderbolt Devices
  • 35. Disable Unused Services
  • 36. Use fail2ban/denyhost for IDS
  • 37. Secure Apache/PHP/Nginx Server
  • 38. Protect Files, Directories, and Email
  • 39. Perform Regular Backups
  • 40. Additional Recommendations and Conclusion