Linux Hardening

The document outlines a comprehensive 15-step guide for hardening Linux servers to enhance security, emphasizing the importance of proper configurations and practices. Key steps include documenting host information, enabling BIOS protection, implementing disk encryption, managing password policies, and securing SSH access. The article serves as a foundational resource for IT professionals looking to improve the security of their Linux environments.

Uploaded by

workcall911


Linux Server Hardening in 15 Steps


By Gus Khawaja

Updated on November 21, 2022

Most people assume that Linux is already secure, but imagine that your laptop is stolen
without first having been hardened. A thief could easily use the default user and password on
Kali to breach your device.

I’ll share all of the necessary steps to make your Linux host secure, including how I use
penetration testing and Kali Linux (https://www.pluralsight.com/courses/penetration-
testing-automation-using-python-kali-linux) to get the job done. It’s important to know
that there are so many Linux distributions
(https://en.wikipedia.org/wiki/List_of_Linux_distributions) (AKA distros) and each one will
differ from the command line perspective, but the logic is the same. Use the following tips to
harden your own Linux box.

Secure your Linux Distro in 15 Steps


1. Document the host information

2. BIOS protection

3. Hard disk encryption

4. Disk partitioning

5. Lock the boot directory

6. Disable USB usage

7. Update your system

8. Check the installed packages


9. Check for open ports
10. Secure SSH

11. Enable SELinux

12. Set network parameters

13. Manage password policies

14. Permissions and verifications

15. Additional distro process hardening

1. Document Linux host information


Each time you work on a new Linux hardening job, you need to create a new document that
has all the checklist items listed in this post, and you need to check off every item you applied
on the system. Furthermore, on the top of the document, you need to include the Linux host
information:

Machine name

IP address

Mac address

Name of the person who is doing the hardening (most likely you)

Date

Asset number (if you’re working for a company, include the asset number that your company
uses for tagging hosts)

2. BIOS protection
You need to protect the BIOS (http://www.linfo.org/bios.html) of the host with a password
so the end user cannot change or override the security settings in the BIOS; it’s important to
keep this area protected from any changes. Each computer manufacturer uses a different key to
enter the BIOS setup; once inside, it’s a matter of finding the screen where you set the
administrative password.
Next, you need to disable booting from external media (USB/CD/DVD). If you leave this setting
unchanged, anyone with a USB stick that contains a bootable OS can boot the machine and read
your OS data from the disk.

Recent server motherboards include a built-in web server for remote management. Make sure to
change the default password of its admin page, or disable it if possible.

3. Hard disk encryption (confidentiality)


Most of the Linux distributions will allow you to encrypt your disks before installation. Disk
encryption is important in case of theft because the person who stole your computer won’t be
able to read your data if they connect the hard disk to their machine.

In the image below, choose the third option from the list: “Guided - use entire disk and set up
encrypted LVM” (https://wiki.ubuntu.com/Lvm) (logical volume manager).
4. Disk partitioning (availability)

Backups have many advantages in case of a damaged system or a buggy OS update. For
important servers, the backup needs to be transferred offsite in case of a disaster. Backups
also need to be managed: for example, how long will you keep old backups? How often do you
need to back up your system (every day, every week, …)?

Critical systems should be separated into different partitions for:

/boot

/usr

/home

/tmp

/var

/opt

Partitioning disks gives you both performance and security benefits in case of a system
error. In the picture below, you can see how to separate partitions in Kali Linux during the
installation.

5. Lock the boot directory


The boot directory contains important files related to the Linux kernel, so you need to make
sure that this directory is locked down to read-only permissions by following these simple
steps. First, open the “fstab” file.

Then, add the last line, highlighted at the bottom.

When you finish editing the file, you need to set the owner by executing the following
command:

#chown root:root /etc/fstab
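The fstab line shown in the screenshot is not reproduced in this text copy, so here is an added check (example code, not from the original article) that reads an fstab file and reports whether its /boot entry carries the ro mount option, which is what the read-only lock amounts to. The sample fstab is constructed for the example; the same function also runs against the live /etc/fstab.

```shell
#!/bin/sh
# Added example: report whether /boot is mounted read-only in an fstab file.
# fstab_boot_ro FILE -> prints "ro" (locked down), "rw" (mounted writable)
# or "missing" (no separate /boot entry, so it lives on the root filesystem).
fstab_boot_ro() {
    awk '
        /^[ \t]*#/ || NF < 4 { next }               # skip comments and incomplete lines
        $2 == "/boot" {
            found = 1
            n = split($4, opts, ",")                # 4th column is the mount option list
            for (i = 1; i <= n; i++)
                if (opts[i] == "ro") { print "ro"; exit }
            print "rw"; exit
        }
        END { if (!found) print "missing" }
    ' "$1"
}

# Constructed sample fstab (not from a real host) with /boot on its own
# partition, mounted with the "ro" option the checklist asks for.
SAMPLE_FSTAB="$(mktemp)"
cat > "$SAMPLE_FSTAB" <<'EOF'
# <file system>  <mount point>  <type>  <options>        <dump> <pass>
UUID=1111-2222   /              ext4    defaults         0      1
UUID=3333-4444   /boot          ext4    defaults,ro      0      2
tmpfs            /tmp           tmpfs   defaults,nosuid  0      0
EOF

echo "sample fstab: /boot is $(fstab_boot_ro "$SAMPLE_FSTAB")"

# Audit the running system when the file is readable.
if [ -r /etc/fstab ]; then
    echo "/etc/fstab: /boot is $(fstab_boot_ro /etc/fstab)"
fi
```

A read-only /boot must be remounted writable (mount -o remount,rw /boot) before a kernel or bootloader update and remounted read-only afterwards; otherwise the package manager fails when it writes the new kernel.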

Permissions for secure boot settings


Next, I set a few permissions to secure the boot settings:

Set the owner and group of /etc/grub.conf to the root user:

#chown root:root /etc/grub.conf

Set permission on the /etc/grub.conf file to read and write for root only:

#chmod og-rwx /etc/grub.conf

Require authentication for single-user mode:

#sed -i "/SINGLE/s/sushell/sulogin/" /etc/sysconfig/init


#sed -i "/PROMPT/s/yes/no/" /etc/sysconfig/init

6. Disable USB usage


Depending on how critical your system is, sometimes it’s necessary to disable the USB sticks
usage on the Linux host. There are multiple ways to deny the usage of USB storage; here’s a
popular one:

Open the “blacklist.conf” file using your favorite text editor:

#nano /etc/modprobe.d/blacklist.conf

When the file opens, add the following line at the end of the file, then save and close:

blacklist usb_storage

After this, open the rc.local file:

#nano /etc/rc.local

Finally, add the following two lines:

modprobe -r usb_storage
exit 0
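A blacklist entry only stops the kernel from loading usb_storage automatically when a device is plugged in; it does not stop anyone with root from running modprobe usb_storage by hand. An install line (install usb_storage /bin/false) closes that gap, because modprobe then runs /bin/false instead of loading the module. The following added example (not from the original article) inspects a modprobe.d directory and reports which of the two protections is in place, and whether the module is loaded right now; the sample directory is constructed. Note also that on systemd-based distros /etc/rc.local is only executed when rc-local.service is enabled.

```shell
#!/bin/sh
# Added example: check how a modprobe.d directory treats the usb_storage module.
# usb_storage_policy DIR -> "install" (modprobe is redirected to /bin/false or
# /bin/true, so even an explicit "modprobe usb_storage" does nothing),
# "blacklist" (only automatic loading by alias is stopped) or "none".
# modprobe treats "-" and "_" in module names as equivalent, hence usb[_-]storage.
usb_storage_policy() {
    dir="$1"; policy="none"
    for f in "$dir"/*.conf; do
        [ -f "$f" ] || continue
        if grep -Eq '^[[:space:]]*install[[:space:]]+usb[_-]storage[[:space:]]+/bin/(false|true)' "$f"; then
            policy="install"
            break
        elif grep -Eq '^[[:space:]]*blacklist[[:space:]]+usb[_-]storage([[:space:]]|$)' "$f"; then
            policy="blacklist"
        fi
    done
    echo "$policy"
}

# usb_storage_loaded -> "yes" if the module is currently in the kernel, else "no".
usb_storage_loaded() {
    if [ -r /proc/modules ] && grep -q '^usb_storage ' /proc/modules; then
        echo yes
    else
        echo no
    fi
}

# Constructed sample directory reproducing the article's blacklist.conf entry.
SAMPLE_MODPROBE_D="$(mktemp -d)"
printf 'blacklist usb_storage\n' > "$SAMPLE_MODPROBE_D/blacklist.conf"

echo "sample policy: $(usb_storage_policy "$SAMPLE_MODPROBE_D"), loaded now: $(usb_storage_loaded)"
# Live use: usb_storage_policy /etc/modprobe.d
```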

7. Update your Linux system


The first thing to do after the first boot is to update the system; this should be an easy step.
Generally, you open your terminal window and execute the appropriate commands. In Kali
Linux, you achieve this by executing the commands in the pictures below:

8. Check the installed packages


List all packages installed on your Linux OS and remove the unnecessary ones. You need to be
very strict if the host you’re trying to harden is a server because servers need the least number
of applications and services installed on them. Here’s an example of how to list the packages
installed on Kali Linux:

Remember that disabling unnecessary services reduces the attack surface, so it is
important to remove the following legacy services if you find them installed on the Linux
server:

Telnet server

RSH server

NIS server

TFTP server

TALK server
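The package listing from the screenshot is not in this text copy. As an added example (not the article's own code), the following reads dpkg -l output and prints any of the legacy services above that are actually installed; the Debian package names are an assumption to verify against your distro's repositories, and the dpkg -l excerpt is constructed.

```shell
#!/bin/sh
# Added example: find legacy service packages in `dpkg -l` output.
# Package names are the Debian/Kali ones and are assumed here; check your distro.
LEGACY_PKGS="telnetd rsh-server nis tftpd tftpd-hpa talkd"

# legacy_packages: read `dpkg -l` output on stdin and print each installed ("ii")
# package from LEGACY_PKGS. Lines flagged "rc" are already removed (only their
# configuration remains), so they are not reported.
legacy_packages() {
    awk -v list="$LEGACY_PKGS" '
        BEGIN { n = split(list, a, " "); for (i = 1; i <= n; i++) legacy[a[i]] = 1 }
        $1 == "ii" {
            name = $2
            sub(/:.*/, "", name)                  # strip an architecture suffix like ":amd64"
            if (name in legacy) print name
        }'
}

# Constructed sample of `dpkg -l` output (versions are placeholders, not captured
# from a real host).
SAMPLE_DPKG='Desired=Unknown/Install/Remove/Purge/Hold
||/ Name           Version     Architecture Description
+++-==============-===========-============-========================
ii  bash           5.2.15-2    amd64        GNU Bourne Again SHell
ii  telnetd        0.17-45     amd64        telnet server
rc  talkd          1.0-1       amd64        talk server (removed, config left behind)
ii  openssh-server 1:9.2p1-2   amd64        secure shell (SSH) server'

# Live use: dpkg -l | legacy_packages
printf '%s\n' "$SAMPLE_DPKG" | legacy_packages
```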

9. Check for open ports


Identifying open connections to the internet is a critical mission. In Kali Linux, I use the
following command to spot any hidden open ports:
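The command from the screenshot is not in this copy. Here is an added example (not from the original article) built around ss -tuln, which lists listening TCP and UDP sockets: it extracts the ports reachable from outside the host (loopback-only listeners are skipped) and flags any that are not on an allowlist you maintain. The ss output is constructed.

```shell
#!/bin/sh
# Added example: turn `ss -tuln` output into a list of externally reachable
# listeners and flag the ones not on an allowlist.
# listening_ports: read `ss -tuln` output on stdin, print "proto:port" per
# listener bound to something other than loopback, sorted and de-duplicated.
listening_ports() {
    awk 'NR > 1 && ($2 == "LISTEN" || $2 == "UNCONN") {
            port = $5; sub(/.*:/, "", port)         # text after the last colon
            host = $5; sub(/:[^:]*$/, "", host)     # text before the last colon
            if (host == "127.0.0.1" || host == "[::1]") next   # loopback only
            print $1 ":" port
        }' | sort -u
}

# unexpected_ports "tcp:22 tcp:443": print listeners from stdin not in the allowlist.
unexpected_ports() {
    allow=" $1 "
    listening_ports | while read -r entry; do
        case "$allow" in
            *" $entry "*) ;;
            *) echo "$entry" ;;
        esac
    done
}

# Constructed sample of `ss -tuln` output (not captured from a real host).
SAMPLE_SS='Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
tcp   LISTEN 0      128          0.0.0.0:22        0.0.0.0:*
tcp   LISTEN 0      128             [::]:22           [::]:*
tcp   LISTEN 0      4096       127.0.0.1:631       0.0.0.0:*
udp   UNCONN 0      0            0.0.0.0:68        0.0.0.0:*'

# Live use: ss -tuln | unexpected_ports "tcp:22"   (add -p as root to see process names)
printf '%s\n' "$SAMPLE_SS" | unexpected_ports "tcp:22"
```

Anything the script reports is either a service to remove (step 8) or a port the firewall (step 12) must explicitly allow.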

10. Secure SSH


SSH is secure, but you should harden this service as well. You can also disable SSH. However, if
you want to use it, then you have to change the default configuration of SSH. To do so, browse
to /etc/ssh and open the “sshd_config” file using your favorite text editor.

Change the default port number 22 to something else, e.g., 99.

Make sure that root cannot login remotely through SSH:

PermitRootLogin no

Allow some specific users:


AllowUsers [username]

The list can go on and on, but these should be enough to start with. For example, some
companies add banners to deter attackers and discourage them from continuing further. I
encourage you to check the sshd_config manual
(https://www.ssh.com/ssh/sshd_config/) to understand all the options in this file.

Here are some additional options that you need to make sure exist in the “sshd_config” file:

Protocol 2

IgnoreRhosts yes

HostbasedAuthentication no

PermitEmptyPasswords no

X11Forwarding no

MaxAuthTries 5

Ciphers aes128-ctr,aes192-ctr,aes256-ctr

ClientAliveInterval 900

ClientAliveCountMax 0

UsePAM yes

Finally, set the permissions on the sshd_config file so that only root users can change its
contents:

#chown root:root /etc/ssh/sshd_config


#chmod 600 /etc/ssh/sshd_config
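As an added example (not from the original article), this script audits an sshd_config file against the settings listed above. Two details matter for such a check: sshd uses the first occurrence of a keyword it finds, and keywords are case-insensitive, so the parser mirrors both. Protocol 2 is left out of the list because recent OpenSSH releases only support protocol 2 and ignore the directive. The sample config is constructed.

```shell
#!/bin/sh
# Added example: audit an sshd_config against the settings in this checklist.
# sshd takes the FIRST occurrence of a keyword, so the check mirrors that.
# sshd_directive FILE KEYWORD -> effective value, or nothing if unset.
sshd_directive() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        {
            sub(/^[ \t]+/, "")
            sub(/[ \t]*=[ \t]*/, " ")               # accept "Keyword=value" too
        }
        /^(#|$)/ { next }                           # comments and blank lines
        tolower($1) == key {
            val = $0
            sub(/^[^ \t]+[ \t]+/, "", val)
            print val
            exit
        }' "$1"
}

# sshd_check FILE: print one line per directive that differs from the checklist.
sshd_check() {
    file="$1"
    while read -r name want; do
        got="$(sshd_directive "$file" "$name")"
        [ "$got" = "$want" ] || echo "$name: want '$want', got '${got:-unset}'"
    done <<'EOF'
PermitRootLogin no
IgnoreRhosts yes
HostbasedAuthentication no
PermitEmptyPasswords no
X11Forwarding no
MaxAuthTries 5
Ciphers aes128-ctr,aes192-ctr,aes256-ctr
ClientAliveInterval 900
ClientAliveCountMax 0
UsePAM yes
EOF
    port="$(sshd_directive "$file" Port)"
    [ "${port:-22}" != "22" ] || echo "Port: still the default 22"
}

# Constructed sample (not a real host's config): the duplicated PermitRootLogin
# shows first-wins, and ClientAliveCountMax uses the "=" form.
SAMPLE_SSHD="$(mktemp)"
cat > "$SAMPLE_SSHD" <<'EOF'
# sshd_config sample
Port 99
PermitRootLogin yes
PermitRootLogin no
IgnoreRhosts yes
HostbasedAuthentication no
PermitEmptyPasswords no
X11Forwarding yes
MaxAuthTries 5
Ciphers aes128-ctr,aes192-ctr,aes256-ctr
ClientAliveInterval 900
ClientAliveCountMax = 0
UsePAM yes
EOF

# Live use: sshd_check /etc/ssh/sshd_config
sshd_check "$SAMPLE_SSHD"
```

Run sshd -t after editing to catch syntax errors before restarting the service, and keep an existing session open while you test the new port and the AllowUsers list so you cannot lock yourself out.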

11. Enable SELinux


Security Enhanced Linux is a kernel security mechanism for supporting access control
security policy. SELinux has three configuration modes:

Disabled: turned off

Permissive: prints warnings

Enforcing: policy is enforced

Using a text editor, open the config file:

#nano /etc/selinux/config

And make sure that the policy is enforced:

SELINUX=enforcing

12. Set network parameters


Securing your Linux host network activities is an essential task. Don’t always assume that your
firewall will take care of everything. Here are some important features to consider for securing
your host network:

Disable IP forwarding by setting the net.ipv4.ip_forward parameter to 0 in “/etc/sysctl.conf”

Disable send packet redirects by setting the net.ipv4.conf.all.send_redirects and
net.ipv4.conf.default.send_redirects parameters to 0 in “/etc/sysctl.conf”

Disable ICMP redirect acceptance by setting the net.ipv4.conf.all.accept_redirects and
net.ipv4.conf.default.accept_redirects parameters to 0 in “/etc/sysctl.conf”

Enable bad error message protection by setting the
net.ipv4.icmp_ignore_bogus_error_responses parameter to 1 in “/etc/sysctl.conf”

I strongly recommend using the Linux firewall by applying iptables rules that filter all
incoming, outgoing and forwarded packets. Configuring your iptables rules will take some time,
but it’s worth the pain.

13. Manage password policies


People often reuse their passwords (https://www.pluralsight.com/blog/it-ops/world-
password-day), which is a bad security practice. Old passwords are stored in the file
“/etc/security/opasswd”. We are going to use PAM modules to manage the security policies
of the Linux host. On a Debian-based distro, open the file “/etc/pam.d/common-password” using a
text editor and add the following two lines:

auth sufficient pam_unix.so likeauth nullok


password sufficient pam_unix.so remember=4

(Will not allow users to reuse the last four passwords.)

Another password policy that should be forced is strong passwords. The PAM module
(https://en.wikipedia.org/wiki/Pluggable_authentication_module) offers a pam_cracklib
that protects your server from dictionary and brute-force attacks. To accomplish this task,
open the file /etc/pam.d/system-auth using any text editor and add the following line:

/lib/security/$ISA/pam_cracklib.so retry=3 minlen=8 lcredit=-1 ucredit=-2 dcredit=-2 ocredit=

Linux hashes the password instead of saving it in cleartext, so make sure a secure password
hashing algorithm, SHA512, is defined.

Another interesting functionality is to lock the account after five failed attempts. To make this
happen, you need to open the file “/etc/pam.d/password-auth” and add the following lines:

auth required pam_env.so
auth required pam_faillock.so preauth audit silent deny=5 unlock_time=604800
auth [success=1 default=bad] pam_unix.so
auth [default=die] pam_faillock.so authfail audit deny=5 unlock_time=604800
auth sufficient pam_faillock.so authsucc audit deny=5 unlock_time=604800
auth required pam_deny.so

We’re not done yet; one additional step is needed. Open the file “/etc/pam.d/system-auth” and
make sure you have the following lines added:

auth required pam_env.so


auth required pam_faillock.so preauth audit silent deny=5 unlock_time=604800
auth [success=1 default=bad] pam_unix.so
auth [default=die] pam_faillock.so authfail audit deny=5 unlock_time=604800
auth sufficient pam_faillock.so authsucc audit deny=5 unlock_time=604800
auth required pam_deny.so

After five failed attempts, only an administrator can unlock the account by using the following
command:

# /usr/sbin/faillock --user <userlocked> --reset

Another good practice is to set passwords to expire after 90 days. To accomplish this, you
need to:

Set the PASS_MAX_DAYS parameter to 90 in “/etc/login.defs”

Apply the same limit to each existing user by executing the following command:

#chage --maxdays 90 <user>
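PASS_MAX_DAYS in login.defs only applies to accounts created after the change, which is why the chage command is needed for existing users. The following added example (not the article's code) finds the accounts that still need it by reading the maximum-age field from a shadow-format file; the shadow file and the login.defs sample are constructed, and an empty password field is reported separately because such an account can log in with no password at all.

```shell
#!/bin/sh
# Added example: find accounts whose password never expires (or expires too late).
# login_defs_max FILE -> the PASS_MAX_DAYS value from a login.defs file; it only
# applies to accounts created afterwards, existing ones keep their /etc/shadow value.
login_defs_max() {
    awk '$1 == "PASS_MAX_DAYS" { print $2; exit }' "$1"
}

# shadow_overdue SHADOW_FILE MAXDAYS -> login names with a usable password whose
# maximum-age field (5th) is empty or larger than MAXDAYS. Locked ("!") and
# no-password ("*") accounts are skipped; an EMPTY password field is flagged
# on its own line because it means no password is required at all.
shadow_overdue() {
    awk -F: -v max="$2" '
        $2 ~ /^[!*]/ { next }                       # locked or no password set
        $2 == "" { print $1 " (empty password field)"; next }
        $5 == "" || $5 + 0 > max + 0 { print $1 }
    ' "$1"
}

# Constructed shadow file (hashes are placeholders, not real).
SAMPLE_SHADOW="$(mktemp)"
cat > "$SAMPLE_SHADOW" <<'EOF'
root:$6$placeholder$hash:19000:0:99999:7:::
alice:$6$placeholder$hash:19000:0:90:7:::
bob:$6$placeholder$hash:19000:0::::
daemon:*:19000:0:99999:7:::
svc:!:19000:0:99999:7:::
guest::19000:0:90:7:::
EOF

# Constructed login.defs excerpt.
SAMPLE_LOGIN_DEFS="$(mktemp)"
printf '# constructed sample\nPASS_MAX_DAYS\t90\nPASS_MIN_DAYS\t0\n' > "$SAMPLE_LOGIN_DEFS"

echo "login.defs PASS_MAX_DAYS: $(login_defs_max "$SAMPLE_LOGIN_DEFS")"
# Live use (as root): shadow_overdue /etc/shadow 90, then chage --maxdays 90 <user> for each hit
shadow_overdue "$SAMPLE_SHADOW" 90
```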

The next tip for enhancing the passwords policies is to restrict access to the su command by
setting the pam_wheel.so parameters in “/etc/pam.d/su”:

auth required pam_wheel.so use_uid

The final tip for password policy is to disable the system accounts for non-root users by using
the following bash script:

#!/bin/bash
# Lock every system account (UID below 500 here; modern distros start regular
# users at UID_MIN=1000 in /etc/login.defs, so adjust the threshold) and give it
# a non-interactive shell, leaving root, sync, shutdown and halt usable.
for user in $(awk -F: '($3 < 500) {print $1}' /etc/passwd); do
    if [ "$user" != "root" ]; then
        /usr/sbin/usermod -L "$user"
        if [ "$user" != "sync" ] && [ "$user" != "shutdown" ] && [ "$user" != "halt" ]; then
            /usr/sbin/usermod -s /sbin/nologin "$user"
        fi
    fi
done

14. Permissions and verification


Prepare yourself mentally because this is going to be a long list. But permissions are one of the
most important and critical tasks for achieving the security goal on a Linux host.

Set user/group owner and permissions on “/etc/anacrontab”, “/etc/crontab” and “/etc/cron.*”
by executing the following commands:

#chown root:root /etc/anacrontab
#chmod og-rwx /etc/anacrontab
#chown root:root /etc/crontab
#chmod og-rwx /etc/crontab
#chown root:root /etc/cron.hourly
#chmod og-rwx /etc/cron.hourly
#chown root:root /etc/cron.daily
#chmod og-rwx /etc/cron.daily
#chown root:root /etc/cron.weekly
#chmod og-rwx /etc/cron.weekly
#chown root:root /etc/cron.monthly
#chmod og-rwx /etc/cron.monthly
#chown root:root /etc/cron.d
#chmod og-rwx /etc/cron.d

Set the owner and permissions on the root crontab in “/var/spool/cron”:

#chown root:root <crontabfile>
#chmod og-rwx <crontabfile>

Set User/Group Owner and Permission on “passwd” file


#chmod 644 /etc/passwd
#chown root:root /etc/passwd

Set User/Group Owner and Permission on the “group” file

#chmod 644 /etc/group
#chown root:root /etc/group

Set User/Group Owner and Permission on the “shadow” file

#chmod 600 /etc/shadow
#chown root:root /etc/shadow

Set User/Group Owner and Permission on the “gshadow” file

#chmod 600 /etc/gshadow


#chown root:root /etc/gshadow
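As an added example (not from the original article), this helper verifies owner, group and mode for the files above using GNU stat (an assumption: BSD stat has different flags). It understands both numeric modes and the article's og-rwx notation, which only requires that group and others have no permission bits set. perm_audit runs the article's full list against the live system; the test below uses temporary files.

```shell
#!/bin/sh
# Added example: verify owner, group and mode of the files this step covers.
# check_perm PATH MODE OWNER GROUP -> "PATH: ok" or a description of each mismatch.
# MODE is either an octal mode such as 644 or the article's "og-rwx", which
# only requires that group and others have no permission bits at all.
check_perm() {
    path="$1"; want_mode="$2"; want_owner="$3"; want_group="$4"
    if [ ! -e "$path" ]; then
        echo "$path: missing"
        return 0
    fi
    set -- $(stat -c '%a %U %G' "$path")        # GNU stat: octal mode, owner, group
    mode="$1"; owner="$2"; group="$3"; problems=""
    case "$want_mode" in
        og-rwx) case "$mode" in
                    0|*00) ;;                    # group/other digits are both zero
                    *) problems="$problems mode=$mode(want og-rwx)" ;;
                esac ;;
        *)      [ "$mode" = "$want_mode" ] || problems="$problems mode=$mode(want $want_mode)" ;;
    esac
    [ "$owner" = "$want_owner" ] || problems="$problems owner=$owner(want $want_owner)"
    [ "$group" = "$want_group" ] || problems="$problems group=$group(want $want_group)"
    if [ -z "$problems" ]; then
        echo "$path: ok"
    else
        echo "$path:$problems"
    fi
}

# perm_audit: the checklist's expectations (root:root everywhere, og-rwx for the
# cron files and directories, 644 for passwd/group, 600 for shadow/gshadow).
perm_audit() {
    while read -r path mode; do
        check_perm "$path" "$mode" root root
    done <<'EOF'
/etc/anacrontab og-rwx
/etc/crontab og-rwx
/etc/cron.hourly og-rwx
/etc/cron.daily og-rwx
/etc/cron.weekly og-rwx
/etc/cron.monthly og-rwx
/etc/cron.d og-rwx
/etc/passwd 644
/etc/group 644
/etc/shadow 600
/etc/gshadow 600
EOF
}

# Demonstration on a constructed temporary file owned by the current user.
DEMO_FILE="$(mktemp)"
chmod 644 "$DEMO_FILE"
check_perm "$DEMO_FILE" og-rwx "$(id -un)" "$(id -gn)"
# Live use: perm_audit
```

Debian-based distros ship /etc/shadow and /etc/gshadow as mode 640 owned by root:shadow, so adjust those two expectations there rather than forcing 600 root:root.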

15. Additional distro process hardening


For this last item in the list, I’m including some additional tips that should be considered when
hardening a Linux host.

First, restrict core dumps by:

Adding hard core 0 to the “/etc/security/limits.conf” file

Adding fs.suid_dumpable = 0 to the “/etc/sysctl.conf” file

Second, configure Exec Shield by:

Adding kernel.exec-shield = 1 to the “/etc/sysctl.conf” file

Third, enable randomized Virtual Memory Region Placement by:


Adding kernel.randomize_va_space = 2 to the “/etc/sysctl.conf” file
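Steps 12 and 15 both add kernel parameters to /etc/sysctl.conf, so one added example (not from the original article) covers both: it compares the nine parameters against a sysctl -a dump or the running kernel. kernel.exec-shield was a Red Hat kernel patch that never reached mainline kernels, which rely on the hardware NX bit and the ASLR controlled by kernel.randomize_va_space instead, so the check reports it as absent rather than as a failure. The sysctl -a excerpt is constructed.

```shell
#!/bin/sh
# Added example: compare the kernel parameters from steps 12 and 15 against a
# `sysctl -a`-style dump or the running kernel. Each key is reported as ok,
# differing, or absent (a key the kernel does not have, e.g. kernel.exec-shield
# outside old Red Hat kernels).
EXPECTED_SYSCTL='net.ipv4.ip_forward = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.icmp_ignore_bogus_error_responses = 1
fs.suid_dumpable = 0
kernel.exec-shield = 1
kernel.randomize_va_space = 2'

# sysctl_compare EXPECTED_FILE ACTUAL_FILE: both in "key = value" form.
# Whitespace is stripped before comparing, so multi-value keys such as
# kernel.printk would need special handling; none of the checklist keys are.
sysctl_compare() {
    awk -F'=' '
        { gsub(/[ \t]+/, "") }                      # normalise to key=value
        /^(#|$)/ { next }
        FNR == NR { want[$1] = $2; order[++n] = $1; next }
        { have[$1] = $2 }
        END {
            for (i = 1; i <= n; i++) {
                k = order[i]
                if (!(k in have))            print k ": absent (wanted " want[k] ")"
                else if (have[k] != want[k]) print k ": want " want[k] ", got " have[k]
                else                         print k ": ok"
            }
        }' "$1" "$2"
}

# sysctl_audit_live: dump the running kernel's parameters and compare.
sysctl_audit_live() {
    exp="$(mktemp)"; act="$(mktemp)"
    printf '%s\n' "$EXPECTED_SYSCTL" > "$exp"
    sysctl -a 2>/dev/null > "$act"
    sysctl_compare "$exp" "$act"
    rm -f "$exp" "$act"
}

# Constructed `sysctl -a` excerpt: IP forwarding still on, no exec-shield key.
SAMPLE_EXPECTED="$(mktemp)"; SAMPLE_ACTUAL="$(mktemp)"
printf '%s\n' "$EXPECTED_SYSCTL" > "$SAMPLE_EXPECTED"
cat > "$SAMPLE_ACTUAL" <<'EOF'
net.ipv4.ip_forward = 1
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.icmp_ignore_bogus_error_responses = 1
fs.suid_dumpable = 0
kernel.randomize_va_space = 2
EOF

# Live use: sysctl_audit_live
sysctl_compare "$SAMPLE_EXPECTED" "$SAMPLE_ACTUAL"
```

After editing /etc/sysctl.conf, apply the values with sysctl -p (or sysctl --system to load /etc/sysctl.d/ as well) and rerun the audit. The hard core 0 entry in limits.conf is a PAM limit rather than a sysctl; check it with ulimit -c in a fresh login shell.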
This article was originally published on NetworkWorld
(http://www.networkworld.com/article/3143050/linux/linux-hardening-a-15-step-
checklist-for-a-secure-linux-server.html) and was updated here on November 21, 2022.

Final thoughts on Linux server hardening

In this short post, we covered many important configurations for Linux security. But, we’ve just
scratched the surface of Linux Hardening—there are a lot of complex, nitty-gritty
configurations. To learn more about how to harden your Linux servers for better security, check
out these Linux courses. (https://www.pluralsight.com/browse/it-ops/linux)

ABOUT THE AUTHOR

Ghassan Khawaja holds a BS degree in Computer Science and specializes in .NET
development and IT security, including C#, ASP.NET, HTML5 and ethical hacking.
Ghassan has successfully delivered software products and developed solutions for
companies all over Quebec, Canada. He is passionate about technology and loves what he's
doing. After many years of experience in computer science, he has turned his attention to
cyber security and the importance that security brings to this minefield. His passion for
ethical hacking, mixed with his background in programming, makes him a versatile,
Swiss-army-knife professional in the computer science field.
