Linux Hardening and Best Practices Checklist

March 31, 2016

The following are best practices for Linux hardening, consolidated from personal experience and from research across various articles on the Internet. The settings can be adapted to your organisation's needs. This is a generic list and can be used as a checklist to harden Linux-based systems. To improve this checklist, please feel free to contribute by writing to us at [email protected]

  1. Use individual user accounts and a strong password policy
    • Password aging (PASS_MAX_DAYS, PASS_MIN_DAYS and PASS_WARN_AGE in /etc/login.defs), account lockout after repeated login failures (pam_faillock or pam_tally2) and a ban on reusing previous passwords (pam_pwhistory) are the important aspects to enforce. Shared accounts defeat the audit trail: every person gets their own login.
  2. Disable direct root login over SSH (PermitRootLogin no in /etc/ssh/sshd_config); administrators log in as themselves and escalate with sudo.
  3. Disable USB mass storage if the server does not need it, for example by blacklisting the usb-storage kernel module in /etc/modprobe.d.
  4. Physical server security
    • Anyone with console access can bypass most of this list, so lock the rack, set a BIOS/UEFI and bootloader password and restrict the boot order to the system disk.
  5. Use public/private key pairs for remote access rather than passwords, and once keys are deployed set PasswordAuthentication no in sshd_config so that password guessing is impossible.
  6. Encrypt data in transit
    • All data transmitted over the network must be encrypted; replace telnet, rsh and ftp with their encrypted equivalents.
    • Use scp, sftp or rsync over ssh for file transfer.
    • GnuPG can be used to encrypt and sign data and messages, and it provides a key management system that is independent of the transport.
    • OpenVPN is a cost-effective and lightweight way to encrypt traffic between sites or to give administrators a private path to the servers.
    • Apache: install a certificate and enable HTTPS (TLS, the successor to SSL, Secure Sockets Layer); disable SSLv2 and SSLv3 and prefer TLS 1.2.
    • Lighttpd: the same HTTPS (TLS) installation and configuration.
  7. Use a centralized authentication server.
    • Implement an LDAP directory or a Kerberos KDC for authentication. Accounts are then created, disabled and rotated in one place instead of on every host, and a departed employee's access is revoked once rather than server by server. Kerberos has the added benefit that the password itself is never sent to the service.
  8. Use the iptables firewall
    • A default-deny inbound policy limits exposure to network threats such as port scanning and some forms of denial of service; it cannot stop a bandwidth flood, but it keeps every port you forgot about off the network.
    • Open only the ports that must be reachable from external networks and leave everything else closed. Remember that iptables covers IPv4 only; ip6tables needs an equivalent ruleset, otherwise the host is wide open over IPv6.
  9. The least privilege principle must be implemented.
    • Disable shell access for accounts that do not need it (set the shell of service accounts to /usr/sbin/nologin or /bin/false).
  10. Minimize installed software to minimize vulnerabilities.
    • Install only the software that is needed and remove unnecessary or never-used packages; a package that is not installed cannot be exploited.
    • Install through the distribution's package manager (apt on Debian/Ubuntu, yum or dnf on RPM-based systems) rather than from source, so that packages are signature-checked, tracked and updated centrally.
  11. Keep the Linux kernel and all packages updated
    • Always keep all software packages updated, such as Apache, MySQL and PHP on a standard LAMP setup.
    • Apply security updates through the package manager (apt-get upgrade, yum update or dnf update), and consider automatic security updates (unattended-upgrades, yum-cron) for hosts that nobody watches daily.
  12. Disable unwanted services. List what is enabled (systemctl list-unit-files --state=enabled, or chkconfig --list on SysV-init systems) and disable anything the host's role does not require.
  13. Install Linux kernel patches. A kernel update only takes effect after a reboot (or with a live-patching mechanism), so schedule the reboot rather than assuming the patch is active.
  14. One network service per system or VM instance
    • Run different network services on separate servers or VM instances. If an attacker exploits the Apache server on a host that also runs MySQL and a mail server, he or she reaches all of them at once; separation limits the damage to one service.
  15. Separate partitions
    • Create separate partitions for user-modifiable directories such as /tmp, /var/tmp, /home and /var/log, and mount them with nodev, nosuid and (where nothing legitimate runs from them) noexec. This stops a user or a compromised web application from filling the root filesystem and from executing what it uploaded to /tmp. Note that noexec on /tmp breaks some installers and scripts, so test before enforcing it.
  16. Use Linux security extensions
    • Use SELinux or AppArmor (mandatory access control shipped with the major distributions) or the grsecurity kernel patch set to provide additional hardening beyond ordinary file permissions.
    • These confine misconfigured or compromised programs: a web server that is exploited can still only touch the files and sockets its policy allows.
  17. Implement NTP (Network Time Protocol)
    • Accurate clocks matter when reviewing log files and reconstructing when an event occurred, especially when correlating logs from several hosts. Point ntpd or chrony at a trusted set of time sources.
  18. Monitor logs
    • Log and audit errors and changes to the server, and review the logs regularly. Forward logs to a central syslog host as well: an attacker who gains root can erase local logs, but not the copies already shipped elsewhere.
  19. Keep confidential data encrypted at rest, for example with LUKS/dm-crypt for whole volumes or GnuPG for individual files.
  20. Install LogWatch
    • Gives a daily report that summarizes the information in the server log files, so that unusual activity is noticed without reading raw logs.
  21. Install Linux Socket Monitor (LSM)
    • Provides alerts when new sockets are created on the system, which is how an unexpected bind shell or a newly started service shows up.
  22. Lock down cron jobs
    • Restrict who may schedule jobs with /etc/cron.allow and /etc/cron.deny (and the equivalent at.allow and at.deny), and review existing crontabs and the /etc/cron.* directories for jobs that should not be there.
  23. Limit root access using sudo
    • With sudo, specific commands can be run as root without sharing the root password. Sudo operates on a per-command basis: grant the exact commands a role needs in /etc/sudoers (edit it with visudo), avoid blanket ALL=(ALL) ALL and NOPASSWD entries, and keep the sudo log.
  24. Use TCP wrappers
    • Control access to services by hostname and IP address through /etc/hosts.allow and /etc/hosts.deny. The original tcpd program sits between inetd and the service; modern daemons link libwrap directly and consult the same files. Only services with libwrap support honour these rules (OpenSSH dropped it in 6.7), so treat TCP wrappers as a supplement to the firewall, not a replacement.
  25. Apache mod_security
    • ModSecurity is a web application firewall module for Apache that inspects requests and responses against a rule set. Load the module and a rule set such as the OWASP Core Rule Set, and tune it against your application's traffic before switching from detection-only mode to blocking.
  26. Bind processes to localhost
    • Services that are consumed only locally, such as a database used by a web application on the same host, must listen on 127.0.0.1 (or a Unix socket) rather than on all interfaces. Check what is exposed with ss -tlnp (or netstat -tlnp) and fix the bind address in each service's configuration.
  27. Install Bastille
    • A tested method that enhances the security of a Linux box by configuring daemons, firewalls and other system settings through an interactive questionnaire. Bastille has not been actively maintained for years; Lynis or the CIS benchmark scripts fill the same auditing role on current distributions.
  28. Use PAM authentication
    • PAM (Pluggable Authentication Modules) separates the authentication mechanism from the applications through a high-level API, so that login, sshd, sudo and su all consult the same stack. Policies such as account lockout (pam_faillock), password strength (pam_pwquality or pam_cracklib) and password history (pam_pwhistory) are set once in /etc/pam.d and apply system-wide.
  29. Configure user login sessions to time out automatically
    • After a defined period of inactivity the user session must be terminated.
    • Set the variable in a shell startup file such as /etc/profile.d/tmout.sh with the following command: typeset -r TMOUT=900 (15 minutes = 900 seconds). The -r (read-only) flag stops users from unsetting it in their own session. This only affects interactive shells that honour TMOUT (bash, ksh and zsh do); it exits the idle shell, it does not lock the screen.
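The following script is an added example, not part of the original checklist, that turns items 1, 2 and 5 into a check you can run: it reads the effective value of the relevant keys from an sshd_config and a login.defs and reports PASS or FAIL. The file contents are constructed samples (a stock-looking configuration beside its hardened version), the function names cfg_first, cfg_last, audit_sshd and audit_login_defs are chosen here, and the 90/1/7-day aging limits are an assumed policy, not a value from the page.

```shell
#!/bin/sh
# Added example (not from the original checklist): audit an sshd_config and a
# login.defs against items 1, 2 and 5. All file contents below are constructed
# samples; cfg_first, cfg_last, audit_sshd and audit_login_defs are names
# chosen for this example, and the 90/1/7-day aging limits are an assumed policy.

# cfg_first FILE KEY: value of the FIRST uncommented "KEY value" line.
# sshd uses the first value it reads for a keyword, so that is the effective one.
# Keywords are case-insensitive in sshd_config.
cfg_first() {
    awk -v key="$2" '
        $1 !~ /^#/ && tolower($1) == tolower(key) { print $2; exit }
    ' "$1"
}

# cfg_last FILE KEY: value of the LAST uncommented "KEY value" line,
# which is what login.defs uses when a key is repeated.
cfg_last() {
    awk -v key="$2" '
        $1 !~ /^#/ && $1 == key { val = $2 }
        END { if (val != "") print val }
    ' "$1"
}

# audit_sshd FILE: print PASS/FAIL per setting, return 1 if anything failed.
audit_sshd() {
    f=$1; rc=0
    for pair in PermitRootLogin:no PasswordAuthentication:no PubkeyAuthentication:yes; do
        key=${pair%%:*}; want=${pair#*:}
        got=$(cfg_first "$f" "$key")
        # PubkeyAuthentication defaults to yes when unset. The other two are
        # left unset on many installs and default to yes there, so an unset
        # value is reported as a failure: we want to see them set explicitly.
        if [ -z "$got" ] && [ "$key" = PubkeyAuthentication ]; then got=yes; fi
        if [ "$got" = "$want" ]; then
            echo "PASS $key $got"
        else
            echo "FAIL $key ${got:-unset} (want $want)"; rc=1
        fi
    done
    return $rc
}

# audit_login_defs FILE: check the aging values. Lockout and password history
# are PAM settings (pam_faillock, pam_pwhistory), not login.defs, so they are
# out of scope for this check.
audit_login_defs() {
    f=$1; rc=0
    max=$(cfg_last "$f" PASS_MAX_DAYS); min=$(cfg_last "$f" PASS_MIN_DAYS)
    warn=$(cfg_last "$f" PASS_WARN_AGE)
    # login.defs defaults when unset: PASS_MAX_DAYS 99999, PASS_MIN_DAYS 0, PASS_WARN_AGE 7
    if [ "${max:-99999}" -le 90 ]; then echo "PASS PASS_MAX_DAYS ${max:-unset}"; else echo "FAIL PASS_MAX_DAYS ${max:-unset} (want <= 90)"; rc=1; fi
    if [ "${min:-0}" -ge 1 ]; then echo "PASS PASS_MIN_DAYS ${min:-unset}"; else echo "FAIL PASS_MIN_DAYS ${min:-unset} (want >= 1)"; rc=1; fi
    if [ "${warn:-7}" -ge 7 ]; then echo "PASS PASS_WARN_AGE ${warn:-unset}"; else echo "FAIL PASS_WARN_AGE ${warn:-unset} (want >= 7)"; rc=1; fi
    return $rc
}

# Constructed samples: a stock-looking config next to its hardened version.
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT
WEAK_SSHD=$WORK/sshd_weak; HARD_SSHD=$WORK/sshd_hard
WEAK_DEFS=$WORK/defs_weak; HARD_DEFS=$WORK/defs_hard
cat >"$WEAK_SSHD" <<'EOF'
Port 22
PermitRootLogin yes
PasswordAuthentication yes
#PubkeyAuthentication yes
EOF
cat >"$HARD_SSHD" <<'EOF'
Port 22
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
EOF
printf 'PASS_MAX_DAYS\t99999\nPASS_MIN_DAYS\t0\nPASS_WARN_AGE\t7\n' >"$WEAK_DEFS"
printf 'PASS_MAX_DAYS\t90\nPASS_MIN_DAYS\t1\nPASS_WARN_AGE\t14\n' >"$HARD_DEFS"

for f in "$WEAK_SSHD" "$HARD_SSHD"; do
    echo "== $f"; audit_sshd "$f" || echo "   -> $f needs attention"
done
for f in "$WEAK_DEFS" "$HARD_DEFS"; do
    echo "== $f"; audit_login_defs "$f" || echo "   -> $f needs attention"
done
```

On a real host run audit_sshd /etc/ssh/sshd_config and audit_login_defs /etc/login.defs; after editing sshd_config, validate with sshd -t and keep an existing session open while you restart sshd, so a mistake does not lock you out.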
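For item 8, the following is an added example (not the checklist's own code) of the default-deny iptables ruleset described there, generated in iptables-restore format so it can be reviewed as a whole and loaded atomically instead of as a sequence of individual iptables calls. The service list (SSH plus whatever TCP ports you pass in) and the function names gen_iptables_rules and count_rules_for_port are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original checklist): emit a default-deny IPv4
# ruleset for item 8 in iptables-restore format. The service list is an
# assumption of this example (SSH plus whatever TCP ports you pass in);
# gen_iptables_rules and count_rules_for_port are names chosen here.

# gen_iptables_rules SSH_PORT "TCP_PORT ..." : print the ruleset on stdout
gen_iptables_rules() {
    ssh_port=${1:-22}
    tcp_ports=${2:-}
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Loopback must stay open: local-only services (item 26) depend on it
-A INPUT -i lo -j ACCEPT
# Packets claiming a loopback source on a real interface are spoofed
-A INPUT ! -i lo -s 127.0.0.0/8 -j DROP
# Replies to connections this host opened; drop what conntrack cannot classify
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
# SSH: more than 5 new connections per source per minute are dropped (brute force, scanners)
-A INPUT -p tcp --dport $ssh_port -m conntrack --ctstate NEW -m recent --set --name SSH
-A INPUT -p tcp --dport $ssh_port -m conntrack --ctstate NEW -m recent --update --seconds 60 --hitcount 5 --name SSH -j DROP
-A INPUT -p tcp --dport $ssh_port -m conntrack --ctstate NEW -j ACCEPT
# Rate-limited ping keeps monitoring working without offering a flood vector
-A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/second -j ACCEPT
EOF
    # One ACCEPT rule per additional service port
    for p in $tcp_ports; do
        printf '%s\n' "-A INPUT -p tcp --dport $p -m conntrack --ctstate NEW -j ACCEPT"
    done
    cat <<'EOF'
# Log a sample of what the policy drops so port scans are visible in syslog
-A INPUT -m limit --limit 3/minute -j LOG --log-prefix "iptables-drop: " --log-level 4
COMMIT
EOF
}

# count_rules_for_port RULESET_TEXT PORT: how many rules mention --dport PORT
count_rules_for_port() {
    printf '%s\n' "$1" | grep -c -- "--dport $2 "
}

# Example: SSH moved to 2222, web server on 80 and 443.
RULES=$(gen_iptables_rules 2222 "80 443")
printf '%s\n' "$RULES"
```

Save the output to the file your distribution loads at boot (/etc/iptables/rules.v4 with iptables-persistent, /etc/sysconfig/iptables on RPM-based systems) and apply it with iptables-restore, from a session you keep open until you have confirmed that a second connection still works. This ruleset is IPv4 only: write the matching ip6tables ruleset too, or the host is still reachable on every port over IPv6.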
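For item 15, the following is an added example (not from the original checklist) that checks an fstab for the directories that should be separate filesystems and for the mount options they should carry. The two fstab texts are constructed samples, the mountpoint/option policy table is this example's own (it leaves exec on /home because users do run things from there), and has_opt, fstab_opts and audit_fstab are names chosen here.

```shell
#!/bin/sh
# Added example (not from the original checklist): check an fstab against
# item 15. The fstab contents are constructed samples, the mountpoint/option
# policy table is this example's own, and has_opt, fstab_opts and audit_fstab
# are names chosen here.

# Policy: mountpoint and the options it must carry. /home keeps exec because
# users do run things from it; the others should never contain executables.
FSTAB_POLICY='/tmp nodev,nosuid,noexec
/var/tmp nodev,nosuid,noexec
/dev/shm nodev,nosuid,noexec
/home nodev,nosuid'

# has_opt OPTS OPT: true if the comma-separated list OPTS contains OPT exactly
has_opt() {
    case ",$1," in *",$2,"*) return 0 ;; esac
    return 1
}

# fstab_opts FILE MOUNTPOINT: option field of the entry for MOUNTPOINT, or
# nothing if there is no entry (the directory lives on its parent filesystem)
fstab_opts() {
    awk -v mp="$2" '$1 !~ /^#/ && NF >= 4 && $2 == mp { print $4 }' "$1"
}

# audit_fstab FILE: PASS/FAIL per policy line, return 1 on any failure
audit_fstab() {
    f=$1; rc=0
    while read -r mp want; do
        opts=$(fstab_opts "$f" "$mp")
        if [ -z "$opts" ]; then
            echo "FAIL $mp: not a separate filesystem"; rc=1; continue
        fi
        missing=""
        for o in $(printf '%s' "$want" | tr ',' ' '); do
            has_opt "$opts" "$o" || missing="$missing $o"
        done
        if [ -n "$missing" ]; then
            echo "FAIL $mp: mounted with '$opts', missing$missing"; rc=1
        else
            echo "PASS $mp: $opts"
        fi
    done <<EOF
$FSTAB_POLICY
EOF
    return $rc
}

# Constructed samples: everything on one root filesystem, then the split layout
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT
WEAK_FSTAB=$WORK/fstab_weak; HARD_FSTAB=$WORK/fstab_hard
cat >"$WEAK_FSTAB" <<'EOF'
# constructed: one big root filesystem plus /home with default options
UUID=1111-aaaa  /         ext4   defaults   0 1
UUID=2222-bbbb  /home     ext4   defaults   0 2
tmpfs           /dev/shm  tmpfs  defaults   0 0
EOF
cat >"$HARD_FSTAB" <<'EOF'
# constructed: /tmp on its own partition, /var/tmp bind-mounted onto it
UUID=1111-aaaa  /         ext4   defaults                   0 1
UUID=3333-cccc  /tmp      ext4   nodev,nosuid,noexec        0 2
/tmp            /var/tmp  none   bind,nodev,nosuid,noexec   0 0
UUID=2222-bbbb  /home     ext4   nodev,nosuid               0 2
tmpfs           /dev/shm  tmpfs  nodev,nosuid,noexec        0 0
EOF
for f in "$WEAK_FSTAB" "$HARD_FSTAB"; do
    echo "== $f"; audit_fstab "$f" || echo "   -> $f needs attention"
done
```

This reads the intended configuration, not the live state; confirm what is actually mounted with findmnt -o TARGET,OPTIONS /tmp, and apply a change without rebooting with mount -o remount,nodev,nosuid,noexec /tmp. Expect some package installers and build scripts to fail on a noexec /tmp, so test before enforcing it on a host that installs software.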
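For item 26, the following is an added example (not from the original checklist) of the check itself: it parses ss -tlnp output, lists every listening socket that is bound to something other than a loopback address, and flags those whose port is not on an allowed list. The ss output below is a constructed sample, the allowed-port list is an assumption, and exposed_listeners and audit_listeners are names chosen here.

```shell
#!/bin/sh
# Added example (not from the original checklist): find services listening on
# every interface for item 26. The ss output below is a constructed sample, the
# allowed-port list is an assumption, and exposed_listeners / audit_listeners
# are names chosen here.

# exposed_listeners: read "ss -tlnp" output on stdin and print "PORT PROCESS"
# for each listening socket bound to anything other than a loopback address.
exposed_listeners() {
    awk '
        $1 == "LISTEN" {
            addr = $4; port = $4
            sub(/.*:/, "", port)          # text after the last colon is the port
            sub(/:[0-9]+$/, "", addr)     # everything before it is the address
            # ss -n prints loopback as 127.x.x.x or [::1]; "*", 0.0.0.0 and [::] mean every interface
            if (addr ~ /^127\./ || addr == "[::1]") next
            proc = "-"
            if (match($0, /\(\("[^"]*"/)) proc = substr($0, RSTART + 3, RLENGTH - 4)
            print port, proc
        }'
}

# audit_listeners "PORT ..." : read ss output on stdin, report every exposed
# port that is not in the allowed list; return 1 if any was found.
audit_listeners() {
    allowed=" $1 "; rc=0
    exposed=$(exposed_listeners)
    while read -r port proc; do
        [ -z "$port" ] && continue
        case "$allowed" in
            *" $port "*) echo "OK   $port ($proc) is meant to be reachable" ;;
            *) echo "FAIL $port ($proc) listens on all interfaces but is not an allowed service"; rc=1 ;;
        esac
    done <<EOF
$exposed
EOF
    return $rc
}

# Constructed sample of "ss -tlnp" output: MySQL and a Java service are
# bound to every interface, Redis correctly to loopback only.
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT
SS_SAMPLE=$WORK/ss.txt
cat >"$SS_SAMPLE" <<'EOF'
State   Recv-Q  Send-Q  Local Address:Port  Peer Address:Port  Process
LISTEN  0       128     0.0.0.0:22          0.0.0.0:*          users:(("sshd",pid=812,fd=3))
LISTEN  0       70      0.0.0.0:3306        0.0.0.0:*          users:(("mysqld",pid=1200,fd=21))
LISTEN  0       511     *:80                *:*                users:(("apache2",pid=1400,fd=4))
LISTEN  0       4096    127.0.0.1:6379      0.0.0.0:*          users:(("redis-server",pid=1500,fd=6))
LISTEN  0       128     [::]:22             [::]:*             users:(("sshd",pid=812,fd=4))
LISTEN  0       4096    [::]:9200           [::]:*             users:(("java",pid=1600,fd=300))
EOF
audit_listeners "22 80 443" <"$SS_SAMPLE" || echo "   -> rebind the flagged services to 127.0.0.1"
```

On a live host run ss -tlnp | audit_listeners "22 443" as root (process names are only shown for your own processes otherwise). For the flagged services the fix is in their own configuration, for example bind-address = 127.0.0.1 in my.cnf for MySQL or bind 127.0.0.1 in redis.conf; the firewall from item 8 is the second layer, not a substitute for binding correctly.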


