# Linux Hardening Fundamentals

Defense in depth on Linux means stacking independent controls so that no single misconfiguration is fatal: a minimal set of running services, restrictive mount and file permissions, a hardened network stack behind a default-deny host firewall, a mandatory access control layer, and a way to verify that each setting is still in place.

## Initial System Hardening

### Disable Unnecessary Services
```bash
# List all enabled services and decide which ones the host actually needs
systemctl list-unit-files --state=enabled
# Disable services you don't need. `disable` alone only affects the next boot,
# so add --now to stop the running instance as well
sudo systemctl disable --now cups.service
sudo systemctl disable --now avahi-daemon.service
sudo systemctl disable --now bluetooth.service
sudo systemctl disable --now rpcbind.service
# A disabled service can still be socket-activated; disable the matching
# .socket units too (cups.socket, avahi-daemon.socket, rpcbind.socket)
sudo systemctl disable --now cups.socket avahi-daemon.socket rpcbind.socket
# Mask units to prevent them from being started at all, manually or as a
# dependency; masking ctrl-alt-del.target stops a console Ctrl-Alt-Del from rebooting the host
sudo systemctl mask ctrl-alt-del.target
```

### Secure Mount Options
Edit /etc/fstab with security mount options:
```text
# Recommended mount options; fstab fields are: source  mountpoint  type  options  dump  pass
tmpfs            /tmp   tmpfs  defaults,nodev,nosuid,noexec  0 0
UUID=<var-uuid>  /var   ext4   defaults,nodev                0 2
UUID=<home-uuid> /home  ext4   defaults,nodev,nosuid         0 2
# Mount options explained:
# nodev  - device files on this filesystem are not interpreted as devices
# nosuid - SUID/SGID bits on this filesystem are not honored
# noexec - binaries on this filesystem cannot be executed directly
```

Replace the `UUID=<...>` placeholders with the values `blkid` reports for your /var and /home partitions (the original table omitted the source field, which fstab requires). Apply with `sudo mount -o remount /tmp` and confirm with `findmnt -no OPTIONS /tmp`. `noexec` blocks direct execution but not `bash /tmp/script.sh` or any other interpreter, so treat it as friction against drop-and-run tooling rather than a boundary, and expect the occasional installer that unpacks helpers into /tmp to need a temporary remount. CIS applies the same three options to /dev/shm and /var/tmp as well.

### Password Policies
```text
# /etc/login.defs
# Aging values apply to accounts created after the change; update existing
# accounts with: chage -M 90 -m 7 -W 14 <user>
PASS_MAX_DAYS 90
PASS_MIN_DAYS 7
PASS_WARN_AGE 14
# Debian/Ubuntu's PAM stack does not consult PASS_MIN_LEN; length is enforced by minlen below
PASS_MIN_LEN 14
```

```bash
# Install password quality checker (Debian/Ubuntu; RHEL-family systems ship libpwquality by default)
sudo apt install libpam-pwquality
```

```ini
# /etc/security/pwquality.conf
minlen = 14
# A negative credit means "require at least this many characters of the class":
# digits, uppercase, other (symbols), lowercase
dcredit = -1
ucredit = -1
ocredit = -1
lcredit = -1
```

On Debian and Ubuntu the libpam-pwquality package registers the module in `/etc/pam.d/common-password` on install; confirm with `grep pwquality /etc/pam.d/common-password`. Forced rotation is contested: CIS still requires PASS_MAX_DAYS of 365 or less, while NIST SP 800-63B advises against periodic expiry when there is no evidence of compromise. Pick one policy and record the reason.

## Network Hardening
### Kernel Network Parameters
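The drop-in below is the configuration; a check that it is still in effect belongs beside it, because `sysctl -p` only writes values at the moment it runs. A later file in /etc/sysctl.d, a container runtime (Docker sets net.ipv4.ip_forward to 1 when its daemon starts) or an admin's `sysctl -w` can change a value afterwards. The bash script that follows is an added example, not code from the original page: `sysctl_drift` reads a `key = value` file in the same format as the drop-in and compares every key against /proc/sys. The `make_fake_sys` function builds a constructed stand-in for /proc/sys so the demo runs without root and without touching the real kernel; on a host you pass only the file.

```bash
#!/usr/bin/env bash
# sysctl_drift: compare a sysctl drop-in file with the running kernel.
# Added example; not part of the original page.
set -u

# sysctl_drift FILE [SYSROOT]
# Prints OK / DRIFT / MISSING per key. SYSROOT defaults to /proc/sys; passing
# another directory lets the check run against a constructed tree.
# Returns 1 if any key differs from the file or does not exist in the kernel.
sysctl_drift() {
    local file="$1" sysroot="${2:-/proc/sys}" rc=0
    local line key want have path
    while IFS= read -r line || [[ -n "$line" ]]; do
        line="${line%%#*}"                                  # drop comments
        if [[ "$line" =~ ^[[:space:]]*$ ]]; then continue; fi  # and blank lines
        key="${line%%=*}"; want="${line#*=}"
        key="${key//[[:space:]]/}"                          # keys never contain spaces
        want="$(printf '%s' "$want" | tr -s '[:space:]' ' ')"
        want="${want# }"; want="${want% }"
        # net.ipv4.ip_forward -> net/ipv4/ip_forward (interface names with dots,
        # written with '/' in sysctl syntax, would need extra handling)
        path="$sysroot/$(printf '%s' "$key" | tr . /)"
        if [[ ! -r "$path" ]]; then
            printf 'MISSING %s (key not present in this kernel, e.g. IPv6 or a module disabled)\n' "$key"
            rc=1; continue
        fi
        have="$(tr -s '[:space:]' ' ' < "$path")"; have="${have% }"
        if [[ "$have" == "$want" ]]; then
            printf 'OK      %s = %s\n' "$key" "$have"
        else
            printf 'DRIFT   %s: file says %s, kernel has %s\n' "$key" "$want" "$have"
            rc=1
        fi
    done < "$file"
    return "$rc"
}

# Constructed fixture standing in for /proc/sys (not a real kernel): one key that
# matches the page's drop-in, one that drifted, one that does not exist at all.
make_fake_sys() {
    local root="$1"
    mkdir -p "$root/net/ipv4/conf/all"
    echo 1 > "$root/net/ipv4/tcp_syncookies"             # matches the drop-in
    echo 1 > "$root/net/ipv4/ip_forward"                 # drop-in wants 0: DRIFT
    echo 0 > "$root/net/ipv4/conf/all/accept_redirects"  # matches
    # net.ipv6.conf.all.forwarding is deliberately absent: MISSING
}

# Demo against the fixture. On a real host run, as root:
#   sysctl_drift /etc/sysctl.d/99-security.conf
demo_sysctl_drift() {
    local dir rc; dir="$(mktemp -d)"
    make_fake_sys "$dir/sys"
    cat > "$dir/99-security.conf" <<'EOF'
# Disable IP forwarding
net.ipv4.ip_forward = 0
net.ipv6.conf.all.forwarding = 0
net.ipv4.tcp_syncookies = 1
net.ipv4.conf.all.accept_redirects = 0
EOF
    if sysctl_drift "$dir/99-security.conf" "$dir/sys"; then rc=0; else rc=1; fi
    rm -rf "$dir"
    return "$rc"
}

demo_sysctl_drift || echo "drift or missing keys detected"
```

Run it from cron or your configuration-management post-apply hook and alert on a non-zero exit; a DRIFT on `net.ipv4.ip_forward` on a host that does not run containers is worth a look.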
```ini
# /etc/sysctl.d/99-security.conf
# Disable IP forwarding (keep it enabled on routers and on container or VM hosts;
# Docker turns net.ipv4.ip_forward back on when it starts)
net.ipv4.ip_forward = 0
net.ipv6.conf.all.forwarding = 0
# Disable source routing. The "all" keys cover existing interfaces; CIS also
# requires the matching "default" keys so interfaces created later inherit the setting
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv6.conf.all.accept_source_route = 0
net.ipv6.conf.default.accept_source_route = 0
# Enable SYN flood protection
net.ipv4.tcp_syncookies = 1
# Ignore ICMP redirects
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv6.conf.all.accept_redirects = 0
net.ipv6.conf.default.accept_redirects = 0
# Ignore bogus ICMP errors
net.ipv4.icmp_ignore_bogus_error_responses = 1
# Log martian packets (source addresses that cannot be valid on the receiving interface)
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.default.log_martians = 1
```

```bash
# Apply settings from this file only, or `sudo sysctl --system` to reload every drop-in
sudo sysctl -p /etc/sysctl.d/99-security.conf
```

### Firewall Configuration
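A host firewall is only safe to manage remotely if the default-deny policy and the rules that keep the admin session alive take effect together. ufw handles that ordering internally; with raw iptables it is easy to get wrong, and hand-typed rules are gone at the next reboot. The bash script below is an added example, not code from the page: it generates a complete ruleset in `iptables-restore` format for a default-deny host with an allowlist of TCP ports, so the whole table is replaced atomically in one step and the same file can be loaded at boot. The port list, the `/etc/iptables/rules.v4` path in the usage comment, the INVALID-state drop and the rate-limited LOG rule are my additions rather than anything the page specifies.

```bash
#!/usr/bin/env bash
# gen_ruleset: emit a default-deny INPUT ruleset in iptables-restore format.
# Added example; not part of the original page.
set -u

# gen_ruleset PORT... -> ruleset on stdout; returns 1 (and prints nothing) on a bad port
gen_ruleset() {
    local port
    # validate every argument first so a typo fails before any output is produced
    for port in "$@"; do
        if ! [[ "$port" =~ ^[0-9]{1,5}$ ]] || (( 10#$port < 1 || 10#$port > 65535 )); then
            echo "gen_ruleset: invalid TCP port '$port'" >&2
            return 1
        fi
    done
    echo '*filter'
    # chain policies are part of the same atomic load as the rules that follow,
    # so there is no window where INPUT is DROP without the conntrack accept
    echo ':INPUT DROP [0:0]'
    echo ':FORWARD DROP [0:0]'
    echo ':OUTPUT ACCEPT [0:0]'
    echo '-A INPUT -i lo -j ACCEPT'
    echo '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    echo '-A INPUT -m conntrack --ctstate INVALID -j DROP'
    for port in "$@"; do
        # 10# normalises leading zeros ("0022" -> 22) so the rule text is canonical
        echo "-A INPUT -p tcp --dport $((10#$port)) -m conntrack --ctstate NEW -j ACCEPT"
    done
    # rate-limited log of what the policy drops: useful for debugging and as a detection source
    echo '-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables-drop: "'
    echo 'COMMIT'
}

# Usage on a real host (as root), assuming the Debian iptables-persistent layout:
#   gen_ruleset 22 443 > /etc/iptables/rules.v4
#   iptables-restore --test < /etc/iptables/rules.v4 && iptables-restore < /etc/iptables/rules.v4
# Demo: print the ruleset for SSH and HTTPS
gen_ruleset 22 443
```

`iptables-restore --test` parses and builds the ruleset without committing it, so run it first; on nftables-based systems the `iptables-nft` front end accepts the same file, or convert it with `iptables-restore-translate`.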
```bash
# UFW - Uncomplicated Firewall (Ubuntu; a front end for iptables/nftables)
sudo ufw default deny incoming
sudo ufw default allow outgoing
sudo ufw allow ssh          # open the admin port BEFORE enabling, or a remote session is lost
sudo ufw enable
# View status
sudo ufw status verbose
```

```bash
# For more control, use iptables directly. Order matters when typing these over SSH:
# add the accept rules first and switch the policy last, because `-P INPUT DROP`
# with no conntrack rule in place drops the session you are typing in.
sudo iptables -A INPUT -i lo -j ACCEPT
sudo iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT   # adjust if sshd listens elsewhere
sudo iptables -P INPUT DROP
sudo iptables -P FORWARD DROP
sudo iptables -P OUTPUT ACCEPT
# Rules added this way do not survive a reboot: save them with iptables-save
# (the iptables-persistent package on Debian/Ubuntu reloads /etc/iptables/rules.v4 at boot)
sudo iptables-save | sudo tee /etc/iptables/rules.v4 > /dev/null
```

## File System Security
### Set Restrictive Permissions
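Listing set-id files once, as the `find` commands below do, is the easy part; what matters operationally is noticing when the list changes. A new SUID binary is one of the most common privilege-escalation and persistence footholds, and a package upgrade can quietly reintroduce a bit you removed. The bash script below is an added example, not code from the page: it records a baseline of set-id files and on later runs reports any that are new or gone. The baseline path in the usage comment is an assumption; capture the real baseline from a freshly installed host, review it, and keep it where the audited host cannot rewrite it.

```bash
#!/usr/bin/env bash
# setid_audit: diff the set-id (SUID/SGID) files on a filesystem against a baseline.
# Added example; not part of the original page.
set -u
export LC_ALL=C   # deterministic sort order, which comm relies on

# list_setid ROOT -> sorted paths of regular files under ROOT with SUID or SGID set.
# -xdev stays on ROOT's filesystem so /proc, /sys and network mounts are skipped.
list_setid() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null | sort
}

# setid_audit ROOT BASELINE
# Prints "NEW  path" for set-id files absent from BASELINE (investigate these)
# and "GONE path" for baseline entries that are no longer set-id (a removed
# package, or a bit you cleared on purpose; update the baseline afterwards).
# Returns 1 if anything is NEW, 0 otherwise; GONE is informational only.
setid_audit() {
    local root="$1" baseline="$2" rc=0 line
    local cur; cur="$(mktemp)"
    list_setid "$root" > "$cur"
    # comm -13: lines only in the current list; -23: lines only in the baseline.
    # Both inputs must be sorted identically, hence LC_ALL=C and sort -u.
    while IFS= read -r line; do
        printf 'NEW  %s\n' "$line"; rc=1
    done < <(comm -13 <(grep -v '^$' "$baseline" | sort -u) "$cur")
    while IFS= read -r line; do
        printf 'GONE %s\n' "$line"
    done < <(comm -23 <(grep -v '^$' "$baseline" | sort -u) "$cur")
    rm -f "$cur"
    return "$rc"
}

# Usage on a real host (as root), with an assumed baseline location:
#   list_setid / > /var/lib/setid.baseline      # once, after install and review
#   setid_audit / /var/lib/setid.baseline       # from cron; alert on exit status 1
if [[ "${BASH_SOURCE[0]}" == "$0" && $# -eq 2 ]]; then
    setid_audit "$1" "$2"
fi
```

A NEW entry under /tmp, /home or /var is an incident until proven otherwise; a NEW entry under /usr after a package upgrade is the cue to decide whether the bit belongs there and, if not, to clear it and pin the override.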
```bash
# Critical file permissions. Match your distribution's defaults rather than
# tightening blindly: Debian/Ubuntu ship /etc/shadow and /etc/gshadow as
# 0640 root:shadow because programs in group shadow need read access,
# while RHEL-family systems use 0000. Tightening below the default breaks things.
sudo chmod 600 /etc/shadow      # 640 with group shadow on Debian/Ubuntu
sudo chmod 600 /etc/gshadow     # likewise
sudo chmod 644 /etc/passwd
sudo chmod 644 /etc/group
sudo chmod 700 /root
sudo chmod 750 /home/*
# Find world-writable files (-xdev stays on local filesystems, skipping /proc, /sys and network mounts)
sudo find / -xdev -type f -perm -002 -ls 2>/dev/null
# Find SUID/SGID files and review each against what the distribution installs
sudo find / -xdev -type f \( -perm -4000 -o -perm -2000 \) -ls 2>/dev/null
# Remove unnecessary set-id bits. wall is normally setgid tty rather than setuid,
# so `chmod u-s` would be a no-op; clear the group bit instead
sudo chmod g-s /usr/bin/wall
# On Debian/Ubuntu record the override so a package upgrade does not restore the bit
sudo dpkg-statoverride --update --add root tty 0755 /usr/bin/wall
```

### Implement AppArmor/SELinux
```bash
# AppArmor (Ubuntu/Debian)
sudo apt install apparmor apparmor-utils
# Switch installed profiles to enforce mode. /etc/apparmor.d also holds the
# abstractions/, tunables/ and local/ directories, which are not profiles, so
# only pass regular files; check aa-status first for profiles shipped in
# complain mode and review their logs before enforcing them
for p in /etc/apparmor.d/*; do [ -f "$p" ] && sudo aa-enforce "$p"; done
# Check status
sudo aa-status
```

```bash
# SELinux (RHEL/CentOS)
sudo setenforce 1               # runtime only; does not survive a reboot
getenforce                      # should return "Enforcing"
# Make it persistent
sudo sed -i 's/^SELINUX=.*/SELINUX=enforcing/' /etc/selinux/config
# Check for denials
sudo ausearch -m avc -ts recent
```

## CIS Benchmark Highlights
| Control | Description | Priority |
|---|---|---|
| 1.1.1 | Disable unused filesystems | High |
| 1.5.1 | Ensure bootloader password is set | Medium |
| 3.4.1 | TCP Wrappers installed | Medium |
| 4.2.1 | Configure rsyslog | High |
| 5.1.1 | Ensure cron is restricted | High |
| 5.2.1 | SSH configuration | Critical |

Section numbers shift between benchmark versions and between distributions, so check each control against the current benchmark for your OS rather than relying on the numbers above. The priority column is this page's triage, not a CIS level. TCP Wrappers (libwrap) is unmaintained and several distributions no longer ship it; where it is absent, the host firewall rules above cover the same intent.
## Verification Script
```bash
#!/bin/bash
# Quick security check script. Run as root: `sshd -T` prints the effective
# configuration (including /etc/ssh/sshd_config.d/ drop-ins and defaults), which
# a grep of sshd_config alone misses, and `ufw status` also needs root.
[ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; exit 1; }
echo "=== Security Audit ==="
echo -n "Root login via SSH disabled: "
sshd -T 2>/dev/null | grep -qi "^permitrootlogin no" && echo "PASS" || echo "FAIL"
echo -n "Password auth disabled: "
sshd -T 2>/dev/null | grep -qi "^passwordauthentication no" && echo "PASS" || echo "WARN"
echo -n "Firewall enabled: "
ufw status 2>/dev/null | grep -q "Status: active" && echo "PASS" || echo "FAIL"
echo -n "Automatic updates: "
dpkg -l unattended-upgrades 2>/dev/null | grep -q "^ii" && echo "PASS" || echo "WARN"
```

- linux
- hardening
- security
- cis benchmarks
- defense in depth