HxHippy

Linux System Hardening

Comprehensive guide to hardening Linux systems against attacks.

Last updated: 2025-01-15

Linux Hardening Fundamentals

A defense-in-depth approach to Linux security involves multiple layers of protection.

Initial System Hardening

Disable Unnecessary Services

# List all enabled services
systemctl list-unit-files --state=enabled

# Disable services you don't need
sudo systemctl disable cups.service
sudo systemctl disable avahi-daemon.service
sudo systemctl disable bluetooth.service
sudo systemctl disable rpcbind.service

# Mask units so they cannot be started at all, not even as a dependency of
# another unit (here: the Ctrl+Alt+Del reboot target)
sudo systemctl mask ctrl-alt-del.target

Secure Mount Options

Edit /etc/fstab with security mount options:

# Recommended mount options
# fstab fields: <device> <mount point> <type> <options> <dump> <pass>
# The UUID values are placeholders; take the real ones from `blkid`
tmpfs             /tmp    tmpfs   defaults,nodev,nosuid,noexec    0 0
UUID=<var-uuid>   /var    ext4    defaults,nodev                  0 2
UUID=<home-uuid>  /home   ext4    defaults,nodev,nosuid           0 2

# Mount options explained:
# nodev   - No device files interpreted
# nosuid  - No SUID/SGID bits honored
# noexec  - No binaries executed
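Checking that these options are actually present is easy to get wrong by eye, especially when a line is missing its device column. The script below is an added example, not part of the original guide: it audits an fstab-style file against the /tmp, /var and /home policy above and flags malformed entries; the sample fstab it writes is constructed for the demonstration.

```shell
#!/bin/bash
# Added example (not from the original page): audit an fstab-style file against the
# mount options recommended above. The sample fstab below is constructed, not a real host's.

# Options the policy above requires per mount point (none for other paths).
required_opts() {
  case "$1" in
    /tmp)  echo "nodev nosuid noexec" ;;
    /home) echo "nodev nosuid" ;;
    /var)  echo "nodev" ;;
    *)     echo "" ;;
  esac
}

# Reads an fstab file, prints one finding per line, returns 1 if there were any.
# Fields: <device> <mountpoint> <type> <options> [<dump> [<pass>]]
audit_fstab() {
  local file=$1 rc=0 dev mnt type opts dump pass o
  while read -r dev mnt type opts dump pass; do
    case "$dev" in ''|'#'*) continue ;; esac   # skip blank lines and comments
    # A mount point is an absolute path (or none/swap); anything else usually means
    # the device column was left out and every field shifted one place left.
    case "$mnt" in
      /*|none|swap) ;;
      *) echo "$dev: malformed entry, mount point '$mnt' is not a path"; rc=1; continue ;;
    esac
    for o in $(required_opts "$mnt"); do
      case ",$opts," in                        # match a whole comma-separated token
        *",$o,"*) ;;
        *) echo "$mnt: missing $o"; rc=1 ;;
      esac
    done
  done < "$file"
  return "$rc"
}

# Constructed sample: /home lacks nosuid and the last line omits the device field.
write_sample_fstab() {
  cat > "$1" <<'EOF'
# <device>      <mountpoint> <type> <options>                    <dump> <pass>
UUID=2222-bbbb  /home        ext4   defaults,nodev               0      2
UUID=3333-cccc  /var         ext4   defaults,nodev               0      2
tmpfs           /tmp         tmpfs  defaults,nodev,nosuid,noexec 0      0
/dev/shm        tmpfs        defaults,nodev,nosuid               0      0
EOF
}

sample=$(mktemp); write_sample_fstab "$sample"
if audit_fstab "$sample"; then echo "fstab: all checks passed"; fi
rm -f "$sample"
```

Point `audit_fstab` at `/etc/fstab` to check a real system; a non-zero exit status means at least one finding was printed.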

Password Policies

# /etc/login.defs
# These ageing values apply to accounts created from now on; for existing
# accounts apply them with chage, e.g. `sudo chage -M 90 -m 7 -W 14 <user>`
PASS_MAX_DAYS   90
PASS_MIN_DAYS   7
PASS_WARN_AGE   14
# With PAM in use, the effective minimum length comes from pwquality's minlen below
PASS_MIN_LEN    14

# Install password quality checker
sudo apt install libpam-pwquality

# /etc/security/pwquality.conf
minlen = 14
dcredit = -1
ucredit = -1
ocredit = -1
lcredit = -1

Network Hardening

Kernel Network Parameters

# /etc/sysctl.d/99-security.conf
# Note: the net.ipv4.conf.all.* / net.ipv6.conf.all.* keys change interfaces that
# already exist; the matching conf.default.* keys set the value for interfaces
# created later, so set both when you want the policy to stick.
# Disable IP forwarding
net.ipv4.ip_forward = 0
net.ipv6.conf.all.forwarding = 0

# Disable source routing
net.ipv4.conf.all.accept_source_route = 0
net.ipv6.conf.all.accept_source_route = 0

# Enable SYN flood protection
net.ipv4.tcp_syncookies = 1

# Ignore ICMP redirects
net.ipv4.conf.all.accept_redirects = 0
net.ipv6.conf.all.accept_redirects = 0

# Ignore bogus ICMP errors
net.ipv4.icmp_ignore_bogus_error_responses = 1

# Log martian packets
net.ipv4.conf.all.log_martians = 1

# Apply settings (sysctl --system reloads every file under /etc/sysctl.d/)
sudo sysctl -p /etc/sysctl.d/99-security.conf

Firewall Configuration

# UFW - Uncomplicated Firewall
sudo ufw default deny incoming
sudo ufw default allow outgoing
sudo ufw allow ssh
sudo ufw enable

# View status
sudo ufw status verbose

# For more control, use iptables. Add the ACCEPT rules first and switch the
# policy to DROP last; doing it the other way round over SSH cuts off the
# session you are working from.
sudo iptables -A INPUT -i lo -j ACCEPT
sudo iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT  # same as `ufw allow ssh`
sudo iptables -P INPUT DROP
sudo iptables -P FORWARD DROP
sudo iptables -P OUTPUT ACCEPT

# Rules are lost on reboot unless saved (iptables-persistent reads this file)
sudo iptables-save | sudo tee /etc/iptables/rules.v4 > /dev/null

File System Security

Set Restrictive Permissions

# Critical file permissions (run as root)
# Debian/Ubuntu ship /etc/shadow and /etc/gshadow as 640 root:shadow and some
# PAM helpers rely on that group; check your distribution's baseline before
# tightening to 600
chmod 600 /etc/shadow
chmod 600 /etc/gshadow
chmod 644 /etc/passwd
chmod 644 /etc/group
chmod 700 /root
chmod 750 /home/*

# Find world-writable files (-xdev keeps find on local filesystems, skipping /proc and /sys)
find / -xdev -type f -perm -002 -ls 2>/dev/null

# Find SUID/SGID files
find / -xdev -type f \( -perm -4000 -o -perm -2000 \) -ls 2>/dev/null

# Remove unnecessary SUID/SGID bits. wall is normally setgid tty rather than
# setuid, so clear both bits; note a package upgrade may restore them
chmod u-s,g-s /usr/bin/wall

Implement AppArmor/SELinux

# AppArmor (Ubuntu/Debian)
sudo apt install apparmor apparmor-utils
sudo aa-enforce /etc/apparmor.d/*

# Check status
sudo aa-status

# SELinux (RHEL/CentOS)
# setenforce only changes the running mode; to survive a reboot also set
# SELINUX=enforcing in /etc/selinux/config
sudo setenforce 1
getenforce  # Should return "Enforcing"

# Check for denials
sudo ausearch -m avc -ts recent

CIS Benchmark Highlights

Control   Description                     Priority
1.1.1     Disable unused filesystems      High
1.5.1     Ensure bootloader password      Medium
3.4.1     TCP Wrappers installed          Medium
4.2.1     Configure rsyslog               High
5.1.1     Ensure cron is restricted       High
5.2.1     SSH configuration               Critical

Verification Script

#!/bin/bash
# Quick security check script (run as root: sshd -T and ufw status need it)

echo "=== Security Audit ==="

# sshd -T prints the effective configuration with lowercased keywords, so this
# also covers settings placed in /etc/ssh/sshd_config.d/*.conf and does not
# trip over a commented-out or indented line in sshd_config
sshd_cfg=$(sshd -T 2>/dev/null)

echo -n "Root login via SSH: "
grep -q "^permitrootlogin no$" <<<"$sshd_cfg" && echo "PASS" || echo "FAIL"

echo -n "Password auth disabled: "
grep -q "^passwordauthentication no$" <<<"$sshd_cfg" && echo "PASS" || echo "WARN"

echo -n "Firewall enabled: "
ufw status 2>/dev/null | grep -q "Status: active" && echo "PASS" || echo "FAIL"

echo -n "Automatic updates: "
dpkg -l unattended-upgrades 2>/dev/null | grep -q "^ii" && echo "PASS" || echo "WARN"

intermediate | System Hardening | Updated 2025-01-15

Tags: linux, hardening, security, cis benchmarks, defense in depth