Hardening Linux Server

Hardening Linux Server: Complete Guide for Beginners & Sysadmins

  • Table of Contents
    • Introduction to Server Hardening
    • Why Security Hardening Matters
    • Pre-Deployment Considerations
    • User Account Security
    • SSH Configuration Best Practices
    • Firewall Configuration (UFW, firewalld)
    • Disabling Unnecessary Services
    • Security Updates & Patch Management
    • File System Security Tips
    • Intrusion Detection Systems (IDS)
    • Logging & Auditing
    • Kernel Hardening
    • SELinux / AppArmor Overview
    • Monitoring Suspicious Activity
    • Automating Hardening with Scripts
    • Common Mistakes to Avoid
    • Resources and Tools

Introduction to Server Hardening
Linux server hardening is the process of enhancing the security of your system by reducing its attack surface. This includes configuring the OS, apps, and network services securely.

Why Security Hardening Matters
– Prevent unauthorized access
– Minimize data breaches
– Comply with standards like PCI-DSS, ISO 27001

Pre-Deployment Considerations
– Use a minimal Linux distro
– Avoid GUI unless required
– Enable full disk encryption
– Use strong passwords and/or SSH keys

User Account Security
Disable direct root login, grant privileges through sudo, enforce password policies, and enable account lockout. Start by creating a non-root account with sudo rights:

sudo adduser secureuser
sudo usermod -aG sudo secureuser

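SSH Configuration Best Practices
Edit /etc/ssh/sshd_config, then restart the service. Because PasswordAuthentication no leaves keys as the only way in, confirm that the account named in AllowUsers can log in with its SSH key first, and keep your current session open until a new login succeeds:

PermitRootLogin no
PasswordAuthentication no
AllowUsers secureuser

sudo systemctl restart sshd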

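Firewall Configuration
Use UFW or firewalld to control traffic. The example below allows 2222/tcp; if sshd listens on a different port (the default is 22), allow that port before running ufw enable, otherwise the default-deny rule will cut off your SSH access: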

sudo ufw default deny incoming
sudo ufw allow 2222/tcp
sudo ufw enable
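
The SSH settings and the firewall rule above only work together if sshd actually listens on the port UFW admits. The following added example (not part of the original guide) checks both offline from saved files; the function names and the sample data are constructed for illustration, and Include files and Match blocks are assumed not to matter.

```bash
#!/bin/bash
# Added example: audit an sshd_config (or saved `sshd -T` output) against this
# guide's settings and check the SSH port against saved `ufw status` output.
# Assumption: Include files and Match blocks are not evaluated here.

# Print the value of the first uncommented occurrence of keyword $1 in file $2
# (sshd keywords are case-insensitive and the first value obtained wins).
sshd_value() {
    awk -v key="$1" '{ sub(/#.*/, "") }
        tolower($1) == tolower(key) { $1 = ""; sub(/^ +/, ""); print; exit }' "$2"
}

# Print one FAIL line per deviation; the return status is the failure count.
audit_sshd() {
    local file=$1 fails=0 key want got
    while read -r key want; do
        got=$(sshd_value "$key" "$file" | tr 'A-Z' 'a-z')
        if [ "$got" != "$want" ]; then
            echo "FAIL $key: want '$want', got '${got:-unset}'"
            fails=$((fails + 1))
        fi
    done <<'EOF'
permitrootlogin no
passwordauthentication no
EOF
    if [ -z "$(sshd_value allowusers "$file")" ]; then
        echo "FAIL allowusers: no allow-list set"
        fails=$((fails + 1))
    fi
    return "$fails"
}

# Succeed if the sshd port (default 22) has an ALLOW or LIMIT rule in file $2.
ssh_port_allowed() {
    local port; port=$(sshd_value port "$1")
    grep -Eq "^${port:-22}(/tcp)?[[:space:]]+(ALLOW|LIMIT)" "$2"
}

# Constructed sample: weak config on the default port behind a firewall that
# only admits 2222/tcp, which is the lockout case.
demo() {
    local d; d=$(mktemp -d)
    printf '%s\n' 'PermitRootLogin yes' '#PasswordAuthentication no' > "$d/sshd_config"
    printf '%s\n' 'Status: active' '2222/tcp      ALLOW       Anywhere' > "$d/ufw.txt"
    audit_sshd "$d/sshd_config" || echo "$? sshd setting(s) need fixing"
    ssh_port_allowed "$d/sshd_config" "$d/ufw.txt" || echo "FAIL firewall: no allow rule for the sshd port"
    rm -rf "$d"
}
demo
```

On a live host, save the output of sudo sshd -T and sudo ufw status to files and pass those to the two functions; sshd -T prints the effective configuration, including values that come from included files.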

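Disabling Unnecessary Services
List the services on the system, then stop and disable the ones you do not need (--now stops the running unit as well as disabling it at boot):

systemctl list-units --type=service
sudo systemctl disable --now bluetooth.service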

Security Updates & Patch Management

sudo apt update && sudo apt upgrade -y
sudo apt install unattended-upgrades

File System Security

chmod 700 ~/.ssh
chmod 600 ~/.ssh/authorized_keys

Intrusion Detection Systems (IDS)

sudo apt install aide
sudo aideinit

Logging & Auditing

sudo apt install auditd
sudo systemctl enable auditd

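Kernel Hardening
Use sysctl to tweak kernel settings. Put the parameters in /etc/sysctl.conf or a file under /etc/sysctl.d/, then load them with sudo sysctl --system: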

net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.all.accept_redirects = 0

SELinux / AppArmor
– SELinux (CentOS)
– AppArmor (Ubuntu)

Monitoring Suspicious Activity
Install fail2ban, rkhunter, or chkrootkit:

sudo apt install fail2ban

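Automating Hardening
Use Bash scripts or Ansible:

#!/bin/bash
# Run as root. Stop at the first failing command.
set -euo pipefail
ufw allow 2222/tcp
# --force skips the interactive confirmation prompt so the script does not hang
ufw --force enable
apt-get install -y fail2ban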

Common Mistakes to Avoid
– Weak passwords
– Open ports
– No log monitoring
– Not patching regularly

Resources
Lynis Audit Tool
OpenSCAP Project
