25 Hardening Security Tips for Linux Servers

In reality, however, the vast majority of SSH key pairs are even more complex. For this reason, SSH key pairs should be one of the first measures implemented when adopting a proactive server security strategy. Before utilizing SSH keys, it’s important to understand why you may want to implement them instead of the standard username and password setup.

  • A good understanding of your systems, and keeping that knowledge up to date, is important.
  • For more information about installation, configuration and usage, visit the URL below.
  • Tools like Snort or Suricata can be used for network-based IDS, while AIDE or Samhain can be used for host-based intrusion detection.
  • It helps to find missing security controls, so additional system hardening measures can be applied to systems.
  • Also, as a disclaimer, not every Windows app runs on Linux with Wine.

LKRG works in a post-detect fashion, attempting to respond to unauthorized modifications to the running Linux kernel. While it is bypassable by design, it does stop off-the-shelf malware that does not specifically target LKRG itself. This may make exploits harder to develop and execute on vulnerable systems. It’s also recommended to change the default SSH port (22) to another, higher-numbered port.

Enable Automatic Updates

There are also some methods of kernel attack surface reduction and access restrictions to sysfs that can further improve security. Consider adding the mount options nodev, noexec, and nosuid to mount points which do not need the respective capabilities. There are several things you can do to harden the Linux kernel, including setting appropriate kernel parameters and blacklisting unnecessary kernel modules. On some distributions, it may be possible for applications running as a wheel or sudo user to make firewall changes through polkit. To prevent this, enable firewalld lockdown mode with sudo firewall-cmd --lockdown-on. They are more common in server environments where individual services are built to operate independently.

Disk quotas are simply limits set by the system administrator which restrict how much of the Linux filesystem other users can consume. If you are hardening your Linux security, implementing disk quotas is mandatory for your server. When performing Linux server hardening tasks, admins should give extra attention to the underlying system partitions. Malicious users may leverage partitions like /tmp, /var/tmp, and /dev/shm to store and execute unwanted programs. Luckily, you can secure these partitions by adding some parameters to their entries in your /etc/fstab file.
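As an added example (not code from the original article), and serving both the nodev/noexec/nosuid advice above and the /etc/fstab hint in this paragraph, the POSIX shell script below audits an fstab for /tmp, /var/tmp and /dev/shm and reports which of the three options each entry is missing. The fstab it checks is a constructed sample, and check_fstab is an assumed helper name.

```shell
# Audit an fstab for the scratch mount points named in the article (/tmp,
# /var/tmp, /dev/shm) and report which of nodev, noexec, nosuid each lacks.
# Added example, not from the article; the fstab below is a constructed sample.
REQUIRED_OPTS="nodev noexec nosuid"
WATCHED_MOUNTS="/tmp /var/tmp /dev/shm"

# check_fstab FILE
# Prints one line per watched mount point:
#   "<mount> OK", "<mount> MISSING:<opt>[,<opt>...]" or "<mount> ABSENT"
# Returns 0 only if every watched mount point is present and fully hardened.
check_fstab() {
    file="$1"
    rc=0
    for mnt in $WATCHED_MOUNTS; do
        # fstab field 2 is the mount point, field 4 the option list; skip comments
        opts=$(awk -v m="$mnt" '$1 !~ /^#/ && $2 == m { print $4; exit }' "$file")
        if [ -z "$opts" ]; then
            echo "$mnt ABSENT"
            rc=1
            continue
        fi
        missing=""
        for want in $REQUIRED_OPTS; do
            # wrap in commas so "nodev" cannot match inside another option name
            case ",$opts," in
                *",$want,"*) ;;
                *) missing="${missing:+$missing,}$want" ;;
            esac
        done
        if [ -z "$missing" ]; then
            echo "$mnt OK"
        else
            echo "$mnt MISSING:$missing"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample: /tmp fully hardened, /dev/shm lacks noexec, /var/tmp absent.
SAMPLE_FSTAB=$(mktemp)
cat > "$SAMPLE_FSTAB" <<'EOF'
# <device>        <mount point> <type> <options>                    <dump> <pass>
UUID=0000-SAMPLE  /             ext4   defaults                     0 1
tmpfs             /tmp          tmpfs  defaults,nodev,noexec,nosuid 0 0
tmpfs             /dev/shm      tmpfs  defaults,nodev,nosuid        0 0
EOF
check_fstab "$SAMPLE_FSTAB" || echo "fstab hardening gaps found"
rm -f "$SAMPLE_FSTAB"
```

Run check_fstab /etc/fstab on a real host, and also compare the live mount (for example findmnt -no OPTIONS /tmp), since a remount or a systemd mount unit can leave the active options different from what fstab declares.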

Investigate IP Addresses

For me, CIS and STIG compliance are about the best prescriptive guides – but of course you can choose a different one (e.g. PCI-DSS, DISA). In my opinion, you should drop all non-industry policies, articles, manuals, and others, especially on production environments and standalone home servers. These lists exist to give a false sense of security and aren’t based on authoritative standards. For example, mod_dav and mod_dav_fs should always be disabled, while the log_config module should always be loaded and enabled.

In the Linux kernel, “root privileges” are split up into various different capabilities. This is helpful in applying the principle of least privilege: instead of giving a process total root privileges, you can grant it only a specific subset. For example, if a program simply needs to set your system time, then it only needs CAP_SYS_TIME rather than total root. TIOCSTI is an ioctl which allows injecting characters into a terminal’s input queue, and it provides an attacker with an easy mechanism to move laterally among other processes within the same user’s session. This attack can be mitigated by blacklisting the ioctl in your seccomp filter or by using bubblewrap’s --new-session argument.
