
25 Hardening Security Tips for Linux Servers

Everybody says that Linux is secure by default, and that is agreed to some extent (it is a debatable topic). Linux does have an in-built security model in place by default, but you need to tune it up and customize it as per your needs, which helps to make the system more secure. Linux is harder to manage but offers more flexibility and configuration options.

Securing a system in production from the hands of hackers and crackers is a challenging task for a System Administrator. This is our first article related to "How to Secure a Linux Box" or "Hardening a Linux Box". In this post we'll explain 25 useful tips and tricks to secure your Linux system. Hope the tips and tricks below will help you to some extent to secure your system.
1. Physical System Security

Configure the BIOS to disable booting from CD/DVD, external devices and the floppy drive. Next, enable a BIOS password and also protect GRUB with a password to restrict physical access to your system. Without these, anyone with physical access can boot from their own media, mount the disks and read or change any file, so this is the foundation every later tip rests on.
Read Also: Set GRUB Password to Protect Linux Servers

2. Disk Partitions

It's important to have different partitions to obtain higher data security in case a disaster happens. By creating different partitions, data can be separated and grouped. When an unexpected accident occurs, only the data of that partition will be damaged, while the data on other partitions survives. Separate partitions also let you apply restrictive mount options (for example nodev, nosuid and noexec on /tmp) that cannot be applied to a single root file system, and they keep a runaway log or upload from filling the root file system. Make sure you have the following separate partitions, and that third-party applications are installed on separate file systems under /opt.
/ /boot /usr /var /home /tmp /opt

3. Minimize Packages to Minimize Vulnerability

Do you really want all sorts of services installed? It's recommended to avoid installing useless packages, to avoid vulnerabilities in packages. This minimizes the risk that the compromise of one service leads to the compromise of other services. Find and remove or disable unwanted services from the server to minimize vulnerability. Use the 'chkconfig' command to find out which services are running on run level 3 (on systemd-based distributions, systemctl's list-unit-files gives the equivalent list of enabled units).
# /sbin/chkconfig --list |grep '3:on'

Once you've found out that an unwanted service is running, disable it using the following command.
# chkconfig serviceName off

Use the package manager, 'yum' on RPM-based systems or 'apt-get' on Debian-based ones, to list all installed packages on a system and remove the unwanted ones using the following command.
# yum -y remove package-name
# sudo apt-get remove package-name

4. Check Listening Network Ports

With the help of the 'netstat' networking command you can view all open ports and the programs associated with them (on newer distributions netstat is deprecated and 'ss' accepts the same options). Anything listening on a non-loopback address that you did not intentionally expose should be stopped; as I said above, use the 'chkconfig' command to disable all unwanted network services from the system.
# netstat -tulpn

". #se Secure Shell$SS%&

Te net and r ogin protocols uses plain text not encrypted format "hich is the security !reaches. SSH is a secure protocol that use encryption technology during communication "ith ser&er. %e&er login directly as root unless necessary. -se sudo to execute commands. sudo are specified in &etc&sudoers file also can !e edited "ith the visudo utility "hich opens in '" editor. Its also recommended to change default SSH 22 port num!er "ith some other higher le&el port num!er. /pen the main SSH configuration file and make some follo"ing parameters to restrict users to access.
# vi /etc/ssh/sshd config

Disable root Login


!ermit"oot#ogin no

'nly allo! S(eci)ic #sers


$llo%&sers username

#se SS% Protocol 2 Version


!rotocol '
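As an added example, not part of the original article, the script below checks an sshd_config the way sshd itself reads it (case-insensitive keywords, first value wins, Match blocks skipped) and reports the settings discussed above. The two configuration files it audits are constructed sample data, not a real host's configuration.

```shell
#!/bin/sh
# Added example (not from the original article): audit the global section of an
# sshd_config for the settings recommended above. Two sshd rules matter here:
# keywords are case-insensitive, and for each keyword sshd keeps the FIRST value
# it reads, so a later "PermitRootLogin no" does not override an earlier "yes".
# Directives after the first "Match" line are conditional and are skipped.

# sshd_global FILE KEYWORD -> prints the effective global value, or nothing if unset
sshd_global() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        $1 ~ /^#/ || NF == 0 { next }                         # comments and blank lines
        tolower($1) == "match" { exit }                       # conditional block: stop here
        tolower($1) == key { $1 = ""; sub(/^ +/, ""); print; exit }   # first occurrence wins
    ' "$1"
}

# audit_sshd FILE -> prints findings, returns 0 only when every check passes
audit_sshd() {
    rc=0
    root=$(sshd_global "$1" PermitRootLogin)
    if [ "$root" != "no" ]; then
        echo "FAIL PermitRootLogin=${root:-unset} (want: no)"; rc=1
    fi
    proto=$(sshd_global "$1" Protocol)
    case "$proto" in
        *1*) echo "FAIL Protocol=$proto still offers SSH-1"; rc=1 ;;
    esac
    users=$(sshd_global "$1" AllowUsers)
    [ -n "$users" ] || { echo "FAIL AllowUsers unset: any account may log in"; rc=1; }
    port=$(sshd_global "$1" Port)
    [ "${port:-22}" != "22" ] || echo "INFO Port 22: default port, only scanner noise is at stake"
    [ "$rc" -eq 0 ] && echo "PASS $1"
    return "$rc"
}

# Constructed sample configs (illustrative data, not a real host's config).
WEAK_CFG=$(mktemp); HARD_CFG=$(mktemp)
trap 'rm -f "$WEAK_CFG" "$HARD_CFG"' EXIT
# The lower-case "permitrootlogin no" is ignored by sshd because "yes" came first,
# and the "no" inside the Match block only applies to that user.
cat > "$WEAK_CFG" <<'EOF'
# stock-looking config
Port 22
Protocol 2,1
PermitRootLogin yes
permitrootlogin no
Match User backup
    PermitRootLogin no
EOF
cat > "$HARD_CFG" <<'EOF'
Port 2222
Protocol 2
PermitRootLogin no
AllowUsers admin deploy
EOF

audit_sshd "$WEAK_CFG" || true    # three FAIL lines and one INFO line
audit_sshd "$HARD_CFG" || true    # PASS
```

Run it against /etc/ssh/sshd_config on the real host before restarting sshd; a FAIL line for PermitRootLogin on a file that contains "PermitRootLogin no" usually means an earlier "yes" is still present higher up.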

6. Keep System Updated

Always keep the system updated with the latest release patches, security fixes and kernel when they are available. Check what is pending first, then apply; a kernel update only takes effect after a reboot.
# yum check-update
# yum update

7. Lockdown Cronjobs

Cron has its own built-in feature which allows you to specify who may and who may not run jobs. This is controlled by the files /etc/cron.allow and /etc/cron.deny. To lock a user out of cron, simply add the user name to cron.deny; to allow a user to run cron, add it to the cron.allow file. If cron.allow exists it takes precedence and cron.deny is not consulted at all, so the tightest setup is a cron.allow containing only the accounts that need it. If you would like to disable all users from using cron, add the 'ALL' line to the cron.deny file.
# echo ALL >>/etc/cron.deny

8. Disable USB Stick Detection

Many times it happens that we want to restrict users from using USB sticks on systems, to protect data from being stolen. Create a file '/etc/modprobe.d/no-usb' (current versions of modprobe only read files with a .conf extension, so name it no-usb.conf) and add the line below; the usb-storage module will then never be loaded, so USB storage will not be detected. The 'install' directive is preferred over 'blacklist' because it also defeats an explicit 'modprobe usb-storage'. A root user can still load the module by hand with insmod, so this is a guard against ordinary users and auto-loading, not against a compromised root account.
install usb-storage /bin/true

9. Turn on SELinux

Security-Enhanced Linux (SELinux) is a mandatory access control security mechanism provided in the kernel. Disabling SELinux means removing that security mechanism from the system. Think twice carefully before removing it; if your system is attached to the internet and accessed by the public, then think some more on it. SELinux provides three basic modes of operation:

Enforcing: This is the default mode, which enables and enforces the SELinux security policy on the machine.
Permissive: In this mode, SELinux will not enforce the security policy on the system; it only warns and logs actions. This mode is very useful for troubleshooting SELinux-related issues.
Disabled: SELinux is turned off.

You can view the current status of the SELinux mode from the command line using the 'system-config-selinux', 'getenforce' or 'sestatus' commands.
# sestatus

If it is in permissive mode, switch it to enforcing using the following command.
# setenforce enforcing

It can also be managed from the '/etc/selinux/config' file, where you can enable or disable it persistently. Note that setenforce cannot turn SELinux on when it is disabled: in that case set SELINUX=enforcing in /etc/selinux/config, create the /.autorelabel flag file so the file system is relabeled, and reboot.
10. Remove KDE/GNOME Desktops

There is no need to run X Window desktops like KDE or GNOME on your dedicated LAMP server. You can remove or disable them to increase the security and performance of the server. To disable it, simply open the file '/etc/inittab' and set the default run level to 3 (on systemd-based distributions the equivalent is setting the default target to multi-user.target). If you wish to remove it completely from the system, use the below command.
# yum groupremove "X Window System"

11. Turn Off IPv6

If you're not using the IPv6 protocol then you should disable it, because most applications or policies do not require IPv6 and it is not currently required on the server. Confirm first that nothing on the host depends on it; if you leave it enabled, make sure the firewall rules in tip 16 are applied to IPv6 as well (ip6tables), otherwise a service bound to :: is reachable with no filtering at all. Go to the network configuration file and add the following lines to disable it.
# vi /etc/sysconfig/network
NETWORKING_IPV6=no
IPV6INIT=no

12. Restrict Users to Use Old Passwords

This is very useful if you want to disallow users from re-using their old passwords. The old password file is located at /etc/security/opasswd. This can be achieved by using the PAM module. Open the '/etc/pam.d/system-auth' file under RHEL / CentOS / Fedora.
# vi /etc/pam.d/system-auth

Open the '/etc/pam.d/common-password' file under Ubuntu/Debian/Linux Mint.
# vi /etc/pam.d/common-password

Add the following line to the 'auth' section.
auth sufficient pam_unix.so likeauth nullok

Add the following line to the 'password' section to disallow a user from re-using their last 5 passwords.
password sufficient pam_unix.so nullok use_authtok md5 shadow remember=5

Only the last 5 passwords are remembered by the server. If you try to use any of the last 5 old passwords, you will get an error like:
Password has been already used. Choose another.

Two caveats about these lines: 'md5' selects the old md5crypt hash, which is far cheaper to brute-force than sha512crypt, so use 'sha512' on any current system; and 'nullok' allows accounts with an empty password to log in, which is exactly what tip 18 is trying to catch, so drop it unless you have a specific reason to keep it.

13. How to Check Password Expiration of User

In Linux, users' passwords are stored in the '/etc/shadow' file in hashed form. To check the password expiration of users you need to use the 'chage' command. It displays the password expiration details along with the last password change date. These details are used by the system to decide when a user must change his/her password. To view any existing user's aging information, such as the expiry date and time, use the following command.
# chage -l username

To change the password aging of any user, use the following command.
# chage -M 60 username
# chage -M 60 -m 7 -W 7 userName

Parameters
-M  Set maximum number of days
-m  Set minimum number of days
-W  Set the number of days of warning

14. Lock and Unlock Account Manually

The lock and unlock features are very useful: instead of removing an account from the system you can lock it for a week or a month. To lock a specific user you can use the following command.
# passwd -l accountName

Note: The locked user is still available to the root user only. The locking is performed by prefixing the encrypted password with a '!' string, so no password can match it while the original hash is preserved. If someone tries to access the system using this account, they will get an error similar to the below.
# su - accountName
This account is currently not available.

Be aware that a password lock only blocks password authentication: on most distributions sshd hands the account check to PAM, and an SSH public key can still log in to a locked account. To block every login path, also expire the account with chage's -E option (an expiry date in the past) or set its shell to /sbin/nologin, which is what produces the message shown above.

To unlock or enable access to a locked account, use the command below. This will remove the '!' string from the encrypted password.
# passwd -u accountName

1". 3n)orcing Stronger Pass!or,s

0 num!er of users use soft or "eak pass"ords and their pass"ord might !e hacked "ith a dictionary based or !rute8force attacks. The .pam9crack ib. module is a&aila!le in .A/ 2. uggab e Authentication /odu es3 module stack "hich "ill force user to set strong pass"ords. /pen the follo"ing file "ith an editor. ;ead 0lso:
# vi /etc/pam)d/system-auth

-nd add line using credit parameters as (lcredit, ucredit, dcredit and.or ocredit respectively lower!case, upper!case, digit and other)
/lib/security/=2-$/pam cracklib)so dcredit6-' ocredit6-? retry63 minlen6> lcredit6-? ucredit6-'
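As an added example that is not from the original article, the script below models the credit arithmetic of pam_cracklib (and pam_pwquality) so you can see what a given parameter line will accept before you lock it in. It covers only the length and class rules; the modules' dictionary, palindrome and old-password checks are not modelled, and the sample passwords are constructed.

```shell
#!/bin/sh
# Added example (not from the original article): a stand-alone model of how
# pam_cracklib / pam_pwquality turn the credit parameters into an accept/reject
# decision. Rules, per the modules' man pages:
#  * a NEGATIVE lcredit/ucredit/dcredit/ocredit is a hard minimum number of
#    characters of that class and earns no credit;
#  * a NON-NEGATIVE value is the maximum "length credit" that class can earn,
#    one point per character up to that cap;
#  * the password is long enough when length + credits >= minlen.

# pwcheck PASSWORD MINLEN LCREDIT UCREDIT DCREDIT OCREDIT -> 0 if accepted, 1 if not
pwcheck() {
    printf '%s\n' "$1" | awk -v minlen="$2" -v lc="$3" -v uc="$4" -v dc="$5" -v oc="$6" '
    function credit(n, lim) {
        if (lim < 0) {                      # hard minimum, no credit
            if (n < -lim) below_min = 1
            return 0
        }
        return (n < lim) ? n : lim          # credit capped at lim
    }
    {
        len = length($0)
        nl = gsub(/[a-z]/, "&")             # gsub returns the number of matches
        nu = gsub(/[A-Z]/, "&")
        nd = gsub(/[0-9]/, "&")
        no = len - nl - nu - nd             # everything else counts as "other"
        score = len + credit(nl, lc) + credit(nu, uc) + credit(nd, dc) + credit(no, oc)
        if (below_min) {
            print "REJECT class minimum not met"; exit 1
        }
        if (score < minlen) {
            print "REJECT score " score " < minlen " minlen; exit 1
        }
        print "ACCEPT score " score
        exit 0
    }'
}

# The policy from the article: 8+ chars, >=1 lower, >=2 upper, >=2 digits, >=1 other
POLICY="8 -1 -2 -2 -1"
pwcheck 'Passw0rd!'  $POLICY || true    # only one upper-case letter: rejected
pwcheck 'PAssw0rd1!' $POLICY || true    # accepted, score 10

# pam_cracklib's defaults are minlen=9 with every credit at 1, which is why the
# man page says "minlen 9" really means 8 characters of a single class:
pwcheck 'abcdefgh' 9 1 1 1 1 || true    # 8 + 1 credit = 9: accepted
pwcheck 'abcdefg'  9 1 1 1 1 || true    # 7 + 1 credit = 8: rejected
```

Feed it the candidate passwords from your own policy document; if a password the policy is supposed to allow comes back REJECT, the credit values, not the users, are the problem.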

16. Enable Iptables (Firewall)

It's highly recommended to enable the Linux firewall to protect your servers from unauthorised access. Apply rules in iptables to filter incoming, outgoing and forwarding packets. We can specify the source and destination address to allow and deny, and specific udp/tcp port numbers. The policy that works is default deny: drop everything inbound, then open only the ports that tip 4 showed are genuinely needed, and remember that iptables rules do not cover IPv6 (see tip 11). On newer distributions nftables has replaced iptables, but the same structure applies.
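An added example, not from the original article, of what such a default-deny ruleset looks like: the function below emits an iptables-restore file for an assumed SSH port and list of TCP services (both inputs are assumptions you replace with the output of tip 4), with new SSH connections rate-limited to blunt brute forcing.

```shell
#!/bin/sh
# Added example (not from the original article): generate a default-deny
# iptables ruleset in iptables-restore format. INPUT and FORWARD drop by
# default, loopback and already-established traffic are allowed, each listening
# TCP port is opened explicitly, and new SSH connections are rate-limited with
# the "recent" match. The SSH port and the port list are assumed inputs.

# make_ruleset SSH_PORT "TCP_PORT ..." -> prints an iptables-restore file
make_ruleset() {
    ssh_port=$1; tcp_ports=$2
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
# at most 4 new SSH connections per source address per minute
-A INPUT -p tcp --dport $ssh_port -m conntrack --ctstate NEW -m recent --name ssh --set
-A INPUT -p tcp --dport $ssh_port -m conntrack --ctstate NEW -m recent --name ssh --update --seconds 60 --hitcount 5 -j DROP
-A INPUT -p tcp --dport $ssh_port -m conntrack --ctstate NEW -j ACCEPT
EOF
    for p in $tcp_ports; do
        echo "-A INPUT -p tcp --dport $p -m conntrack --ctstate NEW -j ACCEPT"
    done
    echo "COMMIT"
}

# count_rules RULESET_TEXT PATTERN -> number of lines in the ruleset matching PATTERN
count_rules() { printf '%s\n' "$1" | grep -c -- "$2"; }

# Assumed host: sshd moved to 2222 (tip 5), serving HTTP and HTTPS.
RULES=$(make_ruleset 2222 "80 443")
printf '%s\n' "$RULES"
# To apply on a real host: save the output to a file and load it with
# iptables-restore from a console session (not over SSH), so that a mistake in
# the SSH rule cannot lock you out; persist it with your distribution's
# iptables-persistent / iptables-services package.
```

The three SSH rules must stay in that order: the first records every new connection attempt, the second drops a source that has made 5 or more attempts in 60 seconds, and only then is a new connection accepted.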

17. Disable Ctrl+Alt+Delete in Inittab

In most Linux distributions, pressing 'CTRL-ALT-DELETE' will take your system into the reboot process. So it's not a good idea to have this option enabled, at least on production servers, in case someone does this by mistake. This is defined in the '/etc/inittab' file; if you look closely at that file you will see a line similar to the below. By default the line is not commented out, and we have to comment it out, because this particular key sequence signal will shut down a system. On systemd-based distributions the equivalent is masking the ctrl-alt-del.target unit.
# Trap CTRL-ALT-DELETE
#ca::ctrlaltdel:/sbin/shutdown -t3 -r now

18. Checking Accounts for Empty Passwords

Any account having an empty password is open to unauthorized access by anyone who can reach the machine, so this is part of security within a Linux server. You must make sure all accounts have strong passwords and no one has unauthorized access. Empty-password accounts are security risks and can be easily hacked. To check if there are any accounts with an empty password, use the following command (the second field of /etc/shadow is the password hash; an empty field means no password is required).
# awk -F: '($2 == "") {print $1}' /etc/shadow
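An added example, not from the original article, that extends the one-liner above into a single pass over /etc/shadow covering tips 13, 14 and 18 together: empty passwords, locked accounts and passwords that are expired or about to expire. It runs on a constructed copy of the file (the hashes and dates are made up) so it does not need root; point it at the real file and today's day number on a live host.

```shell
#!/bin/sh
# Added example (not from the original article): one pass over /etc/shadow.
# Fields: name:hash:lastchange:min:max:warn:inactive:expire:reserved
#  - an empty hash means login without a password (tip 18);
#  - a hash starting with "!" is what "passwd -l" produces, "*" or "!!" means
#    no password was ever usable (tip 14);
#  - lastchange and max are in days since 1970-01-01, so the password expires
#    on day lastchange+max and the warning period starts "warn" days before
#    that (tip 13); max empty or 99999 means it never expires.

# shadow_audit FILE TODAY -> one "user: state" line per account (TODAY in days since epoch)
shadow_audit() {
    awk -F: -v today="$2" '
    $1 ~ /^#/ || NF < 8 { next }
    {
        user = $1; hash = $2; last = $3; max = $5; warn = $6
        if (hash == "") {
            state = "EMPTY PASSWORD"
        } else if (hash ~ /^[!*]/) {
            state = "locked (no password login)"
        } else if (max == "" || max + 0 >= 99999) {
            state = "never expires"
        } else {
            left = last + max - today
            if (left < 0) {
                state = "EXPIRED " (-left) " days ago"
            } else if (left <= warn + 0) {
                state = "expires in " left " days (in warning period)"
            } else {
                state = "expires in " left " days"
            }
        }
        print user ": " state
    }' "$1"
}

# empty_password_accounts FILE -> the login names with an empty password field
empty_password_accounts() {
    awk -F: '$2 == "" { print $1 }' "$1"
}

# Constructed sample shadow file; the hashes are placeholders, not real digests.
SHADOW=$(mktemp)
trap 'rm -f "$SHADOW"' EXIT
cat > "$SHADOW" <<'EOF'
root:$6$saltsalt$fakehashfakehash:19700:0:99999:7:::
admin:$6$saltsalt$fakehashfakehash:19750:7:60:7:::
intern:$6$saltsalt$fakehashfakehash:19745:7:60:7:::
deploy:$6$saltsalt$fakehashfakehash:19730:7:60:7:::
backup:!$6$saltsalt$fakehashfakehash:19700:0:99999:7:::
daemon:*:19000:0:99999:7:::
guest::19700:0:99999:7:::
EOF
TODAY=19800    # fixed "today" (2024-03-18) so the output is reproducible;
               # on a live host use: TODAY=$(( $(date +%s) / 86400 ))

shadow_audit "$SHADOW" "$TODAY"
empty_password_accounts "$SHADOW"     # prints: guest
```

The admin and intern accounts show the difference the -W value makes: both have max=60, but only intern is inside the 7-day warning window. deploy is what a forgotten service account looks like once its password has expired, and guest is the finding tip 18 is about.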

19. Display SSH Banner Before Login

It's always a better idea to have a legal banner or security banner with some security warnings before SSH authentication; the Banner directive in sshd_config names the file to display. To set such banners, read the following article.
20. Monitor User Activities

If you are dealing with lots of users then it's important to collect information on each user's activities and the processes they consume, and analyse it at a later time or in case of any kind of performance or security issue. But how can we monitor and collect user activity information? There are two useful tools called 'psacct' and 'acct' that are used for monitoring user activities and processes on a system. These tools run in the system background and continuously track each user's activity on the system and the resources consumed by services such as Apache, MySQL, SSH, FTP etc. For more information about installation, configuration and usage visit the below url.
Read Also: Monitor User Activity with psacct or acct Commands

21. Review Logs Regularly

Move logs to a dedicated log server; this prevents an intruder from easily modifying or deleting the local logs that record the break-in. Below are the common Linux default log files and their usage:

/var/log/messages : where whole-system logs or current activity logs are available.
/var/log/auth.log : authentication logs (Debian/Ubuntu).
/var/log/kern.log : kernel logs.
/var/log/cron.log : crond logs (cron jobs).
/var/log/maillog : mail server logs.
/var/log/boot.log : system boot log.
/var/log/mysqld.log : MySQL database server log file.
/var/log/secure : authentication log (RHEL/CentOS).
/var/log/utmp or /var/log/wtmp : login records (on most systems utmp actually lives under /var/run).
/var/log/yum.log : yum log file.

22. Important File Backup

In a production system it is necessary to back up important files and keep them in a safety vault, at a remote site or offsite, for disaster recovery. Test restores regularly; a backup that has never been restored is an assumption, not a safeguard.

23. NIC Bonding

There are two types of mode in NIC bonding that need to be mentioned in the bonding interface.
mode=0 : Round Robin
mode=1 : Active and Backup

NIC bonding helps us to avoid a single point of failure. In NIC bonding we bond two or more network Ethernet cards together and make one single virtual interface, to which we can assign an IP address to talk with other servers. Our network will remain available in case one NIC card is down or unavailable for any reason.
Read Also: Create NIC Channel Bonding in Linux
24. Keep /boot as read-only

The Linux kernel and its related files are in the /boot directory, which is by default mounted read-write. Changing it to read-only reduces the risk of unauthorized or accidental modification of critical boot files. This requires /boot to be its own partition, as recommended in tip 2. To do this, open the /etc/fstab file.
# vi /etc/fstab

Add the following line at the bottom, save and close it.
LABEL=/boot /boot ext2 defaults,ro 1 2

Please note that you need to remount it read-write if you need to upgrade the kernel in future. A root user can do that at any time, so this protects against mistakes and sloppy scripts rather than against an attacker who already has root.
2". :gnore :CMP or 0roa,cast 6eHuest

0dd follo"ing line in &etc&sysct 1conf file to ignore ping or broadcast re6uest.
2gnore 29:! reCuest: net)ipvD)icmp echo ignore all 6 ? 2gnore Aroadcast reCuest: net)ipvD)icmp echo ignore broadcasts 6 ?

Load ne" settings or changes !y running follo"ing command


#sysctl -p

If we've missed any important security or hardening tip in the above list, or you have any other tip that needs to be included in the list, please drop your comments in our comment box. Tecmint is always interested in receiving comments and suggestions as well as discussion for improvement.
