Aldebaran

If possible use SELinux and other Linux security extensions to enforce limitations on network and other programs. For example, SELinux provides a variety of security policies for Linux kernel. Most people assume Linux is secure, and that’s a false assumption. A thief would probably assume your username is “root” and your password is “toor” since that’s the default password on Kali and most people continue to use it. Lynis is an open source security tool to perform in-depth audits. It helps with system hardening, vulnerability discovery, and compliance.

To change password aging of any user, use the following command. You can view current status of SELinux mode from the command line using ‘system-config-selinux‘, ‘getenforce‘ or ‘sestatus‘ commands. Always keep system updated with latest releases patches, security fixes and kernel when it’s available. Once you’ve find out any unwanted service are running, disable them using the following command. Encrypt transmitted data whenever possible with password or using keys / certificates.

BIOS protection

An offsite backup of your server can help you quickly recover any lost machines due to intrusion or attack. Keeping detailed logging and auditing enabled for your servers is crucial. These logs can later be used to detect any attempted intrusions. Also, in case of intrusion, these logs will help you gauge the extent of the breach and offer insight for a blameless postmortem of the incident. Syslog logs all the messages in /var/log directory by default. Keep in mind that completely disabling ICMP can hamper diagnostics, reliability, and network performance.

• If you care about security then hardening is very important!
• SSH key pairs, while not as user-friendly as passwords, are significantly more secure.
• If your network applications are not using IPv6 protocol, disable it to decrease the attack surface.
• A centralized authentication service allows you maintaining central control over Linux / UNIX account and authentication data.
• We can specify the source and destination address to allow and deny in specific udp/tcp port number.
• By default, the maximum days are set to days and might need to be tuned down.
• In this article, we will go through and discuss in depth five fundamental hardening tips that each and every Linux server, irrespective of its function, need to take.

By securing a Linux Box you are automatically reducing the attack surface for a Hacker. Also, the fewer functions a server does, the fewer chances there will be of it being hacked. This is because linux hardening and security lessons there will be fewer applications to exploit. There may be chances of vulnerabilities being over a decade old and it’s just a matter of time until it’s found by a security researcher.

Hardening steps after installation

But how we can monitor and collect user activities information. This is very useful if you want to disallow users to use same old passwords. Everybody says that Linux is secure by default and agreed to some extend (It’s debatable topics). However, Linux has in-built security model in place by default.

This checklist has been created based on our knowledge and additional research. A critical view on any of the suggestions is not just a good idea, but required. This way you gain the best possible understanding of the subject and make the right decision. After all, you have to decide what is best for your Linux systems when it comes to hardening them. So whatever you encounter on other websites or in this particular checklist, follow the saying Trust, but verify. So far, the tips we’ve covered for hardening your Linux servers are meant to reduce the attack surface.