Linux Server Security: 35 Linux Hardening And Security Tips And Tricks – Best Practices

TARGET AUDIENCE
Junior System Engineer, Junior System Administrator, Site Reliability Engineer, Junior DevOps Engineer and students.

Based on a survey conducted by Netcraft last year, Linux is the most commonly used operating system for web servers. It is installed on 6.64 million servers, around 74.2% of all web-facing servers. Whether you rely on your Android smartphone or enjoy browsing social media platforms like Facebook or Pinterest, Linux likely plays an important role in your daily life — even if you’re not fully aware of it. This reality is even more evident in the business world, where Linux is responsible for the web presence of companies of all sizes. In fact, Netcraft’s June 2020 survey shows that Linux also powers 9 out of the top 10 most reliable hosting company websites. Linux is especially favored for certain web servers: between 92% and 96% of all web-facing computers running nginx, Apache, LiteSpeed or lighttpd run on Linux.

Protecting data is one of the primary concerns for any System Administrator, Site Reliability Engineer or DevOps engineer. Securing a system against hackers and crackers is a challenging task! In this article, we’ll explore the role of Linux hardening and cover how to make Linux servers more secure. We will see 30+ major tips and tricks that you must consider to secure your Linux server.


The Role of Linux Hardening in Linux Server Security

Many of the Linux server security issues you may experience occur, in part, because servers do not arrive hardened out of the box. Rather, it is the administrator’s responsibility to set up systems that reveal suspicious activity. Without this extra effort, Linux servers can be vulnerable!

Further complicating matters, many of today’s top security initiatives focus on the front office rather than the server rack. This provides plenty of opportunities for malicious parties to acquire sensitive data, and the results can be devastating. The good news is: there’s no need to take a passive approach and succumb to Linux server security concerns — a strategic protocol focused on risk prevention and early mitigation can make all the difference.

35 Best Practices for Linux Servers

1. Document the host information

You MUST maintain a CMDB for better management of servers. Documenting the host information can become extremely beneficial in the long run. If you intend to maintain the same system over the course of time, chances are things will get messy at some point. However, if you document your workstation or server right from the day of its installation, you will have a solid idea of the overall system infrastructure and employed policies.

Include the below information about the system in your documentation.

Feel free to add some extras based on your server requirements.

a. System name
b. Installation date
c. Asset number (values tagging hosts in business environments)
d. IP address
e. MAC address
f. Kernel version
g. Server configuration
h. Administrator’s name

2. Strong Passwords Policy

People often reuse their passwords, which is a bad security practice, so you need a robust password policy. It should define a minimum password length (a strong password should be at least 10 characters and mix upper- and lowercase letters, digits and special characters), password aging (passwords should expire at least every quarter) and a restriction on reusing previous passwords. For application users, the same password should never be shared between users or between software systems. Remember, no password provides adequate security indefinitely. You should also configure accounts to lock after multiple failed logins, and you must disable direct root login. PAM offers the pam_cracklib module (replaced by pam_pwquality on RHEL 7 and later, which accepts the same options) to protect your server from dictionary and brute-force attacks. To enable it, open /etc/pam.d/system-auth in any text editor and add the following line to the password stack:

password required /lib/security/$ISA/pam_cracklib.so retry=3 minlen=8 lcredit=-1 ucredit=-2 dcredit=-2 ocredit=-1

Linux stores a hash of the password rather than the cleartext, so make sure a secure hashing algorithm is configured: SHA-512 (the sha512 option on the pam_unix password line, or ENCRYPT_METHOD SHA512 in /etc/login.defs).

Another useful feature is locking the account after five failed attempts. To do this, open /etc/pam.d/password-auth and add the following lines (deny=5 sets the threshold; unlock_time=604800 keeps the account locked for seven days):

auth required pam_env.so
auth required pam_faillock.so preauth audit silent deny=5 unlock_time=604800
auth [success=1 default=bad] pam_unix.so
auth [default=die] pam_faillock.so authfail audit deny=5 unlock_time=604800
auth sufficient pam_faillock.so authsucc audit deny=5 unlock_time=604800
auth required pam_deny.so

We’re not done yet; one additional step is needed. Open the file “/etc/pam.d/system-auth” and make sure you have the following lines added:

auth required pam_env.so
auth required pam_faillock.so preauth audit silent deny=5 unlock_time=604800
auth [success=1 default=bad] pam_unix.so
auth [default=die] pam_faillock.so authfail audit deny=5 unlock_time=604800
auth sufficient pam_faillock.so authsucc audit deny=5 unlock_time=604800
auth required pam_deny.so

After five failed attempts, only an administrator can unlock the account by using the following command:

# /usr/sbin/faillock --user <userlocked>  --reset

Several excellent password managers are available for the Linux platform.

Many of these offer crucial features, such as:

i) Two-factor authentication,
ii) Password generators, and
iii) Cloud password storage.

Bitwarden, LastPass, Enpass, KeePass and Dashlane represent some of the best options available. However, no single password manager is ideal for every environment, so examine your options thoroughly to find the one that meets your needs.

The final password-policy tip is to lock the system accounts (everything except root) with the following bash script:

#!/bin/bash
# Lock every system account (UID below 500 here; check UID_MIN in
# /etc/login.defs, which is 1000 on most current distributions) except
# root, and give it a non-login shell. sync, shutdown and halt keep
# their special shells.
for user in $(awk -F: '($3 < 500) {print $1}' /etc/passwd); do
    if [ "$user" != "root" ]; then
        /usr/sbin/usermod -L "$user"
        if [ "$user" != "sync" ] && [ "$user" != "shutdown" ] && [ "$user" != "halt" ]; then
            /usr/sbin/usermod -s /sbin/nologin "$user"
        fi
    fi
done

Some obvious questions should come to mind at this point. I try to answer them below as far as this article allows, even though it makes the article longer.

How Do I Set Up Password Aging For Linux Users For Better Security on a Linux Server?

The chage command changes the number of days between password changes and the date of the last password change. This information is used by the system to determine when a user must change his/her password.

The /etc/login.defs file defines the site-specific configuration for the shadow password suite, including password aging defaults.

To disable password aging, enter:

chage -M 99999 userName

To get password expiration information, enter:

chage -l userName

Finally, you can also edit the /etc/shadow file in the following fields:

{userName}:{password}:{lastPasswdChanged}:{Minimum_days}:{Maximum_days}:{Warn}:{Inactive}:{Expire}:

Where:

  • Minimum_days: the minimum number of days required between password changes, i.e. how long the user must wait before being allowed to change the password again.
  • Maximum_days: the maximum number of days the password is valid (after that the user is forced to change it).
  • Warn: the number of days before the password expires during which the user is warned that it must be changed.
  • Expire: the number of days since Jan 1, 1970 after which the account is disabled, i.e. an absolute date after which the login may no longer be used.

However, I recommend the chage command instead of editing /etc/shadow directly:

chage -M 120 -m 7 -W 7 userName

Parameters:
-M Set maximum number of days
-m Set minimum number of days
-W Set the number of days of warning

How Do I Restrict the Use of Previous Passwords in Linux?

You can prevent users from reusing their old passwords. This is done with the remember option of the pam_unix module.

To achieve that, you need to edit the following files:

/etc/login.defs – Shadow password suite configuration
/etc/pam.d/common-auth – OpenSuse/Suse Enterprise Linux PAM config file.
/etc/pam.d/system-auth – CentOS/RHEL/Fedora/Red Hat/Scientific Linux PAM config file.
/etc/pam.d/common-password – Debian / Ubuntu Linux PAM config file.
/etc/security/opasswd – Store old passwords.

Finding pam_unix.so or pam_unix2.so file location

find / -iname "pam_unix.so"
find / -iname "pam_unix2.so"

On Debian / Ubuntu Linux, back up and open /etc/pam.d/common-password:

cp /etc/pam.d/common-password /root/common-password.bak
vi /etc/pam.d/common-password

On CentOS / RHEL / Red Hat / Fedora Linux, edit /etc/pam.d/system-auth:

cp /etc/pam.d/system-auth /root/system-auth.bak
vi /etc/pam.d/system-auth

On OpenSUSE / SUSE Linux, edit /etc/pam.d/common-auth:

cp /etc/pam.d/common-auth /root/common-auth.bak
vi /etc/pam.d/common-auth

Edit or add the password line and append remember=13 to prevent a user from re-using any of his or her last 13 passwords (use sha512 here, not the md5 found in older examples, so that the stored hash matches the policy above):

password sufficient pam_unix.so use_authtok sha512 shadow remember=13

If you are using pam_unix2.so, update it as follows:

password sufficient pam_unix2.so use_authtok md5 shadow remember=13

Save and close the file. The last 13 passwords of each user are saved (hashed) in /etc/security/opasswd, giving pam_unix a history to check new passwords against and keeping users from cycling back to a recent password.

If the file /etc/security/opasswd does not exist, create the file using touch or shell redirection command. You can also use the below command –

# [ ! -f /etc/security/opasswd ] && touch /etc/security/opasswd

Use the following ls command to verify the file’s permissions; it should be owned by root with mode 0600:

# ls -lZ /etc/security/opasswd

How Do I Verify No Accounts Have Empty Passwords?

Type the following command to find accounts with an empty password field:

awk -F: '($2 == "") {print}' /etc/shadow

Or

awk -F: '($2 == "") {print $1}' /etc/shadow

Lock all empty password accounts:

passwd -l accountName

How Do I Make Sure No Non-Root Accounts Have UID Set To 0

Only the root account should have UID 0, which grants full access to the system.

Type the following command to display all accounts with UID set to 0:

awk -F: '($3 == "0") {print}' /etc/passwd

You should only see one line as follows:

root:x:0:0:root:/root:/bin/bash

If you see other lines, delete them or make sure other accounts are authorized by you to use UID 0.
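As an added example (not a script from the article), the checks from the three questions above, empty password fields, non-root UID 0 accounts and missing password aging, combined into one audit script. It assumes a POSIX shell and awk; the sample passwd and shadow data is constructed.

```shell
#!/bin/sh
# Added example, not from the article: run the account checks described above
# (empty password field, non-root UID 0, no password aging) against copies of
# /etc/passwd and /etc/shadow. Constructed sample data is embedded so the
# script runs offline; pass real paths as arguments to audit a host
# (reading /etc/shadow requires root).

# Accounts other than root that share UID 0.
uid0_accounts() {            # $1 = passwd file
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# Accounts whose password field is empty: no password is asked at login.
empty_password_accounts() {  # $1 = shadow file
    awk -F: '$2 == "" { print $1 }' "$1"
}

# Accounts with no password aging (Maximum_days empty or 99999). Locked
# accounts (field starting with ! or *) cannot log in and are skipped.
no_aging_accounts() {        # $1 = shadow file
    awk -F: '$2 !~ /^[!*]/ && ($5 == "" || $5 + 0 >= 99999) { print $1 }' "$1"
}

# Print one line per finding with the fix suggested in the article, then a
# "findings: N" summary line.
audit_accounts() {           # $1 = passwd file, $2 = shadow file
    n=0
    for u in $(uid0_accounts "$1"); do
        echo "uid0          $u  (remove the account or document why it needs UID 0)"
        n=$((n + 1))
    done
    for u in $(empty_password_accounts "$2"); do
        echo "empty-passwd  $u  (lock it: passwd -l $u)"
        n=$((n + 1))
    done
    for u in $(no_aging_accounts "$2"); do
        echo "no-aging      $u  (set aging: chage -M 120 -m 7 -W 7 $u)"
        n=$((n + 1))
    done
    echo "findings: $n"
}

# Constructed sample files (hashes are placeholders, not real values).
SAMPLE_PASSWD=$(mktemp); SAMPLE_SHADOW=$(mktemp)
trap 'rm -f "$SAMPLE_PASSWD" "$SAMPLE_SHADOW"' EXIT
cat > "$SAMPLE_PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/bash
toor:x:0:0:second root:/root:/bin/bash
alice:x:1001:1001::/home/alice:/bin/bash
bob:x:1002:1002::/home/bob:/bin/bash
sync:x:5:0:sync:/sbin:/bin/sync
EOF
cat > "$SAMPLE_SHADOW" <<'EOF'
root:$6$placeholder$hash:19000:0:99999:7:::
toor:$6$placeholder$hash:19000:0:99999:7:::
alice::19000:0:90:7:::
bob:$6$placeholder$hash:19000:7:120:7:::
sync:*:19000:0:99999:7:::
EOF

audit_accounts "${1:-$SAMPLE_PASSWD}" "${2:-$SAMPLE_SHADOW}"
```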

How Do I Disable root Login?

The simplest method to disable root user login is to change its shell from /bin/bash or /bin/ksh (or any other shell that permits user login) to /sbin/nologin, in the /etc/passwd file, which you can open for editing using any of your favorite command line editors as shown.

vim /etc/passwd

Change the line:

root:x:0:0:root:/root:/bin/bash
to
root:x:0:0:root:/root:/sbin/nologin

Save the file and close it.

From now on, when the root user tries to log in, they get the message “This account is currently not available.” This is the default message; you can set a custom one in the file /etc/nologin.txt.

The common way of accessing remote servers or VPS is via SSH and to block root user login under it, you just need to edit the /etc/ssh/sshd_config file.

vim /etc/ssh/sshd_config

Then uncomment (if it is commented) the directive PermitRootLogin and set its value to no as shown in the below snippet.

PermitRootLogin no

3. Secure SSH

To secure ssh, you need to perform the following changes:

1. Disable SSH password authentication
2. Restrict root from logging in remotely
3. Restrict access to IPv4 or IPv6

Open /etc/ssh/sshd_config using your text editor of choice and ensure these lines:

PasswordAuthentication yes
PermitRootLogin yes

look like this:

PasswordAuthentication no
PermitRootLogin no

Upload the users’ SSH public keys to the server.

You can upload your SSH key to your new server using the ssh-copy-id command:

ssh-copy-id <username>@ip_address

Now you can log into your new server without typing a password. Protect the key with a passphrase when you generate it. Copy the key and confirm that key-based login works from a second session before setting PasswordAuthentication to no: ssh-copy-id itself relies on password authentication, and the wrong order locks you out.

Next, restrict the SSH service to either IPv4 or IPv6 by modifying the AddressFamily option. To change it to use only IPv4 (which should be fine for most folks) make this change:

AddressFamily inet

Restart the SSH service to enable your changes. Note that it’s a good idea to have two active connections to your server before restarting the SSH server. Having that extra connection allows you to fix anything should the restart go wrong.

On Debian/Ubuntu (where the service unit is named ssh, not sshd):

service ssh restart

On Fedora, CentOS or any other systemd-based distribution:

systemctl restart sshd
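As an added example (not from the article), a script that checks an sshd_config for the three settings above. It assumes a POSIX shell and awk, and the sample configuration is constructed; it reproduces sshd’s rule that the first uncommented occurrence of a keyword wins, which is why a hardened line appended at the bottom of the file can silently have no effect.

```shell
#!/bin/sh
# Added example, not from the article: check an sshd_config for the three
# settings discussed above. sshd honours the FIRST uncommented occurrence of
# a keyword, so a hardened line appended at the end of the file is ignored
# when an earlier line already sets that keyword. Directives inside Match
# blocks are conditional and are not considered here.

# Print the effective (first) value of a keyword, or UNSET if the keyword
# never appears before the first Match block.
effective_value() {          # $1 = config file, $2 = keyword (case-insensitive)
    key=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')
    awk -v key="$key" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }   # comments and blank lines
        { gsub(/=/, " ") }                                # allow Keyword=value form
        tolower($1) == "match" { exit }                   # global section ends here
        tolower($1) == key     { print $2; found = 1; exit }
        END { if (!found) print "UNSET" }' "$1"
}

# Compare each keyword with the value required in this article; print one
# line per keyword and a final "failures: N" line.
check_sshd_config() {        # $1 = config file
    fails=0
    for pair in PasswordAuthentication:no PermitRootLogin:no AddressFamily:inet; do
        kw=${pair%%:*}; want=${pair##*:}
        got=$(effective_value "$1" "$kw")
        if [ "$got" = "$want" ]; then
            echo "OK    $kw $got"
        else
            echo "FAIL  $kw is '$got', want '$want'"
            fails=$((fails + 1))
        fi
    done
    echo "failures: $fails"
}

# Constructed sample: the hardened AddressFamily line near the bottom never
# takes effect because the keyword is already set on line 2, and
# PermitRootLogin is only present as a comment (so the default applies).
SAMPLE_SSHD=$(mktemp)
trap 'rm -f "$SAMPLE_SSHD"' EXIT
cat > "$SAMPLE_SSHD" <<'EOF'
Port 22
AddressFamily any
#PermitRootLogin prohibit-password
PasswordAuthentication no
AddressFamily inet
Match User deploy
    PasswordAuthentication yes
EOF

check_sshd_config "${1:-$SAMPLE_SSHD}"
```

Validate an edited file with sshd -t before restarting the service; a syntax error would otherwise leave you without SSH access.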

4. Update Your Software Regularly

Always keep Linux Kernel and Software Up to Date.

Properly managing your Linux server security includes implementing regular software patches to address emerging vulnerabilities. Unfortunately, many Linux users neglect to put these patches into action. Without prompt updates, software can become exploitable and easy for hackers to use to gain access.

Use your package manager (yum on RPM-based systems, apt-get or dpkg on Debian-based ones) to apply all security updates.

yum update

Or

apt-get update && apt-get upgrade

You can configure Red Hat / CentOS / Fedora Linux to send yum package update notifications via email. Another option is to apply all security updates via a cron job. Under Debian / Ubuntu Linux you can use apticron to send security notifications. It is also possible to configure unattended upgrades on a Debian/Ubuntu server with apt-get/apt:

sudo apt-get install unattended-upgrades apt-listchanges bsd-mailx

5. Avoid Unnecessary Software

Minimize unused software to minimize vulnerabilities, and disable unwanted Linux services. Do you really need every web service that is installed? Avoid installing unnecessary software. Use your package manager (yum on RPM-based systems, dpkg and apt-get on Debian-based ones) to review all installed packages, and delete the ones you do not need.

yum list installed
yum list packageName
yum remove packageName

Or

dpkg --list
dpkg --info packageName
apt-get remove packageName

6. Disable Booting from External Devices

Malicious parties can use external devices such as USB thumb drives to reach sensitive information. Disabling booting from external devices reduces the potential for physical attacks, which can be just as damaging as remote hacking; without this step many other security layers can be circumvented easily.

There are several ways to block access to removable media in Linux. One crude option is to remove all permissions from /media/, the directory under which removable devices are auto-mounted:

# chmod 000 /media/

To restore the default permissions later:

# chmod 755 /media/

You may also disable USB storage by blacklisting the usb-storage kernel module in /etc/modprobe.d/blacklist.conf:

echo "blacklist usb-storage" >> /etc/modprobe.d/blacklist.conf

Note that blacklist only stops the module from being loaded automatically by its alias; it can still be loaded explicitly or as a dependency. The install usb-storage /bin/true form shown in section 29 prevents loading altogether.

7. Close Hidden Open Ports

Open ports may reveal network architecture information while extending the attack surface, so any port that is not absolutely essential should be closed. The netstat command shows which ports are listening and details of current connections (on current distributions netstat lives in the net-tools package; ss from iproute2 accepts the same -t, -u and -l flags).

The following commands list specific sockets:

* All TCP sockets: netstat -at
* All UDP sockets: netstat -au
* All listening sockets: netstat -l
* Per-protocol statistics: netstat -s

8. Install And Scan Log Files with Fail2ban

Fail2ban is an application that examines server logs looking for repeated or automated attacks. If any are found, it will alter the firewall to block the attacker’s IP address either permanently or for a specified amount of time.

You can install Fail2ban by typing:

apt install fail2ban -y

Or

yum install fail2ban

Then copy the included configuration file (jail.local overrides jail.conf; make sure enabled = true is set in its [sshd] section, as the jail is not enabled by default on every distribution):

cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local

And restart Fail2ban:

service fail2ban restart

The software continuously examines the log files looking for attacks, and after a while it will have built up quite a list of banned IP addresses. You can view this list by requesting the status of the SSH jail (named sshd in current jail.conf; older Debian packages called it ssh):

fail2ban-client status sshd

9. Utilize Backups and Test Them Often

No matter how many Linux hardening methods you apply, you need to be prepared for unforeseen problems. Backing up your workstation or server can prove extremely beneficial in the long run. Thankfully, many backup utilities exist for Linux to make system backups easier.

Moreover, you must automate the backup process and store your system data safely. Employing disaster management and recovery solutions can be also useful when it comes to data management.

10. Perform Security Audits

While the tips highlighted in this article can provide more peace of mind as you strive to improve your Linux server security, additional threats could be right around the corner. Even the most secure server will eventually become vulnerable to new hazards if not updated on a regular basis. Software upgrades are crucial, of course, but security audits can uncover other adjustments that are worth making.

Without regular audits, it’s impossible to know where gaps exist or how they can be addressed to ensure that your server remains fully protected.

11. Encrypt Data Communication For Linux Server

Since data transmitted over the network can be easily captured and analyzed using open source security tools, data encryption should be your top priority during the Linux hardening process. Many legacy data communication tools do not employ proper encryption and thus may leave your data vulnerable.

You should always use secure services such as ssh, scp, rsync or sftp for remote data transfer. Linux also lets you mount remote filesystems with tools such as fuse or sshfs. Use GPG to encrypt and sign your data. Other Linux tools that offer data encryption include OpenVPN, lighttpd SSL, Apache SSL and Let’s Encrypt.

12. Avoid Using FTP, Telnet, And Rlogin / Rsh Services on Linux

Under most network configurations, user names, passwords, FTP / telnet / rsh commands and transferred files can be captured by anyone on the same network using a packet sniffer. The common solution to this problem is to use either OpenSSH , SFTP, or FTPS (FTP over SSL), which adds SSL or TLS encryption to FTP.

Type the following yum command to delete NIS, rsh and other outdated services:

yum erase xinetd ypserv tftp-server telnet-server rsh-server

If you are using a Debian/Ubuntu Linux based server, try apt-get command/apt command to remove insecure services:

apt-get --purge remove xinetd nis yp-tools tftpd atftpd tftpd-hpa telnetd rsh-server rsh-redone-server

13. One Network Service Per System or VM Instance

Run different network services on separate servers or VM instances. This limits the number of other services that can be compromised at once. For example, if an attacker successfully exploits a flaw in software such as Apache, they gain access to the entire server, including other services such as MySQL/MariaDB/PostgreSQL and the mail server. A container-based architecture achieves the same separation.

14. Use Linux Security Extensions

SELinux or Security Enhanced Linux is a security mechanism that implements various methods for access control at the kernel level. SELinux is developed by Red Hat and has been added to many modern Linux distributions. You can think of it as a set of kernel modifications and user-space tools. You can check out whether SELinux is enabled in your system or not by using the below command.

getenforce

If it returns Enforcing, your system is protected by SELinux. Permissive means SELinux is loaded but only logs violations; Disabled means it is completely off. You can switch to enforcing mode at runtime with the command below; to make it persistent, set SELINUX=enforcing in /etc/selinux/config (moving from disabled requires a reboot and a filesystem relabel).

setenforce 1

15. Physical Server Security

Lock down access to server rooms, lock the racks and use video surveillance. Take into consideration that any physical access to server rooms can expose your machine to serious security issues.

BIOS passwords can be changed by resetting jumpers on the motherboard or by disconnecting the CMOS battery. Also, an intruder can steal the hard disks or directly attach new hard disks to the motherboard interfaces (SATA, SCSI, etc), boot up with a Linux live distro, and clone or copy data without leaving any software trace.

16. Delete X Window Systems (X11)

The X Window System, or X11, is the de-facto graphical interface for Linux systems. If you’re using Linux to power a server rather than a personal system, you can delete it entirely. This increases your server’s security by removing a lot of unnecessary packages.

yum groupremove "X Window System"

This yum command will delete X11 from RHEL or CentOS systems.

If you’re using Debian/Ubuntu instead, use the following command.

apt-get remove xserver-xorg-core

17. Configure Iptables and TCPWrappers based Firewall on Linux

Iptables is a user-space program for configuring the firewall (Netfilter) provided by the Linux kernel. Use the firewall to filter traffic and allow only what is necessary. TCP Wrappers, a host-based network ACL system, can additionally filter access to individual services, though OpenSSH no longer links against it (since 6.7) and RHEL 8 dropped the package, so rely on the packet filter (iptables or its successor nftables) there.

18. Linux Kernel /etc/sysctl.conf Hardening

/etc/sysctl.conf file is used to configure kernel parameters at runtime. Linux reads and applies settings from /etc/sysctl.conf at boot time.

Sample /etc/sysctl.conf:

# Turn on execshield (RHEL 5/6 kernels only; on newer kernels this key
# does not exist and sysctl -p reports an error for it)
kernel.exec-shield=1
# Full address space layout randomization (1 leaves the heap unrandomized)
kernel.randomize_va_space=2
# Enable IP spoofing protection
net.ipv4.conf.all.rp_filter=1
# Disable IP source routing
net.ipv4.conf.all.accept_source_route=0
# Ignore broadcast requests
net.ipv4.icmp_echo_ignore_broadcasts=1
net.ipv4.icmp_ignore_bogus_error_messages=1
# Make sure spoofed packets get logged
net.ipv4.conf.all.log_martians=1

19. Separate Disk Partitions For Linux System

Keeping operating system files separate from user files results in a more robust and secure system.

Make sure the following filesystems are mounted on separate partitions:

/usr
/home
/var and /var/tmp
/tmp

Create separate partitions for Apache and FTP server roots. Edit /etc/fstab file and make sure you add the following configuration options:

noexec – Do not allow execution of binaries on this partition (prevents execution of binaries but allows scripts).
nodev – Do not allow character or block special devices on this partition (prevents use of device files such as zero, sda etc.).
nosuid – Do not honour SUID/SGID bits on this partition (prevents the setuid bit from taking effect).

Sample /etc/fstab entry to limit user access on /dev/sda5:

/dev/sda5  /data          ext3    defaults,nosuid,nodev,noexec 1 2
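As an added example (not from the article), a script that parses an fstab and reports which of the filesystems listed above lack their own mount and which of the options just described are missing. It assumes a POSIX shell and awk; the sample fstab is constructed, and the table of which options each mountpoint should carry is this example’s own assumption.

```shell
#!/bin/sh
# Added example, not from the article: parse an fstab and report which of the
# filesystems listed above lack their own mount and which hardening options
# are missing. The per-mountpoint option table below is this example's own
# assumption (noexec is kept off /home, /usr and /var, where it breaks user
# scripts and package maintainer scripts). Note that noexec also stops
# scripts run via their #! line; only an explicitly invoked interpreter
# (sh script.sh) bypasses it.

required_opts() {            # $1 = mountpoint -> space-separated required options
    case "$1" in
        /tmp|/var/tmp) echo "nodev nosuid noexec" ;;
        /home)         echo "nodev nosuid" ;;
        /usr|/var)     echo "nodev" ;;
        *)             echo "" ;;
    esac
}

# Mount options of a mountpoint from fstab, or NOTMOUNTED if it has no entry.
fstab_opts() {               # $1 = fstab file, $2 = mountpoint
    awk -v mp="$2" '
        /^[[:space:]]*#/ || NF < 4 { next }
        $2 == mp { print $4; found = 1; exit }
        END { if (!found) print "NOTMOUNTED" }' "$1"
}

# Required options absent from the entry (empty output means compliant).
missing_opts() {             # $1 = fstab file, $2 = mountpoint
    opts=$(fstab_opts "$1" "$2")
    if [ "$opts" = "NOTMOUNTED" ]; then
        echo "no separate mount"
        return 0
    fi
    missing=""
    for o in $(required_opts "$2"); do
        case ",$opts," in
            *,"$o",*) ;;                      # option present
            *) missing="$missing $o" ;;
        esac
    done
    echo "${missing# }"
}

check_fstab() {              # $1 = fstab file
    fails=0
    for mp in /usr /home /var /var/tmp /tmp; do
        res=$(missing_opts "$1" "$mp")
        if [ -z "$res" ]; then
            echo "OK    $mp"
        else
            echo "FAIL  $mp: $res"
            fails=$((fails + 1))
        fi
    done
    echo "failures: $fails"
}

# Constructed sample fstab (UUIDs are placeholders).
SAMPLE_FSTAB=$(mktemp)
trap 'rm -f "$SAMPLE_FSTAB"' EXIT
cat > "$SAMPLE_FSTAB" <<'EOF'
# <device>             <mountpoint> <type>  <options>                      <dump> <pass>
UUID=ROOT-PLACEHOLDER  /            ext4    defaults                       1 1
UUID=HOME-PLACEHOLDER  /home        ext4    defaults,nosuid,nodev          1 2
UUID=VAR-PLACEHOLDER   /var         ext4    defaults,nodev                 1 2
UUID=TMP-PLACEHOLDER   /tmp         ext4    defaults,nosuid                1 2
/dev/sda5              /data        ext3    defaults,nosuid,nodev,noexec   1 2
EOF

check_fstab "${1:-$SAMPLE_FSTAB}"
```

fstab describes the intended state only; compare it with what is actually mounted using findmnt -o TARGET,OPTIONS /tmp.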

20. Disk Quotas

Disk Quotas are simply limits set by the system administrator which restrict usage of the Linux filesystem for other users. If you are hardening your Linux security, implementing disk quotas is mandatory for your server.

vim /etc/fstab
LABEL=/home /home ext2 defaults,usrquota,grpquota 1 2

Add the above line to /etc/fstab for enabling disk quota for the /home filesystem.

If there is already a line for /home, modify it accordingly.

quotacheck -avug

This command will display all quota information and create the files aquota.user and aquota.group in /home.

edquota userName

This command opens that user’s quota settings in an editor where you can assign the limits. You can set both soft and hard limits for disk space as well as for the number of inodes. Quotas are enforced only after the filesystem has been remounted with the new options and quotaon -avug has been run. Use the command below to view a report on disk quota usage.

repquota /home

21. Turn Off IPv6 only if you are NOT using it on Linux

IPv6 or Internet Protocol version 6 is the latest version of the TCP/IP protocol. It comes with an extended feature list and many usability benefits. However, IPv4 is still the protocol of choice for most servers, so chances are you are not using IPv6 at all. In that case, you should turn it off altogether.

By removing unnecessary network connectivity, your server’s security will be more solid. Thus, turning off IPv6 offers reasonable Linux hardening effects. Add the below lines to /etc/sysctl.conf for disabling IPv6 connectivity from the kernel level.

vim /etc/sysctl.conf
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
net.ipv6.conf.lo.disable_ipv6 = 1

Finally, run the below command to load the changes in your server.

sysctl -p

22. Disable Unwanted SUID and SGID Binaries

SUID and SGID are special permission bits in the Linux file system. A SUID executable runs with the privileges of its owner rather than of the user who launched it. Likewise, a SGID executable runs with the privileges of its group, and on a directory SGID makes newly created files inherit the directory’s group.

These bits are dangerous on binaries that do not need them, because a flaw in such a binary hands its owner’s (often root’s) privileges to any user. Find every file with SUID or SGID set and review it. The following commands list all files with SUID and SGID enabled respectively (-perm /4000 and /2000 match the setuid and setgid bits).

find / -perm /4000
find / -perm /2000

Investigate these files properly and see if these permissions are mandatory or not. If not, remove SUID/SGID privileges.

The following commands remove the SUID and SGID bits respectively without touching the other permission bits.

chmod u-s /path/to/file
chmod g-s /path/to/dir

23. File and folder permission

If your Linux server is multipurpose and many users are accessing the server then it is very important to restrict files and directory permissions. These permissions define who can read, write, and execute your files and directories.

You can view directory permissions by “ls -l” command.

root@redhat:~# ls -l /etc/passwd
-rw-r--r-- 1 root root 2378 Jul 09 02:08 /etc/passwd

In the above output, the first ten characters show the permissions of the file. The first character gives the type: a dash (-) for a regular file, d for a directory, and s for a special file (socket). The next three characters are the owner’s permissions; the file above is readable and writable by its owner. The following three characters are the permissions of the file’s group; here the group root has read permission only. The last three characters are the permissions for everyone else, i.e. users who are neither the owner nor members of the group.

You can change the permission of file or directory with chmod command:

[root@redhat ~]# chmod 644 document
[root@redhat ~]# ls -l document
-rw-r--r--. 1 root root 16 Jul 21 04:03 document

The above command gives read and write permissions to the file owner and read permission to the group and others.

If you want to change ownership and group of file, you can use chown command:

[root@redhat ~]# chown demo:demo document
[root@redhat ~]# ls -l document
-rw-r--r--. 1 demo demo 16 Jul 21 04:03 document

We have changed the ownership of document file from root to ‘demo’.
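As an added example (not from the article) serving sections 22 and 23, a script that decodes the ten-character mode field of ls -l into octal and tags the settings those sections warn about: setuid, setgid and world-writable entries. It assumes a POSIX shell and awk; the ls -l listing it processes is constructed.

```shell
#!/bin/sh
# Added example, not from the article: decode the ten-character mode field of
# ls -l (explained above) into octal and tag the settings sections 22 and 23
# warn about: setuid, setgid and world-writable entries. Input is constructed
# ls -l output; pipe real output in (ls -l /usr/bin | audit_listing).

# Convert a mode string such as -rwsr-xr-x to four-digit octal (4755).
mode_to_octal() {            # $1 = mode string
    awk -v m="$1" 'BEGIN {
        special = 0; out = ""
        for (i = 0; i < 3; i++) {                  # owner, group, other triplets
            bits = 0
            r = substr(m, 2 + i * 3, 1)
            w = substr(m, 3 + i * 3, 1)
            x = substr(m, 4 + i * 3, 1)
            if (r == "r") bits += 4
            if (w == "w") bits += 2
            if (x == "x" || x == "s" || x == "t") bits += 1
            if (x == "s" || x == "S") special += (i == 0 ? 4 : 2)   # setuid / setgid
            if (x == "t" || x == "T") special += 1                  # sticky bit
            out = out bits
        }
        print special out
    }'
}

# Risk tags for one ls -l line: SUID, SGID, WORLD_WRITABLE, or "-" for none.
# A world-writable directory with the sticky bit (like /tmp) is not tagged.
risk_tags() {                # $1 = one ls -l line
    printf '%s\n' "$1" | awk '{
        m = $1; sub(/[.+]$/, "", m)             # drop SELinux "." or ACL "+" marker
        tags = ""
        if (substr(m, 4, 1) ~ /[sS]/) tags = tags " SUID"
        if (substr(m, 7, 1) ~ /[sS]/) tags = tags " SGID"
        if (substr(m, 9, 1) == "w" && substr(m, 10, 1) !~ /[tT]/) tags = tags " WORLD_WRITABLE"
        print (tags == "" ? "-" : substr(tags, 2))
    }'
}

# Read ls -l lines on stdin and print "octal tags path" for each entry.
# (Paths containing spaces would need a different field split.)
audit_listing() {
    while IFS= read -r line; do
        case "$line" in total*|"") continue ;; esac    # skip the "total N" header
        mode=${line%% *}; mode=${mode%[.+]}
        path=${line##* }
        echo "$(mode_to_octal "$mode") $(risk_tags "$line") $path"
    done
}

# Constructed sample listing (sizes and dates are made up).
SAMPLE_LISTING='-rwsr-xr-x. 1 root root 32208 Jul 09 02:08 /usr/bin/passwd
-rw-r--r--. 1 root root  2378 Jul 09 02:08 /etc/passwd
-rwxrwxrwx  1 demo demo    16 Jul 21 04:03 /srv/app/upload.sh
drwxrwxrwt  5 root root  4096 Jul 21 04:03 /tmp
-rwxr-sr-x  1 root tty  14632 Jul 09 02:08 /usr/bin/write'

printf '%s\n' "$SAMPLE_LISTING" | audit_listing
```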

24. Use A Centralized Authentication Service

For better security and management of your Linux servers, you should think of integrating your system with LDAP. It will help you to manage your users effectively.

25. Kerberos

Kerberos performs authentication as a trusted third-party authentication service using a cryptographic shared secret, under the assumption that packets traveling over the insecure network can be read, modified and inserted. Kerberos builds on symmetric-key cryptography and requires a key distribution center. You can make remote login, remote copy, secure inter-system file copying and other high-risk tasks safer and more controllable using Kerberos. When users authenticate to network services with Kerberos, unauthorized users attempting to gather passwords by monitoring network traffic are effectively thwarted. See how to set up and use Kerberos.

26. Logging and Auditing

You need to configure logging and auditing to collect all hacking and cracking attempts. By default syslog stores data in /var/log/ directory. This is also useful to find out software mis-configuration which may open your system to various attacks.

27. System Accounting with auditd

The auditd daemon provides system auditing and is responsible for writing audit records to disk. During startup it reads its rules from /etc/audit/audit.rules (on current systems generated from the files in /etc/audit/rules.d/); edit those files to add rules, while the audit log location and other daemon options live in /etc/audit/auditd.conf. The following points can be addressed with auditd.

  • System startup and shutdown events (reboot / halt).
  • Date and time of the event.
  • User responsible for the event.
  • Type of event (edit, access, delete, write, update file & commands).
  • Success or failure of the event.
  • Record events that modify date and time.
  • Find out who made changes to modify the system’s network settings.
  • Record events that modify user/group information.
  • See who made changes to a file etc.

28. Install And Use Intrusion Detection System

A network intrusion detection system (NIDS) is an intrusion detection system that tries to detect malicious activity such as denial of service attacks, port scans or even attempts to crack into computers by monitoring network traffic.

It is good practice to deploy integrity checking software before the system goes online in production; if possible, install AIDE before the system is connected to any network, so that its baseline is taken from a known-clean state. AIDE is a host-based intrusion detection system (HIDS) that monitors and analyzes the internals of a computing system. I also recommend installing and using the rkhunter rootkit detection software.

29. Disable USB/firewire/thunderbolt devices

Type the following command to disable USB devices on Linux server system:

echo 'install usb-storage /bin/true' >> /etc/modprobe.d/disable-usb-storage.conf

You can use same method to disable firewire and thunderbolt modules:

echo "blacklist firewire-core" >> /etc/modprobe.d/firewire.conf
echo "blacklist thunderbolt" >> /etc/modprobe.d/thunderbolt.conf

Once done, users cannot quickly copy sensitive data to USB devices or install malware, viruses or backdoors on your Linux system from them.

30. Disable unused services

You can disable unused services on any Linux server using the service command/systemctl command:

systemctl stop service
systemctl disable service

31. BIOS protection

Start hardening your machine by securing the BIOS/UEFI settings: set a BIOS/UEFI password and disable booting from removable media (CD, DVD, USB) so that unauthorized users cannot modify the BIOS settings, change the boot device priority, or boot the machine from an alternate medium.

In order to apply this type of change to your machine you need to consult the motherboard manufacturer manual for specific instructions.

Set a GRUB password to prevent malicious users from tampering with the kernel boot sequence or run levels, editing kernel parameters, or starting the system in single-user mode to reset the root password and gain privileged control.

32. Hard disk encryption

Encrypting your disk storage can prove highly beneficial in the long term. It will prevent data leaks in case of theft or any third-party intrusion. Luckily, there are a wide variety of Linux encryption tools (e.g. LUKS) that make this task hassle-free for admins.

Additionally, modern Linux distributions let admins encrypt the filesystem during installation. Be aware, however, that encryption may reduce throughput and will likely make data recovery more difficult.

33. Monitor User Activities

If you are dealing with many users, it is important to collect information about each user’s activities and the processes they run, so that it can be analyzed later or when a performance or security issue arises. But how can we monitor and collect that information?

Two useful tools, psacct and acct, monitor user activities and processes on a system. They run in the background and continuously track each user’s activity and the resources consumed by services such as Apache, MySQL, SSH and FTP. For more information about installation, configuration and usage, visit the URL below.

34. Ignore ICMP or Broadcast Request

Add the following lines to /etc/sysctl.conf to ignore ping (ICMP echo) or broadcast requests. Ignoring all echo requests also hides the host from your own monitoring and troubleshooting, so many sites enable only the broadcast setting.

Ignore ICMP request:
net.ipv4.icmp_echo_ignore_all = 1
Ignore Broadcast request:
net.ipv4.icmp_echo_ignore_broadcasts = 1

Load new settings or changes, by running following command

sysctl -p
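As an added example (not from the article) covering the kernel settings of sections 18, 21 and 34, a script that checks a sysctl configuration file against the values those sections set and, where the sysctl command is available, shows the live value next to it. It assumes a POSIX shell and awk; the sample file is constructed, and the script expects randomize_va_space=2 (full randomization), which is stronger than the 1 shown in some older sample files.

```shell
#!/bin/sh
# Added example, not from the article: check that a sysctl configuration file
# carries the kernel settings from sections 18, 21 and 34 above. Parsing
# follows sysctl's rules: "=" may have spaces around it, "/" in a key means
# the same as ".", and the last occurrence of a key wins. A value in the
# file is not applied until sysctl -p (or sysctl --system, which also loads
# /etc/sysctl.d/*.conf) runs, so the live value is shown too when readable.

# Last value set for a key in the file, or UNSET.
file_value() {               # $1 = config file, $2 = key in dotted form
    awk -v key="$2" -F= '
        /^[[:space:]]*[#;]/ || !/=/ { next }
        {
            k = $1; v = $2
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", k); gsub(/\//, ".", k)
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", v)
            if (k == key) { last = v; found = 1 }
        }
        END { print (found ? last : "UNSET") }' "$1"
}

# Live kernel value, or "n/a" when sysctl is missing or the key is unreadable.
live_value() {               # $1 = key
    command -v sysctl >/dev/null 2>&1 && sysctl -n "$1" 2>/dev/null || echo "n/a"
}

# Expected settings from the article; print one line per key and a summary.
check_sysctl() {             # $1 = config file
    fails=0
    for pair in \
        kernel.randomize_va_space=2 \
        net.ipv4.conf.all.rp_filter=1 \
        net.ipv4.conf.all.accept_source_route=0 \
        net.ipv4.icmp_echo_ignore_broadcasts=1 \
        net.ipv4.conf.all.log_martians=1 \
        net.ipv6.conf.all.disable_ipv6=1; do
        key=${pair%%=*}; want=${pair##*=}
        got=$(file_value "$1" "$key")
        if [ "$got" = "$want" ]; then
            echo "OK    $key=$got (live: $(live_value "$key"))"
        else
            echo "FAIL  $key is '$got', want '$want' (live: $(live_value "$key"))"
            fails=$((fails + 1))
        fi
    done
    echo "failures: $fails"
}

# Constructed sample: note the spaces around "=", the slash-form key and a
# duplicated key whose later value wins; IPv6 is not disabled at all.
SAMPLE_SYSCTL=$(mktemp)
trap 'rm -f "$SAMPLE_SYSCTL"' EXIT
cat > "$SAMPLE_SYSCTL" <<'EOF'
kernel.randomize_va_space=1
net.ipv4.conf.all.rp_filter = 1
net/ipv4/conf/all/accept_source_route = 0
net.ipv4.icmp_echo_ignore_broadcasts=1
net.ipv4.conf.all.log_martians = 0
net.ipv4.conf.all.log_martians = 1
EOF

check_sysctl "${1:-$SAMPLE_SYSCTL}"
```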

35. Reduce Spying Impact

In case of highly sensitive data, you should probably use advanced physical protection such as placing and locking the server into a Faraday Cage or use a military TEMPEST solution in order to minimize the impact of spying the system via radio or electrical leaking emanations.

Conclusion

In this short article, we’ve covered many important configurations for Linux security. But, we’ve just scratched the surface of Linux Hardening—there are a lot of complex, nitty-gritty configurations. Remember, Linux hardening and server security isn’t a one-time function: It’s an ongoing journey that requires regular audits, software patches, and data backups. Your efforts to keep up with these necessities could save you a world of trouble.


Frequently Asked Questions

Which Linux OS is best for server?

Widely used Linux Server Distributions of 2020 are:
1. Ubuntu.
2. Red Hat Enterprise Linux (RHEL)
3. SUSE Linux Enterprise Server.
4. CentOS (Community OS) Linux Server.
5. Debian
6. Oracle Linux

Why Linux is used in servers?

Linux is Unix-based, and Unix was originally designed to provide an environment that’s powerful, stable and reliable yet easy to use. Linux systems are widely known for their stability and reliability; many Linux servers on the Internet have been running for years without failure or even being restarted.

Do hackers use Linux?

Linux is an extremely popular operating system for hackers. First of all, Linux’s source code is freely available because it is an open source operating system. This means that Linux is very easy to modify or customize. Second, there are countless Linux security distros available that can double as Linux hacking software.

Why Linux is faster than Windows?

There are many reasons for Linux being generally faster than Windows. Firstly, Linux is very lightweight while Windows is bloated: in Windows, a lot of programs run in the background and eat up RAM. Secondly, the Linux file system is very well organized.

How many servers run on Linux?

96.3% of the world’s top 1 million servers run on Linux. Only 1.9% use Windows, and 1.8% FreeBSD.
You may want to check out our article on supercomputers.