10 Linux Hardening Tips for Beginner SysAdmins

/ / Published in Malika Karoum Global News

Linux systems are secure by design and provide robust administration tools. But no matter how well-designed a system is, its security depends on the user.

Beginners often take years to find the best security policies for their machines. That’s why we are sharing these essential Linux hardening tips for new users like you. Give them a try.

1. Enforce Strong Password Policies

Passwords are the primary authentication method for most systems. No matter if you’re a home user or a professional, enforcing solid passwords is a must. First, disable empty passwords. You won’t believe how many people still use them. 

awk -F: '($ 2 == "") {print}' /etc/shadow

Run the above command as root to view which accounts have empty passwords. If you find someone with an empty password, lock the user right away. You can do this by using the following. 

passwd -l USERNAME

You can also set up password aging to ensure users can’t use old passwords. Use the chage command to do this from your terminal. 

chage -l USERNAME

This command displays the current expiration date. To set password expiration after 30 days, use the below command. Users may use Linux password managers to keep online accounts secure. 

chage -M 30 USERNAME

2. Backup Essential Data

If you’re serious about your data, then set up regular backups. This way, even if your system crashes, you can recover the data fast. But, choosing the right backup method is crucial for Linux hardening.

If you’re a home user, cloning the data into a hard drive could suffice. Enterprises, however, need sophisticated backup systems that offer swift recovery.

3. Avoid Legacy Communication Methods

Linux supports many remote communication methods. But, legacy Unix services like telnet, rlogin, and ftp can pose serious security issues. So, try to avoid them. You may remove them altogether to reduce the security issues associated with them. 

apt-get --purge remove xinetd nis tftpd tftpd-hpa telnetd 
> rsh-server rsh-redone-server

This command removes some widely used but outdated services from Ubuntu/Debian machines. If you’re using an RPM-based system, use the following instead. 

yum erase xinetd ypserv tftp-server telnet-server rsh-server

4. Secure OpenSSH

The SSH protocol is the recommended method of remote communication for Linux. Make sure to secure your OpenSSH server (sshd) configuration. You can learn more about setting up an SSH server here.

Edit the /etc/ssh/sshd_config file to set security policies for ssh. Below are some common security policies anyone can use. 

PermitRootLogin no                 # disables root login
MaxAuthTries 3                     # limits authentication attempts
PasswordAuthentication no          # disables password authentication
PermitEmptyPasswords no            # disables empty passwords
X11Forwarding no                   # disables GUI transmission
DebianBanner no                    # disbales verbose banner
AllowUsers *@XXX.X.XXX.0/24        # restrict users to an IP range

5. Restrict CRON Usage

CRON is a robust job scheduler for Linux. It allows admins to schedule tasks in Linux using the crontab. Thus, it’s crucial to restrict who can run CRON jobs. You can find out all active cronjobs for a user by using the following command. 

crontab -l -u USERNAME

Check the jobs for each user to find out if anyone is exploiting CRON. You may want to block all users from using crontab except you. Run the following command to this. 

echo $ (whoami) >> /etc/cron.d/cron.allow
# echo ALL >> /etc/cron.d/cron.deny

6. Enforce PAM Modules

Linux PAM (Pluggable Authentication Modules) offers powerful authentication features for apps and services. You can use various PAM policies to secure the system’s login. For example, the below commands limit password reuse. 

# CentOS/RHEL
echo 'password sufficient pam_unix.so use_authtok md5 shadow remember=5' >> 
> /etc/pam.d/system-auth
# Ubuntu/Debian
echo 'password sufficient pam_unix.so use_authtok md5 shadow remember=5' >> 
> /etc/pam.d/common-password

They restrict the use of passwords that have been used within the last five weeks. There are many more PAM policies that provide extra layers of security.

7. Remove Unused Packages

Removing unused packages reduces the attack surface on your machine. So, we recommend you delete rarely used packages. You can view all currently installed packages using the below commands. 

yum list installed           # CentOS/RHEL 
apt list --installed         # Ubuntu/Debian

Say you want to remove the unused package vlc. You can do this by running the following commands as root. 

yum remove vlc              # CentOS/RHEL
apt remove vlc              # Ubuntu/Debian

8. Secure Kernel Parameters

Another effective way of Linux hardening is securing the kernel parameters. You can configure these parameters using sysctl or by modifying the configuration file. Below are some common configurations. 

kernel.randomize_va_space=2          # randomnize address base for mmap, heap, and stack
kernel.panic=10                      # reboot after 10 sec following a kernel panic
net.ipv4.icmp_ignore_bogus_error_responses        # protects bad error messages
net.ipv4.ip_forward=0                             # disables IP forwarding
net.ipv4.icmp_ignore_bogus_error_responses=1      # ignores ICP errors

These are just some basic configurations. You will learn different ways of kernel configuration with experience.

9. Configure iptables

Linux kernels provide robust filtering methods for network packets via its Netfilter API. You can use iptables to interact with this API and set up custom filters for network requests. Below are some basic iptables rules for security-focused users. 

-A INPUT -j REJECT              # reject all inbound requests
-A FORWARD -j REJECT            # reject traffic forwarding
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT       # allow traffic on localhost
# allow ping requests
-A OUTPUT -p icmp -j ACCEPT     # allow outgoing pings
# allow established/related connections
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# allow DNS lookups
-A OUTPUT -p udp -m udp --dport 53 -j ACCEPT
# allow http/https requests
-A OUTPUT -p tcp -m tcp --dport 80 -m state --state NEW -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 443 -m state --state NEW -j ACCEPT
# allow SSH access
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 22 -j ACCEPT

10. Monitor Logs

You can utilize logs for making better sense of your Linux machine. Your system stores several log files for apps and services. We’re outlining the essential ones here.

  • /var/log/auth.log — logs authorization attempts
  • /var/log/daemon.log — logs background apps
  • /var/log/debug — logs debugging data
  • /var/log/kern.log — logs kernel data
  • /var/log/syslog — logs system data
  • /var/log/faillog — logs failed logins

Best Linux Hardening Tips for Beginners

Securing a Linux system is not as hard as you think. You can harden security by following some of the tips mentioned in this guide. You’ll master more ways of securing Linux as you gain experience.

MakeUseOf – Feed

Tagged under: , , , ,

What you can read next

The 7 Best Buy Now, Pay Later Sites
How to Build a Home Theater on the Cheap
How to Easily Bypass YouTube’s Regional Filter