Linux systems are secure by design and provide robust administration tools. But no matter how well-designed a system is, its security depends on the user.
Beginners often take years to find the best security policies for their machines. That’s why we are sharing these essential Linux hardening tips for new users like you. Give them a try.
1. Enforce Strong Password Policies
Passwords are the primary authentication method for most systems. No matter if you’re a home user or a professional, enforcing solid passwords is a must. First, disable empty passwords. You won’t believe how many people still use them.
awk -F: '($ 2 == "") {print}' /etc/shadowRun the above command as root to view which accounts have empty passwords. If you find someone with an empty password, lock the user right away. You can do this by using the following.
passwd -l USERNAMEYou can also set up password aging to ensure users can’t use old passwords. Use the chage command to do this from your terminal.
chage -l USERNAMEThis command displays the current expiration date. To set password expiration after 30 days, use the below command. Users may use Linux password managers to keep online accounts secure.
chage -M 30 USERNAME2. Backup Essential Data
If you’re serious about your data, then set up regular backups. This way, even if your system crashes, you can recover the data fast. But, choosing the right backup method is crucial for Linux hardening.
If you’re a home user, cloning the data into a hard drive could suffice. Enterprises, however, need sophisticated backup systems that offer swift recovery.
3. Avoid Legacy Communication Methods
Linux supports many remote communication methods. But, legacy Unix services like telnet, rlogin, and ftp can pose serious security issues. So, try to avoid them. You may remove them altogether to reduce the security issues associated with them.
apt-get --purge remove xinetd nis tftpd tftpd-hpa telnetd
> rsh-server rsh-redone-serverThis command removes some widely used but outdated services from Ubuntu/Debian machines. If you’re using an RPM-based system, use the following instead.
yum erase xinetd ypserv tftp-server telnet-server rsh-server4. Secure OpenSSH
The SSH protocol is the recommended method of remote communication for Linux. Make sure to secure your OpenSSH server (sshd) configuration. You can learn more about setting up an SSH server here.
Edit the /etc/ssh/sshd_config file to set security policies for ssh. Below are some common security policies anyone can use.
PermitRootLogin no # disables root login
MaxAuthTries 3 # limits authentication attempts
PasswordAuthentication no # disables password authentication
PermitEmptyPasswords no # disables empty passwords
X11Forwarding no # disables GUI transmission
DebianBanner no # disbales verbose banner
AllowUsers *@XXX.X.XXX.0/24 # restrict users to an IP range5. Restrict CRON Usage
CRON is a robust job scheduler for Linux. It allows admins to schedule tasks in Linux using the crontab. Thus, it’s crucial to restrict who can run CRON jobs. You can find out all active cronjobs for a user by using the following command.
crontab -l -u USERNAME
Check the jobs for each user to find out if anyone is exploiting CRON. You may want to block all users from using crontab except you. Run the following command to this.
echo $ (whoami) >> /etc/cron.d/cron.allow
# echo ALL >> /etc/cron.d/cron.deny6. Enforce PAM Modules
Linux PAM (Pluggable Authentication Modules) offers powerful authentication features for apps and services. You can use various PAM policies to secure the system’s login. For example, the below commands limit password reuse.
# CentOS/RHEL
echo 'password sufficient pam_unix.so use_authtok md5 shadow remember=5' >>
> /etc/pam.d/system-auth
# Ubuntu/Debian
echo 'password sufficient pam_unix.so use_authtok md5 shadow remember=5' >>
> /etc/pam.d/common-passwordThey restrict the use of passwords that have been used within the last five weeks. There are many more PAM policies that provide extra layers of security.
7. Remove Unused Packages
Removing unused packages reduces the attack surface on your machine. So, we recommend you delete rarely used packages. You can view all currently installed packages using the below commands.
yum list installed # CentOS/RHEL
apt list --installed # Ubuntu/Debian
Say you want to remove the unused package vlc. You can do this by running the following commands as root.
yum remove vlc # CentOS/RHEL
apt remove vlc # Ubuntu/Debian8. Secure Kernel Parameters
Another effective way of Linux hardening is securing the kernel parameters. You can configure these parameters using sysctl or by modifying the configuration file. Below are some common configurations.
kernel.randomize_va_space=2 # randomnize address base for mmap, heap, and stack
kernel.panic=10 # reboot after 10 sec following a kernel panic
net.ipv4.icmp_ignore_bogus_error_responses # protects bad error messages
net.ipv4.ip_forward=0 # disables IP forwarding
net.ipv4.icmp_ignore_bogus_error_responses=1 # ignores ICP errors
These are just some basic configurations. You will learn different ways of kernel configuration with experience.
9. Configure iptables
Linux kernels provide robust filtering methods for network packets via its Netfilter API. You can use iptables to interact with this API and set up custom filters for network requests. Below are some basic iptables rules for security-focused users.
-A INPUT -j REJECT # reject all inbound requests
-A FORWARD -j REJECT # reject traffic forwarding
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT # allow traffic on localhost
# allow ping requests
-A OUTPUT -p icmp -j ACCEPT # allow outgoing pings
# allow established/related connections
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# allow DNS lookups
-A OUTPUT -p udp -m udp --dport 53 -j ACCEPT
# allow http/https requests
-A OUTPUT -p tcp -m tcp --dport 80 -m state --state NEW -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 443 -m state --state NEW -j ACCEPT
# allow SSH access
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 22 -j ACCEPT10. Monitor Logs
You can utilize logs for making better sense of your Linux machine. Your system stores several log files for apps and services. We’re outlining the essential ones here.
- /var/log/auth.log — logs authorization attempts
- /var/log/daemon.log — logs background apps
- /var/log/debug — logs debugging data
- /var/log/kern.log — logs kernel data
- /var/log/syslog — logs system data
- /var/log/faillog — logs failed logins
Best Linux Hardening Tips for Beginners
Securing a Linux system is not as hard as you think. You can harden security by following some of the tips mentioned in this guide. You’ll master more ways of securing Linux as you gain experience.
