Most important steps for Linux server hardening

Linux Server Hardening

1. Install security patches

Most weaknesses on a system are caused by flaws in software, so upgrade the system and install software updates. It is fairly easy, carries limited risk, yet has a great impact. Most Linux distributions have the option to limit which packages you want to upgrade. In particular, make sure that security updates are installed as soon as they become available.

Depending on your Linux distribution there might be a way to implement security patches automatically, like unattended-upgrades on Debian and Ubuntu. This makes software patch management a lot easier.
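As an added example (not part of the original post), the shell function below writes the two apt configuration snippets that unattended-upgrades reads on Debian and Ubuntu, restricted to the security origin so feature updates still go through your normal change process. The configuration keys are the real ones from unattended-upgrades; the file names 20auto-upgrades and 52unattended-upgrades-local and the optional directory argument are assumptions made so the function can be exercised against a scratch directory.

```shell
# Added example: enable daily, security-only automatic upgrades by writing the
# apt configuration that unattended-upgrades reads. The directory defaults to
# /etc/apt/apt.conf.d; pass another path to try it out without touching the host.
enable_security_autoupgrades() {
    conf_dir="${1:-/etc/apt/apt.conf.d}"
    mkdir -p "$conf_dir"

    # 20auto-upgrades: refresh package lists and run unattended-upgrades daily.
    cat > "$conf_dir/20auto-upgrades" <<'EOF'
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Unattended-Upgrade "1";
EOF

    # 52unattended-upgrades-local (assumed file name): only the security
    # origin is allowed, unused dependencies are cleaned up, and the host is
    # never rebooted on its own. The ${distro_id}/${distro_codename} variables
    # are expanded by unattended-upgrades itself, hence the quoted heredoc.
    cat > "$conf_dir/52unattended-upgrades-local" <<'EOF'
Unattended-Upgrade::Allowed-Origins {
    "${distro_id}:${distro_codename}-security";
};
Unattended-Upgrade::Remove-Unused-Dependencies "true";
Unattended-Upgrade::Automatic-Reboot "false";
EOF
    echo "$conf_dir/52unattended-upgrades-local"
}

# Sanity check for a generated file: how many allowed origins are security
# pockets? Anything else listed here would pull in non-security updates.
count_security_origins() {
    grep -c -- '-security"' "$1"
}
```

After running the function on a real host, `unattended-upgrade --dry-run --debug` shows which packages the next run would install, which is the quickest way to confirm the origin matches your apt sources.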

2. Use secure passwords

The main gateway to a system is by logging in as a valid user with the related password of that account. Strong passwords make it more difficult for tools to guess the password and let malicious people walk in via the front door.

3. Bind processes to localhost

Not all services have to be available via the network. For example, when running a local instance of MySQL on your web server, let it only listen on a local socket or bind to localhost (127.0.0.1). Then tell your application to connect via this local address.
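To check whether the advice above is actually in place, here is an added example (not from the original post) that reads `ss -H -tuln` output and reports every listener that is bound to something other than a loopback address. The sample socket lines are constructed for the demonstration; on a live host you would pipe the real `ss` output into the function.

```shell
# Added example: list listening sockets reachable from the network, i.e. bound
# to anything other than a loopback address. Input is "ss -H -tuln" style
# output on stdin; on a live host run:  ss -H -tuln | exposed_listeners
exposed_listeners() {
    # Field 5 is "Local Address:Port". Strip the port (text after the last
    # colon) and the IPv6 brackets, then keep anything that is not loopback.
    awk '{
        addr = $5
        sub(/:[^:]*$/, "", addr)
        gsub(/\[|\]/, "", addr)
        if (addr !~ /^127\./ && addr != "::1")
            print $1, $5
    }'
}

# Constructed sample: MySQL bound to localhost (fine), SSH and a web server on
# all interfaces (expected for those), Redis on the IPv6 loopback (fine) and
# the local stub resolver (fine). The MySQL line is what you get from
# "bind-address = 127.0.0.1" in the [mysqld] section of my.cnf.
SAMPLE_SS='tcp LISTEN 0 128 127.0.0.1:3306 0.0.0.0:*
tcp LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
tcp LISTEN 0 511 [::1]:6379 [::]:*
tcp LISTEN 0 511 *:80 *:*
udp UNCONN 0 0 127.0.0.53%lo:53 0.0.0.0:*'

# Number of network-reachable listeners in the sample (expected: 2).
count_exposed_in_sample() {
    printf '%s\n' "$SAMPLE_SS" | exposed_listeners | wc -l | tr -d ' '
}
```

Every line the function prints should correspond to a service you deliberately expose; anything else is a candidate for binding to 127.0.0.1 or a Unix socket.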

4. Implement a firewall

In an ideal situation, only allowed traffic reaches your system. To achieve this, implement a firewall solution like iptables, or the newer nftables.

When creating a policy for your firewall, consider using a “deny all, allow some” policy. So you deny all traffic by default, then define what kind of traffic you want to allow. This is especially useful for incoming traffic, to prevent sharing services you didn’t intend to share.
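The following added example (not from the original post) writes a "deny all, allow some" nftables ruleset as described above: the input chain drops by default and only loopback, established connections, ICMP and an explicit list of TCP ports are accepted. The port list 22, 80, 443 is an assumption for a typical web server; the second function checks that the input chain really has a drop policy, which is the mistake most worth catching.

```shell
# Added example: generate a default-deny nftables ruleset. Ports default to a
# web-server set (assumption) and can be passed as a second argument.
write_nft_ruleset() {
    out="$1"
    ports="${2:-22, 80, 443}"
    cat > "$out" <<EOF
#!/usr/sbin/nft -f
flush ruleset
table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        iif "lo" accept
        ct state established,related accept
        ct state invalid drop
        ip protocol icmp accept
        ip6 nexthdr ipv6-icmp accept
        tcp dport { $ports } accept
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
    }
    chain output {
        type filter hook output priority 0; policy accept;
    }
}
EOF
}

# Return 0 only when the input chain's default policy is drop. A chain that
# says "policy accept" and drops a few things is not "deny all, allow some".
input_default_is_drop() {
    awk '
        /chain input/ { inchain = 1 }
        inchain && /policy drop;/ { found = 1; exit }
        /}/ { inchain = 0 }
        END { exit !found }
    ' "$1"
}
```

Apply the generated file with `nft -f /etc/nftables.conf` and enable the nftables service so it is loaded at boot; test from a second machine that only the listed ports answer before closing your session, since a mistake in the SSH rule locks you out.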


5. Keep things clean

Everything installed on a system that doesn't belong there can only negatively impact your machine. It will increase your backups (and restore times), it might contain vulnerabilities, and it will clutter up the system. The same is true for unused user accounts.

6. Secure configurations

Most applications have one or more security measures available to protect against some forms of threats to the software or system. Look at the man page for any options and test these options carefully.

7. Limit access

Only allow access to the machine for authorized users. Does someone really need access or are alternative methods possible to give the user what he or she wants?
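Steps 5 and 7 both come down to knowing which accounts can still log in. This added example (not from the original post) reads passwd-format lines and reports accounts with an interactive shell plus any UID 0 account other than root. The passwd content is constructed for the demonstration; on a live host you would feed it /etc/passwd.

```shell
# Added example: report accounts that can start a login session, and any
# account besides root that has UID 0. Reads passwd-format lines from stdin;
# on a live host:  audit_accounts < /etc/passwd
audit_accounts() {
    awk -F: '
        # Shells that cannot start a session mark service accounts, not people.
        $7 !~ /(nologin|false|sync|halt|shutdown)$/ {
            print "login:", $1, "uid=" $3, "shell=" $7
        }
        # A second UID 0 account is root under another name.
        $3 == 0 && $1 != "root" { print "WARNING extra uid0:", $1 }
    '
}

# Constructed sample passwd content: two service accounts, one user who left,
# one active user and a leftover second root account.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
olduser:x:1001:1001:Left in 2019:/home/olduser:/bin/bash
toor:x:0:0:second root:/root:/bin/sh
deploy:x:1002:1002::/home/deploy:/bin/bash'

# Number of login-capable accounts in the sample (expected: 4).
count_login_accounts_in_sample() {
    printf '%s\n' "$SAMPLE_PASSWD" | audit_accounts | grep -c '^login:'
}
```

Each reported login account should map to a person or process that still needs it; the rest get locked (`passwd -l`) or removed, and an unexpected UID 0 account is worth an incident ticket rather than a quiet cleanup.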

8. Monitor your systems

Most intrusions go undetected due to a lack of monitoring. Implement normal system monitoring and add monitoring of security events. For example, using the Linux audit framework increases the detection rate of suspicious events.
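As an added example (not from the original post) of what "monitoring on security events" with the Linux audit framework looks like, the first function writes a small audit rules file watching identity and privilege files, and the second summarises audit.log lines by rule key so you can see the events those rules generate. The audit log lines are constructed for the demonstration; the rules file path is whatever you pass in (on a real host, a file under /etc/audit/rules.d/).

```shell
# Added example: minimal auditd rules for the files an attacker touches when
# adding users or privileges, each tagged with a key for easy searching.
write_audit_rules() {
    cat > "$1" <<'EOF'
## Drop existing rules and size the backlog before loading new ones.
-D
-b 8192
## Identity files: any write or attribute change is worth an event.
-w /etc/passwd -p wa -k identity
-w /etc/shadow -p wa -k identity
-w /etc/group -p wa -k identity
## Privilege and remote-access configuration.
-w /etc/sudoers -p wa -k privilege
-w /etc/sudoers.d/ -p wa -k privilege
-w /etc/ssh/sshd_config -p wa -k sshd
## Uncomment to make the rules immutable until reboot once they are stable.
#-e 2
EOF
}

# Count audit events per rule key from audit.log lines on stdin, e.g.
#   audit_key_counts < /var/log/audit/audit.log
audit_key_counts() {
    awk '{
        for (i = 1; i <= NF; i++)
            if ($i ~ /^key="/) { k = $i; gsub(/^key="|"$/, "", k); c[k]++ }
    }
    END { for (k in c) print k, c[k] }' | sort
}

# Constructed sample of SYSCALL records as produced by the rules above.
SAMPLE_AUDIT='type=SYSCALL msg=audit(1700000000.101:201): arch=c000003e syscall=257 success=yes exit=3 comm="vi" exe="/usr/bin/vi" key="identity"
type=SYSCALL msg=audit(1700000000.102:202): arch=c000003e syscall=257 success=yes exit=4 comm="visudo" exe="/usr/sbin/visudo" key="privilege"
type=SYSCALL msg=audit(1700000000.103:203): arch=c000003e syscall=257 success=no exit=-13 comm="cat" exe="/usr/bin/cat" key="identity"'
```

Load the rules with `augenrules --load` (or `auditctl -R`), then `ausearch -k identity` shows the full event chain for a key; the per-key counts are a cheap baseline, so a sudden jump in `privilege` events on a host nobody is supposed to administer is the kind of signal the post is talking about.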

9. Create backups (and test!)

Regularly make a backup of system data to prevent data loss. Even more important: test your backups!

Backups can be done with existing system tools like tar and scp. Another option to spare bandwidth is synchronizing data with rsync. If you would rather use a backup program, consider Amanda or Bacula.
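The "test your backups" advice in code, as an added example (not from the original post): one function creates a tar archive of a directory, another restores it into a scratch directory and compares the result with the source, failing when anything is missing, extra or changed. The function and variable names are my own; the tar and diff invocations are standard.

```shell
# Added example: back up a directory with tar and prove the archive restores.

# Create a gzip-compressed archive of SRC; -C keeps paths relative to SRC.
create_backup() {
    src="$1"; archive="$2"
    tar -czf "$archive" -C "$src" .
}

# Restore ARCHIVE into a scratch directory and compare it with SRC.
# Returns 0 only when the restored tree matches byte for byte.
verify_backup() {
    src="$1"; archive="$2"
    restore=$(mktemp -d)
    if ! tar -xzf "$archive" -C "$restore" 2>/dev/null; then
        rm -rf "$restore"
        return 1            # corrupt or truncated archive
    fi
    # diff -r walks both trees; -q keeps the output to one line per difference.
    if diff -rq "$src" "$restore" >/dev/null; then
        status=0
    else
        status=1
    fi
    rm -rf "$restore"
    return $status
}

# The whole cycle: a backup only counts once it has been restored successfully.
backup_and_verify() {
    create_backup "$1" "$2" && verify_backup "$1" "$2"
}
```

Run `backup_and_verify /etc /backup/etc-$(date +%F).tar.gz` from a scheduled job and alert on a non-zero exit; for off-host copies, `rsync -a --delete` of the archive directory keeps bandwidth use limited to what changed, as the post notes.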

10. Perform system auditing

Screenshot of a Linux server security audit performed with Lynis.

Use a tool like Lynis to perform a regular audit of your system and perform further hardening steps.

Lynis runs on almost all Unix or Linux based systems and only requires a normal shell and root permissions.

It will scan the system and perform an in-depth security audit and explain what can be done to improve the system even further. Best of all, the normal Lynis version is free to use and open source.

Lynis Enterprise

Lynis Enterprise screenshot to help with system hardening

This blog post is part of our Linux security series and the mission to get Linux and Unix-based systems more secure.

Does system hardening take a lot of time, or do you have compliance requirements in your company? Have a look at Lynis Enterprise.

Or start today with the open source security scanner Lynis (GitHub)