Additionally to the security hardening checklist shown below, this article includes brief explanations of each recommendation, including links to tutorials showing how to implement them with real scenario screenshots. The document is optimized for both novel and advanced users.
All tips described in this article are useful for every Linux distribution. Unix operating system users also may find this tutorial useful to protect their systems.”
Note: The following Linux security hardening checklist was initially written in 2019 and updated in 2022.
Linux Security Hardening Checklist
Disable SSH
The SSH service is one of the most used targets for attackers. Through SSH access, a hacker may break into the target system to escalate privileges, getting full control of the system. It is worth reminding that local execution exploits are more dangerous than remote exploits since local exploits aren’t filtered by firewalls.
Both home and corporate users must deactivate all unnecessary services since they represent doors for hackers to access the target system.
The main recommendation is to fully remove unwanted services. If you think in the future you may use a service currently unnecessary, read this tutorial with specific instructions on identifying and disabling unused services. If you need to keep the SSH service, keep reading below for instructions to secure it.
Disable SSH Root Access
As said in the previous recommendation to disable or remove the SSH service, this service may be vulnerable to certain attacks if wrongly configured.
An important measure to take to secure SSH access is to disable the root login. The main reason to disable root login through SSH is that every Linux system’s main superuser is a root; therefore, an attacker already knows your system has the root superuser and may use it in a brute force attack needing only to break your password. Additionally, another important reason to disable root access through SSH is to make it difficult for an attacker to get privileged access aided by exploits.
At LinuxHint, we have published a tutorial on how to disable the SSH root access you can read here.
Change SSH Default Port
Many attackers launch massive, indiscriminate attacks against random targets. If an attacker tries to massively identify devices by scanning the SSH port (22), he will fail against systems serving SSH access through a different port than 22.
Disabling SSH Password Authentication
SSH password authentication is the least safe. Other methods like key authentication are recommended to replace password login, which is vulnerable to many types of attacks, including brute force, the easiest attack method any inexperienced user can launch. In this link, you can read instructions to disable SSH password authentication and enable key authentication.
Define Proper Nftables or Iptables Rules
Implementing custom firewall rules is a must and a basic measure to secure your device. Firewalls are the first defense against malicious traffic, unwanted connections and unwanted scans trying to find security holes in your system.
Nftables and Iptables are interfaces to manage and define firewall rules in Linux. Home users may prefer UFW (Uncomplicated Firewall), which is a frontend for iptables to make firewall rules creation more user-friendly.
Depending on your desktop or server needs, most recommended firewall rules include restrictive policies allowing only needed traffic and connections. Also, firewalls are useful for redirecting default ports to custom ports, making it harder for attackers to identify your system-enabled services.
System administrators can find instructions to secure systems with Iptables at this link. Home users may choose UFW, which is easier to manage and can be learned at this link.
Implement IDS (Intrusion Detection System)
IDS (Intrusion Detection System) brings the security to the next level allowing it to analyze packets and detect anomalies and unauthorized access to the system. IDS is a great complement for firewalls. IDS monitors the network traffic looking for malicious packets to identify and report security incidents. The most popular IDS are Snort and OSSEC.
This security hardening checklist doesn’t recommend IDS for home users because of the large number of resources they require. Yet, if you enjoy good resources, adding them is always a good choice.
You can read this tutorial to get started with OSSEC. Regarding Snort, at LinuxHint, we have published several tutorials listed below.
Secure the BIOS
Rootkits, malware and server BIOS with remote access represent additional vulnerabilities both for servers and domestic devices. The BIOS can be hacked through code executed from the OS or through update channels to get unauthorized access or to store rootkits forever, forcing hardware replacement and precluding backup restoration.
The best way to protect your BIOS is to keep it updated, for which you can find instructions here.
Encrypt Storage Devices and Partitions
This is a more relevant measure for Desktop users who may lose their computers or be theft victims; it is especially useful for laptop users to prevent thieves from accessing information. Today almost every OS supports Disk and partition encryption; Linux distributions allow to encrypt of the hard disk during the installation process. For instructions on disk encryption, check the article How to Encrypt a Drive in Linux.
Protect System Against Rootkits
Rootkits are malicious software granting attackers unauthorized access. They are extremely difficult to detect due to their ability to hide. Some rootkits get access to the system BIOS requiring hardware replacement as a solution. Rootkits prevention and removal most popular software are Chrootkit and Rkhunter. You can get started with Chkrootkit by reading this tutorial which also includes instructions for Rkhunter.
Keep the System Up To Date
Both desktop users and system administrators must keep the system up to date to prevent vulnerable versions from offering unauthorized access or execution. Additionally, using the OS-provided package manager to check for available updates running vulnerability scans may help to detect vulnerable software which wasn’t updated on official repositories or vulnerable code which needs to be rewritten. Below are some tutorials to update Linux operating systems and installed software:
- How do I check for updates on Debian 11?
- How to Upgrade Kernel in Debian 11 Bullseye
- How to Update and Upgrade CentOS 8
- Linux Mint How to Update System
- CentOS Update
- Install or Upgrade To Latest Linux Kernel on Ubuntu 20.04 & Linux Mint 20
VPN (Virtual Private Network)
Internet users must be aware that ISPs monitor all their traffic, and the only way to afford this is by using a VPN service. The ISP is able to monitor the traffic to the VPN server but not from the VPN to final destinations. Since VPN may affect speed negatively, this is not a recommended option for servers. To minimize the effect on connection speed, it is recommended to use a paid service. ProtonVPN is a great option offering both free and paid services. You can learn how to install ProtonVPN at this link.
Enable SELinux (Security-Enhanced Linux)
SELinux is a set of Linux Kernel modifications focused on managing security aspects related to security policies by adding MAC (Mechanism Access Control), RBAC (Role-Based Access Control), and MLS (Multi-Level Security) and Multi-Category Security (MCS). When SELinux is enabled, an application can only access the specified resources it needs. Allowed resources are defined through security policies. Access to ports, processes, files and directories are controlled through rules defined on SELinux, which allows or denies operations based on the security policies. At LinuxHint, we have published some articles on this feature which are listed below.
Implement Honeypots and Honeynets
A honeypot is a tool simulating a target which is really a recorder of attackers’ activity. Multiple honeypots simulating multiple devices, services, and applications are known as a honeynet.
Basically, Honeypots and Honeynets are fake targets both to distract attackers from real targets and to record their activity. You can learn how to implement both honeypots and honeynets here.
Externally Scan Your Device for Vulnerabilities
A good practice to keep your system safe is to see what attackers see when they target your system. This can be achieved by scanning your system to find vulnerabilities. There are many alternatives in the market you can use to scan your system. Some tutorials are listed below.
- How to scan for services and vulnerabilities with Nmap
- Getting started with Nikto vulnerability scanner
- Installing Nexpose Vulnerability Scanner on Debian/Ubuntu
Common Practices
- Do not use root unless necessary.
- Never use X Windows or browsers as root.
- Use password managers like LastPass.
- Use strong and unique passwords only.
- Try not to install non-free packages or unavailable packages at official Linux repositories.
- Disable unused modules.
- On servers, enforce strong passwords and prevent users from using old passwords.
- Uninstall unused software.
- Don’t use the same passwords for different accesses.
- Change all default access usernames.
Conclusion
As you can see in the above Linux Security hardening checklist, protecting the system is not an easy task and requires numerous security measures. Yet, despite the number of tasks users need to complete to secure their systems, each recommendation can be implemented by all Linux users independently of their experience level by reading the linked tutorials on each item, which are optimized to be understandable by novel users. Most recommendations can also be applied to other operating systems like BSD systems. Applying the numerated tips will definitely dissuade random attackers from targeting you. A strongly protected system is less attractive to attackers.
I hope this security hardening checklist was useful for you to secure your system. Keep reading us for additional Linux professional tutorials.
