Linux Hardening
Some information on linux hardening
Linux Hardening Overview
Linux Hardening Testing Checklist
| Area | Action |
|---|---|
| 1. File Permissions | Ensure sensitive files have restricted permissions. |
| Verify directory permissions and ownerships. | |
| 2. System Updates | Ensure the system is up-to-date. |
| Check for installed kernel patches. | |
| 3. User Account Security | Disable unused or unnecessary user accounts. |
| Lock or expire unnecessary accounts. | |
| 4. Password Policies | Enforce strong password policies. |
| Set password expiration and history. | |
| 5. SSH Configuration | Disable root login via SSH. |
| Disable password-based authentication for SSH. | |
| Use SSH key pairs instead. | |
| Enforce SSH protocol 2 only. | |
| 6. Firewall Configuration | Ensure firewall is enabled and configured correctly. |
| Allow only necessary ports through the firewall. | |
| 7. File Integrity | Implement file integrity checking. |
| 8. Logs and Auditing | Ensure auditing is enabled and logs are monitored. |
| Check logs for suspicious activity. | |
| 9. Sudo and Privileges | Limit sudo access to specific users. |
| Avoid unnecessary privileges to users. | |
| 10. Security Updates | Enable automatic security updates. |
| 11. Intrusion Detection | Install an IDS system for monitoring. |
| 12. System Services | Disable unnecessary or unused services. |
| 13. SELinux/AppArmor | Enable SELinux or AppArmor for mandatory access control (MAC). |
| 14. Cron Jobs | Ensure that cron jobs are secure and not vulnerable. |
| 15. Network Configuration | Disable IPv6 if not needed. |
| 16. Kernel Hardening | Enable kernel security features like grsecurity. |
| Disable core dumps to prevent information leakage. | |
| 17. Removal of Unnecessary Packages | Remove unnecessary software packages. |
| 18. Virtualization Hardening | Disable unnecessary virtualization features. |
| 19. Secure Boot Configuration | Ensure secure boot is enabled (if available). |
| 20. Encryption | Use disk encryption for sensitive data. |
Tools for Linux Hardening Testing
| Tool | Purpose |
|---|---|
| Lynis | Auditing tool for security hardening of Linux systems. |
| OpenSCAP | Compliance scanning and vulnerability management tool. |
| Tiger | Security scanner to detect misconfigurations and vulnerabilities. |
| OSSEC | Host-based Intrusion Detection System. |
| Auditd | Auditing framework to log and monitor system activities. |
| AIDE | File integrity checker to detect changes to critical files. |
| Chkrootkit | Rootkit detection tool. |
| RKHunter | Rootkit scanner for Linux systems. |
| Nessus | Vulnerability scanning tool for system security checks. |
| Nmap | Network scanner used to detect open ports and services. |
| Fail2ban | Protects the system from brute force attacks by banning IPs. |
| Netcat | Networking utility often used in penetration testing. |
| Snort | Network intrusion detection system (NIDS). |
| HIDS (Host-based IDS) | For host intrusion detection. |
| SELinux | Mandatory access control (MAC) implementation. |
| AppArmor | MAC for Linux. |
Conclusion
This checklist helps you systematically harden your Linux system and can be used with the tools provided to ensure maximum security. Regularly audit and update the system to stay protected against new vulnerabilities.