Securing their servers is crucial for individuals and teams alike. Linux is one of the most secure operating systems available, but threats still exist, so you must stay two steps ahead of attackers.
Let’s discuss the 40 best Linux security tips in this article.
40 Linux Security Tips | Linux hardening
Here we have curated the best security tips for Linux hardening:
1. Create and maintain backups
Backups are essential to the security of a system: if you suffer a cyber attack, a backup lets you restore all of your data. There are various options available to create daily backups for your server, such as
Make sure to test these backup tools regularly.
2. Enable firewall
A firewall shields the system from unauthorized access. DDoS attacks are becoming more common, and a firewall is an excellent first line of protection against them.
3. Keep the Linux kernel up-to-date
Keeping the kernel current is an essential step in maintaining a Linux server. Moreover, you must closely monitor the security updates.
Tip: use your distribution's package manager to apply updates (yum on RPM-based systems, apt-get on Debian-based systems):
- # yum update
- # apt-get update && apt-get upgrade
4. Use Linux security extensions
A couple of security extensions can be used to protect the Linux server. Here is a list of the top ones:
- AppArmor: protects the system from both external and internal threats.
- SELinux: provides a powerful access control mechanism for the server.
- Grsecurity: provides security alerts that include the IP addresses of potential threats to the system.
5. Minimize redundant software
Removing unwanted applications from the system is a simple yet highly effective way to close risky loopholes. Use your package manager to list the installed software and remove what is no longer needed.
You can use the following:
- # dpkg --list
- # dpkg --info packageName
- # apt-get remove packageName
6. GnuPG encryption for web security
Whenever you transfer files over the network, keep the files and their passwords encrypted; the chance of an attack on data in transit is high, and encryption adds a further layer of protection. GnuPG is an excellent tool for this and for securing web hosting.
7. Use Kerberos
Kerberos greatly enhances Linux server security. It is a trusted third-party authentication service based on symmetric-key cryptography. With it, you can log in remotely, copy files securely between systems, and use other protected services.
Moreover, this service also catches unauthorized users, who can be potential threats.
8. Disable social media tracking
As you know, we use social media platforms heavily at present. Different channels gather your information as soon as you click the share buttons on various websites. To disable this, go to your social media account settings and turn the tracking options off.
9. Use SELinux
Security-Enhanced Linux (SELinux) provides strong access control for your server. It blocks malicious attempts to gain administrative access to your system and protects the system from various kinds of malware.
10. Privacy Badger Extension
Privacy Badger is an open-source browser extension that stops third-party trackers from following you across websites. It blocks cookies and ads that try to track you from page to page, which keeps you safer from malicious third-party activity online.
11. System accounting with auditd
Auditd is used for various system audits. With its help, you can learn the following about your system:
- The time at which an event occurred.
- Whether an event succeeded or failed.
- Any change to the date and time of various events.
- The name of the individual who changed a file or altered network settings.
12. Linux Kernel Runtime Guard
Linux Kernel Runtime Guard (LKRG) is a kernel module. It checks the integrity of the running Linux kernel and detects attempts to exploit vulnerabilities in it.
Hence, it is a great option for protecting your system against unauthorized access.
13. Carefully set privacy settings and permissions
Most browsers have a ‘do not track’ option in their settings. This option collects and tracks your data, so make sure you disable it. Further, set your accounts on the various social media platforms to private, as publicly available data can be collected.
14. Use SSH (Secure Shell)
SSH is a secure protocol that protects system administrators' sessions. Most data centers and large enterprises use it for additional security when working across different networks.
Additionally, its cryptography protects your traffic against eavesdropping attacks. Currently, this protocol is used by most servers, especially UNIX or Linux ones, and in the cloud.
15. Check network ports to clear the clutter
You can use these two commands:
- Check all open ports with the netstat networking command.
- Use the chkconfig command to disable any services that are no longer in use or needed.
16. Set strong password policies
Never use easy passwords just because they are easy to remember; they lead to easy data breaches and security challenges. Instead, use passwords that mix letters, digits and other characters for your applications and files.
17. Separate disk partitions
You must separate the operating system, software, and user files. If everything sits on the same partition, a breach can wipe out all of your data at once. Additionally, install third-party apps on separate partitions.
You can use the below-mentioned recommended partition scheme:
- /
- /boot
- /usr
- /var
- /home
- /tmp
- /opt
18. Prevent using FTP, Telnet, or RSH commands
If someone on the network is running a packet sniffer, it becomes extremely easy to capture passwords or files sent over these protocols. Instead, use:
- OpenSSH
- SFTP
- FTPS
To discard any insecure services, use:
$ sudo apt-get --purge remove xinetd nis yp-tools tftpd atftpd tftpd-hpa telnetd rsh-server rsh-redone-server
19. Set up Password Aging
After a certain number of days, a password must be changed. The chage command is helpful: it tracks the date of the last password change so that you can determine when you must take action. Each account entry in /etc/shadow follows this format:
{userName}:{password}:{lastpasswdchanged}:{Minimum_days}:{Maximum_days}:{Warn}:{Inactive}:{Expire}:
Minimum_days: the minimum number of days between password changes.
Maximum_days: the maximum number of days a password remains valid.
Warn: the number of days before expiry on which the user starts receiving a warning.
Expire: the exact date after which the user is no longer allowed to use the password.
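An added example (not code from the original post) that applies the aging fields above: it parses constructed shadow-format records and classifies each account against the Maximum_days and Warn fields. The sample records and the placeholder hash fields are constructed for this example; run it against the real /etc/shadow as root to audit a live system.

```python
import datetime as dt

# Constructed /etc/shadow-style records (not real accounts); hash fields are placeholders.
SAMPLE_SHADOW = """\
root:$6$placeholder:19800:0:99999:7:::
alice:$6$placeholder:19700:1:90:14:::
bob:$6$placeholder:19720:1:90:14:::
dave:$6$placeholder:19780:1:90:14:::
svc:!:19000:0:99999:7:::
"""

def parse_shadow(text):
    """Split shadow-format lines into the fields described in the tip above."""
    records = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        f = line.split(":")
        records.append({
            "user": f[0],
            "locked": f[1].startswith(("!", "*")),      # locked or no password set
            "last_change": int(f[2]) if f[2] else None,  # days since 1970-01-01
            "max_days": int(f[4]) if f[4] else None,     # Maximum_days
            "warn": int(f[5]) if f[5] else 0,            # Warn
        })
    return records

def aging_report(text, today_days):
    """Classify each account as locked, never (no aging policy), expired, warning or ok."""
    report = {}
    for r in parse_shadow(text):
        if r["locked"]:
            status = "locked"
        elif r["last_change"] is None or r["max_days"] is None or r["max_days"] >= 99999:
            status = "never"                     # 99999 means aging is effectively off
        else:
            expires = r["last_change"] + r["max_days"]
            if today_days > expires:
                status = "expired"
            elif today_days >= expires - r["warn"]:
                status = "warning"               # inside the Warn window
            else:
                status = "ok"
        report[r["user"]] = status
    return report

def days_since_epoch(date=None):
    date = date or dt.date.today()
    return (date - dt.date(1970, 1, 1)).days     # the unit shadow uses for date fields
```

Calling aging_report(open("/etc/shadow").read(), days_since_epoch()) as root lists every account whose password is expired or about to expire.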
20. Lock accounts after repeated wrong credentials
Certain commands report malicious login attempts to you. To check the number of failed login attempts, use the following command:
faillog
In case you see any suspicious activity, simply lock your account using:
# lock Linux account
passwd -l userName
21. Disable root login
Using sudo instead of logging in as root is highly recommended; it improves the overall security of the system and is an excellent step in Linux server hardening.
Further, sudo also provides tracking and auditing of the commands that are run.
22. Disable USB sticks
Restrict users from accessing USB sticks to protect your system from data theft. Add this line to your modprobe configuration so the usb-storage module can no longer be loaded:
install usb-storage /bin/true
23. Restrict using previous passwords
Protect your system by preventing users from reusing old passwords. The mechanism for keeping a record of previous passwords is:
the remember parameter of the pam_unix module
PAM authenticates users and, with this setting, refuses any password that appears in the user's history, so a weak old password cannot quietly come back.
24. Don’t set UID as 0 for non-root accounts
This step is crucial because UID 0 is reserved for the root account, which has every permission on the system. To check which accounts have UID 0, use the following command:
# awk -F: '($3 == "0") {print}' /etc/passwd
25. Disable SUID and SGID (unwanted) binaries
A SUID or SGID binary runs with the privileges of its owner or group rather than those of the user who started it, so a vulnerable or unnecessary one puts the whole system at risk. Find such files with the following commands and remove the bits from any that are not needed:
For SUID files:
find / -perm -4000
For SGID files:
find / -perm -2000
A single command for both SUID and SGID:
find / \( -perm -4000 -o -perm -2000 \) -print
find / -xdev -type f -perm /6000 -ls
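An added example (not code from the original post) that turns the one-off find above into a repeatable audit: it walks a tree, records every regular file with the SUID or SGID bit set, and compares the result with a baseline of approved binaries so that newly appearing set-id files stand out. The temporary directory, file names and baseline in demo() are constructed for the example.

```python
import os
import stat
import tempfile

PRUNE = ("/proc", "/sys", "/dev")  # pseudo-filesystems to skip, like the -prune in the tip

def find_setid_files(root, prune=PRUNE):
    """Return sorted paths of regular files under `root` with SUID or SGID set."""
    found = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if os.path.join(dirpath, d) not in prune]
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)            # lstat: never follow symlinks
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & (stat.S_ISUID | stat.S_ISGID):
                found.append(path)
    return sorted(found)

def diff_against_baseline(current, baseline):
    """Return (new, missing): set-id files not in the approved baseline, and approved ones gone."""
    cur, base = set(current), set(baseline)
    return sorted(cur - base), sorted(base - cur)

def demo():
    """Constructed scenario: one approved SUID binary, one unexpected SGID file, one plain file."""
    with tempfile.TemporaryDirectory() as tmp:
        approved = os.path.join(tmp, "bin", "approved")
        rogue = os.path.join(tmp, "tmp", "rogue")
        plain = os.path.join(tmp, "bin", "plain")
        for p in (approved, rogue, plain):
            os.makedirs(os.path.dirname(p), exist_ok=True)
            with open(p, "w"):
                pass
        os.chmod(approved, 0o4755)   # SUID, what `find / -perm -4000` matches
        os.chmod(rogue, 0o2755)      # SGID, what `find / -perm -2000` matches
        os.chmod(plain, 0o755)
        baseline = [approved]        # what a previous audit signed off on
        new, missing = diff_against_baseline(find_setid_files(tmp), baseline)
        return [os.path.relpath(p, tmp) for p in new], missing
```

Run find_setid_files("/") as root and store the output as the baseline; on later runs, anything in `new` is a set-id file that was not there at the last audit.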
26. Discard all noowner files
Files that are not owned by any existing user or group should be removed or reassigned, as they can easily be used for malicious purposes. Use this command to find such files:
find /dir -xdev \( -nouser -o -nogroup \) -print
27. Use OpenSSH server
The OpenSSH server is highly recommended for any kind of remote login and file transfer.
28. Protect files, email, and directories
There are various ways through which you can protect files in Linux. Some of them are mentioned below:
- Forward root's mail only to an account that you monitor.
- Use OpenSSL to protect your files.
- Use the gpg command to encrypt your files with a password.
29. Secure PHP/ Apache/ Nginx server
Use the following Apache configuration directives to hide version information and disable unneeded features:
ServerTokens Prod
ServerSignature Off
TraceEnable Off
Options all -Indexes
Header always unset X-Powered-By
30. Use NIDS
A Network Intrusion Detection System (NIDS) monitors the traffic on your network and notifies you of any outside attack.
Hence, it is important to install an IDS for this extra safety. In addition, it is also beneficial to add the below-mentioned software:
31. Use SSH keys more than using passwords
SSH key pairs are highly secure compared to passwords, though they are less user-friendly. Additionally, an SSH key pair is considered equivalent to a 12-character password.
When you use key pairs on your system, it becomes practically impossible for an attacker to brute-force their way in.
32. Switch off external device booting
Outsiders often use USB drives to pull important information from your system. To protect against this, disable booting from all external devices.
33. Disable IPv6
If IPv6 is not in use, the best option is to disable it. Doing so reduces the attack surface of the system.
Add this to the kernel command line in /etc/default/grub and regenerate the GRUB configuration:
GRUB_CMDLINE_LINUX="ipv6.disable=1"
34. Disable unneeded filesystems
Here is a list of filesystem modules that should not be loadable on your system:
- FAT
- udf
- squashfs
- hfs
- hfsplus
- jffs2
- cramfs
- freevxfs
35. Configure 2-factor authentication
Added layer of security doesn’t hurt, right? Well, you must take all the needed steps to keep your defense mechanism stronger. It is highly recommended that you incorporate two-factor authentication into your system.
Encrypted channels guarantee maximum protection against breaches.
36. Set up fail2ban
Various bots are out there with the intention of attacking your servers, and they try to gain access wherever your server has an unpatched vulnerability.
If you do not want this to happen, the best option is to install the Fail2Ban tool. It blocks suspicious or malicious IP addresses and bots and safeguards your server.
Use this command to install this tool:
sudo apt-get install fail2ban
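An added example (not code from the original post, and not Fail2Ban's own implementation) illustrating both tip 20 and tip 36: it reads sshd "Failed password" lines, flags source IPs that exceed a retry limit inside a sliding time window (the way fail2ban's maxretry/findtime work) and flags accounts whose total failure count crosses the lockout threshold (the view faillog gives you). The log lines, host name and IP addresses are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sshd log lines in syslog format; the host and addresses are not real.
SAMPLE_AUTH_LOG = """\
Mar  3 10:00:01 host sshd[1201]: Failed password for invalid user admin from 203.0.113.5 port 51122 ssh2
Mar  3 10:00:03 host sshd[1203]: Failed password for invalid user admin from 203.0.113.5 port 51130 ssh2
Mar  3 10:00:04 host sshd[1205]: Failed password for root from 203.0.113.5 port 51140 ssh2
Mar  3 10:00:09 host sshd[1207]: Failed password for alice from 198.51.100.7 port 40010 ssh2
Mar  3 10:00:12 host sshd[1209]: Accepted publickey for alice from 198.51.100.7 port 40012 ssh2
Mar  3 10:20:30 host sshd[1301]: Failed password for bob from 192.0.2.9 port 33001 ssh2
Mar  3 10:35:00 host sshd[1303]: Failed password for bob from 192.0.2.9 port 33002 ssh2
Mar  3 10:50:00 host sshd[1305]: Failed password for bob from 192.0.2.9 port 33003 ssh2
"""

FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

def parse_failures(text, year=2024):
    """Yield (timestamp, user, ip) for each failed-password line; syslog lines carry no year."""
    for line in text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["user"], m["ip"]

def offenders(text, maxretry=3, findtime=timedelta(minutes=10)):
    """Return (ban_ips, lock_users).

    ban_ips: sources with >= maxretry failures inside a sliding findtime window.
    lock_users: accounts with >= maxretry failures in total, candidates for `passwd -l`.
    """
    per_ip, per_user, ban_ips = defaultdict(list), defaultdict(int), set()
    for ts, user, ip in parse_failures(text):
        per_user[user] += 1
        window = [t for t in per_ip[ip] if ts - t <= findtime] + [ts]  # drop old attempts
        per_ip[ip] = window
        if len(window) >= maxretry:
            ban_ips.add(ip)
    lock_users = {u for u, n in per_user.items() if n >= maxretry}
    return sorted(ban_ips), sorted(lock_users)
```

In the sample, 203.0.113.5 fails three times within seconds and is banned, while 192.0.2.9 spreads its three attempts over thirty minutes and stays under the window; the account bob still reaches the lockout count, which is why the two checks complement each other.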
37. Change the FTP port
This step again adds extra security to your Linux system. Follow these steps:
- Find the line that sets port 21.
- Change it to a random port number in the range 0 to 65535.
38. Use Spamassassin to remove email spam
Many attackers have found email to be one of the easiest ways to reach you, and spam is a simple route to extract confidential information. One excellent tool to help is SpamAssassin.
It scans each of your messages and flags suspicious incoming mail. Use this command to install it:
sudo apt install spamassassin
39. Delete old backups
It is crucial to shift your old backup files to the server locally. In addition, you can store backup files on third-party storage services as well.
40. Set up auto-updates
Linux servers receive security updates quite frequently, so installing them automatically is a great step.
Set auto-updates using this command:
sudo apt install unattended-upgrades apt-listchanges bsd-mailx update-notifier-common
Use this command to enable these automatic updates:
sudo dpkg-reconfigure --priority=low unattended-upgrades
Final Remarks
Linux distributions are considered among the safest systems available. However, there are certain safeguards that you must add to your system for extra safety, and this post has given you the best Linux security tips for a smooth and safe workflow.
Linux server security is of utmost importance for every user, so I hope these tips help you keep your system secure. Feel free to comment below with any extra tips I may have missed.
Adios!