If you apply the right security measures, you can significantly reduce the chances of your Linux server ever getting compromised. If remote access to your server via remote desktop protocol (RDP) is required, ensure you have the highest level of encryption enabled for this. In addition to the password policies, managing how users log in to access server resources is also essential. Security hardening measures here should include restrictions on where users can log in from and enforcing two-factor authentication. User accounts are identities created to allow authenticated access to a server or related system. Different user accounts have different levels of access to core functions of the server, with administrator accounts having the highest level of access.

Ptrace is a system call that allows a program to inspect and alter another running process, which lets an attacker trivially modify the memory of other running programs. As discussed earlier, it could be abused to compromise processes running outside of the sandbox. To prevent this, you can enable the kernel's YAMA ptrace restrictions via sysctl, or you can blacklist the ptrace syscall in your seccomp filter. Linux Kernel Runtime Guard (LKRG) is a kernel module that checks kernel integrity at runtime and detects exploits. It can kill entire classes of kernel exploits, but it is not a perfect mitigation: LKRG is bypassable by design, and, like any additional kernel module, it may itself expose new vulnerabilities, although that is unlikely.

Generate an SSH Key Pair

One of the reasons is the Linux distributions that package the GNU/Linux kernel and the related software: they have to choose between usability, performance, and security. When you have this setup, you can disable password-based SSH login. Now only the client machines that have the specified SSH keys can access the server via SSH. No matter how much you try, you'll always see bad login attempts via SSH on your Linux server.

  • Rather, it’s the user’s responsibility to set up systems that reveal suspicious activities.
  • Security Content Automation Protocol (SCAP) provides a mechanism to check configurations, vulnerability management and evaluate policy compliance for a variety of systems.
  • By securing a Linux box you are automatically reducing the attack surface for a hacker.
  • This way you always have the option to go back to a previous configuration if for some reason things fail.
  • The -M flag is for maximum days, -m for minimum, and -W for warnings.
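As an added example (not code from the original article), a small POSIX shell audit that ties together two of the steps above: it checks whether an sshd_config still allows password logins, and whether a shadow entry carries the maximum and warning days that the -M and -W flags (assumed here to be chage's) set. The sample config and shadow lines are constructed, and the 90-day and 7-day thresholds are assumptions.

```shell
#!/bin/sh
# Added audit helper, not from the original article. It checks that sshd no
# longer accepts passwords and that a user's password aging (the fields that
# chage -m/-M/-W set) is in place. The 90-day and 7-day thresholds are assumptions.
# Effective global value of an sshd keyword. sshd uses the first non-comment
# match, and keywords below a "Match" line are conditional, so stop there.
sshd_value() {  # usage: sshd_value FILE KEYWORD
    awk -v key="$2" '
        NF == 0 || $1 ~ /^#/ { next }
        tolower($1) == "match" { exit }
        tolower($1) == tolower(key) { print $2; exit }
    ' "$1"
}
# True (exit 0) when password logins are still possible. The compiled-in
# default is "yes", so an absent or commented-out keyword counts as enabled.
sshd_password_login_enabled() {  # usage: sshd_password_login_enabled FILE
    v=$(sshd_value "$1" PasswordAuthentication)
    [ "${v:-yes}" != "no" ]
}
# Check one /etc/shadow line: field 5 is the maximum age (chage -M) and
# field 6 the warning period (chage -W); field 4 is the minimum (chage -m).
# Prints a finding per violation; exit 0 only when the policy is met.
shadow_aging_ok() {  # usage: shadow_aging_ok SHADOW_LINE
    user=${1%%:*}; rc=0
    max=$(printf '%s\n' "$1" | cut -d: -f5)
    warn=$(printf '%s\n' "$1" | cut -d: -f6)
    if [ -z "$max" ] || [ "$max" -gt 90 ]; then
        echo "$user: max age '${max:-none}' > 90 days (fix: chage -M 90 $user)"; rc=1
    fi
    if [ -z "$warn" ] || [ "$warn" -lt 7 ]; then
        echo "$user: warning '${warn:-none}' < 7 days (fix: chage -W 7 $user)"; rc=1
    fi
    return $rc
}
# Constructed sample configs. The first looks hardened to a naive grep
# because "PasswordAuthentication no" appears, but only inside a Match block.
WEAK_CFG=$(mktemp); HARD_CFG=$(mktemp)
cat >"$WEAK_CFG" <<'EOF'
#PasswordAuthentication yes
Match Address 10.0.0.0/8
    PasswordAuthentication no
EOF
cat >"$HARD_CFG" <<'EOF'
PubkeyAuthentication yes
PasswordAuthentication no
EOF
sshd_password_login_enabled "$WEAK_CFG" && echo "weak config: password login still enabled"
shadow_aging_ok 'alice:$6$salt$hash:19800:0:99999:7:::' || true
```

Run it against a copy of the real /etc/ssh/sshd_config and a line from /etc/shadow (root access needed for the latter) to get the same findings for a live host.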

Every server needs software packages to fulfill its destiny during the lifetime of the system. Ensure that it gets regularly patched and updated by using unattended-upgrades. This is done with the “Install security updates automatically” option during the installation. System hardening is a technical process of increasing the security of a Linux system by reducing its attack surface. Those items that pose the most risk to the system are adjusted by taking specific security measures. This can be done by adding, adjusting, or removing certain components of the Linux system.

Bonus Tips

In the area of system operations or information security, the usage of any checklist requires a serious warning. Implementing the listed security measures only makes your system more secure if done correctly. There are no '10 things' that are the best, as it depends strongly on each system and its purpose. When you come across other checklists with a number in the title, then most likely it's not a real checklist.

Linux Server Hardening in 15 Steps
