Linux Server Hardening
For today's computing platforms, ease of access and openness are essential for web-based
communications and for lean-resourced IT management teams. This is directly at odds with the
increased need for comprehensive security measures in a world full of malware, hacking
threats and would-be data thieves.
Most organizations will adopt a layered security strategy, providing as many protective
measures for their IT infrastructure as are available - firewalls, sandboxes, IPS and IDS,
anti-virus - but the most secure computing environments are those with a "ground up" security
If data doesn't need to be stored on the public-facing Linux web server, then take it
off completely - if the data isn't there, it can't be compromised.
If a user doesn't need access to certain systems or parts of the network, for example,
where your secure Ubuntu server farm is based, then revoke their privileges to do so - they
need access to systems to steal data, so stop them getting anywhere near them in the first place.
Similarly, if your CentOS server doesn't need FTP or Web services then disable or remove
them. You reduce the potential vectors for security breaches every time you reduce means of access.
To put it simply, you need to harden your Linux servers.
Linux Hardening Policy background
The beauty of Linux is that it is so accessible and freely available that it is easy
to get up and running with very little training or knowledge. The web-based support community
provides all the tips and tutorials you'll ever need to carry out any Linux set-up task or troubleshoot
issues you may experience.
Finding and interpreting the right hardening checklist for your Linux hosts may still
be a challenge, so this guide gives you a concise checklist to work from, encompassing the highest
priority hardening measures for a typical Linux server.
• Enforce password history - 365 days
• Maximum Password Age - 42 days
• Minimum password length - 8 characters
• Password Complexity - Enable
• Account Lockout Duration - 30 minutes
• Account Lockout Threshold - 5 attempts
• Reset Account Lockout Counter - 30 minutes
Edit /etc/pam.d/common-password to define the password policy parameters for your host.
• Ensure SSH version 2 is in use
• Disable remote root logons
• Enable AllowGroups to permitted Group names only
• Allow access to valid devices only
• Restrict the number of concurrent root sessions to 1 or 2 only
Edit sshd_config to define SSHD policy parameters for your host, and
/etc/hosts.allow and /etc/hosts.deny to control access.
Use /etc/securetty to restrict root access to tty1, or tty1 and tty2, only.
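An added example, not from the original article: a POSIX shell audit that checks an sshd_config and a securetty file against the SSH items above and returns the number of failed checks. It assumes the hardened values are Protocol 2, PermitRootLogin no, a non-empty AllowGroups, MaxSessions of 1 or 2, and only tty1/tty2 listed in securetty.

```shell
#!/bin/sh
# Added example (not from the article): audit sshd_config and securetty against
# the checklist. Each audit prints PASS/FAIL lines and returns the number of
# failed checks, so a non-zero status flags configuration drift.
# Assumed thresholds: Protocol 2, PermitRootLogin no, AllowGroups set,
# MaxSessions at most 2, and securetty listing only tty1 (optionally tty2).

sshd_value() {
    # sshd honours the first occurrence of a keyword; keywords are case-insensitive.
    # Commented lines start with '#', so their $1 never equals the bare keyword.
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" \
        'tolower($1) == key { print $2; exit }' "$1"
}

report() {
    # report OK_FLAG LABEL: print the result and count failures in $fails
    if [ "$1" -eq 1 ]; then printf 'PASS  %s\n' "$2"
    else printf 'FAIL  %s\n' "$2"; fails=$((fails + 1)); fi
}

audit_sshd_config() {
    fails=0
    v=$(sshd_value "$1" Protocol)
    [ "$v" = "2" ] && ok=1 || ok=0
    report "$ok" "Protocol 2 only (found: ${v:-unset})"
    v=$(sshd_value "$1" PermitRootLogin)
    [ "$v" = "no" ] && ok=1 || ok=0
    report "$ok" "PermitRootLogin no (found: ${v:-unset})"
    v=$(sshd_value "$1" AllowGroups)
    [ -n "$v" ] && ok=1 || ok=0
    report "$ok" "AllowGroups restricts logins (found: ${v:-unset})"
    # MaxSessions (per-connection session cap, default 10) is the nearest sshd
    # knob to the article's "1 or 2 concurrent sessions" item; unset fails.
    v=$(sshd_value "$1" MaxSessions)
    case "$v" in 1|2) ok=1 ;; *) ok=0 ;; esac
    report "$ok" "MaxSessions 1 or 2 (found: ${v:-unset})"
    return "$fails"
}

audit_securetty() {
    # Print how many consoles other than tty1/tty2 still permit root login.
    grep -Ev '^[[:space:]]*(#|$)' "$1" | grep -Evc '^(tty1|tty2)[[:space:]]*$' || true
}

# Usage: sh audit.sh /etc/ssh/sshd_config /etc/securetty
if [ $# -eq 2 ]; then
    audit_sshd_config "$1"
    printf 'securetty: %s extra console(s) allow root\n' "$(audit_securetty "$2")"
fi
```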
Secure Boot Only
Remove the options to boot from CD or USB devices, and password-protect the BIOS so that
its settings cannot be edited.
Password-protect the /boot/grub/menu.lst file, then remove the
rescue-mode boot entry.
Disable All Unnecessary Processes, Services and Daemons
Each system is unique, so it is important to review which processes and services are unnecessary
for your server to run your applications. Assess your server by running the ps -ax command
and see what is currently running.
Similarly, assess the startup status of all services by running a chkconfig --list
command. Disable any unnecessary services using sysv-rc-conf <service-name> off