What is System Hardening in Linux?

System hardening is a critical process for enhancing the security of a Linux system by minimizing its vulnerabilities and reducing the attack surface. It involves configuring the system to reduce risks associated with unauthorized access, malware, and other security threats. By implementing system hardening techniques, system administrators can ensure that the system is more resilient to cyberattacks and unauthorized access.

This article will explore what system hardening is, why it is important, the steps to harden a Linux system, best practices, tools, and tips to implement an effective hardening process.

Why is System Hardening Important?

Linux is a popular operating system due to its open-source nature, stability, and performance. It powers many servers, workstations, and embedded systems worldwide. However, the open-source nature of Linux also means that if not properly configured, it can be vulnerable to malicious attacks and unauthorized access.

Hardening a Linux system aims to:

  • Reduce the number of potential entry points for attackers.
  • Secure the system’s configuration.
  • Ensure that only authorized users can access the system.
  • Protect the system from external and internal threats, such as privilege escalation, denial of service (DoS), and data breaches.

By following systematic hardening practices, you can make it much more difficult for attackers to exploit the system, even if they gain some initial access.

Steps to Harden a Linux System

System hardening can be performed at various levels, from securing network settings to locking down user access. The following are the key steps involved in hardening a Linux system:

1. Keep the System Up-to-Date

One of the most basic yet effective hardening steps is to keep the system updated with the latest security patches. Regular updates ensure that any security vulnerabilities are patched promptly, preventing attackers from exploiting known weaknesses.

  • Command to update your system (for Debian/Ubuntu-based systems):
    sudo apt update && sudo apt upgrade -y
  • Command to update your system (for RedHat/CentOS-based systems):
    sudo yum update -y

You can also enable automatic updates for critical security patches using tools like unattended-upgrades on Debian-based systems or configuring yum-cron for RedHat-based systems.

2. Secure User Accounts

Limiting user privileges and ensuring proper authentication are essential aspects of system hardening.

  • Disable unnecessary accounts: Review user accounts and remove or disable any unused accounts.
    sudo userdel username
  • Limit sudo access: Only grant sudo access to trusted users and limit root access by configuring the /etc/sudoers file. It’s recommended to allow sudo access only when absolutely necessary.
  • Enforce strong passwords: Use password policies to enforce strong passwords that include uppercase and lowercase letters, numbers, and special characters. This can be done using the passwd command or configuring the PAM (Pluggable Authentication Modules) settings.Example to enforce password complexity using PAM:
    sudo vi /etc/pam.d/common-password

    Add or modify the line:

    password requisite pam_pwquality.so retry=3 minlen=12 maxrepeat=3
  • Lock accounts after failed login attempts: Prevent brute-force attacks by locking accounts after a specified number of failed login attempts. This can be done by configuring the faillock or pam_tally2 module.Example of configuring account lockout with faillock:
    sudo vi /etc/security/faillock.conf

3. Configure the Firewall

Firewalls are essential in protecting the system from unauthorized network access. You should configure your firewall to restrict access to only necessary services and ports.

  • Using ufw (Uncomplicated Firewall) on Ubuntu/Debian:
    sudo ufw enable
sudo ufw allow ssh
sudo ufw allow http
sudo ufw allow https
sudo ufw deny 23
sudo ufw deny 21
sudo ufw status
  • Using firewalld on RedHat/CentOS:
    sudo firewall-cmd --zone=public --add-service=http --permanent
sudo firewall-cmd --zone=public --add-service=https --permanent
sudo firewall-cmd --zone=public --add-port=22/tcp --permanent
sudo firewall-cmd --reload

Additionally, you can configure your firewall to only allow certain IP addresses to access specific services or ports for added security.

4. Disable Unused Services

One of the most common ways for attackers to gain access to a system is through unnecessary or unused services that are running. By disabling unused services, you reduce the attack surface.

  • List running services:
    sudo systemctl list-units --type=service
  • Disable unnecessary services:
    sudo systemctl stop <service_name>
sudo systemctl disable <service_name>
  • Disable IPv6 (if not needed): In some cases, disabling IPv6 can help avoid attacks targeting IPv6 vulnerabilities.
    sudo sysctl net.ipv6.conf.all.disable_ipv6=1

5. Configure SSH Properly

SSH (Secure Shell) is one of the most common protocols for accessing Linux systems remotely, and it is a prime target for attackers. Securing SSH is a crucial step in hardening a Linux system.

  • Disable root login via SSH by modifying the /etc/ssh/sshd_config file:
    PermitRootLogin no
  • Use key-based authentication instead of password-based authentication. Generate SSH keys and copy them to the server using ssh-copy-id:
    ssh-keygen
ssh-copy-id user@hostname
  • Change the default SSH port: By changing the default port (22) to a less common port, you can reduce the likelihood of automated attacks.
    Port 2222
  • Limit SSH access to specific IP addresses if possible by configuring the AllowUsers directive in the /etc/ssh/sshd_config file:
    AllowUsers user1@192.168.1.*
  • Enable SSH timeout: Set a timeout for idle SSH sessions to limit exposure in case an SSH session is left unattended.

6. Apply Security Updates Automatically

Linux distributions offer tools to automatically apply critical security patches without user intervention. These tools help keep the system secure by ensuring that security patches are applied as soon as they are available.

  • Using unattended-upgrades on Debian/Ubuntu:
    sudo apt install unattended-upgrades
sudo dpkg-reconfigure -plow unattended-upgrades
  • Configure automatic security updates on RedHat/CentOS using yum-cron:
    sudo yum install yum-cron
sudo systemctl enable yum-cron
sudo systemctl start yum-cron

7. Install and Configure SELinux (Security-Enhanced Linux)

SELinux is a mandatory access control (MAC) system that provides an additional layer of security by enforcing policies on the Linux kernel.

  • Check SELinux status:
    sestatus
  • Enable SELinux:
    sudo setenforce 1
  • Configure SELinux policies to enforce stricter security for file and process management.

8. Audit the System

A good audit trail is essential for identifying security issues or attempting exploits. Linux provides tools like auditd for logging system activity and security events.

  • Install and configure auditd:
    sudo apt install auditd
sudo systemctl enable auditd
sudo systemctl start auditd
  • Define audit rules to log specific events and activities on the system.

Affordable VPS Hosting With Dracula Servers

Looking for reliable and budget-friendly Virtual Private Server (VPS) hosting? Look no further than Dracula Servers. Dracula Servers offers a range of VPS hosting plans tailored to meet diverse needs. With competitive pricing, robust performance, and a user-friendly interface, it’s an excellent choice for individuals and businesses alike.

Explore the Dracula Servers website to discover hosting solutions that align with your requirements and take your online presence to new heights with their affordable and efficient VPS hosting services.

Visit Dracula Servers and experience reliable VPS hosting without breaking the bank.

Best Practices for System Hardening

  • Minimize the number of open ports: Only open the ports that are absolutely necessary for your application.
  • Use two-factor authentication (2FA): Adding a second layer of security for login and sudo access improves system security.
  • Encrypt sensitive data: Use tools like gpg or openssl to encrypt sensitive data, such as backup files.
  • Monitor system activity: Use tools like fail2bansyslog, and auditd to detect suspicious activity and attempt login brute-forcing.
  • Perform regular backups: Regular backups are essential for recovery in the event of a security breach.

Tools for Linux System Hardening

  1. Lynis: A popular auditing tool that checks the security of the system and provides recommendations for hardening.
    sudo lynis audit system
  2. Chkrootkit: A tool to check for rootkits and malicious software that may be installed on the system.
    sudo chkrootkit
  3. Fail2ban: A security tool that helps prevent brute-force attacks by blocking IP addresses that have multiple failed login attempts.
    sudo apt install fail2ban
  4. AIDE (Advanced Intrusion Detection Environment): A tool for detecting file integrity changes on the system.
    sudo apt install aide
  5. AppArmor: Similar to SELinux, it provides security policies to restrict applications’ abilities to access sensitive resources.
    sudo apt install apparmor

Conclusion

System hardening is a vital process to protect Linux systems from a wide range of security threats. By following best practices and using the right tools, you can significantly reduce the risk of attacks and unauthorized access. Regular updates, proper user management, secure SSH configurations, firewall management, and auditing are just some of the steps in building a robust, secure system. Proper hardening not only protects sensitive data but also ensures the integrity and availability of the system, making it a critical part of Linux system administration.

Subscribe
Notify of
guest
0 Comments
Oldest
Newest Most Voted
Inline Feedbacks
View all comments
× Dracula Servers

Subscribe to DraculaHosting and get exclusive content and discounts on VPS services.