Skip to content

A Quick Linux Server Hardening Checklist

So I’ve recently had to lock down a public-facing CentOS server. Always a fun process, as I’m sure you know. When all was said and done, I created a quick checklist for my next Linux server hardening project. I’m of course keeping it general; everyone’s purpose, environment, and security standards are different. Hope you find it useful!

Linux Server Hardening Checklist

Documentation
  • Write down all relevant machine details – hostname, IP address, MAC address, OS version
    • Store in your relevant database
The Basics
  • Update the system (yum, apt, etc)
  • Set up disk encryption
  • Disable USB and peripheral devices
  • Create a non-root user for daily use
    • Remove any unused accounts
    • Disable shell or elevated access for standard/built-in users
  • Disable logon as root
  • Disable all unnecessary running services (init.d and xinetd)
  • Uninstall/disable all unnecessary or insecure apps (ftp, telnet, X11)
  • Set up and configure a firewall
  • Use an antivirus and IDS/IPS
  • Schedule backup of log files and lock down directory storage
  • Separate disk partitions – /usr, /home, /var & /var/tmp, /tmp
  • Run only one network service per system
Security Policies and Standards
  • Enable SELinux
  • Use complex passwords for all accounts
    • Enable a strong policy (minimum length, blend of character types, etc)
    • Use a strong hashing algorithm like SHA512
    • Create a “lock account after X failed login attempts” policy
    • Set up password aging and expiration
    • Restrict use of previous passwords
  • Make sure all accounts have a password set
    • awk -F: '($2 == "") {print}' /etc/shadow
  • Verify no non-root account have a UID set to 0 (full permissions to machine)
    • awk -F: '($3 == "0") {print}' /etc/passwd
  • Enable disk usage quotas
  • Lock down SSH
    • Use public/private keypairs
    • Prohibit logins as root
    • Don’t allow logins using a password
    • Disable either IPv4 or IPv6 depending on what’s not used
    • Use an IP whitelist to control who can use SSH
    • Enable 2FA
  • Set chmod 0700 for all cron tasks so only the root account can see them
  • Delete symlinks and disable their creation (more info here)
  • Encrypt communication – SSH, VPNs, rsync, PGP, SSL, SFTP, GPG
  • Make sure no files have no owner specified
    • find /dir -xdev ( -nouser -o -nogroup ) -print
  • Verify no files are world-writeable
    • find /dir -xdev -type d ( -perm -0002 -a ! -perm -1000 ) -print
  • Configure auditd
  • Configure regular backups
Other Useful Tools
  • Fail2ban (link) – a great tool for automatically banning suspicious IP addresses
  • ClamAV (link) – an open-source antivirus engine
  • Lynis (link) – open-source auditing tool for Linux
Am I missing anything? Let me know in the comments! Otherwise, if you want some customized help with your hardening projects, give us a call. Secure Compliance Solutions is the trusted security advisor for Chicagoland’s small-to-medium businesses. We offer a variety of services that promote a strengthened security posture and a culture of compliance. Our solutions include: risk advisory services, strategic cybersecurity planning, security and privacy awareness, regulatory guidance, penetration testing, and managed security services. We tailor our engagements and solutions to align with your cultural needs and business objectives; not the other way around. We keep your appetite for risk, budget constraints, and timeline in mind to define strategy and operational tactics that maximize your return on investment. At SCS, we help you navigate the course of your cybersecurity journey.