So I’ve recently had to lock down a public-facing CentOS server. Always a fun process, as I’m sure you know. When all was said and done, I created a quick checklist for my next Linux server hardening project. I’m of course keeping it general; everyone’s purpose, environment, and security standards are different. Hope you find it useful!
Linux Server Hardening Checklist
Documentation
Write down all relevant machine details – hostname, IP address, MAC address, OS version
Store in your relevant database
The Basics
Update the system (yum, apt, etc)
Set up disk encryption
Disable USB and peripheral devices
Create a non-root user for daily use
Remove any unused accounts
Set the shell of built-in/service accounts to /sbin/nologin, and don’t give standard users sudo or other elevated access
Disable logon as root
Disable all unnecessary running services (systemd units on CentOS 7 and later; init.d and xinetd on older releases)
Uninstall/disable all unnecessary or insecure apps (ftp, telnet, X11)
Set up and configure a firewall
Use an antivirus and IDS/IPS
Ship or back up log files on a schedule, and restrict permissions on the log directories so logs can’t be read or tampered with by ordinary users
Separate disk partitions – /usr, /home, /var & /var/tmp, /tmp – and mount /tmp, /var/tmp and /home with nodev,nosuid (noexec too where nothing there needs to run)
Run only one network service per system where practical, so a compromise of one service doesn’t hand over the others
Security Policies and Standards
Enable SELinux in enforcing mode (check with getenforce)
Use complex passwords for all accounts
Enable a strong policy (minimum length, blend of character types, etc)
Use a strong password hashing algorithm like SHA512 (ENCRYPT_METHOD SHA512 in /etc/login.defs; the pam_unix line in /etc/pam.d/system-auth should carry sha512)
Create a “lock account after X failed login attempts” policy
Set up password aging and expiration
Restrict use of previous passwords
Make sure all accounts have a password set (run as root, since /etc/shadow isn’t readable by other users; the command should print nothing):
awk -F: '($2 == "") {print}' /etc/shadow
Verify no non-root account has a UID set to 0 (full permissions to the machine); only the root line should appear:
awk -F: '($3 == "0") {print}' /etc/passwd
Enable disk usage quotas
Lock down SSH
Use public/private keypairs
Prohibit logins as root
Don’t allow logins using a password
Disable either IPv4 or IPv6 depending on what’s not used (AddressFamily inet or inet6 in sshd_config)
Use an IP whitelist to control who can use SSH (firewall rules, AllowUsers user@host patterns, or a Match Address block in sshd_config)
Enable 2FA
Set chmod 0700 on /etc/cron.d and the /etc/cron.* directories (0600 on /etc/crontab) so only root can read scheduled jobs, and restrict who may use cron with /etc/cron.allow
Restrict symlink following in world-writable directories (fs.protected_symlinks = 1 and fs.protected_hardlinks = 1 via sysctl) so a user can’t trick a privileged process into following a link into someone else’s file
Encrypt communication – SSH, VPNs, rsync over SSH, SFTP, TLS (not SSL 3.0 or earlier), and PGP/GPG for files and mail
Make sure no files lack an owner or group (typically left behind when an account is deleted):
find /dir -xdev \( -nouser -o -nogroup \) -print
Verify no files are world-writable, and that any world-writable directory has the sticky bit set so users can’t delete each other’s files (this command lists directories that don’t):
find /dir -xdev -type d \( -perm -0002 -a ! -perm -1000 \) -print
Configure auditd
Configure regular backups
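The account, password-policy and file-permission checks above, as an added example that is not part of the original checklist: the awk and find one-liners are wrapped as shell functions that take the file or tree to inspect as an argument, so they can be tried on constructed sample data first and then pointed at /etc/passwd, /etc/shadow, /etc/login.defs and / on the real host (as root, since /etc/shadow is not world-readable). The sample accounts, the 90-day PASS_MAX_DAYS limit and the function names are assumptions for the example.

```shell
#!/bin/sh
# Added example, not from the original checklist: the account, password-policy
# and permission checks as shell functions that take the file or tree to
# inspect as an argument, so they can be tried on sample data and then run
# against the real system (as root, since /etc/shadow is not world-readable).

# Accounts with an empty password field in a shadow-format file.
empty_password_accounts() {            # usage: empty_password_accounts /etc/shadow
    awk -F: '$2 == "" { print $1 }' "$1"
}

# Accounts other than root with UID 0 (full root privileges under another name).
extra_uid0_accounts() {                # usage: extra_uid0_accounts /etc/passwd
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# Value of a KEY in /etc/login.defs format ('#' comment lines never match a key).
login_defs_value() {                   # usage: login_defs_value /etc/login.defs PASS_MAX_DAYS
    awk -v key="$2" '$1 == key { print $2; exit }' "$1"
}

# Password aging and hash algorithm. Returns 0 only if every check passes.
# The 90-day maximum age is an assumed policy value, not one from the checklist.
check_password_policy() {              # usage: check_password_policy /etc/login.defs [max_days]
    defs=$1; max_days=${2:-90}; bad=0
    [ "$(login_defs_value "$defs" ENCRYPT_METHOD)" = "SHA512" ] \
        || { echo "FAIL ENCRYPT_METHOD is not SHA512"; bad=1; }
    age=$(login_defs_value "$defs" PASS_MAX_DAYS)
    { [ -n "$age" ] && [ "$age" -le "$max_days" ]; } \
        || { echo "FAIL PASS_MAX_DAYS is unset or above $max_days"; bad=1; }
    return $bad
}

# World-writable regular files (-xdev keeps find on one filesystem).
world_writable_files() {               # usage: world_writable_files /
    find "$1" -xdev -type f -perm -0002 -print
}

# World-writable directories without the sticky bit: any user can delete
# anyone else's files there.
world_writable_dirs_no_sticky() {      # usage: world_writable_dirs_no_sticky /
    find "$1" -xdev -type d -perm -0002 ! -perm -1000 -print
}

# Files whose owner or group no longer exists (left behind by deleted accounts).
unowned_files() {                      # usage: unowned_files /
    find "$1" -xdev \( -nouser -o -nogroup \) -print
}

# ---- demonstration on constructed sample data, not real system files ----
demo() {
    tmp=$(mktemp -d)
    printf '%s\n' 'root:x:0:0:root:/root:/bin/bash' \
                  'backdoor:x:0:0::/home/backdoor:/bin/bash' \
                  'alice:x:1000:1000::/home/alice:/bin/bash' > "$tmp/passwd"
    printf '%s\n' 'root:$6$salt$hash:19000:0:99999:7:::' \
                  'guest::19000:0:99999:7:::' \
                  'alice:$6$salt$hash:19000:0:99999:7:::' > "$tmp/shadow"
    printf '%s\n' 'PASS_MAX_DAYS 99999' 'ENCRYPT_METHOD MD5' > "$tmp/login.defs"
    mkdir "$tmp/shared" "$tmp/dropbox"
    chmod 1777 "$tmp/shared"           # sticky bit set, like /tmp: not flagged
    chmod 0777 "$tmp/dropbox"          # world-writable, no sticky bit: flagged
    : > "$tmp/dropbox/notes.txt"; chmod 0666 "$tmp/dropbox/notes.txt"

    echo "UID 0 besides root:";   extra_uid0_accounts "$tmp/passwd"
    echo "Empty passwords:";      empty_password_accounts "$tmp/shadow"
    echo "Password policy:";      check_password_policy "$tmp/login.defs" || true
    echo "World-writable files:"; world_writable_files "$tmp"
    echo "World-writable dirs without sticky bit:"; world_writable_dirs_no_sticky "$tmp"
    rm -rf "$tmp"
}
demo
```

On the sample data the demo flags backdoor (UID 0), guest (empty password), both login.defs settings, notes.txt and the dropbox directory; shared passes because its sticky bit is set. On a real host, run world_writable_files and world_writable_dirs_no_sticky once per mounted filesystem, since -xdev stops at mount points.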
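The "Lock down SSH" items above, as an added example that is not part of the original post: a small audit of an sshd_config file that reports which of the checklist's settings are missing, run against a constructed out-of-the-box config and a constructed hardened one. The function names, the two sample configs and the addresses in them are assumptions for the example.

```shell
#!/bin/sh
# Added example, not from the original post: audit an sshd_config against the
# SSH items in the checklist. sshd_config keywords are case-insensitive and the
# FIRST occurrence of a keyword wins, so the audit reads the first top-level
# value of each keyword and stops at the first "Match" block, whose settings
# apply only to the matched users/addresses.

# Print the effective top-level value of a keyword, or nothing if it is unset.
sshd_setting() {                               # usage: sshd_setting <config> <Keyword>
    awk -v key="$2" '
        NF == 0 || $1 ~ /^#/        { next }   # skip blank and comment lines
        tolower($1) == "match"      { exit }   # stop at conditional Match blocks
        tolower($1) == tolower(key) { print $2; exit }
    ' "$1"
}

# Audit one config file: prints a FAIL line per finding, returns 0 only if clean.
audit_sshd_config() {                          # usage: audit_sshd_config <config>
    cfg=$1; findings=0
    require() {                                # require <Keyword> <wanted> <default> <why>
        got=$(sshd_setting "$cfg" "$1"); got=${got:-$3}
        if [ "$got" != "$2" ]; then
            echo "FAIL $1=$got (want $2): $4"
            findings=$((findings + 1))
        fi
    }
    # Defaults are OpenSSH 7.0+ (PermitRootLogin defaulted to "yes" before 7.0).
    require PermitRootLogin        no  prohibit-password "no root logins over SSH at all"
    require PasswordAuthentication no  yes               "keypairs only; stops password guessing"
    require PubkeyAuthentication   yes yes               "keypair logins must stay enabled"
    require PermitEmptyPasswords   no  no                "never accept an empty password"
    # A single address family and an explicit user allowlist narrow the exposure.
    if [ -z "$(sshd_setting "$cfg" AddressFamily)" ]; then
        echo "FAIL AddressFamily unset (listens on IPv4 and IPv6): set inet or inet6"
        findings=$((findings + 1))
    fi
    if [ -z "$(sshd_setting "$cfg" AllowUsers)$(sshd_setting "$cfg" AllowGroups)" ]; then
        echo "FAIL no AllowUsers/AllowGroups: every local account may attempt a login"
        findings=$((findings + 1))
    fi
    [ "$findings" -eq 0 ]
}

# ---- demonstration on two constructed configs, not the system's real file ----
demo() {
    tmp=$(mktemp -d)
    cat > "$tmp/weak" <<'EOF'
# constructed: a typical out-of-the-box config
Port 22
PermitRootLogin yes
PasswordAuthentication yes
EOF
    cat > "$tmp/hardened" <<'EOF'
# constructed: the same file after applying the checklist
Port 22
AddressFamily inet
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
PermitEmptyPasswords no
AllowUsers alice@192.0.2.10 ops@203.0.113.*
EOF
    echo "== weak =="; audit_sshd_config "$tmp/weak" || echo "not compliant"
    echo "== hardened =="; audit_sshd_config "$tmp/hardened" && echo "clean"
    rm -rf "$tmp"
}
demo
```

Point it at the real file with audit_sshd_config /etc/ssh/sshd_config and restart sshd only after sshd -t reports the edited config as valid. The 2FA item isn't covered by this audit; one common setup is a PAM module such as pam_google_authenticator with ChallengeResponseAuthentication yes and AuthenticationMethods publickey,keyboard-interactive, which the same sshd_setting helper can read.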
Other Useful Tools
Fail2ban – a great tool for automatically banning suspicious IP addresses
Lynis – open-source auditing tool for Linux
Am I missing anything? Let me know in the comments! Otherwise, if you want some customized help with your hardening projects, give us a call.
Secure Compliance Solutions is the trusted security advisor for Chicagoland’s small-to-medium businesses. We offer a variety of services that promote a strengthened security posture and a culture of compliance. Our solutions include: risk advisory services, strategic cybersecurity planning, security and privacy awareness, regulatory guidance, penetration testing, and managed security services. We tailor our engagements and solutions to align with your cultural needs and business objectives, not the other way around. We keep your appetite for risk, budget constraints, and timeline in mind to define strategy and operational tactics that maximize your return on investment. At SCS, we help you navigate the course of your cybersecurity journey.