Linux Server Hardening:

Linux server hardening is the first step performed on a server after it has been provisioned.

  1. Setting the banner
    • The message of the day (motd) is set by editing the file below:
      • /etc/motd
      • The contents of this file are shown as a welcome message when you log in to the server.

 

  2. Setting the password aging policy

These settings apply the password aging policy to users created in the future (existing accounts are adjusted with chage):

Configuration file => /etc/login.defs

echo "PASS_MAX_DAYS   90" >> /etc/login.defs

echo "PASS_MIN_DAYS   1"  >> /etc/login.defs

echo "PASS_MIN_LEN    8"  >> /etc/login.defs

echo "PASS_WARN_AGE   14" >> /etc/login.defs

Appending leaves any earlier definition of the same key in place, so check the result with grep ^PASS_ /etc/login.defs and remove conflicting lines.

  3. Enforcing stronger passwords

Configuration file => /etc/pam.d/system-auth

password    requisite     pam_cracklib.so minlen=8 lcredit=-1 ucredit=-1 dcredit=-1 ocredit=-1 difok=3

minlen=8      Minimum length of the password is 8
lcredit=-1    Minimum number of lower-case letters is 1
ucredit=-1    Minimum number of upper-case letters is 1
dcredit=-1    Minimum number of digits is 1
ocredit=-1    Minimum number of other (non-alphanumeric) characters is 1
difok=3       At least 3 characters must differ from the previous password

On newer distributions pam_cracklib.so has been replaced by pam_pwquality.so, which accepts the same options.

 

  4. Setting the root password to never expire and disabling direct root login

chage -M 99999 root

echo "PermitRootLogin no" >> /etc/ssh/sshd_config

sshd honours the first occurrence of a keyword, so an earlier PermitRootLogin line in the file would still win; confirm the effective setting with sshd -T | grep -i permitrootlogin and reload sshd afterwards.

On production Linux servers direct root login is not practised, since it makes it difficult to trace which user performed a given activity.

  5. Changing the run level from 5 to 3

After the change, the default run level in /etc/inittab should read 3 (multi-user, no graphical login):

# cat /etc/inittab | grep -v ^#

id:3:initdefault:

On systemd-based distributions /etc/inittab is not used; the equivalent is systemctl set-default multi-user.target.

 

  6. Creating admin service accounts with sudo privilege
  7. Kernel tunable security parameters

Edit the file /etc/sysctl.conf and make the changes below:

Enable TCP SYN cookie protection:

net.ipv4.tcp_syncookies = 1

Disable IP source routing:

net.ipv4.conf.all.accept_source_route = 0

Disable ICMP redirect acceptance:

net.ipv4.conf.all.accept_redirects = 0

Enable IP spoofing protection (reverse path filtering):

net.ipv4.conf.all.rp_filter = 1

Ignore ICMP echo requests (note that this also stops the server from answering ping):

net.ipv4.icmp_echo_ignore_all = 1

Ignore ICMP broadcast requests:

net.ipv4.icmp_echo_ignore_broadcasts = 1

Enable bad error message protection:

net.ipv4.icmp_ignore_bogus_error_responses = 1

Enable logging of spoofed, source-routed and redirect packets (martians):

net.ipv4.conf.all.log_martians = 1

To activate the configured kernel parameters immediately at runtime, use:

# sysctl -p
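The password-aging, sshd and sysctl steps above all append with ">>", which leaves any existing definition in the file. The script below is an added example, not part of the original article: it rewrites each key in place and reports the value a first-match (sshd_config) or last-match (login.defs, sysctl.conf) parser would actually use. The file paths are passed as arguments so it can be tried on copies; the runtime steps (chage, sshd reload, sysctl -p) are left to the operator.

```shell
#!/bin/sh
# Added example, not from the original article. Rewrites each key in place instead of
# appending with ">>", so the result is the same whether the consumer takes the first
# match (sshd_config) or the last match (login.defs, sysctl.conf). Point it at copies
# to test; run as root against the real files; chage, sshd reload and sysctl -p are
# still done by the operator afterwards.

esc_re() { printf '%s' "$1" | sed 's/\./\\./g'; }   # escape dots in sysctl keys for grep/sed

# set_kv FILE KEY VALUE [SEP]: replace every active definition of KEY with one line.
set_kv() {
    file=$1 key=$2 value=$3 sep=${4:-" "}
    re="^[[:space:]]*$(esc_re "$key")([[:space:]]|=|$)"
    tmp=$(mktemp)
    grep -Ev "$re" "$file" > "$tmp" || true        # grep exits 1 when every line was removed
    printf '%s%s%s\n' "$key" "$sep" "$value" >> "$tmp"
    cat "$tmp" > "$file" && rm -f "$tmp"           # cat keeps the target's owner and mode
}

# effective_value FILE KEY [first|last]: the value a first-match (sshd) or a
# last-match (login.defs, sysctl) parser would actually use; use it to verify.
effective_value() {
    file=$1 key=$2 which=${3:-last}
    k=$(esc_re "$key")
    vals=$(grep -E "^[[:space:]]*${k}([[:space:]]|=)" "$file" |
           sed -E "s/^[[:space:]]*${k}[[:space:]]*=?[[:space:]]*//")
    if [ "$which" = first ]; then printf '%s\n' "$vals" | head -n 1
    else printf '%s\n' "$vals" | tail -n 1; fi
}

# harden_files LOGIN_DEFS SSHD_CONFIG SYSCTL_CONF: the article's settings, applied idempotently.
harden_files() {
    set_kv "$1" PASS_MAX_DAYS 90
    set_kv "$1" PASS_MIN_DAYS 1
    set_kv "$1" PASS_MIN_LEN 8
    set_kv "$1" PASS_WARN_AGE 14
    set_kv "$2" PermitRootLogin no
    for kv in net.ipv4.tcp_syncookies=1 net.ipv4.conf.all.accept_source_route=0 \
              net.ipv4.conf.all.accept_redirects=0 net.ipv4.conf.all.rp_filter=1 \
              net.ipv4.icmp_echo_ignore_all=1 net.ipv4.icmp_echo_ignore_broadcasts=1 \
              net.ipv4.icmp_ignore_bogus_error_responses=1 net.ipv4.conf.all.log_martians=1
    do
        set_kv "$3" "${kv%%=*}" "${kv#*=}" " = "   # sysctl.conf uses "key = value"
    done
}
```

Running harden_files a second time changes nothing, which is what makes it safe to put in a provisioning script.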
