25 Essential Linux Hardening Tips to Boost System Security
Discover 25 practical Linux hardening techniques—from BIOS protection and minimal package installation to SELinux configuration, firewall rules, and user account management—that help system administrators strengthen security, prevent attacks, and maintain a resilient, well‑configured server environment.
Linux is often assumed to be secure by default, but to achieve a truly hardened system administrators must actively enable and customize its security features.
1. Physical System Security
Configure BIOS to disable boot from CD/DVD, external devices, and floppy drives; set a BIOS password and enable GRUB password protection to restrict physical access.
2. Disk Partitioning
Use separate partitions to isolate data; in case of failure only the affected partition is compromised. Install third‑party applications on a dedicated filesystem such as /opt.
3. Minimal Package Installation
Avoid installing unnecessary services and packages to reduce the attack surface. List services in runlevel 3 with chkconfig and remove or stop unused ones.
4. Check Network Listening Ports
Use netstat to view open ports and associated programs, then disable unwanted network services with chkconfig.
5. Use SSH Instead of Telnet/rlogin
SSH encrypts client‑server communication. Disable direct root login, use sudo, and change the default SSH port from 22 to a higher number.
6. Keep System Updated
Regularly apply patches, security fixes, and kernel updates.
7. Lock Down Cron Jobs
Control who can schedule cron tasks via /etc/cron.allow and /etc/cron.deny. Add usernames to cron.deny to block those users, or to cron.allow to permit only specific users.
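The precedence between the two files is the part that is easy to get wrong, so here is an added example (not from the original article) that decides whether a user may use crontab. It assumes the rules documented for cronie's crontab(1); the function name cron_allowed and the scratch file paths are hypothetical.

```shell
#!/bin/sh
# Added example: cron.allow / cron.deny precedence as documented for cronie.
# cron_allowed USER ALLOW_FILE DENY_FILE -> prints "allowed" or "denied"
cron_allowed() {
    user=$1 allow=$2 deny=$3
    # root can always use cron, whatever the files say.
    if [ "$user" = root ]; then echo allowed; return; fi
    if [ -f "$allow" ]; then
        # cron.allow exists: only listed users qualify; cron.deny is ignored.
        if grep -qxF -- "$user" "$allow"; then echo allowed; else echo denied; fi
    elif [ -f "$deny" ]; then
        # Only cron.deny exists: everyone except the listed users qualifies.
        if grep -qxF -- "$user" "$deny"; then echo denied; else echo allowed; fi
    else
        # Neither file exists: cronie restricts cron to the superuser.
        echo denied
    fi
}

# Constructed sample files in a scratch directory (not the real /etc).
demo=$(mktemp -d)
printf 'alice\n' > "$demo/cron.allow"
printf 'alice\nbob\n' > "$demo/cron.deny"

for u in root alice bob carol; do
    printf '%-6s both files: %-8s deny only: %s\n' "$u" \
        "$(cron_allowed "$u" "$demo/cron.allow" "$demo/cron.deny")" \
        "$(cron_allowed "$u" "$demo/missing" "$demo/cron.deny")"
done
rm -rf "$demo"
```

Note that alice is allowed when both files exist even though she is also in cron.deny, because cron.deny is not consulted once cron.allow is present.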
8. Disable USB Storage Detection
Create /etc/modprobe.d/no-usb and add rules to prevent USB storage devices from being recognized.
9. Enable SELinux
SELinux provides mandatory access control. It has three modes: Enforcing (default), Permissive, and Disabled. Check or manage its status with system-config-selinux, getenforce, or sestatus.
Enforcing – policies are enforced.
Permissive – policies are logged but not enforced.
Disabled – SELinux is turned off.
10. Remove Desktop Environments on Servers
Uninstall KDE or GNOME on dedicated LAMP servers to reduce attack surface and improve performance. Change runlevel to 3 in /etc/inittab or remove packages entirely.
11. Disable IPv6 if Unused
Comment out or remove IPv6 configuration lines in network settings to eliminate unnecessary exposure.
12. Enforce Password History
Prevent reuse of recent passwords by configuring PAM modules (pam_unix or pam_pwquality) in /etc/pam.d/system-auth (RHEL/CentOS/Fedora) or /etc/pam.d/common-password (Debian/Ubuntu).
13. Check Password Expiration
Use chage -l username to view password aging information stored in /etc/shadow. Modify policies with chage options -M, -m, and -W.
14. Manually Lock/Unlock User Accounts
Lock an account with usermod -L username (a ! is placed in front of the password hash in /etc/shadow) and unlock with usermod -U username.
15. Enforce Strong Passwords
Enable pam_cracklib (or pam_pwquality) and set parameters such as lcredit, ucredit, dcredit, and ocredit to require mixed‑case, digits, and symbols.
16. Enable iptables Firewall
Configure iptables rules to filter inbound, outbound, and forwarded packets, allowing or denying specific TCP/UDP ports based on source and destination.
17. Disable Ctrl+Alt+Delete Reboot
Comment out the ca:ctrlaltdel line in /etc/inittab to prevent accidental server reboots via the key combination.
18. Check for Empty Password Accounts
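Identify accounts with no password using awk -F: '($2=="") {print $1}' /etc/shadow, as they pose a serious security risk. A password field of * or ! is a different case: it marks an account that cannot log in with a password at all.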
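An added example (not from the original article) that extends this check to the password-state and aging fields used in tips 13, 14 and 18. It runs on a constructed sample in shadow(5) layout with placeholder hashes; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: audit /etc/shadow-format data (tips 13, 14 and 18).

# password_state FILE -> one "user:state" line per account:
#   empty  = field 2 is blank, login needs no password
#   locked = field 2 starts with ! or *, so no password can ever match
#   set    = a usable hash is present
password_state() {
    awk -F: '
        $2 == ""     { print $1 ":empty";  next }
        $2 ~ /^[!*]/ { print $1 ":locked"; next }
                     { print $1 ":set" }
    ' "$1"
}

# empty_passwords FILE -> accounts that can log in with no password at all.
empty_passwords() {
    password_state "$1" | awk -F: '$2 == "empty" { print $1 }'
}

# no_expiry FILE -> accounts with a usable hash whose maximum age
# (field 5, the value chage -M sets) is blank or 99999 and above.
no_expiry() {
    awk -F: '$2 != "" && $2 !~ /^[!*]/ && ($5 == "" || $5 + 0 >= 99999) { print $1 }' "$1"
}

# Constructed sample in shadow(5) layout; the hashes are placeholders.
sample=$(mktemp)
cat > "$sample" <<'EOF'
root:$6$SALT$PLACEHOLDERHASH:19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
alice:!$6$SALT$PLACEHOLDERHASH:19000:0:90:7:::
bob::19000:0:99999:7:::
carol:$6$SALT$PLACEHOLDERHASH:19000:1:90:14:::
EOF

password_state "$sample"
echo "empty password: $(empty_passwords "$sample")"
echo "never expires:  $(no_expiry "$sample")"
rm -f "$sample"
```

On a real host, pass /etc/shadow as the file argument and run as root, since the file is not world-readable.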
19. Display SSH Login Banner
Configure /etc/issue.net or Banner in sshd_config to show a legal/security notice before authentication.
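An added example (not from the original article) that checks an sshd_config against tip 5 (root login, port) and tip 19 (banner), taking into account that sshd uses the first value it reads for each keyword. The function names and the sample file are constructed for illustration. It assumes whitespace-separated keywords and no Include files.

```shell
#!/bin/sh
# Added example: read the effective global settings from an sshd_config.

# sshd_value FILE KEYWORD DEFAULT -> value sshd would use globally.
# sshd keeps the FIRST value it reads for a keyword, keywords are
# case-insensitive, and everything after a Match line is conditional.
sshd_value() {
    awk -v key="$2" -v def="$3" '
        NF == 0 || $1 ~ /^#/        { next }   # blank lines and comments
        tolower($1) == "match"      { exit }   # global section ends here
        tolower($1) == tolower(key) { print $2; found = 1; exit }
        END { if (!found) print def }
    ' "$1"
}

# sshd_audit FILE -> one finding per line for tips 5 and 19; empty if clean.
sshd_audit() {
    # Defaults passed here are those of recent OpenSSH releases.
    [ "$(sshd_value "$1" PermitRootLogin prohibit-password)" = no ] ||
        echo "root-login-not-disabled"
    [ "$(sshd_value "$1" Port 22)" != 22 ] || echo "default-port"
    [ "$(sshd_value "$1" Banner none)" != none ] || echo "no-banner"
    return 0
}

# Constructed sample: the later "PermitRootLogin yes" never takes effect
# globally because the earlier "no" was read first.
conf=$(mktemp)
cat > "$conf" <<'EOF'
# constructed sample, not a real host's configuration
Port 2222
permitrootlogin no
Banner /etc/issue.net
PermitRootLogin yes
Match User backup
    PermitRootLogin yes
EOF

echo "PermitRootLogin = $(sshd_value "$conf" PermitRootLogin prohibit-password)"
echo "findings: $(sshd_audit "$conf" | tr '\n' ' ')"
rm -f "$conf"
```

On a live host, sshd -T prints the configuration the daemon actually resolves, which also covers Include files and compiled-in defaults.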
20. Monitor User Activity
Install psacct or acct to log user commands and resource usage for later analysis.
21. Regular Log Review
Centralize logs on a dedicated log server and regularly review files such as /var/log/messages, /var/log/secure, and application logs.
22. Backup Critical Files
Regularly back up configuration files and important data to remote, secure storage for disaster recovery.
23. NIC Bonding
Configure network interface bonding (mode 0 – round‑robin, mode 1 – active‑backup) to provide redundancy and avoid single points of failure.
24. Keep /boot Read‑Only
Mount /boot as read‑only to protect kernel and bootloader files; when appropriate, add the ro option to the /boot entry in /etc/fstab, and remount it read-write before kernel updates.
25. Ignore ICMP and Broadcast Requests
Add rules to /etc/sysctl.conf to drop ping and broadcast traffic, then reload with sysctl -p.
These 25 steps provide a comprehensive checklist for hardening a Linux system, helping administrators mitigate vulnerabilities and maintain a secure operating environment.
This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contact us and we will review it promptly.
MaGe Linux Operations
