25 Essential Linux Hardening Tips to Secure Your Servers

This guide lists 25 practical Linux hardening techniques—from BIOS protection and partitioning to SSH configuration, SELinux, firewall rules, password policies, and log management—helping system administrators strengthen server security against attacks and vulnerabilities.

MaGe Linux Operations

For system administrators, keeping Linux systems secure against hackers is a constant challenge. This article presents 25 useful tips and tricks to harden Linux systems.

1. Physical System Security

Configure BIOS to disable boot from CD/DVD, external devices, and floppy drives, set a BIOS password, and enable GRUB password protection to limit physical access.

2. Disk Partitioning

Use separate partitions to isolate data and improve resilience. Install third‑party applications under a dedicated /opt filesystem.

/
/boot
/usr
/var
/home
/tmp
/opt

3. Minimal Package Installation

Avoid installing unnecessary services to reduce the attack surface. List the services enabled in runlevel 3:

# /sbin/chkconfig --list | grep '3:on'

Stop unwanted ones:

# chkconfig serviceName off

Remove packages with the package manager:

# yum -y remove package-name
# sudo apt-get remove package-name

4. Check Network Listening Ports

Use # netstat -tulpn to view open ports and disable unwanted network services with chkconfig.

5. Use SSH (Secure Shell)

Replace insecure protocols like Telnet with SSH. Never log in directly as root; use sudo and edit /etc/sudoers with visudo. Change the default SSH port and edit /etc/ssh/sshd_config:

# vi /etc/ssh/sshd_config

Disable root login:

PermitRootLogin no

Allow specific users:

AllowUsers username

Enforce SSH protocol 2:

Protocol 2
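
An added example (not from the original article): a shell check that reads an sshd_config and reports whether the settings above are actually in effect. It accounts for sshd using the first occurrence of a keyword and treating keywords case-insensitively; the sample file is constructed, and only the whitespace-separated keyword form is handled.

```sh
# Print the effective value of keyword $2 in file $1. sshd keywords are
# case-insensitive, the first occurrence wins, and lines after a "Match"
# line are conditional, so scanning stops there.
sshd_first_value() {
    awk -v key="$2" '
        /^[ \t]*#/ || NF == 0 { next }
        tolower($1) == "match" { exit }
        tolower($1) == tolower(key) {
            $1 = ""; sub(/^[ \t]+/, ""); print; exit
        }' "$1"
}

# Report each deviation on stdout; return 0 only if all checks pass.
audit_sshd() {
    cfg=$1; rc=0
    root=$(sshd_first_value "$cfg" PermitRootLogin | tr 'A-Z' 'a-z')
    users=$(sshd_first_value "$cfg" AllowUsers)
    proto=$(sshd_first_value "$cfg" Protocol)
    if [ "$root" != "no" ]; then
        echo "FAIL PermitRootLogin is '${root:-unset}', expected 'no'"; rc=1
    fi
    if [ -z "$users" ]; then
        echo "FAIL AllowUsers is not set globally"; rc=1
    fi
    # Unset is accepted: current OpenSSH releases only speak protocol 2.
    if [ -n "$proto" ] && [ "$proto" != "2" ]; then
        echo "FAIL Protocol is '$proto', expected '2'"; rc=1
    fi
    return $rc
}

# Constructed sample: the commented-out line and the later duplicate are traps.
sample=$(mktemp)
cat > "$sample" <<'EOF'
#PermitRootLogin no
Protocol 2,1
permitrootlogin yes
PermitRootLogin no
Match User backup
    AllowUsers backup
EOF
audit_sshd "$sample" || echo "sshd_config needs attention"
rm -f "$sample"
```

On a server, run audit_sshd /etc/ssh/sshd_config after every edit and before restarting sshd.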

6. Keep System Updated

Regularly apply patches and kernel updates:

# yum update
# yum check-update

7. Lock Down Cron Jobs

Control who can run cron jobs via /etc/cron.allow and /etc/cron.deny. To deny all users:

# echo ALL >>/etc/cron.deny

8. Disable USB Storage

Create /etc/modprobe.d/no-usb and add:

install usb-storage /bin/true

9. Enable SELinux

SELinux provides mandatory access control. Use one of three modes: enforcing, permissive, or disabled. Check status with # sestatus and enable enforcing mode:

# setenforce enforcing

10. Remove Desktop Environments

On headless servers, uninstall X Window systems to reduce attack surface:

# yum groupremove "X Window System"

11. Disable IPv6

If not needed, turn off IPv6 in /etc/sysconfig/network:

# vi /etc/sysconfig/network
NETWORKING_IPV6=no
IPV6INIT=no

12. Enforce Password History

Prevent reuse of old passwords via PAM configuration. Add to /etc/pam.d/system-auth (RHEL/CentOS/Fedora) or /etc/pam.d/common-password (Ubuntu/Debian):

auth        sufficient    pam_unix.so likeauth nullok
password   sufficient    pam_unix.so nullok use_authtok md5 shadow remember=5

13. Check Password Expiration

Use # chage -l username to view aging information and # chage -M 60 username to set maximum days.

14. Manually Lock/Unlock User Accounts

Lock an account:

# passwd -l accountName

Unlock an account:

# passwd -u accountName

15. Strengthen Password Policy

Enable pam_cracklib in /etc/pam.d/system-auth:

/lib/security/$ISA/pam_cracklib.so retry=3 minlen=8 lcredit=-1 ucredit=-2 dcredit=-2 ocredit=-1

16. Enable iptables Firewall

Configure iptables rules to filter inbound, outbound, and forwarded traffic.

17. Disable Ctrl+Alt+Del Reboot

Comment out the Ctrl‑Alt‑Del entry in /etc/inittab:

#ca::ctrlaltdel:/sbin/shutdown -t3 -r now

18. Detect Empty Password Accounts

Find accounts with no password:

# cat /etc/shadow | awk -F: '($2==""){print $1}'
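
An added example (not from the original article) that extends the one-liner above into a single pass over a shadow-format file, covering tips 13, 14 and 18 together: empty passwords, locked accounts, and accounts whose maximum password age is missing or above a limit. The sample file and its placeholder hash strings are constructed.

```sh
# Added example, not from the original article. Audits a shadow-format file:
#   name:hash:lastchg:min:max:warn:inactive:expire:reserved
# $1 = file, $2 = maximum password age in days (default 60, as in tip 13).
# Returns non-zero when at least one account has an empty password field.
audit_shadow() {
    awk -F: -v limit="${2:-60}" '
        NF < 2     { next }                              # blank or malformed line
        $2 == ""   { print "EMPTY " $1; bad = 1; next }  # tip 18
        $2 ~ /^!/  { print "LOCKED " $1; next }          # tip 14: passwd -l adds "!"
        $2 ~ /^\*/ { next }                              # "*": no password login
        $5 == "" || $5 + 0 > limit + 0 {                 # tip 13: no or long max age
            print "MAXAGE " $1 " " ($5 == "" ? "never" : $5)
        }
        END { exit bad + 0 }
    ' "$1"
}

# Constructed sample; the hash strings are placeholders, not real hashes.
sample=$(mktemp)
cat > "$sample" <<'EOF'
root:$6$PLACEHOLDER$placeholderhash:19000:0:99999:7:::
alice:$6$PLACEHOLDER$placeholderhash:19700:0:60:7:::
bob::19700:0:60:7:::
carol:!$6$PLACEHOLDER$placeholderhash:19700:0:60:7:::
daemon:*:18000:0:99999:7:::
dave:$6$PLACEHOLDER$placeholderhash:19700:0::7:::
EOF
audit_shadow "$sample" 60 || echo "accounts with empty passwords found"
rm -f "$sample"
```

Run it as root against /etc/shadow; the non-zero exit status makes it usable from a scheduled job that alerts on empty passwords.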

19. Show SSH Login Banner

Display a legal/security warning before SSH login.

20. Monitor User Activity

Use psacct or acct to log user actions and resource usage.

21. Regular Log Review

Store logs on a dedicated log server and monitor common log files such as /var/log/messages, /var/log/auth.log, /var/log/kern.log, etc.

22. Backup Important Files

Maintain remote backups of critical data for disaster recovery.

23. NIC Bonding

Combine multiple network interfaces for redundancy using mode 0 (round‑robin) or mode 1 (active‑backup).

24. Make /boot Read‑Only

Set /boot to read‑only in /etc/fstab:

LABEL=/boot     /boot     ext2     defaults,ro     1 2

25. Block ICMP and Broadcast Requests

Add to /etc/sysctl.conf:

net.ipv4.icmp_echo_ignore_all = 1
net.ipv4.icmp_echo_ignore_broadcasts = 1

Load the new settings:

# sysctl -p

These tips collectively improve the security posture of Linux servers.
