25 Essential Linux Hardening Tips to Secure Your Servers
This comprehensive guide presents 25 practical Linux hardening techniques—from BIOS protection and disk partitioning to SELinux configuration, firewall rules, and user account management—helping system administrators strengthen server security and defend against potential attacks.
1. Physical System Security
Configure BIOS to disable boot from CD/DVD, external devices, and floppy drives, set a BIOS password, and enable GRUB password protection to restrict physical access.
2. Disk Partitioning
Use separate partitions to isolate data; place third‑party applications in a dedicated filesystem such as /opt to limit damage from failures.
3. Minimal Package Installation
Avoid installing unnecessary services; remove or stop unused packages to reduce vulnerability surface. List services in runlevel 3 with chkconfig.
Stop unwanted services using the commands shown in the following images.
4. Check Network Listening Ports
Use netstat to view open ports and associated programs, then disable unwanted network services with chkconfig.
5. Use SSH Instead of Telnet/rlogin
Prefer encrypted SSH connections; never log in directly as root. Use sudo and edit /etc/sudoers with visudo. Change the default SSH port from 22 to a higher number.
6. Keep System Updated
Regularly apply the latest patches, security fixes, and kernel updates.
7. Lock Cron Jobs
Control which users can run cron jobs via /etc/cron.allow and /etc/cron.deny. Add usernames to cron.deny to block them, or to cron.allow to permit them.
8. Disable USB Detection
Create /etc/modprobe.d/no-usb and use the shown command to prevent USB storage devices from being detected.
9. Enable SELinux
Activate SELinux’s enforcing mode; avoid disabling it unless absolutely necessary. Use system-config-selinux, getenforce, or sestatus to check status.
10. Remove Desktop Environments on Servers
Uninstall KDE or GNOME on dedicated LAMP servers to improve security and performance; set runlevel 3 in /etc/inittab or remove packages entirely.
11. Disable IPv6 If Unused
Comment out or remove IPv6 configuration lines in network settings to reduce attack surface.
12. Enforce Password History
Prevent reuse of recent passwords by configuring PAM modules in /etc/pam.d/system-auth (RHEL/CentOS/Fedora) or /etc/pam.d/common-password (Debian/Ubuntu). Add lines to disallow the last five passwords.
13. Check Password Expiration
Use chage to view and modify password aging information stored in /etc/shadow.
14. Manually Lock/Unlock User Accounts
Lock accounts for a period by prefixing the encrypted password with an exclamation mark; unlock by restoring the original hash.
15. Strengthen Password Policies
Enable pam_cracklib in PAM to require complex passwords (uppercase, lowercase, digits, special characters).
16. Enable iptables Firewall
Configure iptables rules to filter inbound, outbound, and forwarded packets, allowing or denying specific ports and protocols.
17. Disable Ctrl+Alt+Delete Reboot
Comment out the Ctrl‑Alt‑Delete entry in /etc/inittab to prevent accidental server reboots.
18. Check for Empty Password Accounts
Identify accounts with no password using the provided command to eliminate a serious security risk.
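An added example, not part of the original article: a shell function that reads a shadow-format file and reports the conditions from tips 13, 14 and 18 (no maximum password age, a hash locked with a leading exclamation mark, an empty password field). The function names, finding labels and sample entries are assumptions constructed for illustration.

```shell
#!/bin/sh
# Field layout per shadow(5):
#   name:hash:lastchg:min:max:warn:inactive:expire:reserved

# Constructed sample data. Usernames and hash strings are placeholders,
# not real accounts or real hashes.
sample_shadow() {
cat <<'EOF'
root:$6$saltsalt$examplehashA:19000:0:90:7:::
alice:$6$saltsalt$examplehashB:19000:0:99999:7:::
bob::19000:0:90:7:::
carol:!$6$saltsalt$examplehashC:19000:0:90:7:::
daemon:*:18000:0:99999:7:::
dave:$6$saltsalt$examplehashD:19000:0::7:::
EOF
}

# audit_shadow [FILE]
# Prints one "FINDING user" line per issue. Reads stdin when FILE is omitted.
audit_shadow() {
    awk -F: '
        # Tip 18: an empty second field means the account has no password.
        $2 == ""                     { print "EMPTY_PASSWORD " $1; next }
        # Tip 14: "!" in front of a real hash marks a manually locked account.
        $2 ~ /^!/ && length($2) > 2  { print "LOCKED " $1; next }
        # A bare "*", "!" or "!!" means no usable password (system accounts).
        $2 ~ /^[*!]+$/               { next }
        # Tip 13: max age (field 5) empty or 99999 means the password never expires.
        $5 == "" || $5 == "99999"    { print "NO_EXPIRY " $1 }
    ' "${1:--}"
}

# Stand-alone run against the constructed sample.
sample_shadow | audit_shadow
```

To audit a live system, run `audit_shadow /etc/shadow` as root, then review each NO_EXPIRY account with chage.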
19. Display SSH Login Banner
Configure an SSH banner to show legal and security warnings before authentication.
20. Monitor User Activity
Use psacct or acct to log user actions and process resource consumption for analysis.
21. Regularly Review Logs
Centralize logs on a dedicated server to prevent tampering; common log files and their purposes are illustrated.
22. Backup Critical Files
Maintain off‑site backups of essential files for disaster recovery.
23. NIC Bonding
Configure NIC bonding (mode 0 – round‑robin, mode 1 – active‑backup) to avoid single points of failure.
24. Keep /boot Read‑Only
Set the /boot partition to read‑only to protect kernel files; revert to read‑write when updating the kernel.
25. Ignore ICMP and Broadcast Requests
Add rules to /etc/sysctl.conf to block ping and broadcast traffic, then reload the configuration.
This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contact us and we will review it promptly.
MaGe Linux Operations
