Essential Linux Hardening: 12 Practical Commands to Secure Your System

This article walks through twelve essential Linux security techniques—from console access restrictions and password aging to SSH hardening, Tripwire intrusion detection, firewalld and iptables configuration, compiler restrictions, immutable files, SELinux auditing, and more—providing concrete commands to fortify a system against evolving threats.

MaGe Linux Operations

Console Security

You can limit root login to specific terminals by editing the security file under /etc that lists the allowed devices. Have users log in with non‑root accounts for regular work and use su when root privileges are needed.

Password Lifecycle

Set an expiration period for passwords so users must change them regularly, reducing risk if credentials are compromised.

chage -M 20 likegeeks

Running chage likegeeks without options shows the current settings and prompts for new values.

chage likegeeks

Alternatively, define defaults for all users in /etc/login.defs:

PASS_MAX_DAYS 20
PASS_MIN_DAYS 0
PASS_WARN_AGE 5
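
The values in /etc/login.defs are applied when an account is created, so accounts that already exist keep their old limits until chage is run on them. The following added example (not part of the original article) lists accounts whose maximum password age exceeds the policy; the function name aging_violations and the sample data are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: flag accounts whose maximum password age exceeds the policy.
# Input is in shadow(5) format: name:hash:lastchg:min:max:warn:inactive:expire:
POLICY_MAX_DAYS=20   # same value as PASS_MAX_DAYS in the article

aging_violations() {
    # $1 = file in shadow format, $2 = maximum allowed days
    awk -F: -v max="$2" '
        # Locked accounts and accounts without a usable password start with ! or *
        $2 ~ /^[!*]/ { next }
        # An empty field 5 means the password never expires
        $5 == "" || $5 + 0 > max + 0 { print $1 }
    ' "$1"
}

# Constructed sample data, not taken from a real system
sample=$(mktemp)
cat > "$sample" <<'EOF'
root:$6$constructed$hash:19000:0:99999:7:::
likegeeks:$6$constructed$hash:19500:0:20:5:::
olduser:$6$constructed$hash:18000:0::7:::
daemon:*:18000:0:99999:7:::
EOF
aging_violations "$sample" "$POLICY_MAX_DAYS"
rm -f "$sample"
```

On a real host, run it as root against /etc/shadow and apply chage -M to each account it lists.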

Sudo Notifications

Configure /etc/sudoers to send email alerts when sudo is used.

Defaults mailto="[email protected]"

Enable always‑mail mode:

Defaults mail_always

SSH Hardening

Modify /etc/ssh/sshd_config to improve security.

Port 5555
PermitRootLogin no
PasswordAuthentication no
PermitEmptyPasswords no
UseDNS yes
GSSAPIAuthentication no
# ServerAliveInterval and ServerAliveCountMax are client options; set them in ssh_config, not here
# ServerAliveInterval 15
# ServerAliveCountMax 3
TCPKeepAlive yes
ClientAliveInterval 30
ClientAliveCountMax 5
AllowUsers user1 user2
AllowGroups group1 group2
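
A mistyped or misplaced keyword in sshd_config can stop sshd from starting, and a weak value that appears first takes effect. The following added example (not part of the original article) lints the global section of an sshd_config-style file for the settings discussed in this section; the function name audit_sshd_config and the sample file are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: lint the global section of an sshd_config-style file.
audit_sshd_config() {
    # $1 = path to the file; prints one finding per line
    awk '
        /^[[:space:]]*(#|$)/ { next }          # skip comments and blank lines
        { key = tolower($1); val = tolower($2) }
        key == "match" { exit }                # Match blocks are out of scope
        (key in seen) { next }                 # sshd uses the first value it reads
        { seen[key] = 1 }
        key ~ /^serveralive/ {
            print "client-only option, belongs in ssh_config: " $1 }
        key == "allowuser" || key == "allowgroup" {
            print "unknown keyword, did you mean " $1 "s: " $1 }
        (val == "yes" || val == "no") && NF > 2 {
            print "extra tokens after yes/no value: " $0 }
        key == "permitrootlogin" && val == "yes" { print "root login allowed" }
        key == "passwordauthentication" && val == "yes" {
            print "password authentication enabled" }
        key == "permitemptypasswords" && val == "yes" {
            print "empty passwords allowed" }
        END {
            if (!("passwordauthentication" in seen))
                print "PasswordAuthentication not set, default is yes"
        }
    ' "$1"
}

# Constructed sample file that mirrors mistakes which are easy to make
sample=$(mktemp)
cat > "$sample" <<'EOF'
Port 5555
PermitRootLogin no
PasswordAuthentication no PermitEmptyPasswords no
ServerAliveInterval 15
AllowGroup group1 group2
PermitRootLogin yes
EOF
audit_sshd_config "$sample"
rm -f "$sample"
```

On a live host, run sshd -t before restarting the service; it checks the real configuration file and refuses unknown or misplaced keywords.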

Enable two‑factor authentication with Google Authenticator:

yum install google-authenticator
google-authenticator
# add this line to /etc/pam.d/sshd
auth required pam_google_authenticator.so
# set this in /etc/ssh/sshd_config
ChallengeResponseAuthentication yes
systemctl restart sshd

Tripwire Intrusion Detection

Install Tripwire from the EPEL repository and set up keys.

wget http://dl.fedoraproject.org/pub/epel/7/x86_64/e/epel-release-7-9.noarch.rpm
rpm -ivh epel-release-7-9.noarch.rpm
sudo yum install tripwire
tripwire-setup-keyfiles

Customize the policy file /etc/tripwire/twpol.txt and update it:

tripwire --update-policy --secure-mode low /etc/tripwire/twpol.txt
tripwire --init

Run checks with:

tripwire --check

Firewalld

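Firewalld replaces iptables and allows dynamic rule changes without restarting the service. Changes made with the commands below affect the running configuration only; add --permanent and run firewall-cmd --reload to keep them across restarts.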

firewall-cmd --state
firewall-cmd --get-zones
firewall-cmd --set-default-zone=
firewall-cmd --zone=public --list-all
firewall-cmd --get-services
firewall-cmd --zone=public --add-service=http
firewall-cmd --zone=public --remove-service=ftp
firewall-cmd --zone=public --list-ports
firewall-cmd --zone=public --add-port=8080/tcp
firewall-cmd --zone=public --remove-port=8080/tcp
firewall-cmd --zone=public --add-forward-port=port=80:proto=tcp:toport=8080
firewall-cmd --zone=public --remove-forward-port=port=80:proto=tcp:toport=8080

Returning to iptables

If you prefer iptables, disable firewalld first, then install and start iptables services.

systemctl disable firewalld
systemctl stop firewalld
yum install iptables-services
touch /etc/sysconfig/iptables
touch /etc/sysconfig/ip6tables
systemctl start iptables
systemctl start ip6tables
systemctl enable iptables
systemctl enable ip6tables

Reboot the system so the kernel applies the new configuration.

Restricting Compilers

Limit access to compiler binaries so attackers cannot easily compile malicious code.

rpm -q --filesbypkg gcc | grep 'bin'
groupadd compilerGroup
chown root:compilerGroup /usr/bin/gcc
chmod 0750 /usr/bin/gcc

Immutable Files

Mark critical files as immutable so even root cannot modify, delete, or rename them.

chattr +i /myscript

Remove the immutable attribute when needed:

chattr -i /myscript

Managing SELinux with aureport

Generate SELinux audit reports using aureport:

aureport --avc
aureport -x
aureport -au -i
aureport -au --summary -i --failed
aureport -au --summary -i --success

Using sealert

Install the setools package and run sealert to get human‑readable SELinux warnings.

yum install setools
sealert -a /var/log/audit/audit.log

The article concludes that many more Linux security techniques exist, and encourages readers to explore further hardening methods.
