Essential Linux Hardening: 14 Steps to Secure Your Servers

This guide explains why Linux dominates modern IT, then walks through fourteen practical hardening measures—including physical security, updates, minimal installations, login restrictions, user and file management, firewall configuration, package handling, disabling Ctrl‑Alt‑Del, monitoring, log centralization, backups, security tools, and management policies—to build a robust and attack‑resistant Linux server.

MaGe Linux Operations

For IT professionals, an increasing amount of work is moving to Linux, which powers a large share of web, DNS, mail, and big‑data servers. While Linux is often considered secure by default, its built‑in security model must be enabled and customized to achieve a truly hardened system.

1. Physical Security

Secure the hardware by restricting BIOS access, disabling boot from removable media, and optionally disabling USB devices.

vim /etc/modprobe.d/stopusb.conf
install usb-storage /bin/true

Or remove the USB storage driver:

# mv /lib/modules/3.10.0-693.el7.x86_64/kernel/drivers/usb/storage/usb-storage.ko.xz /tmp/
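
A check for the first method, added here as an example and not part of the original article: modprobe only reads files in /etc/modprobe.d whose names end in .conf, so the script reports whether the install override is in a file that counts. The function name and the sample directory are assumptions made for the illustration.

```sh
#!/bin/sh
# Added example for step 1 (not from the original article).
# modprobe only reads files in /etc/modprobe.d whose names end in .conf,
# and it treats "-" and "_" in module names as the same character.

# usb_storage_blocked DIR: print each matching file and succeed only if
# an install override for usb-storage sits in a file modprobe will read.
usb_storage_blocked() {
    blocked=1
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        grep -Eq '^[[:space:]]*install[[:space:]]+usb[-_]storage[[:space:]]+/bin/(true|false)' \
            "$f" || continue
        case $f in
            *.conf) echo "active:  $f"; blocked=0 ;;
            *)      echo "ignored: $f (no .conf suffix)" ;;
        esac
    done
    return "$blocked"
}

# Constructed sample directory standing in for /etc/modprobe.d.
dir=$(mktemp -d)
echo 'install usb-storage /bin/true' > "$dir/stopusb"
usb_storage_blocked "$dir" || echo "usb-storage can still be loaded"
mv "$dir/stopusb" "$dir/stopusb.conf"
usb_storage_blocked "$dir" && echo "usb-storage load is overridden"
```

An install override does not stop insmod called with a direct path to the module file, which is the gap the second method (moving the .ko file) closes.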

2. Keep the System Updated

Regularly apply patches, security fixes, and kernel updates to eliminate known vulnerabilities.

yum update
yum check-update

3. Minimal Installation Principle

Install only the required packages and services, and disable unnecessary ports to reduce the attack surface.

# chkconfig --list | grep "3:on"
# chkconfig service-name off

4. Login and Connection

Avoid direct root logins; use sudo for privilege escalation and lock the /etc/sudoers file. Modify sshd_config to change the default port and disable root password login.

# vim /etc/ssh/sshd_config
# Change 22 to a non-standard port
Port 22
PermitRootLogin no
AllowUsers your_user
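
An audit of the three sshd_config settings named in this step, added here as an example and not part of the original article. The function names and both sample files are constructed for the illustration; the checks assume the policy stated above (non-default port, no root login, an explicit AllowUsers list).

```sh
#!/bin/sh
# Added example for step 4 (not from the original article).
# sshd keeps the FIRST value it reads for a keyword, keywords are
# case-insensitive, and a Match line ends the global section.

# sshd_value FILE KEYWORD: print the first global value, or nothing.
sshd_value() {
    awk -v key="$2" '
        BEGIN { key = tolower(key) }
        /^[ \t]*#/ { next }                      # commented-out line
        tolower($1) == "match" { exit }          # conditional blocks start
        tolower($1) == key { $1 = ""; sub(/^[ \t]+/, ""); print; exit }
    ' "$1"
}

# audit_sshd FILE: print one line per failed check; exit status = failures.
# An unset PermitRootLogin fails because the built-in default differs
# between OpenSSH versions.
audit_sshd() {
    fails=0
    port=$(sshd_value "$1" Port)
    root=$(sshd_value "$1" PermitRootLogin)
    users=$(sshd_value "$1" AllowUsers)
    [ "${port:-22}" != 22 ] || { echo "FAIL Port is the default 22"; fails=$((fails + 1)); }
    [ "$root" = no ] || { echo "FAIL PermitRootLogin is ${root:-unset}"; fails=$((fails + 1)); }
    [ -n "$users" ] || { echo "FAIL AllowUsers is unset globally"; fails=$((fails + 1)); }
    return "$fails"
}

# Constructed sample files (not taken from a real host).
demo=$(mktemp -d)
cat > "$demo/weak" <<'EOF'
#Port 2222
PermitRootLogin yes
PermitRootLogin no
Match User backup
    AllowUsers backup
EOF
cat > "$demo/hardened" <<'EOF'
port 2222
PermitRootLogin no
AllowUsers your_user
EOF
audit_sshd "$demo/weak" || echo "weak: $? check(s) failed"
audit_sshd "$demo/hardened" && echo "hardened: all checks passed"
```

On a live host, `sshd -T` (run as root) prints the effective configuration in the same keyword and value form, so its saved output can be passed to audit_sshd in place of the file.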

5. User Management

Set strong passwords with passwd, create temporary accounts when needed, and lock or delete users after use.

# passwd mingongge
# usermod -L mingongge   # lock
# usermod -U mingongge   # unlock
# userdel -r username   # delete

6. File Management

Protect critical files such as /etc/passwd and /etc/shadow by setting appropriate permissions and locking them against modification by non‑root users.

# stat /etc/passwd
# stat /etc/shadow
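
One way to turn the stat output above into a pass/fail check, added here as an example and not part of the original article. It assumes GNU stat (`stat -c`) and treats 644 and 640 as the maximum modes for /etc/passwd and /etc/shadow; the function name is made up for the illustration.

```sh
#!/bin/sh
# Added example for step 6 (not from the original article).
# Assumes GNU stat, as shipped on the distributions this guide covers.

# mode_ok FILE MAX_MODE OWNER_UID
# Succeeds when FILE is owned by OWNER_UID and sets no permission bit
# outside MAX_MODE, so 600 passes a 644 limit and 664 does not.
# Returns 1 on a policy failure and 2 when FILE cannot be examined.
mode_ok() {
    mode=$(stat -c %a "$1") || return 2
    uid=$(stat -c %u "$1") || return 2
    # Octal arithmetic: keep only the bits that MAX_MODE does not allow.
    extra=$(( 0$mode & ~0$2 & 07777 ))
    if [ "$uid" != "$3" ]; then
        echo "FAIL $1: owner uid $uid, expected $3"
        return 1
    fi
    if [ "$extra" -ne 0 ]; then
        printf 'FAIL %s: mode %s exceeds %s (extra bits %o)\n' \
            "$1" "$mode" "$2" "$extra"
        return 1
    fi
    echo "OK   $1: mode $mode, uid $uid"
}

# Limits used here: passwd at most 644, shadow at most 640
# (RHEL ships shadow as 000, Debian as 640 with group shadow).
for spec in /etc/passwd:644 /etc/shadow:640; do
    mode_ok "${spec%%:*}" "${spec##*:}" 0 || true
done
```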

7. Enable Firewall

Use iptables (or firewalld) to filter inbound and outbound traffic with fine‑grained rules.

8. Package Management

Manage software with the RPM/YUM or APT package managers, and always use the proper commands for removal.

yum -y remove package-name
sudo apt-get remove package-name

9. Disable Ctrl+Alt+Del Reboot

Prevent accidental reboots by disabling the Ctrl+Alt+Del key combination.

# vi /etc/init/control-alt-delete.conf   # comment the start line
# or
# mv /etc/init/control-alt-delete.conf /etc/init/control-alt-delete.conf.bak

On systems using systemd, remove or mask the target:

# systemctl mask ctrl-alt-del.target

10. Monitor User Activity

Install psacct or acct to record user sessions, commands, and resource usage.

# yum install psacct -y
# ac -p          # per‑user connection time
# sa -u          # per‑user command statistics
# last           # recent logins
# lastb          # failed login attempts

11. Regular Log Inspection

Centralize important logs on a dedicated log server to prevent attackers from harvesting local logs.

12. Data Backup

Perform local, off‑site, and media‑diverse backups, and regularly verify data integrity and availability.

13. Security Tools

Utilize port scanners (e.g., nmap), web application scanners (e.g., IBM AppScan, SQLMap), encryption utilities, IDS/IPS, and vulnerability scanners—choosing open‑source or commercial solutions based on requirements.

14. Management Practices

Establish clear security processes and policies; without disciplined management, technical measures alone cannot guarantee protection.
