Essential Linux Hardening: Minimalism, Port Tweaks, and Kernel Optimizations

1. Minimalization Principle

Adopt a minimal‑install mindset by (1) installing only essential packages, (2) limiting services that start at boot, (3) reducing operational overhead, (4) tightening file permissions, and (5) keeping configuration values reasonable rather than maximized.

2. Port Optimization

Change the default SSH port (22) to a custom value and disable direct root login to thwart brute‑force attacks.

vim /etc/ssh/sshd_config   # backup before editing
# Example changes
Port 2222                     # choose any unused port
PermitRootLogin no           # prevent root remote login
PermitEmptyPasswords no      # disallow empty passwords
UseDns no                     # skip DNS lookups
service sshd restart          # apply changes

3. Sudo Configuration

Grant specific root‑level capabilities to regular users via sudo and edit the sudoers file with visudo to define precise command allowances.

# visudo
# Example entry: user ALL=(ALL) NOPASSWD:/usr/bin/systemctl restart httpd

4. Kernel Parameter Optimization

Fine‑tune TCP and connection‑tracking parameters using sysctl to improve network throughput and reduce resource consumption.

net.ipv4.tcp_fin_timeout=2
net.ipv4.tcp_tw_reuse=1
net.ipv4.tcp_tw_recycle=1
net.ipv4.tcp_syncookies=1
net.ipv4.tcp_keepalive_time=600
net.ipv4.ip_local_port_range=4000 65000
net.ipv4.tcp_max_syn_backlog=16384
net.ipv4.tcp_max_tw_buckets=36000
net.route.gc_timeout=100
net.ipv4.tcp_syn_retries=1
net.ipv4.tcp_synack_retries=1
net.core.somaxconn=16384
net.core.netdev_max_backlog=16384
net.ipv4.tcp_max_orphans=16384
net.nf_conntrack_max=25000000
net.netfilter.nf_conntrack_max=25000000
net.netfilter.nf_conntrack_tcp_timeout_established=180
net.netfilter.nf_conntrack_tcp_timeout_time_wait=120
net.netfilter.nf_conntrack_tcp_timeout_close_wait=60
net.netfilter.nf_conntrack_tcp_timeout_fin_wait=120

5. Firewall Optimization

Temporarily stop the firewall and disable it permanently when appropriate.

service iptables stop                     # temporary stop
chkconfig --level 35 iptables off        # permanent disable

6. Additional System Hardening

Hide the operating system version, lock critical files, and adjust file‑descriptor limits.

# Hide OS version
cat /etc/issue
# Lock important files
chattr +i /etc/passwd /etc/gshadow /etc/inittab

7. Linux Hardening Summary

Key actions include: (1) create non‑root users and manage privileges via sudo, (2) change the SSH port and disable root login, (3) synchronize server time, (4) use domestic yum mirrors for faster package downloads, (5) disable SELinux and iptables where suitable, (6) increase file‑descriptor limits, (7) clean up stale files in /var/spool/clientmqene, (8) trim auto‑start services (crond, ssh, network, syslog), and (9) apply the kernel and firewall tweaks listed above.

8. Linux Package Installation Methods

Three common approaches for installing software such as Apache:

Compile from source for maximum flexibility.

Install via yum or rpm for simplicity.

Hybrid method: build a custom RPM from source and distribute it through a private yum repository for controlled, repeatable deployments.