Essential Linux Hardening: Practical Steps to Secure Accounts, Services, and Networks

Linux, as an open‑source operating system, is widely adopted by enterprises and individuals, making its security a critical concern. While antivirus tools exist, true protection requires hardening the system itself.

User Account Security

Password Management : Avoid dictionary attacks by using non‑dictionary character combinations, mixing numbers, uppercase and lowercase letters, and special symbols; keep passwords sufficiently long; change them regularly.

Account Privilege Levels : Assign appropriate permissions when creating new user IDs and group them accordingly. Control login access via /etc/hosts.allow and /etc/hosts.deny, and monitor /var/log/secure for suspicious entries.

Root Access Control : The /etc/securetty file lists terminals allowed for direct root login. Prefer logging in with a regular account and using su to elevate privileges.

System Login Management

User credentials are stored in /etc/passwd (public information) and encrypted passwords in /etc/shadow. Restrict permissions on these files, regularly audit UID/GID mappings, and prevent privilege escalation.

Network Service Security

Disable Unnecessary Services : Remove or stop services such as HTTP, SMTP, Telnet, FTP, TFTP, IMAP/POP3, Gopher, Daytime, and Time if not required. Verify port assignments in /etc/services to avoid exposure.

Restrict Local User Logins for Services : For services like NFS, Samba, FTP, and HTTP, configure their *.conf files to limit directory access or deny HOME directory access.

Change Default Service Ports : Modify ports listed in /etc/services (e.g., FTP 20/21, SSH 22, DNS 53, HTTP 80, MySQL 3306) to obscure service identification and hinder automated attacks.

System Hardening Settings

Disable Ping Responses to reduce ICMP‑based probing: echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all (add to /etc/rc.d/rc.local for persistence). Restore with echo 0 > /proc/sys/net/ipv4/icmp_echo_ignore_all.

Disable IP Source Routing to prevent packet spoofing:

for i in /proc/sys/net/ipv4/conf/*/accept_source_route; do echo 0 > $i; done

(add to /etc/rc.d/rc.local).

Enable TCP SYN Cookies to mitigate SYN flood attacks: echo 1 > /proc/sys/net/ipv4/tcp_syncookies.

Secure Init Scripts : Restrict permissions on scripts in /etc/rc.d/init.d: chmod -R 700 /etc/rc.d/init.d/*, ensuring only root can start or stop services.

Log Management

Regularly review logs in /var/log (e.g., messages, maillog, secure, mail/root) for anomalies such as unusual login times, truncated logs, unknown source IPs, repeated failed authentication attempts, unauthorized su usage, and unexpected service restarts.

Comprehensive Defense

Deploy both a firewall (iptables/Netfilter) and an intrusion detection system (Snort or LIDS). The firewall filters traffic by IP/port, while IDS inspects packet payloads for deeper analysis; using them together provides layered protection.

Vulnerability Tracking and Patch Management

Stay informed via reputable Linux security forums and mailing lists, perform regular vulnerability scans and penetration tests, and apply kernel and package updates promptly. Prefer stable kernel versions (even numbers) and disable unnecessary kernel features to reduce the attack surface.

Hardware Firewalls

Employ hardware firewalls as the first line of defense, adhering to the principle "deny all unless explicitly allowed". Configure NAT and port forwarding carefully, avoiding default ports when possible.

Conclusion

Effective Linux security combines proper account policies, service minimization, network hardening, diligent log monitoring, timely patching, and layered defenses. Continuous vigilance and regular updates are essential to mitigate evolving threats.