Essential Linux Security Hardening: 12 Practical Commands to Protect Your System

This article walks through twelve essential Linux security techniques—including console access restrictions, password aging, sudo notifications, SSH hardening, Tripwire intrusion detection, firewalld and iptables firewall management, compiler restrictions, immutable files, SELinux reporting, and sealert usage—providing commands and configuration tips to fortify a system.

MaGe Linux Operations

In this article we discuss how to harden a Linux system using various security commands.

1. Console Security

Limit root login to specific terminals by editing the security file under /etc/ that lists allowed devices. It is recommended to allow root only on one console and require other users to use non‑root accounts, using su when root privileges are needed.

2. Password Lifecycle

Set password expiration to force regular changes, reducing risk if passwords are compromised. Two methods:

$ chage -M 20 likegeeks

This sets a 20‑day maximum password age for user likegeeks.

$ chage likegeeks

Running chage without options prompts for options interactively.

Alternatively, set defaults in /etc/login.defs:

PASS_MAX_DAYS 20
PASS_MIN_DAYS 0
PASS_WARN_AGE 5
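
The /etc/login.defs defaults are applied when an account is created, so accounts that already exist keep whatever maximum age is stored in /etc/shadow. The following added example (not part of the original article) lists accounts that still exceed a 20-day policy; the function names and the sample shadow entries are constructed for illustration.

```sh
#!/bin/sh
# Added example: list accounts whose shadow max-age exceeds the policy.
# Shadow fields: name:hash:lastchg:min:max:warn:inactive:expire:reserved

# Constructed sample in /etc/shadow format (hashes are placeholders).
sample_shadow() {
  cat <<'EOF'
root:$6$constructed$placeholder:19000:0:99999:7:::
likegeeks:$6$constructed$placeholder:19700:0:20:5:::
deploy:$6$constructed$placeholder:19650:0::7:::
daemon:*:18000:0:99999:7:::
olduser:!$6$constructed$placeholder:18500:0:90:7:::
EOF
}

# aging_violations LIMIT [FILE]: print "user max" for every account with a
# usable password whose maximum age is unset or greater than LIMIT days.
aging_violations() {
  awk -F: -v limit="$1" '
    $2 ~ /^[!*]/ { next }                 # locked or no password login
    {
      max = ($5 == "") ? "never" : $5     # empty field means no expiry
      if (max == "never" || max + 0 > limit + 0) print $1, max
    }
  ' "${2:--}"
}

sample_shadow | aging_violations 20
```

Run as root, `aging_violations 20 /etc/shadow` reports the live accounts; each one listed can then be brought into policy with chage -M as shown above.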

3. Sudo Notifications

Configure /etc/sudoers to send email notifications when sudo is used:

Defaults mailto="[email protected]"

Or change the mail status:

Defaults mail_always

4. SSH Hardening

Edit /etc/ssh/sshd_config to improve security. Change the default port, disable root login, disable password authentication, enable DNS checks, and configure keep‑alive settings.

Port 5555
PermitRootLogin no
PasswordAuthentication no
PermitEmptyPasswords no
UseDNS yes
GSSAPIAuthentication no
TCPKeepAlive yes
ClientAliveInterval 30
ClientAliveCountMax 5
AllowUsers user1 user2
AllowGroups group1 group2
# ServerAliveInterval 15 and ServerAliveCountMax 3 are client options: set them in ssh_config, not sshd_config
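
sshd uses the first value it reads for each keyword and matches keywords case-insensitively, so an earlier permissive line silently wins over a later hardened one. The following added example (not part of the original article) audits a config file for that case and for client-only keywords that sshd rejects; the function names and the sample file are constructed for illustration.

```sh
#!/bin/sh
# Added example: audit an sshd_config-style file against the settings above.

# Constructed sample config, deliberately containing mistakes.
sample_sshd_config() {
  cat <<'EOF'
# constructed sample, not a real host configuration
Port 5555
permitrootlogin yes
PermitRootLogin no
PasswordAuthentication no
ServerAliveInterval 15
Match User backup
    PermitEmptyPasswords no
EOF
}

# audit_sshd_config [FILE]: print one finding per line (reads stdin if no FILE).
audit_sshd_config() {
  awk '
    BEGIN {
      n = split("permitrootlogin passwordauthentication permitemptypasswords", keys, " ")
      for (i = 1; i <= n; i++) want[keys[i]] = "no"
      client["serveraliveinterval"] = 1   # ssh_config (client) keywords that
      client["serveralivecountmax"] = 1   # sshd rejects as bad options
    }
    /^[ \t]*#/ || /^[ \t]*$/ { next }     # skip comments and blank lines
    {
      sub(/=/, " ")                       # accept "Keyword=value" as well
      key = tolower($1); val = tolower($2)
      if (key == "match") exit            # only global settings are audited
      if (key in client) print "CLIENT-ONLY " $1 " (line " NR ")"
      if ((key in want) && !(key in seen)) { seen[key] = val; line[key] = NR }
    }
    END {
      for (i = 1; i <= n; i++) {
        k = keys[i]
        if (!(k in seen)) print "UNSET " k
        else if (seen[k] != want[k]) print "FAIL " k "=" seen[k] " (line " line[k] ")"
      }
    }
  ' "${1:--}"
}

sample_sshd_config | audit_sshd_config
```

On a live host, `sshd -t` validates the file's syntax before the service is restarted; this audit complements it by checking the effective values.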

Install and enable two‑factor authentication with Google Authenticator:

$ yum install google-authenticator
$ google-authenticator
# Add to /etc/pam.d/sshd:
auth required pam_google_authenticator.so
# Set in /etc/ssh/sshd_config:
ChallengeResponseAuthentication yes
$ systemctl restart sshd

5. Tripwire Intrusion Detection

Install Tripwire from EPEL, set up keys, and configure the policy file.

$ wget http://dl.fedoraproject.org/pub/epel/7/x86_64/e/epel-release-7-9.noarch.rpm
$ rpm -ivh epel-release-7-9.noarch.rpm
$ sudo yum install tripwire
$ tripwire-setup-keyfiles
# Policy file: /etc/tripwire/twpol.txt
$ tripwire --update-policy --secure-mode low /etc/tripwire/twpol.txt
$ tripwire --init
$ tripwire --check

6. Firewalld

Firewalld replaces iptables and allows dynamic rule changes without restarting the service.

$ firewall-cmd --state
$ firewall-cmd --get-zones
$ firewall-cmd --set-default-zone=
$ firewall-cmd --zone= --list-all
$ firewall-cmd --get-services
$ firewall-cmd --zone= --add-service=
$ firewall-cmd --zone= --remove-service=
$ firewall-cmd --zone= --list-ports
$ firewall-cmd --zone= --add-port=
$ firewall-cmd --zone= --remove-port=
$ firewall-cmd --zone= --add-forward-port=
$ firewall-cmd --zone= --remove-forward-port=

7. Reverting to iptables

If you prefer iptables, disable firewalld first, then install and start iptables services.

$ systemctl disable firewalld
$ systemctl stop firewalld
$ yum install iptables-services
$ touch /etc/sysconfig/iptables
$ touch /etc/sysconfig/ip6tables
$ systemctl start iptables
$ systemctl start ip6tables
$ systemctl enable iptables
$ systemctl enable ip6tables

8. Restricting Compilers

Limit access to compiler binaries by creating a dedicated group and adjusting ownership and permissions.

$ rpm -q --filesbypkg gcc | grep 'bin'
$ groupadd compilerGroup
$ chown root:compilerGroup /usr/bin/gcc
$ chmod 0750 /usr/bin/gcc

9. Immutable Files

Use chattr +i to make critical files immutable, preventing even root from modifying them.

$ chattr +i /myscript

Remove the attribute with chattr -i when needed.

$ chattr -i /myscript

10. Managing SELinux with aureport

Generate SELinux audit reports using aureport:

$ aureport --avc
$ aureport -x
$ aureport -au -i
$ aureport -au --summary -i --failed
$ aureport -au --summary -i --success

11. Using sealert

Install setools to get the sealert utility, which parses SELinux audit logs and provides human‑readable explanations.

$ yum install setools
$ sealert -a /var/log/audit/audit.log

These commands and configurations provide a practical checklist for strengthening Linux system security.
