Essential Linux Security Hardening: Account, Service, and Rootkit Defense
This guide walks operations engineers through comprehensive Linux hardening techniques: account and login protection, unnecessary service removal, password and key authentication policies, proper use of sudo, system welcome message sanitization, file-system safeguards, and practical rootkit detection with chkrootkit and RKHunter, plus a step-by-step response plan for compromised servers.
Account and Login Security
Account security is the first line of defense for any Linux system. Remove unnecessary default users and groups (e.g., adm, lp, sync, shutdown, halt, news, uucp, operator, games, gopher) and delete corresponding groups (adm, lp, news, uucp, games, dip, pppusers, popusers, slipusers). Disable services that are not required for the server’s purpose to reduce attack surface.
For example, on a web server only the httpd service and essential system services should remain; services such as anacron, auditd, autofs, avahi-daemon, bluetooth, cpuspeed, firstboot, gpm, haldaemon, ip6tables, ipsec, isdn, lpd, mcstrans, messagebus, netfs, nfs, nscd, pcscd, portmap, readahead_early, rpcgssd, rpcidmapd, rstatd, sendmail, setroubleshoot, yppasswdd, ypserv can be disabled.
Use strong password policies (minimum six characters, including numbers, letters, underscores, and special symbols) or, preferably, switch to key-based SSH authentication to avoid brute-force attacks. Tools like SecureCRT, PuTTY, or Xshell can be configured for key authentication.
Replace the insecure su command with sudo to grant limited privileges without exposing the root password. Configure /etc/sudoers to allow specific commands for specific users.
Remove or modify login banner files (/etc/issue, /etc/issue.net, /etc/redhat-release, /etc/motd) to prevent leaking OS version information. For an SSH pre-login banner, add Banner /etc/issue.net to /etc/ssh/sshd_config only if one is actually needed.
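The account and banner checks above can be scripted. The following is an added example, not code from the original guide: it reports which of the default accounts listed above are still present in a passwd file, and flags banner files that expose OS or kernel details through agetty escapes (\r, \m, \s, \S, \v) or the words "release"/"kernel". The file paths are parameters and the sample files it builds are constructed; on a real host you would pass /etc/passwd and /etc/issue.

```shell
#!/bin/sh
# Added example (not from the original guide). Audits a passwd file for the
# default accounts the guide says to remove, and checks login banners for
# system-information leaks. Paths are parameters so the demo at the bottom
# runs on constructed sample files, never on the live system.

REMOVABLE_USERS="adm lp sync shutdown halt news uucp operator games gopher"

# Print "present: <user>" for each removable account found in passwd_file.
# Returns 0 if none are present, 1 if at least one is.
audit_default_accounts() {
    passwd_file="$1"
    found=0
    for u in $REMOVABLE_USERS; do
        if grep -q "^$u:" "$passwd_file"; then
            echo "present: $u"
            found=1
        fi
    done
    return $found
}

# Returns 0 for a clean (or absent) banner, 1 if it contains agetty escapes
# that expand to the OS release (\r), machine (\m), system/distro name (\s, \S)
# or OS version (\v), or the words "release"/"kernel".
banner_is_clean() {
    banner_file="$1"
    [ -f "$banner_file" ] || return 0
    if grep -Eq '\\[rmsSv]|[Rr]elease|[Kk]ernel' "$banner_file"; then
        return 1
    fi
    return 0
}

# Build constructed sample files in dir: a passwd with one removable account,
# a stock-style /etc/issue that prints distro and kernel release, and a
# neutral issue.net.
make_samples() {
    dir="$1"
    printf 'root:x:0:0:root:/root:/bin/bash\n'                >  "$dir/passwd"
    printf 'bin:x:1:1:bin:/bin:/sbin/nologin\n'               >> "$dir/passwd"
    printf 'lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin\n'       >> "$dir/passwd"
    printf '\\S\nKernel \\r on an \\m\n'                       >  "$dir/issue"
    printf 'Authorized use only. Activity is monitored.\n'    >  "$dir/issue.net"
}

# Demo on the constructed samples.
SAMPLE_DIR=$(mktemp -d)
make_samples "$SAMPLE_DIR"
audit_default_accounts "$SAMPLE_DIR/passwd" || echo "remove the accounts listed above with userdel"
banner_is_clean "$SAMPLE_DIR/issue"     || echo "issue leaks system details; replace it with a neutral notice"
banner_is_clean "$SAMPLE_DIR/issue.net" && echo "issue.net is clean"
rm -rf "$SAMPLE_DIR"
```

Run the two functions against /etc/passwd and each banner file from a hardening checklist; a non-zero return from either is a finding to act on.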
Remote Access and Authentication Security
Replace insecure Telnet with SSH for all remote logins. Preserve shell command history in .bash_history for audit purposes, and back up this file to protect against tampering.
Enable tcp_wrappers (or iptables) as an additional firewall layer to control access to services.
File System Security
Lock critical files using chattr (immutable or append-only) where appropriate, but avoid locking essential directories such as /, /dev, /tmp, /var, as this can break the system.
Regularly audit file permissions and ownership. Find world-writable (mode bit 0002) and group-writable (0020) files and directories. The parentheses are required because find's -o binds more loosely than the implied -a, so without them -type f would apply only to the first -perm test; -print0 with xargs -0 handles names containing spaces:
find / -type f \( -perm -0002 -o -perm -0020 \) -print0 | xargs -0 ls -al
find / -type d \( -perm -0002 -o -perm -0020 \) -print0 | xargs -0 ls -ld
Locate set-uid/set-gid binaries (again grouping the two -perm tests so that -type f applies to both):
find / -type f \( -perm -4000 -o -perm -2000 \) -print0 | xargs -0 ls -al
Identify suid/sgid files owned by root:
find / -user root -perm -2000 -print -exec md5sum {} \;
find / -user root -perm -4000 -print -exec md5sum {} \;
Detect files without owners:
find / -nouser -o -nogroup
Secure temporary directories (/tmp, /var/tmp, /dev/shm) by mounting them with nosuid,noexec,nodev options in /etc/fstab or using loopback filesystems.
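The fstab advice above is easy to get partly right (for example nosuid without noexec). The following added example, which is not code from the original guide, walks an fstab-style file, reports which of /tmp, /var/tmp and /dev/shm lack any of the three options, prints a corrected entry, and notes temp directories that have no dedicated entry at all (they then inherit the options of the parent filesystem). The file path is a parameter and the sample fstab is constructed; on a real host pass /etc/fstab and compare with the live state from findmnt.

```shell
#!/bin/sh
# Added example (not from the original guide). Checks an fstab-style file for
# the temporary filesystems the guide says to mount with nosuid,noexec,nodev,
# reports missing options and prints a corrected entry. The path is a
# parameter so the demo runs on a constructed sample; on a real host pass
# /etc/fstab (and compare against "findmnt -o TARGET,OPTIONS" for live state).

TMP_MOUNTS="/tmp /var/tmp /dev/shm"
REQUIRED_OPTS="nosuid noexec nodev"

# Print the required options absent from a comma-separated option string,
# comma-separated, or nothing if all are present.
missing_opts() {
    opts="$1"
    miss=""
    for o in $REQUIRED_OPTS; do
        case ",$opts," in
            *",$o,"*) ;;
            *) miss="${miss:+$miss,}$o" ;;
        esac
    done
    printf '%s' "$miss"
}

# Walk the fstab file. For each temp mount lacking options print
# "<mountpoint> missing: <opts>" plus a suggested corrected line; temp
# directories with no entry at all are noted because they then inherit the
# options of the parent filesystem. Returns 1 if any entry needs fixing.
check_fstab() {
    fstab="$1"
    rc=0
    seen=""
    # fstab fields: device mountpoint fstype options dump pass
    while read -r dev mnt fstype opts rest; do
        case "$dev" in ''|'#'*) continue ;; esac
        for t in $TMP_MOUNTS; do
            [ "$mnt" = "$t" ] || continue
            seen="$seen $mnt"
            miss=$(missing_opts "$opts")
            if [ -n "$miss" ]; then
                echo "$mnt missing: $miss"
                echo "  suggested: $dev $mnt $fstype $opts,$miss $rest"
                rc=1
            fi
        done
    done < "$fstab"
    for t in $TMP_MOUNTS; do
        case " $seen " in
            *" $t "*) ;;
            *) echo "$t: no dedicated entry, inherits the parent filesystem's options" ;;
        esac
    done
    return $rc
}

# Constructed sample: /tmp lacks noexec,nodev; /dev/shm is correct; /var/tmp is absent.
make_sample_fstab() {
    cat > "$1" <<'EOF'
# constructed sample, not a real /etc/fstab
/dev/sda1  /         ext4   defaults              1 1
/dev/sda2  /tmp      ext4   defaults,nosuid       1 2
tmpfs      /dev/shm  tmpfs  nosuid,noexec,nodev   0 0
EOF
}

SAMPLE=$(mktemp)
make_sample_fstab "$SAMPLE"
check_fstab "$SAMPLE" || echo "fix the entries above, then apply with: mount -o remount /tmp"
rm -f "$SAMPLE"
```

After editing /etc/fstab, remount each temp filesystem and confirm the options took effect with findmnt before relying on them.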
Linux Backdoor Detection Tools
Rootkits are stealthy malware that replace system binaries (e.g., login, ls, ps, ifconfig, netstat) or modify the kernel. Detect them with tools such as chkrootkit and RKHunter.
Example chkrootkit output (infected binaries):
[root@server chkrootkit]# /usr/local/chkrootkit/chkrootkit
Checking 'ifconfig'... INFECTED
Checking 'ls'... INFECTED
Checking 'login'... INFECTED
Checking 'netstat'... INFECTED
Checking 'ps'... INFECTED
Checking 'top'... INFECTED
Use chkrootkit with trusted system binaries or run it from a clean rescue environment to avoid false negatives.
RKHunter performs MD5 checks, scans for hidden files, suspicious kernel modules, and open ports. Run it non-interactively:
/usr/local/bin/rkhunter --check --skip-keypress
Schedule a daily check via cron; the line below uses the system crontab format (a user field after the five time fields), as in /etc/crontab or a file under /etc/cron.d:
30 09 * * * root /usr/local/bin/rkhunter --check --cronjob
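Both tools ultimately rely on comparing binaries against a trusted reference, which is also what the md5sum listings of set-uid root files earlier in this guide and rpm -Va provide. The following added example, which is not part of chkrootkit, RKHunter or the original guide, shows that idea in its simplest form: record SHA-256 hashes of the binaries rootkits commonly replace while the host is known-good, then verify against that record later. The directory and baseline paths are parameters and the "binaries" in the demo are constructed text files.

```shell
#!/bin/sh
# Added example, not part of chkrootkit or rkhunter. A minimal hash baseline
# for the binaries rootkits commonly replace, the same idea behind rkhunter's
# hash checks and "rpm -Va". Take the baseline while the host is known-good
# and keep it off-host or on read-only media: a baseline stored on the host
# can be rewritten by the same intruder who replaced the binaries. Directory
# and baseline paths are parameters so the demo runs on constructed files.

TRACKED="login ls ps ifconfig netstat top"

# Write "<sha256>  <path>" for every tracked file found under dir.
make_baseline() {
    dir="$1"; baseline="$2"
    : > "$baseline"
    for b in $TRACKED; do
        if [ -f "$dir/$b" ]; then
            sha256sum "$dir/$b" >> "$baseline"
        fi
    done
}

# Return 0 if every hash still matches, non-zero if any file changed or vanished.
verify_baseline() {
    sha256sum -c "$1" >/dev/null 2>&1
}

# Print just the paths whose hash no longer matches (or cannot be read), one per line.
changed_files() {
    sha256sum -c "$1" 2>/dev/null | sed -n 's/: FAILED.*$//p'
}

# Constructed stand-ins for system binaries (plain text files, not real tools).
make_samples() {
    dir="$1"
    mkdir -p "$dir"
    for b in $TRACKED; do
        printf 'known-good contents of %s\n' "$b" > "$dir/$b"
    done
}

# Demo: take a baseline, then simulate a replaced ls and detect it.
WORK=$(mktemp -d)
make_samples "$WORK/bin"
make_baseline "$WORK/bin" "$WORK/baseline"
verify_baseline "$WORK/baseline" && echo "baseline verified"
printf 'trojaned\n' >> "$WORK/bin/ls"          # simulated tampering
verify_baseline "$WORK/baseline" || echo "changed: $(changed_files "$WORK/baseline")"
rm -rf "$WORK"
```

On a real host the directory would be /bin or /usr/bin and the baseline would be taken immediately after installation, before the machine is exposed to the network; a hash mismatch is a signal to investigate, and as the guide notes a rebuilt system is the only reliable remedy once a rootkit is confirmed.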
Server Attack Response Process
When a server is compromised, follow these steps:
1. Disconnect the network to stop ongoing attacks.
2. Identify the attack source by reviewing logs (/var/log/messages, /var/log/secure) and examining open ports and processes.
3. Analyze the intrusion vector and patch the underlying vulnerability.
4. Back up user data securely, ensuring no malicious files are retained.
5. Reinstall the operating system to guarantee removal of hidden rootkits.
6. Apply all security patches and re-configure hardening measures.
7. Restore data and bring the server back online.
Additional actions include locking suspicious user accounts, inspecting process executables via pidof and /proc/<pid>/exe, and verifying file integrity with rpm -Va.
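The pidof and /proc/<pid>/exe check is worth automating, because the exe link answers the question investigators care about most: what is this process really running? The following added example, not code from the original guide, separates a small classifier that works on the link target string (so it can be tried on constructed paths) from the live /proc lookup and a pidof wrapper. The three conditions it flags are the target marked "(deleted)", a target under a temp directory, and a hidden path component; the function names and verdict strings are this example's own.

```shell
#!/bin/sh
# Added example, not from the original guide. Triage helper for the response
# steps above: classify what /proc/<pid>/exe points to. The classifier works
# on the path string so it can be exercised on constructed inputs; the /proc
# lookup and the pidof wrapper use it on a live Linux host.

# Print a verdict for an exe symlink target; return 1 when it warrants a
# closer look, 0 otherwise.
classify_exe_path() {
    target="$1"
    case "$target" in
        '')
            echo "unresolved: kernel thread, exited, or not visible to this user"; return 0 ;;
        *' (deleted)')
            echo "suspicious: running binary was deleted from disk"; return 1 ;;
        /tmp/*|/var/tmp/*|/dev/shm/*)
            echo "suspicious: executing from a world-writable temp directory"; return 1 ;;
        */.*)
            echo "suspicious: hidden path component"; return 1 ;;
        *)
            echo "ok"; return 0 ;;
    esac
}

# Resolve and classify one pid: prints "<pid> <target> <verdict>".
inspect_pid() {
    pid="$1"
    target=$(readlink "/proc/$pid/exe" 2>/dev/null || true)
    verdict=$(classify_exe_path "$target") || true
    echo "$pid ${target:-?} $verdict"
}

# Inspect every process with the given name, e.g. inspect_by_name sshd
inspect_by_name() {
    for p in $(pidof "$1" 2>/dev/null); do
        inspect_pid "$p"
    done
}

# Demo on this shell's own pid (real /proc lookup) and on constructed paths.
inspect_pid $$
for sample in /usr/sbin/sshd '/dev/shm/.x' '/usr/bin/ls (deleted)'; do
    printf '%-28s %s\n' "$sample" "$(classify_exe_path "$sample" || true)"
done
```

Run inspect_by_name for the daemons a compromised host should legitimately be running, and loop inspect_pid over /proc/[0-9]* to cover everything else; a "suspicious" verdict is a lead for step 2 of the process above, not proof on its own, since the path check does not replace comparing the binary against package data with rpm -Va.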
Conclusion
By implementing strict account policies, disabling unnecessary services, securing authentication methods, hardening the file system, and regularly scanning for rootkits, operations teams can significantly reduce the risk of Linux server compromise and respond effectively if an incident occurs.
21CTO
21CTO (21CTO.com) offers developers community, training, and services, making it your go-to learning and service platform.