Essential Linux Security Hardening: Accounts, Remote Access, Filesystem & Rootkit Defense
This comprehensive guide walks Linux administrators through critical security hardening steps—including account and login safeguards, remote access controls, filesystem protection, rootkit detection tools, and post‑attack response procedures—to dramatically reduce server vulnerabilities and maintain robust system integrity.
Account and Login Security
Account security is the first line of defense for any Linux system. Remove unnecessary default users and groups (e.g., adm, lp, sync, shutdown, halt, news, uucp, operator, games, gopher) to minimize attack surface.
Deletable users: adm, lp, sync, shutdown, halt, news, uucp, operator, games, gopher
Deletable groups: adm, lp, news, uucp, games, dip, pppusers, popusers, slipusers
Disable services that are not required for the server’s purpose; fewer running services mean fewer potential entry points.
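The account audit described above, as an added example that is not part of the original article: a small POSIX shell script that reads a passwd file, reports which of the article's removable default accounts are present and whether each still has an interactive login shell, and prints the corresponding userdel commands without running them. The passwd content at the bottom is a constructed sample; point the functions at /etc/passwd (or a copy) on a real host.

```shell
#!/bin/sh
# Added example (not from the original article): audit a passwd file for the
# default accounts the article lists as removable and report which still have a
# usable login shell. The file path is an argument so the check can run against
# a copy or a constructed sample; it defaults to /etc/passwd.

# Accounts the article names as deletable on a typical server.
REMOVABLE_USERS="adm lp sync shutdown halt news uucp operator games gopher"

# Print "<user> <shell> <status>" for each removable account present in the
# file. Status is NOLOGIN for the usual non-interactive shells, LOGIN otherwise.
audit_default_accounts() {
    passwd_file="${1:-/etc/passwd}"
    for user in $REMOVABLE_USERS; do
        # passwd fields: name:pw:uid:gid:gecos:home:shell
        shell=$(awk -F: -v u="$user" '$1 == u { print $7 }' "$passwd_file")
        [ -z "$shell" ] && continue
        case "$shell" in
            */nologin|*/false|*/sync|*/halt|*/shutdown) status=NOLOGIN ;;
            *) status=LOGIN ;;
        esac
        echo "$user $shell $status"
    done
}

# Number of removable accounts that still allow an interactive login; a
# hardened server should report 0.
count_login_capable() {
    audit_default_accounts "$1" | grep -c ' LOGIN$' || true
}

# Print the removal commands the article recommends, without running them.
suggest_removal() {
    audit_default_accounts "$1" | awk '{ print "userdel " $1 }'
}

# Constructed sample passwd file (not real system data) for a stand-alone run.
SAMPLE_PASSWD="${TMPDIR:-/tmp}/passwd.sample.$$"
trap 'rm -f "$SAMPLE_PASSWD"' EXIT
cat > "$SAMPLE_PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/bash
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
games:x:12:100:games:/usr/games:/bin/bash
www:x:500:500:web service:/var/www:/sbin/nologin
EOF

echo "Removable default accounts present:"
audit_default_accounts "$SAMPLE_PASSWD"
echo "Still login-capable: $(count_login_capable "$SAMPLE_PASSWD")"
echo "Suggested removals:"
suggest_removal "$SAMPLE_PASSWD"
```

In the sample, six of the ten listed accounts exist and only games has an interactive shell, so the script reports one login-capable account; reviewing the output before running the printed userdel lines is the point of separating the audit from the removal.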
Remote Access and Authentication Security
Replace insecure telnet with SSH for remote logins. Use the history command or examine .bash_history to audit user actions, and protect this file from tampering.
Enable TCP Wrappers and an iptables firewall to filter network traffic and restrict service exposure.
Filesystem Security
Lock critical files using chattr (e.g., the +i immutable flag), while recognizing that root directories (/, /dev, /tmp, /var) cannot be locked.
Check and correct improper permissions. Examples to locate insecure files (the -o alternatives are grouped in \( \) so that the -type test applies to both of them):
# world- or group-writable regular files
find / -type f \( -perm -2 -o -perm -20 \) | xargs ls -al
# world- or group-writable directories
find / -type d \( -perm -2 -o -perm -20 \) | xargs ls -ld
# set-UID or set-GID regular files
find / -type f \( -perm -4000 -o -perm -2000 \) -print | xargs ls -al
# root-owned set-GID files, with a checksum of each for later comparison
find / -user root -perm -2000 -print -exec md5sum {} \;
Secure temporary directories (/tmp, /var/tmp, /dev/shm) by mounting them with the nosuid,noexec,nodev options or using separate partitions.
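The permission scan and the temporary-directory mount check from this section, as an added example that is not from the original article. The find calls follow the article's commands but take a start path as an argument; the mount check parses a /proc/mounts style file and reports which of nosuid, noexec and nodev are missing on /tmp, /var/tmp and /dev/shm. The directory tree and mounts file built at the bottom are constructed samples so the script runs stand-alone; on a real host pass / and /proc/mounts.

```shell
#!/bin/sh
# Added example (not from the original article): the two filesystem checks from
# this section as functions that take a path argument, so they can be exercised
# on a constructed sample tree and a sample mounts file rather than on /.

# --- 1. Insecure permissions, after the article's find commands. -----------
# The -o alternatives are grouped so that -type applies to both of them.
find_writable_files() {   # world- or group-writable regular files
    find "$1" -type f \( -perm -2 -o -perm -20 \) -print
}
find_writable_dirs() {    # world- or group-writable directories
    find "$1" -type d \( -perm -2 -o -perm -20 \) -print
}
find_setid_files() {      # set-UID or set-GID regular files
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) -print
}

# --- 2. Mount options on temporary directories. ----------------------------
# Reads a /proc/mounts style file (device mountpoint fstype options ...) and
# reports, for each temp directory, whether nosuid, noexec and nodev are set.
check_tmp_mount_opts() {
    mounts_file="${1:-/proc/mounts}"
    for mp in /tmp /var/tmp /dev/shm; do
        opts=$(awk -v m="$mp" '$2 == m { print $4 }' "$mounts_file")
        if [ -z "$opts" ]; then
            echo "$mp NOT_SEPARATE_MOUNT"   # inherits the parent filesystem's options
            continue
        fi
        missing=""
        for want in nosuid noexec nodev; do
            case ",$opts," in
                *,"$want",*) ;;
                *) missing="$missing $want" ;;
            esac
        done
        if [ -z "$missing" ]; then echo "$mp OK"; else echo "$mp MISSING$missing"; fi
    done
}

# --- Constructed sample data for a stand-alone run (not real system state). --
SAMPLE_ROOT="${TMPDIR:-/tmp}/fs-audit.$$"
SAMPLE_MOUNTS="$SAMPLE_ROOT.mounts"
trap 'rm -rf "$SAMPLE_ROOT" "$SAMPLE_MOUNTS"' EXIT
mkdir -p "$SAMPLE_ROOT/bin" "$SAMPLE_ROOT/open.d"
chmod 755 "$SAMPLE_ROOT" "$SAMPLE_ROOT/bin"
chmod 777 "$SAMPLE_ROOT/open.d"                 # world-writable directory
echo data > "$SAMPLE_ROOT/world.txt"; chmod 666 "$SAMPLE_ROOT/world.txt"
echo bin  > "$SAMPLE_ROOT/bin/normal"; chmod 755 "$SAMPLE_ROOT/bin/normal"
echo bin  > "$SAMPLE_ROOT/bin/suid";   chmod 4755 "$SAMPLE_ROOT/bin/suid"
echo bin  > "$SAMPLE_ROOT/bin/sgid";   chmod 2755 "$SAMPLE_ROOT/bin/sgid"
cat > "$SAMPLE_MOUNTS" <<'EOF'
/dev/sda1 / ext4 rw,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,noexec,relatime 0 0
/dev/sda3 /var/tmp ext4 rw,relatime,nodev 0 0
tmpfs /dev/shm tmpfs rw,nosuid,nodev 0 0
EOF

echo "Writable files:";  find_writable_files "$SAMPLE_ROOT"
echo "Writable dirs:";   find_writable_dirs "$SAMPLE_ROOT"
echo "Set-ID files:";    find_setid_files "$SAMPLE_ROOT"
echo "Temp mounts:";     check_tmp_mount_opts "$SAMPLE_MOUNTS"
```

Against the sample the scan lists world.txt, open.d and the two set-ID binaries, and the mount check reports /tmp as OK, /var/tmp as missing nosuid and noexec, and /dev/shm as missing noexec. The NOT_SEPARATE_MOUNT result is the case the article's "separate partitions" advice addresses: a temp directory on the root filesystem cannot carry its own nosuid,noexec,nodev options.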
Linux Backdoor Intrusion Detection Tools
Rootkits are common Linux backdoors that replace system binaries. Detect them with tools such as Chkrootkit and RKHunter.
Chkrootkit usage example:
# /usr/local/chkrootkit/chkrootkit
Sample output flags infected binaries (e.g., ifconfig, ls, login, netstat, ps, top).
RKHunter performs MD5 checks, scans for suspicious binaries, hidden files, and abnormal kernel modules. Run it manually or schedule it via cron (the second line is an /etc/crontab entry that runs the check daily at 09:30):
# /usr/local/bin/rkhunter --check --skip-keypress
30 09 * * * root /usr/local/bin/rkhunter --check --cronjob
Server Attack Handling Process
When a server is compromised, follow these steps:
Disconnect the network to stop ongoing attacks.
Identify the attack source by reviewing logs ( /var/log/messages, /var/log/secure) and user history.
Analyze the intrusion vector (vulnerabilities, exploited services).
Backup user data securely.
Reinstall the operating system to ensure a clean environment.
Patch vulnerabilities and apply security hardening measures.
Restore data and bring the network back online.
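Step 2 of the procedure above (identifying the attack source from the logs), as an added example that is not part of the original article. The script summarises sshd entries from a /var/log/secure style file: failed logins per source address, sources that crossed a failure threshold, successful logins, and the intersection of the two, which is the strongest sign in these logs that a brute-forced account was actually used. The log lines at the bottom are constructed samples in the sshd message format; the function names and the default threshold of 5 are choices made for this example.

```shell
#!/bin/sh
# Added example (not from the original article): step 2 of the response
# procedure, identifying the attack source from sshd entries in a
# /var/log/secure style file. The functions take the log path as an argument;
# the log lines used below are constructed samples, not real data.

# "<failures> <source-ip>" per source address, most frequent first.
failed_logins_by_source() {
    grep 'sshd\[[0-9]*\]: Failed password' "$1" \
        | sed -n 's/.* from \([0-9.]*\) port .*/\1/p' \
        | sort | uniq -c | sort -rn \
        | awk '{ print $1, $2 }'
}

# Source addresses with at least N failed attempts (default 5).
sources_over_threshold() {
    failed_logins_by_source "$1" | awk -v n="${2:-5}" '$1 >= n { print $2 }'
}

# "<source-ip> <user> <method>" for every successful login.
accepted_logins() {
    grep 'sshd\[[0-9]*\]: Accepted' "$1" \
        | sed -n 's/.*Accepted \([a-z]*\) for \([^ ]*\) from \([0-9.]*\) port.*/\3 \2 \1/p'
}

# Sources that crossed the failure threshold and then logged in successfully.
# The accounts listed here are the first to lock while the network is down.
suspect_logins() {
    sources_over_threshold "$1" "$2" | while read -r ip; do
        accepted_logins "$1" | awk -v ip="$ip" '$1 == ip { print ip, $2, $3 }'
    done
}

# Constructed sample log (documentation-range addresses, invented host/PIDs).
SAMPLE_LOG="${TMPDIR:-/tmp}/secure.sample.$$"
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
Mar  3 10:01:12 web1 sshd[2101]: Failed password for root from 203.0.113.45 port 51234 ssh2
Mar  3 10:01:15 web1 sshd[2101]: Failed password for root from 203.0.113.45 port 51234 ssh2
Mar  3 10:01:18 web1 sshd[2103]: Failed password for invalid user admin from 203.0.113.45 port 51240 ssh2
Mar  3 10:01:20 web1 sshd[2105]: Failed password for invalid user oracle from 203.0.113.45 port 51244 ssh2
Mar  3 10:01:25 web1 sshd[2107]: Failed password for root from 203.0.113.45 port 51250 ssh2
Mar  3 10:02:01 web1 sshd[2110]: Failed password for deploy from 198.51.100.7 port 40022 ssh2
Mar  3 10:02:30 web1 sshd[2112]: Accepted publickey for deploy from 198.51.100.7 port 40030 ssh2
Mar  3 10:03:05 web1 sshd[2120]: Accepted password for root from 203.0.113.45 port 51300 ssh2
Mar  3 10:05:40 web1 sshd[2120]: pam_unix(sshd:session): session opened for user root by (uid=0)
EOF

echo "Failed logins by source:";   failed_logins_by_source "$SAMPLE_LOG"
echo "Sources over threshold:";    sources_over_threshold "$SAMPLE_LOG"
echo "Accepted logins:";           accepted_logins "$SAMPLE_LOG"
echo "Brute-forced then accepted:"; suspect_logins "$SAMPLE_LOG"
```

On the sample the source 203.0.113.45 fails five times and then succeeds as root with a password, while the single failure from 198.51.100.7 is followed by a key-based login for deploy, so only the first pair is reported as suspect. Run the same functions over the rotated copies of the log as well, since an intrusion found today often started before the current file.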
Additional remediation includes locking suspicious accounts, terminating malicious processes (using pidof and inspecting /proc/<pid>/exe), and verifying file integrity with package managers (e.g., rpm -Va).
Finally, after restoration, re‑apply the hardening steps outlined above to maintain a secure Linux server.
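The file-integrity idea that underlies both RKHunter's MD5 checks (in the detection section) and the rpm -Va verification mentioned under remediation, as an added example that is not from the original article: a hash baseline is recorded while the system is known-good, and a later run reports binaries that were modified, removed or added. It assumes GNU coreutils sha256sum and paths without spaces; the directory of fake "binaries" and the tampering applied to it at the bottom are constructed for the stand-alone run.

```shell
#!/bin/sh
# Added example (not from the original article): the file-hash comparison
# behind RKHunter's binary checks and rpm -Va, as a minimal baseline-and-verify
# pair. A SHA-256 baseline is recorded while the system is known-good; a later
# run reports files whose hash changed (replaced), that vanished, or that
# appeared. Assumes GNU coreutils sha256sum. Paths containing spaces are not
# handled, to keep the awk field comparison simple.

# Write "<sha256>  <path>" for every regular file under DIR ($1) to BASELINE ($2).
make_baseline() {
    find "$1" -type f -print | LC_ALL=C sort | while read -r f; do
        sha256sum "$f"
    done > "$2"
}

# Compare DIR's current hashes against BASELINE and print one sorted line per
# difference: ADDED, MISSING or MODIFIED followed by the path.
verify_baseline() {
    dir="$1"; baseline="$2"
    current="${TMPDIR:-/tmp}/verify.$$"
    make_baseline "$dir" "$current"
    # awk reads the baseline first (NR == FNR), then the current listing.
    awk 'NR == FNR { base[$2] = $1; next }
         {
             seen[$2] = 1
             if (!($2 in base)) { print "ADDED " $2 } else if (base[$2] != $1) { print "MODIFIED " $2 }
         }
         END { for (p in base) if (!(p in seen)) print "MISSING " p }' \
        "$baseline" "$current" | LC_ALL=C sort
    rm -f "$current"
}

# Constructed sample: a directory of placeholder "binaries" (not real programs).
SAMPLE_BIN="${TMPDIR:-/tmp}/bin-sample.$$"
SAMPLE_BASELINE="$SAMPLE_BIN.sha256"
trap 'rm -rf "$SAMPLE_BIN" "$SAMPLE_BASELINE"' EXIT
mkdir -p "$SAMPLE_BIN"
for name in ls ps netstat ifconfig; do
    echo "original $name binary" > "$SAMPLE_BIN/$name"
done
make_baseline "$SAMPLE_BIN" "$SAMPLE_BASELINE"   # taken while known-good

# Simulated tampering for the demonstration: ps replaced, an unexpected file
# added, netstat deleted.
echo "replaced ps" > "$SAMPLE_BIN/ps"
echo "unexpected file" > "$SAMPLE_BIN/extra"
rm -f "$SAMPLE_BIN/netstat"

echo "Integrity check against baseline:"
verify_baseline "$SAMPLE_BIN" "$SAMPLE_BASELINE"
```

The check reports ADDED extra, MISSING netstat and MODIFIED ps. Two points carry over to real use: the baseline must be stored where a compromised host cannot rewrite it (read-only media or another machine), and the comparison is only as trustworthy as the sha256sum and awk binaries running it, which is why the article pairs hash checks with a reinstall from clean media rather than relying on them alone. A script wrapping verify_baseline can be scheduled with a crontab entry like the rkhunter one above.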