Essential Linux Security Hardening Checklist for System Administrators
This guide provides system administrators with a step‑by‑step checklist to audit and harden Linux operating systems, covering account management, password policies, service restrictions, filesystem permissions, logging configuration, and practical command examples for comprehensive security compliance.
1. Accounts and Passwords
1.1 Disable or delete unused accounts
Remove unnecessary accounts to reduce attack surface.
Delete an account: userdel <username>
Lock an account: passwd -l <username>
Unlock an account: passwd -u <username>
1.2 Check special accounts
Identify empty passwords and accounts with UID 0.
List accounts with empty passwords: awk -F: '($2=="")' /etc/shadow
List accounts with UID 0: awk -F: '($3==0)' /etc/passwd
Set passwords for empty‑password accounts: passwd <username>
Ensure only root has UID 0.
1.3 Add password policy
Enforce password complexity and aging.
Edit /etc/login.defs and set:
PASS_MAX_DAYS 90
PASS_MIN_DAYS 0
PASS_WARN_AGE 7
Use chage for per‑user settings, e.g.: chage -m 0 -M 30 -E 2000-01-01 -W 7 <username>
Lock account after three failed attempts for five minutes by editing /etc/pam.d/common-auth and adding:
auth required pam_tally.so onerr=fail deny=3 unlock_time=300
1.4 Restrict su usage
Limit which users may su to root.
Edit /etc/pam.d/su and add, for example, auth required pam_wheel.so group=test to allow only the test group.
1.5 Disable direct root login
Prevent root from logging in via SSH.
Create a regular user with a password.
Edit /etc/ssh/sshd_config, set PermitRootLogin no, then restart the service:
service sshd restart
2. Services
2.1 Disable unnecessary services
Stop services that are not required, e.g., generic or xinetd services.
Use systemctl disable <service> to prevent start‑up. On older systems (CentOS 6) use chkconfig --level <runlevel> <service> off.
2.2 Harden SSH service
Edit /etc/ssh/sshd_config and apply the following settings:
Set PermitRootLogin no to block root login.
Set Protocol 2 to enforce SSH version 2.
Set MaxAuthTries 3 to limit password attempts.
Restart SSH after changes to apply.
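A way to verify the settings from sections 1.2, 1.3 and 2.2 after applying them (an added example, not part of the original article). The function names and the sample files are constructed for illustration; the sshd_config reader relies on sshd using the first occurrence of a keyword, so a "no" appended below an existing "yes" does not take effect.

```sh
#!/bin/sh
# Added example: audit checklist values against copies of the config files.
# All function names are hypothetical; the sample files are constructed.

# Accounts with an empty password field in a shadow-format file (section 1.2).
empty_password_accounts() { awk -F: '($2=="") {print $1}' "$1"; }

# Accounts other than root that have UID 0 in a passwd-format file (section 1.2).
extra_uid0_accounts() { awk -F: '($3==0 && $1!="root") {print $1}' "$1"; }

# Global value of an sshd_config keyword: keywords are case-insensitive,
# the first occurrence wins, and reading stops at the first Match block.
sshd_value() {
    awk -v key="$2" 'tolower($1)=="match" {exit}
        tolower($1)==tolower(key) {print tolower($2); exit}' "$1"
}

# Value of a login.defs key (section 1.3); assumes the key appears once.
login_defs_value() { awk -v key="$2" '$1==key {print $2; exit}' "$1"; }

# Print one FAIL line per deviation from the checklist; return the count.
audit() {  # audit <passwd> <shadow> <login.defs> <sshd_config>
    fails=0
    fail() { echo "FAIL: $1"; fails=$((fails + 1)); }
    for u in $(empty_password_accounts "$2"); do fail "empty password: $u"; done
    for u in $(extra_uid0_accounts "$1"); do fail "UID 0 besides root: $u"; done
    [ "$(login_defs_value "$3" PASS_MAX_DAYS)" = 90 ] || fail "PASS_MAX_DAYS is not 90"
    [ "$(sshd_value "$4" PermitRootLogin)" = no ] || fail "PermitRootLogin is not no"
    [ "$(sshd_value "$4" MaxAuthTries)" = 3 ] || fail "MaxAuthTries is not 3"
    return "$fails"
}

make_sample() {  # constructed sample files, written into directory $1
    printf '%s\n' 'root:x:0:0::/root:/bin/bash' 'toor:x:0:0::/root:/bin/sh' \
        'alice:x:1000:1000::/home/alice:/bin/bash' > "$1/passwd"
    printf '%s\n' 'root:!:19000::::::' 'toor:!:19000::::::' \
        'alice::19000::::::' > "$1/shadow"
    printf '%s\n' 'PASS_MAX_DAYS 99999' 'PASS_MIN_DAYS 0' > "$1/login.defs"
    printf '%s\n' '#PermitRootLogin no' 'permitrootlogin yes' \
        'PermitRootLogin no' 'MaxAuthTries 3' > "$1/sshd_config"
}

d=$(mktemp -d)
make_sample "$d"
audit "$d/passwd" "$d/shadow" "$d/login.defs" "$d/sshd_config" \
    || echo "$? finding(s)"
rm -rf "$d"
```

On a live host, point audit at /etc/passwd, /etc/shadow, /etc/login.defs and /etc/ssh/sshd_config as root; sshd -T prints the configuration sshd actually resolves and is the authoritative check for the SSH items.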
3. Filesystem
3.1 Set default umask
Configure default file permissions by adding umask 027 to /etc/profile. With this mask, new files and directories get at most read/write/execute for the owner and read/execute for the group, and no access for others.
3.2 Set login timeout
Define an automatic logout after inactivity.
Edit /etc/profile and change the line starting with TMOUT= to TMOUT=180 (seconds), then source the file.
4. Logging
4.1 Enable syslogd logs
Typical log files on Linux include:
/var/log/messages (system log)
/var/log/cron (cron jobs)
/var/log/secure (security events)
Some distributions use syslog‑ng with configuration at /etc/syslog-ng/syslog-ng.conf.
4.2 Record all user actions
Append the following script to /etc/profile to capture each user's commands, IP, and timestamp in /var/log/history:
# vim /etc/profile
# history: per-user command logging
USER=$(whoami)
USER_IP=$(who -u am i 2>/dev/null | awk '{print $NF}' | sed -e 's/[()]//g')
# Fall back to the local hostname when there is no remote address
if [ "$USER_IP" = "" ]; then
    USER_IP=$(hostname)
fi
# Shared parent directory; the sticky bit (1777) keeps users from removing each other's directories
if [ ! -d /var/log/history ]; then
    mkdir -p /var/log/history && chmod 1777 /var/log/history
fi
# Per-user directory, write and search only (300), so its contents cannot be listed
if [ ! -d "/var/log/history/${LOGNAME}" ]; then
    mkdir -p "/var/log/history/${LOGNAME}" && chmod 300 "/var/log/history/${LOGNAME}"
fi
export HISTSIZE=4096
DT=$(date +"%Y%m%d_%H:%M:%S")
# One history file per login session, named with user, source IP and timestamp
export HISTFILE="/var/log/history/${LOGNAME}/${USER}@${USER_IP}_${DT}"
chmod 600 /var/log/history/${LOGNAME}/*history* 2>/dev/null
Activate the new settings with: # source /etc/profile
Logs are stored under /var/log/history, one directory per user, each containing files named with the user, source IP, and timestamp.
Liangxu Linux
Liangxu, a self‑taught IT professional now working as a Linux development engineer at a Fortune 500 multinational, shares extensive Linux knowledge—fundamentals, applications, tools, plus Git, databases, Raspberry Pi, etc. (Reply “Linux” to receive essential resources.)
