Essential Linux Security Hardening: From Account Safety to Rootkit Detection

This guide outlines comprehensive Linux security practices for administrators, covering account and login protection, service minimization, password and key authentication, sudo usage, system welcome message hardening, remote access safeguards, filesystem permissions, rootkit detection tools, and step‑by‑step response procedures after a server compromise.

MaGe Linux Operations

Why Linux Security Matters

Security is a perennial topic in IT; after disclosures such as PRISM, protecting information systems has become urgent.

1. Account and Login Security

Account security is the first line of defense. Key measures include:

Delete unnecessary accounts and groups: remove default users such as adm, lp, sync, shutdown, halt, news, uucp, operator, games, gopher, and groups like adm, lp, news, uucp, games, dip, pppusers, popusers, slipusers.

Disable unneeded services: stop services that are not required for the server's role, e.g. anacron, auditd, autofs, avahi-daemon, bluetooth, cpuspeed, firstboot, gpm, haldaemon, hidd, ip6tables, ipsec, isdn, lpd, mcstrans, messagebus, netfs, nfs, nfslock, nscd, pcscd, portmap, readahead_early, restorecond, rpcgssd, rpcidmapd, rstatd, sendmail, setroubleshoot, yppasswdd, ypserv.

Password and key authentication policies: use strong passwords (minimum 6 characters, a mix of numbers, letters and symbols) or, preferably, SSH key authentication to resist brute-force attacks.

Proper use of su and sudo: limit direct root logins, grant limited privileges via sudo and configure /etc/sudoers accordingly.

Remove or modify login welcome messages: edit or delete /etc/issue, /etc/issue.net, /etc/redhat-release, and /etc/motd to avoid leaking system information.
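As an added example (not part of the original article), the first account-cleanup step above can be turned into an audit before anything is deleted: check which of the listed legacy accounts still exist and which of them still carry a real login shell. The passwd content below is constructed; pass /etc/passwd as the argument to audit a real host.

```shell
#!/bin/sh
# Added example: audit a passwd-format file for the legacy service accounts
# the article lists and report which still have a usable login shell.

DEFAULT_ACCOUNTS="adm lp sync shutdown halt news uucp operator games gopher"

# Print "<name> <shell>" for each listed default account present in file $1.
audit_default_accounts() {
    passwd_file="$1"
    for name in $DEFAULT_ACCOUNTS; do
        awk -F: -v n="$name" '$1 == n { print $1, $7 }' "$passwd_file"
    done
}

# Print only the default accounts whose shell is neither nologin nor false,
# i.e. accounts that could be logged into if a password were set or guessed.
# These are the ones to lock or remove first.
default_accounts_with_login_shell() {
    audit_default_accounts "$1" | awk '$2 !~ /(nologin|false)$/ { print $1 }'
}

# Constructed sample passwd content for a stand-alone run.
sample_passwd() {
    cat <<'EOF'
root:x:0:0:root:/root:/bin/bash
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
games:x:12:100:games:/usr/games:/bin/bash
gopher:x:13:30:gopher:/var/gopher:/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
EOF
}

# Stand-alone demo against the constructed sample.
demo_passwd=$(mktemp)
sample_passwd > "$demo_passwd"
echo "Default accounts present:"
audit_default_accounts "$demo_passwd"
echo "Default accounts with a login shell:"
default_accounts_with_login_shell "$demo_passwd"
rm -f "$demo_passwd"
```

On the sample, four of the listed accounts exist and only games has a real shell; on a real host, run the second function first and deal with its output before removing the rest with userdel.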

2. Remote Access and Authentication Security

Replace telnet with SSH: use encrypted SSH instead of plaintext telnet.

Manage shell history: protect .bash_history and consider regular backups.

Enable tcp_wrappers: complement iptables with tcp_wrappers to control service access.

3. Filesystem Security

Lock critical files: use chattr to set immutable or append-only attributes on important files, noting that it should not be applied to the /, /dev, /tmp and /var directories.

Check and correct file permissions: find files writable by others or by their group (find / -type f \( -perm -2 -o -perm -20 \)), locate set-uid/set-gid binaries (find / -type f \( -perm -4000 -o -perm -2000 \)), and identify orphaned files with no owning user or group (find / \( -nouser -o -nogroup \)). The parentheses matter: -o binds more loosely than the implicit -a, so without them -type f applies only to the first -perm test.

Secure /tmp, /var/tmp and /dev/shm: mount /tmp with the nosuid,noexec,nodev options; bind /var/tmp to /tmp if needed; avoid making these directories immutable.
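The permission audits and the /tmp mount check from this section, wrapped in functions as an added example (not code from the original article). The demo runs against a scratch directory and a constructed fstab so it works as an unprivileged user; on a real host point the functions at / and /etc/fstab.

```shell
#!/bin/sh
# Added example: the filesystem audits from the section above as functions.

# Regular files under $1 writable by group or others. The parentheses keep
# -type f applying to both -perm tests.
find_group_or_world_writable() {
    find "$1" -type f \( -perm -2 -o -perm -20 \) 2>/dev/null
}

# Regular files under $1 with the set-uid or set-gid bit set.
find_setuid_setgid_files() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null
}

# Files under $1 owned by a uid or gid that has no passwd/group entry.
find_orphaned_files() {
    find "$1" \( -nouser -o -nogroup \) 2>/dev/null
}

# Return 0 if fstab-format file $1 mounts $2 with nosuid, noexec and nodev;
# otherwise print what is missing and return 1.
check_mount_options() {
    fstab="$1"; mountpoint="$2"
    opts=$(awk -v mp="$mountpoint" '$1 !~ /^#/ && $2 == mp { print $4 }' "$fstab")
    [ -n "$opts" ] || { echo "$mountpoint: no fstab entry"; return 1; }
    missing=""
    for want in nosuid noexec nodev; do
        case ",$opts," in
            *,"$want",*) ;;
            *) missing="$missing $want" ;;
        esac
    done
    [ -z "$missing" ] || { echo "$mountpoint: missing$missing"; return 1; }
    return 0
}

# Stand-alone demo: scratch files with the permissions the audit looks for.
scratch=$(mktemp -d)
printf 'x\n' > "$scratch/ok"
printf 'x\n' > "$scratch/ww";   chmod 0666 "$scratch/ww"
printf 'x\n' > "$scratch/suid"; chmod 4755 "$scratch/suid"
echo "writable by group/others:"; find_group_or_world_writable "$scratch"
echo "set-uid/set-gid:";          find_setuid_setgid_files "$scratch"

# Constructed fstab: a weak /tmp line beside a hardened /var/tmp line.
demo_fstab=$(mktemp)
cat > "$demo_fstab" <<'EOF'
tmpfs   /tmp       tmpfs  defaults             0 0
tmpfs   /var/tmp   tmpfs  nosuid,noexec,nodev  0 0
EOF
check_mount_options "$demo_fstab" /tmp || true
check_mount_options "$demo_fstab" /var/tmp && echo "/var/tmp: ok"
rm -rf "$scratch" "$demo_fstab"
```

The mount check reads fstab only; to confirm what is actually mounted, compare against the options column of findmnt or /proc/mounts, since a line in fstab does not prove the filesystem was remounted with it.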

4. Linux Backdoor Detection Tools

Rootkits are common Linux backdoors. Two primary types are file‑level and kernel‑level.

File‑level rootkits

They replace system binaries such as login, ls, ps, ifconfig, etc. Regular integrity checks with tools like Tripwire or AIDE can detect modifications.
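A stripped-down version of the integrity check that Tripwire and AIDE automate, added here as an example and not taken from the article or from either tool: record SHA-256 hashes of the binaries while the system is trusted, keep that baseline off the host, and compare on each later run. The demo uses constructed files in a scratch directory; on a real host the starting directory would be /bin, /sbin or /usr/bin, and both the baseline and the sha256sum binary used for the comparison should come from trusted media, since a file-level rootkit may have replaced the system's own copy.

```shell
#!/bin/sh
# Added example: a minimal file-integrity baseline and check.

# Write "hash  path" lines for every regular file under $1 into baseline $2.
take_baseline() {
    find "$1" -type f -exec sha256sum {} + | sort -k 2 > "$2"
}

# Compare every file recorded in baseline $1 against its current contents.
# Prints "CHANGED <path>" or "MISSING <path>" and returns 1 if anything differs.
# (Paths with leading whitespace are not preserved by read; acceptable here.)
verify_baseline() {
    status=0
    while read -r hash path; do
        if [ ! -f "$path" ]; then
            echo "MISSING $path"; status=1
        elif [ "$(sha256sum "$path" | awk '{ print $1 }')" != "$hash" ]; then
            echo "CHANGED $path"; status=1
        fi
    done < "$1"
    return $status
}

# Stand-alone demo with constructed stand-ins for ls and ps.
scratch=$(mktemp -d)
baseline=$(mktemp)
printf 'original ls\n' > "$scratch/ls"
printf 'original ps\n' > "$scratch/ps"
take_baseline "$scratch" "$baseline"
verify_baseline "$baseline" && echo "clean"
printf 'replaced ps\n' > "$scratch/ps"   # simulate a replaced binary
rm -f "$scratch/ls"                       # simulate a removed binary
verify_baseline "$baseline" || echo "integrity violation detected"
rm -rf "$scratch" "$baseline"
```

Run take_baseline once after installation and after every legitimate package update, and schedule verify_baseline the same way the article schedules rkhunter; a non-zero exit is the signal to investigate.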

Kernel‑level rootkits

They modify the kernel directly, so detection from inside the running system is unreliable; the best defense is preventive: keep the system minimally privileged so an attacker never gains the rights needed to load kernel code.

Detection tools

chkrootkit: run /usr/local/chkrootkit/chkrootkit to scan for known rootkits.

RKHunter: execute /usr/local/bin/rkhunter --check --skip-keypress, and schedule it via cron (30 09 * * * root /usr/local/bin/rkhunter --check --cronjob).

5. Incident Response After a Server Attack

Disconnect the network to stop ongoing attacks.

Identify the attack source by examining logs, open ports, and running processes.

Analyze the intrusion vector and underlying vulnerabilities.

Back up user data while ensuring it is free of malicious code.

Reinstall the operating system to eliminate hidden compromises.

Patch identified software or system vulnerabilities.

Restore data, re‑enable network services, and monitor for recurrence.

Additional steps include locking suspicious user accounts, reviewing system logs (/var/log/messages, /var/log/secure, .bash_history), inspecting suspicious processes (using ps, top, pidof and /proc/<pid>/exe), and verifying file integrity with rpm -Va.
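Two of the triage steps above, the log review and the /proc/<pid>/exe check, as an added example that is not part of the original article. The first function aggregates failed SSH logins per source address from /var/log/secure-style lines; the second lists processes whose executable has been deleted or replaced on disk, which is how a binary dropped in /tmp and then removed shows up. The log lines are constructed and use RFC 5737 documentation addresses.

```shell
#!/bin/sh
# Added example: incident-response triage helpers.

# Count "Failed password" sshd events per source address in log file $1,
# highest count first, as "count address".
failed_logins_by_source() {
    awk '/sshd\[[0-9]+\]: Failed password for/ {
             for (i = 1; i <= NF; i++) if ($i == "from") { count[$(i+1)]++; break }
         }
         END { for (ip in count) print count[ip], ip }' "$1" | sort -rn
}

# Addresses with at least $2 failures: candidates for an iptables or
# tcp_wrappers deny rule while the investigation continues.
sources_over_threshold() {
    failed_logins_by_source "$1" | awk -v n="$2" '$1 >= n { print $2 }'
}

# Processes whose /proc/<pid>/exe link ends in "(deleted)". Links belonging to
# other users are unreadable without root and are skipped.
list_processes_with_deleted_exe() {
    for p in /proc/[0-9]*; do
        target=$(readlink "$p/exe" 2>/dev/null) || continue
        case "$target" in
            *" (deleted)") echo "${p#/proc/} $target" ;;
        esac
    done
}

# Constructed /var/log/secure excerpt for a stand-alone run.
sample_secure_log() {
    cat <<'EOF'
Mar 10 09:12:01 web1 sshd[2311]: Failed password for root from 203.0.113.7 port 51122 ssh2
Mar 10 09:12:03 web1 sshd[2311]: Failed password for root from 203.0.113.7 port 51130 ssh2
Mar 10 09:12:05 web1 sshd[2315]: Failed password for invalid user admin from 203.0.113.7 port 51140 ssh2
Mar 10 09:13:44 web1 sshd[2320]: Accepted publickey for alice from 198.51.100.4 port 40022 ssh2
Mar 10 09:15:10 web1 sshd[2330]: Failed password for alice from 198.51.100.9 port 40100 ssh2
EOF
}

demo_log=$(mktemp)
sample_secure_log > "$demo_log"
echo "failed logins by source:";      failed_logins_by_source "$demo_log"
echo "sources with 3+ failures:";     sources_over_threshold "$demo_log" 3
echo "processes with deleted exe:";   list_processes_with_deleted_exe
rm -f "$demo_log"
```

Run the log functions against a copy of the logs taken before the machine is rebuilt, since the article's reinstall step destroys them; logs forwarded to a separate host are the only copy an intruder with root could not have edited.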

Republication Notice

This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contact admin@besthub.dev and we will review it promptly.
