Essential Linux Security Hardening: From Account Safety to Rootkit Detection

Security is a perennial topic in IT; after incidents like the "Prism" scandal the urgency of handling information security is clear.

Operations personnel must adopt security guidelines, thinking like attackers and addressing threats in five areas:

Account and Login Security

Account security is the first line of defense. Remove unnecessary system accounts and groups (e.g., adm, lp, sync, shutdown, halt, news, uucp, operator, games, gopher) and groups (adm, lp, news, uucp, games, dip, pppusers, popusers, slipusers).

Disable Unnecessary Services

Close services that are not required for the server’s purpose; for a web server, only httpd and essential system services should remain. Examples of dispensable services include anacron, auditd, autofs, avahi-daemon, bluetooth, cpuspeed, firstboot, gpm, haldaemon, ip6tables, ipsec, isdn, lpd, mcstrans, messagebus, netfs, nfs, nfslock, nscd, pcscd, portmap, readahead_early, restorecond, rpcgssd, rpcidmapd, rstatd, sendmail, setroubleshoot, yppasswdd, ypserv.

Password and Key Authentication Policies

Linux supports password and key authentication. Passwords should be at least six characters with numbers, letters, underscores, and symbols, though they bring risks such as brute‑force attacks. Key authentication, using public‑private key pairs via SSH, avoids these risks and is recommended.

Proper Use of su and sudo

Direct root login is discouraged; users log in with normal accounts and elevate privileges via su or, preferably, sudo. sudo grants limited rights without exposing the root password, and its configuration resides in /etc/sudoers.

Trim Login Banners

Remove or modify files that disclose system version information, such as /etc/issue, /etc/issue.net, /etc/redhat-release, and /etc/motd, to prevent attackers from gathering details.

Remote Access and Authentication Security

Replace insecure telnet with SSH, protect shell history ( .bash_history), and enable tcp_wrappers alongside iptables for layered firewall protection.

File System Security

Lock critical files with chattr, but avoid immutable attributes on essential directories (/dev, /tmp, /var). Ensure proper file permissions and use find commands to locate world‑writable files, SUID/SGID binaries, and orphaned files.

Secure /tmp, /var/tmp, and /dev/shm

Mount these temporary filesystems with nosuid,noexec,nodev options, or use loopback filesystems for /tmp when necessary.

Rootkit Detection Tools

Rootkits can be file‑level or kernel‑level. Regular integrity checks with tools like Tripwire or AIDE help detect file‑level rootkits. For detection, use chkrootkit and rkhunter, which scan binaries, MD5 hashes, hidden files, and suspicious kernel modules.

Post‑Attack Response Procedure

When a server is compromised, follow these steps: disconnect the network, identify the attack source via logs and open ports, analyze the intrusion vector, back up user data, reinstall the OS, patch vulnerabilities, restore data, and finally bring the service back online.

Additional actions include locking suspicious accounts, examining system logs (/var/log/messages, /var/log/secure, .bash_history), terminating dubious processes, verifying file integrity with rpm -Va, and ensuring the rebuilt system incorporates the hardening measures described above.