Essential Linux Security Vulnerabilities & Practical Hardening Guide for Ops Engineers

Introduction

Linux servers are a frequent target for network attacks. Proper configuration, regular patching, and systematic hardening are essential to reduce the attack surface and prevent most incidents.

1. Privilege‑Escalation Vulnerabilities

1.1 Misconfigured sudo

Allowing users to run commands without a password or granting overly broad privileges can lead to full system compromise.

Typical risky entries:

# Dangerous sudo configuration
user1 ALL=(ALL) NOPASSWD: ALL
%developers ALL=(ALL) NOPASSWD: /bin/bash, /bin/sh

Mitigation steps

Apply the principle of least privilege – restrict command sets and target users.

Audit sudo policies regularly with visudo -c and sudo -l -U <user>.

Enable logging (e.g., local2.* /var/log/sudo.log in /etc/rsyslog.conf).

# Example of a tighter sudo policy
user1 ALL=(www-data) NOPASSWD: /usr/bin/systemctl restart apache2
user1 ALL=(root) PASSWD: /usr/bin/apt update, /usr/bin/apt upgrade

1.2 SUID/SGID binaries

Set‑uid/set‑gid programs are common privilege‑escalation vectors.

Discovery commands

# List all SUID files
find / -perm -4000 -type f 2>/dev/null
# List all SGID files
find / -perm -2000 -type f 2>/dev/null

Hardening actions

Perform periodic inventories and remove unnecessary SUID/SGID binaries.

Replace where possible with Linux capabilities (e.g., cap_net_bind_service).

Deploy file‑integrity monitoring (AIDE, Tripwire, etc.).

2. Network Service Vulnerabilities

2.1 SSH hardening

SSH is the primary remote‑management channel and a frequent attack vector.

Core sshd_config settings

# /etc/ssh/sshd_config
Port 2222
Protocol 2
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
MaxAuthTries 3
ClientAliveInterval 300
AllowUsers user1 user2

Advanced defenses

Enable two‑factor authentication (e.g., Google Authenticator).

Deploy fail2ban to block brute‑force attempts.

# Install Google Authenticator
apt install libpam-google-authenticator
# Add PAM rule
echo "auth required pam_google_authenticator.so" >> /etc/pam.d/sshd

# /etc/fail2ban/jail.local for SSH
[sshd]
enabled = true
port = 2222
filter = sshd
logpath = /var/log/auth.log
maxretry = 3
bantime = 3600

2.2 Web server hardening (Nginx/Apache)

Secure public‑facing services by hiding version information and adding security headers.

# Nginx security snippet
server_tokens off;
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";
client_max_body_size 10M;
limit_req_zone $binary_remote_addr zone=login:10m rate=1r/s;

3. Kernel Vulnerabilities

3.1 Kernel privilege‑escalation bugs

Keeping the kernel up‑to‑date and enabling hardening sysctl parameters reduces exposure.

# Check current kernel version
uname -r
# List upgradable kernel packages (Debian/Ubuntu)
apt list --upgradable | grep linux-image
# Apply safe kernel update
apt update && apt upgrade linux-image-generic

# /etc/sysctl.conf hardening options
kernel.dmesg_restrict = 1
kernel.kptr_restrict = 2
kernel.yama.ptrace_scope = 1
net.ipv4.conf.all.log_martians = 1

3.2 Container escape protection

Run containers with reduced privileges and explicit capability drops.

# Example Docker run with security options
docker run --read-only --tmpfs /tmp \
  --security-opt=no-new-privileges \
  --cap-drop=ALL --cap-add=NET_BIND_SERVICE \
  --user 1000:1000 myapp

4. Filesystem Permission Issues

4.1 Sensitive file permissions

Incorrect permissions on system files expose credential data.

# Verify and correct critical file modes
ls -la /etc/passwd /etc/shadow /etc/sudoers
chmod 644 /etc/passwd
chmod 600 /etc/shadow
chmod 440 /etc/sudoers

Automated audit script

#!/bin/bash
CRITICAL_FILES="/etc/passwd /etc/shadow /etc/sudoers /etc/ssh/sshd_config"
for file in $CRITICAL_FILES; do
  if [ -f "$file" ]; then
    echo "Permissions for $file: $(stat -c '%a' $file)"
  fi
done

4.2 Home‑directory security

Set home directories to 750 (or stricter).

SSH private keys must be 600.

Regularly purge temporary and sensitive data.

5. Log Management and Monitoring

5.1 Centralized logging

# /etc/rsyslog.conf snippet
auth,authpriv.*    /var/log/auth.log
*.*;auth,authpriv.none  -/var/log/syslog
kern.*             -/var/log/kern.log
mail.*             -/var/log/mail.log

Log rotation

# /etc/logrotate.d/security
/var/log/auth.log /var/log/sudo.log {
    weekly
    missingok
    rotate 52
    compress
    delaycompress
    notifempty
    postrotate
        systemctl reload rsyslog
    endscript
}

5.2 Real‑time security monitoring

Watch for failed SSH logins, privilege changes, abnormal resource usage, and network anomalies.

#!/bin/bash
# Simple monitor for failed SSH attempts
tail -f /var/log/auth.log | while read line; do
  if echo "$line" | grep -q "Failed password"; then
    echo "Login failure detected: $line"
    # Insert alerting (email, webhook, etc.) here
  fi
done

6. Network Security Defense

6.1 Firewall configuration

Use a host‑based firewall to enforce a default‑deny posture.

iptables baseline

# Accept loopback and established connections
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Allow required services
iptables -A INPUT -p tcp --dport 2222 -j ACCEPT   # SSH
iptables -A INPUT -p tcp --dport 80 -j ACCEPT     # HTTP
iptables -A INPUT -p tcp --dport 443 -j ACCEPT    # HTTPS
# Drop everything else
iptables -P INPUT DROP

UFW simplified example

ufw default deny incoming
ufw default allow outgoing
ufw allow 2222/tcp
ufw allow 80/tcp
ufw allow 443/tcp
ufw enable

6.2 Intrusion detection

File‑integrity checking with AIDE provides early warning of unauthorized modifications.

# Initialise AIDE database
aide --init
mv /var/lib/aide/aide.db.new /var/lib/aide/aide.db
# Periodic verification
aide --check

7. Incident Response and Recovery

7.1 Response workflow

Confirm and classify the incident.

Assess impact and scope.

Isolate affected systems.

Preserve evidence (logs, memory dumps).

Restore from known‑good backups or rebuild.

Conduct post‑mortem and update controls.

7.2 Backup best practices

Implement a 3‑2‑1 strategy (three copies, two media types, one off‑site).

Encrypt backup data at rest and in transit.

Test restore procedures regularly.

8. Compliance and Security Standards

8.1 Common frameworks

ISO 27001 – Information Security Management.

PCI DSS – Payment Card Industry Data Security Standard.

SOX – Sarbanes‑Oxley Act for financial reporting.

GDPR – General Data Protection Regulation.

8.2 Audit practices

Regular user‑permission reviews.

Configuration baseline verification.

Automated vulnerability scanning.

Log analysis and audit trails.

9. Automated Security Operations

9.1 Ansible hardening playbook

- name: System security hardening
  hosts: all
  become: true
  tasks:
    - name: Update package cache and apply safe upgrades
      apt:
        update_cache: yes
        upgrade: safe
    - name: Enforce SSH root login restriction
      lineinfile:
        path: /etc/ssh/sshd_config
        regexp: '^PermitRootLogin'
        line: 'PermitRootLogin no'
      notify: Restart sshd

  handlers:
    - name: Restart sshd
      service:
        name: sshd
        state: restarted

9.2 Continuous monitoring considerations

Behavior‑based anomaly detection (login patterns, process activity).

Machine‑learning threat analysis where applicable.

Automated response (quarantine, alerting).

Real‑time notification channels (email, Slack, PagerDuty).

10. Emerging Threats and Protection

10.1 Cloud environment challenges

Identity and Access Management (IAM) policies.

Network security‑group rules.

Data encryption and key lifecycle management.

Container and micro‑service security (runtime policies, image scanning).

10.2 Zero‑Trust model

Never trust, always verify every request.

Enforce least‑privilege access at all layers.

Continuously validate device posture and user identity.

Apply micro‑segmentation to limit lateral movement.