Hardening Linux: Practical Commands to Boost System Security

This article discusses how to harden a Linux system using a collection of practical security commands.

Console Security

Limit root login to specific terminals by editing the security file under /etc/ and allowing only one console for root, while requiring other users to operate without root privileges.

Password Lifecycle

Enforce password expiration using chage or by setting defaults in /etc/login.defs:

$ chage -M 20 likegeeks

$ chage likegeeks

PASS_MAX_DAYS 20 PASS_MIN_DAYS 0 PASS_WARN_AGE 5

Sudo Notification

Configure sudo to send email notifications by adding to /etc/sudoers:

mailto [email protected]

mail_always on

SSH Tuning

Modify /etc/ssh/sshd_config to improve SSH security:

Port 5555

PermitRootLogin no

PasswordAuthentication no PermitEmptyPasswords no

UseDNS yes

GSSAPIAuthentication no

ServerAliveInterval 15 ServerAliveCountMax 3 TCPKeepAlive yes

ClientAliveInterval 30 ClientAliveCountMax 5

AllowUsers user1 user2

AllowGroup group1 group2

Enable two‑factor authentication with Google Authenticator:

$ yum install google-authenticator

$ google-authenticator

auth required pam_google_authenticator.so

ChallengeResponseAuthentication yes

$ systemctl restart sshd

Tripwire Intrusion Detection

Install Tripwire from EPEL, set up keys, customize the policy, and initialize the database:

$ wget http://dl.fedoraproject.org/pub/epel/7/x86_64/e/epel-release-7-9.noarch.rpm

$ rpm -ivh epel-release-7-9.noarch.rpm

$ sudo yum install tripwire

$ tripwire-setup-keyfiles

/etc/tripwire/twpol.txt

$ tripwire --update-policy --secure-mode low /etc/tripwire/twpol.txt

$ tripwire --init

$ tripwire --check

Firewalld

Use firewalld for dynamic firewall management without restarting services:

$ firewall-cmd --state

$ firewall-cmd --get-zones

$ firewall-cmd --set-default-zone=

$ firewall-cmd --zone= --list-all

$ firewall-cmd --get-services

$ firewall-cmd --zone= --add-service= SERVICE

$ firewall-cmd --zone= --remove-service= SERVICE

$ firewall-cmd --zone= --list-ports

$ firewall-cmd --zone= --add-port= PORT/PROTOCOL

$ firewall-cmd --zone= --remove-port= PORT/PROTOCOL

$ firewall-cmd --zone= --add-forward-port= ...

$ firewall-cmd --zone= --remove-forward-port= ...

Reverting to iptables

If preferred, disable firewalld and install iptables services:

$ systemctl disable firewalld

$ systemctl stop firewalld

$ yum install iptables-services

$ touch /etc/sysconfig/iptables

$ touch /etc/sysconfig/ip6tables

$ systemctl start iptables

$ systemctl start ip6tables

$ systemctl enable iptables

$ systemctl enable ip6tables

Restricting Compilers

Prevent attackers from using gcc by limiting its permissions:

$ rpm -q --filesbypkg gcc | grep 'bin'

$ groupadd compilerGroup

$ chown root:compilerGroup /usr/bin/gcc

$ chmod 0750 /usr/bin/gcc

Immutable Files

Make critical files immutable with chattr so even root cannot modify them:

$ chattr +i /myscript

$ chattr -i /myscript

Managing SELinux with Aureport

Generate SELinux audit reports using aureport:

$ aureport --avc

$ aureport -x

$ aureport -au -i

$ aureport -au --summary -i --failed

$ aureport -au --summary -i --success

Using Sealert

Install and run sealert to interpret SELinux audit logs:

$ yum install setools

$ sealert -a /var/log/audit/audit.log

The article concludes that these techniques collectively enhance Linux system security, though many more hardening measures remain to be explored.