Hardening Linux Servers to Level‑3 Security with Open‑Source Check and Protective Scripts

This article introduces open‑source Linux server hardening scripts that meet Level‑3 security protection requirements, outlines the essential security controls such as identity verification, access control, auditing, and intrusion prevention, and provides step‑by‑step usage instructions for both checking and applying the protective scripts.

Liangxu Linux

Security Requirements for Linux Servers (Level‑3)

The Level‑3 protection standard for Linux servers includes several key controls:

Identity Verification: Unique user identifiers, complex credentials, regular rotation, login‑failure handling, encrypted remote management, and multi‑factor authentication.

Access Control: Assign accounts and permissions, remove or rename default accounts, disable expired accounts, enforce least‑privilege for administrators.

Security Auditing: Enable auditing of critical actions, record timestamps, users, event types, and outcomes, and protect and back up audit logs.

Intrusion Prevention: Install only necessary components, disable unnecessary services and high‑risk ports, restrict management access by network range, and promptly patch known vulnerabilities.

Malicious Code Prevention: Deploy anti‑malware techniques and trusted verification mechanisms to detect and block threats.

Data Integrity and Confidentiality: Use checksums or encryption to ensure data integrity in transit and storage, and encrypt sensitive data.

Implementation Steps

System Grading: Determine the protection level based on system importance and data sensitivity.

System Filing: Report the grading result to the relevant authority.

System Construction: Configure identity verification, access control, auditing, etc., according to the requirements.

System Assessment: Invite a third party to evaluate compliance.

Remediation & Hardening: Fix identified issues and reinforce the system.

Periodic Review: Regularly re‑evaluate to maintain compliance.

Check Script

This script performs a one‑click compliance check for Level‑3 requirements on RedHat/CentOS systems.

sudo sh CentOS_Check_Script.sh | tee check_$(date +%Y%m%d_%H%M%S).txt

The command generates a timestamped check_YYYYMMDD_HHMMSS.txt file containing the results. It examines system basic information, resource usage, user accounts, identity verification, access control, security auditing, residual information protection, intrusion prevention, malicious code prevention, and resource control. The script is not suitable for Ubuntu because of differing configuration files.

Protective Script

The protective script applies hardening measures and automatically backs up any modified configuration files into a backup directory.

sudo sh CentOS_Protective_Script.sh

Key functions (some require manual invocation in the script’s main function) include:

One‑click full hardening.

Setting password complexity.

Adding an openroot account.

Disabling remote root login.

Configuring history size, command timestamps, and session timeout.

Changing the SSH port.

Handling login failures.

Restoring original configuration files.

Enforcing password length and periodic rotation.

Protecting audit logs and archiving them via a log server.

For Ubuntu systems, run the script with bash instead of sh to avoid syntax errors.
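
The following is an added example, not taken from the article or from either repository's scripts: a read-only spot check of three settings the protective script is described as changing (remote root login, SSH port, password rotation). The 90-day threshold, the function names and the sample files are assumptions; it reads plain "Keyword value" lines and does not follow Include directives.

```shell
#!/bin/sh
# Read-only spot check of three settings the protective script changes.
# MAX_DAYS is an assumed threshold; the article does not state one.
MAX_DAYS=90

# Global value of an sshd_config keyword: sshd keeps the first occurrence,
# keywords are case-insensitive, and Match blocks do not set global values.
# Commented lines never match because their first field starts with '#'.
sshd_value() {   # usage: sshd_value KEYWORD FILE
    awk -v k="$1" '
        tolower($1) == "match"    { exit }
        tolower($1) == tolower(k) { print tolower($2); exit }' "$2"
}

# Value of a login.defs key; if the key is repeated, the last line is reported.
defs_value() {   # usage: defs_value KEY FILE
    awk -v k="$1" '$1 == k { v = $2 } END { print v }' "$2"
}

# Prints PASS/FAIL per control and returns the number of failures.
check_hardening() {   # usage: check_hardening SSHD_CONFIG LOGIN_DEFS
    fails=0
    root=$(sshd_value PermitRootLogin "$1")
    port=$(sshd_value Port "$1")
    max=$(defs_value PASS_MAX_DAYS "$2")
    if [ "$root" = "no" ]; then echo "PASS remote root login disabled"
    else echo "FAIL PermitRootLogin=${root:-unset}"; fails=$((fails + 1)); fi
    if [ "${port:-22}" != "22" ]; then echo "PASS SSH port changed to $port"
    else echo "FAIL SSH still on default port 22"; fails=$((fails + 1)); fi
    # -1 disables password aging, so require a value in 1..MAX_DAYS.
    if [ "${max:-0}" -ge 1 ] 2>/dev/null && [ "$max" -le "$MAX_DAYS" ]; then
        echo "PASS PASS_MAX_DAYS=$max"
    else echo "FAIL PASS_MAX_DAYS=${max:-unset}"; fails=$((fails + 1)); fi
    return "$fails"
}

# Constructed sample files (not from a real host). The second and third
# PermitRootLogin lines are ignored: one is a duplicate, one is in a Match block.
d=$(mktemp -d)
printf '%s\n' '#PermitRootLogin yes' 'Port 2222' 'permitrootlogin no' \
    'PermitRootLogin yes' 'Match User backup' '  PermitRootLogin yes' \
    > "$d/sshd_config"
printf '%s\n' '# PASS_MAX_DAYS 30' 'PASS_MAX_DAYS 99999' > "$d/login.defs"
rc=0
check_hardening "$d/sshd_config" "$d/login.defs" || rc=$?
echo "failures: $rc"
rm -rf "$d"
```

On a real host the two arguments would be /etc/ssh/sshd_config and /etc/login.defs, checked before and after running the protective script.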

Source repositories:

https://github.com/xiaoyunjie/Shell_Script

https://github.com/NatChao/check_script
