How to Harden a Linux Host: BIOS Protection, Disk Encryption, SSH Hardening and More
This guide outlines practical techniques to improve Linux host security, covering BIOS password setup, disk encryption, boot directory protection, USB disabling, system updates, package cleanup, port scanning, SSH hardening, SELinux activation, network parameter tuning, password policies, and file permission hardening.
Most users assume Linux is inherently secure, but this article demonstrates that without proper hardening a stolen laptop can be compromised using default credentials such as the Kali Linux "root"/"toor" pair. It provides a step‑by‑step checklist for securing any Linux machine, regardless of distribution.
1. Record Host Information
Before starting, create a document that records the device name, IP address, MAC address, responsible person, date, and, for corporate environments, the asset number.
2. BIOS Protection
Set a BIOS password and disable boot from external media (USB/CD/DVD). If the motherboard includes a remote‑access web interface, change its default password or disable the feature entirely.
3. Disk Encryption (Confidentiality)
During installation, choose the option “Guided - use entire disk and set up encrypted LVM” (the Debian installer wording, which Kali inherits). If the distribution lacks built‑in encryption, tools like TrueCrypt can be used; note that TrueCrypt is no longer maintained and VeraCrypt is its maintained successor.
4. Disk Protection (Availability)
Implement regular backups and store them offline. Partition the system disk into multiple logical areas, e.g. / /boot /usr /home /tmp /var /opt, to isolate failures.
5. Lock the /boot Directory
Edit /etc/fstab to mount /boot read‑only (add ro to its mount options; remount it read-write with mount -o remount,rw /boot before installing kernel or bootloader updates), then set ownership and permissions:
# chown root:root /etc/fstab
# chmod 644 /etc/fstab
Also protect the GRUB configuration (/etc/grub.conf on older Red Hat-style layouts; Debian-based systems keep it at /boot/grub/grub.cfg):
# chown root:root /etc/grub.conf
# chmod og-rwx /etc/grub.conf
6. Disable USB Storage Devices
Add blacklist usb_storage to /etc/modprobe.d/blacklist.conf and prevent the module from loading via /etc/rc.local:
# nano /etc/modprobe.d/blacklist.conf
blacklist usb_storage
# nano /etc/rc.local
modprobe -r usb_storage
exit 0
A blacklist line only stops the module from being loaded automatically by alias; adding install usb_storage /bin/true to the same modprobe.d file also blocks an explicit modprobe usb_storage.
7. System Updates
After the first boot, update the system. On Kali Linux the commands are:
# apt update && apt upgrade -y
8. Review Installed Packages
List all installed packages and remove unnecessary ones, especially on servers. Example command:
# dpkg --list
Common services to uninstall include Telnet, RSH, NIS, TFTP, and TALK.
9. Check Open Ports
Identify listening ports with tools such as netstat -tuln (or ss -tuln, which replaces netstat on current distributions) or an nmap scan of the host from another machine, and stop or firewall every service that does not need to be reachable, to reduce the attack surface.
10. Harden SSH
Modify /etc/ssh/sshd_config:
Change the default port (e.g., Port 99).
Disable root login: PermitRootLogin no.
Allow specific users: AllowUsers alice bob.
Apply additional hardening options (Protocol 2, disable Rhosts, disable X11 forwarding, limit authentication attempts, specify strong ciphers, set client alive intervals, etc.).
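The sshd_config settings above, as an added example (not configuration from the article): a hardened fragment written to a temporary file and a small shell audit that reports weak or missing directives. Port 99 and the users alice and bob come from the list above; MaxAuthTries 3, the ClientAlive values and the cipher list are assumed values to adjust for your clients. sshd honours the first occurrence of a keyword, so the audit does too.

```shell
#!/bin/sh
# Added example, not from the article: a hardened sshd_config fragment using the
# settings listed above, plus a small audit that flags weak or missing directives.
# Port 99 and the users alice/bob are the article's values; MaxAuthTries 3, the
# ClientAlive values and the cipher list are assumptions to adjust for your clients.

HARDENED_SSHD_CONFIG='Port 99
PermitRootLogin no
AllowUsers alice bob
IgnoreRhosts yes
X11Forwarding no
MaxAuthTries 3
ClientAliveInterval 300
ClientAliveCountMax 2
Ciphers aes256-gcm@openssh.com,chacha20-poly1305@openssh.com'
# Protocol 2 is omitted on purpose: current OpenSSH only speaks version 2 and
# ignores the directive, so auditing for it would only produce noise.

# sshd_get FILE KEYWORD: the effective value of a directive. sshd uses the FIRST
# occurrence of a keyword, so the audit must too; keywords are case-insensitive.
sshd_get() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        tolower($1) == key { print $2; exit }
    ' "$1"
}

# sshd_audit FILE: print one line per finding; return 0 only when nothing is found.
sshd_audit() {
    cfg=$1; rc=0
    [ -e "$cfg" ] || { echo "MISSING  $cfg"; return 1; }
    for pair in PermitRootLogin=no X11Forwarding=no IgnoreRhosts=yes; do
        key=${pair%%=*}; want=${pair#*=}
        got=$(sshd_get "$cfg" "$key" | tr 'A-Z' 'a-z')
        if [ -z "$got" ]; then
            echo "MISSING  $key (want $want)"; rc=1
        elif [ "$got" != "$want" ]; then
            echo "WEAK     $key=$got (want $want)"; rc=1
        fi
    done
    # Any limit of 3 or fewer attempts is acceptable; unset means the default of 6.
    tries=$(sshd_get "$cfg" MaxAuthTries)
    if [ -z "$tries" ] || [ "$tries" -gt 3 ]; then
        echo "WEAK     MaxAuthTries=${tries:-unset} (want 3 or less)"; rc=1
    fi
    # An AllowUsers list limits who may even attempt to authenticate.
    [ -n "$(sshd_get "$cfg" AllowUsers)" ] || { echo "MISSING  AllowUsers"; rc=1; }
    # The file itself should be mode 600 (stat -c is GNU/busybox syntax).
    mode=$(stat -c %a "$cfg")
    [ "$mode" = 600 ] || { echo "PERMS    $cfg is mode $mode (want 600)"; rc=1; }
    return $rc
}

# Stand-alone demo: audit the hardened fragment, then a deliberately weak one.
demo_dir=$(mktemp -d)
printf '%s\n' "$HARDENED_SSHD_CONFIG" > "$demo_dir/sshd_config"
chmod 600 "$demo_dir/sshd_config"
sshd_audit "$demo_dir/sshd_config" && echo "hardened fragment: no findings"
printf 'PermitRootLogin yes\nX11Forwarding yes\nMaxAuthTries 10\n' > "$demo_dir/weak_config"
sshd_audit "$demo_dir/weak_config" || echo "weak fragment: findings listed above"
rm -rf "$demo_dir"
```

Run the audit against a copy of /etc/ssh/sshd_config first, then validate the real file with sshd -t before restarting the service, so a typo cannot lock you out of the host.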
Finally, secure the file itself:
# chown root:root /etc/ssh/sshd_config
# chmod 600 /etc/ssh/sshd_config
11. Enable SELinux
Set SELinux to enforcing mode by editing /etc/selinux/config; the setting takes effect at the next boot. This applies to Red Hat-family systems; Debian-based distributions, Kali included, ship AppArmor by default and need the SELinux packages installed before this file exists.
# nano /etc/selinux/config
SELINUX=enforcing
12. Network Parameters
Tune kernel networking settings. sysctl -w changes the running kernel only; to make the values persist across reboots, put the same key = value pairs in /etc/sysctl.conf (or a file under /etc/sysctl.d/) and load them with sysctl -p:
# sysctl -w net.ipv4.ip_forward=0
# sysctl -w net.ipv4.conf.all.send_redirects=0
# sysctl -w net.ipv4.conf.default.send_redirects=0
# sysctl -w net.ipv4.conf.all.accept_redirects=0
# sysctl -w net.ipv4.conf.default.accept_redirects=0
# sysctl -w net.ipv4.icmp_ignore_bogus_error_responses=1
13. Password Policies
Enforce password reuse limits and complexity via PAM modules. The quality check runs first and pam_unix then takes the already-checked password (use_authtok) and keeps the history (remember=); both belong on password lines, not auth lines. On current distributions pam_pwquality replaces pam_cracklib and accepts the same options. Example entries, in this order:
password requisite pam_cracklib.so retry=3 minlen=8 lcredit=-1 ucredit=-2 dcredit=-2 ocredit=-1
password sufficient pam_unix.so use_authtok remember=4
Set password expiration to 90 days:
# chage --maxdays 90 username
# echo "PASS_MAX_DAYS 90" >> /etc/login.defs
Appending leaves any existing PASS_MAX_DAYS line in the file, so edit that line in place instead of adding a second one.
14. Permissions and Validation
Secure cron files, password/shadow files, and other critical system files:
# chown root:root /etc/anacrontab /etc/crontab /etc/cron.*
# chmod og-rwx /etc/anacrontab /etc/crontab /etc/cron.*
# chmod 644 /etc/passwd /etc/group
# chmod 600 /etc/shadow /etc/gshadow
15. Additional Hardening Measures
Apply kernel hardening flags in /etc/sysctl.conf such as:
kernel.exec-shield=1
kernel.randomize_va_space=2
fs.suid_dumpable=0
(kernel.exec-shield exists only on older Red Hat kernels and is rejected elsewhere.) Disable core dumps, which can leak secrets from crashed processes, in /etc/security/limits.conf:
* hard core 0
These steps provide a solid baseline for securing a Linux host; further hardening can be added as needed.
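An added baseline audit (example code, not a script from the article) that ties together the file-permission rules of sections 5 and 14, the persisted sysctl values of sections 12 and 15, and the 90-day PASS_MAX_DAYS limit of section 13. It runs against a constructed fake root tree, so it can be tried without touching the host; the file list, the sysctl keys and the thresholds are taken from the article, while the tree contents, the demo values and the uid argument are assumptions of the example.

```shell
#!/bin/sh
# Added baseline audit for the article's checklist; not the article's own script.
# Checks file modes (sections 5/14), persisted sysctl values (12/15) and the
# PASS_MAX_DAYS limit (13) below ROOT. The demo uses a constructed tree; on a live
# host run it as root with ROOT=/ and uid 0. stat -c and sed -i are GNU/busybox forms.

# check_mode FILE WANT_MODE [WANT_UID]: print one finding and return 1 on mismatch.
check_mode() {
    f=$1; want=$2; want_uid=${3:-}
    [ -e "$f" ] || { echo "MISSING  $f"; return 1; }
    have=$(stat -c %a "$f")
    [ "$have" = "$want" ] || { echo "MODE     $f is $have, want $want"; return 1; }
    if [ -n "$want_uid" ]; then
        have_uid=$(stat -c %u "$f")
        [ "$have_uid" = "$want_uid" ] || { echo "OWNER    $f is uid $have_uid, want $want_uid"; return 1; }
    fi
}

# sysctl_file_get FILE KEY: value from a sysctl.conf-style file ("key = value",
# '#'/';' comments). The last assignment wins because sysctl -p applies lines in order.
sysctl_file_get() {
    awk -F= -v key="$2" '
        /^[ \t]*[#;]/ || /^[ \t]*$/ { next }
        { k = $1; v = $2; gsub(/[ \t]/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v) }
        k == key { val = v; found = 1 }
        END { if (found) print val }' "$1"
}

# check_sysctl FILE "key=want ...": every key must be persisted with the wanted value.
# The live /proc/sys value is shown alongside, since sysctl -w alone is lost at reboot.
check_sysctl() {
    cfg=$1; rc=0
    for pair in $2; do
        key=${pair%%=*}; want=${pair#*=}
        have=$(sysctl_file_get "$cfg" "$key")
        live=$(cat "/proc/sys/$(printf '%s' "$key" | tr . /)" 2>/dev/null || echo n/a)
        [ "$have" = "$want" ] || { echo "SYSCTL   $key: file=${have:-unset} live=$live, want $want"; rc=1; }
    done
    return $rc
}

# logindefs_get FILE KEY: "KEY VALUE" lines from login.defs; the last one wins.
logindefs_get() {
    awk -v key="$2" '/^[ \t]*#/ || /^[ \t]*$/ { next }
        $1 == key { val = $2; found = 1 }
        END { if (found) print val }' "$1"
}

# set_login_def FILE KEY VALUE: edit an existing line in place rather than appending
# a duplicate with echo >>, so the file keeps one authoritative entry per key.
set_login_def() {
    if grep -q "^[[:space:]]*$2[[:space:]]" "$1"; then
        sed -i "s/^[[:space:]]*$2[[:space:]].*/$2 $3/" "$1"
    else
        printf '%s %s\n' "$2" "$3" >> "$1"
    fi
}

# check_pass_max_days FILE: PASS_MAX_DAYS must be set and no more than 90.
check_pass_max_days() {
    v=$(logindefs_get "$1" PASS_MAX_DAYS)
    if [ -z "$v" ] || [ "$v" -gt 90 ]; then
        echo "AGING    PASS_MAX_DAYS=${v:-unset}, want 90 or less"; return 1
    fi
}

# audit_baseline ROOT UID: run every check under ROOT; the return value is the
# number of findings, so 0 means clean. (chmod og-rwx on a 644 file yields 600.)
audit_baseline() {
    root=$1; owner_uid=$2; n=0
    for spec in etc/fstab:644 etc/crontab:600 etc/passwd:644 etc/shadow:600 etc/ssh/sshd_config:600; do
        check_mode "$root/${spec%:*}" "${spec#*:}" "$owner_uid" || n=$((n + 1))
    done
    check_sysctl "$root/etc/sysctl.conf" "net.ipv4.ip_forward=0 net.ipv4.conf.all.accept_redirects=0 \
net.ipv4.conf.all.send_redirects=0 kernel.randomize_va_space=2 fs.suid_dumpable=0" || n=$((n + 1))
    check_pass_max_days "$root/etc/login.defs" || n=$((n + 1))
    return $n
}

# make_demo_root: constructed tree with a world-readable shadow file, a lax
# PASS_MAX_DAYS and a sysctl.conf missing fs.suid_dumpable. Prints its path.
make_demo_root() {
    d=$(mktemp -d); mkdir -p "$d/etc/ssh"
    for f in fstab crontab passwd shadow ssh/sshd_config; do : > "$d/etc/$f"; done
    chmod 644 "$d/etc/fstab" "$d/etc/passwd" "$d/etc/shadow"
    chmod 600 "$d/etc/crontab" "$d/etc/ssh/sshd_config"
    printf 'PASS_MAX_DAYS\t99999\nPASS_MIN_DAYS 0\n' > "$d/etc/login.defs"
    printf 'net.ipv4.ip_forward = 0\nnet.ipv4.conf.all.accept_redirects=0\nnet.ipv4.conf.all.send_redirects = 0\nkernel.randomize_va_space = 2\n' > "$d/etc/sysctl.conf"
    echo "$d"
}

# Stand-alone demo: audit, apply the fixes the findings call for, audit again.
demo=$(make_demo_root)
if audit_baseline "$demo" "$(id -u)"; then echo "baseline: clean"; else echo "baseline: $? finding(s)"; fi
chmod 600 "$demo/etc/shadow"
printf 'fs.suid_dumpable = 0\n' >> "$demo/etc/sysctl.conf"
set_login_def "$demo/etc/login.defs" PASS_MAX_DAYS 90
audit_baseline "$demo" "$(id -u)" && echo "baseline after fixes: clean"
rm -rf "$demo"
```

The audit reads the persisted files rather than the running kernel on purpose: a value set only with sysctl -w, or a permission fixed by hand without a matching change to the install scripts, is exactly the kind of drift that disappears at the next reboot or rebuild, and comparing the file value with the live /proc/sys value side by side makes that drift visible.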
ITPUB
Official ITPUB account sharing technical insights, community news, and exciting events.