Master Enterprise Linux Security Hardening: From Basics to Advanced

This comprehensive guide walks you through essential Linux security hardening steps—including system updates, service disabling, password policies, SSH configuration, firewall rules, intrusion detection, file integrity monitoring, log auditing, automation scripts, and emergency response—to help enterprises build a resilient and continuously protected infrastructure.

Ops Community

Overview

Linux system security hardening is a crucial part of enterprise IT infrastructure security. This article collects quick, practical hardening measures that reduce a system's attack surface and make intrusions easier to detect.

1. System Basic Security

Update System

# Ubuntu/Debian
sudo apt update && sudo apt upgrade -y

# CentOS/RHEL (dnf on RHEL 8 and later, yum on older releases)
sudo yum update -y

Disable Unnecessary Services

# List running services
systemctl list-units --type=service --state=running

# Disable and stop risky legacy services (unit names vary by distribution;
# check what is installed with: systemctl list-unit-files | grep -E 'telnet|rsh|ftp')
sudo systemctl disable --now telnet.socket rsh.socket tftp.socket vsftpd

2. User Permission Management

Password Policy

# Edit password policy
sudo nano /etc/security/pwquality.conf

# Key settings
minlen = 12      # Minimum length 12 characters
minclass = 3     # At least 3 character classes
maxrepeat = 2    # Maximum repeated characters

Account Lockout

# Configure login failure lockout
sudo nano /etc/pam.d/common-auth
# Add above the pam_unix.so line:
# auth required pam_tally2.so deny=5 unlock_time=900
# Note: pam_tally2 was removed in Linux-PAM 1.4 (Ubuntu 22.04, RHEL 9 and later);
# those systems provide pam_faillock instead (see pam_faillock(8) for its auth/account stanza)

3. SSH Security Configuration

Modify SSH Config

sudo nano /etc/ssh/sshd_config
# Key security settings (sshd_config does not allow trailing comments on an
# option line, so the explanations are kept on their own lines)
# Change the default port; open the new port in the firewall before restarting
Port 2222
# Disallow root login
PermitRootLogin no
# Disable password authentication; make sure your public key is installed first
PasswordAuthentication no
# Max authentication attempts per connection
MaxAuthTries 3
# Keepalive probe every 300 seconds; together with ClientAliveCountMax (default 3)
# an unresponsive client is disconnected after roughly 15 minutes
ClientAliveInterval 300

Restart SSH Service

# Check the syntax first with "sudo sshd -t"; a broken config would stop sshd from coming back
sudo systemctl restart sshd

4. Firewall Configuration

Use UFW (recommended)

# Reset firewall
sudo ufw --force reset

# Default policies
sudo ufw default deny incoming
sudo ufw default allow outgoing

# Allow SSH on custom port
sudo ufw allow 2222/tcp

# Enable firewall
sudo ufw enable

Basic iptables Rules

#!/bin/bash
# Basic firewall script. Rules are added before the default policies are
# switched to DROP so that an existing SSH session is not cut off.
iptables -F

# Allow loopback
iptables -A INPUT -i lo -j ACCEPT

# Allow established connections
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Allow SSH on the port configured in sshd_config
iptables -A INPUT -p tcp --dport 2222 -j ACCEPT

# Default policies
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT

# Save rules so they survive a reboot (needs the iptables-persistent package
# on Debian/Ubuntu, which restores /etc/iptables/rules.v4 at boot)
iptables-save > /etc/iptables/rules.v4

5. Intrusion Detection

Install Fail2ban

# Install
sudo apt install fail2ban

# Configure (jail.local overrides jail.conf and survives package upgrades)
sudo nano /etc/fail2ban/jail.local
[DEFAULT]
bantime = 3600
findtime = 600
maxretry = 3

[sshd]
enabled = true
port = 2222
filter = sshd
logpath = /var/log/auth.log
# On hosts that log only to the systemd journal (no /var/log/auth.log), replace
# the logpath line with "backend = systemd". Apply with: sudo systemctl restart fail2ban
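The jail above counts failed sshd logins per source address and bans at maxretry. The following added example (not part of the original article, and not fail2ban's own code) reproduces that counting logic with awk over a few constructed auth.log lines, so you can see exactly which log lines the thresholds act on. The addresses come from the documentation ranges 203.0.113.0/24 and 198.51.100.0/24, not real hosts, and unlike fail2ban the script counts over the whole file rather than a findtime window.

```shell
#!/bin/sh
# Added example, not from the original article: count failed sshd logins per
# source address the way the fail2ban sshd jail does (whole file, no findtime window).

# Constructed sample log lines using documentation address ranges
SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
Jan 10 10:00:01 host sshd[1201]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Jan 10 10:00:03 host sshd[1201]: Failed password for invalid user admin from 203.0.113.5 port 51236 ssh2
Jan 10 10:00:05 host sshd[1203]: Failed password for root from 203.0.113.5 port 51238 ssh2
Jan 10 10:00:07 host sshd[1205]: Accepted publickey for deploy from 198.51.100.7 port 40022 ssh2
Jan 10 10:00:09 host sshd[1207]: Failed password for deploy from 198.51.100.7 port 40024 ssh2
Jan 10 10:00:11 host sshd[1209]: Failed password for invalid user test from 203.0.113.5 port 51240 ssh2
EOF

# Print "count address" for every source address with failed password attempts,
# highest count first. $1 = log file.
failed_by_ip() {
    awk '/sshd\[[0-9]+\]: Failed password/ {
             for (i = 1; i <= NF; i++)
                 if ($i == "from") n[$(i + 1)]++
         }
         END { for (ip in n) print n[ip], ip }' "$1" | sort -rn
}

# Print only the addresses that reached the threshold. $1 = log file, $2 = maxretry.
offenders() {
    failed_by_ip "$1" | awk -v max="$2" '$1 >= max { print $2 }'
}

echo "Failed logins per address:"
failed_by_ip "$SAMPLE_LOG"
echo "Addresses at or above maxretry=3 (what the jail would ban):"
offenders "$SAMPLE_LOG" 3
```

Run the same functions against the real log (offenders /var/log/auth.log 3) to confirm that the addresses fail2ban-client status sshd reports as banned match what the log actually contains.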

6. File System Security

Set Permissions for Critical Files

# Important config file permissions
sudo chmod 600 /etc/ssh/sshd_config
# /etc/shadow: 600 on RHEL-style systems; on Debian/Ubuntu keep the default
# 640 root:shadow, because setgid helpers such as unix_chkpwd need group read
sudo chmod 600 /etc/shadow
sudo chmod 644 /etc/passwd

# Temporary directories: world-writable with the sticky bit (1xxx), so users
# can only delete their own files
sudo chmod 1777 /tmp
sudo chmod 1777 /var/tmp

File Integrity Monitoring

# Install AIDE
sudo apt install aide

# Initialize database (Debian/Ubuntu wrapper; it writes aide.db.new and offers
# to copy it to /var/lib/aide/aide.db, which later checks compare against)
sudo aideinit

# Periodic check (on Debian/Ubuntu run it through the wrapper: sudo aide.wrapper --check)
sudo aide --check
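AIDE works by hashing a baseline of file contents and attributes and comparing later runs against it. The following added example (not from the article and not AIDE's code) shows the same idea with nothing but sha256sum over a constructed scratch directory: build a baseline, detect a modified file, and detect an added file that a plain sha256sum --check would miss. The paths and file contents are made up for the demonstration.

```shell
#!/bin/sh
# Added example, not from the original article or the AIDE project: the core
# idea of file integrity monitoring (hash baseline, later comparison) using
# sha256sum only. Works on a constructed scratch tree, not the real /etc.

# Record the SHA-256 of every regular file under directory $1 into baseline $2
# (paths are relative to $1; $2 should be an absolute path outside $1).
make_baseline() {
    ( cd "$1" && find . -type f | LC_ALL=C sort | xargs sha256sum ) > "$2"
}

# Re-hash the tree and compare against the baseline. Prints "<path>: FAILED"
# for modified or missing files; returns 0 if everything matches, non-zero otherwise.
verify_baseline() {
    ( cd "$1" && sha256sum --check --quiet "$2" ) 2>/dev/null
}

# List files present now that the baseline does not know about. sha256sum --check
# cannot see these, which is why AIDE also records the full file list.
new_files() {
    known=$(mktemp)
    awk '{ print $2 }' "$2" | LC_ALL=C sort > "$known"
    ( cd "$1" && find . -type f | LC_ALL=C sort ) | LC_ALL=C comm -13 "$known" -
    rm -f "$known"
}

# --- demonstration on constructed files ---
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
TREE="$WORK/etc"
BASELINE="$WORK/baseline.sha256"
mkdir -p "$TREE/ssh"
printf 'PermitRootLogin no\n' > "$TREE/ssh/sshd_config"
printf 'root:x:0:0:root:/root:/bin/bash\n' > "$TREE/passwd"

make_baseline "$TREE" "$BASELINE"
if verify_baseline "$TREE" "$BASELINE"; then echo "clean tree: OK"; fi

# Simulate an unauthorized edit and a dropped-in file, then re-check
printf 'PermitRootLogin yes\n' > "$TREE/ssh/sshd_config"
printf 'x\n' > "$TREE/new.conf"
if ! verify_baseline "$TREE" "$BASELINE"; then echo "tampered tree: integrity check FAILED"; fi
echo "files not in baseline:"
new_files "$TREE" "$BASELINE"
```

The baseline must live somewhere the monitored host cannot silently rewrite (read-only media or a central server), otherwise an intruder who can change a file can also refresh its hash; AIDE's own guidance is the same.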

7. Log Auditing

Configure rsyslog

sudo nano /etc/rsyslog.d/50-security.conf
# Security log configuration
auth,authpriv.*    /var/log/auth.log
*.info             /var/log/messages
kern.*             /var/log/kern.log

Enable auditd

# Install audit system
sudo apt install auditd

# Basic audit rules: watch writes and attribute changes (-p wa), tagged with a key
sudo nano /etc/audit/rules.d/audit.rules
-w /etc/passwd -p wa -k identity
-w /etc/shadow -p wa -k identity
-w /etc/ssh/sshd_config -p wa -k sshd_config
# Load the rules with: sudo augenrules --load
# Search the resulting events by key with: sudo ausearch -k identity

8. Quick Security Check Script

#!/bin/bash
# Quick security check; run as root so /etc/shadow is readable
echo "=== Linux security check report ==="
echo "Check time: $(date)"
echo

# System update status (grep -c prints 0 when nothing is upgradable)
echo "1. System update status:"
upgradable=$(apt list --upgradable 2>/dev/null | grep -c upgradable)
echo "$upgradable packages can be upgraded"

# User account check
echo "2. User account check:"
echo "sudo users: $(getent group sudo | cut -d: -f4)"
echo "Empty password accounts: $(awk -F: '($2 == "") {print $1}' /etc/shadow)"

# Network services (ss replaces the deprecated netstat)
echo "3. Network services:"
echo "$(ss -tln | grep -c LISTEN) listening ports"

# Firewall status
echo "4. Firewall status:"
ufw status | head -1

# Failed logins (count every line, not just the last five)
echo "5. Failed logins in auth.log:"
echo "$(grep -c 'Failed password' /var/log/auth.log) failed login attempts"

echo "=== Check completed ==="

9. Regular Maintenance Tasks

Create crontab Jobs

# Edit scheduled tasks
sudo crontab -e

# Add tasks
# Daily security updates (cron is non-interactive; on Debian/Ubuntu the
# unattended-upgrades package is the supported way to do this)
0 2 * * * apt-get update -q && DEBIAN_FRONTEND=noninteractive apt-get upgrade -y -q

# Weekly log cleanup (only for logs logrotate does not already handle; keep
# auth and audit logs as long as your retention policy requires)
0 1 * * 0 find /var/log -name "*.log" -mtime +30 -delete

# Monthly password expiry check
0 9 1 * * /usr/local/bin/check-password-expiry.sh
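The crontab above calls /usr/local/bin/check-password-expiry.sh without showing it. The following added example (not the article's script) is one way to write it: it reads shadow(5) fields, skips locked and non-expiring accounts, and reports accounts whose password expires within a given number of days or has already expired. The shadow lines are constructed with placeholder hashes, and "today" is fixed so the output is reproducible; on a live host it reads /etc/shadow and therefore needs root.

```shell
#!/bin/sh
# Added example, not the article's script: a possible body for
# /usr/local/bin/check-password-expiry.sh. It reads shadow(5) fields, so it
# needs root on a live host; here it runs against a constructed sample file.

# Constructed shadow-format sample with placeholder hashes. Field layout:
# user:hash:last_change:min:max:warn:inactive:expire (days since 1970-01-01)
SAMPLE_SHADOW=$(mktemp)
trap 'rm -f "$SAMPLE_SHADOW"' EXIT
cat > "$SAMPLE_SHADOW" <<'EOF'
root:$6$PLACEHOLDER:19900:0:99999:7:::
alice:$6$PLACEHOLDER:19930:0:90:7:::
bob:$6$PLACEHOLDER:19800:0:90:7:::
carol:!:19950:0:90:7:::
dave:$6$PLACEHOLDER:19990:0:90:7:::
svc-backup:*:19000:0:99999:7:::
EOF

# Print "user days_left" for every account whose password expires within $2 days
# or has already expired (negative days_left). $1 = shadow file, $3 = today as
# days since the epoch. Locked accounts (hash starting with ! or *) and accounts
# with no maximum age (empty or 99999) are skipped.
expiring_within() {
    awk -F: -v warn="$2" -v today="$3" '
        $2 ~ /^[!*]/            { next }   # locked or no password set
        $5 == "" || $5 >= 99999 { next }   # password never expires
        {
            left = $3 + $5 - today
            if (left <= warn) print $1, left
        }' "$1"
}

# Fixed "today" of day 20000 (2024-10-04) keeps the sample output reproducible;
# on a live host use: expiring_within /etc/shadow 14 "$(( $(date +%s) / 86400 ))"
echo "Accounts expiring within 30 days (negative = already expired):"
expiring_within "$SAMPLE_SHADOW" 30 20000
```

For the monthly cron job, pipe the output to mail or your ticketing system; an account that shows up with a negative value has an expired password and its owner can no longer log in until it is changed.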

10. Emergency Response

Rapid Response When Intrusion Is Detected

# 1. Network isolation (run from the console or out-of-band management:
#    this also drops the responder's own SSH session)
sudo iptables -P INPUT DROP
sudo iptables -P OUTPUT DROP

# 2. Preserve logs (-a keeps ownership and timestamps, which matter as evidence)
sudo mkdir -p /backup
sudo cp -a /var/log /backup/incident-$(date +%Y%m%d)

# 3. Check processes (hide kernel threads, whose names are shown in brackets)
ps aux | grep -v '\[.*\]'

# 4. Check network connections (ss replaces the deprecated netstat)
ss -antp

# 5. Check files under /etc modified in the last 24 hours
find /etc -mtime -1 -type f

Conclusion

Linux system security hardening is an ongoing process that requires regular updates, least-privilege user management, SSH hardening, firewall configuration, log monitoring, and periodic audits to maintain a robust security posture.

Regular Updates – Keep system and packages up to date.

Least Privilege – Manage users with minimal permissions.

SSH Hardening – Configure ports, disable root login, and use key authentication.

Firewall Configuration – Restrict network access with UFW or iptables.

Log Monitoring – Detect anomalies promptly.

Regular Audits – Continuously assess system security status.

Republication Notice
This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contact admin@besthub.dev and we will review it promptly.

Tags: automation, firewall, Linux, System Administration, SSH, intrusion detection, security hardening