Master Linux Security: Essential Baseline Hardening Scripts Explained
This article walks through why Linux servers need baseline hardening, explains baseline concepts and scanning, and provides a comprehensive collection of shell scripts that automatically check and enforce security settings such as password policies, file permissions, service configurations, and network controls.
Why Linux Baseline Hardening Is Needed
Most enterprises use Linux as their server OS because it is open‑source and generally more secure than Windows, but misconfigurations or administrator oversights can leave sensitive ports and services exposed to attackers.
What Is a Security Baseline?
A security baseline is a set of configuration standards for the operating system, middleware, and databases that meet security best‑practice requirements. After installing a system, administrators adjust configuration values to achieve a secure, efficient, and reasonable state.
Baseline Scanning
Automated tools collect current configuration items, compare them with the standard values, and generate a report highlighting deviations. Some tools separate the collection phase from the comparison phase, converting raw data into a human‑readable document.
Sample Hardening Scripts
Before running any script, back up critical files:
#!/bin/bash
# Back up every file the hardening scripts modify. -p keeps the original owner
# and mode on each copy, so /etc/shadow.bak does not end up world-readable.
cp -p /etc/login.defs /etc/login.defs.bak
cp -p /etc/security/limits.conf /etc/security/limits.conf.bak
cp -p /etc/pam.d/su /etc/pam.d/su.bak
cp -p /etc/profile /etc/profile.bak
cp -p /etc/issue.net /etc/issue.net.bak
cp -p /etc/shadow /etc/shadow.bak
cp -p /etc/passwd /etc/passwd.bak
cp -p /etc/pam.d/passwd /etc/pam.d/passwd.bak
cp -p /etc/pam.d/common-password /etc/pam.d/common-password.bak
cp -p /etc/host.conf /etc/host.conf.bak
cp -p /etc/hosts.allow /etc/hosts.allow.bak
cp -p /etc/ntp.conf /etc/ntp.conf.bak
cp -p /etc/sysctl.conf /etc/sysctl.conf.bak
echo "============Backup Completed=================="
Key Checks Implemented by the Scripts
Ensure minimum password change interval (PASS_MIN_DAYS) is set to 6 days.
Set password expiration warning (PASS_WARN_AGE) to 30 days.
Set maximum password age (PASS_MAX_DAYS) to 90 days.
Enforce minimum password length (PASS_MIN_LEN) of 6 characters.
Configure GRUB and LILO passwords.
Disable core dumps for all users.
Disable Ctrl+Alt+Del reboot shortcut.
Limit history file size and number of entries.
Restrict su access to the wheel group via PAM.
Remove unnecessary files such as /etc/issue.net.
Delete unused accounts.
Limit password reuse count.
Configure account lockout after failed authentication attempts.
Disable IP spoofing and enable proper host.conf settings.
Set up /etc/hosts.allow and /etc/hosts.deny rules.
Check status of critical services.
Detect SUID/SGID permissions on important binaries.
Apply strict file permission settings for /etc/passwd, /etc/shadow, etc.
Each check is performed with sed or awk commands that locate the line number, replace the value, and echo a completion message.
Classic Comprehensive Script Example
#!/bin/bash
echo "---------------Start--------------------"
cd /etc || exit 1
# As in the original, the edits are applied to a working copy under /home/test1
# (the directory must already exist), not to /etc/login.defs directly.
if [ -f login.defs ]; then
cp -p /etc/login.defs /home/test1
# Match only the active setting line: the key must be the first field, so commented
# "# PASS_MIN_DAYS 0" lines are skipped, and awk exits at the first hit so sed gets
# exactly one line number. If the key is absent, the edit is skipped instead of
# handing sed an empty address.
MINDAY=$(awk '$1 == "PASS_MIN_DAYS" {print NR; exit}' /home/test1/login.defs)
[ -n "$MINDAY" ] && sed -i "${MINDAY}s/.*/PASS_MIN_DAYS 6/" /home/test1/login.defs
WARNAGE=$(awk '$1 == "PASS_WARN_AGE" {print NR; exit}' /home/test1/login.defs)
[ -n "$WARNAGE" ] && sed -i "${WARNAGE}s/.*/PASS_WARN_AGE 30/" /home/test1/login.defs
MAXDAY=$(awk '$1 == "PASS_MAX_DAYS" {print NR; exit}' /home/test1/login.defs)
[ -n "$MAXDAY" ] && sed -i "${MAXDAY}s/.*/PASS_MAX_DAYS 90/" /home/test1/login.defs
MINLEN=$(awk '$1 == "PASS_MIN_LEN" {print NR; exit}' /home/test1/login.defs)
[ -n "$MINLEN" ] && sed -i "${MINLEN}s/.*/PASS_MIN_LEN 6/" /home/test1/login.defs
fi
echo "--------------------ok---------------------------"
# ... (additional sections for grub, lilo, history, issue files, host allow/deny, core dump, PAM, etc.)
The script demonstrates a systematic approach: back up, modify the configuration files, and report each step.
Additional Scanning Utilities
Beyond the hardening script, the article provides a diagnostic script that prints system information, checks for weak passwords, verifies service status (SSH, Telnet, syslog), inspects firewall rules, searches for malicious PHP/JSP/HTML/Python/Perl backdoors, and evaluates file integrity via MD5 hashes.
These utilities together form a practical baseline hardening and auditing toolkit for Linux system administrators.
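The scanning side described under Baseline Scanning, applied to the login.defs values and file-permission checks listed above: an added example, not the article's own script. check_login_defs, check_mode and demo are hypothetical names, and the 644/600 mode thresholds and the constructed login.defs are my assumptions.

```shell
#!/bin/sh
# Added example, not the article's own script: a read-only baseline SCAN that reports
# drift instead of rewriting files. Function names and sample values are my own.

# check_login_defs FILE: compare each active "KEY VALUE" line in FILE with the
# baseline values the article's hardening script writes. Commented lines are skipped
# because their first field is not the key; if a key appears twice the last active
# line wins. Prints a DEVIATION line per mismatch, returns the number of deviations.
check_login_defs() {
    file=$1; fails=0
    while read -r key want; do
        got=$(awk -v k="$key" '$1 == k {v = $2} END {print v}' "$file")
        if [ "$got" != "$want" ]; then
            echo "DEVIATION $file: $key=${got:-<unset>} (baseline $want)"
            fails=$((fails + 1))
        fi
    done <<EOF
PASS_MIN_DAYS 6
PASS_WARN_AGE 30
PASS_MAX_DAYS 90
PASS_MIN_LEN 6
EOF
    return "$fails"
}

# check_mode FILE MAXMODE: pass only if FILE sets no permission bit outside MAXMODE
# (octal), so check_mode /etc/shadow 600 flags 640 and 644. Returns 1 on deviation.
check_mode() {
    got=$(stat -c %a "$1") || return 1
    if [ $(( (0$got & ~0$2) )) -ne 0 ]; then
        echo "DEVIATION $1: mode $got exceeds baseline $2"
        return 1
    fi
}

# demo: constructed input only (a temporary login.defs with two drifted values,
# then made world-writable), so the scan runs without touching /etc.
demo() {
    dir=$(mktemp -d); rc1=0; rc2=0
    printf '%s\n' '# PASS_MAX_DAYS 99999' 'PASS_MAX_DAYS 99999' \
        'PASS_MIN_DAYS 6' 'PASS_WARN_AGE 7' 'PASS_MIN_LEN 6' > "$dir/login.defs"
    check_login_defs "$dir/login.defs" || rc1=$?   # 2: PASS_MAX_DAYS, PASS_WARN_AGE
    chmod 666 "$dir/login.defs"
    check_mode "$dir/login.defs" 644 || rc2=$?     # 1: group/other write beyond 644
    rm -rf "$dir"
    echo "$rc1 $rc2"
}
```

Run against the real files (check_login_defs /etc/login.defs; check_mode /etc/shadow 600) the same functions produce the deviation report without changing anything, which is the collection-and-compare step the hardening script assumes has already been done.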
This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contact us and we will review it promptly.
Open Source Linux
Focused on sharing Linux/Unix content, covering fundamentals, system development, network programming, automation/operations, cloud computing, and related professional knowledge.