Master Linux Security Hardening: Essential Baseline Scripts and Checks

This guide explains why Linux servers need security baseline hardening, describes baseline scanning, and provides a comprehensive set of Bash scripts that back up critical files, enforce password policies, restrict services, adjust file permissions, and verify system integrity to protect against common vulnerabilities.

Liangxu Linux

Most enterprises run Linux servers because the OS is open source and has a strong security track record, but a default installation still exposes sensitive ports and services and ships with permissive settings (no password ageing, core dumps enabled, root login over SSH) that attackers exploit routinely. A security baseline hardening process closes those gaps in a repeatable, auditable way.

What is a security baseline?

A security baseline is a set of configuration standards for the operating system, middleware, and databases that must be applied after installation, and re-verified whenever the system changes, to ensure it is secure, efficient, and compliant.

Baseline scanning

Automated tools collect the current configuration of the system and compare each value with the standard baseline, reporting any deviations. Some tools separate the collection phase from the comparison phase and convert the raw data into a human-readable report; keeping the two apart means the collected facts can be archived as evidence and the baseline can be tightened later without collecting again.

Preparation – backup original files

Back up every file before touching it. Use cp -p so mode, owner and timestamps survive (a world-readable copy of /etc/shadow would be worse than no backup), test for existence so the script does not error on distributions that lack a file (/etc/ntp.conf on chrony hosts, /etc/pam.d/common-password on RHEL-family systems), and keep the copies in a root-only directory rather than scattered .bak files.

#!/bin/bash
BACKUP_DIR=/root/baseline-backup-$(date +%Y%m%d)
install -d -m 0700 "$BACKUP_DIR"
for f in /etc/login.defs /etc/security/limits.conf /etc/pam.d/su /etc/profile \
         /etc/issue.net /etc/shadow /etc/passwd /etc/pam.d/passwd \
         /etc/pam.d/common-password /etc/host.conf /etc/hosts.allow \
         /etc/ntp.conf /etc/sysctl.conf; do
    if [ -e "$f" ]; then cp -p "$f" "$BACKUP_DIR/" && echo "backed up $f"; fi
done
echo "============Backup completed=================="

Key hardening checks (illustrated with screenshots in the original article)

Ensure minimum password change interval (PASS_MIN_DAYS) is set to 6 days. Match the active directive by name: a commented vendor default (#PASS_MIN_DAYS) is left alone, the live line is rewritten, and the directive is appended if it is absent, so the script can be re-run safely. Values in /etc/login.defs apply only to accounts created afterwards; apply the same policy to existing accounts with chage, for example chage -m 6 -M 90 -W 30 <user>.

sed -i 's/^PASS_MIN_DAYS[[:space:]].*/PASS_MIN_DAYS 6/' /etc/login.defs
grep -q '^PASS_MIN_DAYS' /etc/login.defs || echo 'PASS_MIN_DAYS 6' >> /etc/login.defs
echo "Checked minimum password change interval"

Set password expiration warning (PASS_WARN_AGE) to 30 days.

sed -i 's/^PASS_WARN_AGE[[:space:]].*/PASS_WARN_AGE 30/' /etc/login.defs
grep -q '^PASS_WARN_AGE' /etc/login.defs || echo 'PASS_WARN_AGE 30' >> /etc/login.defs
echo "Checked password warning days"

Set maximum password age (PASS_MAX_DAYS) to 90 days.

sed -i 's/^PASS_MAX_DAYS[[:space:]].*/PASS_MAX_DAYS 90/' /etc/login.defs
grep -q '^PASS_MAX_DAYS' /etc/login.defs || echo 'PASS_MAX_DAYS 90' >> /etc/login.defs
echo "Checked password maximum age"

Enforce minimum password length of 6 characters. On every mainstream distribution passwd is PAM-based, so the length check users actually hit comes from pam_pwquality (or pam_cracklib); set minlen in /etc/security/pwquality.conf as well, and note that six characters is well below current guidance (the CIS benchmarks ask for 14).

sed -i 's/^PASS_MIN_LEN[[:space:]].*/PASS_MIN_LEN 6/' /etc/login.defs
grep -q '^PASS_MIN_LEN' /etc/login.defs || echo 'PASS_MIN_LEN 6' >> /etc/login.defs
echo "Checked minimum password length"
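The baseline-scanning idea from the introduction (collect the current value, compare it with the standard, report deviations) and the four login.defs steps above fit in one small script. The following is an added example, not code from the original article: it reads the effective value of each directive, reports PASS/FAIL against the article's expected values, and enforces them idempotently. The file path is a parameter so it can be rehearsed on a copy before /etc/login.defs is touched; the baseline table and function names are this example's own.

```bash
#!/bin/bash
# Collect-and-compare baseline scanner for key/value files such as
# /etc/login.defs, plus an idempotent setter. Added example, not the
# article's script. Expected values are the article's; run against a copy first.

# Baseline table: one "KEY EXPECTED" pair per line (this example's choice).
login_defs_baseline() {
    printf '%s\n' \
        'PASS_MIN_DAYS 6' \
        'PASS_WARN_AGE 30' \
        'PASS_MAX_DAYS 90' \
        'PASS_MIN_LEN 6'
}

# get_login_def FILE KEY -> value of the active (uncommented) line; empty if unset.
# Commented lines start with "#", so their first field never equals the key.
get_login_def() {
    awk -v key="$2" '$1 == key { val = $2 } END { print val }' "$1"
}

# set_login_def FILE KEY VALUE: rewrite the active line if present, else append.
# Commented vendor defaults (#KEY ...) stay in place for reference.
set_login_def() {
    local file="$1" key="$2" value="$3"
    if grep -Eq "^[[:space:]]*${key}[[:space:]]" "$file"; then
        sed -i -E "s/^[[:space:]]*${key}[[:space:]].*/${key} ${value}/" "$file"
    else
        printf '%s %s\n' "$key" "$value" >> "$file"
    fi
}

# scan_login_defs FILE: collection and comparison in one pass.
# Prints one "PASS|FAIL KEY expected=.. actual=.." line per baseline item.
scan_login_defs() {
    local file="$1" key expected actual
    login_defs_baseline | while read -r key expected; do
        actual=$(get_login_def "$file" "$key")
        if [ "$actual" = "$expected" ]; then
            printf 'PASS %s expected=%s actual=%s\n' "$key" "$expected" "$actual"
        else
            printf 'FAIL %s expected=%s actual=%s\n' "$key" "$expected" "${actual:-unset}"
        fi
    done
}

# harden_login_defs FILE: enforce every item in the table (safe to re-run).
harden_login_defs() {
    local file="$1" key expected
    login_defs_baseline | while read -r key expected; do
        set_login_def "$file" "$key" "$expected"
    done
}

# Typical use on a host, as root, after the backup step:
#   scan_login_defs /etc/login.defs                      # report deviations
#   harden_login_defs /etc/login.defs                    # enforce the table
#   scan_login_defs /etc/login.defs | grep -c '^FAIL'    # should now be 0
```

The scan output doubles as the audit record: keep it next to the backup directory, and re-run the scan (not just the hardening) after every change so the report, not the script, is what you show an auditor. Remember that login.defs values only reach existing accounts through chage.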

Set passwords for GRUB and LILO boot loaders. Never store the password in clear text: GRUB legacy takes a hash produced by grub-md5-crypt (password --md5 <hash> in menu.lst, which lives under /boot/grub, not /etc), and LILO takes password= in lilo.conf, after which the file must be mode 600 and lilo re-run so the change reaches the boot sector. GRUB 2, which every current distribution ships, uses a different scheme: generate a hash with grub-mkpasswd-pbkdf2, add set superusers="root" and password_pbkdf2 root <hash> to /etc/grub.d/40_custom, then regenerate the config with update-grub (Debian/Ubuntu) or grub2-mkconfig -o /boot/grub2/grub.cfg (RHEL-family). Test for existence with -e; -x tests for the executable bit, so the original condition was never true for a config file.

grub="/boot/grub/menu.lst"   # GRUB legacy only
if [ -e "$grub" ] && ! grep -q '^password' "$grub"; then
    echo "password --md5 $GRUB_MD5_HASH" >> "$grub"   # GRUB_MD5_HASH: output of grub-md5-crypt, set by the operator
fi
lilo="/etc/lilo.conf"
if [ -e "$lilo" ] && ! grep -q '^password=' "$lilo"; then
    echo "password=$LILO_PASSWORD" >> "$lilo" && chmod 600 "$lilo" && lilo   # LILO_PASSWORD set by the operator
fi

Disable core dumps for all users. Core files capture process memory, including passwords and keys held by the crashed program; a hard limit stops users raising it back, and fs.suid_dumpable=0 stops setuid programs from dumping. Services started by systemd ignore limits.conf, so set DefaultLimitCORE=0 in /etc/systemd/system.conf for them.

grep -Eq '^\*[[:space:]]+hard[[:space:]]+core[[:space:]]+0' /etc/security/limits.conf ||
    echo "* hard core 0" >> /etc/security/limits.conf
grep -q '^fs.suid_dumpable' /etc/sysctl.conf || echo "fs.suid_dumpable = 0" >> /etc/sysctl.conf
sysctl -w fs.suid_dumpable=0
echo "Set * hard core 0"

Prevent Ctrl+Alt+Del from rebooting the system. On systemd hosts the key sequence activates ctrl-alt-del.target, so masking that target is the whole fix; the Upstart job file (RHEL/CentOS 6) lives in /etc/init, and there the shutdown line is commented out.

if [ -d /run/systemd/system ]; then
    systemctl mask ctrl-alt-del.target
elif [ -f /etc/init/control-alt-delete.conf ]; then
    sed -i '/^exec \/sbin\/shutdown/ s/^/#/' /etc/init/control-alt-delete.conf
fi

Limit history file size and number of entries. Guard the append so re-running the script does not stack duplicate lines. Weigh the trade-off first: a five-entry history destroys the shell audit trail incident responders rely on, and many baselines instead keep a large history with HISTTIMEFORMAT set and forward commands to auditd or syslog, relying on policy rather than truncation to keep secrets off the command line.

grep -q '^HISTFILESIZE=' /etc/profile || echo "HISTFILESIZE=5" >> /etc/profile
grep -q '^HISTSIZE='     /etc/profile || echo "HISTSIZE=5"     >> /etc/profile

Restrict su access to the wheel group via PAM, and limit password reuse. The first is done in /etc/pam.d/su by enabling the pam_wheel line that ships commented out; make sure the wheel group actually contains your administrators before you log out. The reuse limit goes on the pam_unix password line of the stack file, which is /etc/pam.d/system-auth (and password-auth) on RHEL-family systems and /etc/pam.d/common-password on Debian/Ubuntu. Edit the file in place inside /etc/pam.d (a copy in /etc is never read by PAM), use sha512 rather than md5, and use a realistic history depth such as remember=5. On RHEL 6/7 system-auth is a symlink managed by authconfig, so sed needs --follow-symlinks; on RHEL 8+ use authselect instead of editing directly.

sed -i 's/^#[[:space:]]*\(auth[[:space:]]\+required[[:space:]]\+pam_wheel.so use_uid\)/\1/' /etc/pam.d/su
grep -q '^auth[[:space:]]\+required[[:space:]]\+pam_wheel.so' /etc/pam.d/su || echo 'auth required pam_wheel.so use_uid' >> /etc/pam.d/su
for f in /etc/pam.d/system-auth /etc/pam.d/password-auth /etc/pam.d/common-password; do
    [ -f "$f" ] || continue
    # on the pam_unix password line: md5 -> sha512, and add remember=5 if not already set
    sed -i --follow-symlinks '/^password.*pam_unix.so/{s/ md5/ sha512/;/ remember=/!s/$/ remember=5/}' "$f"
done

Enable resolver spoof protection. In /etc/host.conf the directive is nospoof on: the name is negative, so "on" means the check is enabled, and a script that flips every "on" to "off" turns protection off (and clobbers unrelated options such as multi on). This setting only guards the resolver's forward/reverse lookup consistency check; the control that actually drops spoofed source addresses on the network path is reverse-path filtering in sysctl.

if grep -q '^nospoof' /etc/host.conf; then
    sed -i 's/^nospoof.*/nospoof on/' /etc/host.conf
else
    echo "nospoof on" >> /etc/host.conf
fi
grep -q '^net.ipv4.conf.all.rp_filter' /etc/sysctl.conf || echo "net.ipv4.conf.all.rp_filter = 1" >> /etc/sysctl.conf
sysctl -w net.ipv4.conf.all.rp_filter=1

Configure /etc/hosts.allow and /etc/hosts.deny. The tcp_wrappers syntax is daemon_list : client_list, and a trailing dot makes the client a network prefix (172.18.12. is the article's management network, 172.18.12.0/24). Write the allow rule before the deny rule, because ALL: ALL in hosts.deny locks out everything the allow file does not list, including your own session if it comes from another network. Only programs linked against libwrap honour these files; upstream OpenSSH dropped that support in 6.7, and RHEL 8+ and Fedora no longer ship tcp_wrappers at all (check with ldd "$(command -v sshd)" | grep libwrap), so treat the host firewall (nftables/firewalld) as the primary control and this as defence in depth.

if [ -f /etc/hosts.allow ] && ! grep -q '^ALL: 172.18.12.' /etc/hosts.allow; then
    echo "ALL: 172.18.12." >> /etc/hosts.allow
fi
if [ -f /etc/hosts.deny ] && ! grep -q '^ALL: ALL' /etc/hosts.deny; then
    echo "ALL: ALL" >> /etc/hosts.deny
fi

Set strict file permissions for critical files. Two traps here. /etc/security is a directory, and chmod 600 on a directory removes the search bit, so unprivileged sessions can no longer read limits.conf or pam_env.conf and the PAM modules that need them fail; keep the directory 755 and tighten the files. And /etc/shadow is root:shadow 640 on Debian/Ubuntu so that the setgid unix_chkpwd helper can verify passwords for screen lockers; 400 breaks that, so respect the distribution's ownership model. GRUB 2 keeps its configuration at /boot/grub/grub.cfg (Debian) or /boot/grub2/grub.cfg (RHEL-family), so cover those paths as well, and test for existence so the script does not trip over files that are not there.

chmod 644 /etc/passwd /etc/group
if [ "$(stat -c %G /etc/shadow)" = shadow ]; then chmod 640 /etc/shadow; else chmod 400 /etc/shadow; fi
chmod 755 /etc/security && chmod 644 /etc/security/*.conf   # directory must stay searchable
for f in /etc/grub.conf /boot/grub/grub.conf /boot/grub/menu.lst /boot/grub/grub.cfg /boot/grub2/grub.cfg /etc/lilo.conf; do
    [ -e "$f" ] && chmod 600 "$f"   # GRUB legacy, GRUB 2 and LILO; skip whatever is absent
done

Configure SSH banner and disable root login. sshd uses the first occurrence of a directive it finds, so appending PermitRootLogin no to a file that already says PermitRootLogin yes changes nothing: the active line has to be replaced in place, or the directive inserted at the top ahead of any Match block (on OpenSSH 8.2+, a drop-in file under /etc/ssh/sshd_config.d/ achieves the same because the stock config Includes that directory near the top). Validate with sshd -t before restarting, since a syntax error would leave you unable to open new sessions, and confirm the effective values with sshd -T. The banner file is ordinary root-owned 644 text; there is no reason to hand it to the bin user.

echo "Authorized only. All activity will be monitored and reported" > /etc/ssh_banner
chmod 644 /etc/ssh_banner
for kv in "Banner /etc/ssh_banner" "PermitRootLogin no"; do
    key=${kv%% *}
    if grep -Eiq "^[[:space:]]*${key}[[:space:]]" /etc/ssh/sshd_config; then
        sed -i -E "s|^[[:space:]]*${key}[[:space:]].*|${kv}|I" /etc/ssh/sshd_config
    else
        sed -i "1i ${kv}" /etc/ssh/sshd_config   # line 1: ahead of any Match block
    fi
done
sshd -t && systemctl restart sshd   # the unit is "ssh" on Debian/Ubuntu
sshd -T | grep -iE '^(banner|permitrootlogin) '

Enforce protocol 2 for SSH. This only matters on OpenSSH older than 7.4; later servers no longer implement protocol 1 and silently ignore the Protocol keyword, so a server that still needs this line is overdue for patching. As above, replace the active line rather than appending one.

if grep -Eiq '^[[:space:]]*Protocol[[:space:]]' /etc/ssh/sshd_config; then
    sed -i -E 's/^[[:space:]]*Protocol[[:space:]].*/Protocol 2/I' /etc/ssh/sshd_config
else
    sed -i '1i Protocol 2' /etc/ssh/sshd_config
fi
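The first-match rule is easy to get wrong by hand, so here is an added example (not code from the original article) that handles it explicitly: a reader that reports which value sshd will actually use for the global scope, and a setter that comments out every active global occurrence and places the directive on line 1, before any Match block. The file path is a parameter so it can be tried on a copy; only the "Keyword value" spelling is handled (not "Keyword=value"), and the lc/sshd_effective/sshd_set names are this example's own.

```bash
#!/bin/bash
# Set an sshd_config directive so the value sshd enforces is the intended one.
# sshd honours the FIRST occurrence of a directive, and lines after "Match"
# belong to that block. Added example, not the article's script; rehearse on a copy.

lc() { printf '%s' "$1" | tr 'A-Z' 'a-z'; }   # sshd keywords are case-insensitive

# sshd_effective FILE KEY -> value used in the global scope (first active
# occurrence before any Match block); empty if the directive is not set.
sshd_effective() {
    awk -v key="$(lc "$2")" '
        tolower($1) == "match" { exit }          # global section is over
        tolower($1) == key     { print $2; exit }
    ' "$1"
}

# sshd_set FILE KEY VALUE: comment out every active global occurrence and put
# "KEY VALUE" on line 1, ahead of any Match block. Safe to run repeatedly.
sshd_set() {
    local file="$1" key="$2" value="$3" tmp
    tmp=$(mktemp)
    awk -v key="$(lc "$key")" -v line="$key $value" '
        BEGIN { print line }
        tolower($1) == "match" { in_match = 1 }
        !in_match && tolower($1) == key { print "#" $0 "   # superseded by baseline"; next }
        { print }
    ' "$file" > "$tmp" && cat "$tmp" > "$file"   # overwrite in place, keeping mode and owner
    rm -f "$tmp"
}

# sshd_apply: validate, reload, then show what the daemon really uses.
# Run as root on the real host; the unit is "ssh" on Debian/Ubuntu.
sshd_apply() {
    sshd -t && systemctl reload sshd && sshd -T | grep -iE '^(permitrootlogin|banner|protocol) '
}

# Typical use:
#   sshd_effective /etc/ssh/sshd_config PermitRootLogin   # what is in force now
#   sshd_set /etc/ssh/sshd_config PermitRootLogin no
#   sshd_apply
```

Match-scoped lines are deliberately left alone: a per-user or per-group exception is a decision somebody made, and the baseline should report it rather than silently erase it. sshd -T is the final word in any case, because it resolves Include files and Match blocks the way the running daemon does.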

Check for malicious scripts (PHP, JSP, Perl, Python) and copy suspicious files aside for analysis. Three practical points: pass file names with -print0/-0 so paths containing spaces do not break the pipeline; do not quarantine into /tmp, which is world-writable and wiped on reboot, but into a root-only directory with cp -p so the timestamps an investigator needs survive; and expect false positives, since mysql_query appears in every legacy PHP application and eval is legitimate in many frameworks, so the hit list is a starting point for review, not a verdict. The "detected" message must be driven by an actual match, not by the exit status of the last command in the pipeline.

# Example for PHP backdoors
install -d -m 0700 /root/quarantine
find / -xdev -type f -name '*.php' -print0 |
    xargs -0r grep -lE 'mysql_query|eval|backdoor' |
    while read -r f; do echo "PHP suspect: $f"; cp -p "$f" /root/quarantine/; done
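A more useful triage separates content matching from recency, because a web shell dropped last night stands out by its modification time even when its code is obfuscated past any pattern. The following is an added example, not code from the original article: the pattern list is a set of functions commonly abused by PHP/JSP shells (assumed here; tune it for your applications), the article's mysql_query is deliberately omitted, and the function and directory names are this example's own.

```bash
#!/bin/bash
# Content- and recency-based triage of web script files.
# Added example, not the article's script. Hits are leads for manual review.

# Functions commonly abused by PHP/JSP web shells (assumed list; extend as needed).
SUSPECT_PATTERN='eval\(|base64_decode\(|shell_exec\(|passthru\(|proc_open\(|assert\(|Runtime\.getRuntime\(\)\.exec'

# Script file types the article covers: PHP, JSP, Perl, Python.
script_files() {
    find "$1" -xdev -type f \( -name '*.php' -o -name '*.phtml' -o -name '*.jsp' \
        -o -name '*.pl' -o -name '*.py' \) "${@:2}"
}

# scan_webshells DIR: script files whose content matches SUSPECT_PATTERN.
# -print0/-0 keeps odd file names intact; sort makes the output stable.
scan_webshells() {
    script_files "$1" -print0 | xargs -0r grep -lE "$SUSPECT_PATTERN" 2>/dev/null | sort
}

# recent_files DIR DAYS: script files modified within DAYS days. Changes outside
# a deployment window deserve a look regardless of content. mtime is trivially
# forged with touch; ctime (-ctime) is harder to forge and worth checking too.
recent_files() {
    script_files "$1" -mtime "-$2" -print | sort
}

# quarantine FILE DEST: copy aside with timestamps intact into a root-only
# directory, never /tmp (world-writable and cleared on reboot).
quarantine() {
    install -d -m 0700 "$2" && cp -p "$1" "$2/"
}

# Typical use on a web host, as root:
#   scan_webshells /var/www
#   recent_files /var/www 7
#   quarantine /var/www/html/uploads/suspect.php /root/quarantine
```

Review the two lists together: a file that is both recently changed and matches a pattern is a strong lead; a file that only matches a pattern needs the application context before it is called malicious.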

Verify system logs (syslog, messages) exist and are active. Which file exists depends on the distribution (/var/log/syslog on Debian/Ubuntu, /var/log/messages on RHEL-family), and on systemd hosts the authoritative store is the journal, so check that the logging daemons are running and that entries are actually recent rather than only that a file is present.

for f in /var/log/syslog /var/log/messages; do
    if [ -e "$f" ]; then echo "$f exists, last written $(stat -c %y "$f")"; else echo "$f missing"; fi
done
systemctl is-active rsyslog systemd-journald 2>/dev/null
if [ -n "$(journalctl --since=-5min -n 1 -q 2>/dev/null)" ]; then echo "journal is receiving entries"; else echo "journal: no entries in the last 5 minutes"; fi

Perform checksum integrity checks on critical binaries and configuration files. Use SHA-256 rather than MD5: MD5 collisions are practical, so an attacker can build a replacement with the same digest. Store the manifest where the attacker cannot rewrite it (off-host, or at least in a root-only directory) and regenerate it only after a deliberate change, otherwise a tampered file simply becomes the new baseline. Note that sha256sum -c says nothing about files that were added, so keep a list of expected files alongside the digests.

db="/var/lib/baseline/sha256.db"   # root-only location chosen here; copy it off-host as well
if [ -e "$db" ]; then
    sha256sum -c --quiet "$db" || echo "INTEGRITY DEVIATION: see the lines above"
else
    install -d -m 0700 "$(dirname "$db")"
    sha256sum /etc/passwd /etc/shadow /etc/group /etc/sudoers /bin/ls /bin/ps /usr/sbin/sshd > "$db"
    # (additional files omitted for brevity)
fi
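Because a digest check alone misses new files, a complete integrity check has to compare the file list as well as the hashes. The following is an added example, not code from the original article: it records a SHA-256 manifest of every regular file under a directory and then reports MODIFIED, MISSING and NEW paths. It assumes GNU coreutils and paths without whitespace (the manifest's second column is the path), and the function names are this example's own; where the manifest is kept is up to the operator, ideally off-host or on read-only media.

```bash
#!/bin/bash
# SHA-256 manifest that detects modified, missing AND new files.
# Added example, not the article's script. Assumes GNU coreutils and that
# paths contain no whitespace. Keep MANIFEST outside DIR, or it hashes itself.

# manifest_create DIR MANIFEST: "hash  ./relative/path" for every regular file
manifest_create() {
    ( cd "$1" && find . -type f -print0 | sort -z | xargs -0r sha256sum ) > "$2"
}

# manifest_verify DIR MANIFEST: print "MODIFIED|MISSING|NEW <path>" lines,
# sorted; prints nothing when the tree matches the manifest exactly.
manifest_verify() {
    local dir="$1" manifest="$2" cur
    cur=$(mktemp)
    ( cd "$dir" && find . -type f -print0 | sort -z | xargs -0r sha256sum ) > "$cur"
    # Join the two listings on the path column ($2). FILENAME, not NR==FNR,
    # distinguishes the files so an empty manifest is handled correctly.
    awk '
        FILENAME == ARGV[1] { old[$2] = $1; next }
        { new[$2] = $1 }
        END {
            for (p in old) if (!(p in new)) print "MISSING " p
            for (p in new) if (!(p in old)) print "NEW " p; else if (new[p] != old[p]) print "MODIFIED " p
        }' "$manifest" "$cur" | sort
    rm -f "$cur"
}

# Typical use on a host, as root:
#   manifest_create /usr/sbin /var/lib/baseline/usr-sbin.sha256   # once, on a known-good system
#   manifest_verify /usr/sbin /var/lib/baseline/usr-sbin.sha256   # on every scan; empty output is good
```

Treat any NEW entry under a binary or cron directory with the same suspicion as a MODIFIED one: a dropped-in binary or cron job is exactly what a digest-only check lets through. For long-term use this is what AIDE or Tripwire automate, with the database signed and stored elsewhere.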

Run basic performance and health checks (CPU, memory, disk, network, zombie processes, top CPU/memory consumers). Zombies are identified by process state Z, not by the word "zombie" (grepping for the word finds only the grep itself). Use ss instead of the deprecated netstat, and let ps sort by the column you mean rather than sorting raw auxf output, whose header line sorts in with the data.

echo "CPU info"; lscpu 2>/dev/null || cat /proc/cpuinfo
echo "Memory info"; free -m
echo "Disk usage"; df -h
echo "Listening sockets"; ss -tulpn                                   # listeners with owning process
echo "Zombies"; ps -eo pid,ppid,stat,comm | awk '$3 ~ /^Z/'
echo "Top CPU"; ps -eo pid,user,pcpu,pmem,comm --sort=-pcpu | head -6
echo "Top memory"; ps -eo pid,user,pcpu,pmem,comm --sort=-pmem | head -6

By executing the above scripts and verifying each check, administrators can bring a newly installed Linux host into compliance with a security baseline, reducing the attack surface and ensuring consistent, auditable configurations. Rehearse the whole set on a staging host first, because several steps (hosts.deny, the su restriction, the sshd changes) can lock you out if a detail is wrong; keep every step idempotent so re-runs do not stack duplicate lines; and finish by re-running the baseline scan and filing its report with the backup directory as the audit record.

Republication Notice

This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contact admin@besthub.dev and we will review it promptly.

Written by Liangxu Linux

Liangxu, a self-taught IT professional now working as a Linux development engineer at a Fortune 500 multinational, shares extensive Linux knowledge: fundamentals, applications, tools, plus Git, databases, Raspberry Pi, etc.