Ultimate Linux Server Security Checklist: Harden Accounts, Detect Rootkits, and Respond to Attacks

This comprehensive guide walks you through Linux server hardening—covering account and login security, remote access safeguards, file system protection, rootkit detection tools, and step‑by‑step incident response—to help you prevent breaches and recover swiftly if an attack occurs.


Overview

Server security is a critical topic in IT, especially after incidents like the "Prism" leaks. Proper security measures protect both the system and the business it supports. This article provides a detailed, five‑part checklist for securing Linux servers.

1. Account and Login Security

Secure accounts are the first line of defense. Remove system users you do not need, such as adm, lp, sync, shutdown and games, and unused groups such as dip, pppusers and slipusers; every account that can log in, and every UID-0 account in particular, is attack surface. Check first that no package, cron job or print service depends on an account, and prefer locking it and giving it a non-login shell, which is reversible, over deleting it. Also look for accounts you did not create: a second UID-0 entry in /etc/passwd is a classic backdoor.
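The following script is an added example, not code from the original article: it audits a passwd(5)-format file for the problems this section describes (extra UID-0 accounts, accounts that can still log in, and the removable system accounts the article lists) and prints the cleanup commands instead of running them. The passwd content at the bottom is a constructed sample; pass /etc/passwd to the same functions on a real host.

```shell
#!/bin/sh
# Added example, not from the original article: audit a passwd(5)-format file
# for the problems section 1 cares about. The file is passed as an argument so
# the same functions run against /etc/passwd; the sample below is constructed.

# Accounts the article lists as candidates for removal. Confirm nothing depends
# on them first (lp is used by printing, for example).
REMOVABLE_USERS="adm lp sync shutdown games"

# Accounts with UID 0 other than root: any hit is a backdoor until proven otherwise.
extra_uid0_accounts() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# Accounts whose shell is neither nologin nor false, i.e. that can still log in.
login_capable_accounts() {
    awk -F: '$7 !~ /\/(nologin|false)$/ { print $1 }' "$1"
}

# Those of the removable accounts that still exist in the file.
leftover_system_accounts() {
    for u in $REMOVABLE_USERS; do
        awk -F: -v u="$u" '$1 == u { print $1 }' "$1"
    done
}

# Commands that would neutralise each leftover account. They are printed, not
# run: locking (usermod -L plus a nologin shell) is reversible, userdel is not.
plan_account_cleanup() {
    for u in $(leftover_system_accounts "$1"); do
        printf 'usermod -L -s /sbin/nologin %s    # or: userdel %s\n' "$u" "$u"
    done
}

# Constructed sample passwd file; the "toor" line is the kind of entry an
# intruder adds to keep root access.
SAMPLE_PASSWD=$(mktemp)
cat > "$SAMPLE_PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
games:x:12:100:games:/usr/games:/sbin/nologin
toor:x:0:0:backdoor:/root:/bin/bash
alice:x:1000:1000:Alice:/home/alice:/bin/bash
svc:x:1001:1001:service:/var/lib/svc:/bin/false
EOF

echo "== UID 0 accounts other than root =="; extra_uid0_accounts "$SAMPLE_PASSWD"
echo "== accounts that can log in =="; login_capable_accounts "$SAMPLE_PASSWD"
echo "== leftover system accounts =="; leftover_system_accounts "$SAMPLE_PASSWD"
echo "== proposed cleanup =="; plan_account_cleanup "$SAMPLE_PASSWD"
```

On the sample, the first check flags toor, the second lists root, sync, shutdown, toor and alice (sync and shutdown have special shells rather than nologin, which is exactly why the article wants them gone), and the cleanup plan covers the five leftover accounts.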

2. Remote Access and Authentication Security

Replace telnet, which sends credentials in cleartext, with SSH for remote logins. Use key-based authentication and turn password authentication off in sshd_config; keys alone do not stop brute force while password logins remain enabled. Disable direct root login over SSH. Manage privileged commands with sudo rather than sharing root's password for su, and give each administrator or group only the commands it needs in /etc/sudoers (always edited with visudo, which refuses to install a file with syntax errors).
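As an added example (not from the original article), the script below checks an sshd_config for the settings this section asks for, showing a weak configuration next to a hardened one, and prints a least-privilege sudoers rule. Both configuration files are constructed samples; the "ops" and "sshusers" group names and the nginx service are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not from the original article: check an sshd_config for the
# remote-access settings section 2 recommends and print a least-privilege
# sudoers rule. Both configs below are constructed samples.

# Print one finding per line; prints nothing when the file is clean. Keywords
# are case-insensitive and sshd honours the FIRST occurrence of a keyword, so
# only the first value seen is kept. Match blocks are not evaluated here.
# Defaults assumed for absent keywords are those of a current OpenSSH.
audit_sshd_config() {
    awk '
        { sub(/#.*/, "") }              # drop comments; $0 is re-split afterwards
        NF < 2 { next }                 # blank or keyword-only lines
        {
            k = tolower($1)
            if (!(k in val)) val[k] = tolower($2)
        }
        function get(k, dflt) { return (k in val) ? val[k] : dflt }
        END {
            if (get("passwordauthentication", "yes") != "no")
                print "PasswordAuthentication is not no: password brute force remains possible"
            if (get("permitrootlogin", "prohibit-password") == "yes")
                print "PermitRootLogin yes: root can be brute-forced directly"
            if (get("pubkeyauthentication", "yes") != "yes")
                print "PubkeyAuthentication disabled: key-based login is impossible"
            if (get("permitemptypasswords", "no") == "yes")
                print "PermitEmptyPasswords yes: accounts without a password can log in"
            if (get("protocol", "2") ~ /1/)
                print "Protocol 1 enabled: obsolete and cryptographically broken"
            if (get("challengeresponseauthentication", "yes") != "no" &&
                get("kbdinteractiveauthentication", "yes") != "no")
                print "Keyboard-interactive authentication still on: PAM can still prompt for a password"
        }' "$1"
}

# Least-privilege sudo rule: members of the assumed "ops" group may restart one
# service as root and nothing else. Install with: visudo -f /etc/sudoers.d/ops
sudoers_fragment() {
    cat <<'EOF'
%ops ALL=(root) /usr/bin/systemctl restart nginx.service
EOF
}

WEAK=$(mktemp); HARD=$(mktemp)
# Constructed: what an unhardened install often looks like.
cat > "$WEAK" <<'EOF'
Port 22
Protocol 2,1
PermitRootLogin yes
PasswordAuthentication yes
PermitEmptyPasswords yes
EOF
# Constructed: the section-2 recommendations plus two settings the article does
# not mention. ChallengeResponseAuthentication no closes the PAM password
# prompt; AllowGroups (assumed group name) limits who may log in at all.
cat > "$HARD" <<'EOF'
Port 22
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
PermitEmptyPasswords no
MaxAuthTries 3
AllowGroups sshusers
EOF

echo "== weak config =="; audit_sshd_config "$WEAK"
echo "== hardened config =="; audit_sshd_config "$HARD"
echo "== sudoers rule =="; sudoers_fragment
```

The weak file produces five findings and the hardened file none. Before installing a sudoers fragment, check it with visudo -c -f <file>; a syntax error in /etc/sudoers locks every administrator out of sudo.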

3. File System Security

Lock critical files with chattr (e.g., chattr +i /etc/passwd; verify with lsattr) and never set the immutable attribute on directories such as /, /dev, /tmp, or /var. Two caveats: the immutable bit also blocks legitimate edits, so run chattr -i before adding or changing accounts, and any process running as root can clear it, so it slows an intruder down rather than stopping one. Tighten temporary directories so that files dropped there cannot be executed or abused, by adding the nosuid,noexec,nodev options in /etc/fstab:

LABEL=/tmp  /tmp  ext3  rw,nosuid,noexec,nodev 0 0

noexec and nosuid are hurdles, not boundaries: an interpreter can still run a script that lives in /tmp, and some package installers need to execute from /tmp, so test before rolling this out. For a dedicated /tmp partition, mount it with the options above; when /tmp shares a partition with the rest of the system, carve out a loopback filesystem instead (the image path is an example; it must not live under /dev, which on modern systems is a RAM-backed devtmpfs):

dd if=/dev/zero of=/var/tmp-loop.img bs=1M count=10000   # 10 GB image file
chmod 600 /var/tmp-loop.img
mke2fs -F -j /var/tmp-loop.img                           # -F: it is a file, not a block device
cp -a /tmp /tmp.old                                      # keep the current contents, dotfiles included
mount -o loop,rw,nosuid,noexec,nodev /var/tmp-loop.img /tmp
chmod 1777 /tmp                                          # sticky bit: users can only remove their own files
cp -a /tmp.old/. /tmp/ && rm -rf /tmp.old
echo '/var/tmp-loop.img  /tmp  ext3  loop,rw,nosuid,noexec,nodev  0 0' >> /etc/fstab   # survive reboots

Give /var/tmp the same treatment with its own mount (a second image or partition) rather than symlinking it to /tmp: the link fails when /var/tmp already exists, and /var/tmp is expected to persist across reboots while /tmp is not.
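An added example, not from the original article, that verifies the result of the fstab and loopback setup above: it reads mount information in /proc/mounts format and reports which of nosuid, noexec and nodev are missing on a mountpoint, or that the path is not a separate mount at all (in which case it silently inherits its parent's options). The mount table below is a constructed sample; point the same functions at /proc/mounts on a live host. The third path checked, /dev/shm, goes beyond the text: it is another world-writable location that deserves the same options.

```shell
#!/bin/sh
# Added example, not from the original article: confirm that /tmp and /var/tmp
# are separate mounts carrying nosuid,noexec,nodev. Input is in /proc/mounts
# format (device mountpoint fstype options dump pass), so the functions can be
# pointed at the live /proc/mounts; the sample below is constructed.

REQUIRED_OPTS="nosuid noexec nodev"

# Options of the LAST mount on a given mountpoint (a later mount shadows an
# earlier one), or nothing if the path is not a mountpoint at all.
mount_opts() {
    awk -v mp="$2" '$2 == mp { o = $4 } END { print o }' "$1"
}

# One-line verdict for a mountpoint: "ok", "missing: ...", or "not a separate
# mount". Arguments: mounts-file mountpoint. Always returns 0.
check_mount_opts() {
    opts=$(mount_opts "$1" "$2")
    if [ -z "$opts" ]; then
        echo "$2: not a separate mount (inherits the options of its parent)"
        return 0
    fi
    missing=""
    for o in $REQUIRED_OPTS; do
        case ",$opts," in
            *",$o,"*) ;;
            *) missing="$missing $o" ;;
        esac
    done
    if [ -n "$missing" ]; then
        echo "$2 missing:$missing"
    else
        echo "$2 ok ($opts)"
    fi
}

# Constructed /proc/mounts excerpt: /tmp is a loopback mount (it shows up as a
# loop device) that was mounted without noexec, /var/tmp is correct, and
# /dev/shm has no entry at all.
SAMPLE_MOUNTS=$(mktemp)
cat > "$SAMPLE_MOUNTS" <<'EOF'
/dev/sda1 / ext4 rw,relatime 0 0
/dev/loop0 /tmp ext3 rw,nosuid,nodev,relatime 0 0
/dev/sda2 /var/tmp ext3 rw,nosuid,noexec,nodev,relatime 0 0
EOF

for mp in /tmp /var/tmp /dev/shm; do
    check_mount_opts "$SAMPLE_MOUNTS" "$mp"
done
```

Run it after every reboot or fstab change, not just once: a mount that fails at boot leaves /tmp as a plain directory on the root filesystem with none of the protections.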

4. Rootkit Detection Tools

Rootkits hide an intruder's presence by replacing system binaries (ls, ps, netstat, sshd) or by hooking the kernel, so the usual commands stop reporting the attacker's files, processes and connections. Tools such as chkrootkit and rkhunter look for known rootkit signatures and for binaries whose properties have changed. Both run on the host being examined with that host's own tools, so when you already suspect a compromise run them from a trusted medium or with known-good copies of the binaries they depend on, and refresh rkhunter's file-property database (rkhunter --propupd) after legitimate package updates, otherwise every update shows up as a warning.

Install chkrootkit from http://www.chkrootkit.org/ and run it. Run rkhunter interactively once, then schedule a daily check from cron; --cronjob suppresses colours and key prompts and --report-warnings-only keeps the mailed output down to actual findings:

/usr/local/bin/rkhunter --check --skip-keypress
30 09 * * * root /usr/local/bin/rkhunter --check --cronjob --report-warnings-only

5. Post‑Attack Handling Process

If a server is compromised, follow these steps:

Isolate the server from the network to stop the ongoing attack (pull the cable, or block it at the switch or security group). Before powering it off or rebooting, capture the volatile state that a reinstall destroys: logged-in users, the process list, listening sockets and established connections, and if at all possible a disk image for later analysis.

Identify the attack source by reviewing logs (/var/log/messages, /var/log/secure) and checking open ports and processes. Treat the host's own logs and binaries as suspect, since an intruder with root may have edited them; cross-check against a remote syslog server and run your tools from a trusted medium.

Analyze the intrusion vector (vulnerabilities, exploited services, stolen credentials).

Back up user data securely, and data only: binaries, scripts and cron jobs taken from the compromised host may carry the backdoor with them.

Reinstall the operating system to ensure a clean environment; a system that has hosted a rootkit cannot be trusted after "cleaning".

Patch all discovered vulnerabilities and rotate every password and key that was present on the host.

Restore data and bring the server back online, then watch it closely for signs of the attacker returning.
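For the "identify the attack source" step, the following added example (not from the original article) runs simple detection logic over the SSH and sudo entries of an auth log such as /var/log/secure: failed logins per source address, successful logins from an address that had failed before (a brute-force attack that eventually worked), and commands executed through sudo afterwards. The log lines are constructed and use RFC 5737 documentation addresses; the same functions accept the real file as their argument.

```shell
#!/bin/sh
# Added example, not from the original article: triage the SSH entries of an
# auth log (/var/log/secure on RHEL-style systems) during the "identify the
# attack source" step. The log lines below are constructed; addresses come
# from the RFC 5737 documentation ranges.

# Failed password attempts per source address, busiest first.
failed_logins_by_ip() {
    awk '/sshd\[[0-9]+\]: Failed password/ {
             for (i = 1; i <= NF; i++) if ($i == "from") c[$(i + 1)]++
         }
         END { for (ip in c) print c[ip], ip }' "$1" | sort -rn
}

# Successful logins from an address that had failed before: the signature of a
# brute-force attack that eventually worked. Prints "ip user N failures before success".
suspicious_successes() {
    awk '/sshd\[[0-9]+\]: Failed password/ {
             for (i = 1; i <= NF; i++) if ($i == "from") failed[$(i + 1)]++
         }
         /sshd\[[0-9]+\]: Accepted (password|publickey)/ {
             user = ""; ip = ""
             for (i = 1; i <= NF; i++) {
                 if ($i == "for")  user = $(i + 1)
                 if ($i == "from") ip   = $(i + 1)
             }
             if (ip in failed) print ip, user, failed[ip] " failures before success"
         }' "$1"
}

# Commands run through sudo, so privilege use after a login can be reviewed.
sudo_commands() {
    awk -F'COMMAND=' '/ sudo: / && NF > 1 { split($1, a, " "); print a[6] " ran " $2 }' "$1"
}

# Constructed auth log: a password-guessing run from 203.0.113.5 that ends in a
# successful root login, one unrelated failure, a legitimate key login, and a
# sudo shell.
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
Mar 10 02:14:07 web1 sshd[2210]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Mar 10 02:14:09 web1 sshd[2210]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Mar 10 02:14:12 web1 sshd[2214]: Failed password for root from 203.0.113.5 port 51240 ssh2
Mar 10 02:14:15 web1 sshd[2218]: Failed password for root from 192.0.2.9 port 40011 ssh2
Mar 10 02:15:01 web1 sshd[2220]: Accepted publickey for alice from 198.51.100.7 port 50022 ssh2
Mar 10 02:16:44 web1 sshd[2231]: Accepted password for root from 203.0.113.5 port 51302 ssh2
Mar 10 02:16:44 web1 sshd[2231]: pam_unix(sshd:session): session opened for user root by (uid=0)
Mar 10 02:17:03 web1 sudo:   alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/bash
EOF

echo "== failed logins by source =="; failed_logins_by_ip "$SAMPLE_LOG"
echo "== successes after failures =="; suspicious_successes "$SAMPLE_LOG"
echo "== sudo usage =="; sudo_commands "$SAMPLE_LOG"
```

On the sample, 203.0.113.5 accounts for three failures and then a successful root password login, which is the event to start the timeline from. Remember that a log on the compromised host proves nothing by its absence: an intruder with root can delete the lines that matter, so compare with the copy on your remote syslog server.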

Key Commands for Investigation

Find files and directories that are world-writable (-perm -2) or group-writable (-perm -20). The parentheses are required, otherwise -type only applies to the first test; -xdev keeps find on the local filesystem, and -exec ... + replaces the xargs pipeline that breaks on file names with spaces:

find / -xdev -type f \( -perm -2 -o -perm -20 \) -exec ls -al {} +
find / -xdev -type d \( -perm -2 -o -perm -20 \) -exec ls -ld {} +

Locate set-uid/set-gid binaries (compare the list with one taken on a known-clean install of the same release):

find / -xdev -type f \( -perm -4000 -o -perm -2000 \) -exec ls -al {} +

Hash root-owned files with special bits so they can be compared against a baseline recorded on a known-clean system (the original used md5sum; sha256sum is preferred today, and the baseline must be stored off the host):

find / -xdev -user root -type f -perm -2000 -exec sha256sum {} +
find / -xdev -user root -type f -perm -4000 -exec sha256sum {} +

Detect orphan files without a valid owner or group, typical leftovers of deleted accounts or of archives unpacked by an intruder:

find / -xdev \( -nouser -o -nogroup \) -exec ls -ld {} +

Verify package integrity on RPM-based systems. This trusts the local RPM binary and database, both of which a rootkit can tamper with, so on a suspect host compare against a clean installation of the same packages as well:

rpm -Va

Inspect suspicious processes, for example every running sshd. An exe link that ends in "(deleted)", or that points somewhere other than the installed binary, is a red flag, as are open file descriptors on unexpected sockets or files:

for pid in $(pidof sshd); do
    ls -l /proc/$pid/exe /proc/$pid/cwd
    ls -l /proc/$pid/fd
done
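The script below is an added example, not code from the original article. It wraps the investigation commands of this section in functions with the precedence and quoting fixes applied, and adds what the hashing commands imply but do not show: taking a set-uid/set-gid hash baseline on a clean host and comparing a later one against it to reveal replaced, planted or removed binaries. That is the idea behind the file-property checks of rkhunter in section 4, reduced to a few lines. The directory tree and files at the bottom are constructed for the demonstration; on a real host the root is / and the baseline is kept off the machine.

```shell
#!/bin/sh
# Added example, not from the original article: the investigation commands of
# this section with their precedence and quoting fixed, plus a set-uid/set-gid
# hash baseline that can be taken on a known-clean host and compared later.
# The test data at the bottom is constructed.

# World- or group-writable files and directories below a root. The parentheses
# matter: without them "-type f" only binds to the first -perm test. -xdev
# stays on one filesystem so /proc and network mounts are not walked.
find_writable() {
    find "$1" -xdev \( -type f -o -type d \) \( -perm -0002 -o -perm -0020 \) -exec ls -ld {} +
}

# Files without an existing owner or group, typical leftovers of deleted
# accounts and of files unpacked from an intruder's archive.
find_orphans() {
    find "$1" -xdev \( -nouser -o -nogroup \) -exec ls -ld {} +
}

# SHA-256 of one file; works with GNU coreutils and with the BSD/macOS shasum.
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1"; else shasum -a 256 "$1"; fi
}

# Hash every set-uid/set-gid regular file below a root into a baseline file
# ("<hash>  <path>", sorted by path). Run this once on a clean system and keep
# the result off-host; an attacker with root can edit a baseline kept locally.
setuid_baseline() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print |
        while IFS= read -r f; do hash_file "$f"; done | sort -k 2 > "$2"
}

# Compare an old and a new baseline. Prints one line per difference:
# "changed <path>" (same file, new contents: a replaced binary),
# "added <path>"   (a new set-uid file: a planted backdoor until explained),
# "removed <path>" (gone, or no longer set-uid).
setuid_compare() {
    awk 'NR == FNR { old[$2] = $1; next }
         ($2 in old) && old[$2] != $1 { print "changed", $2 }
         !($2 in old)                 { print "added", $2 }
         { seen[$2] = 1 }
         END { for (f in old) if (!(f in seen)) print "removed", f }' "$1" "$2" | sort
}

# Demonstration on a constructed directory tree; in practice the root is /.
DEMO=$(mktemp -d)
printf 'original binary\n' > "$DEMO/passwd";  chmod 4755 "$DEMO/passwd"
printf 'no bits here\n'    > "$DEMO/plain";   chmod 0755 "$DEMO/plain"
printf 'anyone may edit\n' > "$DEMO/dropbox"; chmod 0666 "$DEMO/dropbox"
setuid_baseline "$DEMO" "$DEMO/baseline.txt"

# Simulate what a rootkit does: replace the binary (re-setting the bit, which
# the kernel clears when an unprivileged write touches a set-uid file) and
# plant an extra set-uid file.
printf 'trojaned binary\n' > "$DEMO/passwd"; chmod 4755 "$DEMO/passwd"
printf 'backdoor\n'        > "$DEMO/.sh";    chmod 4755 "$DEMO/.sh"
setuid_baseline "$DEMO" "$DEMO/current.txt"

echo "== set-uid changes =="; setuid_compare "$DEMO/baseline.txt" "$DEMO/current.txt"
echo "== writable =="; find_writable "$DEMO"
```

On the constructed tree the comparison reports "changed .../passwd" and "added .../.sh", while the writable scan lists only the 0666 file. A baseline is only as trustworthy as the system it was taken on, so record it right after installation and hardening, before the server is exposed.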

After remediation, re‑apply the hardening measures described above to maintain a secure posture.

Republication Notice

This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contact admin@besthub.dev and we will review it promptly.

Tags: Linux, account security, Rootkit Detection, File Permissions
Written by

Open Source Linux

Focused on sharing Linux/Unix content, covering fundamentals, system development, network programming, automation/operations, cloud computing, and related professional knowledge.
