May 30, 2026

🔒 Fortify Your Fortress: Essential Linux Hardening Tips for SysAdmins

In today’s ever-evolving threat landscape, even the most robust Linux distributions are not immune to attacks. Whether you’re managing a single server or a fleet of cloud instances, hardening your Linux system is a critical first line of defense. As an IT system administrator, I’ve seen too many breaches that could have been prevented with basic security hygiene. In this post, I’ll share actionable, battle-tested Linux hardening tips that will help you lock down your systems without sacrificing usability.

---

1. Keep Your System Updated

The simplest yet most overlooked step is patching. Outdated software is a goldmine for attackers.
  • Enable automatic security updates (e.g., `unattended-upgrades` on Debian/Ubuntu).
  • Regularly run:
```bash
sudo apt update && sudo apt upgrade -y   # Debian/Ubuntu
sudo dnf update -y                       # RHEL/CentOS/Fedora
```
  • Subscribe to security advisories for your distribution (e.g., Ubuntu Security Notices, Red Hat CVE database).
  • Remove unused packages to reduce attack surface.
---

2. Harden SSH Access

SSH is the most common entry point for remote management—and a prime target for brute-force attacks.
  • Disable root login via SSH:
Edit `/etc/ssh/sshd_config`: `PermitRootLogin no`
  • Use key-based authentication only (disable password authentication):
`PasswordAuthentication no`
  • Change the default port (22 → e.g., 2222) to reduce automated scans.
  • Implement fail2ban to block IPs after repeated failed attempts.
  • Restrict SSH access by user/group using `AllowUsers` or `AllowGroups`.
  • Make sure only SSH protocol 2 is in use (protocol 1 is insecure; current OpenSSH releases have removed it entirely, so this only matters on old installs).
After changes, check the file for syntax errors with `sudo sshd -t`, then restart SSH: `sudo systemctl restart sshd` (keep your current session open until you have confirmed that a fresh login works).
---
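An added example (not from the original post) that applies the directives above to a copy of `sshd_config`. Because sshd uses the first value it finds for a keyword, the script rewrites every existing occurrence (including commented-out defaults) instead of appending, adds `AllowGroups` plus `ChallengeResponseAuthentication no` (so PAM cannot accept a password via keyboard-interactive), and wraps `sshd -t` for the pre-restart syntax check. The group name `sshusers` and the demo file contents are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: apply the sshd_config directives
# above to a file, honouring the fact that sshd uses the FIRST value it finds
# for a keyword, then validate the result before restarting the daemon.

# set_directive FILE KEY VALUE: rewrite every existing KEY line (commented or
# not) so no earlier default can shadow the new value; append if absent.
# Keep these global directives above any "Match" block in the file.
set_directive() {
    if grep -Eq "^[#[:space:]]*$2[[:space:]]" "$1"; then
        sed -i -E "s|^[#[:space:]]*$2[[:space:]].*|$2 $3|" "$1"
    else
        printf '%s %s\n' "$2" "$3" >> "$1"
    fi
}

# get_directive FILE KEY: print the value sshd would use (first match wins).
get_directive() {
    awk -v k="$2" '$1 == k { print $2; exit }' "$1"
}

# harden_sshd FILE GROUP: the settings recommended above, plus AllowGroups and
# no keyboard-interactive fallback (group name is an assumption).
harden_sshd() {
    set_directive "$1" PermitRootLogin no
    set_directive "$1" PasswordAuthentication no
    set_directive "$1" ChallengeResponseAuthentication no
    set_directive "$1" AllowGroups "$2"
}

# validate_sshd FILE: syntax-check with sshd -t when the binary is available.
# Run this (and `sshd -T` to dump effective settings) before restarting sshd.
validate_sshd() {
    if command -v sshd >/dev/null 2>&1; then
        sshd -t -f "$1"
    else
        echo "sshd not found; skipping syntax check" >&2
    fi
}

# Demo on a constructed copy, never on the live /etc/ssh/sshd_config.
demo=$(mktemp)
printf '#PermitRootLogin prohibit-password\nPasswordAuthentication yes\n' > "$demo"
harden_sshd "$demo" sshusers
cat "$demo"
rm -f "$demo"
```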

3. Implement Strong Password Policies

Even with key-based SSH, local accounts need robust password rules.
  • Install and configure `libpam-pwquality` (or `pam_cracklib`).
  • Set minimum length (e.g., 14 characters), complexity (uppercase, lowercase, digits, special chars), and password history.
  • Enforce password aging:
```bash
sudo chage -M 90 <username>   # Max days before a password must be changed
sudo chage -m 7 <username>    # Min days between password changes
```
(Set `PASS_MAX_DAYS` and `PASS_MIN_DAYS` in `/etc/login.defs` so that new accounts get the same defaults.)
  • Lock accounts after failed login attempts using `pam_tally2` or `faillock`.
---

4. Lock Down User Accounts and Permissions

Principle of least privilege is non-negotiable.
  • Remove unnecessary users (e.g., `games`, `lp`, `uucp`).
  • Disable unused service accounts (e.g., `nobody` should not have a login shell).
  • Use `sudo` instead of root for administrative tasks. Restrict sudo access via `/etc/sudoers` (use `visudo`).
  • Set strict file permissions on critical files (distribution defaults vary, e.g. Debian ships `/etc/shadow` as `root:shadow` mode 640, so check what your distribution expects before tightening further):
```bash
chmod 600 /etc/shadow
chmod 644 /etc/passwd
chmod 640 /etc/ssh/sshd_config
```
  • Audit SUID/SGID binaries regularly:
`find / -perm /6000 -type f -exec ls -ld {} \;`
---
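An added example (not from the original post) that turns the one-off `find` above into a repeatable audit: record a baseline of SUID/SGID files on a known-good host and report any binary that appears, disappears, or changes owner or mode. The baseline path and the demo tree are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: turn the one-off find above into a
# repeatable audit. Record a baseline of SUID/SGID files on a known-good host,
# then report any binary that appears, disappears, or changes owner/mode.

# suid_list ROOT: "path owner mode" for every SUID/SGID regular file under ROOT,
# staying on one filesystem and sorted so listings can be diffed line by line.
suid_list() {
    find "$1" -xdev -type f -perm /6000 -printf '%p %u %m\n' 2>/dev/null | sort
}

# suid_baseline ROOT FILE: save the current listing as the baseline.
suid_baseline() {
    suid_list "$1" > "$2"
}

# suid_diff ROOT FILE: print "+path" for new entries and "-path" for removed ones
# (a changed owner or mode shows up as both). Returns 1 when anything changed so
# the function can drive a cron job or alert; 0 when the set is unchanged.
suid_diff() {
    current=$(mktemp)
    suid_list "$1" > "$current"
    changes=$(diff "$2" "$current" | sed -n 's/^> \([^ ]*\).*/+\1/p; s/^< \([^ ]*\).*/-\1/p')
    rm -f "$current"
    [ -z "$changes" ] && return 0
    printf '%s\n' "$changes"
    return 1
}

# Demo on a constructed tree. On a real host: suid_baseline / /var/lib/suid.baseline
demo=$(mktemp -d); base=$(mktemp)
: > "$demo/legit"; chmod 4755 "$demo/legit"
suid_baseline "$demo" "$base"
: > "$demo/dropped_in"; chmod 4755 "$demo/dropped_in"
suid_diff "$demo" "$base" || echo "SUID/SGID set changed since baseline"
rm -rf "$demo" "$base"
```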

5. Configure the Firewall (iptables/nftables/UFW)

A properly configured firewall is your network’s bouncer.
  • Use `ufw` (Uncomplicated Firewall) for simplicity on Ubuntu:
```bash
sudo ufw default deny incoming
sudo ufw default allow outgoing
sudo ufw allow ssh          # or `sudo ufw allow 2222/tcp` if you moved SSH off port 22
sudo ufw enable
```
  • For advanced setups, use `nftables` (the modern replacement for iptables).
  • Block ICMP echo (ping) requests by setting `net.ipv4.icmp_echo_ignore_all = 1` in sysctl (bear in mind that this also hides the host from legitimate ping-based monitoring).
  • Rate-limit incoming connections to mitigate DDoS.
  • Log dropped packets for forensic analysis.
---

6. Disable Unnecessary Services and Kernel Modules

Every running service is a potential vulnerability.
  • List all services: `systemctl list-unit-files --type=service`
  • Disable unused ones: `sudo systemctl disable --now <service>` (`--now` also stops the running instance).
  • Remove or mask high-risk services like `telnet`, `rsh`, `rlogin`.
  • Blacklist unused kernel modules (e.g., `bluetooth`, `firewire`) in `/etc/modprobe.d/blacklist.conf`.
---

7. Harden the Kernel with sysctl

Tweak kernel parameters to reduce attack surface. Edit `/etc/sysctl.conf` or add a file under `/etc/sysctl.d/` (e.g. `/etc/sysctl.d/99-hardening.conf`):
```bash
# IP spoofing protection (reverse-path filtering)
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1

# Ignore ICMP redirects
net.ipv4.conf.all.accept_redirects = 0
net.ipv6.conf.all.accept_redirects = 0

# Disable source packet routing
net.ipv4.conf.all.accept_source_route = 0
net.ipv6.conf.all.accept_source_route = 0

# Log martian packets (spoofed addresses)
net.ipv4.conf.all.log_martians = 1
```
Apply with `sudo sysctl -p` (which reads `/etc/sysctl.conf`) or `sudo sysctl --system` to load every file under `/etc/sysctl.d/` as well, then confirm with e.g. `sysctl net.ipv4.conf.all.rp_filter`.
---
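An added example (not from the original post) that verifies the sysctl settings above are actually in effect by reading `/proc/sys` directly, which is what `sysctl` itself does. It is useful right after `sysctl --system` and as a periodic drift check, because a later drop-in file or a daemon can silently override a value. The optional second argument, the sample file and the drop-in name are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: confirm that the kernel is really
# running the values from a sysctl file by reading /proc/sys directly.

# sysctl_audit CONF [PROC_SYS]: for each "key = value" line in CONF, compare with
# the live value under PROC_SYS (default /proc/sys; tests may pass a constructed
# tree). Prints one line per mismatch; the return value is the mismatch count.
sysctl_audit() {
    proc=${2:-/proc/sys}; bad=0
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%%#*}                        # drop comments
        case $line in *=*) ;; *) continue ;; esac
        key=$(printf '%s' "${line%%=*}" | sed 's/^[[:space:]]*//; s/[[:space:]]*$//')
        want=$(printf '%s' "${line#*=}" | sed 's/^[[:space:]]*//; s/[[:space:]]*$//')
        path="$proc/$(printf '%s' "$key" | tr . /)"   # dots in keys are path parts
        if [ ! -r "$path" ]; then
            echo "$key: not present on this kernel"; bad=$((bad + 1)); continue
        fi
        read -r got < "$path"                   # first line; enough for numeric keys
        if [ "$got" != "$want" ]; then
            echo "$key: want $want, got $got"; bad=$((bad + 1))
        fi
    done < "$1"
    return $bad
}

# Demo with a constructed copy of the settings above, checked against this host.
conf=$(mktemp)
cat > "$conf" <<'EOF'
# constructed sample, same keys as the sysctl block in the post
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.all.log_martians = 1
EOF
sysctl_audit "$conf" || echo "some settings are not applied (see above)"
rm -f "$conf"
```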

8. Enable Logging and Monitoring

You can’t secure what you don’t monitor.
  • Enable auditd for system call auditing:
`sudo apt install auditd` and configure rules in `/etc/audit/rules.d/`.
  • Centralize logs with `rsyslog` or `syslog-ng` to a remote server.
  • Use `logwatch` for daily log summaries and `aide` for file-integrity monitoring.
  • Install `rkhunter` or `chkrootkit` for rootkit detection.
  • Monitor failed login attempts via `/var/log/auth.log` (`/var/log/secure` on RHEL-family systems).
---
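An added example (not from the original post) of the check behind "monitor failed login attempts": a script that summarises failed SSH logins per source address from auth.log-style lines and lists which account names a given source tried, which separates a spray of generic names from attempts against a real local user. The log lines are constructed and use documentation addresses; IPv6 sources are not parsed, and the threshold is an assumption.

```shell
#!/bin/sh
# Added example, not from the original post: summarise failed SSH logins from
# /var/log/auth.log-style lines (or `journalctl _COMM=sshd` output on
# journal-only hosts). Demo data is constructed; IPv6 sources are not parsed.

# failed_logins LOG THRESHOLD: "count ip" for each source address with at least
# THRESHOLD failed-password or invalid-user events, busiest source first.
failed_logins() {
    grep -E 'sshd\[[0-9]+\]: (Failed password|Invalid user)' "$1" \
        | grep -oE 'from ([0-9]{1,3}\.){3}[0-9]{1,3}' \
        | awk '{ print $2 }' | sort | uniq -c | sort -rn \
        | awk -v t="$2" '$1 >= t { print $1, $2 }'
}

# targeted_users LOG IP: the account names one source tried, sorted and unique.
targeted_users() {
    grep -F "from $2 " "$1" \
        | sed -nE 's/.*(Failed password for (invalid user )?|Invalid user )([^ ]+) from .*/\3/p' \
        | sort -u
}

# write_sample_log FILE: constructed auth.log lines for the demo.
write_sample_log() {
    cat > "$1" <<'EOF'
May 30 10:01:02 host sshd[1234]: Failed password for root from 192.0.2.10 port 51000 ssh2
May 30 10:01:05 host sshd[1235]: Failed password for invalid user admin from 192.0.2.10 port 51001 ssh2
May 30 10:01:09 host sshd[1236]: Invalid user test from 192.0.2.10 port 51002
May 30 10:02:00 host sshd[1240]: Failed password for alice from 198.51.100.7 port 40000 ssh2
May 30 10:02:30 host sshd[1241]: Accepted publickey for alice from 198.51.100.7 port 40001 ssh2
EOF
}

log=$(mktemp)
write_sample_log "$log"
echo "sources with 3 or more failures:"; failed_logins "$log" 3
echo "accounts tried from 192.0.2.10:"; targeted_users "$log" 192.0.2.10
rm -f "$log"
```

On a real host, point `failed_logins` at `/var/log/auth.log` and feed the resulting addresses to fail2ban's log or your SIEM rather than acting on a single run.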

9. Secure Physical Access and Boot

Physical access = full compromise.
  • Set a BIOS/UEFI password to prevent boot device changes.
  • Encrypt the disk with LUKS during installation.
  • Secure GRUB with a password:
```bash
grub-mkpasswd-pbkdf2
```
Then add the resulting hash (as `set superusers` and `password_pbkdf2` entries) to `/etc/grub.d/40_custom` and regenerate the configuration (`update-grub` on Debian/Ubuntu, `grub2-mkconfig -o /boot/grub2/grub.cfg` on RHEL-family systems).
  • Disable boot from removable media in BIOS.
---

10. Use SELinux or AppArmor

Mandatory Access Control (MAC) systems add a layer of protection beyond standard Unix permissions.
  • SELinux (Red Hat/CentOS/Fedora): enforce the targeted policy.
Check status: `getenforce`
Set enforcing: `sudo setenforce 1` (persist with `SELINUX=enforcing` in `/etc/selinux/config`)
  • AppArmor (Ubuntu/Debian): profile-based MAC.
Install: `sudo apt install apparmor apparmor-utils`
Enforce profiles: `sudo aa-enforce /path/to/profile`
---

Conclusion

Linux hardening is not a one-time task—it’s an ongoing process of vigilance and adaptation. Start with these 10 tips, then build a custom security baseline for your environment. Remember, the goal is not to make your system impenetrable (that’s impossible), but to make it so hard to breach that attackers move on to easier targets. A hardened Linux system is a boring system for attackers—and that’s exactly what you want. Stay safe, stay patched, and keep those logs flowing. 🛡️