So I’ve recently had to lock down a public-facing CentOS server. Always a fun process, as I’m sure you know. When all was said and done, I created a quick checklist for my next Linux server hardening project. I’m of course keeping it general; everyone’s purpose, environment, and security standards are different. Hope you find it useful!
Linux Server Hardening Checklist
Documentation
- Write down all relevant machine details – hostname, IP address, MAC address, OS version
- Store in your relevant database
The Basics
- Update the system (yum, apt, etc.)
- Set up disk encryption
- Disable USB and peripheral devices
- Create a non-root user for daily use
- Remove any unused accounts
- Disable shell or elevated access for standard/built-in users
- Disable logon as root
- Disable all unnecessary running services (init.d and xinetd)
- Uninstall/disable all unnecessary or insecure apps (ftp, telnet, X11)
- Set up and configure a firewall
- Use an antivirus and IDS/IPS
- Schedule backup of log files and lock down directory storage
- Separate disk partitions – /usr, /home, /var & /var/tmp, /tmp
- Run only one network service per system
Security Policies and Standards
- Enable SELinux
- Use complex passwords for all accounts
- Enable a strong password policy (minimum length, blend of character types, etc.)
- Use a strong hashing algorithm like SHA512
- Create a “lock account after X failed login attempts” policy
- Set up password aging and expiration
- Restrict use of previous passwords
- Make sure all accounts have a password set
awk -F: '($2 == "") {print}' /etc/shadow
- Verify no non-root account has a UID of 0 (full permissions on the machine)
awk -F: '($3 == "0") {print}' /etc/passwd
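The two checks above, as an added example that is not part of the original post: the awk one-liners wrapped in functions that take passwd- and shadow-format files as arguments, run against constructed sample files so the script works without root (on a live host, pass /etc/passwd and /etc/shadow as root). It goes one step beyond the checklist and also reports any UID shared by two accounts, not only a second UID 0. The file names, function names and the sample accounts are all assumptions of this example.

```shell
#!/bin/sh
# Added example, not part of the original checklist. Account audit helpers that
# take passwd- and shadow-format files as arguments, so they can run against the
# constructed samples below without root.

# Accounts whose password field is empty: login needs no password at all.
empty_password_accounts() {
    awk -F: '($2 == "") {print $1}' "$1"
}

# Accounts other than root whose UID is 0: full privileges under another name.
extra_uid0_accounts() {
    awk -F: '($3 == "0" && $1 != "root") {print $1}' "$1"
}

# UIDs shared by more than one account (generalises the UID 0 check: the kernel
# cannot tell two logins with the same UID apart).
duplicate_uids() {
    cut -d: -f3 "$1" | sort -n | uniq -d
}

# Print one line per finding; exit status is nonzero when anything was found.
audit_accounts() {
    passwd_file=$1
    shadow_file=$2
    findings=0
    for u in $(empty_password_accounts "$shadow_file"); do
        echo "empty password: $u"
        findings=$((findings + 1))
    done
    for u in $(extra_uid0_accounts "$passwd_file"); do
        echo "extra UID 0 account: $u"
        findings=$((findings + 1))
    done
    for id in $(duplicate_uids "$passwd_file"); do
        echo "duplicate UID: $id"
        findings=$((findings + 1))
    done
    [ "$findings" -eq 0 ]
}

# Constructed sample data (NOT real system files); the hash fields are placeholders.
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
cat > "$SAMPLE_DIR/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
toor:x:0:0:second UID 0 account:/root:/bin/bash
alice:x:1000:1000:Alice:/home/alice:/bin/bash
EOF
cat > "$SAMPLE_DIR/shadow" <<'EOF'
root:$6$PLACEHOLDER$PLACEHOLDERHASH:19000:0:99999:7:::
bin:*:19000:0:99999:7:::
toor:$6$PLACEHOLDER$PLACEHOLDERHASH:19000:0:99999:7:::
alice::19000:0:99999:7:::
EOF

# On the sample this reports alice (empty password), toor (second UID 0 account)
# and UID 0 as duplicated.
audit_accounts "$SAMPLE_DIR/passwd" "$SAMPLE_DIR/shadow" \
    || echo "account audit: findings above need attention"
```

On a real system the shadow file is readable only by root, so run `audit_accounts /etc/passwd /etc/shadow` with elevated privileges; the nonzero exit status makes the function usable from a cron job or a configuration-management check.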
- Enable disk usage quotas
- Lock down SSH
- Use public/private keypairs
- Prohibit logins as root
- Don’t allow logins using a password
- Disable either IPv4 or IPv6 depending on what’s not used
- Use an IP whitelist to control who can use SSH
- Enable 2FA
- Set chmod 0700 for all cron tasks so only the root account can see them
- Delete symlinks and disable their creation
- Encrypt communication – SSH, VPNs, rsync, PGP, SSL, SFTP, GPG
- Make sure every file has an owner and a group
find /dir -xdev \( -nouser -o -nogroup \) -print
- Verify no files or directories are world-writable; the command below lists world-writable directories that lack the sticky bit
find /dir -xdev -type d \( -perm -0002 -a ! -perm -1000 \) -print
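The two find checks above as functions, plus a remediation step, added here as an example that is not part of the original post. It builds a constructed directory tree under a temporary path so the behaviour can be tried without root and without scanning the real filesystem; the tree layout, file names and function names are assumptions of this example. The unowned-file check is included for completeness but is not exercised on the sample tree, since creating an unowned file needs root.

```shell
#!/bin/sh
# Added example, not part of the original checklist. Filesystem permission
# checks from the list, run against a constructed directory tree.

# World-writable directories without the sticky bit: any user can delete or
# rename anyone else's files inside them.
world_writable_dirs_no_sticky() {
    find "$1" -xdev -type d \( -perm -0002 -a ! -perm -1000 \) -print
}

# World-writable regular files: any user can change their contents.
world_writable_files() {
    find "$1" -xdev -type f -perm -0002 -print
}

# Files whose UID or GID matches no entry in passwd or group.
# (Setting one up needs root, so the sample tree below does not contain one.)
unowned_files() {
    find "$1" -xdev \( -nouser -o -nogroup \) -print
}

# Remediation: keep shared scratch directories usable but add the sticky bit,
# and drop the world-write bit from files.
harden_world_writable() {
    find "$1" -xdev -type d \( -perm -0002 -a ! -perm -1000 \) -exec chmod +t {} +
    find "$1" -xdev -type f -perm -0002 -exec chmod o-w {} +
}

# Constructed sample tree (not a real system path): one offending directory,
# one /tmp-style directory that is fine, one offending file, one fine file.
build_sample_tree() {
    mkdir "$1/open_dir" "$1/scratch" "$1/private"
    chmod 0777 "$1/open_dir"     # world-writable, no sticky bit -> finding
    chmod 1777 "$1/scratch"      # world-writable with sticky bit, like /tmp -> ok
    chmod 0755 "$1/private"
    : > "$1/open_dir/loose.conf"; chmod 0666 "$1/open_dir/loose.conf"  # finding
    : > "$1/private/ok.conf";     chmod 0644 "$1/private/ok.conf"       # ok
}

TREE=$(mktemp -d)
trap 'rm -rf "$TREE"' EXIT
build_sample_tree "$TREE"

echo "before hardening:"
world_writable_dirs_no_sticky "$TREE"
world_writable_files "$TREE"
harden_world_writable "$TREE"
echo "after hardening (expected: no output):"
world_writable_dirs_no_sticky "$TREE"
world_writable_files "$TREE"
```

Against a real host, point the functions at `/` (the `-xdev` keeps find on one filesystem, so run once per mounted partition) and review the "before" list by hand before calling the remediation: a world-writable directory under an application's data path may be intentional, and adding the sticky bit changes who can remove files there.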
- Configure auditd
- Configure regular backups
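For the "Lock down SSH" items above (no root login, no password login, one address family, an IP whitelist), here is an added example that is not part of the original post: a small auditor that reads an sshd_config file and reports which of those settings are weak or missing, checked against a constructed permissive configuration and a constructed hardened one. The fallback defaults are upstream OpenSSH's (an assumption: a distribution may ship different ones), the AllowUsers check stands in for the IP whitelist item (a firewall rule also satisfies it but cannot be seen from this file), and the function names and sample addresses are assumptions of the example.

```shell
#!/bin/sh
# Added example, not part of the original checklist: audit an sshd_config file
# for the "Lock down SSH" items. It parses a file path, so the constructed
# samples below can be checked without sshd installed. On a live host prefer
# `sshd -T`, which prints the effective configuration with defaults applied.

# Effective value of a directive. sshd takes the first occurrence of a keyword,
# keywords are case-insensitive, and anything after the first Match line is
# conditional, so parsing stops there.
ssh_directive() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[ \t]*#/ || NF == 0       { next }
        tolower($1) == "match"      { exit }
        tolower($1) == key          { print $2; exit }
    ' "$1"
}

# Print one line per weak or missing setting; exit status is nonzero if any.
# Fallback values are upstream OpenSSH defaults (assumption: distributions may
# ship different ones, which is why `sshd -T` is the authority on a live host).
audit_sshd_config() {
    cfg=$1
    findings=0
    want() {  # want <directive> <required value> <default if unset>
        val=$(ssh_directive "$cfg" "$1")
        [ -n "$val" ] || val=$3
        if [ "$(printf '%s' "$val" | tr 'A-Z' 'a-z')" != "$2" ]; then
            echo "$1 is '$val', want '$2'"
            findings=$((findings + 1))
        fi
    }
    want PermitRootLogin        no  prohibit-password
    want PasswordAuthentication no  yes
    want PubkeyAuthentication   yes yes
    want PermitEmptyPasswords   no  no
    # "Disable IPv4 or IPv6": require an explicit family rather than the default "any".
    af=$(ssh_directive "$cfg" AddressFamily)
    if [ "$af" != inet ] && [ "$af" != inet6 ]; then
        echo "AddressFamily is '${af:-any}', want inet or inet6"
        findings=$((findings + 1))
    fi
    # IP whitelist: AllowUsers user@host patterns (a firewall rule also qualifies,
    # but that cannot be seen from this file).
    if [ -z "$(ssh_directive "$cfg" AllowUsers)" ]; then
        echo "AllowUsers is unset, want an explicit user@host list"
        findings=$((findings + 1))
    fi
    [ "$findings" -eq 0 ]
}

# Constructed sample configurations (not from any real host; addresses are from
# the documentation ranges).
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cat > "$WORK/weak_sshd_config" <<'EOF'
# permissive: root and password logins allowed, reachable from anywhere
Port 22
PermitRootLogin yes
PasswordAuthentication yes
EOF
cat > "$WORK/hardened_sshd_config" <<'EOF'
Port 22
AddressFamily inet
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
PermitEmptyPasswords no
AllowUsers alice@203.0.113.10 ops@192.0.2.0/24
EOF

echo "weak config:"
audit_sshd_config "$WORK/weak_sshd_config" || echo "-> not hardened"
echo "hardened config:"
audit_sshd_config "$WORK/hardened_sshd_config" && echo "-> all checks pass"
```

The weak sample produces four findings (root login, password login, no address family, no AllowUsers list) and the hardened one none. Keep a second SSH session open while changing these settings on a real host, and test a fresh key-based login before closing it, since a mistake in PasswordAuthentication or AllowUsers locks you out.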
Other Useful Tools
- Fail2ban – a great tool for automatically banning suspicious IP addresses
- ClamAV – an open-source antivirus engine
- Lynis – open-source auditing tool for Linux