Hardening And Patch Management' title='Hardening And Patch Management' />Hardening Tips to Secure your Linux Server. It is important to secure a Linux system as much as possible in order to reduce the likelihood of compromise. Here are 2. 3 security tips to guide you through hardening your Linux operating system. Index. Patch the Operating System. Patch Third Party Applications. Disable Remote Root Access. Disable Root Console Access. Restrict Root Privileges. Enable and Configure Firewall. Encrypt Network Transmissions. Two Factor Authentication. Security Enhanced Linux SELinuxReduce Attack Surface. Log Review. Limit SSH Access. Physical Security. Atherosclerosis is a disease in which the inside of an artery narrows due to the build of plaque. Initially there is generally no symptoms. When severe it can result. Infrastructure Hardening Policy Page 4 of 8 0. Overview 0. 1 Hardening is the process of securing a system by reducing its surface of vulnerability. Securing the BIOSSecuring the Boot Loader. Encrypt Data. Centralized Authentication. Enforce Strong Passwords. Password Aging. Account Lockout. Using SSH Keys. Host Based Intrusion Detection System HIDSVirusMalware Scanning. Note This guide refers to a Linux system as a server, computer, or client. These terms should be read interchangeably as all tips apply to any system running Linux. Linux Server Security Hardening Tips. Patch the Operating System It is extremely important that the operating system and various packages installed be kept up to date as it is the core of the environment. Without a stable and secure operating system most of the following security hardening tips will be much less effective. To perform an update of all packages installed you can make use of these commands which will list all available updates for installation and prompt you to proceed. RHEL Based OS yum update. Debian Based OS apt get upgrade. These commands will install all available package updates from the repository, which may include the Linux kernel. Check the list of updates to be installed to see if there is a kernel update as this will require a reboot to apply. In Linux the kernel is the core component of the operating system, it manages components such as memory, the CPU, process scheduling and more. Due to this central role the kernel cannot be restarted without a reboot of the whole operating system, so to complete a kernel update the system will need to be rebooted. There are third party options available to avoid system reboot, such as those offered by Ksplice or Kernel. Care. Other packages that run in user space can simply be restarted to make use of the updated version without system reboot. It is advisable that security updates be installed as soon as possible, this can either be done manually or automatically via crontab. It is also suggested that you subscribe to the mailing list for your operating system as these will keep you updated on any security updates to the kernel and other common packages as they become available. Patch Third Party Applications Any other custom applications that you have installed that are not maintained by a package manager must also be patched frequently so that the latest security updates can be applied. Some examples of such applications include popular web applications like Word. Press, Joomla or Drupal. These types of applications are installed outside of the package manager, so a yum update or apt get upgrade will not update them. Some applications may update automatically such as Word. Press, while others may require a manual process to update such as Word. Press plugins. The update process for the particular application will differ on a case by case basis, so if you are unsure check the official documentation from the vendor and schedule regular updates. It is recommended that you subscribe to any mailing lists or alerts provided by the application vendor to keep up to date with any vulnerabilities that become disclosed so that you can update in a timely manner. Disable Remote Root Access In Linux the root user has full unrestricted access to the system, by disabling logging in directly as the root user we can improve security as attackers typically attempt to compromise the root account. Games For Acer Iconia Tab W500. This can be done by editing the etcpasswd file and changing the root shell from binbash to sbinnologin. Default etcpasswd for rootroot x 0 0 root root binbash. After disabling root loginroot x 0 0 root root sbinnologin. This will prevent root access through the GUI, SSH, SCP, SFTP and with su. It will not disable sudo or console access however. Services can also be explicitly configured to disallow root login. Remote access through SSH for instance can be disabled for the root user by modifying the etcsshsshdconfig file as below. After editing the file, restart the service to apply the change. Twin Usb Joystick Driver Windows 10. Permit. Root. Login no. Root privileges can be delegated out to other user accounts as required. As a best practice you do not want to provide the root password to multiple users as it makes auditing and tracking who is doing what with the account more difficult. To provide root access to other users, the user account can be added to the sudoers file which will grant them root privileges. This file can be modified with the visudo command. ALLALL ALL. ALLALL ALL. The root account will be there by default, other accounts can also be specified. In this instance the bob account has been added to also have full sudo privileges and can run all commands as root by prefixing them with sudo and correctly entering their password. Disable Root Console Access The previous step disables remote access for the root account, however it will still be possible for root to log in through any console device. Depending on the security of your console access you may wish to leave root access in place, otherwise it can be removed by clearing the etcsecuretty file as shown below. This file lists all devices that root is allowed to login to, the file must exist otherwise root will be allowed access through any communication device available whether that be console or other. With no devices listed in this file root access has been disabled. It is important to note that this does not prevent root from logging in remotely with SSH for instance, that must be disabled as outlined in point 3 Disable remote root access above. Access to the console itself should also be secured, a physical console can be protected by the information covered in point 1. Physical security. Restrict Root Privileges As mentioned above users that require root privileges can be added to the sudoers file, however we can further restrict what the users can run as root rather than simply providing full access by explicitly specifying the commands in the sudoers file. For instance with bob removed from the sudoers file, he is not able to reboot the server. This incident will be reported. However after running visudo and editing the sudoers file as below, this becomes possible. ALLusrsbinreboot. After this change bob is now able to perform the reboot as root but nothing else. Enable and Configure Firewall A firewall such as iptables or firewalld should be used to restrict inbound and outbound traffic to and from your Linux server. While it is ideal to restrict both inbound and outbound traffic, it is more common for a server to allow any outbound traffic and only restrict incoming traffic. This is generally because attacks initiate externally especially from the Internet, these external networks are therefore less trustworthy than the server itself. If a service on the server is compromised and the server is capable of connecting out to the Internet without restriction then it could cause further compromise of the system.