Linux System Hardening

A general overview of techniques to harden Linux systems. The techniques here are aimed at Ubuntu systems.

General best practices

  • Regularly update your system: Keep your Linux distribution and all installed software up to date by applying security patches and updates. This helps protect against known vulnerabilities.

  • Use strong passwords: Enforce strong password policies, including password complexity requirements and regular password changes. Consider using a password manager to generate and securely store complex passwords.

  • Disable unnecessary services: Disable or uninstall any unnecessary services and daemons to minimize the attack surface of your system. Only enable the services required for your system's functionality.

GRUB password

Most BIOS and UEFI firmware allows you to set a boot password, which prevents unauthorized users from booting the system.

One tool to do so is grub2-mkpasswd-pbkdf2, which prompts you to input your password twice and generates a hash for you. The resulting hash should be added to the appropriate GRUB configuration file.

Filesystem Partitioning and Encryption

VeraCrypt is a nice and easy tool to use.

However, we can also use LUKS (Linux Unified Key Setup).

Most distributions let you encrypt a drive using a graphical interface. However, if you would like to set up LUKS from the command line, the steps are along these lines:

  • Install cryptsetup-luks. (apt install cryptsetup)

  • Confirm the partition name using fdisk -l, lsblk or blkid. (Create a partition using fdisk if necessary.)

  • Set up the partition for LUKS encryption: cryptsetup -y -v luksFormat /dev/sdb1. (Replace /dev/sdb1 with the partition name you want to encrypt.)

  • Create a mapping to access the partition: cryptsetup luksOpen /dev/sdb1 EDCdrive.

  • Confirm mapping details: ls -l /dev/mapper/EDCdrive and cryptsetup -v status EDCdrive.

  • Overwrite existing data with zeros (written through the mapping, so the raw device holds only encrypted blocks): dd if=/dev/zero of=/dev/mapper/EDCdrive.

  • Format the partition: mkfs.ext4 /dev/mapper/EDCdrive -L "Strategos USB".

  • Mount it and start using it like a usual partition: mount /dev/mapper/EDCdrive /media/secure-USB.

Firewall (iptables)

We can configure firewall rules in Linux systems with iptables. Other firewalls include nftables. It is often easier to use a GUI than a CLI, as managing firewall rules is quite cumbersome.

Example: Enable SSH traffic.

iptables -A INPUT -p tcp --dport 22 -j ACCEPT

  • -A INPUT appends to the INPUT chain, i.e., packets destined for the system.

  • -p tcp --dport 22 applies to TCP protocol with destination port 22.

  • -j ACCEPT jumps to the ACCEPT target, i.e., the packet is allowed through.

iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT

  • -A OUTPUT appends to the OUTPUT chain, i.e., packets leaving the system.

  • -p tcp --sport 22 applies to TCP protocol with source port 22.

Remote Access

Always use SSH and:

  1. Disable remote login as root; force login as non-root users.

  2. Disable password authentication; force public key authentication (with a passphrase-protected key) instead.

  3. Preferably, enforce a whitelisting approach for public keys.

The configuration of the OpenSSH server can be controlled via the sshd_config file, usually located at /etc/ssh/sshd_config. You can disable the root login by adding the following line:

PermitRootLogin no

We can disable password authentication and enable public key authentication as follows:

  • PubkeyAuthentication yes to enable public key authentication

  • PasswordAuthentication no to disable password authentication
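As an added example (not part of the original notes), here is a small Python audit of the three settings above that applies two sshd rules worth knowing: the first value obtained for a keyword wins, and Include directives (Ubuntu ships one at the top of sshd_config) are expanded in place, so a drop-in under /etc/ssh/sshd_config.d/ can silently override the lines you added. It assumes absolute Include patterns and takes file contents from a dict so it runs offline; the sample sshd_config and the 50-cloud-init.conf drop-in are constructed.

```python
import fnmatch
import re
# Hardened values this page recommends for the global section of sshd_config.
WANTED = {"permitrootlogin": "no", "passwordauthentication": "no",
          "pubkeyauthentication": "yes"}

def _parse(text):
    """Yield (keyword, value) from sshd_config text: keywords are case-insensitive,
    'Key value' and 'Key=value' are both accepted, stop at the first Match block."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, value = re.match(r"([^\s=]+)\s*=?\s*(.*)", line).groups()
        if key.lower() == "match":  # Match settings are conditional, not global
            return
        yield key.lower(), value.strip()

def effective_settings(files, path):
    """Global settings sshd would use: the FIRST value seen for a keyword wins and
    Include is expanded in place (Ubuntu ships 'Include /etc/ssh/sshd_config.d/*.conf'
    at the top). `files` maps path -> content; assumes absolute Include patterns."""
    settings = {}
    for key, value in _parse(files.get(path, "")):
        if key == "include":
            for pattern in value.split():
                for name in sorted(p for p in files if fnmatch.fnmatch(p, pattern)):
                    for k, v in effective_settings(files, name).items():
                        settings.setdefault(k, v)
        else:
            settings.setdefault(key, value)
    return settings

def audit(files, path="/etc/ssh/sshd_config"):
    """{keyword: (effective, wanted)} for each recommendation unset or not met."""
    eff = effective_settings(files, path)
    return {k: (eff.get(k), w) for k, w in WANTED.items() if (eff.get(k) or "").lower() != w}

# Constructed sample: the hardened lines were added to sshd_config, but a drop-in read
# via the Include on line 1 still says PasswordAuthentication yes, and it is read first.
SAMPLE = {
    "/etc/ssh/sshd_config": """Include /etc/ssh/sshd_config.d/*.conf
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
Match User backup
    PasswordAuthentication yes
""",
    "/etc/ssh/sshd_config.d/50-cloud-init.conf": "PasswordAuthentication yes\n",
}
```

audit(SAMPLE) reports passwordauthentication as effectively yes; on a live host, sshd -T prints the same effective values and is the quickest cross-check.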
