7 Linux Hardening steps to keep your Server Protected

March 10, 2014

Server hardening is the process of enhancing server security through various methods. There are many steps you can take to secure a server; the steps below turn a vulnerable box into a hardened one and help you prevent attacks from outside. Here I describe hardening a CentOS server.

1. Remote access configuration

Disable unneeded SSHD authentication methods

Change ChallengeResponseAuthentication no to ChallengeResponseAuthentication yes in /etc/ssh/sshd_config

# sed -i 's/.*ChallengeResponseAuthentication.*no/ChallengeResponseAuthentication yes/g' /etc/ssh/sshd_config

Change GSSAPIAuthentication yes to GSSAPIAuthentication no in /etc/ssh/sshd_config

# sed -i 's/.*GSSAPIAuthentication.*yes/GSSAPIAuthentication no/g' /etc/ssh/sshd_config

Disable direct root login

Change PermitRootLogin yes to PermitRootLogin no in /etc/ssh/sshd_config

# sed -i 's/.*PermitRootLogin.*yes/PermitRootLogin no/g' /etc/ssh/sshd_config

Change the default SSHD listening port (e.g. 8500)

Change Port 22 to Port 8500 in /etc/ssh/sshd_config
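The sed one-liners above only rewrite a line that already reads "Key yes" (or "Key no"); if the directive is absent from the file nothing happens, and a second run can leave duplicates. The following is an added example, not code from the original post: a small POSIX sh helper that sets a directive idempotently (replacing a commented or active copy, appending when missing), reads the value back the way sshd resolves it, and applies the four settings from this step. The config path argument defaults to /etc/ssh/sshd_config; the validation call uses sshd -t.

```sh
# Added example (not from the original post): set an sshd_config directive
# idempotently. A bare sed only rewrites lines that already contain
# "Key yes"; this rewrites any existing copy of the directive, commented
# or not, and appends it when the file has none, so the outcome does not
# depend on what the distribution's stock file happened to contain.
# The third argument is the file to edit (defaults to /etc/ssh/sshd_config).
set_sshd_option() {
    key=$1; value=$2; config=${3:-/etc/ssh/sshd_config}
    tmp="$config.tmp.$$"
    # sshd keywords are case-insensitive, so compare lowercased first tokens.
    # Only the first occurrence is replaced; later duplicates are dropped,
    # because sshd honours the first uncommented value it sees.
    awk -v key="$key" -v value="$value" '
        {
            line = $0
            sub(/^[[:space:]]*#?[[:space:]]*/, "", line)   # strip indent and a leading #
            n = split(line, f, /[[:space:]]+/)
            if (n > 0 && tolower(f[1]) == tolower(key)) {
                if (!done) { print key " " value; done = 1 }
                next
            }
            print
        }
        END { if (!done) print key " " value }
    ' "$config" > "$tmp" && mv "$tmp" "$config"
}

# Effective value of a directive: first uncommented match, as sshd resolves it.
get_sshd_option() {   # get_sshd_option KEY FILE
    awk -v key="$1" '
        /^[[:space:]]*#/ { next }
        NF >= 2 && tolower($1) == tolower(key) { print $2; exit }
    ' "$2"
}

# Apply the settings from step 1 to a file, then validate it with sshd -t
# before restarting sshd (a syntax error would lock you out of the box).
harden_sshd() {   # harden_sshd [FILE]
    config=${1:-/etc/ssh/sshd_config}
    set_sshd_option ChallengeResponseAuthentication yes "$config"
    set_sshd_option GSSAPIAuthentication no "$config"
    set_sshd_option PermitRootLogin no "$config"
    set_sshd_option Port 8500 "$config"
    sshd -t -f "$config"
}
```

Run harden_sshd as root and restart sshd only when sshd -t is silent. One caveat: the helper treats every occurrence of a keyword alike, so if your file uses Match blocks, check by hand that a directive inside a Match block was not meant to stay conditional.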

2. Narrow Down Permissions

Narrow down permissions for system files and folders.

# chmod 700 /root
# chmod 700 /var/log/audit
# chmod 740 /etc/rc.d/init.d/iptables
# chmod 740 /sbin/iptables
# chmod -R 700 /etc/skel
# chmod 600 /etc/rsyslog.conf
# chmod 640 /etc/security/access.conf
# chmod 600 /etc/sysctl.conf
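Package updates and other administrators routinely undo chmod changes like these, so the modes are worth checking rather than assuming. The following is an added example, not code from the original post: a POSIX sh audit that reads "path mode" pairs, reports any path whose mode differs or which is missing, and exits non-zero on drift. It assumes GNU stat -c (Linux); the list of paths is the one from this step.

```sh
# Added example (not from the original post): verify the modes from step 2
# instead of assuming the chmod commands stuck. Reads "path mode" pairs on
# stdin, reports every path whose mode differs or which is missing, and
# returns non-zero when there is any drift. Uses GNU stat -c (Linux).
audit_modes() {
    rc=0
    while read -r path want; do
        case $path in ''|\#*) continue ;; esac       # skip blanks and comments
        if [ ! -e "$path" ]; then
            echo "MISSING $path"; rc=1; continue
        fi
        have=$(stat -c '%a' "$path")
        if [ "$have" != "$want" ]; then
            echo "DRIFT $path is $have, want $want"; rc=1
        fi
    done
    return $rc
}

# The list from step 2 (the -R on /etc/skel is checked on the directory itself here).
hardening_modes() {
    cat <<'EOF'
/root 700
/var/log/audit 700
/etc/rc.d/init.d/iptables 740
/sbin/iptables 740
/etc/skel 700
/etc/rsyslog.conf 600
/etc/security/access.conf 640
/etc/sysctl.conf 600
EOF
}

# Usage: hardening_modes | audit_modes
```

The exit status makes it easy to run from cron or a monitoring check; a non-zero result is the signal to look at who changed what.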

3. Tune kernel parameters

sysctl is an interface for examining and dynamically changing kernel parameters in Linux. Edit the /etc/sysctl.conf file to set kernel parameters persistently; the sysctl command modifies them at run time:

# sysctl -a
# sysctl -A
# sysctl mib
# sysctl net.ipv4.conf.all.rp_filter

To load the settings from /etc/sysctl.conf, enter:

# sysctl -p

Copy and paste the following content into /etc/sysctl.conf (the file takes "key = value" lines, not sysctl -w commands):

# Turn on execshield

# Enable IP spoofing protection

# Disable IP source routing

# Ignoring broadcasts request

# Make sure spoofed packets get logged
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.default.log_martians = 1

# Disable ICMP routing redirects
net.ipv4.conf.all.accept_redirects = 0
net.ipv6.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv6.conf.all.send_redirects = 0

# Disables the magic-sysrq key
kernel.sysrq = 0

# Turn off the tcp_sack
net.ipv4.tcp_sack = 0

# Turn off the tcp_timestamps
net.ipv4.tcp_timestamps = 0

# Enable TCP SYN Cookie Protection
net.ipv4.tcp_syncookies = 1

# Enable bad error message Protection
net.ipv4.icmp_ignore_bogus_error_responses = 1
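A setting in /etc/sysctl.conf only takes effect at boot or after sysctl -p, so the file and the running kernel can disagree. The following is an added example, not code from the original post: a POSIX sh audit that parses a sysctl.conf-style file ("key = value", with '#' or ';' comments), compares it with an expectation list, and, where /proc/sys is readable, also reports keys whose live value differs. The expectation list holds only the keys whose values appear in the post above.

```sh
# Added example (not from the original post): audit a sysctl.conf-style file
# against the values step 3 requires, and against the running kernel where
# /proc/sys is readable. sysctl.conf lines are "key = value"; '#' and ';'
# start comments.

# Print the last value a file assigns to KEY (sysctl -p applies the last one).
conf_value() {   # conf_value KEY FILE
    awk -v key="$1" -F= '
        /^[[:space:]]*[#;]/ || !/=/ { next }
        {
            k = $1; v = $2
            gsub(/[[:space:]]/, "", k)
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", v)
            if (k == key) val = v
        }
        END { if (val != "") print val }
    ' "$2"
}

# Reads "key value" expectations on stdin; prints UNSET/WRONG for the file
# and LIVE when the running kernel disagrees (the file only takes effect at
# boot or after sysctl -p). Returns non-zero if the file needs changes.
audit_sysctl_conf() {   # audit_sysctl_conf FILE < expectations
    rc=0
    while read -r key want; do
        case $key in ''|\#*) continue ;; esac
        have=$(conf_value "$key" "$1")
        if [ -z "$have" ]; then
            echo "UNSET $key (want $want)"; rc=1
        elif [ "$have" != "$want" ]; then
            echo "WRONG $key = $have (want $want)"; rc=1
        fi
        proc="/proc/sys/$(echo "$key" | tr . /)"
        if [ -r "$proc" ]; then
            live=$(cat "$proc")
            [ "$live" = "$want" ] || echo "LIVE $key = $live (want $want); run sysctl -p"
        fi
    done
    return $rc
}

# The keys and values that appear in step 3 above.
required_sysctls() {
    cat <<'EOF'
net.ipv4.conf.all.log_martians 1
net.ipv4.conf.default.log_martians 1
net.ipv4.conf.all.accept_redirects 0
net.ipv6.conf.all.accept_redirects 0
net.ipv4.conf.all.send_redirects 0
net.ipv6.conf.all.send_redirects 0
kernel.sysrq 0
net.ipv4.tcp_sack 0
net.ipv4.tcp_timestamps 0
net.ipv4.tcp_syncookies 1
net.ipv4.icmp_ignore_bogus_error_responses 1
EOF
}

# Usage: required_sysctls | audit_sysctl_conf /etc/sysctl.conf
```

The live check silently skips a key that has no entry under /proc/sys on the running kernel; sysctl -p, by contrast, prints an error for such a key, so run it once by hand and read its output before trusting the file.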

5. Security Enhanced Linux (SELinux)

SELinux is a set of security rules that determine which processes can access which files, directories, ports, etc. Every file, process, directory and port has a special security label called an SELinux context. A context is simply a name the SELinux policy uses to decide whether a process can access a file, directory or port. By default the policy allows no interaction; access is granted only by explicit allow rules, and if there is no allow rule, access is denied.

The getenforce command tells us what mode SELinux is in.

We can switch SELinux into enforcing mode by setting SELINUX=enforcing in /etc/sysconfig/selinux

The SELINUX directive in this file takes one of three values, explained below.

• enforcing - SELinux security policy is enforced.

• permissive - SELinux prints warnings instead of enforcing.

• disabled - SELinux is fully disabled.
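The file is only read at boot, so SELINUX=enforcing on disk says nothing about the mode a box is running in right now (setenforce 0 leaves the file untouched). The following is an added example, not code from the original post: POSIX sh functions that read the SELINUX= directive from a file in the /etc/sysconfig/selinux format, check it against the three valid values, and compare it with the live mode reported by getenforce.

```sh
# Added example (not from the original post): read the SELINUX= directive from
# a file in the /etc/sysconfig/selinux format, check it is one of the three
# valid values, and compare it with the live mode from getenforce.
selinux_configured_mode() {   # selinux_configured_mode FILE
    awk -F= '
        /^[[:space:]]*#/ { next }
        $1 == "SELINUX" { v = $2 }       # last assignment wins
        END { print v }
    ' "$1"
}

selinux_mode_valid() {   # selinux_mode_valid MODE
    case $1 in enforcing|permissive|disabled) return 0 ;; *) return 1 ;; esac
}

# Prints the live mode (lowercased) when it differs from the configured one.
# Return codes: 0 in sync, 1 drift, 2 getenforce unavailable or config invalid.
selinux_drift() {   # selinux_drift FILE
    want=$(selinux_configured_mode "$1")
    selinux_mode_valid "$want" || { echo "invalid SELINUX value: '$want'"; return 2; }
    command -v getenforce >/dev/null 2>&1 || { echo "getenforce not found"; return 2; }
    live=$(getenforce | tr 'A-Z' 'a-z')
    [ "$live" = "$want" ] && return 0
    echo "configured=$want live=$live"
    return 1
}

# Usage: selinux_drift /etc/sysconfig/selinux
```

A return code of 1 on a box that should be enforcing is worth an alert: either someone ran setenforce 0, or the machine has not been rebooted since the file was edited.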

6. Setup IPTABLE Rules

iptables is a user-space program that allows a system administrator to configure the tables provided by the Linux kernel firewall, and the chains and rules it stores.

Close all unwanted ports

iptables -A INPUT -p tcp --dport PORT_NUMBER -j DROP

Ban bad IPs

iptables -A INPUT -s IP_ADDRESS -j DROP

You can list all iptables rules with the command

iptables -L -n -v
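Dropping unwanted ports one at a time leaves every port you forgot about open, and a newly installed service is reachable the moment it starts. The following is an added example, not code from the original post: a POSIX sh generator for an allow-list INPUT chain with a default DROP policy, using the same DROP-by-port and DROP-by-source rules as above. It prints the iptables commands for review rather than running them; the port list and the optional ban file are assumed inputs, and the ban file holds IPv4 addresses or CIDR ranges, one per line.

```sh
# Added example (not from the original post): generate an allow-list INPUT
# chain with a default DROP policy, rather than dropping unwanted ports one
# at a time (a new service then stays closed until you open it). Nothing is
# applied: the commands are printed for review, and "| sh" applies them.
# Arguments: a space-separated list of TCP ports to accept, and optionally a
# file of banned IPv4 source addresses, one per line, '#' comments allowed.
gen_input_rules() {   # gen_input_rules "22 80 443" [banfile]
    ports=$1; banfile=$2
    echo "iptables -F INPUT"
    echo "iptables -A INPUT -i lo -j ACCEPT"
    # keep replies to outbound connections and the session you are typing in
    echo "iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    if [ -n "$banfile" ]; then
        while read -r ip; do
            case $ip in
                ''|\#*) continue ;;                       # blank or comment
                *[!0-9./]*) echo "skipping bad address: $ip" >&2; continue ;;
            esac
            echo "iptables -A INPUT -s $ip -j DROP"       # bans before accepts
        done < "$banfile"
    fi
    for p in $ports; do
        case $p in
            *[!0-9]*|'') echo "skipping bad port: $p" >&2; continue ;;
        esac
        if [ "$p" -lt 1 ] || [ "$p" -gt 65535 ]; then
            echo "skipping bad port: $p" >&2; continue
        fi
        echo "iptables -A INPUT -p tcp --dport $p -m conntrack --ctstate NEW -j ACCEPT"
    done
    # log what falls through (rate-limited), then the policy catches the rest
    echo "iptables -A INPUT -m limit --limit 5/min -j LOG --log-prefix 'INPUT-DROP: '"
    echo "iptables -P INPUT DROP"
}

# Usage: gen_input_rules "22 80 443" /etc/banned-ips.txt   (review, then | sh)
```

The policy is set last so that the ESTABLISHED,RELATED rule is already in place when DROP takes effect; run the output from a console session the first time in case the port you are connected on is not in the list. iptables handles IPv4 only; an IPv6-capable host needs the equivalent ip6tables rules.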

7. Verifying the file system

Any file with the SUID/SGID bit set can be used for malicious activity when that SUID/SGID executable has a security problem, and any local or remote user can make use of such a file.

Identify unwanted SUID and SGID binaries

find / \( -perm -4000 -o -perm -2000 \) -print
find / -xdev -type f -perm /6000 -ls

Identify world-writable directories that lack the sticky bit

find /dir -xdev -type d \( -perm -0002 -a ! -perm -1000 \) -print

Identify orphaned files and folders

find /dir -xdev \( -nouser -o -nogroup \) -print
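The set-id list is only useful if you can tell what changed since the last run, so it pays to keep a baseline and diff against it. The following is an added example, not code from the original post: the three checks from this step as POSIX sh functions using GNU find, with the SUID/SGID list compared against a baseline file so that only new set-id binaries are reported, and world-writable regular files included alongside the sticky-bit-less directories. The baseline path is an assumed example location.

```sh
# Added example (not from the original post): the checks from step 7 as
# functions, with the SUID/SGID list diffed against a baseline so that only
# new set-id binaries show up on a re-run. Uses GNU find; -xdev keeps the
# scan on one filesystem, as the post's own find commands do.
list_setuid() {   # list_setuid DIR -> sorted SUID/SGID regular files
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null | sort
}

# Paths present now that were not in BASELINE (a sorted file written earlier
# with: list_setuid / > baseline). A non-empty result wants an explanation.
new_setuid() {    # new_setuid DIR BASELINE
    list_setuid "$1" | comm -23 - "$2"
}

# World-writable regular files, plus directories that are world-writable
# without the sticky bit (anyone could delete or rename other users' files).
list_world_writable() {   # list_world_writable DIR
    find "$1" -xdev \( -type f -perm -0002 -o -type d -perm -0002 ! -perm -1000 \) -print 2>/dev/null | sort
}

# Files owned by a UID or GID that no longer exists in passwd/group;
# usually leftovers from deleted accounts, occasionally something planted.
list_orphans() {   # list_orphans DIR
    find "$1" -xdev \( -nouser -o -nogroup \) -print 2>/dev/null | sort
}

# Usage (as root): baseline once, then re-run new_setuid periodically.
#   list_setuid / > /root/setuid.baseline     # assumed location
#   new_setuid / /root/setuid.baseline
```

Keep the baseline somewhere only root can write, and refresh it deliberately after package updates that legitimately add set-id binaries, so that an unexplained entry is always worth investigating.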


Comments (1)

  1. Laurens Rietveld says:

    I'd suggest not to run ssh on an unprivileged port, as it allows non-root users to listen in on that same port (see here for a nice blog post: https://www.adayinthelifeof.nl/2012/03/12/why-putting-ssh-on-another-port-than-22-is-bad-idea/)

    At least make sure you change the port number to a privileged port (<1024), as users require root access to run a service on that port range.
