Information Security 12 min read

Comprehensive Linux System Hardening Guide for Production Environments

This guide details practical Linux hardening steps—including disabling SELinux, trimming startup services, applying the principle of least privilege, configuring sudo, synchronizing time, adjusting file descriptor limits, locking critical files, disabling ping, optimizing SSH, changing hostnames, and preventing destructive rm commands—to improve security and stability in production deployments.

DevOps Operations Practice

1. Disable SELinux

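SELinux provides mandatory access control but is often disabled in production for simplicity, with firewall rules commonly used in its place. Firewall rules filter network traffic only and do not confine what a process can do on the host, so disabling SELinux removes that layer of protection.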

1.1 Permanently disable SELinux

vim /etc/selinux/config
SELINUX=disabled

A system reboot is required for the change to take effect.

1.2 Temporarily disable SELinux

getenforce            # view current SELinux mode
setenforce 0         # 0 = permissive (warnings only), 1 = enforcing

The temporary change takes effect immediately without a reboot but is lost at the next boot; the permanent configuration can be edited later.

2. Trim Startup Services

Reducing enabled services saves resources and lowers attack surface. Essential services typically include:

sshd (remote login)

rsyslog (system logging)

network (network interfaces)

crond (scheduled tasks)

sysstat (performance monitoring tools)

For CentOS 5/6 use chkconfig:

chkconfig --list
chkconfig --del service_name
chkconfig --add service_name
chkconfig --level 35 service_name on|off
chkconfig --level 5 service_name off

For CentOS 7+ use systemctl:

systemctl list-unit-files
systemctl enable service_name
systemctl disable service_name

3. Principle of Least Privilege

Key minimization rules:

Install only required packages.

Enable only necessary startup services.

Use minimal command options (e.g., rm -f instead of rm -rf).

Prohibit remote root login; grant ordinary users only needed privileges.

Set file and directory permissions to the minimum required.

4. Control Command Access with sudo

Edit the sudoers file with visudo and add entries in the form:

username_or_group hostname=(runas) command

Example granting user zhangsan permission to reboot and add users:

zhangsan ALL=(ALL) /usr/sbin/reboot,/usr/sbin/useradd

5. Server Time Synchronization

Accurate time is critical for logging and business processes. Use tools such as ntpdate and schedule periodic syncs via cron.

6. Adjust System File Descriptor Limits

Check current limit:

ulimit -n   # default 1024

Temporary increase:

ulimit -SHn 102400

Permanent user-level limits (edit /etc/security/limits.conf):

* hard nofile 102400
* soft nofile 102400

System‑wide limit (edit kernel parameter):

sysctl -w fs.file-max=102400

Persist by adding fs.file-max=102400 to /etc/sysctl.conf and applying with sysctl -p.

7. Lock Critical System Files

Set the immutable attribute on the password, group and init files so that even root cannot modify them until the attribute is cleared:

chattr +i /etc/passwd /etc/shadow /etc/group /etc/inittab

Unlock before adding users, changing passwords or editing these files:

chattr -i /etc/passwd /etc/shadow /etc/group /etc/inittab

8. Disable Ping Responses

Disable permanently via sysctl:

echo "net.ipv4.icmp_echo_ignore_all=1" >> /etc/sysctl.conf
sysctl -p

Alternatively, use iptables to drop ICMP echo requests:

sudo iptables -A INPUT -p icmp --icmp-type echo-request -j DROP
sudo iptables -A OUTPUT -p icmp --icmp-type echo-reply -j DROP

9. SSH Configuration Optimization

Back up /etc/ssh/sshd_config, then adjust key parameters:

Port 12011
PermitRootLogin no
UseDNS no

These changes move the SSH port, disable remote root login, and prevent DNS lookups that can cause delays. Enable key‑based authentication as needed and restart SSH to apply.
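
The three settings above can be verified mechanically before restarting SSH. The script below is an added example, not part of the original guide; the function names sshd_effective and check_sshd_hardening and the sample file are constructed for illustration. It accounts for sshd using the first value it reads for each keyword, so a hardening line appended below an older conflicting line has no effect.

```shell
#!/bin/sh
# Added example (not from the original guide): verify the three sshd_config
# settings above. Assumes whitespace-separated "Keyword value" lines and does
# not follow Include directives.

# Print the effective global value of a keyword. sshd uses the FIRST value it
# reads, keywords are case-insensitive, and lines after "Match" are conditional.
sshd_effective() {   # usage: sshd_effective <config-file> <keyword>
    awk -v want="$2" '
        BEGIN { want = tolower(want) }
        NF == 0 || $1 ~ /^#/ { next }            # blank lines and comments
        tolower($1) == "match" { exit }          # end of global section
        tolower($1) == want { print $2; exit }   # first occurrence wins
    ' "$1"
}

# Print OK/FAIL per keyword; return non-zero if any setting differs.
check_sshd_hardening() {   # usage: check_sshd_hardening <config-file> <port>
    rc=0
    for pair in "Port=$2" "PermitRootLogin=no" "UseDNS=no"; do
        key=${pair%%=*}
        expected=${pair#*=}
        actual=$(sshd_effective "$1" "$key")
        if [ "$actual" = "$expected" ]; then
            echo "OK    $key $actual"
        else
            echo "FAIL  $key expected=$expected found=${actual:-unset}"
            rc=1
        fi
    done
    return "$rc"
}

# Constructed sample: the hardening line was appended after an existing
# "permitrootlogin yes", so the earlier line still wins.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# constructed sshd_config for illustration
Port 12011
permitrootlogin yes
UseDNS no
PermitRootLogin no
Match User backup
    PermitRootLogin no
EOF
check_sshd_hardening "$sample" 12011 || echo "sshd_config needs attention"
rm -f "$sample"
```

On a live host, sshd -t validates the file before a restart and sshd -T prints the configuration the daemon will actually use.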

10. Change Hostname

Rename the host to reflect business needs, facilitating monitoring and batch management.

11. Prevent Accidental rm -rf /*

Install safe-rm and place it ahead of the default rm command in the search path:

wget https://launchpad.net/safe-rm/trunk/1.1.0/+download/safe-rm-1.1.0.tar.gz
tar -zxvf safe-rm-1.1.0.tar.gz
cp safe-rm-1.1.0/safe-rm /usr/local/bin/
ln -s /usr/local/bin/safe-rm /usr/local/bin/rm

Configure protected paths in /etc/safe-rm.conf, e.g.:

/
/root
/root/blue
/root/blue/students

These settings help avoid catastrophic deletions in production environments.
