How to Harden Linux Servers: Essential Security Practices Every Ops Engineer Should Know

1. Account and Login Security

Account security is the first line of defense. Remove unnecessary system users and groups such as adm, lp, sync, shutdown, halt, news, uucp, operator, games, gopher and groups like adm, lp, news, uucp, games, dip, pppusers, popusers, slipusers to reduce attack surface.

1) Delete special accounts and groups

After installation, Linux creates many default accounts and groups that are rarely needed; they should be removed promptly.

2) Disable unnecessary services

Identify and stop services that are not required for the server’s purpose (e.g., on a web server, only keep httpd and essential system services). Example of services that can often be disabled: anacron, auditd, autofs, avahi-daemon, bluetooth, cpuspeed, firstboot, gpm, haldaemon, ip6tables, ipsec, isdn, lpd, mcstrans, messagebus, netfs, nfs, nfslock, nscd, pcscd, portmap, readahead_early, restorecond, rpcgssd, rpcidmapd, rstatd, sendmail, setroubleshoot, yppasswdd, ypserv.

3) Password security policies

Use key‑based authentication instead of password authentication for remote logins. Store private keys securely and disable password logins via SSH configuration.

Linux servers are typically managed with tools like SecureCRT, PuTTY, or Xshell; key authentication is implemented through these tools and the SSH service.

4) Proper use of su and sudo

su allows switching to the root user but can expose the root password to many users. sudo grants limited privileges without revealing the root password, and its configuration resides in

/etc/sudoers

.

5) Trim login welcome messages

Remove or modify files that disclose system version information:

/etc/issue

,

/etc/issue.net

,

/etc/redhat-release

, and

/etc/motd

. To hide

/etc/issue.net

during SSH login, add

Banner /etc/issue.net

to

/etc/ssh/sshd_config

and then clear the file content.

2. Remote Access and Authentication Security

1) Replace telnet with SSH

Telnet transmits credentials in clear text; SSH encrypts traffic and should be used exclusively for remote access.

2) Manage shell history

Use the

history

command and protect

~/.bash_history

to retain audit trails, backing up the file if necessary.

3) Enable tcp_wrappers firewall

Combine

iptables

with

tcp_wrappers

to provide a two‑layer firewall, controlling service access more granularly.

3. File System Security

1) Lock critical files

Use

chattr

to set immutable or append‑only attributes on important files, noting that this cannot be applied to directories such as

/

,

/dev

,

/tmp

, or

/var

.

2) Check and modify file permissions

Identify world‑writable files and directories and programs with set‑uid/set‑gid bits:

Find files with write permission for anyone: find / -type f -perm -2 -o -perm -20 | xargs ls -al Find directories with write permission for anyone: find / -type d -perm -2 -o -perm -20 | xargs ls -ld Find files with set‑uid or set‑gid bits: find / -type f -perm -4000 -o -perm -2000 -print | xargs ls -al Find files owned by root with set‑uid/set‑gid: find / -user root -perm -2000 -print -exec md5sum {} \; Find files without an owner: find / -nouser -o -nogroup

3) Secure /tmp, /var/tmp, and /dev/shm

Mount

/tmp

with

nosuid,noexec,nodev

options if it is a separate partition, or create a loopback filesystem with those options for a directory‑based

/tmp

. Example commands are provided in

fstab

and using

dd

,

mke2fs

, and

mount

.

4. Linux Rootkit Detection Tools

1) chkrootkit

Install and run

chkrootkit

to scan for known rootkits. Sample output shows infected binaries such as

ifconfig

,

ls

,

login

,

netstat

,

ps

, and

top

. If infection is detected, backing up data and reinstalling the system is recommended.

2) RKHunter

Use

rkhunter --check --skip-keypress

for automated scanning. Schedule daily checks via

/etc/crontab

with a line like

30 09 * * * root /usr/local/bin/rkhunter --check --cronjob

.

5. Post‑Attack Handling Process

1) General response steps

1) Cut network connectivity. 2) Identify the attack source via logs and open ports. 3) Analyze intrusion vectors and vulnerabilities. 4) Backup user data. 5) Reinstall the operating system. 6) Patch software and system flaws. 7) Restore data and reconnect to the network.

2) Lock suspicious users

If immediate network isolation is impossible, lock any suspicious accounts and terminate their sessions.

3) Review system logs

Examine

/var/log/messages

,

/var/log/secure

, and users'

.bash_history

files, especially

/root/.bash_history

, for malicious commands.

4) Inspect and terminate suspicious processes

Use

ps

,

top

, or

pidof

to locate processes, then check the executable path via

/proc/<pid>/exe

and file descriptors via

/proc/<pid>/fd

.

5) Verify file system integrity

Run

rpm -Va

to verify package files and detect altered binaries.

6) Reinstall and recover

After backing up data, perform a clean OS installation and restore the data, then apply the security hardening measures described above.