How To Strengthen Linux

Handy step-by-step guide to strengthen your Linux security. 

  1. Configure UEFI:
  • Boot in UEFI mode instead of legacy BIOS
  • Set a password for changing UEFI settings
  • Activate SecureBoot mode
  • Set an UEFI password for system boot
  1. Choose appropriate distro:
  • Popular distros (Arch, Ubuntu, Debian) have better support and are patched faster
  • Pick a distro with digitally signed packages
  • It should have UEFI and SecureBoot support
  • It has to support disk encryption out-of-the-box
  • Consider an entire system encryption with LUKS
  • Swap should be encrypted as well
  • Set strong password for root access
  • Don’t grant administrative permissions for a regular user
  • A user password must differ from a superuser password
  1. Regular Updates:
  • Update regularly and check for unnecessary packages
  • Subscribe to security alerts
  • Configure available update notification using yum or apticron
  • Configure unattended upgrades
  1. Use Intrusion Detection System (NIDS):
  • AIDE is included in Debian/Ubuntu, Gentoo, RedHat, CentOS, Fedora and OpenSUSE. This tool is used to check a system integrity and report malicious changes
  • Fail2Ban protects a system from brute-force attacks
  • PSAD is useful to detect and block port-scan attacks in real time
  1. Check Open Ports:
  • netstat -tunlp will show open ports and associated services
  • Use chkconfig nameofservice off to disable unwanted services 
  1. Disable Services that are not in Use:
  • Avoid using FTP, Telnet and rsh services
  • Get encrypted services (SFTP, FTPs and SSH) instead
  1. Backup Important Files:
  • Set up encrypted backups to external storage, like NAS or a Remote Cloud computing service
  1. Use RSA-keys for SSH connection:
  • Password-less authentication is more secure against brute-force attack, rather than traditional login
  • 2FA can significantly improve security
  1. Configure Firewall:
  • Enable iptables to filter incoming, outgoing and forwarding packets
  • Allow only necessary traffic
  • Opt for UFW or FirewallD for less complex configuring 
  1. Monitor User Activity and Review Logs Regularly
  • Create check list of users with cat /etc/passwd
  • Use psacct and acct tools to monitor processes on your system
  • Logs are to be stored in /var/log
  1. Setup Your System to Use Security Enhanced Linux:
  • SELinux provides strong Mandatory Access Control
  • Set of sample configuration files is included to meet common security needs
  • Alternatively, AppArmor can be used, as it is a less complex tool for an average user
  1. Make Sure Your System is Physically Secured:
  • Even if your system is not vulnerable to network attacks, it could be stolen or damaged physically. Consider good locks, high fences and 24/7 watch guard
  • Consider visible, invisible and trackable tags

Yes, we are an IT consulting business, but you are important to us regardless of the industry. We treat our clients like additional members of our family. Our customer support lines and social network handles are always open to assist you with anything.
Rate this post