How To Strengthen Linux


Handy step-by-step guide to strengthen your Linux security. 

  1. Configure UEFI:
  • Boot in UEFI mode instead of legacy BIOS
  • Set a password for changing UEFI settings
  • Activate SecureBoot mode
  • Set an UEFI password for system boot
  1. Choose appropriate distro:
  • Popular distros (Arch, Ubuntu, Debian) have better support and are patched faster
  • Pick a distro with digitally signed packages
  • It should have UEFI and SecureBoot support
  • It has to support disk encryption out-of-the-box
  • Consider an entire system encryption with LUKS
  • Swap should be encrypted as well
  • Set strong password for root access
  • Don’t grant administrative permissions for a regular user
  • A user password must differ from a superuser password
  1. Regular Updates:
  • Update regularly and check for unnecessary packages
  • Subscribe to security alerts
  • Configure available update notification using yum or apticron
  • Configure unattended upgrades
  1. Use Intrusion Detection System (NIDS):
  • AIDE is included in Debian/Ubuntu, Gentoo, RedHat, CentOS, Fedora and OpenSUSE. This tool is used to check a system integrity and report malicious changes
  • Fail2Ban protects a system from brute-force attacks
  • PSAD is useful to detect and block port-scan attacks in real time
  1. Check Open Ports:
  • netstat -tunlp will show open ports and associated services
  • Use chkconfig nameofservice off to disable unwanted services 
  1. Disable Services that are not in Use:
  • Avoid using FTP, Telnet and rsh services
  • Get encrypted services (SFTP, FTPs and SSH) instead
  1. Backup Important Files:
  • Set up encrypted backups to external storage, like NAS or a Remote Cloud computing service
  1. Use RSA-keys for SSH connection:
  • Password-less authentication is more secure against brute-force attack, rather than traditional login
  • 2FA can significantly improve security
  1. Configure Firewall:
  • Enable iptables to filter incoming, outgoing and forwarding packets
  • Allow only necessary traffic
  • Opt for UFW or FirewallD for less complex configuring 
  1. Monitor User Activity and Review Logs Regularly
  • Create check list of users with cat /etc/passwd
  • Use psacct and acct tools to monitor processes on your system
  • Logs are to be stored in /var/log
  1. Setup Your System to Use Security Enhanced Linux:
  • SELinux provides strong Mandatory Access Control
  • Set of sample configuration files is included to meet common security needs
  • Alternatively, AppArmor can be used, as it is a less complex tool for an average user
  1. Make Sure Your System is Physically Secured:
  • Even if your system is not vulnerable to network attacks, it could be stolen or damaged physically. Consider good locks, high fences and 24/7 watch guard
  • Consider visible, invisible and trackable tags