Linux security and system hardening

Checklist

Physical access

Hardware security

If you want to achieve the maximum security of your Linux distribution, first consider how well the hardware itself is protected. Most of the related settings are made in the BIOS or UEFI firmware setup, usually reached by pressing a key during the boot process. Without them, anyone with physical access can boot their own medium and read or modify the installed system.

  • Set a password to protect the BIOS
  • Consider using a boot password
  • Disable unused boot devices and ports (e.g. booting from USB or the network, and FireWire, which gives an attached device DMA access to memory)

Installation

Partitioning structure and encryption

The installation process is a good first indicator of how well a system is hardened. During this phase, the operating system is installed on a local disk. A proper partitioning structure separates executable code from data. It allows both to be protected with mount options (such as nodev, nosuid and noexec), and it prevents one file system filling up unexpectedly, for instance /var/log, from taking the whole system down.

During this part of the installation, there is also the option to encrypt all the data. This protects the data on the disk if the system is stolen or the disk is removed. It is done by setting a password or passphrase that has to be provided during the boot of the Linux system.

  • Define multiple partitions (/, /tmp, /usr, /var, /var/log)
  • Set a strong encryption passphrase
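The mount-option part of this advice can be checked rather than assumed. The following script is an added example, not part of the original checklist: it prints an /etc/fstab fragment for the partitions listed above and audits a file in /proc/mounts format against a small policy. The device names, the option policy and the sample mount table are assumptions constructed for this example; adjust them to the role of the machine.

```sh
#!/bin/sh
# Added example (not from the original checklist): fstab fragment and a
# mount-option audit. Device names and the policy table are assumptions.

# fstab_fragment: mount lines for a layout with separate partitions.
# nodev: no device files, nosuid: setuid bits ignored, noexec: no binaries run.
fstab_fragment() {
  cat <<'EOF'
/dev/mapper/vg-root    /         ext4  defaults                      0 1
/dev/mapper/vg-usr     /usr      ext4  defaults,nodev                0 2
/dev/mapper/vg-tmp     /tmp      ext4  defaults,nodev,nosuid,noexec  0 2
/dev/mapper/vg-var     /var      ext4  defaults,nodev,nosuid         0 2
/dev/mapper/vg-varlog  /var/log  ext4  defaults,nodev,nosuid,noexec  0 2
/dev/mapper/vg-home    /home     ext4  defaults,nodev,nosuid         0 2
EOF
}

# policy: mount point and the options that must be present on it (assumption).
policy() {
  cat <<'EOF'
/tmp nodev,nosuid,noexec
/usr nodev
/var nodev,nosuid
/var/log nodev,nosuid,noexec
/home nodev,nosuid
EOF
}

# check_mounts FILE: FILE is in /proc/mounts format
# ("device mountpoint fstype options dump pass"). Prints one line per
# missing option or missing separate file system; prints nothing when compliant.
check_mounts() {
  mounts=$1
  policy | while read -r mp wanted; do
    opts=$(awk -v mp="$mp" '$2 == mp { print $4 }' "$mounts")
    if [ -z "$opts" ]; then
      echo "$mp: not a separate file system"
      continue
    fi
    for o in $(printf '%s' "$wanted" | tr ',' ' '); do
      case ",$opts," in
        *",$o,"*) ;;
        *) echo "$mp: missing $o" ;;
      esac
    done
  done
}

# count_violations FILE: number of findings, 0 when the policy is met.
count_violations() {
  echo $(( $(check_mounts "$1" | wc -l) ))
}

# sample_mounts: a constructed /proc/mounts of a machine that only partly
# follows the policy (no separate /usr or /home, /var/log without options).
sample_mounts() {
  cat <<'EOF'
/dev/mapper/vg-root / ext4 rw,relatime 0 0
/dev/mapper/vg-tmp /tmp ext4 rw,nosuid,nodev,relatime 0 0
/dev/mapper/vg-var /var ext4 rw,nodev,nosuid,relatime 0 0
/dev/mapper/vg-varlog /var/log ext4 rw,relatime 0 0
EOF
}

# Usage: audit the running system when /proc/mounts is available.
if [ -r /proc/mounts ]; then
  check_mounts /proc/mounts
fi
```

On the constructed sample the audit reports six findings (the missing noexec on /tmp, all three options on /var/log, and the absent /usr and /home file systems). Note that on systemd-based distributions a separate /usr has to be mounted by the initramfs, so verify the installer supports that before choosing it.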

Bootloader

During the boot process, a so-called bootloader is one of the first components that is started. On most Linux systems this is GRUB. Without a password, anyone at the console can edit a boot entry (for example to pass init=/bin/sh to the kernel) and obtain a root shell without logging in.

  • Set a configuration password on the bootloader, so boot entries cannot be edited without it
  • Check and tighten file permissions of configuration files
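As an added example (not part of the original checklist), this script shows the two GRUB 2 directives that enable a superuser password and a check for the generated configuration. The user name "admin", the placeholder hash and the file path are assumptions; on Debian and Ubuntu the two lines go into /etc/grub.d/40_custom and update-grub copies them into /boot/grub/grub.cfg.

```sh
#!/bin/sh
# Added example (not from the original checklist): GRUB 2 password fragment
# and a permission/content check. User name and paths are assumptions.

# grub_password_fragment HASH: the lines to append to /etc/grub.d/40_custom.
# HASH is the grub.pbkdf2.sha512... string printed by: grub-mkpasswd-pbkdf2
# Afterwards regenerate the configuration (update-grub, or
# grub2-mkconfig -o /boot/grub2/grub.cfg on RPM-based systems).
grub_password_fragment() {
  hash=$1
  cat <<EOF
set superusers="admin"
password_pbkdf2 admin $hash
EOF
}

# grub_config_ok FILE: returns 0 when FILE (normally /boot/grub/grub.cfg)
# defines a superuser and a PBKDF2 password and is not readable or writable
# by group or others, since it contains the password hash.
grub_config_ok() {
  f=$1
  [ -f "$f" ] || return 1
  grep -q '^set superusers=' "$f" || return 1
  grep -q '^password_pbkdf2 ' "$f" || return 1
  # find prints the path if any group/other read or write bit is set
  [ -z "$(find "$f" \( -perm -004 -o -perm -040 -o -perm -002 -o -perm -020 \))" ]
}

# Usage on a live system:
#   grub_config_ok /boot/grub/grub.cfg && echo "bootloader configuration ok"
#   chmod 600 /boot/grub/grub.cfg
```

Once superusers is set, GRUB also asks for the password before booting any menu entry that is not marked --unrestricted. On a server that must come back up unattended after a reboot, add --unrestricted to the default entry so that booting stays possible while editing entries still requires the password.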

Minimal installation

The software for the system is typically selected during the installation phase. Depending on the installer, you can select roles (a group of packages) or individual packages. Installing fewer packages is the best option: it speeds up the installation, reduces disk space, and lowers the chance that a vulnerable package is present later on. Every package that is not installed is one that never needs patching.

  • Only install what you really need
  • When possible, use the 'minimal installation' option.

Software

Software and package management

A software package bundles one or more tools together. Sooner or later one of these packages will contain a vulnerability: a known weakness in the software that can lead to instability or even a security breach. For that reason, the system should be patched on a regular basis. This means testing and installing any updates that are announced as security updates, before the remaining updates if time is short.

  • Limit the number of packages to reduce the footprint of the system
  • Disable services that are not needed
  • Install security updates regularly and with priority
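The three points above, and the "Minimal installation" advice earlier, can be audited with two small checks. The script below is an added example, not part of the original checklist: it flags enabled services that are not on an allowlist, and it counts the pending updates that come from a security repository. The allowlist, the package names and both sample command outputs are constructed for this example; the live commands that produce the real input are named in the comments.

```sh
#!/bin/sh
# Added example (not from the original checklist): find services that should
# not be enabled, and count pending security updates. The allowlist and the
# sample outputs are constructed assumptions.

# allowed_services: services this machine role is expected to run (assumption).
allowed_services() {
  cat <<'EOF'
ssh.service
systemd-timesyncd.service
rsyslog.service
EOF
}

# unexpected_services FILE: FILE holds the output of
#   systemctl list-unit-files --type=service --state=enabled --no-legend
# (columns: unit file, state, vendor preset). Prints enabled units that are
# not on the allowlist; disable each with: systemctl disable --now UNIT
unexpected_services() {
  allowed_services | awk '
    NR == FNR { allowed[$1]; next }
    $2 == "enabled" && !($1 in allowed) { print $1 }
  ' - "$1"
}

# security_updates FILE: FILE holds the output of: apt-get -s upgrade
# Lines of the form
#   Inst PKG [OLD] (NEW ORIGIN [ARCH])
# list packages that would be upgraded; an origin containing "-security"
# (Debian-Security:12/stable-security, Ubuntu:22.04/jammy-security, ...)
# marks a security update. Prints the package names.
security_updates() {
  awk '$1 == "Inst" && /-security/ { print $2 }' "$1"
}

# count_security_updates FILE: how many of the pending updates are security
# updates. Install those first: apt-get install --only-upgrade PKG...
count_security_updates() {
  echo $(( $(security_updates "$1" | wc -l) ))
}

# sample_unit_files: constructed systemctl output for the demonstration.
sample_unit_files() {
  cat <<'EOF'
avahi-daemon.service enabled enabled
cups.service enabled enabled
rsyslog.service enabled enabled
ssh.service enabled enabled
systemd-timesyncd.service enabled enabled
EOF
}

# sample_apt_simulation: constructed "apt-get -s upgrade" output with
# placeholder package names and versions.
sample_apt_simulation() {
  cat <<'EOF'
Reading package lists...
Building dependency tree...
Inst libfoo [1.0-1] (1.0-2 Debian-Security:12/stable-security [amd64])
Inst foo-utils [1.0-1] (1.0-2 Debian-Security:12/stable-security [amd64])
Inst bar [2.3-1] (2.4-1 Debian:12.5/stable [amd64])
Conf libfoo (1.0-2 Debian-Security:12/stable-security [amd64])
EOF
}
```

On RPM-based systems the equivalent of the second check is dnf upgrade --security, which installs only the updates tagged as security advisories. On the constructed samples the script reports avahi-daemon.service and cups.service as unexpected and counts two security updates.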

Configuration

Firewall

As part of the network configuration, a firewall is a useful defense mechanism. It should be configured to drop all traffic by default and allow only the connections the machine needs to do its job. Filtering on the host itself also matters when a network firewall exists: it limits what a compromised neighbour on the same network can reach.

  • Deny all incoming traffic by default
  • Open services by port and protocol (typically ICMP, UDP or TCP)
  • Restrict ICMP when needed, yet allow the machine to function properly
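As an added example (not part of the original checklist), the script below generates an nftables ruleset that follows these three points: input is dropped by default, services are opened by port and protocol, and ICMP is reduced to the types a host needs (unreachables and time-exceeded for path MTU discovery and diagnostics, neighbour discovery for IPv6, and rate-limited echo requests). The port lists are assumptions for this example.

```sh
#!/bin/sh
# Added example (not from the original checklist): generate a default-deny
# nftables ruleset. The port lists passed in are assumptions.

# gen_ruleset "TCP PORTS" "UDP PORTS": print the ruleset on stdout.
# Ports are space-separated, e.g. gen_ruleset "22 443" "123".
gen_ruleset() {
  tcp_set=$(printf '%s' "$1" | sed 's/ \{1,\}/, /g')
  udp_set=$(printf '%s' "$2" | sed 's/ \{1,\}/, /g')
  cat <<'EOF'
flush ruleset
table inet filter {
  chain input {
    type filter hook input priority 0; policy drop;
    iif lo accept
    ct state invalid drop
    ct state established,related accept
    # ICMP: enough for path MTU discovery and diagnostics; echo is rate-limited
    icmp type { destination-unreachable, time-exceeded, parameter-problem } accept
    icmp type echo-request limit rate 5/second accept
    icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem, nd-router-solicit, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert } accept
    icmpv6 type echo-request limit rate 5/second accept
EOF
  # services opened by port and protocol; excess traffic hits the drop policy
  [ -n "$tcp_set" ] && echo "    tcp dport { $tcp_set } accept"
  [ -n "$udp_set" ] && echo "    udp dport { $udp_set } accept"
  cat <<'EOF'
  }
  chain forward {
    type filter hook forward priority 0; policy drop;
  }
  chain output {
    type filter hook output priority 0; policy accept;
  }
}
EOF
}

# Usage: review the ruleset, then load it with: gen_ruleset "22 443" "" | nft -f -
# A syntax check without loading: gen_ruleset "22 443" "" | nft -c -f -
gen_ruleset "22 443" ""
```

Load the ruleset from a console or an out-of-band session, not over the SSH connection you are about to filter, and keep the ICMPv6 neighbour-discovery types: dropping them silently breaks IPv6 connectivity on the host.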

Resources

Blogs

There is a wide range of blogs available that write about Linux and security. See our resource section for blogs and websites that provide additional guidance on Linux security.