Admin: New server guide

2026-04-14T20:01:38Z

New server guide

New page

## Linux Security Hardening: A Practical Guide

Securing your Linux server is paramount to protecting your data and services from unauthorized access and malicious attacks. This guide provides practical steps for enhancing your server's security posture, covering essential techniques like sysctl tuning, SELinux/AppArmor, audit logging, and adhering to CIS benchmarks. Implementing these measures can significantly reduce your server's vulnerability.

### Prerequisites

Before you begin, ensure you have the following:

* A running Linux server (e.g., Ubuntu, CentOS, Debian).
* Root or sudo privileges on the server.
* Basic understanding of the Linux command line.
* SSH access to your server.

### Understanding the Risks

Failing to secure your Linux server can lead to severe consequences, including data breaches, service disruptions, and financial losses. Attackers may exploit unpatched vulnerabilities, weak configurations, or insufficient access controls to gain unauthorized entry. Proactive security hardening is a critical defense against these threats.

### 1. Kernel Parameter Tuning with sysctl

The `sysctl` command allows you to modify kernel parameters at runtime, impacting network security and system behavior. Tuning these parameters can help mitigate common network-based attacks.

#### Adjusting Network Settings

Many security-focused `sysctl` parameters relate to network packet handling. For instance, disabling IP forwarding prevents your server from acting as a router, which could be exploited in man-in-the-middle attacks.

1. **View current settings:**
```bash
sudo sysctl -a | grep net.ipv4
```
2. **Edit the sysctl configuration file:**
```bash
sudo nano /etc/sysctl.conf
```
3. **Add or modify the following lines for enhanced security:**

* **Disable IP Forwarding:**
```
net.ipv4.ip_forward = 0
```
This stops your server from routing traffic between networks.

* **Ignore ICMP Broadcast Requests:**
```
net.ipv4.icmp_echo_ignore_broadcasts = 1
```
This prevents your server from responding to broadcast pings, reducing susceptibility to Smurf attacks.

* **Ignore ICMP \"ping\" broadcasts:**
```
net.ipv4.icmp_ignore_bogus_error_responses = 1
```
This ignores malformed error messages.

* **Enable SYN Cookies:**
```
net.ipv4.tcp_syncookies = 1
```
SYN cookies are a technique to defend against SYN flood attacks by using cryptographic cookies in TCP sequence numbers.

* **Disable Source Routed Packets:**
```
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
```
This disallows packets with source-routed options, preventing potential network traversal exploits.

* **Enable TCP Strict Conntrack:**
```
net.netfilter.nf_conntrack_tcp_loose = 0
```
This enforces stricter tracking of TCP connections.

4. **Apply the changes:**
```bash
sudo sysctl -p
```

### 2. Mandatory Access Control (MAC) with SELinux and AppArmor

Mandatory Access Control (MAC) systems like SELinux (Security-Enhanced Linux) and AppArmor provide an additional layer of security by enforcing policies on what processes can do, regardless of user permissions.

#### SELinux

SELinux operates with security contexts, assigning labels to files, processes, and other system objects. Policies then define interactions between these contexts.

1. **Check SELinux status:**
```bash
sestatus
```
If SELinux is not installed or enabled, you might need to install it and configure your bootloader.

2. **Common SELinux modes:**
* **Enforcing:** All SELinux security policy rules are enforced.
* **Permissive:** SELinux policy rules are checked, and warnings are logged, but no actions are blocked. Useful for troubleshooting.
* **Disabled:** SELinux is completely turned off.

3. **Temporarily switch to Permissive mode (for troubleshooting):**
```bash
sudo setenforce 0
```
4. **Switch back to Enforcing mode:**
```bash
sudo setenforce 1
```
5. **Permanently change SELinux mode (requires reboot):**
Edit `/etc/selinux/config` and set `SELINUX=enforcing` or `SELINUX=permissive`.

#### AppArmor

AppArmor uses path-based rules to confine programs to a defined set of capabilities. It's generally considered simpler to manage than SELinux.

1. **Check AppArmor status:**
```bash
sudo apparmor_status
```
2. **Manage AppArmor profiles:**
AppArmor profiles are typically located in `/etc/apparmor.d/`. You can load, unload, and enforce profiles using `aa-enforce`, `aa-complain`, and `aa-disable`.

* **Put a profile in complain mode (logs violations but allows actions):**
```bash
sudo aa-complain /path/to/profile
```
* **Enforce a profile (blocks violations):**
```bash
sudo aa-enforce /path/to/profile
```
* **Disable a profile:**
```bash
sudo aa-disable /path/to/profile
```

### 3. Audit Logging with `auditd`

The Linux Audit Daemon (`auditd`) provides a robust framework for logging security-relevant events. This allows you to track who did what and when, which is crucial for incident response and forensic analysis.

1. **Install `auditd` (if not already present):**
* **Debian/Ubuntu:**
```bash
sudo apt update
sudo apt install auditd audispd-plugins
```
* **CentOS/RHEL:**
```bash
sudo yum install audit
```
2. **Configure audit rules:**
Audit rules define what events to log. They are typically stored in `/etc/audit/rules.d/`.

* **Example: Log all execve system calls (program executions):**
Create a new rule file, e.g., `/etc/audit/rules.d/execve.rules`:
```
-a always,exit -S execve -k exec_calls
```
This rule tells `auditd` to always log the `execve` system call when it exits and to tag these events with the key `exec_calls`.

* **Example: Log file access to sensitive directories:**
```
-w /etc/shadow -p rwa -k sensitive_file_access
```
This watches the `/etc/shadow` file for read, write, and attribute changes.

3. **Reload audit rules:**
```bash
sudo augenrules --load
```
Or, restart the `auditd` service:
```bash
sudo systemctl restart auditd
```
4. **View audit logs:**
```bash
sudo ausearch -k exec_calls
sudo ausearch -i
```
`ausearch` allows you to query the audit logs based on various criteria.

### 4. CIS Benchmarks

The Center for Internet Security (CIS) provides hardening guides for various operating systems and applications, including Linux. These benchmarks are a set of best practices developed by security experts to help you secure your systems.

1. **Locate CIS Benchmarks:** Visit the CIS website ([https://www.cisecurity.org/](https://www.cisecurity.org/)) and download the relevant benchmark for your Linux distribution.
2. **Review and Implement:** The benchmarks detail numerous configuration checks and remediation steps. They cover areas like:
* User and Group Management
* File System Security
* Network Configuration
* Service Management
* Logging and Auditing
* Kernel Parameter Tuning

Many CIS benchmarks include automated scripts that can help you assess your system's compliance and, in some cases, automatically apply recommended settings. However, always understand the implications of any automated changes.

### Troubleshooting Tips

* **SELinux/AppArmor blocking legitimate actions:** Temporarily switch to Permissive mode (`setenforce 0` for SELinux, `aa-complain` for AppArmor) to identify the problematic policy. Review audit logs (`/var/log/audit/audit.log` or `journalctl`) for denial messages and adjust policies accordingly.
* **`sysctl` changes not taking effect:** Ensure you ran `sudo sysctl -p` after modifying `/etc/sysctl.conf`. Check for syntax errors in the file.
* **Audit logs not appearing:** Verify that `auditd` is running (`sudo systemctl status auditd`). Ensure your audit rules are correctly formatted and loaded (`sudo augenrules --load`).

### Conclusion

Implementing these Linux security hardening techniques is an ongoing process. Regularly review your configurations, patch your systems, and stay informed about emerging threats. By taking a proactive approach, you can significantly improve the security and resilience of your server infrastructure.

---

**Disclosure:** This article may contain affiliate links. If you click on a link and make a purchase, we may receive a commission at no extra cost to you. This helps support our work.

[[Category:Security]]
[[Category:Linux]]
[[Category:Server Administration]]

Linux Security Hardening - Revision history

Admin: New server guide