Home / Articles / Securing Linux Servers: Hardening Practices Every Administrator Should Know
Securing Linux Servers: Hardening Practices Every Administrator Should Know
Linux

Securing Linux Servers: Hardening Practices Every Administrator Should Know

Default Linux installations prioritise convenience over security. Hardening practices transform servers into defensible systems that resist attack.

Published 24 December 2024 16 min

# Securing Linux Servers: Hardening Practices Every Administrator Should Know

Fresh Linux installations work out of the box. You can deploy applications immediately. This convenience comes at cost. Default configurations prioritise usability over security. Services run that you do not need. Permissions allow more than necessary.

Hardening transforms default installations into properly secured systems. Each change reduces attack surface or increases detection capability. Layered together, these practices create systems that resist attack and limit damage when breaches occur.

## Minimise the Attack Surface

The simplest vulnerabilities to eliminate are in software you do not run. Every service is potential attack vector.

**Start with minimal installations.** Full desktop environments on servers install unnecessary software. Select minimal or server installations.

**Inventory running services.** Use systemctl to list active services. Question each one. Does this server need cups printing service? Disable services that serve no purpose.

**Remove unnecessary packages.** What was installed during initial setup may not be needed now. Review and remove what lacks purpose.

**Close unnecessary ports.** Servers should expose only services they provide. Firewall rules should default deny with specific allows.

## User and Access Management

User accounts and their privileges determine who can access what.

**Disable or remove default accounts.** Fresh installations may include accounts you never use.

**Implement strong authentication.** Passwords should meet complexity requirements. Consider multi factor authentication for privileged access. SSH key authentication beats passwords.

**SSH configuration matters significantly.** Disable root login. Disable password authentication when using keys. Limit which users can connect.

**Sudo configuration** controls privilege escalation. Grant least privilege necessary. Avoid NOPASSWD where possible. Configure logging of sudo usage.

## Mandatory Access Controls

Discretionary access controls based on file permissions have limits. Mandatory access controls like SELinux and AppArmor provide stronger containment.

**SELinux** enforces policies beyond traditional permissions. Processes can only access resources explicitly allowed by policy. Even root cannot bypass SELinux restrictions without changing the policy.

Running SELinux in **enforcing mode** provides protection. Permissive mode only logs violations without preventing them.

**AppArmor** provides similar capability with different approach. Path based controls may be easier to understand.

## Network Security

**Firewall configuration** should default deny. Only allow traffic specifically required. Use iptables, nftables, or firewalld.

**Host based intrusion detection** like Fail2ban blocks repeated authentication failures. OSSEC provides more comprehensive detection.

**Segment networks** where possible. Application servers should not reach management networks.

## Patching and Updates

Unpatched vulnerabilities are low hanging fruit for attackers.

**Establish patching processes.** Regular update schedules ensure patches apply. Emergency processes handle critical updates quickly.

**Automatic security updates** reduce exposure. Some distributions offer unattended upgrades for security patches.

**Monitor vulnerability announcements.** Security mailing lists for your distribution provide notice.

If your organisation needs help hardening Linux servers, contact us through our contact page.