Hardening Linux: Security Best Practices with Bash Commands

In the world of Linux, system security is a priority for admins and users alike. While Linux is often praised for its robust security model, no system is infallible. Hardening your Linux system minimises the risk of attackers exploiting your machine. In this blog post, we will cover key security best practices and operational steps using Bash commands, tailored for various Linux package managers like apt (Debian/Ubuntu), dnf (Fedora), and zypper (openSUSE).

1. Keep Your System Updated

One of the simplest and most effective ways to secure your Linux system is to keep it updated. Updates often include patches for security vulnerabilities, so regular updates can prevent potential exploits.

Debian/Ubuntu (using `apt`)

sudo apt update && sudo apt upgrade

Fedora (using `dnf`)

sudo dnf check-update
sudo dnf upgrade --refresh

openSUSE (using `zypper`)

sudo zypper refresh
sudo zypper update

2. Minimise Installed Packages

The fewer programs you have installed, the smaller the attack surface of your system. Removing unnecessary packages can reduce potential vulnerabilities.

Debian/Ubuntu

sudo apt autoremove

To remove a specific package:

sudo apt remove [package-name]

Fedora

sudo dnf autoremove

To remove a specific package:

sudo dnf remove [package-name]

openSUSE

sudo zypper rm --clean-deps [package-name]

3. Manage User Privileges

Avoid using the root account for daily operations. Instead, create a non-privileged user for daily tasks and use sudo for commands requiring administrative privileges.

Adding a New User

sudo adduser [username]

Granting sudo privileges:

sudo usermod -aG sudo [username]

4. Harden Network Security

Configuring and hardening the firewall is crucial to managing what traffic is allowed to enter or exit your system.

Check Firewall Status and Enable It

For systems using ufw (Uncomplicated Firewall):

sudo ufw status
sudo ufw enable

To allow specific traffic, such as HTTP:

sudo ufw allow http

Fedora/openSUSE (using `firewalld`)

Checking status:

sudo firewall-cmd --state

Enabling and setting default zone:

sudo systemctl enable firewalld
sudo systemctl start firewalld
sudo firewall-cmd --set-default-zone=public

5. Secure SSH Access

Securing SSH is vital to preventing unauthorized access.

Edit SSH Configuration

Edit /etc/ssh/sshd_config with your preferred editor:

sudo nano /etc/ssh/sshd_config

Make changes such as:

PermitRootLogin no
PasswordAuthentication no
AllowUsers [username]

Restart SSH service to apply changes:

sudo systemctl restart sshd

6. Set Up Automatic Security Audits

Installing and configuring audit tools like auditd can help you keep track of security-related events.

Install `auditd`

sudo apt install auditd # Debian/Ubuntu
sudo dnf install auditd # Fedora
sudo zypper install auditd # openSUSE

Configuring `auditd`

Edit /etc/audit/audit.rules and then restart the audit daemon:

sudo systemctl restart auditd

Conclusion

Hardening your Linux system is an ongoing process and requires regular review and updates. By keeping your system updated, minimizing installed packages, managing user privileges, hardening network security, securing SSH access, and setting up security audits, you enhance your Linux system's defenses significantly. Regularly revisiting these steps will help keep your system secure against the evolving landscape of cyber threats.