pyllyukko edited this page Mar 28, 2021 · 5 revisions

Bare minimum hardening

Just some ideas about what the bare minimum hardening of any given Linux installation should be. In addition to keeping it fully patched at all times, that is!! :)

Network

  • TCP wrappers
  • IP stack hardening (sysctl.conf)
  • Disable IPv6 if not needed

Basic firewall

What should it do? Just some ideas...

  • Set FORWARD chain's policy to DROP
  • Allow loopback traffic 127.0.0.1 <-> 127.0.0.1
  • Disallow ICMP timestamp requests & responses
  • Some rate limiting?
  • Drop INVALID packets
  • IPv6
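An added example, not part of this wiki or of harden.sh, that turns the list above (including the IPv6 bullet) into rulesets in iptables-restore / ip6tables-restore format. The SSH port, the rate limits, the spoofed-loopback rule and the set of ICMPv6 types allowed for neighbour discovery are assumptions; review them against what the host actually runs before applying.

```shell
#!/bin/sh
# Added example (not part of the harden.sh wiki). Prints rulesets that an
# operator can review with "firewall_rules_v4 | less" and then load with
# apply_firewall. INPUT and FORWARD default to DROP, so every inbound
# service must be opened explicitly (SSH on port 22 is the assumed example).

# IPv4 ruleset in iptables-restore format.
firewall_rules_v4() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Loopback traffic only between 127.0.0.1 and itself; 127/8 sources that
# arrive on any other interface are spoofed and dropped.
-A INPUT -i lo -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT
-A INPUT ! -i lo -s 127.0.0.0/8 -j DROP
# Drop packets the connection tracker cannot classify, then accept replies
# to connections we started.
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# ICMP timestamp request (type 13) and reply (type 14): drop inbound
# requests and replies, and never answer with a reply.
-A INPUT -p icmp --icmp-type 13 -j DROP
-A INPUT -p icmp --icmp-type 14 -j DROP
-A OUTPUT -p icmp --icmp-type 14 -j DROP
# Rate limiting: new SSH connections and echo requests (values are assumptions).
-A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -m limit --limit 4/min --limit-burst 8 -j ACCEPT
-A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/sec -j ACCEPT
COMMIT
EOF
}

# IPv6 ruleset in ip6tables-restore format. ICMPv6 cannot simply be dropped:
# neighbour discovery and router advertisements are needed on the link.
firewall_rules_v6() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -s ::1 -d ::1 -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p ipv6-icmp --icmpv6-type neighbour-solicitation -j ACCEPT
-A INPUT -p ipv6-icmp --icmpv6-type neighbour-advertisement -j ACCEPT
-A INPUT -p ipv6-icmp --icmpv6-type router-advertisement -j ACCEPT
-A INPUT -p ipv6-icmp --icmpv6-type echo-request -m limit --limit 1/sec -j ACCEPT
-A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -m limit --limit 4/min --limit-burst 8 -j ACCEPT
COMMIT
EOF
}

# Load both rulesets atomically (requires root and the conntrack modules).
apply_firewall() {
    firewall_rules_v4 | iptables-restore
    firewall_rules_v6 | ip6tables-restore
}
```

Because the rules are generated as text rather than applied one `iptables -A` at a time, the whole set can be diffed against the running configuration (`iptables-save`) and loaded in a single atomic step, which avoids the window where only half the rules are in place.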

Services

  • SSH hardening
  • Make sure NTP is running
  • su/sudo?

To disable

  • avahi-daemon
  • cups

User accounts

  • Lock down system accounts
  • Create ftpusers
  • Disable unnecessary shells
  • TMOUT
  • Configure securetty
  • Configure /etc/#.access || /etc/security/access.conf
  • Restrict at & cron

Passwords

  • Tweak password policy
  • Improve password hashing & rounds
  • Enable password complexity checking through passwdqc or cracklib when the distro is using PAM

Hardware/modules

Disable unneeded kernel modules (hardware drivers, rarely used file systems and network protocols) with /etc/modprobe.d/.
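An added example, not part of this wiki or of harden.sh, of how such a modprobe.d fragment can be generated and checked. The module list and the file name /etc/modprobe.d/hardening.conf are assumptions; the list must be reviewed against the hardware and file systems the host really needs.

```shell
#!/bin/sh
# Added example (not part of the harden.sh wiki). Module names use the
# underscore form that /proc/modules reports; modprobe accepts either form.
# This list is a constructed starting point, not a recommendation for every host.
UNNEEDED_MODULES="firewire_core thunderbolt bluetooth usb_storage cramfs freevxfs jffs2 hfs hfsplus squashfs udf dccp sctp rds tipc"

# Print a modprobe.d fragment for the given module names.
# "blacklist" only stops alias-based autoloading (e.g. when hardware is
# plugged in or a protocol family is requested); "install <mod> /bin/false"
# also makes an explicit "modprobe <mod>" fail, so both lines are emitted.
render_modprobe_blacklist() {
    for mod in "$@"; do
        printf 'blacklist %s\n' "$mod"
        printf 'install %s /bin/false\n' "$mod"
    done
}

# Read /proc/modules-style text on stdin and print those of the named
# modules that are currently loaded, one per line. Used to confirm that a
# module on the list is not already in use before it is disabled.
loaded_from_list() {
    awk -v want="$*" '
        BEGIN { n = split(want, w, " "); for (i = 1; i <= n; i++) wanted[w[i]] = 1 }
        ($1 in wanted) { print $1 }'
}

# Write the fragment (assumed path) and report modules that are still loaded;
# a loaded module is unaffected by modprobe.d until it is unloaded or rebooted.
apply_modprobe_blacklist() {
    render_modprobe_blacklist $UNNEEDED_MODULES > /etc/modprobe.d/hardening.conf
    loaded_from_list $UNNEEDED_MODULES < /proc/modules
}
```

The second function matters in practice: a blacklist entry does nothing to a module that is already resident, so the check tells the operator which of the listed modules need `rmmod` (or a reboot) before the policy is actually in effect.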

File system

  • fstab hardening

System

  • System accounting (sysstat)
  • Auditing
  • CA certs
  • ulimit?
  • Disable core dumps
  • Create legal banners if needed
  • Consider log retention time
  • Enable YAMA
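An added example, not part of this wiki or of harden.sh, that serves three items on this page at once: the "IP stack hardening (sysctl.conf)" bullet under Network, and the "Disable core dumps" and "Enable YAMA" bullets above, all of which are kernel settings applied through sysctl. It renders a sysctl fragment and audits the running kernel against it. The file path /etc/sysctl.d/99-hardening.conf is an assumption, and kernel.yama.ptrace_scope only exists on kernels built with YAMA.

```shell
#!/bin/sh
# Added example (not part of the harden.sh wiki). The audit takes a reader
# function as its argument so the same logic can be run against the live
# kernel ("sysctl -n") or against a test double.

# Print the desired sysctl settings in sysctl.conf format.
render_sysctl_conf() {
    cat <<'EOF'
# IP stack hardening
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.conf.all.log_martians = 1
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.icmp_ignore_bogus_error_responses = 1
net.ipv4.tcp_syncookies = 1
net.ipv4.ip_forward = 0
net.ipv6.conf.all.accept_redirects = 0
net.ipv6.conf.default.accept_redirects = 0
net.ipv6.conf.all.accept_ra = 0
net.ipv6.conf.default.accept_ra = 0
# Core dumps: setuid programs never dump (pair with "* hard core 0" in limits.conf)
fs.suid_dumpable = 0
# YAMA: a process may only be ptraced by its ancestors or an explicit PR_SET_PTRACER
kernel.yama.ptrace_scope = 1
# Hide kernel pointers and restrict dmesg to root
kernel.kptr_restrict = 2
kernel.dmesg_restrict = 1
EOF
}

# Reader for the live kernel: prints the current value of one key.
live_sysctl_value() {
    sysctl -n "$1" 2>/dev/null
}

# Compare every rendered setting to the value returned by the reader
# (default: the live kernel). Prints one line per mismatch and returns 1
# if any was found, so it can be used from cron or a CI job.
audit_sysctl() {
    reader="${1:-live_sysctl_value}"
    rc=0
    # Strip comments, blank lines and whitespace so each line is "key=value".
    for line in $(render_sysctl_conf | sed -e 's/#.*//' -e '/^[[:space:]]*$/d' -e 's/[[:space:]]//g'); do
        key="${line%%=*}"
        want="${line#*=}"
        have=$("$reader" "$key") || have="(unreadable)"
        if [ "$have" != "$want" ]; then
            printf '%s: want %s, have %s\n' "$key" "$want" "$have"
            rc=1
        fi
    done
    return "$rc"
}

# Persist the fragment (assumed path) and load it immediately.
apply_sysctl() {
    render_sysctl_conf > /etc/sysctl.d/99-hardening.conf
    sysctl -p /etc/sysctl.d/99-hardening.conf
}
```

Running `audit_sysctl` after boot catches the common failure mode where a setting is in the file but something later (a network manager, a container runtime, a module loaded after sysctl ran) has changed it back; a key the kernel does not know is reported as "(unreadable)" rather than silently passing.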