Linux Server Hardening and Security Best Practices

No matter how many Linux hardening methods you apply, you must always be prepared for unforeseen problems. Backing up your workstation or server https://remotemode.net/ can prove extremely beneficial in the long run. Thankfully, a large number of backup utilities for Linux exist to make system backups easier.

  • On rpm-ostree distributions, make sure to use rpm-ostree kargs rather than editing the GRUB configuration directly.
  • In NIC bonding, we bond two or more Ethernet network cards together into a single virtual interface, to which we can assign an IP address for talking to other servers.
  • Although you may question its role when it comes to Linux hardening, it offers unquestionable benefits.
  • After loading the config file, the working directory is forced to /tmp/ and the global variable for the primary host is set based on the b_use_secondary_host config field.
  • It is always a good idea to disable as many peripherals as possible.
  • This family includes NerbianRAT, a cross-platform RAT with variants for Windows and Linux, and MiniNerbian, a small Linux backdoor.

If it succeeds, it forks itself, which is the only anti-debugging/anti-analysis trick embedded within the malware. Following this check, NerbianRAT begins its main initialization process. This cluster of activity, also described in a Darktrace report, was characterized by the download of a variety of payloads from attacker-controlled infrastructure. Some of these activities were publicly described but were not linked to any particular actor. It also seems unlikely that the vendors behind OpenELA would offer support for rival distros, but just in case, we checked.

Monitor User Activities

This disables debugfs, which exposes a lot of sensitive information about the kernel. How do you create an organization that is nimble, flexible and takes a fresh view of team structure? These are the keys to creating and maintaining a successful business that will last the test of time.

A kernel exploit from within the sandbox can bypass any restrictions, because the host kernel's entire attack surface remains exposed. There have been efforts to limit this attack surface with seccomp; however, it is not enough to fully fix the issue. Boot parameters pass settings to the kernel at boot time through your bootloader. Some of these settings can be used to increase security, similar to sysctl.

Secure your Linux Distro in 15 Steps

Linux Foundation Training and Certification and the Cloud Native Computing Foundation have launched a new course, Mastering Kubernetes Security with Kyverno (LFS255). X11, the X display server, is the basic framework for a graphical environment. Some older SSH versions might still have SSH protocol 1 available.

You should find every file that has the SUID or SGID bit set and disable those bits where they are not needed. The following commands will respectively list all files that have the SUID and SGID permission enabled. You should always use secure communication services such as ssh, scp, rsync or sftp for remote data transfer. Linux also allows users to mount remote filesystems using special tools like fuse or sshfs. Other Linux tools that offer data encryption services include OpenVPN, Lighttpd SSL, Apache SSL, and Let's Encrypt.

Tools

For these cases, you need to reach out to the maintainer of the snap to update the manifest accordingly. My strategy for dealing with this is to revoke all filesystem access first, then test whether an application works without it. If it does, the app is already using portals and no further action is needed. If it doesn't, I start granting permission to specific directories.

  • This causes the kernel to panic on uncorrectable errors in ECC memory, which could otherwise be exploited.
  • This command will display all quota information and create the files aquota.user and aquota.group in /home.
  • As a result, hardening your personal workstation, as well as server security, is a must.
  • The attacker will eventually escalate through other services and will likely gain full system control.