Hardening The Linux BoX

After setting up the Gateway, the next Q was: how could I H4RD3N this machine?

Hardening a Linux machine… huhh… you could write a book on that. Securing a Linux system, called hardening, can be done using both manual methods and open source security solutions. So I ask some Q to

0. What am I supposed to do with the system.
It should act as a gateway to access my resources from outside (dedicated) networks.

1. Does it have any wild connection to meet up with any unknown people.
No; so far it is not connected to the Internet

2. How about users.
I am going to provide a common usrname and passwd, yeah… but I don’t know them personally.

3. Should I allow the users to play with the system and keep their files.
NO, not even the execute permission. Please, no junk/bulky files.

4. After all, how do I monitor this box.
iptraf [it's just a breeze]
…so my hardening process focuses on the operating system rather than on any extra powerful tools.


0. The message shown before authentication.
Access to this computer system is restricted to personnel of the
[your wish is my command]. All connections are logged.
By attempting connection without permission, you are in violation of law and ethics.

1.a Edited /etc/motd

1. No. of users to access the system
a) root
b) admin (enable sudo)
c) Let there be users :)
2. Iptables and TCP wrappers enabled (allow access to SSH and HTTPD)

sshd:ALL EXCEPT 10. 192.168.
httpd:ALL EXCEPT 10. 192.168.

3. Disable remote ssh as root; only console access.
4. ssh service enabled only for usr xxx and local networks.

Changes done on /etc/ssh/sshd_config
# Restrict to SSH protocol 2
Protocol 2
PermitRootLogin no
# The file which contains the message displayed before authentication
Banner /etc/warn.txt
RhostsAuthentication no
IgnoreRhosts yes
RhostsRSAAuthentication no

5. Prevent executables, device files and set-uid executables from being used in the /home directory

Changes done on /etc/fstab
LABEL=/home /home ext3 noexec,nodev,nosuid,usrquota 1 2
6. Set-up quota for usr xxx.
Soft limit 200 MB, hard limit 250 MB (the 50 MB in between has a grace period of 7 days)

7. Disable GCC for normal users; including Admin :) chmod 750

7-5-0 2 root root 94800 Feb 30 2004 /usr/bin/gcc

8. Disable all unwanted services.

camel # chkconfig --list | grep on
camel # chkconfig --list | awk '/xinetd based services/,/""/'
9. Enable the syslog service and configure iptraf
10. Keep up to date with the latest security news and watch the weekly advisories issued by vendors.
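
An added example, not part of the original post: a small shell audit for the sshd_config and /etc/fstab changes in steps 3 to 5. sshd uses the first occurrence of each keyword, so a line appended below an existing one changes nothing. The function names and the sample files are constructed here for illustration.

```shell
#!/bin/sh
# Added example: audit the sshd_config and fstab settings listed in the post.

# Effective global value of an sshd_config keyword. sshd keeps the FIRST
# occurrence of a keyword, and keyword names are case-insensitive.
sshd_value() {  # usage: sshd_value FILE KEYWORD
    awk -v key="$2" '
        /^[ \t]*(#|$)/ { next }                # skip comments and blank lines
        tolower($1) == "match" { exit }        # global section ends at first Match
        tolower($1) == tolower(key) { print $2; exit }
    ' "$1"
}

# Options from WANTED that MOUNTPOINT lacks in an fstab file
# (all of them when the mount point has no entry at all).
fstab_missing() {  # usage: fstab_missing FILE MOUNTPOINT "opt1 opt2 ..."
    awk -v mp="$2" -v want="$3" '
        /^[ \t]*#/ { next }
        $2 == mp {
            seen = 1; n = split($4, have, ","); m = split(want, w, " ")
            for (i = 1; i <= m; i++) {
                ok = 0
                for (j = 1; j <= n; j++) if (have[j] == w[i]) ok = 1
                if (!ok) miss = miss (miss ? " " : "") w[i]
            }
            exit
        }
        END { print (seen ? miss : want) }
    ' "$1"
}

# Constructed sample files, so the script runs offline.
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
printf '%s\n' 'Protocol 2' 'PermitRootLogin no' 'Banner /etc/warn.txt' \
    'IgnoreRhosts yes' > "$tmp/sshd_good"
# A "PermitRootLogin no" appended below an existing "yes" has no effect.
printf '%s\n' '# constructed' 'permitrootlogin yes' 'PermitRootLogin no' > "$tmp/sshd_bad"
printf '%s\n' 'LABEL=/home /home ext3 noexec,nodev,nosuid,usrquota 1 2' > "$tmp/fstab_good"
printf '%s\n' 'LABEL=/ / ext3 defaults 1 1' \
    'LABEL=/home /home ext3 defaults,nosuid 1 2' > "$tmp/fstab_bad"

for f in good bad; do
    echo "$f: PermitRootLogin=$(sshd_value "$tmp/sshd_$f" PermitRootLogin)" \
         "/home missing: [$(fstab_missing "$tmp/fstab_$f" /home 'noexec nodev nosuid')]"
done
```

On a real box, point the two functions at /etc/ssh/sshd_config and /etc/fstab; settings inside Match blocks are not evaluated by this check.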
