Ask any geek and they'll tell you how fun it is to install Linux on a new machine. Whether you're trying out a new distro or installing an upgraded version, there is something cathartic about jumping on the Linux bandwagon and hacking away on a new system. Although Linux by nature is more secure than Windows, there are still steps that need to be taken after installation to ensure that you have hardened your system and prepped it for hours of fun use. Follow these steps to help harden your Linux OS. While this is not a comprehensive list, it will start you on your path to a more secure OS. This article assumes the user is familiar with running commands as root. For further assistance on any of these tips, the fastest option is to perform a web search for your particular OS; there are hundreds of community forums where your question has likely already been answered.
1) Update the OS
After you have logged into your system for the first time, updating the OS should be the first action you take. Open a terminal and, depending on the flavor of Linux you are running, run the command:
For Debian-based systems:
sudo apt-get update && time sudo apt-get dist-upgrade
For Red Hat-based systems:
su -c 'yum update'
2) Enable the firewall
If you are running Ubuntu, the firewall is disabled by default. I highly recommend you use the graphical firewall interface ‘GUFW,’ which is an acronym for ‘Graphical Uncomplicated FireWall.’ Install GUFW by passing the terminal command:
sudo apt-get install gufw
After GUFW is installed, you can open it by passing the command:
gufw
Open GUFW and turn the firewall ON by sliding the Status button to the right. For most users, the default options of Incoming: Deny and Outgoing: Allow will be sufficient, but custom rules can be easily added.
systemctl enable firewalld
To configure the firewall and verify blocks, you can open the firewall by navigating to: System → Administration → Firewall from the panel or type:
system-config-firewall
at a shell prompt.
3) Install Antivirus Software
This is a hot-button issue that elicits strong opinions from both sides. Despite the fact that malware and viruses are written primarily for Windows, my opinion is that AV software only helps harden a system. Users should seize any opportunity to make a system more secure. The best free AV solution is ClamAV, but there are other Linux AV products available, such as Sophos, ESET, Comodo and Bitdefender.
4) Third-Party Software
Third-party software should always be installed under the directory /opt. Help minimize your attack surface by removing unneeded programs/processes that start up automatically. The command ‘netstat -npl’ lists all the currently running services; if you can identify services you do not need, then take the steps necessary to uninstall the application(s) tied to those services. The ‘top’ command is handy for looking at what processes are eating up the most system resources, but I recommend installing and using ‘htop’ by passing the command:
sudo apt-get install htop
The command ‘pstree’ is another cool way of looking at processes; it lays them out in a tree format.
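To make the netstat review above easier, this added example (not part of the original article) filters `netstat -npl` output down to the TCP/UDP listeners that other machines can reach. The function names and the sample output are constructed for illustration.

```shell
#!/bin/sh
# Added example: reduce `netstat -npl` output to the listeners that other
# machines can reach, which are the ones worth reviewing first.

# Reads netstat output on stdin, prints "proto local-address program".
exposed_listeners() {
    awk '$1 !~ /^(tcp|udp)/ { next }       # headers and UNIX-domain sockets
         $4 ~ /^(127\.|::1:)/ { next }     # bound to loopback only
         {
             prog = "-"                    # netstat shows "-" without root
             # UDP rows have no State column, so locate the PID/Program field.
             for (i = 6; i <= NF; i++)
                 if ($i ~ /^[0-9]+\//) { prog = $i; sub(/^[0-9]+\//, "", prog); break }
             print $1, $4, prog
         }'
}

# Constructed sample of `sudo netstat -npl` output (not from a real host).
sample_netstat() {
    cat <<'EOF'
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address    Foreign Address  State    PID/Program name
tcp        0      0 0.0.0.0:22       0.0.0.0:*        LISTEN   812/sshd
tcp        0      0 127.0.0.1:631    0.0.0.0:*        LISTEN   640/cupsd
tcp6       0      0 ::1:631          :::*             LISTEN   640/cupsd
udp        0      0 0.0.0.0:68       0.0.0.0:*                 701/dhclient
Active UNIX domain sockets (only servers)
unix  2      [ ACC ]     STREAM     LISTENING     14012    1/init    /run/systemd/private
EOF
}

sample_netstat | exposed_listeners
```

On a real machine, pipe the live output in instead: `sudo netstat -npl | exposed_listeners`.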
5) Disable SSH Root Login
Disable SSH Root user access by opening the file
/etc/ssh/sshd_config
in your favorite text editor. Search for the line:
#PermitRootLogin no
Remove the pound sign (#) from the beginning of the line. Close the file and restart the SSH service by passing this command:
6) Disable X Windows
If you are building a Linux file/mail/print server, there is no need to run X Window desktops like Gnome or KDE. You can increase the security and performance of a server by disabling X Windows. The following will disable X Windows by changing the run level command. Open the file:
/etc/inittab
Find the line that reads:
id:5:initdefault:
Change the line to:
7) Disable USB ‘Thumb Drive’ Storage
If you want to make sure no one can use a thumb drive on your Linux machine, here’s an easy way to disable USB storage. Open your favorite text editor and create a new text file. Add the following line into this new text file:
install usb-storage /bin/true
Save the file as usb-storage.conf under the directory /etc/modprobe.d/
Reboot your machine and test the new configuration by connecting a USB thumb drive – it should fail to mount.
8) Disable CTRL-ALT-DELETE
If you are building a production server, it is a good idea to disable the Ctrl-Alt-Delete option that initiates the reboot process. In your text editor, open the file
/etc/inittab
Locate the line that reads:
ca::ctrlaltdel:/sbin/shutdown -t3 -r now
Comment the line out by prefixing it with a pound sign (#) at the start of the line.
9) BIOS Security
Enter your BIOS configuration and disable booting from CD/DVD, USB, external & floppy drives. Enable the BIOS password and choose a strong password.
10) Audit your system
There are several free tools available to audit your system. One of them I recommend is Lynis: an open source tool that performs a local security assessment and audits local services for vulnerabilities. It is light-weight and easy to use; just unzip it and run the command
./lynis audit system
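A small companion check for the file edits from steps 5, 7 and 8, added here as an example; it is not part of the original article and not part of Lynis. The function names and the sample tree are constructed, and the sshd_config scan also stops at a Match line, which goes beyond the single line the article edits.

```shell
#!/bin/sh
# Added example: check the edits from steps 5, 7 and 8 under a root directory,
# so a copy of /etc can be audited the same way as the live system ("/").

# Step 5: sshd uses the first uncommented occurrence of a keyword; lines
# after a "Match" line are conditional, so the global scan stops there.
root_login_setting() {
    [ -r "$1/etc/ssh/sshd_config" ] || { echo missing; return 0; }
    awk '$1 ~ /^#/ { next }
         tolower($1) == "match" { exit }
         tolower($1) == "permitrootlogin" { print tolower($2); hit = 1; exit }
         END { if (!hit) print "unset" }' "$1/etc/ssh/sshd_config"
}

# Step 7: an active "install usb-storage /bin/true" line in modprobe.d.
# modprobe treats "-" and "_" in module names as the same character.
usb_storage_state() {
    if grep -Eqs '^[[:space:]]*install[[:space:]]+usb[-_]storage[[:space:]]+/bin/true' \
        "$1"/etc/modprobe.d/*.conf; then echo blocked; else echo allowed; fi
}

# Step 8: no uncommented ctrlaltdel action may remain in /etc/inittab.
ctrlaltdel_state() {
    [ -r "$1/etc/inittab" ] || { echo no-inittab; return 0; }
    if grep -Eq '^[^#]*:ctrlaltdel:' "$1/etc/inittab"; then echo enabled; else echo disabled; fi
}

# Prints one summary line; the return status is the number of failed checks.
audit_hardening() {
    ssh=$(root_login_setting "$1"); usb=$(usb_storage_state "$1"); cad=$(ctrlaltdel_state "$1")
    fails=0
    [ "$ssh" = no ] || fails=$((fails + 1))
    [ "$usb" = blocked ] || fails=$((fails + 1))
    [ "$cad" != enabled ] || fails=$((fails + 1))
    echo "PermitRootLogin=$ssh usb-storage=$usb ctrlaltdel=$cad failed=$fails"
    return "$fails"
}

# Constructed sample tree: the PermitRootLogin line is still commented out.
demo=$(mktemp -d)
mkdir -p "$demo/etc/ssh" "$demo/etc/modprobe.d"
printf '#PermitRootLogin no\nMatch User backup\n  PermitRootLogin no\n' > "$demo/etc/ssh/sshd_config"
printf 'install usb-storage /bin/true\n' > "$demo/etc/modprobe.d/usb-storage.conf"
printf '#ca::ctrlaltdel:/sbin/shutdown -t3 -r now\n' > "$demo/etc/inittab"
audit_hardening "$demo" || echo "checks failed: $?"
rm -rf "$demo"
```

On a live system, `sshd -T` prints the effective configuration, including any Include files that this file-level scan does not follow.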