Linux Hardening Techniques
1. Secure the BIOS and disable USB boot options
2. Encrypt and secure the GRand Unified Bootloader (GRUB)
3. Lock the boot directory
4. Disable SUID and SGID permissions
5. Encrypt disk storage using LUKS or similar tools
6. Create separate disk partitions for /boot, /usr, /home, /var, /var/tmp, /tmp, /etc/apache2 etc. and use the ext4 or XFS filesystem only
7. Enable disk quotas to limit usage of the Linux filesystem by other users.
8. Keep the Linux kernel and packages updated
9. Enable SELinux. SELinux can help prevent intruders from exploiting a system.
10. Ensure server logging and log rotation are turned on.
11. Remove or disable Linux packages which are not needed or not used, to minimize vulnerabilities related to out-of-date packages.
12. Disable unnecessary services such as anacron, bluetooth, hidd, cups and autofs.
13. Encrypt data communication and avoid legacy communication protocols and services such as xinetd, nis, tftpd, telnet, rsh-server, rsh-redone-server etc.
14. Disable login as "Super User" and control the users' access with sudo privileges by putting the root users in a group. Example: # groupadd <list of users to be given SU rights>.
CYBERDEFENDERS AT WORK
15. Inventory user accounts and enforce a password policy
16. Set login lockouts after 5 or more consecutive login failures to slow down brute-force attacks.
17. Harden the SSH server: no empty passwords, changing the default port, disabling the legacy SSH v1 protocol, disabling root access and enabling MFA for SSH logins are some of the critical hardening activities.
18. Configure iptables and firewalls to block specific IP addresses or a range of them using iptables.
19. Disable IP forwarding, sending of packet redirects and ICMP redirects
20. Disable IPv6 (Internet Protocol version 6) connectivity if you are not using IPv6 at all.
21. Remove or change permissions for world-writable files and set the appropriate sticky bits to prevent compromises to files by any user.
22. Define ownership of, or remove, no-owner files, i.e. files without any user ownership.
23. Disable USB, FireWire/Thunderbolt devices
24. Prevent standard users' read/write access to cron by adding their usernames to /etc/cron.deny.
25. Restrict core dumps
26. Enable Exec Shield to provide protection against buffer overflow attacks. Exec Shield features include prevention of execution in memory data space, and special handling of text buffers.
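The separate-partitions item above is easy to state and easy to drift from after a reinstall or a cloud image rebuild. The following script is an added example, not part of the original checklist: it reads any fstab-format file and reports which of the listed directories lack their own entry or sit on a filesystem other than ext4 or XFS. The sample fstab (device UUIDs included) is constructed for the demonstration; on a host you would point check_fstab at /etc/fstab and extend REQUIRED_MOUNTS with anything else your layout separates, such as /etc/apache2.

```bash
#!/usr/bin/env bash
# Added example, not part of the original checklist: confirm that the directories the
# checklist asks to keep on separate partitions have their own fstab entry and use
# ext4 or XFS. It reads any fstab-format file, so it runs offline on the constructed
# sample below and on a host with: check_fstab /etc/fstab

REQUIRED_MOUNTS="/boot /usr /home /var /var/tmp /tmp"

# check_fstab FSTAB_FILE
# Prints one line per problem; returns 0 only if every required mount point is a
# separate ext4 or xfs entry.
check_fstab() {
    local fstab="$1" mp fstype rc=0
    for mp in $REQUIRED_MOUNTS; do
        # fstab fields: device mountpoint fstype options dump pass (comments/blank lines skipped)
        fstype=$(awk -v mp="$mp" '$0 !~ /^[[:space:]]*(#|$)/ && $2 == mp { print $3; exit }' "$fstab")
        if [ -z "$fstype" ]; then
            echo "MISSING  $mp has no separate entry (it shares its parent filesystem)"
            rc=1
        elif [ "$fstype" != "ext4" ] && [ "$fstype" != "xfs" ]; then
            echo "FSTYPE   $mp uses $fstype, expected ext4 or xfs"
            rc=1
        fi
    done
    return "$rc"
}

# Constructed sample fstab: /tmp has no separate partition and /home is on btrfs.
SAMPLE_FSTAB=$(mktemp)
cat > "$SAMPLE_FSTAB" <<'EOF'
# <device>         <mount>   <type>  <options>         <dump> <pass>
UUID=root-uuid     /         ext4    defaults          0 1
UUID=boot-uuid     /boot     ext4    defaults,nodev    0 2
UUID=usr-uuid      /usr      xfs     defaults          0 2
UUID=home-uuid     /home     btrfs   defaults          0 2
UUID=var-uuid      /var      ext4    defaults          0 2
UUID=vartmp-uuid   /var/tmp  ext4    defaults,nosuid   0 2
EOF

check_fstab "$SAMPLE_FSTAB" || echo "sample fstab fails the check, as intended"
```

The check looks only at the second and third fstab fields, so a bind mount or a /tmp provided by tmpfs is reported as a deviation; whether that is acceptable is a policy decision for the host, and the script makes the deviation visible rather than deciding it.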
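Three items in the checklist (SUID/SGID bits, world-writable files and sticky bits, files with no owner) are all answered by the same tool, find, and are usually audited together. The script below is an added example, not from the original checklist: audit_perms walks a tree and labels each finding by category, and count_findings turns that into numbers you can track between audits. The sample tree is constructed in a temporary directory so the output is predictable; on a real host you would run it as root against / (the -xdev flag keeps it on one filesystem, so run it once per mounted filesystem).

```bash
#!/usr/bin/env bash
# Added example, not part of the original checklist: audit a directory tree for the
# permission problems the checklist names: SUID/SGID files, world-writable files,
# world-writable directories without the sticky bit, and files with no owner/group.
# Run against / on a real host (as root); here it runs on a constructed temp tree.

# audit_perms ROOT
# Prints "CATEGORY path" per finding, sorted.
audit_perms() {
    local root="$1"
    {
        # SUID / SGID files: candidates for chmod u-s / g-s when the bit is not needed
        find "$root" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print | sed 's/^/SUID_SGID /'
        # World-writable regular files
        find "$root" -xdev -type f -perm -0002 -print | sed 's/^/WORLD_WRITABLE /'
        # World-writable directories lacking the sticky bit (anyone can delete others' files)
        find "$root" -xdev -type d -perm -0002 ! -perm -1000 -print | sed 's/^/NO_STICKY /'
        # Files whose uid/gid no longer maps to a user or group (no-owner files)
        find "$root" -xdev \( -nouser -o -nogroup \) -print | sed 's/^/NO_OWNER /'
    } | sort
}

# count_findings ROOT [CATEGORY]
# Number of findings in CATEGORY (all categories if omitted).
count_findings() {
    local root="$1" category="${2:-}"
    audit_perms "$root" | awk -v c="$category" 'c == "" || $1 == c' | wc -l | tr -d ' '
}

# Constructed sample tree
SAMPLE_ROOT=$(mktemp -d)
mkdir -p "$SAMPLE_ROOT/shared" "$SAMPLE_ROOT/tmpdir"
: > "$SAMPLE_ROOT/setuid_tool";  chmod 4755 "$SAMPLE_ROOT/setuid_tool"    # SUID
: > "$SAMPLE_ROOT/setgid_tool";  chmod 2755 "$SAMPLE_ROOT/setgid_tool"    # SGID
: > "$SAMPLE_ROOT/shared/notes"; chmod 0666 "$SAMPLE_ROOT/shared/notes"   # world-writable file
chmod 0777 "$SAMPLE_ROOT/shared"   # world-writable dir, no sticky bit: reported
chmod 1777 "$SAMPLE_ROOT/tmpdir"   # world-writable dir WITH sticky bit: not reported
: > "$SAMPLE_ROOT/normal";       chmod 0644 "$SAMPLE_ROOT/normal"         # nothing to report

audit_perms "$SAMPLE_ROOT"
```

The NO_OWNER category cannot be demonstrated in the constructed tree without root (chown to a non-existent uid is privileged), so it is included in the scan but produces no lines in the sample run. The SUID_SGID list is an inventory, not a verdict: compare it against the distribution's expected set (passwd, su, sudo and a handful of others) and remove the bit only from what is left over.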
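The SSH hardening item lists several settings that all live in sshd_config. The script below is an added example, not from the original checklist: it reads a config file with sshd's own rules (keywords are case-insensitive and the first occurrence of a keyword wins) and flags the weak values. Both sample configs are constructed for the demonstration; on a host you would pass /etc/ssh/sshd_config. The defaults it assumes when a keyword is absent (PermitRootLogin prohibit-password, PermitEmptyPasswords no, PasswordAuthentication yes) are OpenSSH's documented defaults.

```bash
#!/usr/bin/env bash
# Added example, not part of the original checklist: check an sshd_config for the
# settings the SSH hardening item asks for. Reads a file path so it can be pointed at
# /etc/ssh/sshd_config on a host or at a constructed copy here. Match blocks are not
# evaluated; only global settings are checked.

# sshd_get CONFIG KEYWORD -> effective value (first match wins), or nothing if unset
sshd_get() {
    local config="$1" key="$2"
    awk -v key="$key" '
        $0 !~ /^[[:space:]]*(#|$)/ && tolower($1) == tolower(key) { print $2; exit }
    ' "$config"
}

# audit_sshd CONFIG -> prints FAIL/WARN/INFO lines; returns 1 if any FAIL
audit_sshd() {
    local config="$1" rc=0 v

    v=$(sshd_get "$config" PermitRootLogin)
    [ "$v" = "no" ] || { echo "FAIL PermitRootLogin is '${v:-unset (default prohibit-password)}', want no"; rc=1; }

    v=$(sshd_get "$config" PermitEmptyPasswords)
    [ "${v:-no}" = "no" ] || { echo "FAIL PermitEmptyPasswords is '$v', want no"; rc=1; }

    # OpenSSH 7.4+ only speaks protocol 2; on older servers any value other than "2" allows SSHv1
    v=$(sshd_get "$config" Protocol)
    if [ -n "$v" ] && [ "$v" != "2" ]; then echo "FAIL Protocol '$v' permits SSHv1"; rc=1; fi

    # MFA: require a key plus a keyboard-interactive (PAM/OTP) factor, and turn password-only logins off
    v=$(sshd_get "$config" AuthenticationMethods)
    [ -n "$v" ] || { echo "FAIL AuthenticationMethods unset: no second factor required"; rc=1; }
    v=$(sshd_get "$config" PasswordAuthentication)
    [ "$v" = "no" ] || echo "WARN PasswordAuthentication is '${v:-unset (default yes)}'"

    # A non-default port changes nothing about exploitability but cuts scanner noise in the logs
    v=$(sshd_get "$config" Port)
    [ -n "$v" ] && [ "$v" != "22" ] || echo "INFO Port is ${v:-22} (default)"

    return "$rc"
}

WEAK_CFG=$(mktemp)
cat > "$WEAK_CFG" <<'EOF'
# Constructed sample: a permissive sshd_config
Port 22
Protocol 2,1
PermitRootLogin yes
PermitEmptyPasswords yes
PasswordAuthentication yes
EOF

HARD_CFG=$(mktemp)
cat > "$HARD_CFG" <<'EOF'
# Constructed sample: hardened sshd_config
Port 2222
PermitRootLogin no
PermitEmptyPasswords no
PasswordAuthentication no
PubkeyAuthentication yes
KbdInteractiveAuthentication yes
# key plus a PAM/OTP prompt as the second factor
AuthenticationMethods publickey,keyboard-interactive
# first occurrence wins in sshd_config, so this later line is ignored by sshd and by the audit
PermitRootLogin yes
EOF

echo "== weak ==";     audit_sshd "$WEAK_CFG" || true
echo "== hardened =="; audit_sshd "$HARD_CFG" && echo "OK"
```

Run `sshd -T` on the host as well: it prints the effective configuration after defaults and Match blocks are applied, which is the value that actually matters when a drop-in under /etc/ssh/sshd_config.d overrides the main file.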
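The IP forwarding, packet redirect and ICMP redirect item and the IPv6 item are kernel parameters set through sysctl. What follows is an added example, not from the original checklist: the hardened values as a sysctl.d fragment, plus a checker that compares any sysctl.conf-style file against them (later lines override earlier ones, as sysctl itself does). The fragment path is a suggestion and the weak sample file is constructed; on a host, `sysctl --system` loads the fragments and `sysctl -n KEY` shows the live value.

```bash
#!/usr/bin/env bash
# Added example, not part of the original checklist: the sysctl settings behind the
# IP forwarding / redirects item and the IPv6 item, as a sysctl.d fragment, plus a
# checker that compares a sysctl.conf-style file against the desired values.

HARDENED_SYSCTL='
# Not a router: do not forward packets between interfaces
net.ipv4.ip_forward = 0
net.ipv6.conf.all.forwarding = 0
# Do not send ICMP redirects (only routers should)
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
# Ignore ICMP redirects received from the network
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.all.secure_redirects = 0
net.ipv4.conf.default.secure_redirects = 0
net.ipv6.conf.all.accept_redirects = 0
net.ipv6.conf.default.accept_redirects = 0
# Disable IPv6 only if it is genuinely unused on this host
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
'

# write_hardened_sysctl PATH -> writes the fragment (suggested: /etc/sysctl.d/60-hardening.conf)
write_hardened_sysctl() { printf '%s\n' "$HARDENED_SYSCTL" > "$1"; }

# sysctl_file_get FILE KEY -> last value set for KEY in FILE (later lines override earlier ones)
sysctl_file_get() {
    awk -F= -v key="$2" '
        $0 !~ /^[[:space:]]*(#|;|$)/ {
            gsub(/[[:space:]]/, "", $1); gsub(/[[:space:]]/, "", $2)
            if ($1 == key) val = $2
        }
        END { if (val != "") print val }
    ' "$1"
}

# check_sysctl_file FILE -> prints MISSING/MISMATCH lines; returns 1 if any deviation
check_sysctl_file() {
    local file="$1" out
    out=$(printf '%s\n' "$HARDENED_SYSCTL" |
        awk -F= '$0 !~ /^[[:space:]]*(#|$)/ { gsub(/ /, ""); print $1, $2 }' |
        while read -r key want; do
            got=$(sysctl_file_get "$file" "$key")
            if [ -z "$got" ]; then
                echo "MISSING  $key (want $want)"
            elif [ "$got" != "$want" ]; then
                echo "MISMATCH $key = $got (want $want)"
            fi
        done)
    [ -z "$out" ] && return 0
    printf '%s\n' "$out"
    return 1
}

# Constructed sample: leftovers typical of a host that once ran containers or acted as a gateway
WEAK_SYSCTL=$(mktemp)
cat > "$WEAK_SYSCTL" <<'EOF'
net.ipv4.ip_forward = 1
net.ipv4.conf.all.send_redirects = 1
net.ipv4.conf.all.accept_redirects = 1
EOF

check_sysctl_file "$WEAK_SYSCTL" || echo "weak sample deviates, as intended"
```

Checking files catches configuration drift, but the live kernel is the ground truth: a container runtime or VPN client may flip ip_forward at run time without touching any file, so pair the file check with `sysctl -n net.ipv4.ip_forward` (and the other keys) on the running host.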