Linux Server Hardening

Below is an example checklist for Linux server hardening:

  • All ports except SSH and HTTP are blocked. On some of the servers, the DNS and SMTP ports are open for name resolution and for sending mail.
  • We have hardened the kernel to disable all unnecessary services. This has been done at the kernel level, and the kernel is recompiled. Unwanted services are also switched off at startup.
  • The latest version of the SMP kernel is installed, which fixes all the bugs for Linux x.x versions.
  • Unwanted services in the /etc/rc.d/init.d/ area are disabled.
  • We have set proper file permissions on the respective system and application areas so that each process runs under the specific user that is supposed to invoke and run it.
  • inetd services are not running.
  • Separate partitions are created for /usr/, /usr/local/, /var, database, programs, data files and backup. This is to prevent hacking on well-known partitions and to fine-tune application performance.
  • Appropriate patches, those for the existing versions and most compatible with the Linux x.x version, have been applied to all the major vulnerable modules, including PHP and Apache.
  • A patched version of BIND for Linux x.x is installed on all DNS servers.
  • A patched version of sendmail for Linux x.x is installed on all servers that use sendmail.
  • A patched version of the file utilities for Linux x.x is installed on all the servers.
  • A patched version of the file module for Linux x.x is installed on all the servers.
  • A patched version of the Samba module for Linux x.x is installed on all servers that use Samba.
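
One way to audit the first checklist item from the host side, as an added example that is not part of the original checklist: the script below reports every non-loopback listening socket whose port falls outside the allowed set. Assumptions: the function names, the two port profiles (22 and 80 everywhere, plus 53 and 25 on DNS and mail servers) and the sample `ss -H -tuln` lines are constructed for illustration, and a listening socket is treated as the host-side sign of a port the firewall should block.

```shell
#!/bin/sh
# Added example (not from the original checklist): compare listening sockets
# with the port policy in the first checklist item.

# Constructed sample of `ss -H -tuln` output so the script runs offline.
sample_ss_output() {
    cat <<'EOF'
tcp   LISTEN 0      128          0.0.0.0:22        0.0.0.0:*
tcp   LISTEN 0      511          0.0.0.0:80        0.0.0.0:*
tcp   LISTEN 0      100          0.0.0.0:25        0.0.0.0:*
tcp   LISTEN 0      80         127.0.0.1:3306      0.0.0.0:*
tcp   LISTEN 0      64           0.0.0.0:2049      0.0.0.0:*
udp   UNCONN 0      0            0.0.0.0:111       0.0.0.0:*
tcp   LISTEN 0      128             [::]:22           [::]:*
EOF
}

# unexpected_listeners ALLOWLIST
# Reads `ss -H -tuln` lines on stdin and prints "proto/port address" for each
# non-loopback listener whose port is not in the comma-separated ALLOWLIST.
unexpected_listeners() {
    awk -v allow="$1" '
        BEGIN { n = split(allow, p, ","); for (i = 1; i <= n; i++) ok[p[i]] = 1 }
        NF >= 5 {
            addr = $5                       # local address:port column
            k = split(addr, parts, ":")
            port = parts[k]                 # text after the last colon
            host = substr(addr, 1, length(addr) - length(port) - 1)
            # Loopback-only listeners are not reachable from the network.
            if (host ~ /^127\./ || host == "[::1]") next
            if (!(port in ok)) print $1 "/" port " " host
        }' | sort -u
}

# Hypothetical profiles derived from the checklist wording.
WEB_PORTS="22,80"             # SSH and HTTP only
DNS_MAIL_PORTS="22,80,53,25"  # servers that also run DNS and SMTP

echo "Listeners outside the SSH/HTTP profile:"
sample_ss_output | unexpected_listeners "$WEB_PORTS"
echo "Listeners outside the DNS/SMTP server profile:"
sample_ss_output | unexpected_listeners "$DNS_MAIL_PORTS"
# On a live host: ss -H -tuln | unexpected_listeners "$WEB_PORTS"
```

An empty report means every network-reachable listener matches the chosen profile; it does not replace checking the firewall rules themselves.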