Simple Server Hardening

These days, it's more important than ever to tighten up the security on your servers, yet if you were to look at several official hardening guides, they read as though they were written for Red Hat from 2005. That's because they were written for Red Hat in 2005 and updated here and there through the years. I came across one of these guides when I was referring to some official hardening benchmarks for a PCI audit and realized if others new to Linux server administration were to run across the same guide, they likely would be overwhelmed with all of the obscure steps. Worse though, they likely would spend hours performing obscure sysctl tweaks and end up with a computer that was no more protected against a modern attack. Instead, they could have spent a few minutes performing a few simple hardening steps and ended up with a more secure computer at the end. So in this article, I describe a few hardening steps that provide the most bang for the buck. These tips should take only a few minutes, yet for that effort, you should get a much more secure system at the end.

Classic Hardening

Before I talk about some hardening recommendations, I figured I'd start by highlighting some of those classic security steps you are likely to see in those older hardening guides. Now this isn't to say that all of these steps are necessarily bad advice, it's just that in many cases the advice refers to deprecated systems or describes steps that modern Linux server distributions have taken by default for years.

For instance, many hardening guides spend a lot of time focusing on tcpwrappers, a classic Linux service that lets you restrict which IPs can access particular services. These days, most administrators use iptables firewall rules to restrict access to ports instead. You also will be advised to enable the use of shadow passwords and to disable shells on common role accounts (like the mail, bind, www and mysql users). Although that isn't bad advice, the fact is that all Linux distributions already do this for you out of the box.

Another tip you usually will see in a hardening guide is to disable all unnecessary services, and in particular, the guides will tell you to disable telnet, daytime, chargen and a number of other obscure inetd services that not only haven't been turned on by default in a long time, but in many cases they also aren't even installed by default anymore. The fact is that most server distributions ship with all network services apart from SSH turned off. Speaking of SSH, now that I've talked a bit about some classic hardening tips, let me discuss a few modern hardening tips starting with SSH.


Kyle Rankin is VP of engineering operations at Final, Inc., the author of many books including Linux Hardening in Hostile Networks, DevOps Troubleshooting and The Official Ubuntu Server Book, and a columnist for Linux Journal. Follow him @kylerankin