We have many hands-on guides on specific software, with all the commands. Most of them take time to work through and do not cover every issue. Here is a list of Linux server security hardening commands for new SSH users and new sysadmins. The guide is for cloud and virtual instances; securing a dedicated or colocated server is different, because there are extra ways of accessing the physical hardware.
What to Read Before Running Linux Server Security Hardening Commands
Readers should first look at the three-part IPTables guides :
If you follow those guides, it is actually difficult for a script kiddie to get in. As a general-purpose guideline, I have to say that :
---
- Install security updates
- Update Kernel
- Disable root access as SSH user
- Use secure passwords
- Bind processes to localhost
- Implement firewall
- Secure various configurations
- Limit access
- Remotely monitor systems
- Regularly backup
- Perform system auditing
- Separate IPv6 with reverse proxy
Linux Server Security Hardening Commands
Faillog
We can run the faillog command to check records, set login failure limits, etc. The faillog command reads from failure log files like /var/log/faillog. Here is the manual page of faillog for Ubuntu :
    http://manpages.ubuntu.com/manpages/zesty/man8/faillog.8.html
If you run :
    faillog -a
You’ll get :
    Login       Failures Maximum Latest                   On
    root            2592       0 01/01/70 05:30:00 +0530
    daemon             0       0 01/01/70 05:30:00 +0530
    bin                0       0 01/01/70 05:30:00 +0530
    sys                0       0 01/01/70 05:30:00 +0530
    ...
Accounts
We need to make sure that no account has an empty password and that no account except root has UID 0. We can run these two commands :
    awk -F: '($2 == "") {print}' /etc/shadow
    awk -F: '($3 == "0") {print}' /etc/passwd
Under normal conditions, only the second command gives output, and it should be just this line :
    root:x:0:0:root:/root:/bin/bash
Check Services and Packages
We can check the services on newer CentOS and Ubuntu with this command :
    systemctl list-unit-files --type=service
We can check the installed packages on Ubuntu and Debian with this command.
We can check the running (listening) network services :
    sudo netstat -tulpn
Other things we have actually covered in different previously published articles, like :
- List of Essential Security Tools For GNU/Linux Servers
- Day to Day Commands for Sysadmins
- server logs
- tools and commands for brute forcing
- checking Fail2Ban log etc.
What we list in this guide is not commonly used, and it will work as a self-reminder as well. It would be too big an article to list all the possible commands. From those linked guides, here is a command to count the "Failed password" entries for sshd in the auth log, per day :
    cat /var/log/auth.log* | grep 'Failed password' | grep sshd | awk '{print $1,$2}' | sort | uniq -c
The same for the gzipped (rotated) files :
    zcat /var/log/auth.log* | grep 'Failed password' | grep sshd | awk '{print $1,$2}' | sort | uniq -c
Example output :
    49 Feb 27
    55 Feb 28
    50 Mar 1
    78 Mar 10
    58 Mar 11
    53 Mar 12
    72 Mar 13
    58 Mar 14
    58 Mar 15
    61 Mar 16
    51 Mar 17
    62 Mar 18
    16 Mar 19
    63 Mar 2
    58 Mar 3
    50 Mar 4
    67 Mar 5
    55 Mar 6
    89 Mar 7
    57 Mar 8
    75 Mar 9
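The two one-liners above have to be run separately because cat cannot read the rotated .gz files and zcat cannot read the plain ones. Here is an added example (my own script, not from the original article) that does one pass over both, using a constructed set of sample log files rather than a real /var/log/auth.log; the file names and the sample lines are assumptions:

```sh
#!/bin/sh
# Count sshd "Failed password" events per day across rotated auth logs.
# Plain files are read with cat and *.gz files with gzip -dc, so one pass
# covers both the cat and the zcat one-liners.
# Output format: "<count> <Mon> <day>", in the same order as sort | uniq -c.
count_failed_logins() {
    dir="$1"; prefix="$2"
    for f in "$dir"/"$prefix"*; do
        [ -f "$f" ] || continue
        case "$f" in
            *.gz) gzip -dc "$f" ;;
            *)    cat "$f" ;;
        esac
    done | grep 'Failed password' | grep sshd \
         | awk '{print $1,$2}' | sort | uniq -c | sed 's/^ *//'
}

# Constructed sample logs (not real data) in a temp directory: one current
# file, one rotated plain file and one rotated gzip file. Prints the directory.
make_sample_logs() {
    d=$(mktemp -d)
    cat > "$d/auth.log" <<'EOF'
Mar  2 10:01:11 host sshd[1001]: Failed password for invalid user admin from 198.51.100.7 port 40012 ssh2
Mar  2 10:01:15 host sshd[1001]: Failed password for root from 198.51.100.7 port 40012 ssh2
Mar  2 10:05:00 host sshd[1002]: Accepted publickey for deploy from 203.0.113.5 port 50000 ssh2
Mar  3 01:00:00 host sshd[1003]: Failed password for root from 198.51.100.9 port 41000 ssh2
EOF
    cat > "$d/auth.log.1" <<'EOF'
Mar  1 23:59:59 host sshd[999]: Failed password for invalid user test from 198.51.100.7 port 39000 ssh2
EOF
    printf 'Feb 27 12:00:00 host sshd[900]: Failed password for root from 198.51.100.8 port 38000 ssh2\n' \
        | gzip -c > "$d/auth.log.2.gz"
    echo "$d"
}

# Run with --sample to summarise the constructed logs; on a real server the
# call is: count_failed_logins /var/log auth.log
if [ "${1:-}" = "--sample" ]; then
    count_failed_logins "$(make_sample_logs)" auth.log
fi
```

Note that the "invalid user" lines are counted too, exactly as in the original one-liners, since they also contain "Failed password".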
Now there are application-specific matters like securing Apache2, Nginx, PHP, MySQL, etc. We can protect files with chattr. We can use :
    chattr -R +i my-directory
to make the directory and everything in it “undeletable” (the immutable attribute).
The same works on individual files :
    chattr +i /etc/my.cnf
If you want to “undo” that undeletable state, you need to use the chattr -i command.