Linux Server Hardening Checklist

This checklist is based on industry standards (CIS Benchmarks, NIST, NSA guidelines) and real-world experience securing production Linux servers. Apply it to new deployments and audit existing systems regularly.

1. Physical & Boot Security

• Restrict physical access to servers
• Set BIOS/UEFI password and disable boot from external media
• Enable Secure Boot where supported
• Use full-disk encryption (LUKS) for sensitive data
• Set GRUB bootloader password
• Disable CTRL+ALT+DEL reboot in /etc/systemd/system.conf

2. Partitioning & Filesystem

• Separate partitions: /boot, /, /var, /var/log, /tmp, /home
• Mount /tmp with noexec,nodev,nosuid
• Mount /var/log and /home with nodev,nosuid
• Use ext4 or XFS with appropriate options
• Enable SELinux (enforcing) or AppArmor

3. Users & Authentication

• Minimize direct root login (disable or restrict via SSH)
• Use sudo for privilege escalation
• Enforce strong password policy (PAM cracklib/pwquality)
• Lock accounts after failed attempts
• Remove or lock unused system accounts
• Use key-based SSH authentication; disable password auth
• Set account expiration for temporary users

4. Services & Daemons

• Disable unnecessary services (use systemctl)
• Remove unused packages
• Run services as non-root users where possible
• Use systemd resource limits and sandboxing (ProtectSystem, PrivateTmp, etc.)

5. Network Security

• Configure host-based firewall (firewalld or nftables/iptables)
• Allow only required ports/protocols
• Disable IPv6 if not used
• Use SSH on non-standard port if appropriate
• Enable TCP SYN cookies and other kernel protections
• Restrict SSH to specific IPs or use VPN

6. File Permissions & Ownership

• Ensure critical files are owned correctly (root:root)
• Remove world-writable files/directories
• Minimize SUID/SGID binaries
• Set umask 027 for users
• Use find to audit permissions regularly

7. Updates & Patching

• Enable automatic security updates (unattended-upgrades or dnf-automatic)
• Subscribe to security advisories
• Test updates in staging before production
• Reboot when kernel updates require it

8. Logging & Monitoring

• Centralize logs with rsyslog
• Enable auditd for detailed auditing
• Monitor logs with tools (Prometheus, ELK, or Nagios)
• Set up alerts for suspicious activity

9. Additional Hardening

• Install and configure Fail2Ban
• Use AIDE or Tripwire for file integrity monitoring
• Disable core dumps
• Enable ASLR and other kernel hardening (sysctl)
• Regular vulnerability scanning

Hardening is an ongoing process — regular audits and updates are essential.

Need help implementing this checklist? Contact Zwiegnet for professional Linux server hardening, security audits, and compliance assistance.