
Useful Linux Security Tricks to Harden Your System

In the previous post, we talked about Linux network commands and saw some useful examples of troubleshooting your network. Today we will talk about some Linux security commands that you will need to harden your system.

At the beginning, we need to ask a question: is Linux 100% secure, or at least secure enough? The answer is no. The danger posed by unskilled attackers has also increased these days: new vulnerabilities are discovered daily, sometimes hourly.

Exploits are rapidly built on these vulnerabilities within a few hours of their discovery. Some vulnerabilities are not even discovered until someone uses them to compromise a host.

Security is the main concern for all of us, so we will see some practical examples of how to harden your system.

No single post on Linux security, or even a book, will ever answer all the security questions or address all the possible threats, so what we cover in this post is not everything. If people like the post, I'm going to write more posts about Linux security tricks.


Securing the Console

You can limit where root can log on by restricting it to a specific set of terminals. To do this, edit the contents of the /etc/securetty file.

All devices you want to allow root to log in from should be listed in the file.

It is recommended to allow root login only on one terminal, to force all other logins to be non-root users, and, if required, to use su to gain root privileges.

Password Aging

Password aging lets you specify the period of time for which a password is valid. After that period has expired, the user is forced to enter a new password. This has the benefit of ensuring that passwords are changed regularly, and that a password that has been stolen, cracked or learned by somebody else is only useful for a limited time.

There are two ways to achieve that. The first way is from the command line, using the chage command like this:

$ chage -M 20 likegeeks

We use the -M option to set the password expiry period for the user likegeeks to 20 days.

You can type chage without options and it will prompt you about your choices.

$ chage likegeeks

The second way is to set defaults for all users in the /etc/login.defs file, through the PASS_MAX_DAYS, PASS_MIN_DAYS and PASS_WARN_AGE settings.

You can change these values according to your needs.
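As an added example (not from the original post), a small shell audit that reads /etc/shadow-format records and reports accounts whose password aging is weaker than a chosen limit, the policy you set with chage -M or PASS_MAX_DAYS. The records, the hash placeholders and the day numbers are constructed; it assumes POSIX awk.

```shell
# Fields of a shadow record: name:hash:lastchange:min:max:warn:inactive:expire:reserved,
# where lastchange is counted in days since 1970-01-01.

# shadow_audit FILE MAXDAYS TODAY -> one "user STATUS detail" line per account needing attention
shadow_audit() {
    awk -F: -v limit="$2" -v today="$3" '
        {
            user = $1; hash = $2; last = $3; max = $5
            if (hash == "") { print user " NO-PASSWORD"; next }   # empty field: login without a password
            if (hash ~ /^[!*]/) next                               # locked or system account, not a login
            if (max == "" || max >= 99999)
                print user " NEVER-EXPIRES max=" (max == "" ? "unset" : max)
            else if (max > limit)
                print user " TOO-LONG max=" max " limit=" limit
            else if (last == "" || last == 0)
                print user " CHANGE-REQUIRED"                      # forced change at next login
            else if (last + max <= today)
                print user " EXPIRED " (today - last - max) " days ago"
        }' "$1"
}

# make_sample_shadow FILE -> constructed records; the hashes are placeholders, not real ones
make_sample_shadow() {
    cat > "$1" <<'EOF'
root:$6$placeholder$hash:17300:0:99999:7:::
likegeeks:$6$placeholder$hash:17400:0:20:7:::
deploy:$6$placeholder$hash:17410:0:90:7:::
guest::17400:0:20:7:::
bin:*:17000:0:99999:7:::
svc:!!:17000:0:99999:7:::
EOF
}
```

Run it against the real file as root, e.g. `shadow_audit /etc/shadow 90 $(( $(date +%s) / 86400 ))`, to get the same report for your system.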

Keep in mind that you should force users to use strong passwords, using pam_cracklib.

Once you've installed it you can go to /etc/pam.d/system-auth and type something like this:

password required pam_cracklib.so minlen=8 lcredit=-1 ucredit=-1 dcredit=-2 ocredit=-1

sudo Notification

The sudo command makes life easier, but it can also lead to Linux security issues that can ruin your life.

We know that the sudo command enables non-root users to run commands as if they were root; you can check all sudo configurations in the /etc/sudoers file.

You can prevent users from running the commands you choose as root.

You can configure sudo to send an e-mail when the sudo command is used by adding the following line to the file (replace the address with your own):

Defaults mailto="<admin e-mail address>"

And then tell sudo to send that e-mail on every use:

Defaults mail_always

Tuning SSH

If we talk about Linux security we must talk about the SSH service. SSH is vital to your system: it lets you connect to it easily, and sometimes it is the only way to keep your system alive when things go bad, so tuning SSH is very important.

Since we use CentOS 7 in our posts, the SSH configuration file is in:

/etc/ssh/sshd_config

Let's take a deep look into it.

The scanners and bots that attackers use try to connect to SSH on port 22, which is the default.

It is common to change your SSH port to another unused port, let's say 5555 or whatever.

Port 5555

You can also restrict the root login by updating the value of PermitRootLogin to no.

PermitRootLogin no

And surely disable tunneled clear-text passwords and use public/private key login instead.

Another tweak may not prevent an attack, but by requiring SSH to look up the remote hostname through forward and reverse DNS it will generate the appropriate warnings in the system log files. To do this, simply enable the UseDNS option.

UseDNS yes

Additionally, a difficulty may come from the use of GSSAPI authentication. It is rarely needed, as it is an SSH feature that is only called upon when a GSSAPI server has to validate the user's credentials. To avoid it, set GSSAPIAuthentication to no.

GSSAPIAuthentication no

Regarding SSH timeouts: this traditional problem can be handled by configuring the correct ServerAliveInterval, ServerAliveCountMax and TCPKeepAlive values.

For example, an interval of 60 means that a keepalive packet is sent every 60 seconds.

By adjusting those values you can keep a connection open longer.

You can make the SSH service just a little bit more secure by specifying the usernames that will be allowed to use SSH.

AllowUsers user1 user2

Or you can do it per group.

AllowGroups group1 group2

Further to this, you can use two-factor authentication for SSH, like Google Authenticator.

$ yum install google-authenticator

Then run it to set up your secret key and verify the installation.

$ google-authenticator

You should have the Google Authenticator application installed on your mobile phone.

And add the following line to /etc/pam.d/sshd:

auth required pam_google_authenticator.so

And the last thing to do is to tell SSH about this by adding the following line to /etc/ssh/sshd_config:

ChallengeResponseAuthentication yes

Now restart your SSH service.

$ systemctl restart sshd

And when you log in using SSH, it will ask for a verification code, so your SSH is protected against brute-force attacks and is more solid now.
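An added check (not part of the original post) that reads an sshd_config and reports which of the settings discussed in this section are missing. It assumes POSIX awk and a config without Match blocks; the sample config it audits is constructed, not a real server's file.

```shell
# sshd takes the FIRST uncommented value of a keyword (later duplicates are
# ignored) and keywords are case-insensitive; the reader below follows both rules.
# sshd_setting FILE KEYWORD -> prints the effective value, nothing if unset
sshd_setting() {
    awk -v key="$2" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        tolower($1) == "match" { exit }          # conditional blocks: stop here
        tolower($1) == tolower(key) && !seen {
            seen = 1; sub(/^[[:space:]]*[^[:space:]]+[[:space:]]+/, ""); val = $0
        }
        END { if (seen) print val }' "$1"
}
# want FILE KEYWORD EXPECTED -> prints a FAIL line and returns 1 on mismatch
want() {
    got=$(sshd_setting "$1" "$2")
    [ "$(printf '%s' "$got" | tr 'A-Z' 'a-z')" = "$3" ] && return 0
    echo "FAIL: $2 is '${got:-<unset>}', want '$3'"; return 1
}
# audit_sshd_config FILE -> prints one FAIL line per deviation, returns their count
audit_sshd_config() {
    f=$1; n=0
    want "$f" PermitRootLogin no                  || n=$((n + 1))
    want "$f" PasswordAuthentication no           || n=$((n + 1))   # no clear-text passwords
    want "$f" UseDNS yes                          || n=$((n + 1))
    want "$f" GSSAPIAuthentication no             || n=$((n + 1))
    want "$f" ChallengeResponseAuthentication yes || n=$((n + 1))   # needed for the PAM OTP step
    port=$(sshd_setting "$f" Port)
    [ -n "$port" ] && [ "$port" != "22" ] \
        || { echo "FAIL: Port is ${port:-22 (default)}"; n=$((n + 1)); }
    [ -n "$(sshd_setting "$f" AllowUsers)$(sshd_setting "$f" AllowGroups)" ] \
        || { echo "FAIL: no AllowUsers/AllowGroups restriction"; n=$((n + 1)); }
    return $n
}
# make_sample_sshd_config FILE -> constructed config with several tweaks still missing
make_sample_sshd_config() {
    cat > "$1" <<'EOF'
Port 22
PermitRootLogin no
PermitRootLogin yes
PasswordAuthentication yes
UseDNS yes
GSSAPIAuthentication yes
ChallengeResponseAuthentication no
#AllowUsers admin
EOF
}
```

On a real host, `audit_sshd_config /etc/ssh/sshd_config` prints the deviations and its exit status is their number, so it drops straight into a cron job or a CI check.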

Intrusion Detection with Tripwire

Tripwire is one of the great tools in Linux security. It's a host-based intrusion detection system (HIDS). It works by collecting configuration and filesystem details and using this information as a reference point between the previous state of a system and its current state, which is achieved by monitoring which files or directories were added or modified recently, who changed them, what changes were made, and when that change happened. So you have an eye on your files.

In order to get Tripwire, you need access to the EPEL repository. You can add it easily:

$ rpm -ivh epel-release-7-9.noarch.rpm

Once you've installed the EPEL repo you can install Tripwire.

$ sudo yum install tripwire

To begin using Tripwire, you will need to create the appropriate local and site keys like this:

$ tripwire-setup-keyfiles

It will prompt you to enter a passphrase for both the site and local key file. Tripwire will advise you to use a combination of uppercase and lowercase letters, digits, and punctuation marks.

Now you can customize Tripwire by making changes to this file:

/etc/tripwire/twpol.txt

This file is very easy to read and modify, since every line has a comment that describes it well.

You can update the Tripwire policy file like this:

$ tripwire --update-policy --secure-mode low /etc/tripwire/twpol.txt

Tripwire will now step through several on-screen phases to apply your changes; when it has finished, you can initialize the Tripwire database like this:

$ tripwire --init

Tripwire will now scan the system; this will take some time, depending on the overall size of the system.

Any change to the filesystem is considered a possible intrusion: the administrator will be notified and will need to restore the affected files from a trusted source. For this reason, any system changes must be validated through Tripwire. You can run a check against your current policy like this:

$ tripwire --check

One last thing about Tripwire: I recommend that you secure both the twpol.txt and twcfg.txt files as another layer of security.

Tripwire has a lot of options and settings; you can check them with man tripwire.
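What Tripwire does at its core, as an added illustration that is not Tripwire's own code: baseline a directory tree, then diff a fresh snapshot against it to list added, removed and modified files. It assumes GNU coreutils (sha256sum, stat -c) and paths without whitespace; the directory tree is constructed inside the demo function.

```shell
# Unlike Tripwire, this baseline is unsigned: keep it off-box or under chattr +i,
# otherwise an intruder can simply rewrite it.

# snapshot DIR -> "path sha256 mode" per regular file, sorted by path
snapshot() {
    ( cd "$1" && find . -type f | LC_ALL=C sort | while IFS= read -r p; do
          printf '%s %s %s\n' "$p" "$(sha256sum "$p" | cut -d' ' -f1)" "$(stat -c %a "$p")"
      done )
}

# baseline DIR FILE -> store the reference snapshot
baseline() { snapshot "$1" > "$2"; }

# integrity_check DIR BASELINE -> prints ADDED/REMOVED/MODIFIED lines; returns 1 if any
integrity_check() {
    cur=$(mktemp); snapshot "$1" > "$cur"
    report=$(awk '
        FILENAME == ARGV[1] { base[$1] = $2 " " $3; next }   # first file: the baseline
        { seen[$1] = 1
          if (!($1 in base))                print "ADDED " $1
          else if (base[$1] != ($2 " " $3)) print "MODIFIED " $1 }
        END { for (p in base) if (!(p in seen)) print "REMOVED " p }
    ' "$2" "$cur" | LC_ALL=C sort)
    rm -f "$cur"
    [ -z "$report" ] && return 0
    printf '%s\n' "$report"; return 1
}

# demo -> build a constructed tree, baseline it, tamper with it, and report
demo() {
    d=$(mktemp -d); b=$(mktemp)
    mkdir -p "$d/etc" "$d/bin"
    printf 'Port 22\n' > "$d/etc/sshd_config"
    printf 'original\n' > "$d/bin/ls"
    baseline "$d" "$b"
    printf 'Port 5555\n' > "$d/etc/sshd_config"   # modified
    rm "$d/bin/ls"                                # removed
    printf 'dropped in\n' > "$d/bin/extra"        # added
    integrity_check "$d" "$b"
}
```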

Using Firewalld

Firewalld is a replacement for iptables and improves the management of Linux security by enabling configuration changes without stopping the current connections.

Firewalld runs as a service that allows for rules to be added and changed immediately and it uses network zones to define a level of trust for any and all associated network connections.

To know if Firewalld is currently running, type this command:

$ firewall-cmd --state

You can list the predefined zones like this:

$ firewall-cmd --get-zones

The default zone can be updated like this:

$ firewall-cmd --set-default-zone=<new-zone-name>

You can obtain all the relevant information about any particular zone like this:

$ firewall-cmd --zone=<zone-name> --list-all

You can list all supported services:

$ firewall-cmd --get-services

Then you can add services to a zone or remove them from it (add --permanent to keep the change across a reload or reboot):

$ firewall-cmd --zone=<zone-name> --add-service=<service-name>

$ firewall-cmd --zone=<zone-name> --remove-service=<service-name>

You can list all ports open in any particular zone:

$ firewall-cmd --zone=<zone-name> --list-ports

You can manage the addition or removal of TCP/UDP ports like this:

$ firewall-cmd --zone=<zone-name> --add-port=<port>/tcp

$ firewall-cmd --zone=<zone-name> --remove-port=<port>/tcp

You can add or remove port forwarding like this:

$ firewall-cmd --zone=<zone-name> --add-forward-port=port=<port>:proto=tcp:toport=<target-port>

$ firewall-cmd --zone=<zone-name> --remove-forward-port=port=<port>:proto=tcp:toport=<target-port>

Firewalld is very comprehensive, and the best thing about it is that you can manage the firewall architecture without ever needing to stop or restart the firewall service, something that cannot be achieved with iptables.

Returning to Iptables

Some people prefer iptables over Firewalld, so if you find yourself in a situation where you do not want to use Firewalld, you can return to iptables easily.

First, stop and disable Firewalld:

$ systemctl stop firewalld

$ systemctl disable firewalld

Then install iptables:

$ yum install iptables-services

Now you can start the iptables service and enable it at boot:

$ systemctl start iptables

$ systemctl enable iptables

And in order for the kernel to account for the new configuration, you have to reboot your system.

Restricting the Compilers

If your system is compromised, there is one thing the attacker is very interested in: the compilers. But why? Because they could download a simple C file (a proof of concept) and compile it on your system to become root in a matter of seconds, or do other serious damage to your system if the compilers are available.

First, you need to query the individual packages to see which binaries they contain. Then you need to restrict the permissions of those binaries.

$ rpm -q --filesbypkg gcc | grep 'bin'

Now we need to create a group that will have access to the compiler binaries.

$ groupadd compilerGroup

Then you can change the ownership of any binary you want to this group.

$ chown root:compilerGroup /usr/bin/gcc

And the last important thing is to change the permissions of this binary so that only the compilers group can use it.

$ chmod 0750 /usr/bin/gcc

Now any user who tries to use gcc will see a permission denied message.

I know that some people might say that the attacker will download a compiler themselves if they find the compilers off; that is another story we can cover in future posts.

Awesome Immutable Files

Immutable files are one of the most powerful Linux security features available on Linux systems. Immutable files cannot be written to by any user, even the root user, regardless of their file permissions. They cannot be removed or renamed, and you can't create a hard link to them.

They are ideal for securing configuration files, or any other files that you want to protect from changes.

To make a file immutable, use the chattr command.

$ chattr +i /myscript

You can remove the immutable attribute like this:

$ chattr -i /myscript

The contents of the /sbin and /usr/lib directories can be made immutable to prevent an attacker from replacing a critical binary or library file with an altered malicious version.

I will leave the rest of the examples about using immutable files to your imagination.

Managing SELinux with aureport

It is common, if you are using hosting control panels, or when a specific application seems to have difficulties running with SELinux enabled, to find SELinux disabled.

Disabling SELinux leaves the system exposed. I agree that SELinux has some complexity, but for those of us who wish to enjoy the security it offers, life can be made simpler by running aureport.

The aureport utility creates column-based reports that show the events recorded in the audit log files. For example, to report the SELinux AVC messages:

$ aureport --avc

You can also use the same utility to create a report of executed files.

$ aureport -x

You can use aureport to generate a full authentication report.

$ aureport -au -i

Or you can list the failed authentication events.

$ aureport -au --summary -i --failed

Or maybe a summary of successful authentication events.

$ aureport -au --summary -i --success

When you are working with a system that runs SELinux, your first port of call as a system administrator is to consider the benefits of aureport when troubleshooting the system.
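As an added example (not from the original post), the same kind of summary that aureport --avc gives you, done with awk directly on audit.log so you can see which fields matter: each denial is grouped by process, permission, object class and target type, so the noisiest policy gap surfaces first. The log lines are constructed samples in the format auditd writes (pids, inodes and the address are made up); it assumes POSIX awk.

```shell
# avc_summary LOG -> "count comm permission tclass target_type", most frequent first
avc_summary() {
    awk '
        $1 == "type=AVC" && /avc:  denied/ {
            # the permission set sits between the braces: "{ read }" or "{ read write }"
            match($0, /\{ [^}]* \}/); perm = substr($0, RSTART + 2, RLENGTH - 4)
            comm = tcls = ttype = "?"
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^comm=/)     { comm = substr($i, 6); gsub(/"/, "", comm) }
                if ($i ~ /^tclass=/)   tcls = substr($i, 8)
                if ($i ~ /^tcontext=/) { split(substr($i, 10), c, ":"); ttype = c[3] }  # user:role:type:level
            }
            n[comm " " perm " " tcls " " ttype]++
        }
        END { for (k in n) print n[k], k }' "$1" | sort -rn
}

# make_sample_audit_log FILE -> constructed records; the USER_AUTH line is non-AVC noise
make_sample_audit_log() {
    cat > "$1" <<'EOF'
type=AVC msg=audit(1501234567.101:201): avc:  denied  { read } for  pid=2101 comm="httpd" name="index.html" dev="sda1" ino=1201 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1501234567.102:202): avc:  denied  { read } for  pid=2101 comm="httpd" name="style.css" dev="sda1" ino=1202 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1501234567.103:203): avc:  denied  { name_connect } for  pid=2101 comm="httpd" dest=3306 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket permissive=0
type=USER_AUTH msg=audit(1501234567.105:205): pid=2160 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=PAM:authentication grantors=? acct="root" exe="/usr/sbin/sshd" hostname=203.0.113.5 addr=203.0.113.5 terminal=ssh res=failed'
EOF
}
```

The two lines it produces for the sample tell you the real story behind "httpd will not run with SELinux": the web content lives under a home directory with the wrong label, and the application also needs the policy boolean that allows connecting to the database port.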

Using sealert Tool

In addition to the aureport tool, you can use a good Linux security tool called sealert. You can install it with this command:

$ yum install setroubleshoot-server

Now we have a tool that will actively return announcements from the log file found at /var/log/audit/audit.log and translate them into something far more "human-friendly".

This tool is called sealert and its goal is to issue reports regarding any issues related to SELinux.

You can use it like this:

$ sealert -a /var/log/audit/audit.log

The best thing about the generated report is that at the end of each alert, if one is found, you will find an explanation of how to resolve the problem.

In this post we've covered just some of the Linux security tricks that could help you harden your system. However, there are a lot more Linux security tricks for the many running services that need hardening.

I hope you found the post useful and interesting.

Thank you.

  • Jouni Järvinen

    SSH's DNS runs delay, and maybe even block, SSH connections when the run takes too long for any reason. That's the main reason I disable it, but I also switch from a pw to a key pair with a very high bit size, which makes SSH intrusion impossible.

    • Key pair login is a very good option.

      • Jouni Järvinen

        Normally the only option.

        • With two-factor authentication life becomes easier.

  • Jared

    NIST has issued new guidelines that discourage frequent password expiration. If someone has to change their password often, they'll choose less secure passwords that follow a predictable pattern.

    • That should be done with password restrictions, so only complicated passwords are accepted.

    • Jouni Järvinen

      Pw changing is impossible for some. It took me 15 years to make my current best pw!

      • No, the system will force you to change it; otherwise you can't log in to the system.
        Also, you will be forced to enter a strong password.

        • Jouni Järvinen

          Inability to produce strong passwords doesn't mean anything…?

          • Sorry, I didn't get your point.

            What do you mean by inability to produce strong passwords?

  • Halim Ben

    I'm glad to be one of your followers.

    • Thanks for the warm feelings.

      Honor to me.