- Initial System Setup
- BIOS/UEFI Security
- User Account Management
- Hardware Security
- Network Security
- Security Auditing
- Advanced Hardening
- Warnings
- Contributing
- License
## Initial System Setup

Security begins with the initial installation. Nearly every Linux distribution offers the option to choose a minimal setup during installation.

Disable all unnecessary services to reduce the attack surface. You can check running services immediately after installation or periodically using:

```bash
sudo netstat -tulpen
```

This command displays all listening ports and their associated processes, helping you identify unwanted services.
- Choose minimal installation when available
- Regularly audit running services
- Remove unnecessary packages and dependencies
- Keep the system updated
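The `netstat -tulpen` listing mixes loopback-only services with services reachable from the network; the latter are the ones that actually enlarge the attack surface. The script below is an added example (not part of the guide) that filters that output down to listeners bound to non-loopback addresses. The netstat sample is constructed so the script runs offline; on a real system pass `"$(sudo netstat -tulpen)"` instead.

```shell
#!/bin/sh
# Added example (not part of the guide): filter `netstat -tulpen` output so that
# only sockets reachable from the network are shown, i.e. listeners that are
# not bound to the loopback address. Loopback-only services (127.x / ::1) are
# not reachable from other hosts, so they are usually not the first to remove.

# Constructed sample of `sudo netstat -tulpen` output, so the script runs offline.
# On a real system use: exposed_services "$(sudo netstat -tulpen)"
# (`ss -tulpen` prints similar data, but its columns differ).
SAMPLE_NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       User       Inode      PID/Program name
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN      0          12345      1234/cupsd
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      0          12346      999/sshd
tcp6       0      0 ::1:631                 :::*                    LISTEN      0          12345      1234/cupsd
udp        0      0 0.0.0.0:68              0.0.0.0:*                           0          12347      800/dhclient'

# exposed_services "<netstat -tulpen output>"
# Prints "proto local-address pid/program" for every listener whose local
# address is not loopback. Column 4 is the local address for both tcp and udp
# rows; the program name is always the last column, so the State column that
# udp rows lack does not shift the result.
exposed_services() {
    printf '%s\n' "$1" | awk '
        $1 ~ /^(tcp|udp)/ && $4 !~ /^(127\.|::1:)/ { print $1, $4, $NF }
    '
}

exposed_services "$SAMPLE_NETSTAT"
```

On the sample this prints only `sshd` on port 22 and `dhclient` on port 68; the CUPS listeners on 127.0.0.1 and ::1 are dropped because they are reachable only locally.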
## BIOS/UEFI Security

Consider replacing the current proprietary BIOS with Coreboot for enhanced security:
- Website: https://www.coreboot.org/
- Benefits: Potentially more secure than proprietary BIOS options due to reduced attack surface
- Limitation: Not all hardware is compatible with Coreboot
Note: Research hardware compatibility thoroughly before attempting Coreboot installation.
## User Account Management

Reduce local user accounts with shell access to the absolute minimum required for system operation.

```bash
# Option 1: Set nologin shell
sudo usermod -s /usr/sbin/nologin username

# Option 2: Set false shell
sudo usermod -s /bin/false username
```

Configure access restrictions using the access.conf file:

```bash
sudo nano /etc/security/access.conf
```

This provides granular control over user access patterns and login restrictions.
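Before changing shells it helps to know which accounts still have one, and the access.conf step is easier to get right when the rules are generated rather than typed. The script below is an added example (not part of the guide): `interactive_accounts` lists the accounts whose shell is neither `nologin` nor `false`, and `access_conf_rules` prints pam_access rules that allow root and one administrative group and deny everyone else. The `/etc/passwd` sample and the group name `admins` are constructed assumptions.

```shell
#!/bin/sh
# Added example (not part of the guide): list the accounts that still have an
# interactive shell, and generate the access.conf rules that restrict logins to
# one administrative group. Both functions work on text passed in, so they run
# offline.

# Constructed /etc/passwd sample. On a real system: interactive_accounts "$(cat /etc/passwd)"
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
svc:x:1001:1001:Service account:/srv/svc:/bin/false'

# interactive_accounts "<passwd contents>"
# Prints one user name per line for every account whose shell (field 7) is
# neither nologin nor false; these are the accounts the guide says to minimise.
interactive_accounts() {
    printf '%s\n' "$1" | awk -F: '$7 !~ /\/(nologin|false)$/ { print $1 }'
}

# access_conf_rules <group>
# Prints pam_access rules (permission : users/groups : origins) that allow root
# and members of <group> from anywhere and deny everyone else. pam_access uses
# the first matching line, and group names are written in parentheses. The
# group "admins" is an assumption. Append the output to
# /etc/security/access.conf only after confirming that pam_access is enabled in
# the PAM stack and that your own account is in the group; otherwise the final
# deny rule locks you out.
access_conf_rules() {
    group="$1"
    printf '%s\n' '+ : root : ALL'
    printf '+ : (%s) : ALL\n' "$group"
    printf '%s\n' '- : ALL : ALL'
}

interactive_accounts "$SAMPLE_PASSWD"
access_conf_rules admins
```

On the sample only `root` and `alice` are reported; `daemon`, `backup` and `svc` already have non-interactive shells.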
## Hardware Security

List the available audio input sources:

```bash
pactl list short sources
```

Identify the ID or name of the microphone you want to disable, then:

```bash
pactl set-source-mute [ID or Name] 1
```

Physical Security Note: In some cases, physical disconnection of the microphone may be the only reliable method to ensure complete deactivation.

Reference: NSA Plans to Infect Millions of Computers with Malware
The exact module depends on your hardware. For most webcams, the uvcvideo module is responsible:

```bash
sudo modprobe -r uvcvideo
```

Note: This change is temporary and will revert after reboot. For permanent deactivation, add the module to the blacklist.
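The blacklist step above is easy to get only half right: a `blacklist` line stops the module from being loaded automatically by alias, but an explicit `modprobe` or a dependency still loads it. The script below is an added example (not part of the guide) that generates a modprobe.d fragment covering both cases and checks `lsmod` output for the module. The lsmod sample is constructed; writing the fragment into `/etc/modprobe.d/` is left to the reader.

```shell
#!/bin/sh
# Added example (not part of the guide): generate the modprobe configuration
# that keeps a kernel module from loading across reboots, and check whether it
# is currently loaded.

# blacklist_conf <module>...
# Prints a modprobe.d fragment. "blacklist" only stops automatic loading by
# alias; the "install ... /bin/false" line also makes explicit modprobe
# requests (including those made for dependencies) fail, which is what
# permanent deactivation needs.
blacklist_conf() {
    for mod in "$@"; do
        printf '# hardening: keep %s from loading\n' "$mod"
        printf 'blacklist %s\n' "$mod"
        printf 'install %s /bin/false\n' "$mod"
    done
}

# module_loaded <module> "<lsmod output>"
# Returns 0 when the module appears in the first column of lsmod output
# (the header line is skipped). Real usage: module_loaded uvcvideo "$(lsmod)"
module_loaded() {
    printf '%s\n' "$2" | awk -v m="$1" 'NR > 1 && $1 == m { found = 1 } END { exit !found }'
}

# Constructed lsmod sample so the check runs offline.
SAMPLE_LSMOD='Module                  Size  Used by
uvcvideo              114688  0
videobuf2_vmalloc      20480  1 uvcvideo
btusb                  61440  0'

blacklist_conf uvcvideo
if module_loaded uvcvideo "$SAMPLE_LSMOD"; then
    echo "uvcvideo is loaded: run 'sudo modprobe -r uvcvideo' for the current session"
fi
```

The fragment only takes effect on the next module load, so the `modprobe -r` from the guide is still needed for the running session.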
Disable Bluetooth:

```bash
sudo rfkill block bluetooth
```

## Network Security

A firewall provides an additional security layer and serves as an important basic configuration measure.
```bash
#!/bin/sh
# iptables Firewall Script
echo "Loading Firewall ..."

##################
# iptables
##################
IPTABLES="/sbin/iptables"

##################
# Purge/Flush
##################
# Delete all rules
$IPTABLES -F
$IPTABLES -t nat -F
$IPTABLES -t mangle -F

# Delete all rule chains
$IPTABLES -X
$IPTABLES -t nat -X
$IPTABLES -t mangle -X

##################
# Rules
##################
# IPv4 Default policies
$IPTABLES -P INPUT DROP
$IPTABLES -P FORWARD DROP
$IPTABLES -P OUTPUT ACCEPT

# Allow loopback interface traffic
$IPTABLES -A INPUT -i lo -j ACCEPT
$IPTABLES -A OUTPUT -o lo -j ACCEPT

# Allow ICMP response packets
$IPTABLES -A INPUT -p icmp -m icmp --icmp-type echo-reply -j ACCEPT
$IPTABLES -A INPUT -p icmp -m icmp --icmp-type echo-request -j ACCEPT
$IPTABLES -A INPUT -p icmp -m icmp --icmp-type destination-unreachable -j ACCEPT

# Accept all packets for existing TCP connections
$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Properly reject all other packets
$IPTABLES -A INPUT -p tcp -j REJECT --reject-with tcp-reset
$IPTABLES -A INPUT -j REJECT --reject-with icmp-port-unreachable

echo "................ done!"
```

This script configures the iptables firewall to:

- Block all incoming and forwarded connections by default
- Allow outgoing connections
- Permit specific incoming traffic:
  - Loopback interface traffic
  - Specific ICMP traffic types
  - Responses to existing connections
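The script sets IPv4 policies only; `ip6tables` keeps whatever default it had, which on most distributions is ACCEPT, so an IPv6-capable host stays open to inbound IPv6 traffic. The script below is an added example (not part of the guide) that reads `iptables -S` / `ip6tables -S` output and confirms the three default policies the script is meant to set. The two rule listings are constructed samples; on a real host pass `"$(sudo iptables -S)"` and `"$(sudo ip6tables -S)"`.

```shell
#!/bin/sh
# Added example (not part of the guide): verify that the default chain
# policies the firewall script sets are actually in place, by reading the
# output of `iptables -S` (and `ip6tables -S`, which the script does not touch).
# The samples below are constructed so the check runs offline; on a real host:
#   check_policies "$(sudo iptables -S)"
#   check_policies "$(sudo ip6tables -S)"

# check_policies "<iptables -S output>"
# Returns 0 when INPUT and FORWARD default to DROP and OUTPUT to ACCEPT;
# otherwise names each chain that deviates and returns 1.
check_policies() {
    rules="$1"
    status=0
    for want in "INPUT DROP" "FORWARD DROP" "OUTPUT ACCEPT"; do
        chain=${want%% *}
        policy=${want##* }
        # "-P <chain> <policy>" lines carry the default policy
        got=$(printf '%s\n' "$rules" | awk -v c="$chain" '$1 == "-P" && $2 == c { print $3 }')
        if [ "$got" != "$policy" ]; then
            echo "chain $chain: expected policy $policy, found ${got:-none}"
            status=1
        fi
    done
    return $status
}

# What `iptables -S` shows after the firewall script has run (constructed).
IPV4_SAMPLE='-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -j REJECT --reject-with tcp-reset'

# What `ip6tables -S` typically shows on a fresh install, because the script
# only configures IPv4 (constructed).
IPV6_SAMPLE='-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT'

check_policies "$IPV4_SAMPLE" && echo "IPv4: default policies as intended"
check_policies "$IPV6_SAMPLE" || echo "IPv6: still open; apply equivalent ip6tables rules or disable IPv6"
```

The IPv6 sample fails on INPUT and FORWARD, which is the gap to close with an equivalent `ip6tables` rule set (remembering that ICMPv6 neighbour discovery must stay allowed for IPv6 to work at all).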
GUFW provides a graphical frontend for easier firewall management.

```bash
sudo apt install gufw
```

## Security Auditing

Lynis is an open-source tool that assists in analyzing and improving system security.
- Website: https://cisofy.com/lynis/
- Purpose: System analysis, package inventory, and configuration assessment
- Benefits: Identifies security weaknesses and provides recommendations
- System information gathering
- Installed package analysis
- Configuration file examination
- Security recommendations and scoring
## Advanced Hardening

Additional measures such as kernel modifications with grsecurity/PaX can further improve security:

- Enhanced Protection: Provides additional kernel-level security features
- Implementation Complexity: Requires more effort and expertise
- Maintenance Overhead: May complicate system updates and maintenance
- Availability: grsecurity patches have not been published freely since 2017 and are distributed only to paying customers, so verify that you can actually obtain and keep updating them before planning around them
## Warnings

- Backup Systems: Always create full system backups before implementing hardening measures
- Test Environment: Test all configurations in a non-production environment first
- Service Dependencies: Disabling services may break application functionality
- Hardware Compatibility: Verify hardware compatibility before BIOS/firmware modifications
- Physical Access: Physical security measures are essential - software hardening cannot protect against physical attacks
- Regular Updates: Keep all security tools and system components updated
- Professional Consultation: Consider consulting security professionals for critical systems
## Contributing

We welcome contributions to improve this hardening guide:
- Fork the repository
- Create a feature branch
- Test your changes thoroughly
- Submit a pull request with detailed descriptions
- Follow security best practices in your contributions
- Verify all commands and configurations
- Include relevant security references
- Test on multiple distributions when possible
- Maintain clear, concise documentation
## License

This Linux System Hardening Guide is released under the MIT License.
- Permission: Free to use, modify, and distribute
- Condition: Include original copyright notice
- Limitation: No warranty provided
For the complete license text, see the LICENSE file in the repository root.