Linux security and system hardening checklist

OpenSUSE gives the choice of SELinux or AppArmor during the installation process. You should stick to the default for each variant (AppArmor for Tumbleweed and SELinux for MicroOS). Most desktop Linux distributions including Fedora, openSUSE, Ubuntu, and so on come with NetworkManager by default to configure Ethernet and Wi-Fi settings. Depending on your distribution, encrypted swap may be automatically set up if you choose to encrypt your drive. Fedora uses ZRAM by default, regardless of whether you enable drive encryption or not. Of course, there can be several other ways you can secure SSH and your Linux server.

linux hardening and security

This includes expanding the role that identity and access management plays in reducing cyber security risk. An identity-first approach to security shifts the focus from network security linux hardening and security lessons and other traditional controls to identity and access management (IAM). It makes IAM a key contributor to organisations’ cyber security outcomes, and therefore to business outcomes.

Remove KDE/GNOME Desktops

Testing verifies that backups contain the right (and most current) files and can be recovered easily in the event of data loss. If you’ve recently completed a manual backup, use the “lastbackup” command https://remotemode.net/ to find details. Likewise, the “scan” command will help you verify that files are properly backed up. Open ports may reveal network architecture information while extending attack surfaces.

  • The initramfs is often left unverified, unencrypted, and open up the window for an evil maid attack.
  • The software for the system is typically selected during the installation phase.
  • For package installation, use one of the commands based on your Linux distribution (e.g., apt-get, yum, rpm, zypper).
  • This is even more important for changes made to systems that are in production.
  • It requires serious effort to improve Linux security and apply system hardening measures correctly.
  • To try and minimize the risks from the use of quantum computing, cryptographers have worked on post-quantum cryptography (PQC).

To try and minimize the risks from the use of quantum computing, cryptographers have worked on post-quantum cryptography (PQC). Beyond the use of proxy services, we have seen attackers utilize certain local fixed-line ISPs, potentially exposing their geographical locations. Threat actors seemingly direct their focus toward a wide range of individuals holding diverse titles across different organizations, impacting hundreds of users globally. The affected user base encompasses a wide spectrum of positions, with frequent targets including Sales Directors, Account Managers, and Finance Managers. Individuals holding executive positions such as “Vice President, Operations”, “Chief Financial Officer & Treasurer” and “President & CEO” were also among those targeted. Along with the message broker, you can optionally execute several additional “components”, such as Camel and/or the Web console.

Change default SSH ports

There are no ’10 things’ that are the best, as it depends strongly on each system and its purpose. When you come across other checklists with a number in the title, then most likely it’s not a real checklist. Like hardening and securing an operating system, a good checklist requires dedication and a lot of work.

Furthermore, strict enforcement of IOMMU TLB invalidation should be applied so devices will never be able to access stale data contents. Simultaneous multithreading (SMT) has been the cause of numerous hardware‑level vulnerabilities and is thus disabled here. If the option is available, you should disable SMT/“Hyper‑Threading” in your firmware as well. If you are using Flatpak packages, you can set an override to block network access. Some distributions like Debian do not have fwupd installed by default, so you should check for its existence on your system and install it if needed. Debian does not ship microcode updates by default, so be sure to enable the non-free repository and install the microcode package.

Adding new security measures

Secure web servers by updating server software, configuring SSL/TLS for encrypted connections, implementing strong authentication methods, and regularly scanning for vulnerabilities. 2FA adds an extra layer of security by requiring two forms of identification before granting access. In Linux, it can be implemented using tools like Google Authenticator or Duo Security.