Securing Linux Operating System – Bare minimum checklist

Author: Ranabir Kundu

Below is a bare minimum checklist for hardening a Linux system.

Network Configuration :


  • Zeroconf: on by default. Used by avahi for local service discovery. Disable this service: edit /etc/sysconfig/network and add NOZEROCONF=yes. Then remove the avahi package and its dependencies.
  • /etc/sysctl.conf settings :
  1. Don’t reply to broadcasts. Prevents joining a smurf attack. net.ipv4.icmp_echo_ignore_broadcasts = 1
  2. Enable protection for bad icmp error messages. net.ipv4.icmp_ignore_bogus_error_responses = 1
  3. Enable syncookies for SYN flood attack protection. net.ipv4.tcp_syncookies = 1
  4. Log spoofed, source-routed, and redirected packets. net.ipv4.conf.all.log_martians = 1 net.ipv4.conf.default.log_martians = 1
  5. Don’t allow source routed packets. net.ipv4.conf.all.accept_source_route = 0 net.ipv4.conf.default.accept_source_route = 0
  6. Turn on reverse path filtering. net.ipv4.conf.all.rp_filter = 1 net.ipv4.conf.default.rp_filter = 1
  7. Don’t allow outsiders to alter the routing tables. net.ipv4.conf.all.accept_redirects = 0 net.ipv4.conf.default.accept_redirects = 0 net.ipv4.conf.all.secure_redirects = 0 net.ipv4.conf.default.secure_redirects = 0
  8. Don’t pass traffic between networks or act as a router. net.ipv4.ip_forward = 0 net.ipv4.conf.all.send_redirects = 0 net.ipv4.conf.default.send_redirects = 0
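
The settings above can be checked mechanically. The script below is an added example, not part of the original checklist: it audits a sysctl.conf-style file against the values listed above. The function names effective_value and audit_sysctl are hypothetical.

```shell
# Added example: audit a sysctl.conf-style file against the checklist values.
# Required settings, copied from the checklist above (key=value, one per line).
REQUIRED='net.ipv4.icmp_echo_ignore_broadcasts=1
net.ipv4.icmp_ignore_bogus_error_responses=1
net.ipv4.tcp_syncookies=1
net.ipv4.conf.all.log_martians=1
net.ipv4.conf.default.log_martians=1
net.ipv4.conf.all.accept_source_route=0
net.ipv4.conf.default.accept_source_route=0
net.ipv4.conf.all.rp_filter=1
net.ipv4.conf.default.rp_filter=1
net.ipv4.conf.all.accept_redirects=0
net.ipv4.conf.default.accept_redirects=0
net.ipv4.conf.all.secure_redirects=0
net.ipv4.conf.default.secure_redirects=0
net.ipv4.ip_forward=0
net.ipv4.conf.all.send_redirects=0
net.ipv4.conf.default.send_redirects=0'

# effective_value FILE KEY: print the last uncommented assignment of KEY.
# Entries are applied in file order, so a later line overrides an earlier one.
effective_value() {
    awk -F= -v key="$2" '
        /^[ \t]*[#;]/ { next }              # skip comment lines
        { k = $1; v = $2; gsub(/[ \t]/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
          if (k == key) { val = v; found = 1 } }
        END { if (found) print val }' "$1"
}

# audit_sysctl FILE: print one line per finding; exit status 0 only if clean.
audit_sysctl() {
    findings=0
    for pair in $REQUIRED; do
        key=${pair%%=*}; want=${pair#*=}
        have=$(effective_value "$1" "$key")
        if [ -z "$have" ]; then
            echo "MISSING  $key (want $want)"; findings=$((findings + 1))
        elif [ "$have" != "$want" ]; then
            echo "MISMATCH $key = $have (want $want)"; findings=$((findings + 1))
        fi
    done
    [ "$findings" -eq 0 ]
}
```

Call it as audit_sysctl /etc/sysctl.conf. The file only describes the intended state; the running kernel's value for a key can be read with sysctl -n and may differ until the file is reloaded with sysctl -p.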

XINETD configuration

  • Disable any services, applications and/or user accounts that are not being used
  • Limit connections to services running on the host to authorized users

Unused Daemon Removal

  • Remove all daemons / packages not being used

  1. Viewing: chkconfig --list
  2. Disabling: chkconfig <service> off
  • System Time
  1. Keep system time in sync
  2. If required, create a cron job to sync with a local NTP server

Configuration examples for some daemons:

  • At and Cron

  1. Only allow root and people with a verified need to run cron jobs
  2. Set up cron.allow and cron.deny
  • SSHD

  1. Enable only ssh2 protocol (this is default in RHEL5)
  2. Do not allow root logins
  • BIND

  1. Use chroot package
  2. Use ACLs
  3. Do not allow zone transfers
  • Init

  1. Disable interactive boot by editing /etc/sysconfig/init: set PROMPT=no
  2. Add a password to single-user mode. Add the following: ~~:S:wait:/sbin/sulogin

Access Control :

  • Do not allow root login over SSH or gdm

  • Check the desired settings for:

  1. pam_tally2
  2. pam_access
  3. pam_time
  4. pam_limits
  5. pam_loginuid

Secure PHYSICAL machine :

  • Disable booting from anything except the hard drive

  • Disable any unused hardware

  • Set a BIOS/firmware password

  • Set a GRUB boot loader password

  • Install antivirus (depending on the criteria). If installed, schedule daily updates.

Apart from all of the above, from an OS hardening perspective, anyone who wishes to install and configure Bastille is most welcome to do so.

About the Author

Ranabir works for an MNC in India as a Senior Information Security Consultant. He has successfully carried out countless assignments on vulnerability assessment, penetration testing and web application security in multiple MNCs throughout India, along with major contributions in threat modeling and PCI DSS compliance for various banking sector firms, financial institutions, government organizations, software development companies, leading BPOs and various small, mid-size and large industries.