The Practical Linux Hardening Guide
"Did you know all your doors were locked?" - Riddick (The Chronicles of Riddick)

Created by trimstray and contributors

:collision: Work in progress, just a moment... First, I am updating the [Table Of Content](#table-of-content).

## Table Of Content

- [Checklist - document the host information](#checklist-document-the-host-information)
- [Pre install tasks](#pre-install-tasks)
  * [Physical system security](#physical-system-security)
    + [BIOS protection](#bios-protection)
  * [Partitioning scheme](#partitioning-scheme)
  * [Hard disk encryption](#hard-disk-encryption)
  * [Bootloader configuration](#bootloader-configuration)
- [Post install tasks](#post-install-tasks)
  * [Disk partitions](#disk-partitions)
    + [Lock the boot directory](#lock-the-boot-directory)
    + [Secure /tmp and /var/tmp](#secure-tmp-and-var-tmp)
    + [Disk quotas](#disk-quotas)
  * [Keep system updated](#keep-system-updated)
  * [Package management](#package-management)
    + [Remove packages with known issues](#remove-packages-with-known-issues)
  * [Netfilter ruleset](#netfilter-ruleset)
  * [TCP wrapper](#tcp-wrapper)
  * [Users and groups](#users-and-groups)
    + [Limit su access](#limit-su-access)
    + [Disable root account](#disable-root-account)
    + [Logins to system console](#logins-to-system-console)
    + [Disable shell accounts](#disable-shell-accounts)
    + [Strong password policy](#strong-password-policy)
    + [Password aging](#password-aging)
    + [Previous passwords](#previous-passwords)
    + [Login failures](#login-failures)
  * [System path permissions](#system-path-permissions)
    + [World writable files](#world-writable-files)
  * [PAM module](#pam-module)
  * [Limits](#limits)
  * [Shadow passwords](#shadow-passwords)
  * [Linux kernel hardening](#linux-kernel-hardening)
  * [Kernel parameters](#kernel-parameters)
    + [Improve network security](#improve-network-security)
    + [Improve system security](#improve-system-security)
  * [Remove unused modules](#remove-unused-modules)
  * [Secure shared memory](#secure-shared-memory)
  * [IRQ balance](#irq-balance)
  * [Disable compilers](#disable-compilers)
  * [Email notifications](#email-notifications)
  * [Backups](#backups)
  * [External devices](#external-devices)
    + [Disable USB usage](#disable-usb-usage)
- [Tools](#tools)
  * [Logging and Auditing](#logging-and-auditing)
    + [Auditd](#auditd)
    + [Tiger](#tiger)
    + [Aide](#aide)
    + [Logwatch](#logwatch)
  * [Other](#other)
    + [Fail2ban](#fail2ban)
    + [PSAD](#psad)
    + [SELinux](#selinux)
    + [Entropy daemon](#entropy-daemon)
    + [Centralized authentication service](#centralized-authentication-service)
  * [Testing tools](#testing-tools)
    + [Lynis](#lynis)
    + [Chrootkit](#chrootkit)
- [Hardening Services](#hardening-services)
  * [Disable all unnecessary](#disable-all-unnecessary)
  * [System services](#system-services)
    + [OpenSSH](#openssh)
    + [NTP](#ntp)
    + [Cron](#cron)
    + [Anacron](#anacron)
    + [GnuPG 2](#gnupg2)
    + [Unattended key generation](#unattended-key-generation)
  * [DNS services](#dns-services)
    + [Bind9](#bind9)
  * [Mail services](#mail-services)
    + [Postfix](#postfix)
  * [Web services](#web-services)
    + [Nginx](#nginx)
    + [Apache](#apache)
    + [Securing and tuning HTTP/HTTPS protocols](#securing-and-tuning-http-https-protocols)
      - [Use HTTPS](#use-https)
      - [Enable HTTP2](#enable-http2)
      - [Separate domains](#separate-domains)
      - [Redirect all unencrypted traffic to HTTPS](#redirect-all-unencrypted-traffic-to-https)
      - [Enable HTTP Strict Transport Security](#enable-http-strict-transport-security)
      - [Security related headers](#security-related-headers)
  * [Databases](#databases)
    + [PostgreSQL](#postgresql)
    + [MySQL](#mysql)
    + [Redis](#redis)
  * [Queues](#queues)
    + [AMQP](#amqp)
- [Deployment](#deployment)
- [Testing configuration](#testing-configuration)
- [External resources](#external-resources)