The Practical Linux Hardening Guide

"Did you know all your doors were locked?" - Riddick (The Chronicles of Riddick)

_{Created by trimstray and contributors}

I'm back, work in progress...

---

Table Of Contents

• Contributing
• Other hardening guides
• Pre install tasks
  • Physical system security
    • Introduction
    • Secure rooms
    • Monitoring
    • Air conditioning
    • Fire protection
    • Locked racks
    • Console security
    • BIOS protection
    • Summary checklist
  • Hard disk encryption
    • Introduction
    • Encrypt root filesystem
    • Encrypt /boot partition
    • Swap partition
    • Summary checklist
• Post install tasks
  • Bootloader configuration (grub)
    • Introduction
    • Protect bootloader with password
    • Protect bootloader config files
    • Summary checklist
  • Disk partitions
    • Introduction
    • Separate disk partitions
    • Mount options: nodev, noexec and nosuid
    • Secure /boot directory
    • Secure /tmp and /var/tmp
    • Secure /dev/shm
    • Secure /proc filesystem
    • Swap partition
    • Disk quotas
    • Summary checklist
  • Keep system updated
  • Package management
    • Automatic security updates
    • Remove packages with known issues
  • Netfilter ruleset
  • TCP wrapper
  • Users and groups
    • Limit su access
    • Disable root account
    • Logins to system console
    • Disable shell accounts
    • Strong password policy
    • Password aging
    • Previous passwords
    • Login failures
    • Protect single user mode
  • System path permissions
    • World writable files
  • PAM module
  • Limits
  • Shadow passwords
  • Linux kernel hardening
    • Kernel parameters
      • Network security
      • System security
  • Remove unused modules
  • Secure shared memory
  • IRQ balance
  • Disable compilers
  • Email notifications
    • Rebooting the system
  • Backups
  • External devices
    • Disable USB usage
• Tools
  • Logging and Auditing
    • Auditd
    • Tiger
    • Aide
    • Logwatch
  • Other
    • Fail2ban
    • PSAD
    • SELinux
    • Entropy daemon
    • Centralized authentication service
  • Testing tools
    • Lynis
    • Chrootkit
• Services
  • Disable all unnecessary services
    • Common unix print system
    • Summary checklist
  • System services
    • OpenSSH
    • NTP
    • Cron
    • Anacron
    • GnuPG 2
      • Unattended key generation
  • DNS services
    • Bind9
  • Mail services
    • Postfix
  • Web services
    • Nginx
      • Files and directories permissions
      • Use HTTPS
      • Enable HTTP2
      • Separate domains
      • Redirect all unencrypted traffic to HTTPS
      • Enable HTTP Strict Transport Security
      • Diffie Hellman Ephemeral Parameter
      • Security related headers
    • Apache
  • Databases
    • PostgreSQL
    • MySQL
    • Redis
  • Queues
    • AMQP
• Deployment
• Testing configuration
• External resources

Contributing

If you find something which doesn't make sense, or one of these doesn't seem right, or something seems really stupid; please make a pull request or please add valid and well-reasoned opinions about your changes or comments.

Before add pull request please see this.

Other hardening guides

Distribution	Comment
STIGs Master List
Arch Linux
CentOS Linux
Debian GNU/Linux	old guide
Fedora Linux	old guide
Red Hat Enterprise
Slackware Linux	limited
Ubuntu Linux	limited