Linux Hardening: Kernel, Filesystem, and Network
Date: 2025-11-24 Tags: Linux, Security, SysAdmin, Hardening Author: Wissam Ztaoui
Introduction
A default Linux installation is designed for compatibility, not security. To survive in a hostile network environment, we must reduce the attack surface. This guide covers advanced hardening techniques for production servers.
1. Kernel Hardening (Sysctl)
Add the following to /etc/sysctl.conf (or, cleaner, to a drop-in such as /etc/sysctl.d/99-hardening.conf). These keys harden the network stack against spoofing and flooding and deny unprivileged users the kernel information and kernel interfaces (dmesg, kernel pointers, the bpf() syscall) that local exploits rely on.
# Disable IP forwarding (unless this host routes, or runs containers/VMs that need it)
net.ipv4.ip_forward = 0
# Ignore ICMP echo requests. Caveat: this also blinds your own monitoring; many teams keep ping reachable and rate-limit it at the firewall instead
net.ipv4.icmp_echo_ignore_all = 1
# SYN cookies keep the listen queue usable during a SYN flood
net.ipv4.tcp_syncookies = 1
# Reject source-routed packets and ICMP redirects (anti-spoofing, no route injection)
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv6.conf.all.accept_source_route = 0
net.ipv6.conf.all.accept_redirects = 0
# Reverse-path filtering: drop packets whose source is not routable back out the arriving interface
# (use 2, loose mode, on multi-homed hosts with asymmetric routing)
net.ipv4.conf.all.rp_filter = 1
# Hide the kernel log and kernel pointers from unprivileged users (denies exploit developers KASLR leaks)
kernel.dmesg_restrict = 1
kernel.kptr_restrict = 2
# Forbid the bpf() syscall for unprivileged users: removes the eBPF verifier and JIT from the
# unprivileged attack surface. 1 cannot be undone until reboot; 2 can be re-enabled by root
kernel.unprivileged_bpf_disabled = 1
# Blind constants in the BPF JIT against JIT spraying, for the programs root still loads
net.core.bpf_jit_harden = 2
Apply with sysctl -p for /etc/sysctl.conf, or sysctl --system to load /etc/sysctl.conf together with every drop-in under /etc/sysctl.d/. The .all. keys affect interfaces that exist now; set the matching .default. keys as well so interfaces created later inherit the same values. Verify with sysctl -n kernel.unprivileged_bpf_disabled, and keep in mind that anything that writes /proc/sys later in boot (a container runtime turning on ip_forward, a tuning script) silently overrides what you set here.
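To catch exactly that kind of drift, a value loaded at boot and later changed by a container runtime, a tuning script or an attacker, here is an added check written for this article rather than taken from it. It compares a sysctl.conf-style policy file against a snapshot of `sysctl -a` output; the policy and snapshot files it builds are constructed samples, and the function and file names are my own.

```shell
#!/bin/sh
# Added example (not from the original article): report drift between the
# sysctl values you intend and the values the kernel is actually running.

# sysctl_expected CONF -> "key value" lines from a sysctl.conf-style file.
# Drops full-line comments (# or ;) and blank lines, accepts "key = value" and
# "key=value", and trims surrounding whitespace.
sysctl_expected() {
    sed -e '/^[[:space:]]*[#;]/d' -e '/^[[:space:]]*$/d' \
        -e 's/^[[:space:]]*//' -e 's/[[:space:]]*=[[:space:]]*/ /' \
        -e 's/[[:space:]]*$//' "$1"
}

# sysctl_actual KEY SNAPSHOT -> the value of KEY in SNAPSHOT, a file in
# `sysctl -a` output format ("key = value"); prints nothing if KEY is absent.
# Matching on "KEY = " keeps net.ipv4.ip_forward from matching ip_forward_use_pmtu.
sysctl_actual() {
    awk -v k="$1 = " 'index($0, k) == 1 { print substr($0, length(k) + 1); exit }' "$2"
}

# check_sysctl_drift CONF SNAPSHOT -> one line per mismatch or missing key;
# returns 1 if anything drifted, 0 if the host matches the policy.
check_sysctl_drift() {
    rc=0
    while read -r key want; do
        have=$(sysctl_actual "$key" "$2")
        if [ "$have" != "$want" ]; then
            printf '%s: want %s, have %s\n' "$key" "$want" "${have:-<missing>}"
            rc=1
        fi
    done <<EOF
$(sysctl_expected "$1")
EOF
    return $rc
}

# Constructed sample inputs (hypothetical policy and snapshot, not real host data).
sysctl_demo_files() {
    d=$(mktemp -d)
    cat > "$d/hardening.conf" <<'EOF'
# hardening policy (constructed sample)
net.ipv4.ip_forward = 0
net.ipv4.tcp_syncookies=1

kernel.dmesg_restrict = 1
kernel.unprivileged_bpf_disabled = 1
EOF
    # snapshot where ip_forward has been flipped back on and the bpf key was never applied
    cat > "$d/snapshot" <<'EOF'
kernel.dmesg_restrict = 1
net.ipv4.ip_forward = 1
net.ipv4.ip_local_port_range = 32768 60999
net.ipv4.tcp_syncookies = 1
EOF
    printf '%s\n' "$d"
}

d=$(sysctl_demo_files)
check_sysctl_drift "$d/hardening.conf" "$d/snapshot" || echo "sysctl drift detected"
rm -rf "$d"
# On a live host:
#   sysctl -a 2>/dev/null > /tmp/sysctl.now
#   check_sysctl_drift /etc/sysctl.d/99-hardening.conf /tmp/sysctl.now
```

Run it from cron or your configuration-management agent and alert on a non-zero exit; the two mismatch lines the sample produces are the two cases that matter in practice, a key that changed under you and a key that was never applied at all.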
2. Filesystem Security
Partitioning
Put /tmp, /var, /var/tmp, /var/log and /home on separate partitions (or LVM volumes) so that a filled or abused directory cannot starve the root filesystem, and so that each can carry its own mount options.
Mount /tmp, /var/tmp and /dev/shm with noexec,nosuid,nodev to stop dropped payloads from running and SUID binaries planted there from working; nodev on /home is cheap too. Two caveats: noexec is a speed bump rather than a boundary (an interpreter can still run a script it reads from /tmp), and some package post-install scripts expect to execute from /tmp, so run a test upgrade with the options in place. Verify with findmnt -o TARGET,OPTIONS /tmp.
Permissions
- UMASK: Set the default umask to 027 in /etc/login.defs (and wherever /etc/profile or the shell rc files override it), so new files are not world-readable.
- SUID/SGID: Audit binaries with the setuid or setgid bit set:
find / -xdev -perm /6000 -type f -exec ls -ld {} \;
Compare the list against a known-good baseline and remove the bit from utilities that don't need it, e.g. chmod u-s on ping if you grant it cap_net_raw with setcap instead (many current distributions already ship ping with file capabilities rather than SUID). Leave sudo, passwd, su and the PAM helpers alone; they need it.
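The two controls above are worth checking continuously, not once. The script below is an added example, not part of the original article: it verifies that a mount point carries the required options (reading /proc/self/mounts format, where a later line shadows an earlier one on the same path) and lists SUID/SGID files that are not on an allowlist, so a binary an attacker planted for persistence stands out from the ones the distribution ships. The directory tree, mounts file and allowlist it builds are constructed samples, and the function names are mine.

```shell
#!/bin/sh
# Added example (not from the original article): audit mount options and
# setuid/setgid binaries against a baseline.

# check_mount_opts MOUNTS MOUNTPOINT OPT...
# MOUNTS is a file in /proc/self/mounts format ("dev mountpoint fstype opts dump pass").
# Reports whether MOUNTPOINT is a separate mount carrying every OPT. The last
# matching line wins, since a later mount shadows an earlier one on the same path.
check_mount_opts() {
    mounts=$1; mp=$2; shift 2
    opts=$(awk -v m="$mp" '$2 == m { o = $4 } END { print o }' "$mounts")
    if [ -z "$opts" ]; then
        printf '%s: not a separate mount\n' "$mp"
        return 1
    fi
    rc=0
    for want in "$@"; do
        case ",$opts," in
            *",$want,"*) ;;
            *) printf '%s: missing %s (mounted with %s)\n' "$mp" "$want" "$opts"; rc=1 ;;
        esac
    done
    return $rc
}

# audit_suid ROOT ALLOWLIST
# Prints setuid/setgid regular files under ROOT (without crossing filesystems)
# whose path relative to ROOT is not a line of ALLOWLIST. Anything printed is
# either an SUID you forgot to strip or one somebody added.
audit_suid() {
    root=${1%/}; allow=$2
    find "${root:-/}" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null | sort |
    while IFS= read -r path; do
        rel=${path#"$root"}
        grep -qxF -- "$rel" "$allow" || printf '%s\n' "$rel"
    done
}

# Constructed sample tree standing in for a root filesystem; the files are empty
# because only their mode bits matter here. Hypothetical paths and names.
fs_demo() {
    base=$(mktemp -d)
    mkdir -p "$base/root/usr/bin" "$base/root/usr/local/bin"
    for f in usr/bin/sudo usr/bin/passwd usr/local/bin/backup-helper; do
        : > "$base/root/$f"; chmod 4755 "$base/root/$f"      # setuid
    done
    : > "$base/root/usr/bin/wall"; chmod 2755 "$base/root/usr/bin/wall"   # setgid
    : > "$base/root/usr/bin/ls";   chmod 0755 "$base/root/usr/bin/ls"     # plain binary
    printf '%s\n' /usr/bin/sudo /usr/bin/passwd /usr/bin/wall > "$base/allow"
    printf '%s\n' \
        '/dev/sda1 / ext4 rw,relatime 0 0' \
        'tmpfs /tmp tmpfs rw,nosuid,nodev,noexec,relatime 0 0' \
        '/dev/sda3 /var ext4 rw,relatime 0 0' > "$base/mounts"
    printf '%s\n' "$base"
}

d=$(fs_demo)
check_mount_opts "$d/mounts" /tmp nosuid nodev noexec || true
check_mount_opts "$d/mounts" /var/tmp nosuid nodev noexec || true   # not its own mount
audit_suid "$d/root" "$d/allow"                                      # prints backup-helper
rm -rf "$d"
# On a live host:
#   check_mount_opts /proc/self/mounts /tmp nosuid nodev noexec
#   audit_suid / /etc/suid-allowlist
```

Generate the allowlist once from a freshly installed host of the same image, review it by hand, and keep it under version control; the diff between two runs is the alert.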
3. Mandatory Access Control (MAC)
Discretionary access control (the owner/group/other bits) lets a compromised process do everything its user may do. Mandatory access control confines each process to a policy it cannot relax, even when it runs as root. Use AppArmor (Debian, Ubuntu, SUSE) or SELinux (RHEL, Fedora).
AppArmor
Enforce a profile for every network-exposed service (Nginx, MySQL, PHP-FPM). aa-enforce switches an installed profile from complain mode to enforce mode:
sudo aa-enforce /etc/apparmor.d/usr.sbin.nginx
A well-written profile limits Nginx to the files and capabilities it genuinely needs (its configuration, the document root, its log directory, the sockets it listens on), so a remote code execution in a worker process cannot read /etc/shadow, write a web shell outside the document root or spawn arbitrary binaries. The confinement is only as strong as the profile: not every distribution ships one for Nginx, so generate it with aa-genprof, run the service in complain mode while aa-logprof collects the accesses it needs, then enforce it and confirm with aa-status that the nginx processes are listed under enforce mode.
4. Network Defense
SSH Hardening (/etc/ssh/sshd_config, or a drop-in under /etc/ssh/sshd_config.d/)
PermitRootLogin no
PasswordAuthentication no
# On OpenSSH before 8.7 the keyword is ChallengeResponseAuthentication; without it PAM can still prompt for a password
KbdInteractiveAuthentication no
PubkeyAuthentication yes
AllowUsers admin
MaxAuthTries 3
Port 2222
Moving the port off 22 only cuts scanner noise in the logs; it is not a security boundary. Protocol 2 has been dropped from the list above because OpenSSH 7.4 and later only speak protocol 2. Two things bite people here. First, sshd uses the first value it reads for a keyword and silently ignores later duplicates, and on Debian and Ubuntu the Include of /etc/ssh/sshd_config.d/*.conf sits at the top of the main file, so a drop-in (cloud-init writes one that re-enables password authentication) wins over lines further down. Second, a typo locks you out. So check the effective configuration before restarting, with sshd -T | grep -Ei 'permitrootlogin|passwordauthentication|kbdinteractive', and keep your current session open until a fresh key-based login succeeds.
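Because of that first-match rule, the question to ask before restarting is "which value will the daemon actually use?". The script below is an added example, not from the article: it resolves a keyword the way sshd does (case-insensitive, first occurrence wins, Match blocks excluded because their settings are conditional) and checks the required settings against the defaults sshd applies when a line is missing. It does not follow Include directives, so treat it as a pre-commit check and keep sshd -T as the authority on a live host. The sshd_config it builds is a constructed sample and the function names are mine.

```shell
#!/bin/sh
# Added example (not from the original article): resolve the effective value of
# an sshd_config keyword and check a hardening policy against it.

# sshd_effective CONFIG KEYWORD -> the winning value, or nothing if unset.
# Accepts "Keyword value", "Keyword=value" and "Keyword = value". Stops at the
# first Match block. Does not follow Include (assumption: one file is checked).
sshd_effective() {
    awk -v want="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        {
            line = $0
            sub(/^[ \t]+/, "", line)
            if (line == "" || substr(line, 1, 1) == "#") next     # blank or comment
            match(line, /^[^ \t=]+/)
            if (RLENGTH < 1) next
            key  = tolower(substr(line, 1, RLENGTH))
            rest = substr(line, RLENGTH + 1)
            sub(/^[ \t]*=?[ \t]*/, "", rest)                       # separator: spaces and/or one "="
            sub(/[ \t]+$/, "", rest)
            if (key == "match") exit                               # conditional section starts
            if (key == want) { print rest; exit }                  # first occurrence wins
        }' "$1"
}

# sshd_default KEYWORD -> the value sshd uses when KEYWORD is absent (OpenSSH 7.0+).
sshd_default() {
    case "$(printf '%s' "$1" | tr 'A-Z' 'a-z')" in
        permitrootlogin) printf 'prohibit-password\n' ;;
        passwordauthentication|pubkeyauthentication|kbdinteractiveauthentication) printf 'yes\n' ;;
        port) printf '22\n' ;;
        *) printf '\n' ;;
    esac
}

# check_sshd CONFIG -> one line per required keyword whose effective value
# differs from policy; returns 1 if any.
check_sshd() {
    rc=0
    while read -r kw want; do
        have=$(sshd_effective "$1" "$kw")
        [ -n "$have" ] || have=$(sshd_default "$kw")
        if [ "$(printf '%s' "$have" | tr 'A-Z' 'a-z')" != "$want" ]; then
            printf '%s: want %s, effective %s\n' "$kw" "$want" "$have"
            rc=1
        fi
    done <<'EOF'
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
KbdInteractiveAuthentication no
EOF
    return $rc
}

# Constructed sshd_config: a stale line above the hardening block, the way an
# image or an earlier admin leaves it. Hypothetical content.
sshd_demo_config() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
# constructed sample, not a real host's file
Include /etc/ssh/sshd_config.d/*.conf
PermitRootLogin yes

# hardening block appended later
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
Port=2222

Match User backup
    PasswordAuthentication yes
EOF
    printf '%s\n' "$f"
}

f=$(sshd_demo_config)
printf 'PermitRootLogin resolves to: %s\n' "$(sshd_effective "$f" PermitRootLogin)"   # yes, not no
check_sshd "$f" || echo "policy violated; fix the file, then confirm with: sshd -T | grep -i permitrootlogin"
rm -f "$f"
```

The sample shows both failure modes at once: the appended PermitRootLogin no loses to the earlier yes, and KbdInteractiveAuthentication was never set, so sshd's default (yes) applies and PAM can still prompt for a password despite PasswordAuthentication no.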
Fail2Ban
Install Fail2Ban to ban IPs that fail authentication repeatedly. Put your settings in /etc/fail2ban/jail.local (jail.conf is replaced on package upgrades), and make port match the port sshd actually listens on, otherwise the firewall rule bans the wrong port:
[sshd]
enabled = true
port = 2222
filter = sshd
logpath = /var/log/auth.log
maxretry = 3
findtime = 600
bantime = 3600
ignoreip = 127.0.0.1/8 ::1
On distributions that log only to the systemd journal there is no /var/log/auth.log; replace the logpath line with backend = systemd. Add your management network to ignoreip so that a mistyped passphrase cannot lock you out, and check that the jail is live with fail2ban-client status sshd.
5. Auditing (Auditd)
Install auditd to record the syscalls that matter to you (logging every syscall is far too noisy to read). On current distributions the rules live in /etc/audit/rules.d/*.rules; augenrules --load compiles them into /etc/audit/audit.rules, which is overwritten, so do not edit that file directly. Watch the files whose modification means an account or privilege change:
-w /etc/passwd -p wa -k identity
-w /etc/shadow -p wa -k identity
-w /etc/sudoers -p wa -k priv_esc
-w /etc/sudoers.d/ -p wa -k priv_esc
-w /etc/ssh/sshd_config -p wa -k sshd
-e 2
The -k key tags each event so you can query it with ausearch -k priv_esc or summarise with aureport -k. -e 2 makes the rule set immutable until reboot, which stops an attacker who gains root from quietly disabling auditing, but it also means a rule change needs a reboot, so keep it as the last line. Ship the log off the host (audisp-remote or your log agent): an attacker with root can still truncate a local /var/log/audit/audit.log.
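Reading audit.log by hand means stitching together the SYSCALL, CWD and PATH records that share one msg=audit(timestamp:serial) id. The following is an added example, not part of the article, that does that join for the keys defined above and prints one line per event; on a live host ausearch does this for you, but an awk version is handy when you are triaging a copied log on a machine without the audit tools. The log lines it builds are constructed samples in the auditd record format, and the function names are mine.

```shell
#!/bin/sh
# Added example (not from the original article): join auditd records by event
# id and summarise keyed file-watch events as "key auid exe success path".

# audit_summarize LOGFILE
audit_summarize() {
    awk '
        # value of field NAME on the current record, quotes stripped; "" if absent
        function field(name,    s) {
            if (match($0, " " name "=\"[^\"]*\""))
                return substr($0, RSTART + length(name) + 3, RLENGTH - length(name) - 4)
            if (match($0, " " name "=[^ ]*"))
                return substr($0, RSTART + length(name) + 2, RLENGTH - length(name) - 2)
            return ""
        }
        # every record of one event carries the same msg=audit(TIMESTAMP:SERIAL) id
        { if (match($0, /msg=audit\([^)]*\)/)) id = substr($0, RSTART + 10, RLENGTH - 11); else next }
        $1 == "type=SYSCALL" {
            order[++n] = id
            key[id] = field("key"); auid[id] = field("auid"); exe[id] = field("exe"); ok[id] = field("success")
        }
        # PATH items of nametype PARENT are the containing directory; keep the object itself
        $1 == "type=PATH" && field("nametype") != "PARENT" {
            files[id] = (files[id] == "" ? "" : files[id] ",") field("name")
        }
        END {
            for (i = 1; i <= n; i++) {
                id = order[i]
                printf "%s auid=%s exe=%s success=%s %s\n", key[id], auid[id], exe[id], ok[id], files[id]
            }
        }
    ' "$1"
}

# Constructed sample log (hypothetical hosts, pids and inodes): root editing
# /etc/shadow with vim, then uid 1001 failing to open /etc/sudoers for writing.
audit_demo_log() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
type=SYSCALL msg=audit(1732406400.123:4567): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=7ffd1c3a4b20 a2=241 a3=1b6 items=2 ppid=1200 pid=1234 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=3 comm="vim" exe="/usr/bin/vim.basic" subj=unconfined key="identity"
type=CWD msg=audit(1732406400.123:4567): cwd="/root"
type=PATH msg=audit(1732406400.123:4567): item=0 name="/etc/" inode=2 dev=08:01 mode=040755 ouid=0 ogid=0 rdev=00:00 nametype=PARENT cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
type=PATH msg=audit(1732406400.123:4567): item=1 name="/etc/shadow" inode=262145 dev=08:01 mode=0100640 ouid=0 ogid=42 rdev=00:00 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
type=PROCTITLE msg=audit(1732406400.123:4567): proctitle=76696D002F6574632F736861646F77
type=SYSCALL msg=audit(1732406455.987:4590): arch=c000003e syscall=257 success=no exit=-13 a0=ffffff9c a1=5581f2c0a3d0 a2=241 a3=1b6 items=1 ppid=2200 pid=2345 auid=1001 uid=1001 gid=1001 euid=1001 suid=1001 fsuid=1001 egid=1001 sgid=1001 fsgid=1001 tty=pts1 ses=5 comm="bash" exe="/usr/bin/bash" subj=unconfined key="priv_esc"
type=PATH msg=audit(1732406455.987:4590): item=0 name="/etc/sudoers" inode=262200 dev=08:01 mode=0100440 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
EOF
    printf '%s\n' "$f"
}

f=$(audit_demo_log)
audit_summarize "$f"
rm -f "$f"
# On a copied log: audit_summarize audit.log | grep 'success=no'   (denied attempts on watched files)
```

Note that auid (the login uid) survives su and sudo, which is why the summary prints it rather than uid: the second event shows which human account tried to write /etc/sudoers, even though the attempt was denied.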
Conclusion
Hardening is a continuous process. Use tools like Lynis to regularly audit your system against compliance standards (CIS Benchmark).