Linux Security

linuxsystemhardening linuxfundamentals linuxprivilegeescalation

πŸ‘» To-do πŸ‘»

Stuff that I found, but never read/used yet.

  • πŸ’€ Grub (Linux bootloader) to reset the root password
    • βœ… BIOS and UEFI firmwares allow a boot Password
    • grub2-mkpasswd-pbkdf2 (generate a hash to add to configuration)
    • Ubuntu
  • Encryption systems
    • many modern Linux distributions ship with LUKS (Linux Unified Key Setup)
    • sudo cryptsetup -y -v luksFormat device
    • sudo cryptsetup luksOpen device name
    • sudo cryptsetup luksOpen --type luks device name
    • sudo cryptsetup luksDump device
    • sudo mount /dev/mapper/name dest
  • linux-securite
  • apparmor (aa-status, shipped with many linux distros, application profiles to define which resources they can access)
  • SELinuxProject (enforce access control on processes/files, labels, policy rules between labeled)
  • Disable root account (/sbin/nologin) +service (www-data)
  • Strong password policy
  • Use LTS
  • Protection_ring
  • Exec Shield
  • unattended-upgrades, read HT2TB notes
  • LXC

Upgrade packages.

$ sudo apt update
$ sudo apt upgrade
$ sudo apt-get dist-upgrade

Disable ssh login for root/..., and change the default port.

$ sudo vim /etc/ssh/sshd_config
$ sudo systemctl restart sshd

Install a firewall.

$ sudo apt install fail2ban
$ sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
$ sudo vim /etc/fail2ban/jail.local


  • Remove/Disable unused apps/services/...
  • NTP, Syslog
  • password policy and account lock
  • rootkis: chkrootkit, rkhunter
  • Hardening: Lynis