Top 25 Linux Commands for Securing a Linux Server:

1. Update the system:

sudo apt update
sudo apt upgrade

2. Secure SSH:

sudo nano /etc/ssh/sshd_config

Edit the following lines:

PermitRootLogin no
PasswordAuthentication yes

Restart SSH:

sudo service ssh restart

3. Configure Firewall (UFW):

sudo ufw allow OpenSSH
sudo ufw enable

4. Fail2Ban (prevent brute-force attacks):

sudo apt install fail2ban
sudo systemctl start fail2ban
sudo systemctl enable fail2ban

5. Disable unnecessary services:

sudo systemctl list-unit-files
sudo systemctl stop <service_name>
sudo systemctl disable <service_name>

6. Disable IPv6:

echo "net.ipv6.conf.all.disable_ipv6 = 1" | sudo tee -a /etc/sysctl.conf
sudo sysctl -p

7. Install and configure a firewall (for example, iptables):

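sudo apt install iptables
# Allow loopback and replies to connections the server itself opened
sudo iptables -A INPUT -i lo -j ACCEPT
sudo iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 22 -j ACCEPT
sudo iptables -A INPUT -j DROP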

8. Secure shared memory:

sudo nano /etc/fstab

9. Enable automatic security updates:

sudo apt install unattended-upgrades
sudo dpkg-reconfigure -plow unattended-upgrades

10. Check for rootkits:

sudo apt install rkhunter
sudo rkhunter --update
sudo rkhunter --check

11. Install and configure AppArmor:

sudo apt install apparmor
sudo aa-status

12. Enable and configure SELinux:

sudo apt install selinux
sudo setenforce 1

13. Secure Apache (if applicable):

sudo nano /etc/apache2/conf-available/security.conf

Set appropriate values for ServerTokens and ServerSignature.

14. Install and configure ModSecurity (if using Apache):

sudo apt install libapache2-mod-security2

15. Disable unused modules in Apache or Nginx:

For Apache:

sudo a2dismod <module_name>

For Nginx:

sudo nano /etc/nginx/nginx.conf

16. Disable directory listing in web server:

For Apache:

sudo nano /etc/apache2/apache2.conf

Add or modify:

<Directory /var/www/>
    Options -Indexes
</Directory>

17. Harden PHP settings:

sudo nano /etc/php/7.4/apache2/php.ini

Adjust settings such as expose_php, allow_url_fopen, etc.

18. Secure MySQL/MariaDB:

sudo mysql_secure_installation

19. Use strong passwords:

sudo passwd <username>

20. Configure sudo access:

# visudo opens /etc/sudoers and checks the syntax before saving
sudo visudo

Add user privileges:

<username> ALL=(ALL:ALL) ALL

21. Set file permissions:

sudo find /var/www/html -type d -exec chmod 755 {} \;
sudo find /var/www/html -type f -exec chmod 644 {} \;

22. Monitor system logs:

tail -f /var/log/auth.log
tail -f /var/log/syslog
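
For step 22, an added example (not part of the original list) that goes one step beyond tailing the log: it counts failed SSH password attempts per source address in auth.log-format lines. The function names and the sample log lines are constructed for illustration.

```bash
# Added example: count failed SSH password attempts per source address.
# The log lines are constructed sample data in the usual sshd auth.log format;
# host name, users and addresses (RFC 5737 documentation ranges) are made up.
sample_auth_log() {
cat <<'EOF'
Mar  3 10:15:01 web01 sshd[2101]: Failed password for root from 203.0.113.7 port 40122 ssh2
Mar  3 10:15:03 web01 sshd[2101]: Failed password for root from 203.0.113.7 port 40122 ssh2
Mar  3 10:15:09 web01 sshd[2107]: Failed password for invalid user admin from 203.0.113.7 port 40130 ssh2
Mar  3 10:16:40 web01 sshd[2113]: Failed password for invalid user test from 198.51.100.23 port 51514 ssh2
Mar  3 10:17:02 web01 sshd[2120]: Accepted publickey for deploy from 192.0.2.10 port 60022 ssh2
Mar  3 10:17:05 web01 sudo:   deploy : TTY=pts/0 ; PWD=/home/deploy ; USER=root ; COMMAND=/usr/bin/apt update
Mar  3 10:18:11 web01 sshd[2131]: Failed password for invalid user a from 192.0.2.10 port 22 from 198.51.100.23 port 51520 ssh2
EOF
}

# Reads auth.log lines on stdin and prints "<count> <address>", highest first.
# $1 = minimum number of failures to report (default 1).
# The user name is supplied by the client and may contain spaces, so the
# address is read from the fixed tail of the message ("from <ip> port <n> ssh2")
# rather than from the first "from" on the line.
failed_ssh_by_ip() {
    awk -v min="${1:-1}" '
        /sshd\[[0-9]+\]: Failed password for / &&
        $(NF-4) == "from" && $(NF-2) == "port" {
            count[$(NF-3)]++
        }
        END {
            for (ip in count)
                if (count[ip] >= min) print count[ip], ip
        }' | sort -k1,1nr -k2,2
}

# Demo on the constructed sample; on a server, feed the real log instead:
#   sudo cat /var/log/auth.log | failed_ssh_by_ip 5
sample_auth_log | failed_ssh_by_ip 3
```

Addresses that keep appearing here are the ones Fail2Ban (step 4) should already be banning.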

23. Install and configure logwatch:

sudo apt install logwatch

24. Use AIDE for file integrity checking:

sudo apt install aide
sudo aideinit

25. Secure GRUB bootloader:

sudo nano /etc/default/grub
