Intermediate System & Host
Linux Hardening — users, SSH, firewall, SUID, and auditing
A freshly installed Linux server already carries dozens of attack vectors: unnecessary accounts, open services, insecure SUID bits, and no auditing. Hardening is the process of shrinking that surface before the server goes into production.
User management
Remove or lock accounts that do not need interactive login:
# List accounts with a valid shell
grep -v '/nologin\|/false' /etc/passwd
# Lock an account
sudo usermod -L username
sudo usermod -s /usr/sbin/nologin username
# Check for unauthorized UID 0 (root)
awk -F: '($3 == 0) { print $1 }' /etc/passwd
Enforce password expiration and lock the root password:
sudo chage -M 90 -W 14 username # password expires after 90 days, warn 14 days ahead
sudo passwd -l root # lock the root password: blocks password login as root (key-based SSH as root is governed by PermitRootLogin below; sudo is unaffected)
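The two checks above (interactive shells, stray UID 0 accounts) as one offline script, added here as an example and not part of the original page. It runs the same awk logic against a constructed passwd-format file written to a temp path, so it can be tried without touching /etc/passwd; point the functions at /etc/passwd to use them on a real host.

```bash
#!/usr/bin/env bash
# Added example: offline account audit over a passwd-format file.
# The sample file below is constructed for illustration; it is not a real host's /etc/passwd.

# Accounts whose login shell permits interactive login (anything except nologin/false).
interactive_accounts() {
    # $1 = path to a passwd-format file
    awk -F: '$7 !~ /\/(nologin|false)$/ { print $1 }' "$1"
}

# Every account with UID 0. Only "root" is expected here.
uid0_accounts() {
    awk -F: '$3 == 0 { print $1 }' "$1"
}

# UID 0 accounts other than root: each one is an unauthorized superuser until proven otherwise.
unexpected_uid0() {
    uid0_accounts "$1" | grep -vx root || true
}

# Constructed sample data (note the second UID 0 entry "toor").
SAMPLE_PASSWD="$(mktemp)"
cat > "$SAMPLE_PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
deploy:x:1000:1000::/home/deploy:/bin/bash
svcacct:x:1001:1001::/var/lib/svc:/bin/false
toor:x:0:0::/root:/bin/sh
EOF

echo "Accounts with an interactive shell:"
interactive_accounts "$SAMPLE_PASSWD"
echo "Unexpected UID 0 accounts:"
unexpected_uid0 "$SAMPLE_PASSWD"
```

Note that `sync` shows up in the interactive list because its shell is `/bin/sync`, not `nologin`; the page's grep one-liner behaves the same way, which is why the output should be reviewed rather than acted on blindly.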
SSH hardening
Edit /etc/ssh/sshd_config:
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
AllowUsers deploy ops
MaxAuthTries 3
ClientAliveInterval 300
ClientAliveCountMax 2
Reload after changes:
sudo systemctl reload sshd
Use Ed25519 keys (stronger than RSA 2048):
ssh-keygen -t ed25519 -C "deploy@example.com"
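A small compliance check for the sshd_config directives above, added here as an example; it is not part of the original page. It reads the effective value of each directive the way sshd does (first non-comment occurrence wins, keyword case-insensitive) and reports every deviation. Both config files it tests are constructed samples written to temp files; the "whitespace-separated Keyword value" form is assumed and Match blocks are not handled.

```bash
#!/usr/bin/env bash
# Added example: checks an sshd_config file against the hardened directives listed above.
# The config files below are constructed samples, not copied from a real host.

# Effective value of one directive: first non-comment occurrence wins, as in sshd.
# Keywords are case-insensitive; the whitespace-separated "Keyword value" form is assumed.
# Match blocks are not handled, so on a live host confirm with `sshd -T`.
sshd_value() {
    # $1 = config file, $2 = directive name
    awk -v key="$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')" '
        /^[[:space:]]*#/ || NF == 0 { next }
        tolower($1) == key { print $2; exit }
    ' "$1"
}

# Prints one line per directive that deviates from the hardened value and
# returns 1 if anything deviates (0 when the file is compliant).
check_sshd_config() {
    file="$1"; rc=0
    for pair in PermitRootLogin=no PasswordAuthentication=no PubkeyAuthentication=yes MaxAuthTries=3; do
        key="${pair%%=*}"; want="${pair#*=}"
        actual="$(sshd_value "$file" "$key")"
        if [ "$actual" != "$want" ]; then
            # An unset directive falls back to the sshd default, which is never the hardened value here.
            printf '%s expected=%s actual=%s\n' "$key" "$want" "${actual:-unset}"
            rc=1
        fi
    done
    return "$rc"
}

# Constructed "before" config: a typical distribution default.
WEAK_CONFIG="$(mktemp)"
cat > "$WEAK_CONFIG" <<'EOF'
# shipped default, before hardening
#PermitRootLogin prohibit-password
PermitRootLogin yes
PasswordAuthentication yes
PubkeyAuthentication yes
EOF

# Constructed "after" config: the directives from the hardening list above.
HARDENED_CONFIG="$(mktemp)"
cat > "$HARDENED_CONFIG" <<'EOF'
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
AllowUsers deploy ops
MaxAuthTries 3
ClientAliveInterval 300
ClientAliveCountMax 2
EOF

echo "== default config =="
check_sshd_config "$WEAK_CONFIG" || echo "not compliant"
echo "== hardened config =="
check_sshd_config "$HARDENED_CONFIG" && echo "compliant"
```

On a live host, `check_sshd_config /etc/ssh/sshd_config` gives a quick pass/fail before the reload; running `sudo sshd -t` first validates the file's syntax so a typo cannot leave sshd unable to restart.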
Firewall with nftables / ufw
Default policy: deny everything, allow only what is needed.
# ufw (Ubuntu/Debian)
sudo ufw default deny incoming
sudo ufw default allow outgoing
sudo ufw allow 22/tcp
sudo ufw allow 443/tcp
sudo ufw enable
sudo ufw status verbose
SUID/SGID bits — privilege escalation risk
SUID binaries run with the owner’s privileges (often root):
# Find all SUID files on the system
find / -perm -4000 -type f 2>/dev/null
# Remove SUID from an unnecessary binary
sudo chmod u-s /usr/bin/at
Compare the list against a known baseline. Any unexpected SUID binary is a sign of compromise.
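The baseline comparison described above, written out as an added example (not code from the original page). It diffs a saved SUID/SGID inventory against a current one and reports both additions and removals, so the same script confirms that a `chmod u-s` took effect. The two lists below are constructed; on a real host both would come from the find command shown in `capture_inventory`, which also covers SGID (`-perm -2000`) files since the heading names both bits.

```bash
#!/usr/bin/env bash
# Added example: compare a SUID/SGID inventory against a stored baseline.
# The two lists below are constructed samples, not taken from a real system.

# Paths present in the current inventory but absent from the baseline.
# Inputs are files with one path per line, in any order; blank lines are ignored.
new_privileged_binaries() {
    # $1 = baseline file, $2 = current file
    awk 'NF == 0 { next }
         FILENAME == ARGV[1] { baseline[$0] = 1; next }
         !($0 in baseline) && !seen[$0]++' "$1" "$2"
}

# Paths that were in the baseline but are gone now (e.g. after chmod u-s).
removed_privileged_binaries() {
    new_privileged_binaries "$2" "$1"
}

# Capture a fresh inventory on a live host (defined here, not run in this example).
# Keep the saved baseline off the box so a compromise cannot edit it too.
capture_inventory() {
    # $1 = output file
    find / \( -perm -4000 -o -perm -2000 \) -type f 2>/dev/null | sort -u > "$1"
}

# Constructed baseline taken at build time.
BASELINE_LIST="$(mktemp)"
cat > "$BASELINE_LIST" <<'EOF'
/usr/bin/sudo
/usr/bin/passwd
/usr/bin/su
/usr/bin/at
/usr/bin/mount
EOF

# Constructed current inventory: "at" lost its SUID bit, and an unknown file gained one.
CURRENT_LIST="$(mktemp)"
cat > "$CURRENT_LIST" <<'EOF'
/usr/bin/sudo
/usr/bin/passwd
/usr/bin/su
/usr/bin/mount
/tmp/.cache/helper
EOF

echo "New privileged binaries (investigate):"
new_privileged_binaries "$BASELINE_LIST" "$CURRENT_LIST"
echo "Removed since baseline:"
removed_privileged_binaries "$BASELINE_LIST" "$CURRENT_LIST"
```

A SUID file under /tmp, as in the constructed sample, is exactly the kind of finding the comparison is meant to surface; mounting /tmp with nosuid (see the checklist at the end) makes that bit ineffective there regardless.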
Auditing with auditd
sudo apt install auditd
sudo auditctl -w /etc/passwd -p wa -k passwd_changes
sudo auditctl -w /etc/sudoers -p wa -k sudoers_changes
sudo auditctl -a always,exit -F arch=b64 -S execve -k exec_log
Rules added with auditctl last only until reboot; put the same rules (without the auditctl prefix) in a file under /etc/audit/rules.d/ so the service loads them at boot.
# Review events
sudo ausearch -k passwd_changes
sudo aureport --summary
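What reviewing those keys looks like in practice, as an added example that is not part of the original page: a few helper functions that answer the questions ausearch and aureport answer (how many events per key, which login UIDs triggered them, which attempts failed) over a constructed, abridged excerpt of SYSCALL records. The records mimic the audit.log field layout but are made up, and fields such as the a0..a3 arguments are omitted for brevity.

```bash
#!/usr/bin/env bash
# Added example: summarise audit events by rule key.
# The log excerpt is constructed and abridged to mimic SYSCALL records; it is not real audit.log output.

AUDIT_SAMPLE="$(mktemp)"
cat > "$AUDIT_SAMPLE" <<'EOF'
type=SYSCALL msg=audit(1700000000.101:201): arch=c000003e syscall=257 success=yes exit=3 ppid=900 pid=901 auid=1000 uid=0 euid=0 comm="vi" exe="/usr/bin/vi" key="passwd_changes"
type=SYSCALL msg=audit(1700000000.205:202): arch=c000003e syscall=59 success=yes exit=0 ppid=901 pid=910 auid=1000 uid=1000 euid=1000 comm="id" exe="/usr/bin/id" key="exec_log"
type=SYSCALL msg=audit(1700000000.310:203): arch=c000003e syscall=257 success=yes exit=4 ppid=1 pid=912 auid=4294967295 uid=0 euid=0 comm="useradd" exe="/usr/sbin/useradd" key="passwd_changes"
type=SYSCALL msg=audit(1700000000.410:204): arch=c000003e syscall=257 success=no exit=-13 ppid=950 pid=951 auid=1001 uid=1001 euid=1001 comm="vi" exe="/usr/bin/vi" key="sudoers_changes"
EOF

# Number of events carrying a given key (roughly what `ausearch -k KEY` would list).
count_key() {
    # $1 = log file, $2 = key
    grep -c "key=\"$2\"" "$1" || true
}

# Login UIDs (auid) behind a key. auid survives su/sudo, so it names the person who logged in;
# 4294967295 is "unset", i.e. the process was not started from a login session (boot, cron).
actors_for_key() {
    grep "key=\"$2\"" "$1" | grep -o 'auid=[0-9]*' | cut -d= -f2 | sort -u
}

# Event count per key, most frequent first (the `aureport --summary` style view).
events_per_key() {
    grep -o 'key="[^"]*"' "$1" | cut -d'"' -f2 | sort | uniq -c | sort -rn
}

# Keys of events that failed (success=no), e.g. a denied write to /etc/sudoers.
failed_events() {
    grep 'success=no' "$1" | grep -o 'key="[^"]*"' | cut -d'"' -f2
}

echo "Events per key:"
events_per_key "$AUDIT_SAMPLE"
echo "Who touched /etc/passwd (auid):"
actors_for_key "$AUDIT_SAMPLE" passwd_changes
echo "Failed attempts on watched files:"
failed_events "$AUDIT_SAMPLE"
```

The unset auid on the useradd record is the detail worth noticing: a change to /etc/passwd with no login session behind it is either provisioning automation or something that should not be there, and the auid field is what separates the two.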
Quick checklist
- Kernel up to date (sudo apt upgrade)
- Unnecessary services stopped (systemctl disable bluetooth cups)
- /tmp mounted with noexec,nosuid
- Fail2ban installed for SSH
- Logs shipped to a central SIEM