Quick tips to improve Linux Security on your desktop, laptop, or server (hardening for beginners)

Introduction

This tutorial provides essential tips for improving the security of your Linux desktop, laptop, or server. By following these steps, you can harden your system against potential threats and enhance your overall cybersecurity.

Step 1: Keep Software Up to Date

• Regularly check for updates to ensure all software is current.
• On Debian or Ubuntu systems, remove unused packages and libraries by running:

  sudo apt autoremove
  

• Enable automatic updates if you haven't done so, especially on servers where manual updates might be overlooked.

Step 2: Manage Services and SSH Access

• Review running services to minimize the attack surface. List all services with:

  systemctl list-unit-files
  

• Stop unnecessary services:

  systemctl stop SERVICE
  

• Disable these services from starting at boot:

  systemctl disable SERVICE
  

• For servers, avoid using a graphical desktop environment and prefer SSH for remote access.

Step 3: Secure SSH Configuration

• Limit SSH access to specific users by editing the SSH configuration file:

  sudo nano /etc/ssh/sshd_config
  

  Add the following line:

  AllowUsers username1 username2
  

• Disable root login to prevent unauthorized access. Edit the same SSH config file and modify:

  PermitRootLogin no
  

• Restart SSH to apply changes:

  sudo systemctl restart sshd
  

Step 4: User Management and Privileges

• Ensure only necessary users have administrative privileges.
• To disable root login completely, change the shell for the root user:

  sudo nano /etc/passwd
  

  Replace /bin/bash with /sbin/nologin for the root user.

Step 5: Implement Physical Security

• Physically secure your devices to prevent unauthorized access.
• Consider using full disk encryption to protect data in case of theft.

Step 6: Configure Security Modules and Firewalls

• Utilize security modules like SELinux or AppArmor for additional protection.
• Set up a firewall (e.g., UFW) to control incoming and outgoing traffic:

  sudo ufw enable
  sudo ufw allow ssh
  

Step 7: Disable Unused Ports and Devices

• To disable USB access, create a configuration file:

  sudo nano /etc/modprobe.d/disable-usb-storage.conf
  

  Add the line:

  install usb-storage /bin/true
  

• Similarly, create files to blacklist Firewire and Thunderbolt:
  • For Firewire:

    sudo nano /etc/modprobe.d/firewire.conf
    

    Add:

    blacklist firewire-core
    

  • For Thunderbolt:

    sudo nano /etc/modprobe.d/thunderbolt.conf
    

    Add:

    blacklist thunderbolt
    

Conclusion

By implementing these steps, you can significantly enhance the security of your Linux system. Regularly review your configurations and stay informed about security best practices. Consider further reading on topics such as password complexity and SSH security to keep your system secure.