Linux Service Security Hardening Guide
April 17, 2024
Service Management
Identifying Running Services
# List all running services
systemctl list-units --type=service
# Check enabled services
systemctl list-unit-files --state=enabled
Disabling Unnecessary Services
# Stop and disable services
sudo systemctl stop unnecessary-service
sudo systemctl disable unnecessary-service
# Mask services to prevent starting
sudo systemctl mask telnet.service
SSH Hardening
SSH Configuration
# Edit sshd_config
sudo nano /etc/ssh/sshd_config
# Security settings (directives inside /etc/ssh/sshd_config)
PermitRootLogin no
PasswordAuthentication no
X11Forwarding no
MaxAuthTries 3
ClientAliveInterval 300
ClientAliveCountMax 2
# Use strong algorithms
Ciphers aes256-ctr,aes192-ctr,aes128-ctr
MACs hmac-sha2-512,hmac-sha2-256
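Added example, not part of the original guide: a small audit that checks an sshd_config-style file against the settings listed above, honouring two sshd_config rules that a plain grep misses (keywords are case-insensitive, and the first value read for a keyword wins). The function names `audit_sshd_config` and `demo_sshd_audit` are hypothetical, the sample file is constructed, and only the global section before the first `Match` block is checked.

```shell
# audit_sshd_config FILE: compare FILE's global section with this guide's values.
audit_sshd_config() {
    awk '
    BEGIN {
        want["permitrootlogin"]        = "no"
        want["passwordauthentication"] = "no"
        want["x11forwarding"]          = "no"
        want["maxauthtries"]           = "3"
        want["clientaliveinterval"]    = "300"
        want["clientalivecountmax"]    = "2"
        want["ciphers"] = "aes256-ctr,aes192-ctr,aes128-ctr"
        want["macs"]    = "hmac-sha2-512,hmac-sha2-256"
    }
    /^[ \t]*(#|$)/ { next }                  # skip comments and blank lines
    {
        key = tolower($1)                    # keywords are case-insensitive
        if (key == "match") exit             # global section ends at first Match
        if (!(key in seen)) { seen[key] = 1; got[key] = $2 }  # first value wins
    }
    END {
        bad = 0
        for (k in want) {
            if (!(k in seen)) { print "MISSING " k " want=" want[k]; bad++
            } else if (got[k] != want[k]) { print "FAIL " k " got=" got[k] " want=" want[k]; bad++
            } else { print "OK " k }
        }
        exit (bad > 0)                       # non-zero status on any deviation
    }' "$1"
}

# Constructed sample input (not taken from a real host)
demo_sshd_audit() {
    tmp=$(mktemp) || return 2
    cat > "$tmp" <<'EOF'
PermitRootLogin no
passwordauthentication yes
PasswordAuthentication no
MaxAuthTries 3
ClientAliveInterval 300
ClientAliveCountMax 2
Ciphers aes256-ctr,aes192-ctr,aes128-ctr
MACs hmac-sha2-512,hmac-sha2-256
Match User deploy
    X11Forwarding no
EOF
    rc=0; audit_sshd_config "$tmp" || rc=$?
    rm -f "$tmp"; return "$rc"
}

demo_sshd_audit || echo "deviations found"
```

In the sample, the later `PasswordAuthentication no` does not override the earlier `yes`, and `X11Forwarding` set only inside a `Match` block counts as missing globally. On a live host, `sudo sshd -t` validates the file before a reload and `sudo sshd -T` prints the effective configuration.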
Service-Specific Security
Apache/Nginx Hardening
# Apache directives: remove server tokens
ServerTokens Prod
ServerSignature Off
# Enable security headers
Header set X-Content-Type-Options "nosniff"
Header set X-Frame-Options "SAMEORIGIN"
Header set X-XSS-Protection "1; mode=block"
Regular Updates
# Enable automatic security updates
sudo apt install unattended-upgrades
# Configure: edit the file and allow the security origin
sudo nano /etc/apt/apt.conf.d/50unattended-upgrades
Unattended-Upgrade::Allowed-Origins {
"${distro_id}:${distro_codename}-security";
};