Linux Service Security Hardening Guide
April 17, 2024
linux security services
Disclaimer: The examples, configurations, and code snippets provided in this article are for educational purposes only. While we strive for accuracy, there is no guarantee these will work in your specific environment. Always test configurations in a safe environment first and adapt them to your specific needs and security requirements.
Service Management
Identifying Running Services
# List all running services
systemctl list-units --type=service
# Check enabled services
systemctl list-unit-files --state=enabled
Disabling Unnecessary Services
# Stop and disable services
sudo systemctl stop unnecessary-service
sudo systemctl disable unnecessary-service
# Mask services so they cannot be started, manually or as a dependency
sudo systemctl mask telnet.service
SSH Hardening
SSH Configuration
# Edit sshd_config
sudo nano /etc/ssh/sshd_config
# Security settings (directives to set in sshd_config)
PermitRootLogin no
PasswordAuthentication no
X11Forwarding no
MaxAuthTries 3
ClientAliveInterval 300
ClientAliveCountMax 2
# Use strong algorithms
Ciphers aes256-ctr,aes192-ctr,aes128-ctr
MACs hmac-sha2-512,hmac-sha2-256
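To check a host's file against the settings above, the following is an added example, not code from the original article. The function names, the FAIL output format and the sample config are assumptions made for illustration. The script reads only the given file, does not follow Include directives, and covers only the six settings under "Security settings".

```sh
#!/bin/sh
# Added example (not from the article): audit sshd_config against this guide.
EXPECTED='permitrootlogin no
passwordauthentication no
x11forwarding no
maxauthtries 3
clientaliveinterval 300
clientalivecountmax 2'

# audit_sshd_config FILE: prints one FAIL line per deviation and returns the
# number of deviations as its exit status (0 = matches the guide).
audit_sshd_config() {
    printf '%s\n' "$EXPECTED" | awk -v cfg="$1" '
        BEGIN {
            while ((getline line < cfg) > 0) {
                sub(/^[ \t]+/, "", line)
                if (line == "" || line ~ /^#/) continue
                split(line, f, /[ \t]+/)
                key = tolower(f[1])          # keywords are case-insensitive
                if (key == "match") break    # Match blocks apply conditionally
                if (!(key in seen)) seen[key] = f[2]   # first value wins in sshd
            }
            close(cfg)
        }
        !($1 in seen)  { printf "FAIL %s: not set globally (want %s)\n", $1, $2; bad++; next }
        seen[$1] != $2 { printf "FAIL %s: is %s (want %s)\n", $1, seen[$1], $2; bad++ }
        END { exit bad + 0 }
    '
}

# Constructed sample config, not taken from a real host. The duplicate
# PasswordAuthentication line and the Match block are the two traps.
sample_config() {
    cat <<'EOF'
PermitRootLogin no
passwordauthentication yes
PasswordAuthentication no
X11Forwarding no
MaxAuthTries 3
ClientAliveInterval 300
Match User backup
    ClientAliveCountMax 2
EOF
}

tmp=$(mktemp)
sample_config > "$tmp"
audit_sshd_config "$tmp" || echo "deviations: $?"
rm -f "$tmp"
```

On a live host, `sudo sshd -T` prints the effective configuration, including defaults and included files, and is the authoritative check once the file itself looks right.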
Service-Specific Security
Apache/Nginx Hardening
# Remove server tokens (Apache httpd directives)
ServerTokens Prod
ServerSignature Off
# Enable security headers (Apache httpd; requires mod_headers)
Header set X-Content-Type-Options "nosniff"
Header set X-Frame-Options "SAMEORIGIN"
Header set X-XSS-Protection "1; mode=block"
Regular Updates
# Enable automatic security updates
sudo apt install unattended-upgrades
# Configure allowed origins in the unattended-upgrades file
sudo nano /etc/apt/apt.conf.d/50unattended-upgrades
Unattended-Upgrade::Allowed-Origins {
    "${distro_id}:${distro_codename}-security";
};