Linux system hardening commands

When I first started diving into Linux, I quickly realized that installing it wasn't enough; keeping it secure was a whole different challenge! It felt overwhelming at first, but over time, I've developed a routine and a solid checklist to ensure my systems are hardened against common threats. One of my first and most crucial steps is always keeping the system updated. Whether I'm on a Debian/Ubuntu system using sudo apt update && sudo apt upgrade, a Fedora/RHEL system with sudo dnf update --security to get those vital security patches, or an Arch Linux machine with sudo pacman -Syu, it’s non-negotiable. Outdated software is a common entry point for attackers, so this is my first line of defense. Next, I focus on user and SSH security. I always disable direct root login via SSH by setting PermitRootLogin no in the sshd_config file and enforce strong, unique passwords for all users. For remote access, I exclusively use key-based authentication, which is far more secure than passwords. As an extra layer of obscurity, I often change the default SSH port. Regularly checking for inactive user accounts and removing them (e.g., using lastlog -b 90 for users not logged in for 90 days) is also part of my routine. A properly configured firewall is another critical component. On Ubuntu, I typically use ufw (sudo ufw enable, sudo ufw allow ssh, sudo ufw allow http), while on other distributions, firewalld is my go-to. The key is to only open the ports that are absolutely necessary. To keep tabs on what's exposed, I regularly use ss -tuln (or netstat -tuln on older systems) to monitor open ports and identify any unexpected services listening. Incorrect file permissions are a silent killer in terms of security. I make it a habit to regularly review critical system files and directories. Tools like find / -perm /o+w -type f 2>/dev/null can help me quickly spot world-writable files that shouldn't be, which are major security holes. Ensuring my ~/.ssh directory and its contents have strict permissions (chmod 700 ~/.ssh and chmod 600 ~/.ssh/authorized_keys) is always on my checklist. Minimizing the attack surface also means disabling unnecessary services. I often use systemctl list-units --type=service --state=running to see what's active and then sudo systemctl disable <service_name> for anything I don't need. This is also where systemd-analyze blame proves useful; it not only helps optimize boot times but can also identify services running longer than expected, which might hint at issues or simply unnecessary processes that can be disabled. Finally, I rely on automated tools to catch what I might miss. Lynis is fantastic for this! Running sudo lynis audit system gives me a comprehensive report, including a 'hardening index' and actionable suggestions for improvement across various aspects like system configuration, software vulnerabilities, and network settings. It’s an invaluable tool for ensuring I'm ticking off all the boxes on my 'linux hardening security checklist' and continuously improving my security posture. Don't forget to check for any lingering legacy services and, if applicable, implement policies for USB device control to prevent unauthorized use. Hardening a Linux system is definitely an ongoing process, not a one-time task. By consistently applying these steps and regularly reviewing your system, you can significantly enhance its security and keep it resilient against threats!