Most Common Linux Server Hardening Tips
1. Enable Timestamps in History Command
By default, the 'history' command lists each command only with its line number. Sometimes it is useful to have a timestamp attached to each command to build a clearer picture. To enable timestamps in the history command, set the 'HISTTIMEFORMAT' environment variable.
# export HISTTIMEFORMAT="%d-%b-%Y %r "
To set this variable permanently, add the entry below at the end of the file /etc/profile:
export HISTTIMEFORMAT="%d-%b-%Y %r "
2. Configure NTP for Clock Synchronization
The Network Time Protocol (NTP) is a protocol used to synchronize a Linux system's clock with an accurate time source. On CentOS / RHEL we can use the ntp package, which provides client and server programs for time synchronization. It contains utilities and daemons that synchronize your Linux server's time to Coordinated Universal Time (UTC) via the NTP protocol and NTP servers.
Install NTP:
# yum -y install ntp
Sync the server's time with an NTP server using the command below:
# /usr/sbin/ntpdate time1.nextstep4it.com
Where time1.nextstep4it.com is the NTP server; replace it with the NTP server for your setup.
To set the NTP configuration permanently, edit the file /etc/ntp.conf and add the NTP server like
server time1.nextstep4it.com
Comment out all the other NTP server entries in the file /etc/ntp.conf and start the service
# service ntpd start ; chkconfig ntpd on
3. Enable Log Rotation Policy
Most of the log files are located in the /var/log/ directory. Some applications such as httpd and samba have a directory within /var/log/ for their log files.
You may notice multiple files in the /var/log/ directory with numbers after them (for example, cron-20130102). These numbers represent a timestamp that has been added to a rotated log file. Log files are rotated so their file sizes do not become too large. The logrotate package contains a cron task that automatically rotates log files according to the /etc/logrotate.conf configuration file and the configuration files in the /etc/logrotate.d/ directory.
The following is an example of the /etc/logrotate.conf configuration file:
# rotate log files weekly
weekly
# keep 4 weeks worth of backlogs
rotate 4
# uncomment this if you want your log files compressed
compress
All of the lines in the example configuration file define global options that apply to every log file. In our example, log files are rotated weekly, rotated log files are kept for 4 weeks, and all rotated log files are compressed by gzip into the .gz format. Any lines that begin with a hash sign (#) are comments and are not processed.
To configure a specific log file, define its options and place them under the global options. However, it is recommended to create a separate configuration file for any specific log file in the /etc/logrotate.d/ directory and define any configuration options there.
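The script below is an added example, not part of the original article: a POSIX shell audit that verifies the settings from tips 1 to 3 after they have been applied. The function names and failure messages are illustrative, and the logrotate check assumes the global options come before the first per-log block.

```sh
#!/bin/sh
# Added example: audit the settings from tips 1-3. Function names are
# illustrative; file paths are arguments so copies can be checked too.

# Tip 1: an uncommented "export HISTTIMEFORMAT=..." line is present.
check_history_timestamps() {
    grep -Eq '^[[:space:]]*export[[:space:]]+HISTTIMEFORMAT=' "$1"
}

# Tip 2: print the hosts of active server/pool lines. A line that starts
# with "#" is a comment to ntpd, so "# server host" configures nothing.
active_ntp_servers() {
    awk '$1 == "server" || $1 == "pool" { print $2 }' "$1"
}

# Tip 2: succeed only if the expected host is the single active entry.
check_ntp_servers() {
    [ "$(active_ntp_servers "$1")" = "$2" ]
}

# Tip 3: weekly, rotate 4 and compress are set as global options. Assumes
# the global options precede the first "{ ... }" per-log block, as in the
# stock file; options inside a block only apply to that log.
check_logrotate_globals() {
    awk '
        /^[[:space:]]*#/ { next }
        index($0, "{")   { exit }
        $1 == "weekly"             { w = 1 }
        $1 == "rotate" && $2 == 4  { r = 1 }
        $1 == "compress"           { c = 1 }
        END { exit !(w && r && c) }
    ' "$1"
}

# audit PROFILE NTP_CONF NTP_SERVER LOGROTATE_CONF -> returns failure count
audit() {
    fails=0
    check_history_timestamps "$1" ||
        { echo "FAIL: HISTTIMEFORMAT not exported in $1"; fails=$((fails + 1)); }
    check_ntp_servers "$2" "$3" ||
        { echo "FAIL: active NTP servers in $2 are not exactly $3"; fails=$((fails + 1)); }
    check_logrotate_globals "$4" ||
        { echo "FAIL: weekly/rotate 4/compress not all global in $4"; fails=$((fails + 1)); }
    return "$fails"
}

# Example: sh audit.sh /etc/profile /etc/ntp.conf time1.nextstep4it.com /etc/logrotate.conf
if [ "$#" -eq 4 ]; then audit "$@"; fi
```

A non-zero exit status is the number of failed checks, so the script can gate a provisioning or compliance job.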
4. Centralized Authentication / Gateway Server Authentication
Linux servers should be integrated with an LDAP server for authentication. Without a centralized authentication system, user authentication data becomes inconsistent, which may lead to out-of-date credentials and forgotten accounts that should have been deleted in the first place.
A centralized authentication service allows you to maintain central control over Linux / UNIX account and authentication data.
5. Boot the CentOS/RHEL Server in run level 3
As the X server consumes a lot of resources such as CPU and memory, it is better to run Linux servers in run level 3 (CLI mode). To boot the server in run level 3, edit the file /etc/inittab and make the below change