English English

Linux Server Hardening - Security Recommendations

This is an introduction on how to improve your security of your Linux server. The mentioned applications are available for Ubuntu 16.04 and newer.

CSF Firewall

This is a firewall with extensive features such as notifications about SSH access, DDOS protection and more. It is not available in the apt package manager in contrast to the firewall "ufw".

These packages are required before you install this application:

apt-get install e2fsprogs libwww-perl

You can download the application from this URL:

wget http://download.configserver.com/csf.tgz

Disable "ufw" or your existing firewall of your operating system. Unpack the downloaded folder and change to that folder.

sh install.sh

You can configure the application in this config file:



Change this line to this value, if you do want to activate the firewall:


All ports are blocked except the ones you mentioned in your config file. You can unblock TCP or UDP ports incoming or outcoming connections. Example:

TCP_IN: 22,53
TCP_OUT: 22,53,80,113,443
UPD_IN: 53
UPD_OUT: 53,113,123

If you did do changes in your config files, then please restart the "csf" firewall with this command:

csf -r


Change your SSH port to a high and random port number

vim /etc/ssh/sshd_config

And add also these settings:

Protocol 2
X11Forwarding no
IgnoreRhosts yes
UseDNS yes
PermitEmptyPasswords no
MaxAuthTries 3

It is also recommended to use key files instead of passwords for authentication Access to the "root" user should be blocked as well.


Network settings of your operating systems

Add the following settings in the file "syctl.conf" to improve your network security:

vim /etc/sysctl.conf 
# Disabling IPv6 autoconf in your operating system
net.ipv6.conf.all.autoconf = 0
net.ipv6.conf.default.autoconf = 0
net.ipv6.conf.eth0.autoconf = 0
net.ipv6.conf.all.accept_ra_defrtr = 0
net.ipv6.conf.default.accept_ra_defrtr = 0
net.ipv6.conf.eth0.accept_ra_defrtr = 0
net.ipv6.conf.all.accept_ra_pinfo = 0
net.ipv6.conf.default.accept_ra_pinfo = 0
net.ipv6.conf.eth0.accept_ra_pinfo = 0
net.ipv6.conf.all.accept_ra = 0
net.ipv6.conf.default.accept_ra = 0
net.ipv6.conf.eth0.accept_ra = 0

# Protection against IP spoofing
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1

# Ignoring ICMP broadcast requests
net.ipv4.icmp_echo_ignore_broadcasts = 1

# Disabling source packet routing
net.ipv4.conf.all.accept_source_route = 0
net.ipv6.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv6.conf.default.accept_source_route = 0

# Ignoring send redirects
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0

# Ignoring ICMP redirects
net.ipv4.conf.all.accept_redirects = 0
net.ipv6.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv6.conf.default.accept_redirects = 0

# Blocking SYN attacks
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_max_syn_backlog = 2048
net.ipv4.tcp_synack_retries = 2
net.ipv4.tcp_syn_retries = 5

# Logging Martians
net.ipv4.conf.all.log_martians = 1
net.ipv4.icmp_ignore_bogus_error_responses = 1

# Ignoring Directed pings
net.ipv4.icmp_echo_ignore_all = 1


Port Scanning Detector - PSAD

This application will block ip addresses that are doing suspicious network activities on your server (e.g.: port scanning, etc. ).

apt-get install psad


This application can also be installed from source with the file "install.pl". Check out the website:


Iptables should log all network activities:

sudo iptables -A INPUT -j LOG
sudo iptables -A FORWARD -j LOG
sudo ip6tables -A INPUT -j LOG
sudo ip6tables -A FORWARD -j LOG


Edit this file to configure the application:

vim /etc/psad/psad.conf
EMAIL_ADDRESSES - Change this to your email address.
HOSTNAME - This is set during installation - But change it to the FQDN of your server.
IPT_SYSLOG_FILE - Set this to "/var/log/syslog" or another log files that logs network activities;
ENABLE_AUTO_IDS - Set this to "Y". This will block the ip address that are causing suspicious network activities
ENABLE_AUTO_IDS_EMAILS - OPTIONAL: Set this to "Y", if you would like to receive email notifications of intrusions that are detected.
ALERTING_METHODS - If you want to deactivate email alerts, then set this to "noemail"


Update your application signature and restart the application:

psad --sig-update
psad -R


Intrusion Detection System - Fwsnort

This application does detect network intrusions with the help of signatures that can be downloaded.

apt-get install fwsnort

This application can be installed from source as well. Website: http://www.cipherdyne.org/fwsnort/


Rules database of this application can be manually updated with the following command:

fwsnort --update-rules


Convert all rules into iptables rules. Please check the output of this command as well for more information.

fwsnort --ipt-drop


After that the iptables rules have to be imported to iptables, which will activate the rules:


This command can be in a different path.

Add the update commands of "fwsnort" and other security application in to a cronjob.

10 3     * * 6  psad --sig-update && service psad restart
22 3     * * 6  (fwsnort --update-rules && fwsnort --ipt-drop && /var/lib/fwsnort/fwsnort.sh)


Intrusion Detection System for the file system - Tripwire

This application will check the file integrity of important files and other files in your file system. These will detect suspicious changes in your file system.

apt-get install tripwire

Follow the installation wizard. Please remember your site key passphrase and local key passphrase, because you will need them later.

Change the file "twcfg.txt" to your needs. Such as the report level ("REPORTLEVEL").

Generate the configuration file with this command:

twadmin -m F -c tw.cfg -S site.key twcfg.txt

You can run this application to perform a check with this command:

tripwire -m c -s -c /etc/tripwire/tw.cfg

A daily check script for cron is installed by this application.



apt-get install selinux


Adjust the configuration file to your needs.

vim /etc/selinx/config

If you did test this application with your configuration, then change the setting "SELINUX" to the value "enforcing".

# This file controls the state of SELinux on the system.
    # SELINUX= can take one of these three values:
    # enforcing - SELinux security policy is enforced.
    # permissive - SELinux prints warnings instead of enforcing.
    # disabled - No SELinux policy is loaded.

You will get false positives. This is the reason why you should set this setting to the value "permissive", when you are still testing your configuration.



This application blocks ip addresses for a certain time, after failed login or connection attempts. Every application or service has so called "jails", which check for a certain message patterns in your log file of the respective application.

You can install this application from apt ("apt-get install fail2ban") or from source. Website: https://github.com/fail2ban/fail2ban/releases

Create this config fail to configure your "jails".

vim /etc/fail2ban/jail.local

All settings in this file will be activated by "fail2ban". An example of a "jail":


enabled  = true
port     = 22
filter   = sshd
logpath  = /var/log/auth.log
maxretry = 3


SophosAV Anti Virus Scanner

This application has a free version which can be downloaded from this website:

These are some command, which you will need.

Check If Data Collection By Sophos Is Enabled:

/opt/sophos-av/bin/savconfig query DisableFeedback

Disable Data Collection By Sophos:

/opt/sophos-av/bin/savconfig set DisableFeedback true

Enable Sophos Antivirus daemon on boot:

sudo /opt/sophos-av/bin/savdctl enableOnBoot savd

Update Sophos Antivirus:

sudo /opt/sophos-av/bin/savupdate

Set email sender for email notification. You will get an email notification, if there is a virus or a problem.

/opt/sophos-av/bin/savconfig set EmailSender This email address is being protected from spambots. You need JavaScript enabled to view it.
/opt/sophos-av/bin/savconfig set EmailNotifier enabled

Enable on-access scanning:

/opt/sophos-av/bin/savdctl enable

Disable on-access scanning:

/opt/sophos-av/bin/savdctl disable

Scan Volume Boot Records:

savscan -bs=/dev/sda1

Scan Master Boot Records:

savscan -mbr

Activate live protection:

/opt/sophos-av/bin/savconfig set LiveProtection true

Install updates:


Please check also the documentation, if you want to know more about this application:


Update your packages every day automatically

It is important that you update your installed applications on your operating system every day. You can find a shell script, which updates this procedure on "Github":


Rootkit scanner

It is recommended to use two Rootkit scanners to make it more difficult for Rootkits to hide themselves.

apt-get install chkrootkit  

Adjust the configuration file:

vim /etc/default/rkhunter
apt-get install rkhunter

Adjust the configuration file:

vim /etc/rkhunter.conf

Run Chrootkit and rkhunter in cronjobs (auto. scan with email notification):

30 3 * * * (/usr/sbin/chkrootkit -q 2>&1 | mail -s "[My server] Rootkit Check Chrootkit Ergebnisse" This email address is being protected from spambots. You need JavaScript enabled to view it.)
50 3 * * * (/usr/bin/rkhunter -c --skip-keypress --rwo 2>&1 | mail -s "[My server] Rootkit Rkhunter Check Ergebnisse" This email address is being protected from spambots. You need JavaScript enabled to view it.)

Run Chrootkit and rkhunter in cronjobs (auto. scan only log file):

30 3 * * * (/usr/sbin/chkrootkit -q 2>&1 > /var/log/chrootkit_scan_results.log)
50 3 * * * (/usr/bin/rkhunter -c --skip-keypress --rwo 2>&1 > /var/log/rkhunter_scan_results.log)


"Tlsdate" instead of "ntp" for time synchronizing

The communication with a time server will not be unencrypted through UDP, if you use this application instead.

apt-get install -y tlsdate

Please check out also my other tutorials, if you want to know more about other applications or commands for your Linux operating system.


We use cookies on our website. They are essential for the operation of the site