Questions tagged [hardening]

All about making systems more resilient against attacks

Hardening is the process of making a system more resilient in malicious environments. There are basically three hardening strategies:

  1. Reduce the attack surface. For instance, deactivate unnecessary services, remove unnecessary accounts and software, and revoke unnecessary privileges.
  2. Strengthen the defences. For instance, data execution prevention, address space layout randomization, packet and content filtering as well as rigid access controls can make attacks much harder to mount.
  3. Segregation and containment. For instance, sandboxes, containers, and virtualization can help to reduce the attack impact.

Use this tag if your question is primarily concerned with actions and measures that make a system or an application significantly more secure than average. If you tag your question with , then avoid the use of unless your question is about the security of a particular hardening mechanism.

45 questions
36 votes, 2 answers

How does one change the delay that occurs after entering an incorrect password?

After entering an incorrect password at a login prompt, there's an approximately 3-second delay. How can I change that on a Linux system with PAM?
Shawn J. Goff
22 votes, 3 answers

Myth or reality: SELinux can confine the root user?

I read or heard somewhere (maybe in LinuxCBT's SELinux course; but I'm not sure) that there are online Linux servers, for which the password of the root user is also given. The Linux server is hardened using SELinux rules, such that everyone can…
Sadeq Dousti
20 votes, 2 answers

What to use to harden Linux box? Apparmor, SELinux, grsecurity, SMACK, chroot?

I am planning to go back to Linux as a Desktop machine. I would like to make it more secure. And try a few hardening techniques, especially since I plan to get my own server. What would be a good, sane hardening strategy? Which tools should I use -…
jottr
9 votes, 2 answers

Hide processes from other users based on groups (under Linux)?

Is it possible to configure process hiding for certain user groups under a linux system? For example: Users from group X should not see processes owned by users from group Y in ps/top or under /proc. Is it possible to configure such a setup with…
maxschlepzig
8 votes, 1 answer

What are the groups 'users' and 'other' for?

There is a proprietary document about system hardening/security standard stating that group users, nogroup, other, and some other groups should not contain any user except system administrators. I've found an explanation about nogroup group here.…
fikr4n
8 votes, 3 answers

How to harden su with dpkg-statoverride?

I am reading an Ubuntu 14 hardening guide and this is one of the suggestions: It generally seems like a sensible idea to make sure that only users in the sudo group are able to run the su command in order to act as (or become) root:…
Drew
8 votes, 1 answer

Securing VPS against access by server company

I have a few linux VPS boxes that contain the private keys to Bitcoin. I've taken a few steps to harden them: Blocked all ports except those needed for my server with uncomplicated firewall Disabled login with password; setup SSH keypairs; disabled…
Zach
6 votes, 2 answers

Deleting users with nologin shell

On a security audit performed on our production Linux servers, we were asked to remove nobody user if no applications are using it. I checked and could see that there are no files owned by 'nobody' user. find / -path /proc -prune -o -user nobody…
Zama Ques
5 votes, 1 answer

Why is the "harden" suite of packages not available for Debian Jessie (8.0)?

These include all the harden packages listed in the Debian automatic hardening documentation (https://www.debian.org/doc/manuals/securing-debian-howto/ch-automatic-harden.en.html), including: harden harden-tools harden-servers harden-clients etc.,…
user339676
4 votes, 1 answer

How to disable remote access on a linux distribution?

So I've read in Mark Sobell's book on Linux, that Linux by default is open to remote administration. Now seen as I'm running a Fedora 17, on a laptop I never have to administrate anything on remotely, I see this as a door to my house needlessly…
4 votes, 2 answers

Remove busybox from buildroot

As part of Linux hardening we want to remove busybox from filesystem created with buildroot. But I am not sure if system can boot without it. I am quite sure that there are init files that depend on busybox. Is it possible to boot without busybox…
ransh
4 votes, 2 answers

Disabling the security hardening options for a `nix-shell` environment

In an attempt to build GCC (6.3) on NixOS (16.09), within a nix-shell, I get this: make[1]: Entering directory '/coreboot/util/crossgcc/build-i386-elf-GCC/build-x86_64-pc-linux-gnu/libcpp' test -f config.h || (rm -f stamp-h1 && make…
Andrew
4 votes, 2 answers

Hardening debian?

So I have thought a bit about hardening a Debian squeeze file & VPN server lately. Right now, we've placed the machine behind a firewall only allowing SSH connections from LAN, set a strong root password and installed unattended-upgrades to keep us…
Industrial
3 votes, 0 answers

How does the use_pty sudoers option prevent a persistence attack?

As a rule in the Debian 10 hardening guide, and various other audit guides of the Center for Internet Security (CIS), setting the use_pty sudoers option is recommended for the following rationale: Attackers can run a malicious program using sudo…
Flo
3 votes, 0 answers

lshw segfaults on Linux >= 4.8 due to hardened usercopy on many computers

We use a custom built opsi.org bootimage to automatically install Windows on customers' client computers. The userland of this bootimage is based on an upstream bootimage, with some modifications from us, and a kernel taken from Ubuntu. Since we've…
Martin von Wittich