Module 3 – System Hardening

Security Is Configuration Discipline

A default Linux installation is not hardened.

It is functional.

Functional systems can still be:

  • Overexposed
  • Misconfigured
  • Privilege-escalation vulnerable
  • Logically insecure

Before installing Docker.
Before deploying services.
Before opening ports.

You harden the base system.

1. Hardening Philosophy

Hardening is not paranoia.

It is reducing:

  • Attack surface
  • Unnecessary services
  • Privilege scope
  • Configuration ambiguity

Every exposed service is a liability.
Every open port is a potential failure point.

2. Service Exposure Analysis

Start by identifying active services.

sudo systemctl list-units --type=service --state=running

Ask:

  • Do I need this?
  • What port does it use?
  • Who can access it?

List open ports:

sudo ss -tulnp

If you cannot explain why a port is open, close it.

3. SSH Hardening

SSH is the primary attack vector in most environments.

Default SSH configuration is too permissive.

Edit:

sudo nano /etc/ssh/sshd_config

Recommended adjustments:

Disable root login:

PermitRootLogin no

Disable password authentication (after setting keys):

PasswordAuthentication no

Limit users:

AllowUsers youruser

Restart SSH:

sudo systemctl restart sshd

Never restart SSH without confirming access remains.

Open a second terminal session before testing.

4. Firewall Configuration (firewalld)

Enterprise Linux systems use firewalld by default.

Check status:

sudo systemctl status firewalld

If not running:

sudo systemctl enable --now firewalld

List active zones:

sudo firewall-cmd --get-active-zones

List open ports:

sudo firewall-cmd --list-all

Open only required services:

sudo firewall-cmd --add-service=ssh --permanent
sudo firewall-cmd --reload

Never leave services exposed “temporarily.”

Temporary becomes permanent.

5. User & Privilege Discipline

Never operate daily as root.

Create a privileged user:

sudo useradd -m devopsuser
sudo passwd devopsuser
sudo usermod -aG wheel devopsuser

Verify sudo:

sudo whoami

Principle:

Least privilege always.

Only escalate when required.

6. Disabling Unnecessary Services

Identify services you don’t need:

sudo systemctl disable service-name

Examples often disabled in lab systems:

  • Unused mail services
  • Printing services
  • Avahi (if not required)

Every unnecessary service increases:

  • Boot time
  • Memory usage
  • Attack surface

7. Log Monitoring Fundamentals

Logs are your visibility layer.

Primary log locations:

  • /var/log/messages
  • /var/log/secure
  • journalctl

View SSH logs:

sudo journalctl -u sshd

Monitor live:

sudo journalctl -f

If you do not monitor logs, you do not control the system.

8. File Permission Awareness

Critical files:

  • /etc/passwd
  • /etc/shadow
  • SSH key directories

Verify permissions:

ls -l /etc/shadow

It should not be world-readable.

Understand:

r = read
w = write
x = execute

Never grant 777 permissions out of convenience.

Convenience creates compromise.

9. Automatic Updates (Controlled Approach)

Automatic updates improve security but reduce control.

Option 1:
Manual updates with discipline.

Option 2:
Enable automatic security updates only.

Understand trade-offs before enabling automation.

10. Hardening Checklist

Before moving forward, confirm:

✔ Root SSH login disabled
✔ Password authentication disabled (if keys configured)
✔ Firewall enabled
✔ Only required ports open
✔ Non-root sudo user configured
✔ Unnecessary services disabled
✔ Logs reviewed
✔ Snapshot taken (03-hardened-base)

Take snapshot:

03-hardened-base

Infrastructure must be versioned after major configuration changes.

11. Lab Assignment

  1. Harden your primary node:
    • Configure SSH restrictions
    • Enable firewall
    • Close unnecessary ports
    • Create dedicated sudo user
  2. Attempt to break your own system:
    • Try root SSH login
    • Try password login (if disabled)
    • Attempt connection from non-allowed user
  3. Document:
    • What changed?
    • What would happen if firewall was disabled?
    • What would happen if root login was allowed?

Hardening is validated through testing.

12. Production Reflection

Consider:

  • What happens if SSH is exposed publicly without hardening?
  • What happens if firewall rules are too permissive?
  • How does this map to cloud Security Groups?
  • What does “defense in depth” mean in practice?

Security is layered.

Network segmentation + firewall + SSH discipline + least privilege.

Remove one layer, risk increases.

Module Completion Criteria

You are ready for Module 4 when:

  • You understand open ports and service exposure.
  • You can explain your firewall configuration.
  • You operate as non-root.
  • You have a hardened snapshot saved.

Next:

→ Module 4 – Storage Engineering (LVM & Partitions)

Back To Top
Search
error: Content is protected !!