Linux Security And Server Hardening Part-2

In the previous guide, we discussed some security configurations for your Linux server. In this part, we look at some of the tools that can help improve the security of a Linux server.


Fail2ban

When you run a service that must be exposed to the outside world, there is always a threat of attack from an anonymous individual or group. Attackers will keep trying to access or crack the service with continuous authentication attempts, that is, a brute-force attack. fail2ban is a service that parses this kind of activity out of the logs and alters the iptables rules dynamically. Take the SSH service as an example: if a client makes several failed authentication attempts over SSH, fail2ban alters the iptables rules on that machine to block the intruder's IP for a few minutes (or longer, depending on the setup). These settings are defined in the fail2ban configuration files. You can also configure email notifications that inform the administrator about any triggered actions.

Install Fail2ban

Install fail2ban on Ubuntu/Debian:

root@ip-172-31-6-82:~# apt-get install fail2ban

Install fail2ban on Red Hat/CentOS (the package comes from the EPEL repository):

[root@ip-172-31-15-73 ~]# yum update && yum install epel-release
[root@ip-172-31-15-73 ~]# yum install fail2ban

The main fail2ban configuration file is /etc/fail2ban/fail2ban.conf. It contains basic settings such as the log level, the log target, and the socket and PID file paths. The log level can be set to CRITICAL, ERROR, WARNING, NOTICE, INFO, or DEBUG.

Fail2ban ships with a jail.conf file that contains its jail policies. It is recommended to put your local policies in a jail.local file rather than editing jail.conf directly: jail.conf is replaced on package upgrades, and any setting in jail.local overrides the same setting in jail.conf.

[root@ip-172-31-15-73 ~]# cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local

Under the [DEFAULT] section, you will find the default fail2ban policies:

ignoreip =                     # Whitelisted IP addresses; fail2ban will never ban these.
bantime = 600                  # How long, in seconds, an address stays banned.
findtime = 600                 # Window, in seconds, within which failures are counted.
maxretry = 3                   # Number of failures within the findtime window that triggers the ban action.
backend = auto                 # How the log files are monitored.
usedns = warn                  # Whether jails trust hostnames in logs, warn when DNS lookups are performed, or ignore all hostnames in logs.
destemail = root@localhost     # Email address that receives the alert notifications.
banaction = iptables-multiport # Action used for banning; this one adds iptables rules.
mta = sendmail                 # Mail transfer agent used to send notifications.
protocol = tcp                 # Protocol of the traffic dropped during a ban.
chain = INPUT                  # iptables chain where the iptables-* actions add their jump rules.
port = 0:65535                 # Port range covered by the ban.

Service Specific Section

Service-specific sections define the configuration for one particular service. Let's use SSH as an example; these lines go in the SSH jail section of jail.local:

enabled = true
port = ssh
filter = sshd
maxretry = 6

The "enabled" parameter turns the SSH jail on, "port" sets the port to the SSH port, "filter" selects the sshd log filter, and "maxretry" defines the maximum number of failed authentication attempts before the offending IP address is banned. A parameter set here overrides the same parameter in the [DEFAULT] section. You can define as many more parameters as you need.

You can enable and define policies for other services in the same way. Don't hesitate to look up additional information about fail2ban's features online or in the man pages.
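To make the interaction between findtime and maxretry concrete, here is an added example (not part of the original guide and not fail2ban's own code) that reproduces the core of what the sshd jail does: it scans sshd log lines for failed password attempts, counts them per source IP inside a sliding window of findtime seconds, and reports the addresses that reach maxretry. The log lines are constructed for this example and use documentation IP ranges; on a real host the input would be /var/log/auth.log (Debian/Ubuntu) or /var/log/secure (Red Hat/CentOS), and fail2ban matches the lines with the regexes in /etc/fail2ban/filter.d/sshd.conf rather than this simplified pattern:

```shell
#!/bin/sh
# Constructed sample sshd log lines (not taken from a real host); the
# addresses are from the documentation ranges 203.0.113.0/24 and 198.51.100.0/24.
SAMPLE_LOG='Jul 25 08:49:01 host sshd[1201]: Failed password for invalid user admin from 203.0.113.5 port 40001 ssh2
Jul 25 08:49:03 host sshd[1202]: Failed password for invalid user admin from 203.0.113.5 port 40002 ssh2
Jul 25 08:49:05 host sshd[1203]: Failed password for root from 203.0.113.5 port 40003 ssh2
Jul 25 08:50:10 host sshd[1204]: Accepted publickey for ec2-user from 198.51.100.7 port 50000 ssh2
Jul 25 08:51:00 host sshd[1205]: Failed password for ec2-user from 198.51.100.7 port 50001 ssh2
Jul 25 09:20:00 host sshd[1206]: Failed password for ec2-user from 198.51.100.7 port 50002 ssh2
Jul 25 09:21:00 host sshd[1207]: Failed password for ec2-user from 198.51.100.7 port 50003 ssh2'

# find_offenders FINDTIME MAXRETRY < log
# Prints, one per line and in the order they would be banned, every source IP
# that accumulates MAXRETRY failed password attempts inside a window of
# FINDTIME seconds. Mirrors fail2ban's findtime/maxretry logic for one jail.
find_offenders() {
  awk -v findtime="$1" -v maxretry="$2" '
    /sshd\[[0-9]+\]: Failed password/ {
      # seconds since midnight from the HH:MM:SS field (sample stays within one day)
      split($3, t, ":"); now = t[1] * 3600 + t[2] * 60 + t[3]
      # the source address always follows the word "from", whether or not
      # the line carries "invalid user"
      ip = ""; for (i = 1; i <= NF; i++) if ($i == "from") ip = $(i + 1)
      if (ip == "" || (ip in banned)) next
      n[ip]++; times[ip, n[ip]] = now
      # slide the window: forget failures older than findtime seconds
      while (head[ip] + 1 <= n[ip] && now - times[ip, head[ip] + 1] > findtime) head[ip]++
      if (n[ip] - head[ip] >= maxretry) { banned[ip] = 1; print ip }
    }'
}

# Same values as the [DEFAULT] section above: findtime = 600, maxretry = 3
printf '%s\n' "$SAMPLE_LOG" | find_offenders 600 3
```

With findtime = 600 and maxretry = 3 only 203.0.113.5 is reported: 198.51.100.7 also fails three times, but its first failure falls outside the 600-second window, so it is never banned. Widening findtime to 7200 (or lowering maxretry to 2) catches it as well, which is why the two parameters have to be tuned together against the slow, spread-out guessing you actually see in your logs.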

psacct and acct tools

psacct and acct are tools for tracking user activity on the system. If your system is used by multiple users, they help you track each user's connect time, which commands they ran, and so on. The psacct package is available for RHEL, CentOS, and Fedora, whereas the acct package is available for Ubuntu and Debian.

Install psacct and acct

Install psacct for Red Hat/CentOS:

[root@ip-172-31-15-73 ~]# yum install psacct

Install acct for Ubuntu/Debian:

root@ip-172-31-6-82:~# apt-get install acct

Print the total connect time of all users, in hours:

[root@ip-172-31-15-73 ~]# ac
total 10.46

The command below prints the connect time, in hours, for each day:

[root@ip-172-31-15-73 ~]# ac -d
Jul 20 total 2.31
Today total 8.16

Display the connect time of a single user:

[root@ip-172-31-15-73 ~]# ac ec2-user
total 10.60

Display the connect time of a single user, broken down by day:

[root@ip-172-31-15-73 ~]# ac -d ec2-user
Jul 20 total 2.31
Today total 8.31

Display the connect time of every user plus the total:

[root@ip-172-31-15-73 ~]# ac -p
ec2-user 10.63
total 10.63

Summarize all commands executed by users:

[root@ip-172-31-15-73 ~]# sa
21 165.09re 0.00cp 0avio 12413k
12 165.09re 0.00cp 0avio 15922k ***other*
7 0.00re 0.00cp 0avio 1077k ac
2 0.00re 0.00cp 0avio 31040k ls

Display the commands executed by each user:

[root@ip-172-31-15-73 ~]# sa -u
root 0.00 cpu 1040k mem 0 io accton
root 0.00 cpu 3838k mem 0 io systemd-tty-ask
root 0.00 cpu 70928k mem 0 io pkttyagent
root 0.00 cpu 32096k mem 0 io systemctl
root 0.00 cpu 2672k mem 0 io systemd-cgroups
root 0.00 cpu 0k mem 0 io kworker/0:2H *
root 0.00 cpu 1077k mem 0 io ac
root 0.00 cpu 1077k mem 0 io ac
root 0.00 cpu 0k mem 0 io kworker/0:1 *
root 0.00 cpu 1077k mem 0 io ac
root 0.00 cpu 1076k mem 0 io ac
postfix 0.01 cpu 22288k mem 0 io pickup

Display previously executed commands, most recent first:

[root@ip-172-31-15-73 ~]# lastcomm
sa root pts/0 0.00 secs Tue Jul 25 08:51
sa root pts/0 0.00 secs Tue Jul 25 08:49
touch S root pts/0 0.00 secs Tue Jul 25 08:49
ls root pts/0 0.00 secs Tue Jul 25 08:49
ls root pts/0 0.00 secs Tue Jul 25 08:49
sa root pts/0 0.00 secs Tue Jul 25 08:49
ac root pts/0 0.00 secs Tue Jul 25 08:48
ac root pts/0 0.00 secs Tue Jul 25 08:47
kworker/0:0H F root __ 0.00 secs Tue Jul 25 08:26

Use the man page to explore more options.
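As an added example (not part of the original guide or of the psacct/acct packages), the shell functions below parse lastcomm-style output so that the accounting data becomes something you can review or alert on: a per-user command count, and the list of commands that ran with the S flag, which lastcomm uses to mark a command executed with superuser privileges. The input is the lastcomm output shown above plus one constructed line for ec2-user, so the per-user summary has two entries. Keep in mind that lastcomm, sa and ac only have data once process accounting is running (accton, started by the psacct or acct service):

```shell
#!/bin/sh
# Sample lastcomm output: the lines from this guide plus one constructed line
# for a second user (ec2-user).
SAMPLE_LASTCOMM='sa root pts/0 0.00 secs Tue Jul 25 08:51
sa root pts/0 0.00 secs Tue Jul 25 08:49
touch S root pts/0 0.00 secs Tue Jul 25 08:49
ls root pts/0 0.00 secs Tue Jul 25 08:49
ls root pts/0 0.00 secs Tue Jul 25 08:49
sa root pts/0 0.00 secs Tue Jul 25 08:49
ac root pts/0 0.00 secs Tue Jul 25 08:48
ac root pts/0 0.00 secs Tue Jul 25 08:47
kworker/0:0H F root __ 0.00 secs Tue Jul 25 08:26
ls ec2-user pts/1 0.00 secs Tue Jul 25 08:50'

# Every record ends with the fixed fields "<secs> secs <Day> <Mon> <date> <time>",
# so the user is always the 7th field from the end and the tty the 6th. The
# flags column between the command and the user is present only when a flag
# was set, which is why the parser counts fields from the right.
# parse_lastcomm < output  ->  "command flags user tty" ("-" when no flag was set)
parse_lastcomm() {
  awk '
    NF < 9 { next }                        # not a lastcomm record
    { cmd = $1; user = $(NF - 7); tty = $(NF - 6)
      flags = (NF >= 10) ? $2 : "-"
      print cmd, flags, user, tty }'
}

# commands_by_user < output  ->  "user count" lines, sorted by user
commands_by_user() {
  parse_lastcomm | awk '{ n[$3]++ } END { for (u in n) print u, n[u] }' | sort
}

# privileged_commands < output  ->  "command user tty" for every command that
# ran with the S (superuser) flag; these are the ones to review first on a
# multi-user host.
privileged_commands() {
  parse_lastcomm | awk '$2 ~ /S/ { print $1, $3, $4 }'
}

printf '%s\n' "$SAMPLE_LASTCOMM" | commands_by_user
printf '%s\n' "$SAMPLE_LASTCOMM" | privileged_commands
```

On a live system, replace the sample with `lastcomm` itself (or `lastcomm --user ec2-user` for one account) and run the functions from cron to keep a daily record of who ran what with elevated privileges.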


Lynis

Lynis is an open-source auditing tool that Linux/Unix administrators use to evaluate the current security state of a system. Lynis is lightweight and easy to use, and you get a detailed security report in a few minutes. It performs many tests during a run and reports the current security state. During the run, Lynis scans whatever it can find on the system; for example, if a web server such as Apache or nginx is installed, it runs the tests for that service.

Install Lynis

Install Lynis on Red Hat/CentOS:

[root@ip-172-31-15-73 ~]# yum install lynis

Install Lynis on Ubuntu/Debian:

root@ip-172-31-2-242:~# apt-get install lynis

Run Lynis on the system:

[root@ip-172-31-15-73 ~]# lynis -c

You will get a detailed report on every aspect of the system, as shown below:

[+] File systems
- Checking mount points
- Checking /home mount point [ SUGGESTION ]
- Checking /tmp mount point [ SUGGESTION ]
- Checking /var mount point [ SUGGESTION ]
- Query swap partitions (fstab) [ NONE ]
- Testing swap partitions [ OK ]
- Testing /proc mount (hidepid) [ SUGGESTION ]
- Checking for old files in /tmp [ OK ]
- Checking /tmp sticky bit [ OK ]
- ACL support root file system [ ENABLED ]
- Mount options of / [ OK ]
- Disable kernel support of some filesystems
- Discovered kernel modules: cramfs squashfs udf
[+] Name services
- Checking search domains [ FOUND ]
- Searching DNS domain name [ FOUND ]
Domain name: ec2.internal
- Checking /etc/hosts
- Checking /etc/hosts (duplicates) [ OK ]
- Checking /etc/hosts (hostname) [ SUGGESTION ]
- Checking /etc/hosts (localhost) [ OK ]
- Checking /etc/hosts (localhost to IP) [ OK ]

The security checks include:

  • Boot and services
  • Kernel
  • Memory and processes
  • Users, groups, and authentication
  • File systems
  • Home directories
  • File permissions
  • Software: Malware
  • Security frameworks
  • Logging and files
  • SSH support

and more.

If you are setting up a Linux server and want to find all the security loopholes, then Lynis is the tool for you.
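Lynis is usually run repeatedly, for instance after every provisioning change, so it helps to turn its console output into numbers. The shell functions below are an added example (not part of this guide or of Lynis itself): they pull the check names for a given status out of the output, count them, and implement a simple gate that fails when any WARNING appears or the number of SUGGESTION items exceeds a threshold. The input is constructed from the excerpt shown above; on a real host you would pipe in the output of a fresh run made with --no-colors so the status tags are plain text:

```shell
#!/bin/sh
# Constructed input: the Lynis console excerpt from this guide, not a fresh run.
LYNIS_OUTPUT='[+] File systems
- Checking mount points
- Checking /home mount point [ SUGGESTION ]
- Checking /tmp mount point [ SUGGESTION ]
- Checking /var mount point [ SUGGESTION ]
- Query swap partitions (fstab) [ NONE ]
- Testing swap partitions [ OK ]
- Testing /proc mount (hidepid) [ SUGGESTION ]
- Checking for old files in /tmp [ OK ]
- Checking /tmp sticky bit [ OK ]
- ACL support root file system [ ENABLED ]
- Mount options of / [ OK ]
[+] Name services
- Checking search domains [ FOUND ]
- Searching DNS domain name [ FOUND ]
Domain name: ec2.internal
- Checking /etc/hosts
- Checking /etc/hosts (duplicates) [ OK ]
- Checking /etc/hosts (hostname) [ SUGGESTION ]
- Checking /etc/hosts (localhost) [ OK ]
- Checking /etc/hosts (localhost to IP) [ OK ]'

# lynis_items STATUS < output  ->  names of the checks that ended with "[ STATUS ]"
lynis_items() {
  awk -v st="$1" '
    index($0, "[ " st " ]") {
      sub(/^[ \t]*- /, "")                      # drop the leading "- "
      sub(/[ \t]*\[ [A-Z]+ \][ \t]*$/, "")      # drop the trailing status tag
      print }'
}

# lynis_count STATUS < output  ->  number of checks with that status (0 if none)
lynis_count() { lynis_items "$1" | awk 'END { print NR }'; }

# lynis_gate MAX_SUGGESTIONS < output
# Exit 0 when the run contains no WARNING and at most MAX_SUGGESTIONS
# suggestions, exit 1 otherwise; usable as a build or provisioning gate.
lynis_gate() {
  awk -v max="$1" '
    index($0, "[ WARNING ]")    { w++ }
    index($0, "[ SUGGESTION ]") { s++ }
    END { exit (w + 0 > 0 || s + 0 > max) ? 1 : 0 }'
}

printf '%s\n' "$LYNIS_OUTPUT" | lynis_items SUGGESTION
printf '%s\n' "$LYNIS_OUTPUT" | lynis_count SUGGESTION
printf '%s\n' "$LYNIS_OUTPUT" | lynis_gate 5 && echo "gate passed" || echo "gate failed"
```

The excerpt carries five suggestions and no warnings, so `lynis_gate 5` passes and `lynis_gate 4` fails. A threshold like this is only a starting point: the aim is to drive the SUGGESTION count down over time (separate /home, /tmp and /var partitions and hidepid on /proc are the ones the excerpt flags), not to pick a number that makes the gate green.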


Nessus

Nessus is a network and vulnerability testing tool that gives you a quick scan of your network's security. Hackers generally run a vulnerability test first and then do penetration testing to measure the security of your server; they look for security holes, open ports, weak passwords, and so on. You can install Nessus on one machine to scan the systems in your network.

Installing Nessus

You can download Nessus from the Nessus home page. Choose your OS distribution and download the package. I am using the Ubuntu 16 distribution for demo purposes.

Install the package:

root@ip-172-31-13-46:/home/ubuntu# dpkg -i Nessus-6.10.9-ubuntu1110_amd64.deb
Selecting previously unselected package nessus.
(Reading database ... 51032 files and directories currently installed.)
Preparing to unpack Nessus-6.10.9-ubuntu1110_amd64.deb ...
Unpacking nessus (6.10.9) ...
Setting up nessus (6.10.9) ...
Unpacking Nessus Core Components...
nessusd (Nessus) 6.10.9 [build M20097] for Linux
Copyright (C) 1998 - 2016 Tenable Network Security, Inc

Processing the Nessus plugins...

All plugins loaded (1sec)

- You can start Nessus by typing /etc/init.d/nessusd start
- Then go to https://ip-172-31-13-46:8834/ to configure your scanner

Processing triggers for systemd (229-4ubuntu17) ...
Processing triggers for ureadahead (0.100.0-19) ...

Open your browser and go to the link printed at the end of the installation. You will see the console below:

Set your username and password:


On the next page, you have to register the product. You'll receive an activation code by email. You can choose the Home or commercial version, as per your needs.


After the resources have initialized, you will get a login page. Log in with the username and password you set in the previous steps, then click the "New Scan" button in the top-left corner.


On this page, you can see many plugins. If you are using the Home version, you will have limited access to plugins. Here we will go for advanced scanning.


Enter the name, description, and IP address of the machines which you want to scan:


After completion, you can see detailed reports:



In this guide, we discussed a few tools for security, auditing, and network testing, but there are many more tools out there, such as auditd, Bastille, and nmap, if you want to explore your security options further. If you want to sharpen your skills in security and server hardening, check out the Linux Academy Red Hat Certificate of Expertise in Server Hardening Prep Course in the Linux section. Cheers !!

  • Kevin J

    A good how-to guide.

  • Murtuza K

    Thank you Kevin :)

  • Mohamed S

    Thanks, very helpful

  • Murtuza K

    @sabry Thank you very much!!

  • Amjed J

    This is great. Thank you.

  • Murtuza K

    @amjed Thank you !!

  • Munusamy P

    Really Nice... Grateful!!!

  • Murtuza K

    @munu3 Thank you :)

  • Jeremy C

    Thank you!

  • Murtuza K

    @jeremycollins92 My Pleasure :)

  • Andrey R

    Also, you can add in /etc/ssh/sshd_config a row "AlloweUsers your_username" => to restrict access with other usernames except your_username.

  • Charles C

    For those of you who like to copy-paste commands, don't copy the 'e' in the middle of Andrey's command. It's just "AllowUsers userid userid . . ." :-)
