Linux Mint – Hardening your system

Although Linux is a very secure platform, further hardening can be performed to make the security even stronger. The first and most important rule of security is that if you are not using a particular service, turn it off. Every unused service you disable makes your attack surface that much smaller.

To view a list of open ports on your computer and the services that are listening on them, install the nmap package with the following shell command:


sudo apt-get install nmap

Then, execute the following shell command to list your open ports:


sudo nmap -sS -O localhost

Note that in the previous command, we’re including the letter O and not a zero. After executing it, you’ll see some text appear in your terminal. This text will include a list of ports and also the service that is listening on that port. By default, you may not have many ports open and listening, other than NetBIOS and a few others, and this is perfectly fine. However, if you’ve installed extra packages that provide a service, you may see others listed. If you aren’t using them, remove the package that is responsible for them to lower your attack surface a bit.

In addition, browser plugins can theoretically cause issues with not only security but stability as well. If there is a package installed on your system that runs in your browser and it’s not something that you use, you can simply remove it to lower your browser’s attack surface. One common example of this is Java. While Java was very commonly used on websites at one time, its usage has been declining. Unfortunately, Java is also a very common attack target for crackers on Windows and Mac platforms, and it’s theoretically possible that attacks that take advantage of Java may start being engineered toward the Linux platform. If you don’t need it, you can uninstall it.

In Firefox, Mint’s default browser, it’s easy to see which plugins are in use. To do so, open a new tab and then type about:plugins in the address bar. You’ll be taken to a hidden page, where you can see which plugins are in use on your system. To remove a plugin, you’ll need to uninstall the package that corresponds to that plugin. To do so, try searching for the name of the plugin in Synaptic, where you can easily remove the package responsible for it.

By default, Mint ships with an SSH client, so that you can connect to other machines via SSH. If you want to allow other machines to connect to you, you’ll have to install the openssh-server package in order to add the necessary daemon (service) that allows other machines to connect. If you don’t need to allow other systems to connect to you, make sure to remove the openssh-server package. If you do need the package, consider editing the sshd_config file located in /etc/ssh to harden SSH a bit. Open the file with the following command:


sudo nano /etc/ssh/sshd_config

There are some clauses inside the sshd_config file that you should look out for. For example, consider the following entry within the file:


PermitRootLogin yes

This line states that direct logins to root are allowed. Although the root account is disabled, turning this option off goes an extra step toward minimizing the risk of someone finding a backdoor to the root account anyway. To do so, change the line to the following:


PermitRootLogin no

Port 22 is the default port that is assumed whenever you use the ssh command to connect to a machine. As this port is assumed, crackers would try port 22 before any other port. If you want to make it a bit tougher for crackers to guess, consider changing the port number. At the top of the file, you’ll see the following line:


Port 22

Change the port number to something else, preferably above 1024 and below 65000. Then, when connecting to the machine from another one, you’ll need to specify the port. This is done using the following command:


ssh jdoe@192.168.1.2 -p 45632

As you changed the port, the following command (without the -p flag) would be denied a connection:


ssh jdoe@192.168.1.2

After making changes to the sshd_config file, you will need to restart the SSH daemon for the changes to take effect, using the following command:


sudo service ssh restart
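
The following script is an added example, not part of the original article: it checks a copy of sshd_config for the two settings discussed above. It shows a pitfall the edit itself can hide: sshd uses the first value it reads for a keyword, so appending PermitRootLogin no below an existing PermitRootLogin yes changes nothing. The function names and the sample file are made up for the example, and Include files and Match blocks are not evaluated.

```shell
#!/bin/sh
# Added example, not from the original article. Assumptions: only the global
# section of the one file given is read (Include files and Match blocks are
# not evaluated); the function names are made up for this example.

# values FILE KEYWORD: print every value of KEYWORD, in file order.
# Keywords are case-insensitive, "Key=value" is accepted, '#' lines are comments.
values() {
    awk -v key="$2" '
        { sub(/^[ \t]+/, ""); sub(/[ \t]*=[ \t]*/, " ") }
        /^#/ || NF == 0 { next }
        tolower($1) == "match" { exit }       # global section ends here
        tolower($1) == tolower(key) { print tolower($2) }
    ' "$1"
}

# audit_sshd FILE: report both settings; return 1 unless PermitRootLogin is no.
audit_sshd() {
    rc=0
    # sshd uses the FIRST value it reads, so a later "no" does not override "yes".
    root=$(values "$1" PermitRootLogin | head -n 1)
    if [ "$root" = "no" ]; then
        echo "OK   PermitRootLogin no"
    else
        echo "FAIL PermitRootLogin ${root:-unset (built-in default applies)}"
        rc=1
    fi
    # Port may appear several times and sshd listens on all of them; 22 if unset.
    ports=$(values "$1" Port)
    for p in ${ports:-22}; do
        if [ "$p" -gt 1024 ] 2>/dev/null && [ "$p" -lt 65000 ]; then
            echo "OK   Port $p"
        else
            echo "NOTE Port $p (article suggests above 1024 and below 65000)"
        fi
    done
    return $rc
}

# Constructed sample: an early "yes" followed by a "no" appended at the end.
sample=$(mktemp)
printf '%s\n' 'Port 22' '#PermitRootLogin no' 'permitrootlogin yes' \
    'PermitRootLogin no' > "$sample"
audit_sshd "$sample" || echo "=> root login is still permitted in $sample"
rm -f "$sample"
```

On a live system, sudo sshd -T prints the effective configuration, including Include files, and sudo sshd -t checks the file for syntax errors before you restart the daemon.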
