Five Easy Ways to Secure Your Linux System

When it comes to system security, there's no single correct solution. But with vigilance and these techniques, you will be five steps closer.

On the heels of last week’s entry on using DenyHosts, and Nikto the week before that, I thought it appropriate to continue in the security vein with five more simple techniques that you can use to protect your systems. These include using account locking, limiting cron use, using DENY access to services, refusing root SSH logins and changing SSHD’s default port.

There’s no excuse to run insecure systems on your network. Your data’s integrity (and your job) depend on your ability to keep those systems running correctly and securely for your co-workers and customers. Shown here are five simple techniques to make your systems less vulnerable to compromise.

Account Locking

Account locking for multiple failed tries puts extra burden on the system administrators but it also puts some responsibility on the user to remember his passwords. Additionally, locking allows the administrator to track the accounts that have potential hack attempts against them and to notify those users to use very strong passwords.

Typically, a system will drop your connection after three unsuccessful attempts to log in, but you may reconnect and try again. By allowing an infinite number of failed attempts, you’re compromising your system’s security. Smart system administrators can stop this threat by locking the account after a set number of attempts. My preference is to set that limit to three.

Add the following lines to your system’s /etc/pam.d/system-auth file.

auth    required   /lib/security/$ISA/pam_tally.so onerr=fail no_magic_root
account required   /lib/security/$ISA/pam_tally.so per_user deny=3 no_magic_root reset

Your distribution might not include the system-auth file but instead uses the /etc/pam.d/login file for these entries.

Cron Restriction

On multiuser systems, you should restrict cron and at to root only. If other users must have access to scheduling, add them individually to the /etc/cron.allow and /etc/at.allow files. If you choose to create these files and add user accounts into them, you also need to create /etc/cron.deny and /etc/at.deny files. You can leave them empty but they need to exist. Don’t create an empty /etc/cron.deny unless you add entries to the /etc/cron.allow because doing so allows global access to cron. Same goes for at.

To use the allow files, create them in the /etc directory and add one user per line to the file. The root user should have an entry in both allow files. Doing this restricts cron to the root user only.

As the system administrator, you can allow or deny cron and at usage based upon the user’s knowledge and responsibility levels.

Deny, Deny, Deny

“Deny everything” sounds eerily Presidential, doesn’t it? But for system security and certain political indiscretions, it’s the right answer. System security experts recommend denying all services for all hosts using an all-encompassing deny rule in the /etc/hosts.deny file. The following simple entry (ALL: ALL) gives you the security blanket you need.

# hosts.deny    This file describes the names of the hosts which are
#               *not* allowed to use the local INET services, as decided
#               by the '/usr/sbin/tcpd' server.
# The portmap line is redundant, but it is left to remind you that
# the new secure portmap uses hosts.deny and hosts.allow.  In particular
# you should know that NFS uses portmap!

ALL: ALL

Before you log out, edit the /etc/hosts.allow file and insert the network addresses (192.168.1., for example) that you and your users connect from; otherwise you’ll have to log in via the console to correct the problem. Insert entries similar to the following to allow access for an entire network, single host or domain. You can add as many exceptions as you need. The /etc/hosts.allow file takes precedence over the /etc/hosts.deny to process your exceptions.
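The lockout that paragraph warns about can be checked before ALL: ALL goes into hosts.deny. This added example (not from the original article) tests whether a client address is admitted by a hosts.allow file; the function name allows_client and the sample entries are constructed for illustration, and only a subset of hosts_access(5) patterns is evaluated.

```shell
#!/bin/sh
# Added example (not from the article). Handles a subset of hosts_access(5):
# IPv4 clients given as an exact address, a prefix ending in "." or ALL.
# Hostname, netmask, EXCEPT, option fields and continuation lines are ignored.

# allows_client DAEMON CLIENT_IP ALLOW_FILE
# Exit status 0 if some entry in ALLOW_FILE admits CLIENT_IP to DAEMON.
allows_client() {
    awk -v d="$1" -v ip="$2" '
        function in_list(list, want, prefix_ok,   i, k, item) {
            gsub(/,/, " ", list)
            k = split(list, item, " ")
            for (i = 1; i <= k; i++) {
                if (item[i] == "ALL" || item[i] == want) return 1
                # "192.168.1." admits every address that starts with it
                if (prefix_ok && item[i] ~ /\.$/ && index(want, item[i]) == 1) return 1
            }
            return 0
        }
        { sub(/#.*/, "") }                      # strip comments
        split($0, part, ":") < 2 { next }       # not "daemons : clients"
        in_list(part[1], d, 0) && in_list(part[2], ip, 1) { found = 1; exit }
        END { exit(found ? 0 : 1) }
    ' "$3"
}

# Constructed sample hosts.allow, written to a temp file for the demo.
sample=$(mktemp)
trap 'rm -f "$sample"' EXIT
cat > "$sample" <<'EOF'
# constructed example entries
sshd: 192.168.1.
ALL: 10.0.0.5    # single admin host
EOF

for ip in 192.168.1.57 192.168.10.5 10.0.0.5; do
    if allows_client sshd "$ip" "$sample"; then
        echo "$ip: allowed by hosts.allow"
    else
        echo "$ip: NOT allowed, would be locked out by ALL: ALL"
    fi
done
```

In a live SSH session the client address is the first field of $SSH_CONNECTION, so `allows_client sshd "${SSH_CONNECTION%% *}" /etc/hosts.allow` answers the question for the session you are in.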

Deny SSH by Root

Removing the root user’s ability to SSH provides indirect system security. Logging in as root to a system removes your ability to see who ran privileged commands on your systems. All users should SSH to a system using their standard user accounts and then issue su or sudo commands for proper tracking via system logs.

Open the /etc/ssh/sshd_config file with your favorite editor and change PermitRootLogin yes to PermitRootLogin no and restart the ssh service to accept the change.

Change the Default Port

While changing the default SSH port (22) will have limited effectiveness in a full port sweep, it will thwart those who focus on specific or traditional service ports. Some sources suggest changing the default port to a number greater than 1024, for example: 2022, 9922 or something more random, such as 2345. If you’re going to use this method as one of your strategies, I suggest that you use a port that doesn’t include the number 22.

Edit your /etc/ssh/sshd_config and change the “Port” parameter to your preferred port number. Uncomment the Port line too. Restart the sshd service when you’re finished and inform your users of the change. Update any applicable firewall rules to reflect the change too.
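To confirm that the PermitRootLogin and Port changes are active in the file rather than still commented out, the following added example (not from the original article) reads the values from the global part of an sshd_config. The function names sshd_values and audit_sshd and both sample files are constructed; Include files and Match blocks are not followed.

```shell
#!/bin/sh
# Added example (not from the article): report the active values of the two
# settings changed above. Assumes whitespace-separated "Keyword value" lines;
# Include files and Match blocks are not followed.

# sshd_values KEYWORD FILE -> active values, one per line, in file order
sshd_values() {
    awk -v want="$1" '
        /^[ \t]*#/ || NF == 0 { next }          # commented-out lines are inactive
        tolower($1) == "match" { exit }         # conditional section: stop here
        tolower($1) == tolower(want) { print $2 }   # keywords are case-insensitive
    ' "$2"
}

# audit_sshd FILE -> prints findings, exit status 0 only if both checks pass
audit_sshd() {
    file=$1 status=0
    root=$(sshd_values PermitRootLogin "$file" | head -n 1)  # first value wins
    ports=$(sshd_values Port "$file" | tr '\n' ' ')          # Port may repeat
    case $root in
        no) echo "OK   PermitRootLogin no" ;;
        "") echo "WARN PermitRootLogin not set, compiled-in default applies"; status=1 ;;
        *)  echo "FAIL PermitRootLogin $root (article sets no)"; status=1 ;;
    esac
    case " $ports" in
        " ")      echo "WARN Port line not active, sshd listens on 22"; status=1 ;;
        *" 22 "*) echo "FAIL still listening on port 22"; status=1 ;;
        *)        echo "OK   Port $ports" ;;
    esac
    return $status
}

# Constructed sample files: an untouched config and an edited one.
before=$(mktemp); after=$(mktemp)
trap 'rm -f "$before" "$after"' EXIT
printf '%s\n' '#Port 22' 'PermitRootLogin yes' > "$before"
printf '%s\n' 'Port 2345' '#PermitRootLogin yes' 'permitrootlogin no' 'PermitRootLogin yes' > "$after"
audit_sshd "$before" || true
audit_sshd "$after" || true
```

Running `sshd -t` before restarting the service checks the edited file for syntax errors, which avoids losing remote access to a daemon that fails to start.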

System security is important and is a constant battle. You have to maintain patch levels, updates and constantly plug newly discovered security holes in system services. As long as there are black hat wearing malcontents lurking the Net looking for victims, you’ll have a job keeping those wannabe perpetrators at bay.

Comments on "Five Easy Ways to Secure Your Linux System"


“On multiuser systems, you should restrict cron and at to root only.” You don’t elaborate on the reason for this, as though the security risk in allowing non-root users access to cron or at is common knowledge. This is news to me. Could you provide more info or a relevant reference?


I think he’s going for the “disabled by default” approach. Although cron and at are relatively mundane to make such a fuss about. If a user even knows they exist, they probably meet the criteria for “based upon the user’s knowledge and responsibility levels.”

If you allow long-running background process (screen) they can achieve the same results with some trivial shell coding.


I don’t agree with the root ssh lockout suggestion. During a crisis situation you need to be able to get into a system as root very quickly. Support can’t fumble around with su & looking up passwords for the root account. We manage a medium sized data center (approx 150 to 200 systems), and have exchanged root public keys from the bastion to all the remote systems. To improve security and reduce risk, we use the /etc/security/access.conf file and limit root ssh login to just a couple of machines; only systems the support staff have access to (the bastion). Our current monitoring scripts rely on remote root access, and by locking out root ssh, that would break all our monitoring. It’s not perfect, but to manage a few hundred systems in batch, it’s necessary.


Ha Ha, three strike. I had a junior admin who tried that once. We just kept trying to login to his account until it locked for days. Then he decided that 99 was a better number. A DOS attack on a system could be done by just attempting logins a few times.


If you work in a large environment, like I do (thousands of servers), account lockout after 6 tries and no root SSH is the norm. So is disabled CRON and AT for normal users.


I left my ssh port open for just a few days, to see what traffic I would get…what a mistake !!! 84 pages of security log in violations recorded. Most were from China, Brazil, and Hungary….Oh and a middle school in Japan. It was amazing to see the user names that they tried.

I use Denyhost since then, and think that my server is bored now. hehehehe.


Saying “don’t login as root” is silly and useless paranoid. It stems from the days when people sniffed the first packets of sessions so logging in as yourself and su-ing decreased the chance an attacker would see the root pw, and decreased the chance you got spoofed as to your telnet host target. You’d get your password spoofed but not root’s pw. Gimme a break …. this is 2010 – We have ssh 4.8, used properly it’s secure. Used improperly NONE of the OTHER security settings of the machine will make a damn bit of difference.
Use “Protocol 2”, “AllowUsers root blah1 blah2”, “ClientAliveInterval 300”, “IgnoreRhosts yes”, “HostbasedAuthentication no”, use TCPWRAPPERS, use Public Key Based Authentication ONLY, “PermitEmptyPasswords no”, limit access from a small range of IP addresses ONLY and a few more things and ssh is secure and you can enjoy simple access to other machines and do your job, simply.
I do not want to create another “windows X” environment where it is difficult to do things quickly … using ssh properly I can even be ssh’ed into a machine, do a “yum update sshd”, then initiate a delayed “sshd restart”, logout, wait a bit and login again and run the latest ssh version on a machine that is 2000km away!


On blocking out users after three bad login attempts, I have to agree with jpforte that it is a great way for someone to launch a denial of service attack. DenyHosts is a better alternative because only the attacking IP is blocked. There are definitely people out there probing. At last count my /etc/hosts.deny had 883 hosts, all put there by DenyHosts.

On root logins, I prefer to disallow root ssh logins if only for audit purposes when more than one person needs to have root privileges. If someone logs in directly as root you have no idea who it was. If someone logs in as a regular user then does su or sudo, you know who it was (or at least whose remote account has been compromised). The audit is not always because you suspect someone of being malicious. It can help recover from mistakes, too.

JOBST – Saying “don’t login as root” is silly and useless paranoid.
Hm, I guess you don’t have to contend with Price Waterhouse at your Fortune 100 company.
