Security Hardening Checklist

Advanced15 minTrending

Audit and harden a Linux server by checking SSH configuration, open ports, running services, and filesystem permissions.

Prerequisites

-Linux shell access
-Root or sudo access

Steps

Audit SSH configuration

Check for insecure SSH settings.

$ sudo sshd -T 2>/dev/null | grep -E 'permitrootlogin|passwordauthentication|pubkeyauthentication|port '

Best practice: PermitRootLogin no, PasswordAuthentication no, PubkeyAuthentication yes.

Check for open ports

See all ports listening for incoming connections.

$ ss -tlnp

Close any ports you do not recognize or need. Each open port is a potential attack vector.

Find world-writable files

Locate files that any user can modify, which can be a security risk.

$ sudo find / -xdev -type f -perm -o+w -not -path '/proc/*' -not -path '/sys/*' 2>/dev/null | head -20

Check for users with empty passwords

Find accounts that have no password set.

$ sudo awk -F: '($2 == "") {print $1}' /etc/shadow

Accounts with empty passwords are a critical security risk. Set a password or lock these accounts immediately.

Check for pending security updates

See if there are security patches available.

$ apt list --upgradable 2>/dev/null | grep -i security || yum check-update --security 2>/dev/null || echo 'Check your package manager'

Full Script

full-script.sh

#!/bin/bash
# Security Hardening Checklist
set -euo pipefail

echo "========================================="
echo "  Security Hardening Audit"
echo "========================================="

echo ""
echo "--- SSH Configuration ---"
sudo sshd -T 2>/dev/null | grep -E 'permitrootlogin|passwordauthentication|pubkeyauthentication|maxauthtries' || echo "sshd not found"

echo ""
echo "--- Open Ports ---"
ss -tlnp

echo ""
echo "--- Users with UID 0 (root equivalent) ---"
awk -F: '($3 == 0) {print $1}' /etc/passwd

echo ""
echo "--- Users with Empty Passwords ---"
sudo awk -F: '($2 == "") {print $1}' /etc/shadow 2>/dev/null || echo "Cannot read shadow file"

echo ""
echo "--- SUID Binaries ---"
sudo find / -xdev -type f -perm -4000 2>/dev/null | head -15

echo ""
echo "--- Failed Login Attempts ---"
sudo lastb 2>/dev/null | head -10 || journalctl -u sshd --since '24 hours ago' 2>/dev/null | grep -i 'failed' | tail -10

echo ""
echo "--- Firewall Status ---"
sudo ufw status 2>/dev/null || sudo iptables -L -n 2>/dev/null | head -10 || sudo nft list ruleset 2>/dev/null | head -10 || echo "No firewall detected"

echo ""
echo "========================================="

FAQ

Discussion

Loading comments...

#!/bin/bash # Security Hardening Checklist set -euo pipefail echo "=========================================" echo " Security Hardening Audit" echo "=========================================" echo "" echo "--- SSH Configuration ---" sudo sshd -T 2>/dev/null | grep -E 'permitrootlogin|passwordauthentication|pubkeyauthentication|maxauthtries' || echo "sshd not found" echo "" echo "--- Open Ports ---" ss -tlnp echo "" echo "--- Users with UID 0 (root equivalent) ---" awk -F: '($3 == 0) {print $1}' /etc/passwd echo "" echo "--- Users with Empty Passwords ---" sudo awk -F: '($2 == "") {print $1}' /etc/shadow 2>/dev/null || echo "Cannot read shadow file" echo "" echo "--- SUID Binaries ---" sudo find / -xdev -type f -perm -4000 2>/dev/null | head -15 echo "" echo "--- Failed Login Attempts ---" sudo lastb 2>/dev/null | head -10 || journalctl -u sshd --since '24 hours ago' 2>/dev/null | grep -i 'failed' | tail -10 echo "" echo "--- Firewall Status ---" sudo ufw status 2>/dev/null || sudo iptables -L -n 2>/dev/null | head -10 || sudo nft list ruleset 2>/dev/null | head -10 || echo "No firewall detected" echo "" echo "========================================="