This lab entry collects practical notes on hardening a fresh Linux installation. The goal is not to create a perfectly locked system but to reduce unnecessary attack surface.
The process begins with examining which services are running by default. Many distributions enable components that are not required for minimal server workloads.
After installation I typically review active services with:
systemctl list-units --type=service
Anything that is not required for the intended role of the system is disabled or removed.
The next step involves reviewing kernel parameters through sysctl. Several settings influence network behavior and memory protections. Examples include:
- Enabling reverse path filtering.
- Disabling unnecessary ICMP redirects.
- Strengthening TCP stack behavior.
I also review kernel hardening features such as address space layout randomization and restrict loading of unnecessary kernel modules.
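One way to check these settings on a host, as an added example rather than part of the original notes or the private playbook mentioned below: a small audit that compares `sysctl -a` style output against a baseline. The baseline values, the choice of `net.ipv4.tcp_syncookies` as the TCP setting, and the function names `audit_sysctl` and `count_findings` are assumptions for illustration.

```shell
#!/bin/sh
# Assumed baseline (illustrative, not the author's private playbook).
BASELINE='net.ipv4.conf.all.rp_filter=1
net.ipv4.conf.default.rp_filter=1
net.ipv4.conf.all.accept_redirects=0
net.ipv4.conf.all.send_redirects=0
net.ipv6.conf.all.accept_redirects=0
net.ipv4.tcp_syncookies=1
kernel.randomize_va_space=2'

# Constructed sample in `sysctl -a` format; on a host: sysctl -a | audit_sysctl
SAMPLE='kernel.randomize_va_space = 2
net.ipv4.conf.all.accept_redirects = 1
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.rp_filter = 2
net.ipv4.tcp_syncookies = 1'

# Read "key = value" lines on stdin; print OK, DRIFT or MISSING per baseline key.
audit_sysctl() {
    BASELINE="$BASELINE" awk '
        BEGIN {
            n = split(ENVIRON["BASELINE"], rows, "\n")
            for (i = 1; i <= n; i++) {
                split(rows[i], kv, "=")
                order[i] = kv[1]; want[kv[1]] = kv[2]
            }
        }
        {
            pos = index($0, "=")          # split on the first "=" only
            if (pos == 0) next
            k = substr($0, 1, pos - 1); v = substr($0, pos + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
            have[k] = v
        }
        END {
            for (i = 1; i <= n; i++) {
                k = order[i]
                if (!(k in have)) printf "MISSING %s want=%s\n", k, want[k]
                else if (have[k] != want[k]) printf "DRIFT %s have=%s want=%s\n", k, have[k], want[k]
                else printf "OK %s=%s\n", k, have[k]
            }
        }'
}

# Number of baseline keys that are DRIFT or MISSING in the input on stdin.
count_findings() {
    audit_sysctl | awk '!/^OK /{c++} END{print c+0}'
}

printf '%s\n' "$SAMPLE" | audit_sysctl
```

In the sample, `rp_filter = 2` is loose mode and is reported as drift because the assumed baseline expects strict mode; a key absent from the output is reported separately from a wrong value, since it usually means the feature is not present on that kernel.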
Another useful measure is reducing the number of installed packages. Every installed component potentially introduces new vulnerabilities or misconfiguration risks.
This entry does not include the full configuration playbook I use in private environments. Instead it records the reasoning behind specific settings and why they matter.
Hardening is not a single configuration step. It is an ongoing process of reducing complexity and ensuring that only necessary components remain exposed.