Stage 3 · Build
Observability, Tracing & Security
Production Hardening
Kernel parameters, module signing, lockdown mode, and CIS benchmarks — securing Linux for production.
Hardening Kernel Parameters
Kernel parameters control security-relevant behavior. Hardening these parameters reduces the attack surface and prevents common exploitation techniques.
# /etc/sysctl.d/99-hardening.conf
# Disable IP forwarding (unless router/container host)
net.ipv4.ip_forward = 0
# Prevent IP spoofing
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
# Disable source routing
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
# Disable ICMP redirects
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
# Enable SYN cookies (SYN flood protection)
net.ipv4.tcp_syncookies = 1
# Disable IPv6 if not needed
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
# Restrict dmesg access
kernel.dmesg_restrict = 1
# Restrict kernel pointer exposure
kernel.kptr_restrict = 2
# Disable SysRq key
kernel.sysrq = 0
# Restrict perf events
kernel.perf_event_paranoid = 3Apply hardening parameters with sysctl -p /etc/sysctl.d/99-hardening.conf. These prevent common network attacks and information disclosure.
Module Signing & Lockdown
# Require module signatures
cat >> /etc/sysctl.d/99-hardening.conf << 'EOF'
# Disable loading new modules
# kernel.modules_disabled = 1 # CAUTION: cannot load any modules after boot
EOF
# Enable lockdown mode (kernel 5.4+)
# Add to kernel command line:
# lockdown=confidentiality
# Check module signing status
cat /proc/sys/kernel/modules_disabled
# 0 = can load modules
# Check lockdown status
cat /sys/kernel/security/lockdown
# [none] integrity confidentialityLockdown mode restricts even root from certain kernel operations. Use confidentiality mode for maximum security in production.
File Permission Hardening
# Critical files — restricted permissions
chmod 600 /etc/shadow
chmod 600 /etc/gshadow
chmod 644 /etc/passwd
chmod 644 /etc/group
chmod 700 /root
chmod 600 /etc/ssh/sshd_config
chmod 700 /etc/ssh
# Remove world-writable files
find / -xdev -type f -perm -002 -exec chmod o-w {} \;
# Find and fix SUID/SGID files
find / -xdev -type f -perm /6000 -ls
# Remove unnecessary SUID bits
chmod u-s /usr/bin/chfn
chmod u-s /usr/bin/chsh
chmod u-s /usr/bin/newgrp
# Set proper umask
echo "umask 027" >> /etc/profileThe CIS benchmark recommends 027 umask for servers. This ensures new files are not world-readable by default.
Network Hardening
# Disable unused network protocols
cat >> /etc/modprobe.d/disable-protocols.conf << 'EOF'
install dccp /bin/true
install sctp /bin/true
install rds /bin/true
install tipc /bin/true
EOF
# Disable IPv6 router advertisements
net.ipv6.conf.all.accept_ra = 0
net.ipv6.conf.default.accept_ra = 0
# Enable reverse path filtering
net.ipv4.conf.all.rp_filter = 1
# Log Martian packets
net.ipv4.conf.all.log_martians = 1
# Disable ICMP timestamp responses
net.ipv4.icmp_echo_ignore_broadcasts = 1Disabling unused protocols reduces the attack surface. Log martians (packets with impossible source addresses) to detect spoofing attempts.
Service Reduction
# List running services
systemctl list-units --type=service --state=running
# Common services to disable on servers
sudo systemctl disable cups # Printing
sudo systemctl disable avahi-daemon # mDNS
sudo systemctl disable bluetooth # Bluetooth
sudo systemctl disable postfix # Mail (if not used)
# Check for open ports
ss -tlnp
# LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",...))
# Check for listening sockets
ss -ulnpEvery running service is a potential attack vector. Disable services that are not needed. Use systemd-analyze to check service dependencies.
CIS Benchmarks
CIS (Center for Internet Security) benchmarks are consensus-based hardening guides for Linux distributions. They provide detailed configuration recommendations for meeting security standards.
# Install CIS-CAT tool (requires CIS membership)
# Or use OpenSCAP for open-source compliance scanning
# Install OpenSCAP
sudo apt install libopenscap8
# Scan against a benchmark
sudo oscap xccdf eval --profile xccdf_org.ssgproject.content_profile_cis --results results.xml --report report.html /usr/share/xml/scap/ssg/content/ssg-ubuntu2204-ds.xml
# View results
# report.html shows pass/fail for each requirementRun CIS scans regularly and remediate failures. Focus on high-impact findings first: kernel parameters, file permissions, and service reduction.
Use Ansible roles to apply and enforce hardening consistently across all servers. This ensures compliance and prevents configuration drift.
Aggressive hardening (module lockdown, restrictive seccomp) can break services. Always test in staging before production deployment.
Mark this lesson complete to store local progress and unlock a cleaner resume path the next time you visit.