Part of Pranav Kulkarni's technical portfolio (pranavkulkarni.org)
Lesson 4 · Security

System Hardening

Apply hardening techniques to minimize attack surface.

Hardening is the process of reducing your system’s attack surface and making it resilient against common attacks. You don’t need “perfect security” — you need a strong baseline that’s repeatable across servers.

Hardening Steps

  1. Remove unnecessary packages and services
  2. Configure automatic security updates
  3. Set up fail2ban for brute-force protection
  4. Configure SELinux or AppArmor
  5. Enable audit logging

1) Reduce running services

Every running service is additional attack surface: listening ports, parsers and privileges an attacker can reach. Disable anything you don’t use.

$ systemctl --type=service --state=running | head
$ systemctl list-unit-files --type=service --state=enabled | head

# Disable a service immediately and at boot
$ sudo systemctl disable --now cups
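As an added example (not part of the lesson), the following POSIX shell script turns "disable what you don't use" into a repeatable check: it compares the services enabled on a host against an allowlist you maintain and reports anything outside it, so the same review can run on every server. The allowlist path and its contents are assumptions.

```shell
#!/bin/sh
# Added example, not from the lesson: report enabled services that are not on
# an allowlist, so the review from step 1 can be repeated on every server.
# Assumption: the allowlist is a plain file with one unit name per line,
# e.g. /etc/hardening/services.allow (placeholder path).

# Gather the live list of enabled services, one unit name per line.
collect_enabled_services() {
    systemctl list-unit-files --type=service --state=enabled --no-legend \
        | awk '{ print $1 }'
}

# Print every unit listed in file $2 that is not listed in allowlist $1.
# Whole-line, fixed-string matching avoids "ssh.service" matching "sshd.service".
unexpected_services() {
    allowlist="$1"
    enabled="$2"
    grep -v -x -F -f "$allowlist" "$enabled" | grep -v '^$' || true
}

# Only audit the live system when explicitly asked, so the functions above
# can also be run against saved lists from other hosts.
if [ "${1:-}" = "--live" ]; then
    allowlist="${2:-/etc/hardening/services.allow}"   # placeholder path
    tmp=$(mktemp)
    collect_enabled_services > "$tmp"
    echo "Enabled services not on the allowlist ($allowlist):"
    unexpected_services "$allowlist" "$tmp"
    rm -f "$tmp"
fi
```

Run it as `sh audit-services.sh --live /path/to/allowlist`; each unit it prints is a candidate for `systemctl disable --now` or for adding to the allowlist with a reason.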

2) Patch management

Most real-world compromises happen through known vulnerabilities that weren’t patched. Security updates matter more than “exotic” defenses.

# Ubuntu/Debian
$ sudo apt update && sudo apt upgrade

# Enable unattended security updates (Ubuntu)
$ sudo apt install unattended-upgrades
$ sudo dpkg-reconfigure unattended-upgrades
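Added example (not from the lesson): the settings that `dpkg-reconfigure unattended-upgrades` writes live in /etc/apt/apt.conf.d/20auto-upgrades. This script writes them and, more usefully, verifies them, so the practice item "confirm it's configured" becomes a command you can run on every host. The file path is the one Ubuntu uses; the `--apply` flag is this script's own.

```shell
#!/bin/sh
# Added example, not from the lesson: write the APT periodic settings that
# unattended-upgrades relies on and verify them on any host.

AUTO_UPGRADES_CONF=/etc/apt/apt.conf.d/20auto-upgrades

# Emit the two settings dpkg-reconfigure writes: refresh package lists daily
# and run unattended-upgrade daily.
render_auto_upgrades() {
    cat <<'EOF'
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Unattended-Upgrade "1";
EOF
}

# Return 0 only if both settings are present and set to "1" in the given file
# (default: the live APT config). A missing file counts as "not configured".
unattended_upgrades_enabled() {
    conf="${1:-$AUTO_UPGRADES_CONF}"
    [ -r "$conf" ] || return 1
    grep -Eq '^[[:space:]]*APT::Periodic::Update-Package-Lists[[:space:]]+"1";' "$conf" &&
        grep -Eq '^[[:space:]]*APT::Periodic::Unattended-Upgrade[[:space:]]+"1";' "$conf"
}

# Live usage (needs root): install the config, verify it, then dry-run the
# upgrader to see what it would install without changing anything.
if [ "${1:-}" = "--apply" ]; then
    render_auto_upgrades > "$AUTO_UPGRADES_CONF"
    if unattended_upgrades_enabled; then
        echo "unattended upgrades: configured"
        unattended-upgrade --dry-run --debug
    else
        echo "unattended upgrades: NOT configured" >&2
        exit 1
    fi
fi
```

The check reads the file rather than trusting that the package is installed: a host can have unattended-upgrades present but the periodic settings turned off.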

fail2ban Configuration

fail2ban watches logs (like SSH auth logs) and bans IPs that show brute-force patterns. It’s a strong baseline for internet-exposed SSH.

$ sudo apt install fail2ban
# Start it now and at every boot
$ sudo systemctl enable --now fail2ban

# Check the sshd jail: currently banned and total banned IPs
$ sudo fail2ban-client status sshd
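Added example (not from the lesson): fail2ban's defaults come from jail.conf, which package upgrades overwrite, so site settings belong in jail.local. This script renders a minimal jail.local that enables the sshd jail with explicit thresholds and, when writing the live file, tests the configuration before reloading. The threshold values are assumptions; tune them per host.

```shell
#!/bin/sh
# Added example, not from the lesson: generate /etc/fail2ban/jail.local for
# the sshd jail. Thresholds below are assumptions, not fail2ban defaults.

JAIL_LOCAL=/etc/fail2ban/jail.local

# Print a minimal jail.local. Arguments: maxretry, findtime (s), bantime (s).
render_sshd_jail() {
    maxretry="${1:-5}"
    findtime="${2:-600}"
    bantime="${3:-3600}"
    cat <<EOF
[DEFAULT]
# Never ban loopback; add your own admin networks to this list.
ignoreip = 127.0.0.1/8 ::1
# Ban after maxretry failures within findtime seconds, for bantime seconds.
findtime = $findtime
bantime = $bantime
maxretry = $maxretry

[sshd]
enabled = true
EOF
}

# Write the jail file to $1, then pass the remaining arguments to the renderer.
# When the target is the live file and fail2ban is installed, test the whole
# configuration first and only reload if it parses.
install_sshd_jail() {
    dest="$1"
    shift
    render_sshd_jail "$@" > "$dest"
    if [ "$dest" = "$JAIL_LOCAL" ] && command -v fail2ban-client >/dev/null 2>&1; then
        fail2ban-client -t && fail2ban-client reload
    fi
}

# Live usage (needs root): install_sshd_jail /etc/fail2ban/jail.local 3 600 3600
if [ "${1:-}" = "--apply" ]; then
    install_sshd_jail "$JAIL_LOCAL" 3 600 3600
    fail2ban-client status sshd
fi
```

After a reload, `fail2ban-client status sshd` should list the jail as active; if it is missing, the usual cause is that the log backend cannot find the sshd log on that distro.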

3) AppArmor / SELinux

Mandatory Access Control (MAC) systems restrict what processes can do even if they’re compromised. AppArmor is common on Ubuntu; SELinux is common on RHEL/Fedora.

# AppArmor (Ubuntu)
$ sudo aa-status | head

# SELinux (RHEL/Fedora)
$ sestatus 2>/dev/null || echo "SELinux tools not installed"

4) Kernel & network hardening (sysctl)

sysctl tunes kernel behavior at runtime. Apply carefully and test — defaults vary by distro and environment. Note that `sysctl -w` changes are lost at reboot: to make them persistent, put the settings in a file under /etc/sysctl.d/ and load them with `sysctl --system`.

$ sysctl -a 2>/dev/null | head

# Example: basic network hardening (review before applying; runtime only, not persisted)
$ sudo sysctl -w net.ipv4.conf.all.rp_filter=1
$ sudo sysctl -w net.ipv4.icmp_echo_ignore_broadcasts=1
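Added example (not from the lesson): the two runtime commands above done the persistent way, plus a drift check that compares the drop-in file with what the running kernel actually has under /proc/sys. The key set goes beyond the lesson's two keys with other widely used anti-spoofing and redirect settings; the file name and the `--apply` flag are this script's own assumptions.

```shell
#!/bin/sh
# Added example, not from the lesson: persist kernel network hardening in
# /etc/sysctl.d and detect drift between the file and the running kernel.
# Review every key for your environment before applying.

SYSCTL_DROPIN=/etc/sysctl.d/99-hardening.conf

render_sysctl_hardening() {
    cat <<'EOF'
# Reverse-path filtering: drop packets whose source is unroutable (anti-spoofing)
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
# Do not answer broadcast pings (smurf amplification)
net.ipv4.icmp_echo_ignore_broadcasts = 1
# Ignore ICMP redirects and do not send them; a host is not a router
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
# Log packets with impossible source addresses so they show up in the journal
net.ipv4.conf.all.log_martians = 1
# SYN cookies keep the listen queue usable under a SYN flood
net.ipv4.tcp_syncookies = 1
EOF
}

# Compare each "key = value" line in $1 with the live value under $2
# (default /proc/sys). Prints "key<TAB>current<TAB>wanted" for each mismatch
# and returns 1 if any key drifted or does not exist on this kernel.
sysctl_drift() {
    conf="$1"
    root="${2:-/proc/sys}"
    rc=0
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in ''|'#'*|';'*) continue ;; esac
        key=$(printf '%s' "$line" | cut -d= -f1 | tr -d '[:space:]')
        [ -n "$key" ] || continue
        want=$(printf '%s' "$line" | cut -d= -f2- | sed 's/^[[:space:]]*//;s/[[:space:]]*$//')
        path="$root/$(printf '%s' "$key" | tr . /)"
        if [ ! -f "$path" ]; then
            printf '%s\tmissing\t%s\n' "$key" "$want"
            rc=1
            continue
        fi
        # Multi-value keys are tab separated in /proc; normalize to single spaces.
        have=$(tr -s '[:space:]' ' ' < "$path" | sed 's/ $//')
        if [ "$have" != "$want" ]; then
            printf '%s\t%s\t%s\n' "$key" "$have" "$want"
            rc=1
        fi
    done < "$conf"
    return $rc
}

# Live usage (needs root): write the drop-in, load all drop-ins, then verify.
if [ "${1:-}" = "--apply" ]; then
    render_sysctl_hardening > "$SYSCTL_DROPIN"
    sysctl --system >/dev/null
    sysctl_drift "$SYSCTL_DROPIN" && echo "sysctl: no drift"
fi
```

Running `sysctl_drift /etc/sysctl.d/99-hardening.conf` from cron or a config-management check catches the common failure mode where a later drop-in, a container runtime or a manual `sysctl -w` silently overrides the baseline.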

5) Auditing and visibility

If you can’t see what’s happening, you can’t defend it. Logs + audit are how you detect intrusion and support incident response.

# Recent warnings and above from all units
$ sudo journalctl -p warning..emerg -n 50 --no-pager

# SSH daemon logs (the unit is "ssh" on Debian/Ubuntu, "sshd" on RHEL/Fedora)
$ sudo journalctl -u ssh -n 50 --no-pager
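Added example (not from the lesson): two concrete pieces of the "audit logging" step. The first is a set of auditd watch rules, in auditctl syntax, for files that change when an account is added, sudo rights are granted, sshd is reconfigured or a persistence job is dropped in; the second is a small summary of failed SSH logins per source address that you can run over the sshd journal. The rule keys, the rules file name and the sample log lines (TEST-NET addresses) are constructed for this example.

```shell
#!/bin/sh
# Added example, not from the lesson: (1) auditd watch rules for files that
# matter for identity, privilege and persistence, and (2) a per-source summary
# of failed SSH logins from sshd log lines. Keys and paths are assumptions.

AUDIT_RULES=/etc/audit/rules.d/50-hardening.rules

# Watch rules: -w path, -p permissions (w = write, a = attribute change),
# -k key so matching events can be pulled out with `ausearch -k <key>`.
render_audit_rules() {
    cat <<'EOF'
-w /etc/passwd -p wa -k identity
-w /etc/shadow -p wa -k identity
-w /etc/sudoers -p wa -k privilege
-w /etc/sudoers.d/ -p wa -k privilege
-w /etc/ssh/sshd_config -p wa -k sshd
-w /etc/systemd/system/ -p wa -k persistence
-w /etc/cron.d/ -p wa -k persistence
EOF
}

# Read sshd log lines on stdin and print "count ip", most frequent first, for
# every source address that produced at least one "Failed password" line.
failed_ssh_by_ip() {
    awk '/Failed password/ {
             for (i = 1; i <= NF; i++)
                 if ($i == "from") n[$(i + 1)]++
         }
         END { for (ip in n) print n[ip], ip }' | sort -rn
}

# Constructed sample lines (TEST-NET addresses) for trying the summary offline.
SAMPLE_SSHD_LOG='Mar  3 10:01:02 host sshd[1234]: Failed password for root from 203.0.113.5 port 4242 ssh2
Mar  3 10:01:05 host sshd[1234]: Failed password for invalid user admin from 203.0.113.5 port 4243 ssh2
Mar  3 10:02:00 host sshd[1240]: Accepted publickey for ops from 198.51.100.7 port 5000 ssh2
Mar  3 10:03:11 host sshd[1251]: Failed password for root from 198.51.100.7 port 5100 ssh2'

if [ "${1:-}" = "--live" ]; then
    # Needs root: install the rules, compile and load them, then summarize
    # the real sshd journal (unit name differs by distro, so ask for both).
    render_audit_rules > "$AUDIT_RULES"
    augenrules --load
    journalctl -u ssh -u sshd --no-pager | failed_ssh_by_ip
else
    printf '%s\n' "$SAMPLE_SSHD_LOG" | failed_ssh_by_ip
fi
```

On the sample input the summary prints `2 203.0.113.5` then `1 198.51.100.7`; the `Accepted publickey` line is ignored. Paired with fail2ban, the summary tells you whether bans are actually keeping up, and `ausearch -k privilege` after a suspicious login shows whether sudoers was touched.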

✅ Practice (30 minutes)

  • List enabled services and disable at least one you don’t need.
  • Enable unattended upgrades on a test VM and confirm it’s configured.
  • Install fail2ban and check the status of the sshd jail.