From diagnosis to defense: Linux server hardening with Lynis

2/23/2026 · 2 min · Infrastructure

During a routine production audit, I ran Lynis to measure the actual security posture, not only service uptime. The system was stable under its workload, but the report returned one warning and multiple hardening suggestions.

I handled the findings with an operations-first workflow: baseline, remediation, validation, and re-audit.

1) Baseline and findings

lynis audit system --verbose

Priority findings included:

  1. pending reboot after kernel updates (KRNL-5830)
  2. permissive SSH defaults
  3. weak identity and password policy defaults
  4. unused network protocol exposure
  5. auditd enabled without effective coverage rules

2) Kernel warning remediation

I scheduled a maintenance window, rebooted the host, and confirmed that the running kernel matched the newly installed one and that the boot logged no errors:

uname -r
reboot
uname -r
journalctl -b -p err --no-pager

3) SSH hardening

I updated /etc/ssh/sshd_config with restrictive controls:

Then validated the syntax and reloaded (sshd -t fails before the reload if the file is broken; keep the current session open and confirm a fresh login works before closing it):

sshd -t
systemctl reload sshd
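The following is an added example, not the post's own sshd_config: it checks a configuration file against a hardening baseline before the reload above. The baseline values (typical Lynis SSH-7408 suggestions) and the sample file are assumptions. The checker honours a detail that bites in practice: sshd applies the first occurrence of a directive, so a hardened line appended below a permissive one changes nothing.

```sh
#!/bin/sh
# Added example: audit an sshd_config against a hardening baseline before
# reloading sshd. Not the post's own configuration; the baseline values and
# the sample file are assumptions.

# Directive and expected value, one per line. The same text serves as the
# hardened drop-in when written to /etc/ssh/sshd_config.d/10-hardening.conf.
ssh_baseline() {
  cat <<'EOF'
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
X11Forwarding no
AllowTcpForwarding no
AllowAgentForwarding no
MaxAuthTries 3
MaxSessions 2
ClientAliveCountMax 2
TCPKeepAlive no
LogLevel VERBOSE
EOF
}

# Print the effective value of directive $2 in file $1. sshd uses the FIRST
# occurrence of a directive, so a hardened line at the bottom loses to a
# permissive one above it; directives after a Match line are conditional, so
# the scan stops there. Keywords are case-insensitive.
ssh_effective_value() {
  awk -v k="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
    /^[[:space:]]*#/ { next }
    NF == 0          { next }
    tolower($1) == "match" { exit }
    tolower($1) == k { print $2; exit }
  ' "$1"
}

# Print one line per deviation from the baseline; the exit status is the
# number of deviations (0 means the file satisfies the baseline).
ssh_check_file() {
  ssh_baseline | {
    findings=0
    while read -r key want; do
      got=$(ssh_effective_value "$1" "$key" | tr 'A-Z' 'a-z')
      if [ -z "$got" ]; then
        echo "MISSING $key (compiled-in default applies; want $want)"
        findings=$((findings + 1))
      elif [ "$got" != "$(printf '%s' "$want" | tr 'A-Z' 'a-z')" ]; then
        echo "WEAK    $key $got (want $want)"
        findings=$((findings + 1))
      fi
    done
    exit "$findings"
  }
}

# Constructed sample (an assumption, not a real host): the late
# "PermitRootLogin no" does not override the earlier "yes".
write_sample_sshd_config() {
  cat > "$1" <<'EOF'
# constructed sshd_config
Port 22
PermitRootLogin yes
PasswordAuthentication yes
X11Forwarding yes
MaxAuthTries 6
PubkeyAuthentication yes
PermitRootLogin no
EOF
}

# Demo against the sample. On a real host the sequence is:
#   ssh_baseline > /etc/ssh/sshd_config.d/10-hardening.conf
#   sshd -t && systemctl reload sshd
#   sshd -T > /tmp/effective && ssh_check_file /tmp/effective
tmp=$(mktemp)
write_sample_sshd_config "$tmp"
ssh_check_file "$tmp" || echo "deviations: $?"
rm -f "$tmp"
```

Running the checker on the output of sshd -T (the effective configuration after Include and Match processing) rather than on the raw file is the more reliable acceptance check; the file-based scan is what you run before the reload, the sshd -T scan after it. Ubuntu and Fedora Include sshd_config.d from the top of sshd_config, which is why a drop-in there wins by the first-occurrence rule; on other distributions confirm where the Include line sits.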

4) Identity and password policy

I enforced password aging and stricter default file permissions in /etc/login.defs, plus stronger PAM password quality controls.

Key values applied:
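As an added example (not the post's own values), the script below applies aging, umask and password-quality settings idempotently and then lists the chage commands that existing accounts still need, because login.defs aging only applies to accounts created after the change. The numeric values, file paths taken as parameters and the sample files are assumptions.

```sh
#!/bin/sh
# Added example: apply password-aging, umask and password-quality settings to
# login.defs and pwquality.conf idempotently, and list the chage commands that
# existing accounts still need. Not the post's own values; the numbers and the
# sample files are assumptions. Paths are parameters so the demo runs on copies
# (real host: /etc/login.defs and /etc/security/pwquality.conf).

# Set KEY to VALUE in FILE. The first active line for KEY is rewritten in
# place, later active duplicates are dropped, commented-out defaults are left
# alone, and the key is appended when absent. SEP is " " for login.defs
# ("KEY VALUE") and " = " for pwquality.conf ("key = value").
set_conf_value() {   # $1 file, $2 key, $3 value, $4 separator
  tmp=$(mktemp)
  awk -v key="$2" -v value="$3" -v sep="$4" '
    /^[[:space:]]*#/ { print; next }
    {
      split($0, f, "[[:space:]=]+")
      if (f[1] == key) { if (!done) { print key sep value; done = 1 }; next }
      print
    }
    END { if (!done) print key sep value }
  ' "$1" > "$tmp" && cat "$tmp" > "$1"   # cat keeps the file's mode and owner
  rm -f "$tmp"
}

get_conf_value() {   # $1 file, $2 key: print the active value of KEY
  awk -v key="$2" '
    /^[[:space:]]*#/ { next }
    { split($0, f, "[[:space:]=]+"); if (f[1] == key) { print f[2]; exit } }
  ' "$1"
}

apply_login_defs() {   # $1 = login.defs
  set_conf_value "$1" PASS_MAX_DAYS 90 ' '
  set_conf_value "$1" PASS_MIN_DAYS 1 ' '
  set_conf_value "$1" PASS_WARN_AGE 7 ' '
  set_conf_value "$1" UMASK 027 ' '
}

apply_pwquality() {    # $1 = pwquality.conf, read by pam_pwquality
  set_conf_value "$1" minlen 14 ' = '
  set_conf_value "$1" minclass 3 ' = '
  set_conf_value "$1" maxrepeat 3 ' = '
  set_conf_value "$1" dictcheck 1 ' = '
  set_conf_value "$1" enforcing 1 ' = '
}

# PASS_MAX_DAYS and friends only affect accounts created afterwards; existing
# accounts keep their shadow(5) fields. Print the chage commands for local
# interactive accounts (UID >= 1000, not nobody, with a real login shell).
chage_commands_for_existing() {   # $1 = passwd file (real host: /etc/passwd)
  awk -F: '$3 >= 1000 && $3 != 65534 && $7 !~ /(nologin|false)$/ {
    print "chage -M 90 -m 1 -W 7 " $1 }' "$1"
}

# Constructed samples (assumptions, not copied from a host).
write_sample_login_defs() {
  cat > "$1" <<'EOF'
# constructed excerpt of /etc/login.defs
PASS_MAX_DAYS   99999
PASS_MIN_DAYS   0
PASS_WARN_AGE   7
UMASK           022
EOF
}
write_sample_passwd() {
  cat > "$1" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
deploy:x:1001:1001:Deploy:/srv/deploy:/usr/sbin/nologin
bob:x:1002:1002:Bob:/home/bob:/bin/zsh
EOF
}

# Demo on temporary copies.
d=$(mktemp -d)
write_sample_login_defs "$d/login.defs"; apply_login_defs "$d/login.defs"
printf '# minlen = 8\n' > "$d/pwquality.conf"; apply_pwquality "$d/pwquality.conf"
write_sample_passwd "$d/passwd"
cat "$d/login.defs" "$d/pwquality.conf"; chage_commands_for_existing "$d/passwd"
rm -rf "$d"
```

Review the chage list before running it: service accounts with a login shell (the sample's deploy user is excluded only because it has nologin) would otherwise get password expiry applied to credentials that may be keys or tokens rather than passwords.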

5) Kernel and network hardening

I disabled core dumps, blocked unused protocols (dccp, sctp, rds, tipc), and applied defensive sysctl parameters.

sysctl --system
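As an added example (not the post's own drop-ins), the script below generates the modprobe, sysctl and core-dump files for this step under a root prefix and then compares the desired sysctl values with a captured sysctl -a snapshot, which is the check that tells you whether sysctl --system actually took effect. The parameter values are common Lynis KRNL-6000 style recommendations and are assumptions; the snapshot is constructed.

```sh
#!/bin/sh
# Added example: generate the modprobe, sysctl and core-dump drop-ins for
# step 5 under a root prefix, then detect drift between desired sysctl values
# and a "sysctl -a" snapshot. Values are assumptions, not taken from the page.
# The prefix argument is "/" on a real host; the demo uses a temp directory.

# Keep the listed protocols from loading: "install X /bin/false" makes
# modprobe run /bin/false instead of loading X, and "blacklist X" stops
# alias-triggered autoloading. Neither unloads a module that is already
# loaded; check with lsmod and rmmod (or reboot) for those.
write_modprobe_blacklist() {   # $1 = root prefix
  dir="$1/etc/modprobe.d"; mkdir -p "$dir"
  for mod in dccp sctp rds tipc; do
    printf 'install %s /bin/false\nblacklist %s\n' "$mod" "$mod"
  done > "$dir/hardening-protocols.conf"
}

# Desired sysctl values as "key = value", so the same text is both the
# drop-in and the comparison table. kernel.yama.ptrace_scope only exists
# when Yama is built in; sysctl --system reports unknown keys and moves on.
sysctl_hardening() {
  cat <<'EOF'
fs.suid_dumpable = 0
fs.protected_hardlinks = 1
fs.protected_symlinks = 1
kernel.kptr_restrict = 2
kernel.dmesg_restrict = 1
kernel.sysrq = 0
kernel.yama.ptrace_scope = 1
net.ipv4.tcp_syncookies = 1
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.all.log_martians = 1
net.ipv6.conf.all.accept_redirects = 0
net.ipv6.conf.all.accept_source_route = 0
EOF
}

write_sysctl_hardening() {     # $1 = root prefix
  mkdir -p "$1/etc/sysctl.d"
  sysctl_hardening > "$1/etc/sysctl.d/90-hardening.conf"
  # Real host: sysctl --system; sysctl -a > /tmp/now; sysctl_drift /tmp/now
}

# Core dumps: fs.suid_dumpable above covers setuid binaries; this also stops
# ordinary dumps via limits.conf and keeps systemd-coredump from storing any.
write_coredump_limits() {      # $1 = root prefix
  mkdir -p "$1/etc/security/limits.d" "$1/etc/systemd/coredump.conf.d"
  printf '* hard core 0\n' > "$1/etc/security/limits.d/90-no-core.conf"
  printf '[Coredump]\nStorage=none\nProcessSizeMax=0\n' \
    > "$1/etc/systemd/coredump.conf.d/90-no-core.conf"
}

# Compare desired values with a "sysctl -a" snapshot ("key = value" lines).
# Prints one line per key that is missing or differs; exit status = count.
sysctl_drift() {               # $1 = snapshot file
  sysctl_hardening | {
    drift=0
    while read -r key eq want; do
      got=$(awk -v k="$key" '$1 == k { print $3; exit }' "$1")
      if [ "$got" != "$want" ]; then
        echo "DRIFT $key = ${got:-<unset>} (want $want)"
        drift=$((drift + 1))
      fi
    done
    exit "$drift"
  }
}

# Constructed excerpt of "sysctl -a" output (an assumption, not a real host).
write_sample_snapshot() {
  cat > "$1" <<'EOF'
fs.suid_dumpable = 2
fs.protected_hardlinks = 1
fs.protected_symlinks = 1
kernel.kptr_restrict = 1
kernel.dmesg_restrict = 1
kernel.sysrq = 176
kernel.yama.ptrace_scope = 1
net.ipv4.tcp_syncookies = 1
net.ipv4.conf.all.rp_filter = 2
net.ipv4.conf.all.accept_redirects = 1
net.ipv4.conf.all.send_redirects = 1
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.all.log_martians = 0
net.ipv6.conf.all.accept_redirects = 1
EOF
}

# Demo against a temporary prefix and the constructed snapshot.
root=$(mktemp -d)
write_modprobe_blacklist "$root"; write_sysctl_hardening "$root"; write_coredump_limits "$root"
write_sample_snapshot "$root/snapshot"
sysctl_drift "$root/snapshot" || echo "drifted keys: $?"
rm -rf "$root"
```

Drift after sysctl --system usually means a later file in /etc/sysctl.d or a service (a container runtime, a VPN) re-set the key; naming the drop-in 90-… puts it after most vendor files, and comparing against a fresh snapshot after a reboot confirms the setting survives.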

6) Audit trail and malware checks

I configured auditd rules for identity and privilege-sensitive files, then validated event collection with ausearch. I also deployed rkhunter for host-level malware and integrity checks.
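The following is an added example, not the post's own rules: it generates an audit rules file for identity and privilege-sensitive paths and then compares it with what the kernel actually has loaded (auditctl -l output), which is the test that separates "auditd enabled" from "auditd covering something". The watched paths, keys and the sample auditctl -l snapshot are assumptions.

```sh
#!/bin/sh
# Added example: write an audit rules file for identity and privilege-sensitive
# paths, then report which -w rules are not loaded according to "auditctl -l".
# Paths and keys are assumptions; the root prefix lets the demo run without
# touching /etc.

audit_rules() {
  cat <<'EOF'
## identity: account and credential databases
-w /etc/passwd -p wa -k identity
-w /etc/shadow -p wa -k identity
-w /etc/group -p wa -k identity
-w /etc/gshadow -p wa -k identity
-w /etc/security/opasswd -p wa -k identity
## privilege: sudo policy, PAM and sshd configuration
-w /etc/sudoers -p wa -k privilege
-w /etc/sudoers.d -p wa -k privilege
-w /etc/pam.d -p wa -k privilege
-w /etc/ssh/sshd_config -p wa -k privilege
-w /etc/ssh/sshd_config.d -p wa -k privilege
## lock the ruleset; changing it afterwards requires a reboot
-e 2
EOF
}

write_audit_rules() {   # $1 = root prefix (real host: /)
  mkdir -p "$1/etc/audit/rules.d"
  audit_rules > "$1/etc/audit/rules.d/50-identity.rules"
  # Real host:  augenrules --load && auditctl -l > /tmp/loaded
  #             audit_rules_missing /tmp/loaded
  # Exercise:   touch /etc/passwd && ausearch -k identity -i | tail
  # Malware/integrity baseline after legitimate changes:
  #             rkhunter --propupd && rkhunter --check --sk
}

# Print each -w rule from audit_rules that is absent from file $1 (auditctl -l
# output, one "-w PATH -p PERMS -k KEY" per line). "-e 2" is a control flag,
# not a rule, and is verified with "auditctl -s" (enabled=2) instead.
# Exit status = number of missing rules.
audit_rules_missing() {  # $1 = file with auditctl -l output
  audit_rules | grep '^-w ' | {
    missing=0
    while read -r rule; do
      if ! grep -qxF -- "$rule" "$1"; then
        echo "NOT LOADED: $rule"; missing=$((missing + 1))
      fi
    done
    exit "$missing"
  }
}

# Constructed "auditctl -l" snapshot (an assumption): identity watches are
# loaded, most privilege watches are not.
write_sample_loaded() {
  cat > "$1" <<'EOF'
-w /etc/passwd -p wa -k identity
-w /etc/shadow -p wa -k identity
-w /etc/group -p wa -k identity
-w /etc/gshadow -p wa -k identity
-w /etc/security/opasswd -p wa -k identity
-w /etc/sudoers -p wa -k privilege
EOF
}

# Demo against a temporary prefix and the constructed snapshot.
root=$(mktemp -d)
write_audit_rules "$root"
write_sample_loaded "$root/loaded"
audit_rules_missing "$root/loaded" || echo "missing rules: $?"
rm -rf "$root"
```

A rule that is present in rules.d but absent from auditctl -l is the common failure mode behind "enabled without coverage": augenrules was never run, a syntax error in one file aborted loading, or an earlier -e 2 made the ruleset immutable so the new rules were rejected until the next reboot.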

7) Re-audit and acceptance criteria

I reran Lynis and confirmed:

Hardening is not a one-time task. Lynis provides direction, but security gains come from disciplined execution: fix, verify, measure, and document.
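For the re-audit in step 7, here is an added example (not the post's own tooling) that turns "reran Lynis and confirmed" into a gate a script can enforce. Lynis writes machine-readable key=value lines to /var/log/lynis-report.dat, including hardening_index= and warning[]= / suggestion[]= entries whose first pipe-separated field is the test ID; the script below diffs a before and an after report on those fields. The two sample reports are constructed, not real audit output, and the acceptance criteria (no warning left, no new warning, hardening index not lower) are assumptions.

```sh
#!/bin/sh
# Added example: compare two Lynis report files (/var/log/lynis-report.dat
# copied before and after remediation) and apply acceptance criteria. The
# sample reports are constructed; the criteria are assumptions.

report_field() {   # $1 = report file, $2 = key; prints every value for the key
  awk -v k="$2=" 'index($0, k) == 1 { print substr($0, length(k) + 1) }' "$1"
}

report_ids() {     # $1 = report, $2 = warning|suggestion; sorted unique test IDs
  report_field "$1" "$2[]" | cut -d'|' -f1 | sort -u
}

# Print RESOLVED and NEW items of one kind between BEFORE and AFTER.
# Exit status 0 only when nothing new appeared.
report_compare() {  # $1 = before, $2 = after, $3 = warning|suggestion
  before=$(mktemp); after=$(mktemp)
  report_ids "$1" "$3" > "$before"; report_ids "$2" "$3" > "$after"
  comm -23 "$before" "$after" | sed "s/^/RESOLVED $3: /"
  new=$(comm -13 "$before" "$after")
  rm -f "$before" "$after"
  [ -z "$new" ] || { printf '%s\n' "$new" | sed "s/^/NEW $3: /"; return 1; }
}

# Gate: no warning may remain or appear, and the hardening index must not
# drop. New suggestions are printed for review but do not fail the gate.
report_accept() {  # $1 = before, $2 = after
  ok=0
  report_compare "$1" "$2" warning    || ok=1
  report_compare "$1" "$2" suggestion || true
  [ -z "$(report_ids "$2" warning)" ] || { echo "FAIL: warnings remain"; ok=1; }
  b=$(report_field "$1" hardening_index); a=$(report_field "$2" hardening_index)
  echo "hardening_index: $b -> $a"
  [ "${a:-0}" -ge "${b:-0}" ] || { echo "FAIL: hardening index dropped"; ok=1; }
  return "$ok"
}

# Constructed before/after reports (assumptions; texts abbreviated).
write_sample_reports() {   # $1 = directory
  cat > "$1/before.dat" <<'EOF'
hardening_index=61
warning[]=KRNL-5830|Reboot of system is most likely needed|-|-|
suggestion[]=SSH-7408|Consider hardening SSH configuration|PermitRootLogin (set YES to NO)|-|
suggestion[]=SSH-7408|Consider hardening SSH configuration|X11Forwarding (set YES to NO)|-|
suggestion[]=AUTH-9286|Configure password aging in /etc/login.defs|-|-|
suggestion[]=KRNL-6000|One or more sysctl values differ from the scan profile|-|-|
suggestion[]=ACCT-9630|Audit daemon is enabled with an empty ruleset|-|-|
EOF
  cat > "$1/after.dat" <<'EOF'
hardening_index=78
suggestion[]=HRDN-7222|Harden compilers like restricting access to root user only|-|-|
EOF
}

# Demo: copy /var/log/lynis-report.dat before and after on a real host.
d=$(mktemp -d)
write_sample_reports "$d"
report_accept "$d/before.dat" "$d/after.dat" && echo "ACCEPTED" || echo "REJECTED"
rm -rf "$d"
```

The NEW suggestion line in the demo is the reason to diff rather than just count: a hardening step can surface checks that were previously masked (here a compiler-permissions suggestion), and those belong in the next iteration's backlog rather than disappearing into a higher score.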

This post is licensed under CC BY-NC.
