Linux Bastion Host Checklist

Use the following checklist when hardening your Linux bastion host.These steps are not specific to any particular role (such as a web server or SMTP relay). All these steps are critical; missing any single one could leave you vulnerable to hackers and result in a compromised system.

1. Research your needs for a Linux bastion host (support, media, functionality), and select a distribution accordingly.

1. Plan the partition layout, and give some forethought to providing space for the operating system, swap partition, system logs, and system data.

2. Install the OS, and remove and disable any optional software and services.

3. Apply patches and updates to the system kernel and software as needed.

4. Remove/minimize processes using the SUID or SGID bit.

5. If mandatory access control is desired, implement SELinux.

6. Harden the TCP/IP stack.

7. Configure TCP Wrappers.

8. Configure the Netfilter firewall via the GUI or IPTables tool.

9. Apply any needed encryption for sensitive data.

10. Enable and configure auditing as required.

11. Apply scheduled maintenance to keep the system secure.