Addressing a Compromised Linux System

If you already know how to deal with a non-Linux system that has been compromised, then you roughly know how to do the same with a compromised Linux system. If you feel a little lost, however, the following steps provide the basis for dealing with any incident you might need to handle.

Recommended Read: Granting SUDO access to a local user account in RHEL/CentOS

Also Read: Ultimate guide to securing SSH sessions


#1. Recognizing a Security Breach

The first step in handling a system compromise is identifying the issue. Breaches are not always directly visible and the issues you’re facing could be the result of an attack initiated in the past that has just now become active. 

Sure signs of attack to look for include the replacement of webpages or data with text indicating that you’ve been hacked, missing or seg-faulting binaries, users created without your authorization, or evidence of pirated or malicious data being hosted on your servers.

When investigating, it’s important to remember that not all system issues are related to criminal activity or infiltration. You may simply be seeing problems caused by full-disk partitions, incompatible software installations or troubled processes consuming your CPU resources.


#2. Incident Response Plan (IRP)

Regardless of whether your issue is caused by an attack or a non-malicious occurrence, you will want to engage your incident response plan as soon as possible upon discovery. This plan will help guide your responses to the issue, depending on the importance of affected systems and the role they might play in your provision of services. Your IRP should dictate who is involved in the response, including security team members, customer support, communications, and lawyers and authorities as appropriate. 

Comprehensive documentation is key while enacting your plan, as it will help you verify that all protocols in the plan are kept, review the incident after it has been handled and comply with auditing and regulatory standards after the fact. 

Even if your plan doesn’t specify taking proactive action, it might be a good idea to have replacement VMs or other systems on standby in case you are unable to repair your system in production. 


#3. Rebuilding Your System

When you get to the remediation step of your IRP, don’t just reboot your system, as this can cause data loss, interrupt services and erase valuable forensic evidence. A better strategy, if possible, is to disconnect your affected machines as is and put replacement machines into production. If this is not possible, you should do a fresh Linux install that is fully updated and patched before being brought into production. 

Whichever method you choose, use a minimal installation and only include the required software to reduce the number of possible vulnerabilities. Only restore lost data after verifying that it is trustworthy to ensure that you do not reinfect your system or reinstall backdoors that you do not want. 

After your replacements or new installations are up and running, make sure to monitor them closely and perform periodic auditing, including after each new software installation. 

Best Linux Distros for Privacy and Security

Choosing a secure Linux distribution from the start can help prevent issues and reduce your risk. There are numerous Linux distributions to choose from, so you should do extensive research and test several before choosing one to use, and keep in mind that open-source distros will never be perfect. 

A few to start researching are:

  • Qubes OS—uses Xen Hypervisor to run VMs that compartmentalize your system and reduce the amount of damage that can be done. This distro is extremely secure but it can be tricky to set up and manage so it is recommended for advanced users. 
  • Tails—runs from a DVD or an encrypted USB stick in Live mode, operating the OS from system RAM to eliminate traces of use. This distro routes connections through the Tor network so it’s great for privacy but vulnerabilities are discovered frequently. 
  • Subgraph OS—uses a hardened kernel, virtual sandboxes for risky applications, and includes a specialized firewall that routes all outgoing connections through Tor. This distro does include an exploit of its Nautilus file manager but it is still in the alpha stage and this exploit should be fixed in beta. 
  • Trusted End Node Security (TENS)—designed by the US Air Force and NSA approved. This distro runs in Live mode, includes a customizable firewall, and supports logging in via Smart Card but can be tricky to download. 

Useful Tips to Secure Linux Server

Securing your Linux systems requires precise knowledge of your configurations as well as your specific needs, which is outside the scope of this brief guide. Despite that, there are some basic tips useful for most systems. 

Start by acquainting yourself with sites like LinuxSecurity, a good aggregation source for current Linux relevant concerns and fixes and verify that your installations are fully and consistently updated. As mentioned before, keeping your software and add-ons to a minimum will help reduce the number of dependencies as well as limit the number of unpatched vulnerabilities you need to be concerned with. 

Use Security-Enhanced Linux (SELinux), included with the kernel, on your systems in either enforcing or permissive mode. Enforcing mode is preferred as it will take action to ensure that the security policies you define block compromising actions but if you cannot use it, you can at least benefit from the alerts and logging that occur in permissive mode. 

You should disable booting from external devices after BIOS setup and set BIOS and grub boot loader passwords to protect your settings. This will help ensure that any security measures you take and policies you set remain active and cannot be simply avoided with less secure boot-ups. 

Disabling Secure Shell (SSH) access as a root user can limit the damage attackers can do. To do this, you should provide sudo powers to another user so that you are still able to perform administrative tasks. Doing this will allow you to switch to root after you are logged in, if needed, and will obscure access rights to attackers. 

Check which ports you have open and disable any you aren’t actively using to limit entry options to attackers. You can consider changing your default SSH port as well to make it harder for attackers to log in even if they have obtained working credentials. 

Using Secure File Transfer Protocol (SFTD) to encrypt all data, credentials and files being sent will help you ensure that data isn’t stolen or modified in transit. 



There are many more steps you can take towards securing your Compromised Linux System, both before and after they have been compromised, but it is up to you to decide which actions will best suit your needs. Considering the implementation of the distributions and tips covered here is a good place to start. Even if you aren’t yet ready to make changes to your system, knowing your options before an incident occurs can help speed your response and aid you in limiting the amount of damage done.


If you think we have helped you or just want to support us, please consider these:-

Connect to us: Facebook | Twitter

Donate us some of your hard-earned money: [paypal-donation]

Linux TechLab is thankful for your continued support.