The Host Attack Surface
Every running service, listening port, installed package, scheduled job, and user account on a host is attack surface, and a default OS install ships with far more of all of them than any single role needs. Hardening is the disciplined reduction of that surface plus the addition of controls that make the remainder harder to abuse.
This topic frames the chapter by inventorying what is actually exposed on a Meridian host and applying the minimize-then-protect discipline — because you cannot harden what you have not first enumerated.
What's Running and Listening
Services, open ports, and daemons are the first surface. ss -tulpn and the process list show what an attacker on the host, or on the network, can reach — and most of it can simply be turned off. A default install runs printing daemons, mail transfer agents, and RPC services a production web host never needs, each one an unnecessary door.
Accounts, Privileges, and Access
Every user, every SSH key, every sudo grant is a path. Default accounts, shared logins, and broad sudo are surface that hardening trims to least privilege, so any foothold inherits the minimum rather than a pile of standing access it can abuse. The account list is as much attack surface as the port list.
Software and Configuration Surface
Installed packages are each a potential CVE; SUID binaries and world-writable files are each a potential escalation; permissive defaults are each a potential opening. A smaller install is a smaller surface, which is why minimal and immutable base images matter (Chapter 13) — the fewer the components, the fewer the things that can be vulnerable or misconfigured.
The Baseline Idea
Hardening is repeatable, not artisanal. A documented baseline — the CIS Benchmarks are the canonical example — says exactly what to disable, set, and enforce, so every host starts from the same reduced surface rather than one administrator's memory. Hand-hardening drifts; a baseline applied by configuration management stays consistent and can be re-applied when a host drifts back toward openness.
# what is listening, and which process owns it ss -tulpn # every SUID binary — each runs as its owner, often root (escalation surface) find / -perm -4000 -type f 2>/dev/null # who can run what as root sudo -l # audit the whole host against a hardening baseline lynis audit system
These commands are the attacker's first look and the defender's inventory at once: what is listening, which SUID binaries could escalate, who has sudo, and how the host scores against a baseline. Running them on a production host almost always turns up a service nobody remembers enabling and a SUID binary nobody needs — exactly the surface the rest of the chapter removes.
- Running a default OS install in production with every bundled service and package left on, maximizing surface for no benefit.
- Leaving default accounts, shared logins, and broad
sudoin place, so any foothold inherits far more privilege than needed. - Hardening by hand and memory instead of a documented baseline, so hosts drift and no one can say what "secure" means here.
- Ignoring the host because "the network firewall protects it" — a foothold is already inside, and host hardening is what limits it.
- Never re-inventorying, so surface creeps back as packages and services accumulate.
- Minimize first: disable unneeded services, close unused ports, and strip packages to what the role requires.
- Apply a documented baseline (a CIS Benchmark) so every host starts hardened and consistently, not artisanally.
- Enforce least privilege on accounts, SSH keys, and
sudo, and remove defaults and shared logins. - Re-inventory and re-baseline continuously, since installs and configs drift back toward openness over time.
- Harden the host regardless of the network firewall, because a foothold is already past the perimeter.
Knowledge Check
Why is a default OS install a poor starting point for a production host?
- It runs services the role never needs, all pure attack surface
- Default installs are unable to run any real server software
- Default installs come with no user or service accounts at all
- A default install leaves the host's networking disabled entirely
Why is a documented baseline better than hardening each host by hand?
- It makes hardening repeatable, so "secure" has a defined meaning
- Hardening a host by hand is simply impossible on Linux
- A baseline automatically encrypts the host's entire disk
- A documented baseline entirely removes the need to patch software later
Why does host hardening still matter behind a network firewall?
- A foothold is already inside; hardening limits its reach
- A network firewall is unable to filter any traffic at all
- Host hardening fully replaces the need for any firewall
- A firewall makes the host immune to any local attacks
You got correct