Alpine Linux Security Hardening Guide: Essential Steps for Maximum Protection
I’ll show you how to turn your Alpine Linux system into a security fortress. After years of managing servers, I’ve learned that Alpine’s minimal design actually makes it easier to secure - you just need to know the right steps.
Introduction
Alpine Linux comes pretty secure out of the box, but that doesn’t mean you can skip hardening. I’ve seen too many systems get compromised because people assumed “minimal” meant “secure enough.”
The thing is, Alpine’s small attack surface is great, but you still need to lock down what’s there. I’ll walk you through the essential steps I use on every Alpine system I deploy.
Why You Need This
- Protect against common attack vectors
- Meet compliance requirements for production systems
- Prevent unauthorized access and data breaches
- Create a solid foundation for other services
Prerequisites
You’ll need these things first:
- Alpine Linux system with root access
- Basic knowledge of Linux command line
- SSH access to the system
- Backup of important data before starting
Step 1: Update and Secure Package Management
Update System Packages
Let’s start with the basics - making sure everything is up to date.
What we’re doing: Getting the latest security patches and package updates.
# Update package repository information
apk update
# Upgrade all installed packages
apk upgrade
# Clean package cache
apk cache clean
Code explanation:
apk update
: Downloads latest package repository listsapk upgrade
: Installs available security updates and patchesapk cache clean
: Removes cached package files to save space
Expected Output:
fetch https://dl-cdn.alpinelinux.org/alpine/v3.18/main/x86_64/APKINDEX.tar.gz
v3.18.4-0-g2239b3be07 [https://dl-cdn.alpinelinux.org/alpine/v3.18/main]
OK: 17 MiB in 33 packages
Configure Package Repository Security
What we’re doing: Ensuring we only use trusted package sources.
# Backup current repository configuration
cp /etc/apk/repositories /etc/apk/repositories.backup
# Edit repository configuration
vi /etc/apk/repositories
Repository configuration:
# Secure repository configuration
https://dl-cdn.alpinelinux.org/alpine/v3.18/main
https://dl-cdn.alpinelinux.org/alpine/v3.18/community
# Remove testing and edge repositories for production
Tip: I always remove testing repositories on production systems. They’re great for development but add unnecessary security risks.
Step 2: Secure SSH Configuration
Harden SSH Settings
SSH is usually the main entry point to your system, so let’s lock it down tight.
What we’re doing: Configuring SSH with security-first settings.
# Backup original SSH configuration
cp /etc/ssh/sshd_config /etc/ssh/sshd_config.backup
# Edit SSH configuration
vi /etc/ssh/sshd_config
SSH hardening configuration:
# Port and protocol settings
Port 2222 # Change from default port 22
Protocol 2
# Authentication settings
PermitRootLogin no
MaxAuthTries 3
LoginGraceTime 30
PasswordAuthentication no
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys
# Security settings
AllowUsers your_username
X11Forwarding no
PrintMotd no
ClientAliveInterval 600
ClientAliveCountMax 3
MaxStartups 2
Configuration explanation:
Port 2222
: Changes default SSH port to reduce automated attacksPermitRootLogin no
: Prevents direct root login for better securityPasswordAuthentication no
: Forces key-based authentication onlyMaxAuthTries 3
: Limits failed login attemptsAllowUsers your_username
: Restricts SSH access to specific users
Set Up Key-Based Authentication
What we’re doing: Creating secure SSH keys for passwordless authentication.
# Create SSH directory for your user
mkdir -p ~/.ssh
chmod 700 ~/.ssh
# Generate SSH key pair on client machine (not server)
ssh-keygen -t ed25519 -b 4096 -f ~/.ssh/alpine_key
# Copy public key to server
ssh-copy-id -i ~/.ssh/alpine_key.pub username@your_server
Restart SSH service:
# Restart SSH with new configuration
service sshd restart
# Enable SSH to start on boot
rc-update add sshd default
Warning: Test your SSH connection in a new terminal before closing your current session. You don’t want to lock yourself out!
Step 3: Configure Firewall Protection
Install and Configure iptables
Alpine uses iptables for firewall protection. Let’s set up a solid rule set.
What we’re doing: Creating a restrictive firewall that only allows necessary traffic.
# Install iptables
apk add iptables ip6tables
# Create firewall script
vi /etc/iptables/rules.sh
Firewall rules script:
#!/bin/sh
# Basic iptables firewall rules for Alpine Linux
# Clear existing rules
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
# Set default policies
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
# Allow loopback traffic
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
# Allow established connections
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Allow SSH (adjust port as needed)
iptables -A INPUT -p tcp --dport 2222 -m state --state NEW -j ACCEPT
# Allow HTTP and HTTPS if running web server
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -j ACCEPT
# Drop invalid packets
iptables -A INPUT -m state --state INVALID -j DROP
# Log dropped packets (optional)
iptables -A INPUT -j LOG --log-prefix "DROPPED: "
Code explanation:
iptables -P INPUT DROP
: Blocks all incoming traffic by defaultiptables -A INPUT -i lo -j ACCEPT
: Allows local loopback trafficiptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
: Allows response trafficiptables -A INPUT -p tcp --dport 2222
: Allows SSH on custom port
Make Firewall Rules Persistent
What we’re doing: Ensuring firewall rules survive system reboots.
# Make script executable
chmod +x /etc/iptables/rules.sh
# Run the firewall script
/etc/iptables/rules.sh
# Save current rules
iptables-save > /etc/iptables/rules-save
# Create init script to restore rules on boot
vi /etc/init.d/iptables-restore
Init script content:
#!/sbin/openrc-run
name="iptables-restore"
command="/sbin/iptables-restore"
command_args="< /etc/iptables/rules-save"
depend() {
need net
}
Enable firewall on boot:
# Make init script executable
chmod +x /etc/init.d/iptables-restore
# Enable iptables restore service
rc-update add iptables-restore default
Step 4: User Account Security
Create Non-Root User
What we’re doing: Setting up a regular user account with sudo privileges.
# Add a new user
adduser -s /bin/sh your_username
# Install sudo
apk add sudo
# Add user to wheel group
addgroup your_username wheel
# Configure sudo access
vi /etc/sudoers
Sudo configuration:
# Allow wheel group to use sudo
%wheel ALL=(ALL) ALL
# Require password for sudo commands
Defaults timestamp_timeout=5
Set Password Policies
What we’re doing: Enforcing strong password requirements.
# Install password quality checking
apk add libpwquality
# Configure password requirements
vi /etc/security/pwquality.conf
Password policy configuration:
# Minimum password length
minlen = 12
# Require mixed case
ucredit = -1
lcredit = -1
# Require numbers and symbols
dcredit = -1
ocredit = -1
# Prevent password reuse
remember = 5
Step 5: System Hardening
Disable Unnecessary Services
What we’re doing: Removing attack vectors by disabling unused services.
# List all running services
rc-status
# Disable unnecessary services (adjust based on your needs)
rc-update del chronyd default # If not using NTP
rc-update del networking default # If using static configuration
# Remove unnecessary packages
apk del --purge wget curl # If not needed
Configure System Limits
What we’re doing: Setting resource limits to prevent abuse.
# Edit system limits
vi /etc/security/limits.conf
Limits configuration:
# Prevent fork bombs
* hard nproc 1024
* soft nproc 512
# Limit memory usage
* hard memlock 64
* soft memlock 64
# File descriptor limits
* hard nofile 4096
* soft nofile 1024
Secure Kernel Parameters
What we’re doing: Hardening kernel settings for better security.
# Edit sysctl configuration
vi /etc/sysctl.conf
Kernel hardening parameters:
# Network security
net.ipv4.ip_forward = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
# Prevent IP spoofing
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
# Ignore ping requests
net.ipv4.icmp_echo_ignore_all = 1
# Apply settings
sysctl -p
Practical Examples
Example 1: Complete Security Script
What we’re doing: Creating an automated hardening script for consistent deployment.
#!/bin/sh
# Alpine Linux security hardening script
echo "Starting Alpine Linux security hardening..."
# Update system
apk update && apk upgrade
# Install security tools
apk add fail2ban iptables sudo
# Configure fail2ban
cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
sed -i 's/bantime = 10m/bantime = 1h/' /etc/fail2ban/jail.local
# Start fail2ban
service fail2ban start
rc-update add fail2ban default
echo "Basic hardening complete!"
Code explanation:
apk update && apk upgrade
: Updates system packagesapk add fail2ban iptables sudo
: Installs essential security toolssed -i 's/bantime = 10m/bantime = 1h/'
: Increases ban duration for attackersrc-update add fail2ban default
: Enables fail2ban on boot
Example 2: Security Monitoring Setup
What we’re doing: Setting up basic monitoring for security events.
# Install monitoring tools
apk add logrotate rsyslog
# Configure log rotation
vi /etc/logrotate.d/security
Log rotation configuration:
/var/log/security.log {
daily
missingok
rotate 30
compress
create 600 root root
}
Troubleshooting
SSH Connection Issues
Problem: Can’t connect after changing SSH configuration Solution: Check SSH service status and configuration
# Check SSH service status
service sshd status
# Test SSH configuration
sshd -t
# Check SSH logs
tail -f /var/log/messages | grep sshd
Firewall Blocking Services
Problem: Legitimate services being blocked by firewall Solution: Review and adjust firewall rules
# Check current iptables rules
iptables -L -n
# Temporarily allow specific port
iptables -I INPUT -p tcp --dport 80 -j ACCEPT
# Make permanent by updating rules script
Best Practices
-
Regular Updates: Update packages weekly
# Create update script echo "apk update && apk upgrade" > /etc/periodic/weekly/update-system chmod +x /etc/periodic/weekly/update-system
-
Monitor Logs: Check system logs regularly
- Review
/var/log/messages
for system events - Monitor
/var/log/auth.log
for authentication attempts - Set up log alerting for suspicious activity
- Review
-
Security Considerations:
- Use strong passwords and key-based authentication
- Regularly review user accounts and permissions
- Keep minimal software installation
- Monitor system resource usage
Verification
To verify your security hardening is working:
# Test SSH configuration
ssh -o PreferredAuthentications=password username@your_server
# Check firewall status
iptables -L -n
# Verify fail2ban is working
fail2ban-client status
Wrapping Up
You just hardened your Alpine Linux system with:
- Updated packages and secure repositories
- Hardened SSH configuration with key authentication
- Configured restrictive firewall rules
- Set up proper user accounts and sudo access
- Applied kernel security parameters
Your Alpine system is now much more secure. These settings will protect against common attacks and give you a solid foundation for running services safely. I use this exact setup on all my Alpine servers and it’s never let me down.