Alpine Linux Security Hardening Guide: Essential Steps for Maximum Protection

I’ll show you how to turn your Alpine Linux system into a security fortress. After years of managing servers, I’ve learned that Alpine’s minimal design actually makes it easier to secure - you just need to know the right steps.

Introduction

Alpine Linux comes pretty secure out of the box, but that doesn’t mean you can skip hardening. I’ve seen too many systems get compromised because people assumed “minimal” meant “secure enough.”

The thing is, Alpine’s small attack surface is great, but you still need to lock down what’s there. I’ll walk you through the essential steps I use on every Alpine system I deploy.

Why You Need This

• Protect against common attack vectors
• Meet compliance requirements for production systems
• Prevent unauthorized access and data breaches
• Create a solid foundation for other services

Prerequisites

You’ll need these things first:

• Alpine Linux system with root access
• Basic knowledge of Linux command line
• SSH access to the system
• Backup of important data before starting

Step 1: Update and Secure Package Management

Update System Packages

Let’s start with the basics - making sure everything is up to date.

What we’re doing: Getting the latest security patches and package updates.

# Update package repository information
apk update

# Upgrade all installed packages
apk upgrade

# Clean package cache
apk cache clean

Code explanation:

• apk update: Downloads latest package repository lists
• apk upgrade: Installs available security updates and patches
• apk cache clean: Removes cached package files to save space

Expected Output:

fetch https://dl-cdn.alpinelinux.org/alpine/v3.18/main/x86_64/APKINDEX.tar.gz
v3.18.4-0-g2239b3be07 [https://dl-cdn.alpinelinux.org/alpine/v3.18/main]
OK: 17 MiB in 33 packages

Configure Package Repository Security

What we’re doing: Ensuring we only use trusted package sources.

# Backup current repository configuration
cp /etc/apk/repositories /etc/apk/repositories.backup

# Edit repository configuration
vi /etc/apk/repositories

Repository configuration:

# Secure repository configuration
https://dl-cdn.alpinelinux.org/alpine/v3.18/main
https://dl-cdn.alpinelinux.org/alpine/v3.18/community
# Remove testing and edge repositories for production

Tip: I always remove testing repositories on production systems. They’re great for development but add unnecessary security risks.

Step 2: Secure SSH Configuration

Harden SSH Settings

SSH is usually the main entry point to your system, so let’s lock it down tight.

What we’re doing: Configuring SSH with security-first settings.

# Backup original SSH configuration
cp /etc/ssh/sshd_config /etc/ssh/sshd_config.backup

# Edit SSH configuration
vi /etc/ssh/sshd_config

SSH hardening configuration:

# Port and protocol settings
Port 2222  # Change from default port 22
Protocol 2

# Authentication settings
PermitRootLogin no
MaxAuthTries 3
LoginGraceTime 30
PasswordAuthentication no
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys

# Security settings
AllowUsers your_username
X11Forwarding no
PrintMotd no
ClientAliveInterval 600
ClientAliveCountMax 3
MaxStartups 2

Configuration explanation:

• Port 2222: Changes default SSH port to reduce automated attacks
• PermitRootLogin no: Prevents direct root login for better security
• PasswordAuthentication no: Forces key-based authentication only
• MaxAuthTries 3: Limits failed login attempts
• AllowUsers your_username: Restricts SSH access to specific users

Set Up Key-Based Authentication

What we’re doing: Creating secure SSH keys for passwordless authentication.

# Create SSH directory for your user
mkdir -p ~/.ssh
chmod 700 ~/.ssh

# Generate SSH key pair on client machine (not server)
ssh-keygen -t ed25519 -b 4096 -f ~/.ssh/alpine_key

# Copy public key to server
ssh-copy-id -i ~/.ssh/alpine_key.pub username@your_server

Restart SSH service:

# Restart SSH with new configuration
service sshd restart

# Enable SSH to start on boot
rc-update add sshd default

Warning: Test your SSH connection in a new terminal before closing your current session. You don’t want to lock yourself out!

Step 3: Configure Firewall Protection

Install and Configure iptables

Alpine uses iptables for firewall protection. Let’s set up a solid rule set.

What we’re doing: Creating a restrictive firewall that only allows necessary traffic.

# Install iptables
apk add iptables ip6tables

# Create firewall script
vi /etc/iptables/rules.sh

Firewall rules script:

#!/bin/sh
# Basic iptables firewall rules for Alpine Linux

# Clear existing rules
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X

# Set default policies
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT

# Allow loopback traffic
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

# Allow established connections
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Allow SSH (adjust port as needed)
iptables -A INPUT -p tcp --dport 2222 -m state --state NEW -j ACCEPT

# Allow HTTP and HTTPS if running web server
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -j ACCEPT

# Drop invalid packets
iptables -A INPUT -m state --state INVALID -j DROP

# Log dropped packets (optional)
iptables -A INPUT -j LOG --log-prefix "DROPPED: "

Code explanation:

• iptables -P INPUT DROP: Blocks all incoming traffic by default
• iptables -A INPUT -i lo -j ACCEPT: Allows local loopback traffic
• iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT: Allows response traffic
• iptables -A INPUT -p tcp --dport 2222: Allows SSH on custom port

Make Firewall Rules Persistent

What we’re doing: Ensuring firewall rules survive system reboots.

# Make script executable
chmod +x /etc/iptables/rules.sh

# Run the firewall script
/etc/iptables/rules.sh

# Save current rules
iptables-save > /etc/iptables/rules-save

# Create init script to restore rules on boot
vi /etc/init.d/iptables-restore

Init script content:

#!/sbin/openrc-run
name="iptables-restore"
command="/sbin/iptables-restore"
command_args="< /etc/iptables/rules-save"

depend() {
    need net
}

Enable firewall on boot:

# Make init script executable
chmod +x /etc/init.d/iptables-restore

# Enable iptables restore service
rc-update add iptables-restore default

Step 4: User Account Security

Create Non-Root User

What we’re doing: Setting up a regular user account with sudo privileges.

# Add a new user
adduser -s /bin/sh your_username

# Install sudo
apk add sudo

# Add user to wheel group
addgroup your_username wheel

# Configure sudo access
vi /etc/sudoers

Sudo configuration:

# Allow wheel group to use sudo
%wheel ALL=(ALL) ALL

# Require password for sudo commands
Defaults timestamp_timeout=5

Set Password Policies

What we’re doing: Enforcing strong password requirements.

# Install password quality checking
apk add libpwquality

# Configure password requirements
vi /etc/security/pwquality.conf

Password policy configuration:

# Minimum password length
minlen = 12

# Require mixed case
ucredit = -1
lcredit = -1

# Require numbers and symbols
dcredit = -1
ocredit = -1

# Prevent password reuse
remember = 5

Step 5: System Hardening

Disable Unnecessary Services

What we’re doing: Removing attack vectors by disabling unused services.

# List all running services
rc-status

# Disable unnecessary services (adjust based on your needs)
rc-update del chronyd default  # If not using NTP
rc-update del networking default  # If using static configuration

# Remove unnecessary packages
apk del --purge wget curl  # If not needed

Configure System Limits

What we’re doing: Setting resource limits to prevent abuse.

# Edit system limits
vi /etc/security/limits.conf

Limits configuration:

# Prevent fork bombs
* hard nproc 1024
* soft nproc 512

# Limit memory usage
* hard memlock 64
* soft memlock 64

# File descriptor limits
* hard nofile 4096
* soft nofile 1024

Secure Kernel Parameters

What we’re doing: Hardening kernel settings for better security.

# Edit sysctl configuration
vi /etc/sysctl.conf

Kernel hardening parameters:

# Network security
net.ipv4.ip_forward = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0

# Prevent IP spoofing
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1

# Ignore ping requests
net.ipv4.icmp_echo_ignore_all = 1

# Apply settings
sysctl -p

Practical Examples

Example 1: Complete Security Script

What we’re doing: Creating an automated hardening script for consistent deployment.

#!/bin/sh
# Alpine Linux security hardening script

echo "Starting Alpine Linux security hardening..."

# Update system
apk update && apk upgrade

# Install security tools
apk add fail2ban iptables sudo

# Configure fail2ban
cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
sed -i 's/bantime = 10m/bantime = 1h/' /etc/fail2ban/jail.local

# Start fail2ban
service fail2ban start
rc-update add fail2ban default

echo "Basic hardening complete!"

Code explanation:

• apk update && apk upgrade: Updates system packages
• apk add fail2ban iptables sudo: Installs essential security tools
• sed -i 's/bantime = 10m/bantime = 1h/': Increases ban duration for attackers
• rc-update add fail2ban default: Enables fail2ban on boot

Example 2: Security Monitoring Setup

What we’re doing: Setting up basic monitoring for security events.

# Install monitoring tools
apk add logrotate rsyslog

# Configure log rotation
vi /etc/logrotate.d/security

Log rotation configuration:

/var/log/security.log {
    daily
    missingok
    rotate 30
    compress
    create 600 root root
}

Troubleshooting

SSH Connection Issues

Problem: Can’t connect after changing SSH configuration Solution: Check SSH service status and configuration

# Check SSH service status
service sshd status

# Test SSH configuration
sshd -t

# Check SSH logs
tail -f /var/log/messages | grep sshd

Firewall Blocking Services

Problem: Legitimate services being blocked by firewall Solution: Review and adjust firewall rules

# Check current iptables rules
iptables -L -n

# Temporarily allow specific port
iptables -I INPUT -p tcp --dport 80 -j ACCEPT

# Make permanent by updating rules script

Best Practices

1. Regular Updates: Update packages weekly

   # Create update script
   echo "apk update && apk upgrade" > /etc/periodic/weekly/update-system
   chmod +x /etc/periodic/weekly/update-system

2. Monitor Logs: Check system logs regularly

   • Review /var/log/messages for system events
   • Monitor /var/log/auth.log for authentication attempts
   • Set up log alerting for suspicious activity

3. Security Considerations:

   • Use strong passwords and key-based authentication
   • Regularly review user accounts and permissions
   • Keep minimal software installation
   • Monitor system resource usage

Verification

To verify your security hardening is working:

# Test SSH configuration
ssh -o PreferredAuthentications=password username@your_server

# Check firewall status
iptables -L -n

# Verify fail2ban is working
fail2ban-client status

Wrapping Up

You just hardened your Alpine Linux system with:

• Updated packages and secure repositories
• Hardened SSH configuration with key authentication
• Configured restrictive firewall rules
• Set up proper user accounts and sudo access
• Applied kernel security parameters

Your Alpine system is now much more secure. These settings will protect against common attacks and give you a solid foundation for running services safely. I use this exact setup on all my Alpine servers and it’s never let me down.