The operating system is the foundation. Disable what you don’t run, patch what you do, and remove the default and unused accounts attackers try first.
Why: a service you are not using is pure risk — it can be vulnerable, misconfigured, or a foothold — so disabling and removing unneeded services and closing their ports directly shrinks the attack surface. When: audit what is running and listening, then turn off everything without a clear purpose. Where: this is the first concrete hardening step and the highest-value one.
# See what's running and listening, then remove what you don't need:
systemctl list-units --type=service --state=running
ss -tlnp # listening TCP ports + owning process
systemctl disable --now cups avahi-daemon # stop + disable unneeded services
apt purge telnetd rsh-server # remove insecure/legacy software
# If it's not needed, it shouldn't be running — and ideally not installed.Why: unpatched software is the most exploited weakness there is — known CVEs are attacks adversaries already have — so timely patching closes the vulnerabilities that scanners and exploit kits target first. When: patch on a defined cadence, automate security updates where safe, and prioritize internet-facing and critical systems. Where: this is the defensive mirror of the vulnerability-identification phase in the pentest course — patching removes those findings entirely.
# Keep the system patched (Debian/Ubuntu):
apt update && apt upgrade -y
# Automate security updates so they don't wait for a human:
apt install unattended-upgrades
dpkg-reconfigure -plow unattended-upgrades
# Track WHAT you run (an inventory/SBOM) so when the next critical CVE drops,
# you know in minutes whether you're exposed. Patch internet-facing first.Why: default, unused, and shared accounts are exactly what attackers try first, and orphaned accounts outlive the people who owned them — so account hygiene removes easy footholds. When: disable default/guest accounts, remove departed users, forbid shared logins, and enforce a strong password policy. Where: every account is attack surface; fewer, well-managed accounts are easier to secure and monitor.
# Audit and tidy accounts:
awk -F: '$3>=1000 {print $1}' /etc/passwd # human accounts — recognize them all?
awk -F: '$2==""' /etc/shadow # accounts with NO password (danger)
# Lock/disable rather than leave dormant accounts enabled:
usermod -L olduser # lock
usermod -s /usr/sbin/nologin serviceacct # no interactive shell for services
# Enforce: strong password policy, no shared accounts, remove leavers promptly.