Security on Linux: Protecting Your Operating System

Linux is known by many as one of the most secure operating systems, and I can confirm this. I’ve used it for years and have had no problems with it. But this doesn’t mean it’s free from threats. Its growing popularity, especially on servers, has made it a prime target for cybercriminals. In this post I’ll walk through a series of essential practices to strengthen security on any Linux system, for both basic home users and server administrators.

What I will mention comes from personal knowledge, as I’ve been managing Linux and servers for years. As they say, you learn by making mistakes, and I’ve learned a lot.

1. The basics: Keep your system updated.

One of the pillars of security in any OS is to keep it updated with the latest security patches. In Linux, this can be done with commands like:

sudo apt update && sudo apt upgrade -y   # Debian-based distros
sudo dnf update                          # Fedora
sudo pacman -Syu                         # Arch Linux

Updates not only fix bugs, they also close known vulnerabilities that could be exploited by attackers. An updated system is a more secure system.

2. Use strong passwords and multi-factor authentication (MFA)

Weak passwords remain one of the primary ways attackers gain unauthorized access. I recommend using strong passwords with at least 12 characters combining letters, numbers, and symbols. If possible, also enable two-factor authentication (2FA) for remote access or sensitive services.

Tools like pwgen or keepassxc are a great help; they can generate and store secure passwords.

3. Properly configure your firewall

A firewall is your first line of defense and the first thing to set up to keep unwanted connections out. (I use UFW.) On Linux, there are powerful tools like ufw (Uncomplicated Firewall) or firewalld, depending on the distribution.

Basic example of how to use or configure UFW:

sudo ufw default deny incoming
sudo ufw default allow outgoing
sudo ufw allow ssh
sudo ufw enable     # enable last, so the SSH allow rule is already in place

This blocks all incoming traffic except for SSH. If you are doing this over an SSH session, make sure the allow rule for SSH is in place before the firewall is enabled, or you will lock yourself out. You can expand and customize rules as needed.

4. Disable unnecessary services.

Each open service or port is a potential vulnerability. Check running services with:

sudo systemctl list-units --type=service

Disable unused services like this:

sudo systemctl disable service-name
sudo systemctl stop service-name

List open ports with:

sudo netstat -tulnp   # or: sudo ss -tulnp (netstat is deprecated on many distributions)

5. Secure SSH configuration

SSH is the most common and well-known protocol for remote access to Linux systems. It’s essential to strengthen it:

  • Change the default port 22 to something less common.
  • Disable password login and use SSH keys.
  • Enable public key authentication.
  • Use fail2ban to block repeated failed login attempts.

Configuration file: /etc/ssh/sshd_config
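As an added example (not part of the original post), here is a small POSIX shell check for the points above against the actual sshd_config directives: Port, PasswordAuthentication, PubkeyAuthentication and, going one step beyond the list, PermitRootLogin. It reads the config from stdin, so it runs on the constructed sample in the script or on the real file with `audit_sshd_config < /etc/ssh/sshd_config`.

```shell
#!/bin/sh
# Added example, not from the original post: audit an sshd_config for the
# hardening points in section 5. Reads the config text from stdin.

# global_config: keep only the global section (everything before the first
# "Match" block, since a Match block runs to the next Match or end of file)
# and drop comment lines, so Match-scoped overrides are not taken as globals.
global_config() {
    sed '/^[[:space:]]*Match[[:space:]]/,$d' | grep -v '^[[:space:]]*#' || true
}

# setting KEY DEFAULT: print the effective value of KEY from the text in $CFG.
# sshd uses the first occurrence of a keyword, so take the first match, and
# fall back to the OpenSSH default when the key is absent. Keywords and values
# are case-insensitive in sshd; assumes the "Keyword value" form.
setting() {
    value=$(printf '%s\n' "$CFG" | grep -iE "^[[:space:]]*$1[[:space:]]+" \
        | head -n 1 | awk '{print tolower($2)}')
    printf '%s' "${value:-$2}"
}

# audit_sshd_config: print one FINDING line per weak setting; always exits 0.
audit_sshd_config() {
    CFG=$(global_config)
    [ "$(setting Port 22)" != "22" ] \
        || echo "FINDING: sshd listens on the default port 22"
    [ "$(setting PasswordAuthentication yes)" = "no" ] \
        || echo "FINDING: password logins are still allowed"
    [ "$(setting PubkeyAuthentication yes)" = "yes" ] \
        || echo "FINDING: public key authentication is disabled"
    [ "$(setting PermitRootLogin prohibit-password)" = "no" ] \
        || echo "FINDING: direct root login over SSH is not fully disabled"
    return 0
}

# Constructed sample: mostly defaults, with a commented-out Port and a
# PasswordAuthentication that only applies inside a Match block.
SAMPLE_WEAK='#Port 2222
PubkeyAuthentication yes
Match User backup
    PasswordAuthentication no'

printf '%s\n' "$SAMPLE_WEAK" | audit_sshd_config
```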

6. Use limited privilege accounts

Never work as root unless absolutely necessary. Use normal privilege accounts and elevate with sudo only when needed.

Properly configure /etc/sudoers (always edit it with visudo, which checks the syntax before saving) to control who can run root-level commands and which ones are allowed.

7. Check logs regularly.

Linux stores important system events in log files under /var/log/.

Key logs to check regularly:

  • /var/log/auth.log – Access and authentication
  • /var/log/syslog or /var/log/messages – General system events
  • /var/log/fail2ban.log – Fail2Ban activity if enabled

You can use tools like logwatch, journalctl, or integrate everything with a SIEM solution if managing multiple systems.
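An added example (not from the original post) of the kind of check worth running over /var/log/auth.log: it counts failed SSH password attempts per source address, which is the same signal fail2ban acts on. The log lines are constructed in the standard sshd format using RFC 5737 documentation addresses.

```shell
#!/bin/sh
# Added example, not from the original post: summarise failed SSH logins from
# auth.log lines (section 7). On a real system:
#     failed_logins_by_ip < /var/log/auth.log
#     flag_repeat_offenders 5 < /var/log/auth.log

# failed_logins_by_ip: count "Failed password" lines per source IP, most
# frequent first. Output lines look like "3 203.0.113.5".
failed_logins_by_ip() {
    awk '/sshd\[[0-9]+\]: Failed password for/ {
             # the source address is the field after "from"
             for (i = 1; i <= NF; i++) if ($i == "from") ip[$(i + 1)]++
         }
         END { for (a in ip) print ip[a], a }' \
    | sort -rn
}

# flag_repeat_offenders THRESHOLD: print only addresses with at least
# THRESHOLD failures, one per line.
flag_repeat_offenders() {
    failed_logins_by_ip | awk -v t="$1" '$1 >= t { print $2 }'
}

# Constructed sample log lines (203.0.113.x, 198.51.100.x and 192.0.2.x are
# documentation addresses; the key fingerprint is a placeholder).
SAMPLE_AUTH_LOG='Jun 12 10:01:02 host sshd[1234]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Jun 12 10:01:05 host sshd[1235]: Failed password for root from 203.0.113.5 port 51240 ssh2
Jun 12 10:01:09 host sshd[1236]: Failed password for invalid user test from 203.0.113.5 port 51250 ssh2
Jun 12 10:02:11 host sshd[1240]: Accepted publickey for alice from 198.51.100.7 port 40000 ssh2: ED25519 SHA256:constructed
Jun 12 10:03:00 host sshd[1250]: Failed password for bob from 192.0.2.9 port 33000 ssh2
Jun 12 10:03:30 host sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/apt update'

echo "Failed SSH logins per source address:"
printf '%s\n' "$SAMPLE_AUTH_LOG" | failed_logins_by_ip
echo "Addresses with 3 or more failures:"
printf '%s\n' "$SAMPLE_AUTH_LOG" | flag_repeat_offenders 3
```

The accepted public key login and the sudo line are deliberately included to show that only the failed password lines are counted.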

8. Scan your system for malware or vulnerabilities.

Although viruses on Linux are rare, they’re not impossible. You can use these useful tools:

  • chkrootkit – Detects rootkits
  • rkhunter – Scans for suspicious modifications
  • clamav – Open-source antivirus
  • lynis – Advanced security audit tool

Example installation and use of lynis:

sudo apt install lynis
sudo lynis audit system

9. I recommend using SELinux or AppArmor

They are mandatory access control (MAC) tools that restrict what processes can do on Linux, even if run as root.

  • SELinux: Used by Red Hat, Fedora, and derivatives.
  • AppArmor: Common in Ubuntu and Debian.

Both offer a solid additional security layer. It’s worth learning and configuring them properly.

10. Mount partitions with security options.

You can further enhance system security by mounting system partitions with options like noexec, nosuid, or nodev.

Example in /etc/fstab:

tmpfs /tmp tmpfs defaults,noexec,nosuid,nodev 0 0

This prevents binaries from being executed directly from /tmp, which is a common technique used by malware. Some installers and package scripts expect to run from /tmp, so test this setting before applying it on a production system.

11. Encrypt your data

To protect sensitive information, you can use LUKS to encrypt entire drives or individual partitions, such as a separate /home.

You can also configure encryption during system installation or later using cryptsetup.

Encryption requires some extra knowledge. I recommend watching YouTube tutorials to avoid data loss. It’s not easy, but not hard either. Intermediate level.

12. Automate backups

Backups are crucial in case something breaks or unexpected issues occur.

I recommend using rsync, borgbackup, duplicity, or restic.

  • Store copies off the main system, on USB, external servers, or cloud.
  • Always encrypt backups: use GPG, or the built-in encryption that tools like borg and restic provide, and transfer them over SSH.

(There are tools that automatically encrypt what you upload to the cloud.)

13. Perform regular port scans

Test your system regularly to check for open ports:

  • nmap: port scanning
  • openvas: vulnerability assessment
  • nikto: web vulnerability scanner

Example usage:

sudo nmap -sS -T4 -Pn -v your-ip   # the SYN scan (-sS) needs root

This command helps identify open ports or exposed services easily.

14. Be careful with file permissions

Don’t assign unnecessary permissions to files or directories. Use:

chmod 644 file.txt     # read/write for owner, read for others
chmod 700 folder/      # only owner can read/write/execute

You can also check for suspicious files with:

find / -perm -4000 -type f 2>/dev/null

This lists files with SUID bit enabled, often used by attackers to escalate privileges.
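Rather than reading the whole find output every time, compare it with a saved baseline so only changes stand out. This is an added example, not from the original post; the baseline and current lists are constructed, and suid_inventory is the only part that touches the real system.

```shell
#!/bin/sh
# Added example, not from the original post: compare the SUID inventory with a
# saved baseline so that only changes need attention (section 14).
# Real-world use:  suid_inventory > ~/suid.baseline      (once, on a clean system)
#                  suid_inventory | new_suid_files "$(cat ~/suid.baseline)"

# suid_inventory: sorted list of SUID files, same find as above.
suid_inventory() {
    find / -perm -4000 -type f 2>/dev/null | sort
}

# new_suid_files BASELINE: read the current list on stdin and print every path
# that is not in BASELINE (a newline-separated list). The baseline is passed
# through the environment so awk sees the paths exactly as given.
# Swapping the two lists reports SUID files that disappeared instead.
new_suid_files() {
    SUID_BASELINE="$1" awk '
        BEGIN {
            n = split(ENVIRON["SUID_BASELINE"], b, "\n")
            for (i = 1; i <= n; i++) if (b[i] != "") known[b[i]] = 1
        }
        NF && !($0 in known)'
}

# Constructed lists standing in for two inventories taken on different days.
SAMPLE_BASELINE='/usr/bin/passwd
/usr/bin/su
/usr/bin/sudo'
SAMPLE_CURRENT='/usr/bin/passwd
/usr/bin/su
/usr/bin/sudo
/usr/local/bin/newtool'

echo "SUID files not in the baseline:"
printf '%s\n' "$SAMPLE_CURRENT" | new_suid_files "$SAMPLE_BASELINE"
```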

15. Constant vigilance

Last but not least, it’s always good to follow a forum or website that keeps you updated on new malware or unusual activity. Stay informed and pay attention to changes in your system.

Although Linux is very secure by default, we sometimes make the mistake of being too confident. Regular system checks are a good idea.