Table of Contents
Why Linux Security Still Matters
Linux has a well-earned reputation for being more secure than many other operating systems. Its open-source nature means vulnerabilities are publicly reviewed and patched quickly, its permission model is robust, and its smaller desktop market share makes it a less attractive target for mass-market malware. However, this reputation sometimes breeds complacency.
Linux systems are not immune to attacks. They face threats from misconfigured services, unpatched vulnerabilities, weak passwords, privilege escalation exploits, and targeted attacks. Linux servers power much of the internet, making them high-value targets for attackers seeking to compromise web servers, databases, and cloud infrastructure. Desktop Linux users who assume they are inherently safe may neglect basic security practices that would prevent compromise.
Whether you run Linux on your desktop, manage a home server, or administer production systems, applying security hardening practices significantly reduces your attack surface and strengthens your defenses.
User Management and Authentication
Principle of Least Privilege
Never use the root account for daily tasks. Create a standard user account for regular use and use sudo for administrative tasks that require elevated privileges. This ensures that malware or mistakes during normal operations cannot modify system files or install software without explicit authorization.
Review existing user accounts periodically and remove any that are no longer needed. Each unnecessary account is a potential entry point for an attacker. Check the /etc/passwd and /etc/shadow files for accounts you do not recognize.
Strong Authentication
Set strong passwords for all user accounts using a reliable password generator. Configure password aging policies to require periodic password changes. Consider disabling password authentication entirely for remote access in favor of SSH key authentication, which is far more resistant to brute-force attacks.
Implement failed login attempt lockouts using tools like fail2ban, which monitors log files and automatically blocks IP addresses that show signs of brute-force attacks. This simple measure stops the vast majority of automated password-guessing attacks.
Firewall Configuration
UFW for Simplicity
Uncomplicated Firewall, or UFW, provides a user-friendly interface for managing Linux firewall rules on Debian and Ubuntu-based systems. Start by setting the default policy to deny all incoming connections and allow all outgoing connections. Then selectively open only the ports you need.
Basic UFW setup involves running sudo ufw default deny incoming, followed by sudo ufw default allow outgoing, then opening specific ports like sudo ufw allow ssh for remote access. Enable the firewall with sudo ufw enable and verify your rules with sudo ufw status verbose.
Iptables for Advanced Control
For more granular control, iptables allows you to define precise rules for packet filtering, NAT, and traffic management. While the learning curve is steeper, iptables provides the flexibility needed for complex network configurations. Modern systems may use nftables, the successor to iptables, which offers improved syntax and performance.
Regardless of which firewall tool you use, the principle remains the same: deny everything by default and explicitly allow only the traffic your system requires.
SSH Hardening
SSH is the primary remote access method for Linux systems and therefore a high-priority hardening target. Apply these configurations in your /etc/ssh/sshd_config file to substantially improve SSH security.
Disable root login over SSH by setting PermitRootLogin no. Change the default SSH port from 22 to a non-standard port to reduce automated scanning noise. Disable password authentication and require SSH key pairs instead by setting PasswordAuthentication no. Limit SSH access to specific users with the AllowUsers directive.
Use strong SSH key pairs with at least 4096-bit RSA keys or Ed25519 keys, which provide excellent security with better performance. Protect your private key with a passphrase, and never share it or store it in an unsecured location.
System Updates and Patching
Automatic Security Updates
Configure automatic security updates to ensure critical patches are applied promptly. On Ubuntu and Debian systems, install and configure unattended-upgrades to automatically install security updates. On Fedora and Red Hat systems, use dnf-automatic for the same purpose.
While automatic full-system upgrades can occasionally cause compatibility issues, automatic security updates rarely do, and the security benefit far outweighs the minimal risk of disruption.
Kernel Updates
Keep your Linux kernel updated, as kernel vulnerabilities can allow privilege escalation from a standard user account to root access. On systems where reboots are disruptive, consider using live patching services like Canonical's Livepatch or Red Hat's kpatch, which apply kernel security fixes without requiring a restart.
Filesystem Security and Encryption
Filesystem Permissions
Review file and directory permissions regularly. Ensure that sensitive configuration files are readable only by their owners and the root user. Use the find command to identify files with overly permissive settings, such as world-writable files or files with SUID bits set unnecessarily.
Disk Encryption with LUKS
Encrypt your hard drives using LUKS to protect data at rest. If your laptop is stolen or your server's drives are physically accessed, full-disk encryption ensures the data remains unreadable without the correct passphrase. Most Linux distributions offer LUKS encryption as a straightforward option during installation.
Mandatory Access Control
AppArmor and SELinux
Beyond standard filesystem permissions, mandatory access control systems like AppArmor and SELinux provide an additional layer of security by restricting what each program is allowed to do, regardless of the user running it. AppArmor, used by default on Ubuntu and SUSE, defines per-application profiles that limit file access, network capabilities, and other operations. SELinux, used by default on Fedora and Red Hat, provides fine-grained policy-based access controls.
Do not disable these systems even if they occasionally cause compatibility issues. Instead, learn to create and modify profiles that allow your applications to function while maintaining security boundaries. The protection they provide against zero-day exploits and compromised applications is invaluable.
Hardening Linux security is an iterative process. Start with the fundamentals outlined here, and continuously review and improve your security posture as your knowledge grows and threats evolve.
Share this article
Raimundo Coelho
Cybersecurity specialist and technology professor with over 20 years of experience in IT. Graduated from Universidade Estácio de Sá. Writing practical guides to help you protect your data and stay safe in the digital world.
