Linux Security

Introduction to Linux Security

Linux security involves protecting systems and data through various mechanisms including access control, network security, encryption, and system monitoring.

Key Security Areas:

  • User authentication
  • File permissions
  • Network security
  • System updates
  • Encryption
  • Auditing
  • Intrusion detection
  • Backup security

Security Basics

# Check system security info
uname -a                  # Kernel version
sestatus                  # SELinux status
cat /etc/security/limits.conf  # Resource limits
cat /var/log/auth.log    # Authentication logs (Debian/Ubuntu; /var/log/secure on RHEL-family systems)

# User security
passwd                    # Change password
chage -l username        # Password aging info
lastlog                  # Last login info
w                        # Current user sessions

# File security info
ls -la                   # File permissions
getfacl file            # ACL information
lsattr file             # File attributes
stat file               # Detailed file info

Access Control

User Management

# User administration
useradd -m -s /bin/bash username
usermod -aG sudo username
passwd username
userdel -r username

# Group management
groupadd groupname
groupmod -n newname oldname
gpasswd -a user group
groupdel groupname

# Permission management
chmod 750 file
chown user:group file
chattr +i file          # Make immutable
setfacl -m u:user:rwx file

# PAM configuration
/etc/pam.d/common-auth
/etc/pam.d/common-password
/etc/pam.d/sshd
/etc/security/access.conf

Sudo Configuration

# /etc/sudoers (edit only with visudo, which syntax-checks the file before saving it)
# User privilege specification
root    ALL=(ALL:ALL) ALL
user    ALL=(ALL:ALL) NOPASSWD: /usr/bin/apt

# Alias specification
# Arguments written after a command must match the invocation exactly:
# "/bin/systemctl start" permits only that bare call, so add the unit name
# (or a deliberate wildcard) to let the user start a specific service
Cmnd_Alias SERVICES = /bin/systemctl start, /bin/systemctl stop
User_Alias ADMINS = user1, user2
ADMINS    ALL=(ALL) SERVICES

# Defaults specification
Defaults        env_reset
Defaults        mail_badpass
Defaults        secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"

Network Security

Firewall Configuration

# UFW (Uncomplicated Firewall)
ufw default deny incoming
ufw default allow outgoing
ufw allow ssh
ufw allow 80/tcp
ufw enable

# iptables (rules are appended in order; the chain policy applies to anything unmatched)
iptables -A INPUT -i lo -j ACCEPT                                       # loopback traffic
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT  # replies to connections this host opened
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -P INPUT DROP                   # set the policy last, after the accept rules, or a remote session is cut off
iptables-save > /etc/iptables/rules.v4   # persist (loaded at boot by iptables-persistent on Debian/Ubuntu)

# Firewalld
firewall-cmd --permanent --add-service=http
firewall-cmd --permanent --add-port=8080/tcp
firewall-cmd --reload

# Network monitoring
netstat -tuln           # Open ports
ss -tuln               # Socket statistics
lsof -i                # Network connections
tcpdump -i eth0        # Packet capture

SSH Hardening

# /etc/ssh/sshd_config
# sshd applies the FIRST value it reads for a keyword, so an earlier duplicate
# (or an Include'd drop-in file) silently wins; validate with "sshd -t" before restarting
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
# Protocol 2 only matters on OpenSSH older than 7.6; protocol 1 was removed there
# and newer releases log the keyword as deprecated
Protocol 2
MaxAuthTries 3
ClientAliveInterval 300
# A CountMax of 0 does not disconnect idle clients: on OpenSSH 8.2+ it disables
# the timeout entirely. 2 drops a client that misses two probes (about 10 minutes)
ClientAliveCountMax 2

# SSH key management
ssh-keygen -t ed25519 -C "user@host"
ssh-copy-id -i ~/.ssh/id_ed25519.pub user@remote
chmod 600 ~/.ssh/id_ed25519
ssh-agent bash
ssh-add ~/.ssh/id_ed25519
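The following check is added here as an example and is not part of the original cheat sheet. It reads an sshd_config the way sshd does (first value for a keyword wins, keywords are case-insensitive, the scan stops at the first Match block) and reports deviations from the hardening settings above. The two config files are constructed samples written to temporary files, and the function names are assumptions of this example.

```sh
#!/bin/sh
# Two constructed sshd_config samples (not real hosts): one with common
# weaknesses, one matching the hardening settings above.
SAMPLE_WEAK="$(mktemp)"
cat > "$SAMPLE_WEAK" <<'EOF'
# constructed sample: note the duplicate PermitRootLogin, the first one is effective
Port 22
PermitRootLogin yes
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
MaxAuthTries 6
ClientAliveInterval 300
ClientAliveCountMax 0
EOF
SAMPLE_HARDENED="$(mktemp)"
cat > "$SAMPLE_HARDENED" <<'EOF'
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
MaxAuthTries 3
ClientAliveInterval 300
ClientAliveCountMax 2
EOF

# Effective value of a keyword. sshd keeps the FIRST value it reads for a
# keyword (later duplicates are ignored), keywords are case-insensitive, and
# both "Key value" and "Key=value" are accepted. Directives after a Match
# block are conditional, so the scan stops there.
sshd_effective() {   # $1 = config file, $2 = keyword
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        { line = $0; sub(/^[[:space:]]+/, "", line) }
        line == "" || line ~ /^#/ { next }
        {
            split(line, parts, /[[:space:]=]+/)
            k = tolower(parts[1])
            if (k == "match") exit
            if (k == key) { print parts[2]; exit }
        }' "$1"
}

# One baseline check: prints a finding and returns 1 when the effective value
# differs from what is required. An unset keyword counts as a finding too,
# because the compiled-in default may be the permissive one
# (PasswordAuthentication defaults to yes).
expect() {   # $1 = config file, $2 = keyword, $3 = required value
    actual="$(sshd_effective "$1" "$2" | tr 'A-Z' 'a-z')"
    if [ "$actual" != "$(printf '%s' "$3" | tr 'A-Z' 'a-z')" ]; then
        echo "FINDING: $2 is '${actual:-unset}', expected '$3'"
        return 1
    fi
}

# Run the baseline and return the number of findings (0 = compliant).
sshd_hardening_check() {   # $1 = config file
    n=0
    expect "$1" PermitRootLogin no        || n=$((n + 1))
    expect "$1" PasswordAuthentication no || n=$((n + 1))
    expect "$1" PubkeyAuthentication yes  || n=$((n + 1))
    v="$(sshd_effective "$1" MaxAuthTries)"
    if [ -z "$v" ] || [ "$v" -gt 3 ]; then
        echo "FINDING: MaxAuthTries is '${v:-unset}', expected 3 or less"; n=$((n + 1))
    fi
    # Idle disconnect needs ClientAliveInterval > 0 and ClientAliveCountMax > 0;
    # CountMax 0 does not mean "disconnect at once": on OpenSSH 8.2+ it disables it.
    i="$(sshd_effective "$1" ClientAliveInterval)"
    c="$(sshd_effective "$1" ClientAliveCountMax)"
    if [ "${i:-0}" -eq 0 ] || [ "${c:-3}" -eq 0 ]; then
        echo "FINDING: idle disconnect off (ClientAliveInterval='${i:-unset}', ClientAliveCountMax='${c:-unset}')"
        n=$((n + 1))
    fi
    return "$n"
}

# Stand-alone run: the weak sample yields three findings
sshd_hardening_check "$SAMPLE_WEAK" || echo "$? finding(s)"
```

Point the function at /etc/ssh/sshd_config on a real host; the checks deliberately treat an unset keyword as a finding so that the policy is explicit in the file rather than dependent on the build's defaults.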

System Hardening

SELinux/AppArmor

# SELinux
setenforce 1            # Enable enforcement (runtime only; set SELINUX=enforcing in /etc/selinux/config to persist)
sestatus               # Check status
ls -Z                  # Show security context
chcon -t type file     # Change context
semanage port -a -t http_port_t -p tcp 8080

# AppArmor
aa-status              # Check status
aa-enforce profile     # Enable enforcement
aa-complain profile    # Set complain mode
aa-genprof program     # Generate profile
aa-logprof            # Update profile

System Auditing

# Auditd configuration (rules added with auditctl are lost at reboot; keep them
# in /etc/audit/rules.d/*.rules and load with "augenrules --load" to persist)
auditctl -w /etc/passwd -p wa -k passwd_changes    # watch writes and attribute changes, tagged with a key
auditctl -w /etc/sudoers -p wa -k sudoers_changes
ausearch -k passwd_changes                          # query recorded events by key
aureport --summary

# File integrity
aide --init              # writes a fresh database (aide.db.new*); move it into place as aide.db before checking
aide --check             # compares the file system against the database
tripwire --init
tripwire --check

# Process monitoring
ps auxf
top
htop
iotop
lsof

Security Monitoring

Log Management

# System logs
journalctl -xe         # System journal
tail -f /var/log/syslog
grep -i error /var/log/messages
zcat /var/log/auth.log.2.gz

# Log rotation
/etc/logrotate.conf
/etc/logrotate.d/*

# Centralized logging
rsyslog configuration (/etc/rsyslog.conf or /etc/rsyslog.d/*.conf):
*.* @logserver:514     # UDP: unreliable and unencrypted
*.* @@logserver:514    # TCP: reliable, still plaintext unless TLS is configured

# Log monitoring
tail -f /var/log/auth.log | grep -i "failed password"
watch 'grep "session opened" /var/log/auth.log'
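As an added example that is not part of the original sheet, the detection the two one-liners above perform, done over a constructed auth.log excerpt so it runs offline: failed-password counts per source address, sources at or above a threshold, probed usernames that do not exist locally, and users who actually opened a session. The addresses are from documentation ranges and the function names are assumptions of this example.

```sh
#!/bin/sh
# Constructed auth.log excerpt (documentation addresses, not real hosts)
SAMPLE_AUTH_LOG="$(mktemp)"
cat > "$SAMPLE_AUTH_LOG" <<'EOF'
Mar  3 10:15:01 host sshd[1234]: Failed password for invalid user admin from 192.0.2.10 port 51234 ssh2
Mar  3 10:15:03 host sshd[1235]: Failed password for root from 192.0.2.10 port 51236 ssh2
Mar  3 10:15:05 host sshd[1236]: Failed password for invalid user test from 192.0.2.10 port 51240 ssh2
Mar  3 10:15:07 host sshd[1237]: Accepted publickey for alice from 198.51.100.7 port 40000 ssh2: ED25519 SHA256:constructedfingerprint
Mar  3 10:15:09 host sshd[1238]: Failed password for bob from 198.51.100.7 port 40002 ssh2
Mar  3 10:16:00 host sshd[1239]: pam_unix(sshd:session): session opened for user alice(uid=1000) by (uid=0)
Mar  3 10:16:30 host sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/apt update
EOF

# Failed-password events per source address, most frequent first ("count ip").
failed_logins_by_ip() {   # $1 = log file
    grep 'Failed password' "$1" \
        | sed -n 's/.* from \([0-9.]*\) port .*/\1/p' \
        | sort | uniq -c | sort -rn \
        | awk '{ print $1, $2 }'
}

# Source addresses whose failure count reaches the threshold: candidates for
# an alert or a fail2ban-style block.
brute_force_sources() {   # $1 = log file, $2 = threshold
    failed_logins_by_ip "$1" | awk -v t="$2" '$1 >= t { print $2 }'
}

# Usernames tried that do not exist locally ("invalid user"): credential
# guessing rather than a real user mistyping a password.
invalid_users_probed() {   # $1 = log file
    sed -n 's/.*Failed password for invalid user \([^ ]*\) from.*/\1/p' "$1" | sort -u
}

# Users who actually opened a session (PAM "session opened" records, both the
# "user alice(uid=1000)" and the older "user alice by (uid=0)" formats).
sessions_opened() {   # $1 = log file
    sed -n 's/.*session opened for user \([^( ]*\).*/\1/p' "$1" | sort -u
}

# Stand-alone run
echo "sources with 3 or more failures:"; brute_force_sources "$SAMPLE_AUTH_LOG" 3
echo "non-existent users probed:";       invalid_users_probed "$SAMPLE_AUTH_LOG"
echo "sessions opened by:";              sessions_opened "$SAMPLE_AUTH_LOG"
```

On a live host replace the sample path with /var/log/auth.log (or /var/log/secure); a single failure from an address that later opens a session is normal, while many failures against several usernames from one address is the pattern worth alerting on.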

Critical Files to Monitor:

  • /etc/passwd - User accounts
  • /etc/shadow - Password hashes
  • /etc/group - Group definitions
  • /etc/sudoers - Sudo privileges
  • /var/log/auth.log - Authentication logs
  • /var/log/secure - Security logs
  • /var/log/audit/audit.log - Audit logs
  • /etc/ssh/* - SSH configuration
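An added example, not the page's own code nor AIDE's or Tripwire's: a minimal version of what those tools do for the files listed above, run over a constructed temporary tree so it is safe to execute anywhere. The function names are assumptions of this example; sha256sum, find and comm are GNU coreutils.

```sh
#!/bin/sh
# Constructed stand-in for the critical files above (a temp dir, not /etc).
# The baseline must live where whoever can edit the files cannot reach it
# (read-only media or a remote store), otherwise it can simply be re-baselined
# along with the tampering.
DEMO_DIR="$(mktemp -d)"
BASELINE="$(mktemp)"
printf 'root:x:0:0:root:/root:/bin/bash\n' > "$DEMO_DIR/passwd"
printf 'root:*:19000:0:99999:7:::\n'      > "$DEMO_DIR/shadow"
printf 'root ALL=(ALL:ALL) ALL\n'         > "$DEMO_DIR/sudoers"
printf 'sudo:x:27:\n'                     > "$DEMO_DIR/group"

# Record "sha256  path" for every file under a directory, sorted by path.
integrity_baseline() {   # $1 = directory, $2 = baseline file to write
    find "$1" -type f -exec sha256sum {} + | sort -k 2 > "$2"
}

# One line per deviation from the baseline. sha256sum -c reports files whose
# content changed or that disappeared; files added since the baseline are
# found by comparing path lists, because -c never looks for them.
integrity_report() {   # $1 = baseline file, $2 = directory
    sha256sum -c --quiet "$1" 2>/dev/null \
        | sed -n 's/^\(.*\): FAILED.*$/CHANGED-OR-MISSING \1/p'
    base_paths="$(mktemp)"; now_paths="$(mktemp)"
    awk '{ sub(/^[^ ]* +/, ""); print }' "$1" | sort > "$base_paths"
    find "$2" -type f | sort > "$now_paths"
    comm -13 "$base_paths" "$now_paths" | sed 's/^/NEW /'
    rm -f "$base_paths" "$now_paths"
}

# Number of deviations (0 means the tree matches the baseline).
integrity_violations() {   # $1 = baseline file, $2 = directory
    integrity_report "$1" "$2" | wc -l | tr -d ' '
}

# Stand-alone run: baseline, verify, then simulate an edit, a deletion and an
# addition, the three kinds of change a file-integrity monitor must catch.
integrity_baseline "$DEMO_DIR" "$BASELINE"
echo "deviations right after baseline: $(integrity_violations "$BASELINE" "$DEMO_DIR")"
printf 'Defaults timestamp_timeout=60\n' >> "$DEMO_DIR/sudoers"
rm -f "$DEMO_DIR/group"
printf 'PermitRootLogin yes\n' > "$DEMO_DIR/sshd_config"
integrity_report "$BASELINE" "$DEMO_DIR"
```

Content hashes alone miss ownership and mode changes (chmod on /etc/shadow, for instance), which is why AIDE also records those attributes; the sha256sum approach is the smallest thing that works when the packaged tools are unavailable.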

Best Practices

System Security:

  • Regular security updates
  • Minimal installed packages
  • Strong password policy
  • File system encryption
  • Service hardening
  • Access control lists
  • Security auditing
  • Backup encryption

Network Security:

  • Firewall configuration
  • SSH hardening
  • Network monitoring
  • Port security
  • SSL/TLS implementation
  • VPN usage
  • Network segmentation
  • Intrusion detection

Operational Security:

  • Regular audits
  • Incident response plan
  • Documentation
  • User training
  • Change management
  • Access reviews
  • Disaster recovery
  • Compliance monitoring