Cycle Logo

Linux Security Basics

Linux is renowned for its robust security features, making it a preferred choice for servers and critical systems. However, like any operating system, it requires careful configuration and ongoing management to maintain its security posture. This guide introduces fundamental concepts and practices for securing a Linux system, providing a foundation for more advanced security strategies.

Understanding Linux Security

The Linux Security Model

Linux's security model is built on the principle of least privilege, where users and processes are granted only the minimum level of access necessary to perform their tasks. This model is enforced through a combination of user permissions, discretionary access controls (DAC), and mandatory access controls (MAC).

Key Security Features in Linux

  • User and Group Permissions: Linux manages access to files and directories using a system of user and group permissions.
  • Access Control Lists (ACLs): ACLs offer fine-grained control over file permissions beyond the traditional user/group/others model.
  • Mandatory Access Control (MAC): Tools like SELinux and AppArmor enforce MAC, restricting how processes can interact with each other and system resources.
  • Firewalls: Linux provides powerful firewall tools like iptables and nftables to control network traffic.
  • Security-Enhanced Linux (SELinux): SELinux is a kernel security module that enforces MAC policies, further restricting application interactions with the system.

Basic Security Practices

Keep the System Updated

Regularly updating your system is one of the simplest and most effective ways to secure a Linux environment. Applying updates and patches promptly ensures that known vulnerabilities are addressed.

Example: Updating a Debian/Ubuntu System

sudo apt update
sudo apt upgrade

Example: Updating a CentOS/RHEL System

sudo yum update

User and Group Management

Proper user and group management is critical for maintaining system security. Each user should have only the permissions necessary for their role, and the use of the root account should be minimized.

Creating and Managing Users

To create a new user:

sudo useradd -m -s /bin/bash username
sudo passwd username

To add a user to a group:

sudo usermod -aG groupname username

File and Directory Permissions

Linux's permission system controls access to files and directories. Understanding and correctly setting permissions is essential for protecting sensitive data.

Viewing and Setting Permissions

To view the permissions of a file or directory:

ls -l /path/to/file

To change the permissions:

chmod 750 /path/to/file

This command sets the file permissions to read, write, and execute for the owner, read and execute for the group, and no permissions for others.

Securing SSH Access

SSH is a common method for remotely accessing Linux servers, but it is also a frequent target for attackers. Securing SSH access is a key aspect of Linux security.

Best Practices for Securing SSH

  • Disable Root Login: Prevent direct root login over SSH by setting PermitRootLogin no in /etc/ssh/sshd_config.
  • Use SSH Keys: SSH keys provide stronger authentication than passwords. Generate a key pair with ssh-keygen and place the public key in ~/.ssh/authorized_keys on the server.
  • Change the Default Port: Changing the default SSH port from 22 to another port can reduce the risk of automated attacks. Update the Port directive in /etc/ssh/sshd_config.
sudo nano /etc/ssh/sshd_config
# Change or add the line:
Port 2222

Using Firewalls

A firewall controls incoming and outgoing network traffic based on security rules. Linux provides powerful firewall tools like iptables, nftables, and ufw (Uncomplicated Firewall) to manage network security.

Example: Configuring a Simple Firewall with UFW

sudo ufw allow ssh
sudo ufw allow http
sudo ufw enable

This setup allows SSH and HTTP traffic while blocking other incoming connections.

Implementing SELinux or AppArmor

SELinux and AppArmor provide additional layers of security by enforcing MAC policies. They restrict what processes can do, even if those processes are run by a superuser.

Enabling SELinux

On systems where SELinux is available, it is typically installed and enabled by default. You can check its status with:

sestatus

To change the SELinux mode, edit /etc/selinux/config and set SELINUX=enforcing to enforce policies or SELINUX=permissive to allow but log violations.

Monitoring and Logging

Regular monitoring and logging are essential for detecting and responding to security incidents. Linux provides several tools for monitoring system activity and logging events.

Using journalctl for Logs

Systemd's journalctl command allows you to view and filter logs:

sudo journalctl -xe

This command shows the most recent log entries along with any errors or warnings.

Setting Up Log Rotation

Log files can grow large over time, making them difficult to manage. Use logrotate to automatically rotate, compress, and manage log files:

sudo nano /etc/logrotate.conf

Configure log rotation settings to suit your needs, ensuring logs are archived and old logs are removed after a certain period.

Advanced Security Practices

Using Fail2ban

Fail2ban protects your system from brute-force attacks by monitoring logs and blocking suspicious IP addresses.

Installing and Configuring Fail2ban

sudo apt install fail2ban

After installation, configure Fail2ban by editing the configuration files in /etc/fail2ban/. To protect SSH:

sudo nano /etc/fail2ban/jail.local

Update the SSH section:

[sshd]
enabled = true
port    = 2222
filter  = sshd
logpath = /var/log/auth.log
maxretry = 5

Setting Up Intrusion Detection Systems (IDS)

Tools like AIDE (Advanced Intrusion Detection Environment) help detect changes to the filesystem that might indicate a breach.

Installing AIDE

sudo apt install aide

After installation, initialize the database and create a baseline:

sudo aideinit

Run regular checks to compare the current state of the filesystem against the baseline:

sudo aide --check