Security
Securing a Linux host is a baseline requirement for any server or personal machine. This page collects the key hardening steps (keeping packages patched, tightening sudo and SSH, rate-limiting login attempts and filtering inbound traffic) that shrink the attack surface and close the routes opportunistic attackers and automated scanners rely on. None of them makes a system unbreakable, but together they remove the easy wins: unpatched services, guessable passwords and unrestricted privilege escalation.
unattended-upgrades
Keep the system patched automatically. unattended-upgrades installs security updates on a schedule without manual intervention, so a newly published fix reaches the host before most attackers get around to scanning for it. The APT::Periodic values below are intervals in days; "1" means daily.
- Install:

```shell
sudo apt install unattended-upgrades
```

- Open the config:

```shell
sudo nano /etc/apt/apt.conf.d/02periodic
```

- Modify the config (`/etc/apt/apt.conf.d/02periodic`):

```
# Update these lines
APT::Periodic::Enable "1";
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Download-Upgradeable-Packages "1";
APT::Periodic::Unattended-Upgrade "1";
APT::Periodic::AutocleanInterval "1";
APT::Periodic::Verbose "2";
```

- Verify. This runs a real upgrade pass with debug output so you can see which origins and packages are considered; add `--dry-run` to simulate without installing anything:

```shell
sudo unattended-upgrades -d
```
Require password for sudo
Raspberry Pi OS ships a sudoers drop-in that lets the default user run sudo without a password, so anyone who gets a shell as that user (a hijacked SSH session, a malicious script, an unlocked terminal) is effectively root. Requiring the password means privilege escalation needs a second secret the attacker may not have. Edit sudoers files with visudo where you can: it refuses to save a file with a syntax error, and a broken sudoers file locks everyone out of sudo. If you chose a different username at first boot, look for that name in the file instead of pi. Deleting the drop-in altogether has the same effect, because the stock rule for the sudo group in /etc/sudoers already asks for a password.

- Open the config:

```shell
sudo nano /etc/sudoers.d/010_pi-nopasswd
```

- Modify the config (`/etc/sudoers.d/010_pi-nopasswd`):

```
# Update this line
# pi ALL=(ALL) NOPASSWD: ALL
pi ALL=(ALL) PASSWD: ALL
```
Use ssh keys for authentication
Switch from passwords to SSH keys. The transport encryption is the same either way; what changes is authentication. A password is a short secret that can be guessed over the network, whereas the private key never leaves the client and the server only holds the public half, so online brute-forcing stops being viable. Generate the key on the client, copy the public key to the host, and confirm a key-based login works before disabling passwords in the next section, or you will lock yourself out.

- Create key (client). RSA as shown works; `-t ed25519` gives a shorter, modern key if both ends support it:

```shell
ssh-keygen -t rsa
```

- Copy key to host (client). This requires ~/.ssh to already exist on the host and overwrites any id_rsa.pub already there:

```shell
scp ~/.ssh/id_rsa.pub {{{USERNAME_VAR}}}@{{{IP_ADDRESS_VAR}}}:~/.ssh/id_rsa.pub
```

- Add key to authorized keys (host). Afterwards make sure ~/.ssh and authorized_keys are writable only by you; sshd (StrictModes, on by default) silently ignores the file otherwise:

```shell
cat ~/.ssh/id_rsa.pub >> ~/.ssh/authorized_keys
```
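The three steps above, done the way `ssh-copy-id` does them, as an added example that is not part of the original page: the function below installs a public key into a user's authorized_keys, creates ~/.ssh if needed, sets the permissions sshd insists on (0700 on the directory, 0600 on the file) and skips keys that are already present, so re-running it never appends duplicates. The key string and the temporary home directory in the demo are constructed for illustration; the key is not a real credential.

```shell
#!/usr/bin/env bash
# Added example (not the original page's code): idempotent authorized_keys install.
# Usage: install_authorized_key "<public key line>" [home-dir]
install_authorized_key() {
    key="$1"
    home="${2:-$HOME}"
    sshdir="$home/.ssh"
    authkeys="$sshdir/authorized_keys"

    # ~/.ssh must exist and be private to the owner; sshd's StrictModes
    # refuses group/world-writable paths
    mkdir -p "$sshdir"
    chmod 700 "$sshdir"

    # create the file if missing and keep it owner-only
    touch "$authkeys"
    chmod 600 "$authkeys"

    # add the key only once: "scp + cat >>" appends a duplicate on every run
    if grep -qxF -- "$key" "$authkeys"; then
        echo "already present"
        return 0
    fi
    printf '%s\n' "$key" >> "$authkeys"
    echo "installed"
}

# how many times a key line appears in a home's authorized_keys (idempotency check)
count_key() {
    grep -cxF -- "$1" "$2/.ssh/authorized_keys"
}

# Constructed sample key for the demo; not a real key.
SAMPLE_KEY="ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedExampleKeyNotRealxxxxxxxxxxxxxxxx demo@client"

# Demo against a throwaway directory, never the real ~/.ssh
demo_home=$(mktemp -d)
install_authorized_key "$SAMPLE_KEY" "$demo_home"   # installed
install_authorized_key "$SAMPLE_KEY" "$demo_home"   # already present
rm -rf "$demo_home"
```

Run it as the target user on the host with the public key text as the first argument, or with an explicit home directory when provisioning another account as root.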
sshd_config
sshd_config controls who can log in and how. With keys working, turn passwords off, decide whether root may log in at all, and optionally move the port. Two details matter when editing it: sshd uses the first occurrence of a directive and ignores later ones, and on recent Debian-based systems the stock file begins with `Include /etc/ssh/sshd_config.d/*.conf`, so a drop-in there overrides anything written below it. Check the file with `sudo sshd -t` before restarting, keep your current session open until a fresh key login succeeds, and treat a custom port as obscurity only: it cuts log noise but stops no one who port-scans, and ufw and fail2ban must be updated to match it.

- Open config:

```shell
sudo nano /etc/ssh/sshd_config
```

- Modify config (`/etc/ssh/sshd_config`):

```
# Disable password auth
#PasswordAuthentication yes
PasswordAuthentication no

# Root login. prohibit-password (the default) already refuses root passwords
# but still lets root in with a key; set "no" to block root logins entirely
#PermitRootLogin prohibit-password
PermitRootLogin prohibit-password

# Uncomment and change port (optional)
#Port 22
Port 2222
```

- Restart ssh:

```shell
sudo service ssh restart
```
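The "first occurrence wins" rule is easy to get wrong when a directive is appended to the end of the file, so here is an added example (not part of the original page and not an OpenSSH tool) that reports the value sshd will actually use for a directive: it scans a single config file, takes the first uncommented match, stops at the first `Match` block (settings there are conditional) and falls back to the upstream defaults for the three directives this page touches. The two sample configs are constructed for the demo. It does not follow `Include` lines; for the real effective configuration, drop-ins and Match blocks included, use `sudo sshd -T`.

```shell
#!/usr/bin/env bash
# Added example (not from the original page): effective-value check for sshd_config.
# Usage: sshd_effective <file> <keyword>  -> first uncommented value, or nothing
sshd_effective() {
    awk -v k="$2" '
        tolower($1) == "match"    { exit }            # conditional section: stop
        tolower($1) == tolower(k) { print $2; exit }  # first occurrence wins
    ' "$1"
}

# value with the upstream default applied when the directive is absent
# (defaults listed here only for the directives used on this page)
sshd_value() {
    v=$(sshd_effective "$1" "$2")
    if [ -n "$v" ]; then
        echo "$v"
        return 0
    fi
    case "$(echo "$2" | tr 'A-Z' 'a-z')" in
        passwordauthentication) echo "yes" ;;
        permitrootlogin)        echo "prohibit-password" ;;
        port)                   echo "22" ;;
        *)                      echo "default" ;;
    esac
}

# audit: returns 0 when hardened, 1 when a weak setting is in effect (printed)
audit_sshd() {
    rc=0
    if [ "$(sshd_value "$1" PasswordAuthentication)" != "no" ]; then
        echo "WEAK: PasswordAuthentication is not 'no'"; rc=1
    fi
    if [ "$(sshd_value "$1" PermitRootLogin)" = "yes" ]; then
        echo "WEAK: PermitRootLogin yes"; rc=1
    fi
    return $rc
}

# Constructed sample configs (not real system files).
# The trap: "no" appended after an existing "yes" changes nothing.
write_trap_config() {
    cat > "$1" <<'EOF'
#PermitRootLogin prohibit-password
PasswordAuthentication yes
Port 2222
PasswordAuthentication no
EOF
}
# Hardened: the Match block only affects user "backup", so the global value stays "no".
write_hardened_config() {
    cat > "$1" <<'EOF'
#PasswordAuthentication yes
PasswordAuthentication no
PermitRootLogin no
Match User backup
    PasswordAuthentication yes
EOF
}

# Demo against the constructed trap file
tmp=$(mktemp -d)
write_trap_config "$tmp/sshd_config"
echo "effective PasswordAuthentication: $(sshd_value "$tmp/sshd_config" PasswordAuthentication)"
audit_sshd "$tmp/sshd_config" || echo "fix the first occurrence, not the last"
rm -rf "$tmp"
```

Point `audit_sshd` at /etc/ssh/sshd_config after editing; if it reports a weak setting you did not expect, look for an earlier line with the same keyword.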
fail2ban
Install Fail2Ban to slow down brute-force attacks. It tails the authentication log, counts failed logins per source IP and inserts a firewall rule that drops traffic from any IP exceeding the limit for a while. This is rate limiting, not a replacement for disabling passwords: with keys only, guessers are locked out anyway and fail2ban mainly keeps the log quieter. Put your settings in /etc/fail2ban/jail.local rather than jail.conf; jail.conf is replaced on package upgrades (its header says not to edit it) and jail.local overrides it. On systems without rsyslog, where /var/log/auth.log does not exist, add `backend = systemd` to the jail so it reads the journal. After restarting, `sudo fail2ban-client status sshd` confirms the jail is running and lists currently banned IPs.

- Install fail2ban:

```shell
sudo apt install fail2ban
```

- Open the override file (created on first edit):

```shell
sudo nano /etc/fail2ban/jail.local
```

- Modify config (`/etc/fail2ban/jail.local`):

```
[sshd]
enabled = true
# This must change if using a custom ssh port, e.g. port = 2222
port = ssh
filter = sshd
# Number of seconds that a host is banned
bantime = 600
# A host is banned if it has generated maxretry during the last findtime
findtime = 600
# How many attempts until host is banned
maxretry = 3
```

- Restart fail2ban service:

```shell
sudo service fail2ban restart
```
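To make findtime and maxretry concrete, here is an added example (not part of the original page and not fail2ban's own code) that replays the sshd jail's ban decision over log lines: an IP is banned the moment it has maxretry failures inside a sliding window of findtime seconds, and is reported once. It assumes ISO 8601 timestamps at the start of each line, GNU `date` for conversion, and matches only "Failed password" lines, which is a narrow stand-in for fail2ban's real sshd filter; the log lines are constructed for the demo.

```shell
#!/usr/bin/env bash
# Added example (not from the original page): dry run of the sshd jail rule.
# Usage: fail2ban_dry_run <logfile> <findtime> <maxretry>  -> banned IPs, one per line
fail2ban_dry_run() {
    grep 'Failed password' "$1" | while IFS= read -r line; do
        # first field is the timestamp; GNU date turns it into epoch seconds
        ts=$(date -d "${line%% *}" +%s)
        ip=$(printf '%s\n' "$line" | sed -n 's/.* from \([0-9.]*\) port .*/\1/p')
        if [ -n "$ip" ]; then
            printf '%s %s\n' "$ts" "$ip"
        fi
    done | awk -v findtime="$2" -v maxretry="$3" '
        {
            ts = $1; ip = $2
            if (ip in banned) next              # report each IP once
            n[ip]++; t[ip, n[ip]] = ts
            # failures from this IP still inside the window ending at this line
            c = 0
            for (i = 1; i <= n[ip]; i++) if (ts - t[ip, i] < findtime) c++
            if (c >= maxretry) { banned[ip] = 1; print ip }
        }'
}

# Constructed auth log (ISO timestamps, as rsyslog's RSYSLOG_FileFormat writes
# them; fractional seconds omitted). Not captured from a real host.
write_sample_log() {
    cat > "$1" <<'EOF'
2024-01-10T12:00:01+00:00 pi sshd[812]: Failed password for invalid user admin from 203.0.113.5 port 40522 ssh2
2024-01-10T12:00:02+00:00 pi sshd[813]: Failed password for root from 198.51.100.7 port 51002 ssh2
2024-01-10T12:00:04+00:00 pi sshd[814]: Accepted publickey for pi from 203.0.113.5 port 40530 ssh2
2024-01-10T12:00:05+00:00 pi sshd[815]: Failed password for invalid user admin from 203.0.113.5 port 40538 ssh2
2024-01-10T12:00:09+00:00 pi sshd[816]: Failed password for pi from 203.0.113.5 port 40544 ssh2
2024-01-10T12:00:12+00:00 pi sshd[817]: Failed password for pi from 203.0.113.5 port 40551 ssh2
2024-01-10T12:20:02+00:00 pi sshd[901]: Failed password for root from 198.51.100.7 port 51210 ssh2
2024-01-10T12:20:10+00:00 pi sshd[902]: Failed password for root from 198.51.100.7 port 51218 ssh2
EOF
}

# Demo with the jail.local values from this page: only 203.0.113.5 reaches
# three failures within 600 s; 198.51.100.7 never has more than two in a window
tmp=$(mktemp)
write_sample_log "$tmp"
echo "would ban (findtime=600, maxretry=3):"
fail2ban_dry_run "$tmp" 600 3
rm -f "$tmp"
```

Widening findtime to an hour also catches the slower second attacker, and raising maxretry to 5 bans nobody in this log; that is the trade-off the two knobs express.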
ufw firewall
A host firewall limits what can reach the system at all. ufw is a front end to the kernel packet filter with a simple rule syntax; its built-in policy already denies incoming and allows outgoing traffic, so most of the work is allowing the few services you actually run. Order matters: allow SSH before enabling ufw, or enabling it over SSH cuts off your own session. `ufw allow ssh` opens 22/tcp by its /etc/services name; if you moved sshd to 2222, allow that port instead.

- Install:

```shell
sudo apt install ufw
```

- Allow SSH (before enabling):

```shell
sudo ufw allow ssh
```

- Default policy for incoming traffic (already ufw's default; setting it explicitly records the intent):

```shell
sudo ufw default deny incoming
```

- Default policy for outgoing traffic (also the default):

```shell
sudo ufw default allow outgoing
```

- Add custom rules (optional). The first restricts a port to one trusted source address; note the `to any port` form, which matches the destination port, whereas `from ADDRESS port N` would match the client's source port and never fire. The second uses the OpenSSH application profile, which resolves to 22/tcp:

```shell
sudo ufw allow from {{{IP_ADDRESS_VAR}}} to any port $PORT_NUMBER
# shown in "ufw status" as: ALLOW IN 22/tcp (OpenSSH) and 22/tcp (OpenSSH (v6))
sudo ufw allow OpenSSH
```

- Enable ufw:

```shell
sudo ufw enable
```

- Reload ufw (after changing rules while it is active):

```shell
sudo ufw reload
```

- Check status:

```shell
sudo ufw status verbose
```