
Security

Linux security is a critical part of keeping a server or personal machine stable and trustworthy. This page walks through key practices for hardening a Linux system and reducing its exposure to common threats: automatic security updates, a password requirement for sudo, Fail2Ban against brute-force logins, and a UFW firewall. Following them lowers the risk of unauthorized access, malware and exploitation of known vulnerabilities.


unattended-upgrades

Keep the system patched automatically. The unattended-upgrades package installs security updates without manual intervention, so the window between a fix being published and the fix landing on your machine stays short.

  1. Install

    Terminal window
    sudo apt install unattended-upgrades -y
  2. Open config

    Terminal window
    sudo nano /etc/apt/apt.conf.d/20auto-upgrades
  3. Modify config

    /etc/apt/apt.conf.d/20auto-upgrades
    # Update below:
    APT::Periodic::Enable "1";
    APT::Periodic::Update-Package-Lists "1";
    APT::Periodic::Download-Upgradeable-Packages "1";
    APT::Periodic::Unattended-Upgrade "1";
    APT::Periodic::AutocleanInterval "1";
    APT::Periodic::Verbose "2";
  4. Verify

    Terminal window
    sudo unattended-upgrades -d
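Before relying on the file above, it is worth checking it the way apt would read it. The script below is an added example, not part of the page or the unattended-upgrades project: it parses a 20auto-upgrades-style file and reports any of the page's settings that are missing or set to a different value, using two constructed sample files in place of /etc/apt/apt.conf.d/20auto-upgrades.

```shell
#!/bin/sh
# Added example (not from the page or the unattended-upgrades project): check
# that an apt periodic config file contains the settings the page enables, and
# report any that are missing or set to a different value. Two constructed
# sample files stand in for /etc/apt/apt.conf.d/20auto-upgrades.

# key=value pairs the page sets; these four are what actually make updates
# download and install on their own.
REQUIRED_SETTINGS='APT::Periodic::Enable=1
APT::Periodic::Update-Package-Lists=1
APT::Periodic::Download-Upgradeable-Packages=1
APT::Periodic::Unattended-Upgrade=1'

# Print the value of one APT::Periodic::* key from a config file (empty if
# absent). The last assignment wins, as with apt-config itself.
apt_setting() {  # $1 = config file, $2 = key
  sed -n 's/^[[:space:]]*'"$2"'[[:space:]]*"\([^"]*\)";.*/\1/p' "$1" | tail -n 1
}

# Return 0 when every required key carries the required value; otherwise
# print each problem and return 1.
check_auto_upgrades() {  # $1 = config file
  problems=0
  for entry in $REQUIRED_SETTINGS; do
    key=${entry%=*}
    want=${entry#*=}
    have=$(apt_setting "$1" "$key")
    if [ "$have" != "$want" ]; then
      echo "  $key should be \"$want\" but is \"${have:-unset}\""
      problems=$((problems + 1))
    fi
  done
  [ "$problems" -eq 0 ]
}

WEAK_CONF=$(mktemp)
GOOD_CONF=$(mktemp)
trap 'rm -f "$WEAK_CONF" "$GOOD_CONF"' EXIT

# Constructed sample: package lists refreshed, nothing ever installed.
cat > "$WEAK_CONF" <<'EOF'
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Unattended-Upgrade "0";
EOF

# Constructed sample: the file as the page configures it.
cat > "$GOOD_CONF" <<'EOF'
APT::Periodic::Enable "1";
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Download-Upgradeable-Packages "1";
APT::Periodic::Unattended-Upgrade "1";
APT::Periodic::AutocleanInterval "1";
APT::Periodic::Verbose "2";
EOF

echo "weak config:"; check_auto_upgrades "$WEAK_CONF" || echo "  -> not installing updates automatically"
echo "page config:"; check_auto_upgrades "$GOOD_CONF" && echo "  -> OK"
```

On a live host, run check_auto_upgrades /etc/apt/apt.conf.d/20auto-upgrades. Other files in /etc/apt/apt.conf.d can override yours, so apt-config dump | grep Periodic shows the merged view apt actually uses, and sudo unattended-upgrade --dry-run -d performs the verify step above without installing anything.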

Require password for sudo

Require users to authenticate with a password before using sudo privileges. This simple change adds an extra layer of protection by preventing unauthorized users or scripts from executing commands with elevated privileges.

  1. Open config

    Terminal window
    sudo visudo -f /etc/sudoers.d/010_{{USERNAME_VAR}}-nopasswd
  2. Modify config

    /etc/sudoers.d/010_{{USERNAME_VAR}}-nopasswd
    # The line below grants passwordless sudo. Comment it out (as shown) to require a password (recommended).
    # {{USERNAME_VAR}} ALL=(ALL) NOPASSWD: ALL
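The rule above lives in one file, but any file under /etc/sudoers.d can carry the same grant. The script below is an added example, not part of the page: it lists every uncommented NOPASSWD rule in a sudoers.d directory, using constructed sample files and placeholder user names in place of /etc/sudoers.d.

```shell
#!/bin/sh
# Added example (not from the page): find live NOPASSWD grants in a sudoers.d
# directory, skipping commented-out lines. Constructed files stand in for
# /etc/sudoers.d; the user names are placeholders.

# Print "file:line: rule" for every uncommented rule containing NOPASSWD.
audit_nopasswd() {  # $1 = directory to scan
  for f in "$1"/*; do
    [ -f "$f" ] || continue
    awk -v file="$f" '
      /^[[:space:]]*#/ { next }                              # comment line
      /NOPASSWD/       { printf "%s:%d: %s\n", file, NR, $0 }
    ' "$f"
  done
}

# Exit 0 when no NOPASSWD grant is active in the directory, 1 otherwise.
sudo_requires_password() {  # $1 = directory to scan
  [ "$(audit_nopasswd "$1" | wc -l)" -eq 0 ]
}

# Constructed sample directory.
SUDOERS_DIR=$(mktemp -d)
trap 'rm -rf "$SUDOERS_DIR"' EXIT
# The kind of file the page edits, before the change: still grants NOPASSWD.
printf '%s\n' 'exampleuser ALL=(ALL) NOPASSWD: ALL' > "$SUDOERS_DIR/010_exampleuser-nopasswd"
# The same kind of file after the change: grant commented out.
printf '%s\n' '# otheruser ALL=(ALL) NOPASSWD: ALL' > "$SUDOERS_DIR/020_otheruser-nopasswd"
# A rule that already requires a password.
printf '%s\n' 'admin ALL=(ALL) ALL' > "$SUDOERS_DIR/030_admin"

audit_nopasswd "$SUDOERS_DIR"
if sudo_requires_password "$SUDOERS_DIR"; then
  echo "OK: sudo always asks for a password"
else
  echo "FIX: comment out the grants listed above"
fi
```

After editing, sudo visudo -cf /etc/sudoers.d/<file> checks the syntax of the file; a malformed sudoers file can lock you out of sudo entirely, which is why the page opens it with visudo rather than a plain editor.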

fail2ban

Install and configure Fail2Ban to protect your server from brute-force attacks. Fail2Ban monitors log files for suspicious activity and blocks IPs that repeatedly fail authentication, preventing attackers from gaining access.

  1. Install fail2ban

    Terminal window
    sudo apt install fail2ban -y
  2. Open config

    Terminal window
    sudo nano /etc/fail2ban/jail.local
  3. Modify config (optional)

    /etc/fail2ban/jail.local
    [DEFAULT]
    bantime.increment = true
    bantime.factor = 1
    bantime.maxtime = 5w
    [sshd]
    enabled = true
    port = ssh
    filter = sshd
    backend = systemd
    maxretry = 3
    findtime = 600
    bantime = 3600
    ignoreip = 127.0.0.1/8 ::1 192.168.100.0/24
  4. Restart service

    Terminal window
    sudo systemctl restart fail2ban
  5. Check status

    Terminal window
    sudo fail2ban-client status sshd
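To see what maxretry, findtime and the bantime.* settings above actually do before deploying them, here is an added example (not fail2ban code and not from the page) that replays the jail's counting logic over constructed sshd log lines and computes the ban lengths bantime.increment produces. Timestamps, IPs and user names are constructed; the ban-length formula is the default bantime.formula documented in fail2ban's jail.conf.

```shell
#!/bin/sh
# Added example (not fail2ban code): replay the sshd jail's maxretry/findtime
# logic over constructed log lines, and compute the escalating ban length that
# bantime.increment produces. Values mirror the jail.local on this page.

MAXRETRY=3                   # failures allowed ...
FINDTIME=600                 # ... within this many seconds
BANTIME=3600                 # first ban, seconds
BANFACTOR=1                  # bantime.factor (integer here)
MAXTIME=$((5 * 7 * 86400))   # bantime.maxtime = 5w
IGNOREIP="127.0.0.1 ::1"     # exact addresses only; real fail2ban also takes CIDR

# Constructed sample log. Timestamps are epoch seconds so the window
# arithmetic stays visible; real journal lines carry a human-readable date.
SAMPLE_LOG='1700000000 Failed password for root from 203.0.113.7 port 50111 ssh2
1700000030 Failed password for invalid user admin from 203.0.113.7 port 50112 ssh2
1700000070 Failed password for root from 203.0.113.7 port 50113 ssh2
1700000100 Accepted publickey for deploy from 192.168.100.12 port 40022 ssh2
1700000200 Failed password for root from 198.51.100.9 port 41000 ssh2
1700001500 Failed password for root from 198.51.100.9 port 41001 ssh2
1700001600 Failed password for root from 198.51.100.9 port 41002 ssh2
1700002000 Failed password for root from 127.0.0.1 port 42000 ssh2
1700002010 Failed password for root from 127.0.0.1 port 42001 ssh2
1700002020 Failed password for root from 127.0.0.1 port 42002 ssh2'

# Read log lines on stdin; print each IP (once) at the moment its failed
# logins reach MAXRETRY inside a sliding FINDTIME window.
ips_to_ban() {
  awk -v maxretry="$MAXRETRY" -v findtime="$FINDTIME" -v ignore="$IGNOREIP" '
    BEGIN { n = split(ignore, ig, " "); for (i = 1; i <= n; i++) skip[ig[i]] = 1 }
    /Failed password/ {
      ts = $1
      for (i = 1; i <= NF; i++) if ($i == "from") ip = $(i + 1)
      if (ip in skip) next
      cnt[ip]++; seen[ip, cnt[ip]] = ts
      recent = 0
      for (k = 1; k <= cnt[ip]; k++) if (ts - seen[ip, k] <= findtime) recent++
      if (recent >= maxretry && !(ip in banned)) { banned[ip] = 1; print ip }
    }'
}

# Ban length after N previous bans (N starts at 0), using the default
# bantime.formula from fail2ban's jail.conf:
#   ban.Time * (1 << min(ban.Count, 20)) * banFactor, capped at bantime.maxtime
ban_duration() {  # $1 = number of previous bans for this IP
  count=$1
  [ "$count" -gt 20 ] && count=20
  secs=$((BANTIME * (1 << count) * BANFACTOR))
  [ "$secs" -gt "$MAXTIME" ] && secs=$MAXTIME
  echo "$secs"
}

echo "IPs that would be banned:"
printf '%s\n' "$SAMPLE_LOG" | ips_to_ban
for c in 0 1 2 10; do
  echo "ban #$((c + 1)) lasts $(ban_duration "$c") seconds"
done
```

Only 203.0.113.7 is banned: 198.51.100.9 also fails three times, but its first failure falls outside the 600-second window, and 127.0.0.1 is on the ignore list. The real service matches journal entries (backend = systemd) through the sshd filter's regexes rather than the fixed "Failed password" string used here. sudo fail2ban-client status sshd from step 5 shows the live counterpart: current and total failed and banned counts plus the banned IP list.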

ufw firewall

A firewall is your first line of defense against unauthorized access. Installing and configuring a firewall like UFW or iptables ensures that only trusted traffic is allowed to reach your system, reducing exposure to external threats.

  1. Install

    Terminal window
    sudo apt install ufw -y
  2. Deny incoming

    Terminal window
    sudo ufw default deny incoming
  3. Allow outgoing

    Terminal window
    sudo ufw default allow outgoing
  4. Allow SSH

    Replace port number if your SSH port is different.

    Terminal window
    sudo ufw allow 22/tcp
  5. Tailscale (optional)


    1. Allow routed traffic

      Required for exit node/subnet routing.

      Terminal window
      sudo ufw default allow routed
    2. Allow Tailscale network

      Allow everything coming in from your Tailscale network.

      Terminal window
      sudo ufw allow in on tailscale0
    3. Tailscale performance (optional)

      Helps Tailscale make direct “peer-to-peer” connections.

      Terminal window
      sudo ufw allow 41641/udp
    4. Enable packet forwarding

      Tell the kernel to allow packets to be routed through the server. Open the UFW sysctl configuration:

      Terminal window
      sudo nano /etc/ufw/sysctl.conf

      Uncomment the following line:

      /etc/ufw/sysctl.conf
      net/ipv4/ip_forward=1
    5. Add NAT masquerading

      This allows Tailscale devices to “hide” behind the server’s public IP. Open the before.rules file:

      Terminal window
      sudo nano /etc/ufw/before.rules

      Add this block at the very top of the file, above the *filter line (replace eth0 with your internet interface name):

      /etc/ufw/before.rules
      # NAT table rules
      *nat
      :POSTROUTING ACCEPT [0:0]
      # Forward traffic from Tailscale through the public interface
      -A POSTROUTING -s 100.64.0.0/10 -o eth0 -j MASQUERADE
      COMMIT
  6. Allow web access (optional)

    Required for web server (e.g., Nginx Proxy Manager, Caddy)

    Terminal window
    sudo ufw allow 80,443/tcp
  7. Add custom rule (optional)

    Allow a specific host to reach one port. Keep "to any port" in the command: a port given directly after "from" would match the source port, not the destination.

    Terminal window
    sudo ufw allow from {{SERVER_IP_VAR}} to any port {{PORT_NUMBER_VAR}}
  8. Enable ufw

    Terminal window
    sudo ufw enable
  9. Reload ufw

    Terminal window
    sudo ufw reload
  10. Check status

    Terminal window
    sudo ufw status verbose
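The steps above are easy to run out of order, and the Tailscale edits to sysctl.conf and before.rules are easy to get subtly wrong. The script below is an added example, not from the page or the ufw project: it applies the baseline rules in an order that keeps a remote SSH session alive and checks the two Tailscale-related files. DRY_RUN=1 (the default here) only prints the ufw commands; SSH_PORT, the host IP and port passed in, and the constructed sample files are assumptions.

```shell
#!/bin/sh
# Added example (not from the page or the ufw project): apply the page's ufw
# baseline in an order that keeps an SSH session alive, and check the two
# Tailscale-related files. DRY_RUN=1 (the default here) only prints the ufw
# commands; SSH_PORT, the host IP and port passed in, and the constructed
# sample files are assumptions.

SSH_PORT=${SSH_PORT:-22}
DRY_RUN=${DRY_RUN:-1}

# Run one ufw command, or print it when DRY_RUN=1.
ufw_cmd() {
  if [ "$DRY_RUN" = 1 ]; then echo "sudo ufw $*"; else sudo ufw "$@"; fi
}

# $1 = trusted host IP, $2 = port that host may reach.
apply_ufw_baseline() {
  ufw_cmd default deny incoming
  ufw_cmd default allow outgoing
  # SSH must be allowed before "enable", or a remote session is cut off.
  ufw_cmd allow "$SSH_PORT/tcp"
  # Host-specific rule: "to any port" makes $2 the destination port. Writing
  # "from $1 port $2" instead would match the source port and do nothing useful.
  ufw_cmd allow from "$1" to any port "$2" proto tcp
  ufw_cmd --force enable      # --force skips the interactive "Proceed?" prompt
  ufw_cmd status verbose
}

# True when a ufw sysctl.conf (keys spelled with '/') turns on forwarding.
forwarding_enabled() {  # $1 = sysctl.conf path
  grep -Eq '^[[:space:]]*net/ipv4/ip_forward[[:space:]]*=[[:space:]]*1' "$1"
}

# True when before.rules has a *nat table with a MASQUERADE rule for the
# Tailscale range that leaves via the given interface. Catches the common
# slip of leaving "eth0" in place on a host whose uplink is named differently.
nat_block_ok() {  # $1 = before.rules path, $2 = WAN interface name
  awk -v wan="$2" '
    /^\*nat/  { in_nat = 1 }
    /^COMMIT/ { in_nat = 0 }
    in_nat && /^-A POSTROUTING/ && /-s 100\.64\.0\.0\/10/ && /MASQUERADE/ && $0 ~ ("-o " wan "( |$)") { ok = 1 }
    END { exit !ok }
  ' "$1"
}

# Constructed samples standing in for /etc/ufw/sysctl.conf and before.rules.
TMP=$(mktemp -d); trap 'rm -rf "$TMP"' EXIT
printf 'net/ipv4/ip_forward=1\n' > "$TMP/sysctl.conf"
cat > "$TMP/before.rules" <<'EOF'
# NAT table rules
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 100.64.0.0/10 -o eth0 -j MASQUERADE
COMMIT
*filter
:ufw-before-input - [0:0]
COMMIT
EOF

apply_ufw_baseline 192.0.2.10 8080
forwarding_enabled "$TMP/sysctl.conf" && echo "forwarding: on"
nat_block_ok "$TMP/before.rules" eth0 && echo "NAT for eth0: present"
nat_block_ok "$TMP/before.rules" ens3 || echo "NAT for ens3: missing (interface name not replaced?)"
```

Run with DRY_RUN=0 to execute the commands for real, and pass the interface name from ip route show default to nat_block_ok /etc/ufw/before.rules so the check reflects the host's actual uplink. If the NAT rule names the wrong interface, Tailscale clients using the exit node simply lose internet access with no error from ufw.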