
Security

Linux security is a critical part of keeping a server or personal machine stable and trustworthy. This page collects key practices for hardening a Linux system: keeping it patched, reducing its attack surface and protecting it against common threats. Following them leaves the system well defended against unauthorized access, malware and routine exploitation attempts.


unattended-upgrades

Ensure your Linux system is automatically updated with security patches. Unattended Upgrades enables automatic installation of critical updates without manual intervention, ensuring your system stays secure against newly discovered vulnerabilities.

  1. Install

    sudo apt install unattended-upgrades
  2. Open config

    sudo nano /etc/apt/apt.conf.d/02periodic
  3. Modify config

    /etc/apt/apt.conf.d/02periodic
    # Update below:
    APT::Periodic::Enable "1";
    APT::Periodic::Update-Package-Lists "1";
    APT::Periodic::Download-Upgradeable-Packages "1";
    APT::Periodic::Unattended-Upgrade "1";
    APT::Periodic::AutocleanInterval "1";
    APT::Periodic::Verbose "2";
  4. Verify

    sudo unattended-upgrades -d

Require password for sudo

Require users to authenticate with a password before using sudo privileges. This simple change adds an extra layer of protection by preventing unauthorized users or scripts from executing commands with elevated privileges.

  1. Open config

    sudo nano /etc/sudoers.d/010_user
  2. Modify config

    /etc/sudoers.d/010_user
    # A syntax error in any sudoers file can disable sudo entirely; validate with visudo before saving.
    # Keep only one of the two lines below (the last matching rule wins).
    # Optionally allow sudo without password (less secure)
    {{USERNAME_VAR}} ALL=(ALL) NOPASSWD: ALL
    # Require password for sudo (recommended)
    {{USERNAME_VAR}} ALL=(ALL) PASSWD: ALL

Use ssh keys for authentication

Switch from password-based authentication to SSH key-based authentication. This method is more secure because it removes the risk of password brute-force and guessing attacks: authentication relies on a private key that never leaves the client.

  1. Client

    Create key

    ssh-keygen -t ed25519

    Copy key to host

    # The ~/.ssh directory must already exist on the host for this copy to succeed
    scp ~/.ssh/id_ed25519.pub {{USERNAME_VAR}}@{{SERVER_IP_VAR}}:~/.ssh/id_ed25519.pub
  2. Host

    Add key to authorized keys

    cat ~/.ssh/id_ed25519.pub >> ~/.ssh/authorized_keys

    Secure authorized_keys

    # sshd rejects keys from group- or world-writable files; ~/.ssh itself should be mode 700
    chmod 600 ~/.ssh/authorized_keys

sshd_config

The sshd_config file is a key part of securing SSH. By adjusting its settings, you can control login methods, restrict access and enhance overall SSH security, such as disabling root login and limiting authentication methods.

  1. Open config

    sudo nano /etc/ssh/sshd_config
  2. Modify config

    /etc/ssh/sshd_config
    # sshd uses the FIRST value it finds for a keyword, so make sure no earlier
    # line (or a file pulled in by an Include directive) sets these differently
    # Disable password auth
    # PasswordAuthentication yes
    PasswordAuthentication no
    # Uncomment below to allow only key-based login for root
    # PermitRootLogin prohibit-password
    # Or prevent root login entirely (recommended)
    PermitRootLogin no
    # Uncomment and change port (optional); the firewall and fail2ban rules
    # further down must then use the same port, or you will be locked out
    # Port 22
    Port 2222
    # Only allow these users to log in via SSH (optional)
    AllowUsers username1 username2
  3. Restart ssh

    # Keep the current session open and confirm a new login works before closing it
    sudo service ssh restart

fail2ban

Install and configure Fail2Ban to protect your server from brute-force attacks. Fail2Ban monitors log files for suspicious activity and blocks IPs that repeatedly fail authentication, preventing attackers from gaining access.

  1. Install fail2ban

    sudo apt install fail2ban
  2. Open config

    sudo nano /etc/fail2ban/jail.conf
  3. Modify config (optional)

    /etc/fail2ban/jail.conf
    # jail.conf is replaced on package upgrades; the same keys placed in
    # /etc/fail2ban/jail.local override it and survive updates
    # These settings belong to the [sshd] jail section; under [DEFAULT] they
    # would apply to every jail
    [sshd]
    enabled = true
    # This must change if using a custom ssh port (e.g. port = 2222)
    port = ssh
    filter = sshd
    # Number of seconds that a host is banned
    bantime = 3600
    # A host is banned if it has generated maxretry failures during the last findtime (seconds)
    findtime = 600
    # How many attempts until host is banned
    maxretry = 3
    # Whitelist multiple IPs or subnets separated by spaces, so you cannot ban yourself.
    ignoreip = 127.0.0.1/8 ::1 203.0.113.42 192.168.1.0/24

    Get IPs to whitelist

    # Find external IP
    curl ifconfig.me
    # Network’s internal subnet (for LAN)
    ip addr show
  4. Restart fail2ban service

    sudo service fail2ban restart

ufw firewall

A firewall is your first line of defense against unauthorized access. Installing and configuring a firewall like UFW or iptables ensures that only trusted traffic is allowed to reach your system, reducing exposure to external threats.

  1. Install

    sudo apt install ufw
  2. Allow ssh

    # Opens 22/tcp; if sshd listens on another port (e.g. 2222), allow that port instead
    sudo ufw allow ssh
  3. Deny incoming (optional)

    sudo ufw default deny incoming
  4. Allow outgoing (optional)

    sudo ufw default allow outgoing
  5. Add custom rule (optional)

    # Allow one trusted address to reach a port; "to any port" names the
    # destination port (a bare "port" right after "from" would be the source port)
    sudo ufw allow from {{SERVER_IP_VAR}} to any port $PORT_NUMBER
    # ALLOW IN: 22/tcp (OpenSSH)
    sudo ufw allow OpenSSH
  6. Enable ufw

    sudo ufw enable
  7. Reload ufw

    sudo ufw reload
  8. Check status

    sudo ufw status verbose
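The sshd_config, fail2ban and ufw steps above only protect you when they agree with each other: a custom Port with fail2ban still watching "ssh" and ufw still allowing 22 is the classic lock-out. The script below is an added example, not part of the original page; it checks the three settings against each other on constructed sample files (it assumes "Keyword value" lines in sshd_config, "port = value" lines in the jail file and a saved "ufw status verbose" listing, and does not follow Match blocks or Include directives).

```shell
#!/bin/sh
# Added example (not from the original page): cross-check sshd_config, the
# fail2ban [sshd] jail and the ufw rule set for the inconsistencies that lock
# you out or leave password logins enabled. Assumptions as stated in the lead-in.

# Value sshd uses for a keyword: the FIRST uncommented occurrence wins, so an
# earlier line (e.g. from an Include'd sshd_config.d/*.conf) beats a later one.
sshd_effective() {  # sshd_effective FILE KEYWORD
  awk -v k="$2" 'tolower($1) == tolower(k) { print $2; exit }' "$1"
}

# Port the [sshd] jail watches; "ssh" is the /etc/services name for 22.
jail_sshd_port() {  # jail_sshd_port FILE
  awk '/^\[/ { s = ($1 == "[sshd]") } s && $1 == "port" { print $3; exit }' "$1"
}

# Does the saved ufw listing allow PORT (tcp or any protocol) in? Exit 0 = yes.
ufw_allows_tcp() {  # ufw_allows_tcp STATUSFILE PORT
  grep -Eq "^$2(/tcp)?[^0-9/].*ALLOW( IN)?[[:space:]]" "$1"
}

# Print findings; the exit status is the number of problems (0 = consistent).
audit() {  # audit SSHD_CONFIG JAIL_FILE UFW_STATUS
  n=0
  [ "$(sshd_effective "$1" PasswordAuthentication)" = no ] ||
    { echo "sshd: PasswordAuthentication is not 'no'"; n=$((n + 1)); }
  [ "$(sshd_effective "$1" PermitRootLogin)" = no ] ||
    { echo "sshd: PermitRootLogin is not 'no'"; n=$((n + 1)); }
  port=$(sshd_effective "$1" Port); port=${port:-22}
  jp=$(jail_sshd_port "$2"); [ "$jp" = ssh ] && jp=22
  [ "$jp" = "$port" ] ||
    { echo "fail2ban: [sshd] jail watches port ${jp:-<none>}, sshd listens on $port"; n=$((n + 1)); }
  ufw_allows_tcp "$3" "$port" ||
    { echo "ufw: $port/tcp is not allowed in; 'ufw enable' would lock you out"; n=$((n + 1)); }
  return "$n"
}

# Constructed samples: the page's sshd edits, a jail left on "ssh" (22) and a
# ufw listing as produced by "ufw allow ssh" before the Port was changed.
SAMPLE_DIR=$(mktemp -d)
SSHD_SAMPLE=$SAMPLE_DIR/sshd_config; JAIL_SAMPLE=$SAMPLE_DIR/jail.local; UFW_SAMPLE=$SAMPLE_DIR/ufw.txt
printf '%s\n' 'PasswordAuthentication no' 'PermitRootLogin no' 'Port 2222' > "$SSHD_SAMPLE"
printf '%s\n' '[DEFAULT]' 'bantime = 3600' '[sshd]' 'enabled = true' 'port = ssh' > "$JAIL_SAMPLE"
printf '%s\n' 'Status: active' 'To   Action   From' '22/tcp   ALLOW IN   Anywhere' > "$UFW_SAMPLE"

# Two findings expected here (jail on 22, ufw missing 2222). On a real host:
# sudo ufw status verbose > /tmp/ufw.txt; audit /etc/ssh/sshd_config /etc/fail2ban/jail.conf /tmp/ufw.txt
audit "$SSHD_SAMPLE" "$JAIL_SAMPLE" "$UFW_SAMPLE" || echo "$? problem(s) found"
```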