Top 12 Ways to Protect Your Linux Home System


Terminal protection

To improve the security of the system, you can protect console access to it by restricting the root user to certain terminals. You do this by listing the terminals that the superuser may use in /etc/securetty.

It is recommended, although it is not necessary, to allow the superuser to log in from only one terminal, leaving the rest for other users.

Password reminders

Today, a complex password is an absolutely necessary thing. However, it’s even better when passwords are changed regularly. It’s easy to forget about that, so it’s good to use some kind of system reminders about the age of the password, and about when it needs to be changed.

We offer you two ways to organize such reminders. The first is to use the chage command, the second is to set the default values in /etc/login.defs.

The chage command looks like this:

$ chage -M 20 likegeeks

Here we use the -M option to set the maximum password age in days.

You can also run this command without options, in which case it prompts you for the necessary values:

$ chage likegeeks

The second way is to modify the /etc/login.defs file. Here is an example of how the values of interest to us might look. You can change them to the ones you need:


Remember that if you are acting as administrator, you should make users choose complex passwords. You can do this with pam_cracklib.

After installing this module, open /etc/pam.d/system-auth and enter something like this:

password required pam_cracklib.so minlen=12 lcredit=-1 ucredit=-1 dcredit=-2 ocredit=-1


sudo notifications

The sudo command, on the one hand, makes life easier, but on the other it can cause Linux security problems with irreparable consequences. The sudo settings are stored in the /etc/sudoers file. With this file, you can prevent ordinary users from running certain commands as the superuser. In addition, you can have sudo send an email whenever it is used by adding the following to that file:


You also need to turn on the mail_always option:

Defaults mail_always


Secure SSH

When we talk about Linux security, we should not forget the SSH service. SSH is an important system service: it allows you to connect to the system remotely, and sometimes it is the only way to save the situation when something goes wrong, so we are not talking about disabling SSH here.

Here we use CentOS 7, so the SSH configuration file can be found at /etc/ssh/sshd_config. Scanners or bots used by attackers try to connect to SSH using the default port 22.

It is common practice to change the standard SSH port to another, unused port, for example, 5555. The SSH port can be changed by specifying the desired port number in the configuration file. For example:

Port 5555

In addition, you can limit the SSH login for the root user by changing the value of the PermitRootLogin parameter to no:

PermitRootLogin no

And, of course, it is necessary to disable authentication using a password and use public and private keys instead:

PasswordAuthentication no
PermitEmptyPasswords no

Now let’s talk about timeouts for SSH. The problem of timeouts can be solved by setting some parameters. For example, the following settings cause keep-alive packets to be sent automatically after the specified number of seconds. ServerAliveInterval and ServerAliveCountMax are client-side options that belong in ssh_config (for example ~/.ssh/config), not in sshd_config:

ServerAliveInterval 15
ServerAliveCountMax 3
TCPKeepAlive yes

On the server side, in sshd_config, adjusting these parameters increases the connection time:

ClientAliveInterval 30
ClientAliveCountMax 5

You can specify which users are allowed to use SSH:

AllowUsers user1 user2

Permissions can also be assigned at the group level:

AllowGroups group1 group2
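
The settings from this section can be checked mechanically. The script below is an added example, not part of the original article: it audits the global section of an sshd_config for the values recommended above and flags two easy mistakes, client-only ServerAlive* keywords and a misspelled AllowGroup. The function names audit_sshd_config and sample_sshd_config and the sample configuration are made up for the illustration.

```shell
#!/bin/sh
# Added example, not from the original article: check the global section of an
# sshd_config against the settings recommended above. Pass a path, or "-" for stdin.
# Prints one finding per line; exit status is 0 when clean, 1 otherwise.
audit_sshd_config() {
    awk '
    /^[ \t]*(#|$)/ { next }                   # skip comments and blank lines
    { key = tolower($1); val = tolower($2) }  # keywords are case-insensitive
    key == "match" { exit }                   # Match blocks are conditional: stop there
    key ~ /^serveralive(interval|countmax)$/ {
        print "line " NR ": " $1 " is a client option (ssh_config), not an sshd_config keyword"; n++ }
    key == "allowgroup" {
        print "line " NR ": unknown keyword " $1 ", the directive is AllowGroups"; n++ }
    !(key in seen) { seen[key] = val }        # sshd uses the first value it reads
    END {
        split("permitrootlogin passwordauthentication permitemptypasswords", want, " ")
        for (i = 1; i <= 3; i++) {
            v = (want[i] in seen) ? seen[want[i]] : "<unset>"
            if (v != "no") { print want[i] ": expected explicit no, found " v; n++ }
        }
        if (!("allowusers" in seen) && !("allowgroups" in seen)) {
            print "no AllowUsers or AllowGroups restriction in the global section"; n++ }
        exit (n > 0)
    }' "$1"
}

# Constructed sample containing the mistakes this check looks for.
sample_sshd_config() {
    cat <<'EOF'
# constructed example, not a real server configuration
Port 5555
PermitRootLogin yes
PasswordAuthentication no
ServerAliveInterval 15
AllowGroup group1 group2
EOF
}

sample_sshd_config | audit_sshd_config - || echo "sshd_config needs attention"
```

On a real system, run audit_sshd_config /etc/ssh/sshd_config and then confirm the result with sshd -t, which rejects unknown keywords before you restart the service.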


Secure SSH using Google Authenticator

For even more reliable protection of SSH, you can use two-factor authentication, for example, using Google Authenticator. To do this, you first need to install the appropriate program:

$ yum install google-authenticator

Then run it to test the installation:

$ google-authenticator

It also requires that the Google Authenticator application is installed on your phone.

Edit /etc/pam.d/sshd, adding the following:

auth required

Now all that’s left is to tell SSH about all this by adding the following line to the /etc/ssh/sshd_config file:

ChallengeResponseAuthentication yes

Now restart SSH:

$ systemctl restart sshd

When you try to log in using SSH, you will be asked to enter a verification code. As a result, SSH access to your system is now much better protected than before.

Monitoring the file system with Tripwire

Tripwire is a great tool for improving Linux security. It is a host-based intrusion detection system (HIDS).

The task of Tripwire is to monitor activity on the file system: who changes files, and when these changes occur.

In order to install Tripwire, you need access to the EPEL repository. This task is not difficult; you can solve it with the following commands:

$ wget
$ rpm -ivh epel-release-7-9.noarch.rpm

After installing the EPEL repository, you can also install Tripwire:

$ sudo yum install tripwire

Now create a key file:

$ tripwire-setup-keyfiles

You will be asked to enter a complicated password for the key file. After that, you can configure Tripwire, making changes to the file /etc/tripwire/twpol.txt . It is not difficult to work with this file, because each line is equipped with a meaningful comment.

When the program setup is complete, initialize it:

$ tripwire --init

The initialization, during which the system is scanned, will take some time, depending on the size of your files.

Any modification of the protected files is treated as an intrusion: the administrator is notified and has to restore the system using files whose origin he trusts.

For this reason, the necessary changes to the system must be confirmed with Tripwire. To do this, use the following command:

$ tripwire --check

And here’s another recommendation regarding Tripwire. Protect the files twpol.txt and twcfg.txt. This will increase the security of the system.

Tripwire has many parameters and settings. To see its help, use:

$ man tripwire


Using Firewalld

Firewalld is a replacement for iptables that improves Linux network security. Firewalld allows you to make changes to settings without dropping current connections. The firewall runs as a service that lets you add and change rules without restarting, and it uses network zones.

In order to find out if firewalld is currently running, enter the following command:

$ firewall-cmd --state


You can view predefined network zones as follows:

$ firewall-cmd --get-zones


Each of these zones has a certain level of trust.

You can change the default zone as follows:

$ firewall-cmd --set-default-zone=<new-name>

You can get detailed information about a specific zone as follows:

$ firewall-cmd --zone=<zone-name> --list-all

To see a list of all supported services, use the following command:

$ firewall-cmd --get-services


Then you can add new services to the zone or remove existing ones:

$ firewall-cmd --zone=<zone-name> --add-service=<service-name>
$ firewall-cmd --zone=<zone-name> --remove-service=<service-name>

You can display information about all open ports in any zone:

$ firewall-cmd --zone=<zone-name> --list-ports

Add ports to the zone and remove them from it like this:

$ firewall-cmd --zone=<zone-name> --add-port=<port-number/protocol>
$ firewall-cmd --zone=<zone-name> --remove-port=<port-number/protocol>

You can configure and redirect ports:

$ firewall-cmd --zone=<zone-name> --add-forward-port=<port-number>
$ firewall-cmd --zone=<zone-name> --remove-forward-port=<port-number>

Firewalld is a very advanced tool. The most remarkable thing about it is that it keeps working normally while settings are changed, without restarts or service stops. This distinguishes it from the iptables tool, which requires you to restart the service in similar situations.

Switching from firewalld to iptables

Some prefer the iptables firewall to firewalld. If you use firewalld but want to go back to iptables, it’s pretty simple.

First, disable firewalld:

$ systemctl disable firewalld
$ systemctl stop firewalld

Then install iptables:

$ yum install iptables-services
$ touch /etc/sysconfig/iptables
$ touch /etc/sysconfig/ip6tables

Now you can start the iptables service:

$ systemctl start iptables
$ systemctl start ip6tables
$ systemctl enable iptables
$ systemctl enable ip6tables

After all this, restart the computer.

Restriction of compilers

The attacker can compile an exploit on his computer and upload it to the server of interest. Naturally, with this approach, the presence of compilers on the server does not play a role. However, it is better to limit compilers if you do not use them for work, as is the case with most modern server management systems.

First, list all the binary compiler files from the packages, and then set the permissions for them:

$ rpm -q --filesbypkg gcc | grep 'bin'


Create a new group:

$ groupadd compilerGroup

Then change the group of binary compiler files:

$ chown root:compilerGroup /usr/bin/gcc

And one more important thing. You need to change the permissions of these binary files:

$ chmod 0750 /usr/bin/gcc

Now any user outside this group who tries to use gcc will receive an error message.

Preventing modification of files

Immutable files cannot be overwritten by any user, not even one with root rights. No user can modify or delete such a file while the immutable flag is set, and only the root user can remove that flag.

It’s easy to see that this feature protects you, as a superuser, from errors that can disrupt the system. Using this approach, you can protect configuration files or any other files you want.

To make a file immutable, use the chattr command:

$ chattr +i /myscript


The immutable attribute can be removed with this command:

$ chattr -i /myscript


This way you can protect any files, but remember that if you treat system binaries this way, you will not be able to update them until you remove the immutable flag.

Managing SELinux with aureport

SELinux, a mandatory access control system, often turns out to be disabled by default. This does not affect the performance of the system, and SELinux is quite difficult to work with. However, for the sake of security, SELinux can be enabled, and managing it can be simplified with aureport.

The aureport utility allows you to create reports based on the audit log files.

$ aureport --avc


The list of executable files can be displayed with the following command:

$ aureport -x


You can use aureport to create a full authentication report:

$ aureport -au -i


You can also display information about unsuccessful authentication attempts:

$ aureport -au --summary -i --failed


Or, perhaps, a summary of successful authentication attempts:

$ aureport -au --summary -i --success


The aureport utility greatly simplifies the work with SELinux.
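
To show what these reports are built from, the script below summarises raw audit records in the same spirit as aureport -au --summary --failed and aureport --avc. It is an added example, not part of the original article and not how aureport itself is implemented; the function names and the sample records (documentation addresses, made-up pids and serial numbers) are constructed for the illustration.

```shell
#!/bin/sh
# Added example, not from the original article: summarise raw audit records in
# the spirit of the aureport commands above. Pass a log path, or "-" for stdin.

# Failed logins per account and source address (cf. aureport -au --summary --failed).
failed_auth_summary() {
    awk '
    $1 == "type=USER_AUTH" && /res=failed/ {
        acct = "?"; addr = "?"
        for (i = 2; i <= NF; i++) {
            if ($i ~ /^acct=/) { acct = substr($i, 6); gsub(/"/, "", acct) }
            if ($i ~ /^addr=/) addr = substr($i, 6)
        }
        count[acct " " addr]++
    }
    END { for (k in count) print count[k], k }' "$1" | sort -k1,1nr -k2
}

# SELinux denials per process name and object class (cf. aureport --avc).
avc_denial_summary() {
    awk '
    $1 == "type=AVC" && /denied/ {
        comm = "?"; tclass = "?"
        for (i = 2; i <= NF; i++) {
            if ($i ~ /^comm=/) { comm = substr($i, 6); gsub(/"/, "", comm) }
            if ($i ~ /^tclass=/) tclass = substr($i, 8)
        }
        count[comm " " tclass]++
    }
    END { for (k in count) print count[k], k }' "$1" | sort -k1,1nr -k2
}

# Constructed sample records; a real log lives at /var/log/audit/audit.log.
sample_audit_log() {
    cat <<'EOF'
type=USER_AUTH msg=audit(1500000001.100:101): pid=2211 uid=0 auid=4294967295 msg='op=PAM:authentication acct="root" exe="/usr/sbin/sshd" hostname=203.0.113.7 addr=203.0.113.7 terminal=ssh res=failed'
type=USER_AUTH msg=audit(1500000003.200:102): pid=2213 uid=0 auid=4294967295 msg='op=PAM:authentication acct="root" exe="/usr/sbin/sshd" hostname=203.0.113.7 addr=203.0.113.7 terminal=ssh res=failed'
type=USER_AUTH msg=audit(1500000009.300:103): pid=2219 uid=0 auid=4294967295 msg='op=PAM:authentication acct="admin" exe="/usr/sbin/sshd" hostname=198.51.100.20 addr=198.51.100.20 terminal=ssh res=failed'
type=USER_AUTH msg=audit(1500000020.400:104): pid=2230 uid=0 auid=4294967295 msg='op=PAM:authentication acct="likegeeks" exe="/usr/sbin/sshd" hostname=192.0.2.10 addr=192.0.2.10 terminal=ssh res=success'
type=AVC msg=audit(1500000050.500:120): avc:  denied  { read } for  pid=3010 comm="httpd" name="index.html" dev="dm-0" ino=1337 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1500000051.600:121): avc:  denied  { open } for  pid=3010 comm="httpd" name="index.html" dev="dm-0" ino=1337 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1500000060.700:122): avc:  denied  { name_connect } for  pid=3100 comm="nginx" dest=8080 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:http_cache_port_t:s0 tclass=tcp_socket
EOF
}

sample_audit_log | failed_auth_summary -
sample_audit_log | avc_denial_summary -
```

Each output line is a count followed by the account and source address, or by the process name and object class, with the most frequent entries first.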

Using sealert

In addition to aureport, you can use a good Linux security tool called sealert. You can install it like this:

$ yum install setroubleshoot-server setools

Now we have a tool that will issue alerts from the file /var/log/audit/audit.log and give us more information about the problems detected by SELinux.

You can use it like this:

$ sealert -a /var/log/audit/audit.log


The most interesting thing here is that in alerts you can find tips on how to solve the relevant problems.


We hope that the tips given here help you make your Linux installation safer. However, when it comes to protecting information, taking a few measures does not mean that nothing threatens you any more. Whatever security software you use, always stay vigilant and careful.

Dear readers! Do you know any simple but not obvious ways to improve Linux security?
