
Linux Security Configuration

Mattscreative edited this page Dec 5, 2025 · 2 revisions

Linux Security Configuration Guide

A complete, beginner-friendly guide to securing your Linux system on Arch Linux, CachyOS, and other distributions. It covers firewall setup, user management, file permissions, encryption, SSH security, and best practices.


Table of Contents

  1. Understanding Linux Security
  2. Firewall Configuration
  3. User Management
  4. File Permissions
  5. Disk Encryption
  6. SSH Security
  7. System Updates
  8. Security Best Practices

Understanding Linux Security

Security Principles

Linux security is based on several principles:

  1. Least privilege: Give users only the access they need
  2. Defense in depth: Use multiple security layers
  3. Regular updates: Keep the system updated
  4. Strong passwords: Use secure passwords
  5. Access control: Control who can access what

Security Layers

Multiple layers:

  • Firewall: Network security
  • User permissions: File access control
  • Encryption: Data protection
  • Updates: Security patches
  • Monitoring: Detect issues

Firewall Configuration

UFW (Uncomplicated Firewall)

Install UFW:

# Arch/CachyOS
sudo pacman -S ufw

# Debian/Ubuntu
sudo apt install ufw

# Fedora
sudo dnf install ufw

Enable firewall:

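# Enable firewall
# (on a remote SSH session, add the "allow ssh" rule shown below first,
#  otherwise enabling the firewall can lock you out)
sudo ufw enable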

# Check status
sudo ufw status

Common rules:

# Allow SSH
sudo ufw allow ssh

# Allow HTTP/HTTPS
sudo ufw allow 80/tcp
sudo ufw allow 443/tcp

# Deny port
sudo ufw deny 8080/tcp

firewalld

Install firewalld:

# Arch/CachyOS
sudo pacman -S firewalld

# Debian/Ubuntu
sudo apt install firewalld

# Fedora (usually pre-installed)
sudo dnf install firewalld

Enable service:

sudo systemctl enable --now firewalld

Configure zones:

# List zones
sudo firewall-cmd --get-zones

# Set default zone
sudo firewall-cmd --set-default-zone public

# Allow service
sudo firewall-cmd --add-service=http --permanent
sudo firewall-cmd --reload

iptables

Advanced firewall:

# Install iptables
sudo pacman -S iptables

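# Basic rules (rules are checked top to bottom, so order matters)
# Allow loopback traffic
sudo iptables -A INPUT -i lo -j ACCEPT
# Allow replies to connections that are already established
sudo iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Allow incoming SSH
sudo iptables -A INPUT -p tcp --dport 22 -j ACCEPT
# Drop everything else
sudo iptables -A INPUT -j DROP

# Save rules (a plain "sudo iptables-save > file" fails because the
# redirect runs as your own user, so write the file through "sudo tee")
sudo iptables-save | sudo tee /etc/iptables/iptables.rules > /dev/null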

User Management

Create User

Add user:

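# Create user with a home directory and add it to the wheel (admin) group
# (Debian/Ubuntu use the "sudo" group instead of "wheel")
sudo useradd -m -G wheel username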

# Set password
sudo passwd username

Sudo Configuration

Configure sudo:

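# Edit sudoers (visudo checks the syntax before saving)
sudo visudo

# In the editor, ensure this line is present and uncommented
# so that the wheel group has sudo:
%wheel ALL=(ALL) ALL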

Disable Root Login

Secure root:

# Lock root account (first confirm that your own user can run sudo)
sudo passwd -l root

# Or disable root login in SSH
# Edit /etc/ssh/sshd_config
# Set: PermitRootLogin no

File Permissions

Understanding Permissions

File permissions:

# View permissions
ls -l file

# Output example:
# -rw-r--r-- 1 user group 1024 Jan 15 10:00 file

Permission bits:

  • Owner: Read, Write, Execute
  • Group: Read, Write, Execute
  • Others: Read, Write, Execute

Set Permissions

Change permissions:

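# Set permissions
chmod 755 file      # owner: rwx, group: r-x, others: r-x
chmod u+x file      # add execute for the owner
chmod g-w file      # remove write for the group

# Recursive (applies 755 to every file and directory below it,
# so regular files also become executable)
chmod -R 755 directory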
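
The recursive case above, as an added example that is not part of the original guide: it lists entries that "others" can write to, then normalizes a tree so that directories end up `rwxr-xr-x` while plain data files end up `rw-r--r--`. The function names and the demo tree are hypothetical and constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original guide); helper names are hypothetical.

# List world-writable files, and world-writable directories that lack the
# sticky bit (sticky directories such as /tmp are expected to be writable).
world_writable() {
    find "$1" -xdev \( \( -type f -perm -0002 \) -o \
        \( -type d -perm -0002 ! -perm -1000 \) \) -print
}

# Like "chmod -R 755", but capital X adds execute only to directories and
# to files that already had an execute bit, so data files become rw-r--r--.
normalize_tree() {
    chmod -R u=rwX,go=rX "$1"
}

# Permission string as shown by "ls -l", e.g. -rw-r--r--
mode_of() {
    ls -ld "$1" | cut -c1-10
}

# Constructed demo tree in a temporary directory.
demo=$(mktemp -d)
mkdir "$demo/shared"
echo "notes" > "$demo/shared/data.txt"
printf '#!/bin/sh\necho hi\n' > "$demo/run.sh"
chmod 777 "$demo/shared" "$demo/run.sh"
chmod 666 "$demo/shared/data.txt"

echo "World-writable before:"
world_writable "$demo"
normalize_tree "$demo"
echo "After: data.txt $(mode_of "$demo/shared/data.txt"), run.sh $(mode_of "$demo/run.sh")"
rm -rf "$demo"
```
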

Change Ownership

Change owner:

# Change owner
sudo chown user:group file

# Recursive
sudo chown -R user:group directory

Disk Encryption

LUKS Encryption

Encrypt partition:

# Encrypt partition (this erases all existing data on /dev/sda2)
sudo cryptsetup luksFormat /dev/sda2

# Open encrypted partition
sudo cryptsetup open /dev/sda2 cryptroot

# Format
sudo mkfs.ext4 /dev/mapper/cryptroot

See Disk Encryption for a detailed guide.


SSH Security

Harden SSH

Edit SSH config:

# Edit config
sudo vim /etc/ssh/sshd_config

Security settings:

PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
MaxAuthTries 3

Restart SSH:

sudo systemctl restart sshd

See SSH Configuration for a detailed guide.
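
A way to check the result of the steps above, as an added example that is not part of the original guide: sshd uses the first value it reads for each keyword, so a hardened line placed after a weaker one has no effect. The helper names and the sample config are hypothetical and constructed; the script reads a single file and does not follow `Include` lines, so on a real host compare against the output of `sudo sshd -T`.

```shell
#!/bin/sh
# Added example (not from the original guide); helper names are hypothetical.
# Audits one sshd_config file against the four settings listed above.

# Print the global value of keyword $1 in file $2 (nothing if it is unset).
sshd_effective() {
    awk -v want="$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')" '
        { sub(/^[ \t]+/, ""); sub(/[ \t\r]+$/, "") }
        $0 == "" || /^#/ { next }                  # blank line or comment
        { split($0, f, /[ \t=]+/); key = tolower(f[1]) }
        key == "match" { exit }                    # Match blocks are conditional
        key == want { print f[2]; exit }           # first occurrence wins
    ' "$2"
}

# Check file $1; the return status is the number of settings that differ.
audit_sshd() {
    fails=0
    for pair in PermitRootLogin=no PasswordAuthentication=no \
                PubkeyAuthentication=yes MaxAuthTries=3; do
        key=${pair%%=*}; expected=${pair#*=}
        actual=$(sshd_effective "$key" "$1")
        if [ "$actual" = "$expected" ]; then
            echo "PASS $key $actual"
        else
            echo "FAIL $key is '${actual:-not set}', expected '$expected'"
            fails=$((fails + 1))
        fi
    done
    return "$fails"
}

# Constructed sample config (not a real host) written to path $1.
write_sample() {
    cat > "$1" <<'EOF'
PermitRootLogin no
passwordauthentication yes
PasswordAuthentication no
#PubkeyAuthentication yes
MaxAuthTries 3
Match User backup
    PermitRootLogin yes
EOF
}

sample=$(mktemp)
write_sample "$sample"
audit_sshd "$sample" || echo "settings to fix: $?"
rm -f "$sample"
```
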


System Updates

Regular Updates

Update system:

# Arch/CachyOS
sudo pacman -Syu

# Debian/Ubuntu
sudo apt update && sudo apt upgrade

# Fedora
sudo dnf update

Why updates matter:

  • Security patches: Fix vulnerabilities
  • Bug fixes: Improve stability
  • New features: Get latest features

Security Best Practices

General Practices

Security checklist:

  1. Keep system updated: Regular updates
  2. Use firewall: Block unnecessary ports
  3. Strong passwords: Use secure passwords
  4. Disable root login: Use sudo instead
  5. Encrypt sensitive data: Protect important files
  6. Regular backups: Backup important data
  7. Monitor logs: Check for suspicious activity

fail2ban

Install fail2ban:

# Arch/CachyOS
sudo pacman -S fail2ban

# Debian/Ubuntu
sudo apt install fail2ban

# Fedora
sudo dnf install fail2ban

Enable:

sudo systemctl enable fail2ban
sudo systemctl start fail2ban
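
fail2ban watches authentication logs for repeated failures and bans the source address. The same idea for the "Monitor logs" item in the checklist, as an added example that is not part of the original guide: it counts failed SSH password attempts per source over constructed log lines. The function names, host name, and addresses (documentation ranges) are hypothetical.

```shell
#!/bin/sh
# Added example (not from the original guide); helper names are hypothetical.

# Print "count address" for each source with at least $1 failures in log $2.
# The address is read from the END of the line ("from ADDR port N ssh2")
# because the user name earlier in the line is chosen by the client.
failed_sources() {
    awk -v min="$1" '
        NF > 5 && /sshd\[[0-9]+\]: Failed password for / &&
        $(NF-4) == "from" && $(NF-2) == "port" { n[$(NF-3)]++ }
        END { for (ip in n) if (n[ip] >= min) print n[ip], ip }
    ' "$2" | sort -rn
}

# Constructed sample log lines (not from a real host) written to path $1.
write_sample_log() {
    cat > "$1" <<'EOF'
Jan 15 10:00:01 host sshd[1201]: Failed password for root from 203.0.113.5 port 50110 ssh2
Jan 15 10:00:03 host sshd[1201]: Failed password for root from 203.0.113.5 port 50110 ssh2
Jan 15 10:00:07 host sshd[1204]: Failed password for invalid user admin from 203.0.113.5 port 50112 ssh2
Jan 15 10:00:09 host sshd[1206]: Failed password for invalid user from 198.51.100.7 port 1 from 203.0.113.5 port 50114 ssh2
Jan 15 10:02:30 host sshd[1210]: Failed password for alice from 198.51.100.7 port 40022 ssh2
Jan 15 10:02:41 host sshd[1210]: Accepted password for alice from 198.51.100.7 port 40022 ssh2
EOF
}

log=$(mktemp)
write_sample_log "$log"
echo "Sources with 3 or more failed logins:"
failed_sources 3 "$log"
rm -f "$log"
```
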

Summary

This guide covered security configuration for Arch Linux, CachyOS, and other distributions, including firewall, user management, file permissions, encryption, SSH, and best practices.


This guide covers Arch Linux, CachyOS, and other Linux distributions. For distribution-specific details, refer to your distribution's documentation.
