Linux Security

Learn Linux security fundamentals including permissions, sudo, SSH hardening, firewalls, updates, monitoring, and security best practices.

Learn how Linux security works, how to secure servers properly, and understand the most important security practices used in real-world infrastructure.


Difficulty: Beginner → Advanced
Estimated reading time: 110 min


Introduction

The moment a Linux machine becomes accessible from the internet:

Security immediately matters.

Even a small server can receive:

  • automated attacks
  • SSH brute-force attempts
  • vulnerability scans
  • malicious traffic
  • bot activity

Many beginners incorrectly assume:

"My server is too small to be attacked."

In reality:

Internet-facing systems are scanned constantly.

Linux security is not about making systems impossible to attack.

Instead, security is about:

  • reducing attack surface
  • limiting damage
  • hardening configurations
  • controlling access
  • monitoring activity
  • applying updates consistently

Security is deeply connected to:

  • Linux administration
  • DevOps
  • cloud infrastructure
  • backend engineering
  • networking

Modern infrastructure security is built on many small layers working together.


Understanding Linux Security Philosophy


Linux Security Is Layered

Linux security is not a single feature.

It is a combination of:

  • permissions
  • users
  • groups
  • isolation
  • firewalls
  • authentication
  • updates
  • logging
  • process separation

This concept is called:

Defense in depth.

If one protection layer fails:

another layer still exists.


Principle of Least Privilege


One of the Most Important Security Concepts

The principle says:

Give only the minimum permissions necessary.

Examples:

  • applications should not run as root
  • users should not have unnecessary sudo access
  • services should access only required files

Reducing permissions reduces damage potential.

This principle appears everywhere in Linux and DevOps.


Understanding Root


What Is Root?

Root is the Linux superuser.

Root can:

  • modify any file
  • kill any process
  • install software
  • manage users
  • destroy the system entirely

Because root is extremely powerful:

Root access must be controlled carefully.


Why Running Everything as Root Is Dangerous

If an application running as root becomes compromised:

The entire system may become compromised.

Modern Linux systems try to minimize root usage.


sudo and Privilege Escalation


What Is sudo?

sudo means:

superuser do

It allows trusted users to temporarily execute commands as root.

Example:

sudo apt update

Why sudo Is Better Than Direct Root Login

Benefits:

  • accountability
  • logging
  • reduced risk
  • temporary privilege escalation

This is why modern distributions prefer sudo over direct root usage.


Switching to Root

Temporary root shell:

sudo -i

or:

sudo su

Be careful with long root sessions.


Understanding File Permissions


Linux Permissions Recap

Every file has:

  • owner
  • group
  • permission bits

Example:

ls -l

Output (the permission field of one entry):

-rwxr-xr--

Permission Breakdown

  Symbol   Meaning
  r        Read
  w        Write
  x        Execute

Permissions apply to:

  Scope    Meaning
  User     Owner
  Group    Group members
  Others   Everyone else

Why Permissions Matter for Security

Permissions control:

  • who can access files
  • who can modify applications
  • who can execute scripts
  • who can read secrets

Incorrect permissions are one of the most common Linux security problems.


chmod and chown


Changing Permissions

Example:

chmod 644 file.txt

Common Permission Modes

  Mode   Meaning
  644    Standard file
  755    Executable script
  700    Private directory
  600    Sensitive file

Changing Ownership

chown user:group file.txt

Very important for service security.
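The following shell functions are an added example, not part of the original tutorial: they audit file modes the way an administrator would before putting a service live, reading the numeric mode with stat, flagging files that "others" can read, and tightening a secrets file to 600. The function names and the demo files are my own; GNU stat and find (as on Debian, Ubuntu and Fedora) are assumed.

```shell
#!/bin/sh
# Added example, not code from the original tutorial.
# Assumes GNU coreutils (stat -c) and GNU findutils, as on Debian/Ubuntu/Fedora.

# Print the octal mode of a file, e.g. "644" or "600".
mode_of() {
    stat -c '%a' "$1"
}

# Succeed (exit 0) when "others" can read the file.
# The last octal digit is the permission set for "others"; bit 4 is read.
is_world_readable() {
    wr_mode=$(mode_of "$1")
    wr_others=$(( wr_mode % 10 ))
    [ $(( wr_others & 4 )) -ne 0 ]
}

# List every regular file below a directory that others can read
# (mode bit 004). Run it over an application's config tree before go-live.
find_world_readable() {
    find "$1" -type f -perm -004
}

# Tighten a secrets file to owner read/write only and report the new mode.
make_private() {
    chmod 600 "$1"
    mode_of "$1"
}

# Demo on constructed files in a temporary directory; nothing on the real
# system is touched.
demo_dir=$(mktemp -d)
printf 'not secret\n' > "$demo_dir/app.conf";      chmod 644 "$demo_dir/app.conf"
printf 'DB_PASSWORD=x\n' > "$demo_dir/secret.env"; chmod 644 "$demo_dir/secret.env"

echo "World-readable files before hardening:"
find_world_readable "$demo_dir"
echo "secret.env mode after make_private: $(make_private "$demo_dir/secret.env")"
echo "World-readable files after hardening:"
find_world_readable "$demo_dir"
rm -rf "$demo_dir"
```

The check works on the numeric mode rather than on the -rwxr-xr-- string, so it also handles setuid or sticky bits (stat prints them as a fourth leading digit). Pair it with chown so the file is owned by the service account that needs it and not by root.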


Securing SSH


SSH Is a Common Attack Target

Public servers constantly receive SSH attacks.

Protecting SSH is extremely important.


Disable Root Login


SSH Configuration

Edit:

sudo vim /etc/ssh/sshd_config

Find:

PermitRootLogin yes

Change to:

PermitRootLogin no

Why Disable Root Login?

Benefits:

  • attackers must guess usernames first
  • reduces direct root exposure
  • improves auditability

Very common security practice.


Disable Password Authentication


Prefer SSH Keys

Inside:

/etc/ssh/sshd_config

Set:

PasswordAuthentication no

Now only SSH keys work.

This dramatically improves SSH security.


Restart SSH

sudo systemctl restart ssh

Always verify configuration carefully before disconnecting.
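An added check, not part of the original tutorial: sshd applies the first value it reads for a keyword, not the last, so a setting appended to the bottom of sshd_config can be overridden by an earlier line, while a drop-in in /etc/ssh/sshd_config.d/ (included at the top of sshd_config on Ubuntu 22.04 and later) takes precedence. The functions below, whose names are my own, print the value sshd will actually use for a keyword and report whether root login and password authentication are both off, on two constructed sample configs. They assume POSIX awk; the syntax check additionally assumes sshd is installed.

```shell
#!/bin/sh
# Added example, not code from the original tutorial.
# Assumes POSIX awk; sshd_syntax_ok() additionally assumes sshd is installed.

# Print the value sshd will use for a keyword: the FIRST non-comment
# occurrence, lower-cased. Lines inside a "Match" block are conditional,
# so scanning stops at the first "Match" keyword.
sshd_effective() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[ \t]*#/ || NF < 2 { next }
        tolower($1) == "match" { exit }
        tolower($1) == key     { print tolower($2); exit }
    ' "$1"
}

# Succeed when both hardening settings are in effect. Absent keywords fall
# back to the OpenSSH defaults: PermitRootLogin prohibit-password,
# PasswordAuthentication yes.
sshd_is_hardened() {
    h_root=$(sshd_effective "$1" PermitRootLogin)
    h_pw=$(sshd_effective "$1" PasswordAuthentication)
    [ "${h_root:-prohibit-password}" = "no" ] && [ "${h_pw:-yes}" = "no" ]
}

# Syntax check before restarting: a broken config means sshd will not start.
sshd_syntax_ok() {
    sshd -t -f "$1"
}

# Constructed sample configs (not real system files).
good=$(mktemp); bad=$(mktemp)
cat > "$good" <<'EOF'
Include /etc/ssh/sshd_config.d/*.conf
# Comments are ignored
PermitRootLogin no
PasswordAuthentication no
Match User backup
    PasswordAuthentication yes
EOF
cat > "$bad" <<'EOF'
PermitRootLogin yes
PasswordAuthentication yes
# Appended later, but sshd keeps the first value above:
PermitRootLogin no
PasswordAuthentication no
EOF

for f in "$good" "$bad"; do
    if sshd_is_hardened "$f"; then echo "$f: hardened"; else echo "$f: NOT hardened"; fi
done
rm -f "$good" "$bad"
```

Run sshd_is_hardened against /etc/ssh/sshd_config (and, where the Include line exists, against each drop-in) and run sshd -t before the restart; the service is named ssh on Ubuntu and Debian but sshd on Fedora and RHEL. Keep the current session open and confirm that key-based login works in a second session before you disconnect.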


SSH Key Security


Protect Private Keys

Correct permissions:

chmod 600 ~/.ssh/id_rsa

Never share private keys.

Only share:

id_rsa.pub


Understanding Firewalls


What Is a Firewall?

A firewall controls network traffic.

It determines:

  • which ports are accessible
  • which services are exposed
  • which connections are allowed

Firewalls are one of the most important Linux security layers.


UFW (Uncomplicated Firewall)


Why UFW Exists

Linux firewalls internally use:

iptables

or:

nftables

But beginners usually start with:

ufw

because it is simpler.


Enable Firewall

sudo ufw enable

Allow SSH

Before enabling the firewall:

sudo ufw allow ssh

Otherwise:

You may lock yourself out remotely.

Very common beginner mistake.


View Firewall Rules

sudo ufw status

Allow Specific Ports

Example:

sudo ufw allow 80
sudo ufw allow 443

Used for web servers.


Deny Traffic

sudo ufw deny 23

Useful for blocking insecure services.


Understanding Open Ports


View Listening Ports

ss -tuln

Very important security command.

You should always know:

Which services are exposed publicly.


Keeping Systems Updated


Updates Are Critical

Many attacks target:

  • outdated software
  • known vulnerabilities
  • unpatched services

Keeping systems updated is one of the most important security practices.


Update Packages

Ubuntu / Debian:

sudo apt update
sudo apt upgrade

Fedora:

sudo dnf upgrade

Arch Linux:

sudo pacman -Syu


Automatic Security Updates


unattended-upgrades

Ubuntu can automatically install security updates.

Install:

sudo apt install unattended-upgrades

Very common on servers.


Fail2Ban


What Is Fail2Ban?

Fail2Ban monitors logs and blocks attackers automatically.

Very common for SSH protection.


Install Fail2Ban

sudo apt install fail2ban

Start service:

sudo systemctl enable --now fail2ban

How Fail2Ban Works

Flow:

Repeated failed logins → IP temporarily banned

Very useful against brute-force attacks.


Checking Failed Login Attempts


Authentication Logs

Ubuntu / Debian:

sudo cat /var/log/auth.log

Search SSH failures (the log is readable only by root and the adm group):

sudo grep "Failed password" /var/log/auth.log

The number of entries often surprises beginners, because internet-facing hosts are attacked constantly.
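An added example (not from the original tutorial) that turns the grep above into a small summary: it counts failed SSH password attempts per source address and lists the addresses over a threshold, which is roughly the decision Fail2Ban automates. It runs on a constructed auth.log excerpt; the function names, the hostname and the documentation-range IP addresses are made up.

```shell
#!/bin/sh
# Added example, not code from the original tutorial. Assumes the standard
# Debian/Ubuntu auth.log line format and POSIX awk/sort/uniq.

# Count "Failed password" lines per source IP, most frequent first.
# Output lines look like "3 203.0.113.5".
failed_logins_by_ip() {
    grep 'Failed password' "$1" \
        | awk '{ for (i = 1; i <= NF; i++) if ($i == "from") print $(i + 1) }' \
        | sort | uniq -c | sort -rn \
        | awk '{ print $1, $2 }'
}

# Print only the addresses with at least N failures (the same idea Fail2Ban
# applies with its maxretry setting).
ips_over_threshold() {
    failed_logins_by_ip "$1" | awk -v n="$2" '$1 >= n { print $2 }'
}

# Constructed sample log (not a real capture); 203.0.113.0/24 and
# 198.51.100.0/24 are documentation address ranges.
sample=$(mktemp)
cat > "$sample" <<'EOF'
Mar 10 02:14:07 web1 sshd[2211]: Failed password for invalid user admin from 203.0.113.5 port 40122 ssh2
Mar 10 02:14:09 web1 sshd[2211]: Failed password for invalid user admin from 203.0.113.5 port 40130 ssh2
Mar 10 02:14:12 web1 sshd[2213]: Failed password for root from 203.0.113.5 port 40141 ssh2
Mar 10 02:15:30 web1 sshd[2219]: Failed password for john from 198.51.100.7 port 51002 ssh2
Mar 10 02:15:45 web1 sshd[2220]: Accepted publickey for john from 198.51.100.7 port 51010 ssh2
Mar 10 02:16:01 web1 CRON[2230]: pam_unix(cron:session): session opened for user root by (uid=0)
EOF

echo "Failed password attempts per source IP:"
failed_logins_by_ip "$sample"
echo "Addresses with 3 or more failures:"
ips_over_threshold "$sample" 3
rm -f "$sample"
```

On systems that log only to the journal, save the output of journalctl for the SSH unit to a file first and point the functions at that file. A single address with many failures is the brute-force pattern; a few failures from an address that then shows an "Accepted publickey" line is usually a legitimate user mistyping.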


File Integrity and Secrets


Protect Sensitive Files

Examples:

  • SSH keys
  • API keys
  • database credentials
  • certificates

Permissions should be restrictive.

Example:

chmod 600 secret.txt

Never Store Secrets Publicly

Avoid:

  • public Git repositories
  • world-readable configs
  • shared folders

Modern infrastructure increasingly uses:

  • secret managers
  • environment variables
  • vault systems


Running Services Safely


Avoid Running Applications as Root

Instead:

Create dedicated service users

Example:

sudo useradd appuser

Then, in the systemd service file:

User=appuser

Very important security practice.
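An added example (not the tutorial's own code) of this pattern end to end: create a locked-down system account, write a unit that runs as it, and audit an existing unit for the root default. The unit name, the user appuser, the ExecStart paths and the function names are assumptions; useradd's --system, --no-create-home and --shell options and /usr/sbin/nologin are standard on Debian and Ubuntu.

```shell
#!/bin/sh
# Added example, not code from the original tutorial.
# Assumes Debian/Ubuntu-style useradd and systemd; creating users or
# installing units needs root. The audit function needs no privileges.

# Create an unprivileged system account for a service: no home directory
# and no login shell, so the account cannot be used interactively.
create_service_user() {
    id "$1" >/dev/null 2>&1 || \
        useradd --system --no-create-home --shell /usr/sbin/nologin "$1"
}

# Write a minimal unit that starts the program as that user rather than as
# root (systemd's default when User= is absent). Args: path, user, command.
write_service_unit() {
    cat > "$1" <<EOF
[Unit]
Description=Example application (added example, hypothetical service)
After=network.target

[Service]
User=$2
Group=$2
ExecStart=$3
Restart=on-failure

[Install]
WantedBy=multi-user.target
EOF
}

# Audit: succeed when a unit will run as root, i.e. User= is missing or
# explicitly "root". Run it over /etc/systemd/system/*.service.
unit_runs_as_root() {
    ur_user=$(sed -n 's/^User=[[:space:]]*//p' "$1" | head -n 1)
    [ -z "$ur_user" ] || [ "$ur_user" = "root" ]
}

# Demo on a temporary directory (not /etc/systemd/system); hypothetical paths.
demo=$(mktemp -d)
write_service_unit "$demo/myapp.service" appuser /opt/myapp/bin/myapp
printf '[Service]\nExecStart=/opt/legacy/run\n' > "$demo/legacy.service"
for u in "$demo"/*.service; do
    if unit_runs_as_root "$u"; then
        echo "$(basename "$u"): runs as ROOT"
    else
        echo "$(basename "$u"): runs as $(sed -n 's/^User=//p' "$u")"
    fi
done
rm -rf "$demo"
```

On a real host the sequence is create_service_user appuser, write the unit into /etc/systemd/system/, systemctl daemon-reload, systemctl enable --now the unit, then confirm with ps that the main process is owned by appuser and not root. Files the service must read should then be chowned to appuser with mode 600 or 640, so nothing else on the box can read them either.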


Understanding Process Isolation


Linux Separates Processes

Processes run with:

  • different users
  • different permissions
  • isolated memory spaces

This limits attack impact.

Containers heavily rely on Linux isolation mechanisms.


SELinux and AppArmor


Additional Security Layers

Linux may include:

  Technology   Distribution
  SELinux      RHEL, Fedora
  AppArmor     Ubuntu

These systems provide:

Mandatory access control.

Applications receive additional restrictions beyond normal permissions.


Why SELinux Feels Confusing

SELinux is powerful but complex.

Beginners often disable it entirely.

But in enterprise environments:

SELinux is extremely important.


Understanding Logs and Monitoring


Security Requires Visibility

Always monitor:

  • authentication logs
  • failed login attempts
  • unusual processes
  • suspicious traffic

Linux exposes huge amounts of information for investigation.


Useful Commands

Processes:

ps aux

Connections:

ss -tulnp

Logs:

journalctl

Disk usage:

df -h


Common Linux Security Mistakes


Running Everything as Root

Very dangerous.


Weak Passwords

Avoid:

admin123
password
123456

Use strong passwords or SSH keys.


Exposing Unnecessary Ports

Always minimize exposed services.


Ignoring Updates

Outdated systems are extremely vulnerable.


Incorrect File Permissions

Sensitive files should never be world-readable.


Copy-Pasting Random Commands

Very dangerous.

Especially commands involving:

curl | bash

Always understand commands before executing them.


Real-World Linux Hardening Example


Typical Secure Server Setup


Step 1 — Create Non-Root User

adduser john

Step 2 — Grant sudo Access

usermod -aG sudo john

Step 3 — Configure SSH Keys

ssh-copy-id john@server

Step 4 — Disable Root Login

Edit:

/etc/ssh/sshd_config

Set:

PermitRootLogin no

Step 5 — Disable Password Authentication

PasswordAuthentication no

Step 6 — Enable Firewall

ufw allow ssh
ufw allow 80
ufw allow 443
ufw enable

Step 7 — Install Fail2Ban

apt install fail2ban

This resembles real-world Linux server hardening.
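The seven steps above collected into one script, added here as an example and not the tutorial's own code. It assumes Ubuntu or Debian tooling (adduser, apt-get, ufw, systemd) and an sshd_config that includes /etc/ssh/sshd_config.d/*.conf (Ubuntu 22.04 and later), runs as root, and leaves step 3 to ssh-copy-id from your workstation. The function names, the ADMIN_USER variable, the <server> placeholder and the drop-in filename are my own choices.

```shell
#!/bin/sh
# Added example, not code from the original tutorial. Assumes Ubuntu/Debian,
# root privileges, and an sshd_config that includes /etc/ssh/sshd_config.d/*.conf
# (Ubuntu 22.04+). Run as:  sh harden.sh --apply
set -e

ADMIN_USER=${ADMIN_USER:-john}                           # assumed name, as in the tutorial
SSHD_DROPIN_DIR=${SSHD_DROPIN_DIR:-/etc/ssh/sshd_config.d}

# Steps 1 and 2: a non-root user with sudo rights. adduser prompts for a
# password, which sudo will ask for later.
create_admin_user() {
    id "$1" >/dev/null 2>&1 || adduser --gecos "" "$1"
    usermod -aG sudo "$1"
}

# Steps 4 and 5 as a drop-in file: it wins over the main config because the
# Include line sits at the top of sshd_config and sshd keeps the first value.
write_sshd_dropin() {
    cat > "$1" <<'EOF'
PermitRootLogin no
PasswordAuthentication no
EOF
}

# Restart only after the syntax check passes; a broken sshd locks you out.
# Ubuntu/Debian name the unit "ssh", Fedora/RHEL "sshd".
apply_sshd_hardening() {
    write_sshd_dropin "$SSHD_DROPIN_DIR/90-hardening.conf"
    sshd -t
    systemctl restart ssh 2>/dev/null || systemctl restart sshd
}

# Step 6: allow SSH before enabling; --force skips the interactive prompt.
configure_firewall() {
    ufw allow ssh
    ufw allow 80
    ufw allow 443
    ufw --force enable
}

# Step 7: Fail2Ban with the sshd jail enabled.
install_fail2ban() {
    DEBIAN_FRONTEND=noninteractive apt-get install -y fail2ban
    printf '[sshd]\nenabled = true\n' > /etc/fail2ban/jail.local
    systemctl enable --now fail2ban
}

harden_all() {
    [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; exit 1; }
    create_admin_user "$ADMIN_USER"
    echo "Step 3: from your workstation run  ssh-copy-id $ADMIN_USER@<server>"
    echo "and confirm key login works in a second session before continuing."
    printf 'Continue with SSH hardening, firewall and Fail2Ban? [y/N] '
    read -r answer
    [ "$answer" = "y" ] || exit 0
    apply_sshd_hardening
    configure_firewall
    install_fail2ban
    echo "Done. Verify with:  ufw status   and   fail2ban-client status sshd"
}

if [ "${1:-}" = "--apply" ]; then harden_all; fi
```

The pause before step 4 is deliberate: password login is switched off only after the admin's key is confirmed to work, and the firewall is enabled only after the SSH rule exists, so neither step can cut off the session you are working from. On a distribution without the sshd_config.d include, put the two directives at the top of sshd_config instead of in a drop-in.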


Containers and Security


Docker Security

Containers improve isolation but are not magic security solutions.

Examples:

  • avoid privileged containers
  • avoid running as root
  • minimize container permissions

Understanding Linux security fundamentals makes container security much easier.


Cloud Security


Linux Security in the Cloud

Cloud servers still rely heavily on Linux security concepts:

  • SSH keys
  • firewalls
  • permissions
  • updates
  • logging
  • isolation

Cloud infrastructure simply adds more layers around Linux.


Linux Philosophy and Security

Linux security reflects Unix philosophy:

  • separation of responsibilities
  • explicit permissions
  • modularity
  • transparency
  • process isolation

Security emerges from many small mechanisms working together.


The Bigger Picture

Once you understand Linux security, you stop seeing servers as simple machines.

You begin understanding:

  • attack surfaces
  • infrastructure hardening
  • secure deployments
  • authentication systems
  • layered defenses

Security is not a single tool.

It is:

A continuous process of reducing risk.

This mindset is fundamental in professional infrastructure engineering.


What Comes Next

In the next chapter, we will explore:

  • Linux in DevOps environments
  • infrastructure automation
  • server workflows
  • CI/CD concepts
  • containers and Linux
  • cloud-native tooling
  • practical DevOps workflows

This is where Linux becomes the foundation of modern infrastructure engineering.