Boost Your Linux Security: Essential Commands and Best Practices
This article provides a comprehensive, step‑by‑step guide to hardening a Linux system, covering console restrictions, password policies, sudo alerts, SSH tuning, Tripwire intrusion detection, firewalld and iptables management, compiler restrictions, immutable files, SELinux auditing with aureport, and the sealert tool.
In this article we discuss how to harden a Linux system using various security commands.
Console security
Limit root login to specific terminals by editing the secure console file under /etc, allowing only one terminal for root and requiring other users to use non‑root accounts or su.
Password lifecycle
Set password expiration with chage or globally via /etc/login.defs (e.g., PASS_MAX_DAYS 20, PASS_MIN_DAYS 0, PASS_WARN_AGE 5).
Sudo notifications
Configure /etc/sudoers to send email alerts by adding mailto [email protected] and enable mail always with mail_always on.
SSH hardening
Modify /etc/ssh/sshd_config to change the default port, disable root login, disable password authentication, enable UseDNS, disable GSSAPI, adjust keep‑alive settings, restrict allowed users or groups, and optionally enable two‑factor authentication with Google Authenticator.
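The following audit script is an added example, not code from the original article. It checks an sshd_config file against the settings listed above (non-default port, root login, password authentication, GSSAPI, user or group restriction). The helper names `sshd_value`, `flag` and `audit_sshd` and the sample configuration are constructed for illustration. It reads a single file and does not follow Include directives.

```sh
# Added example (not from the article): audit an sshd_config file offline.

# Print the effective global value of keyword $2 in file $1 (empty if unset).
# sshd keywords are case-insensitive and the FIRST occurrence wins; global
# settings end where the first Match block begins.
sshd_value() {
    awk -v key="$2" '
        /^[ \t]*(#|$)/ { next }                       # comments, blank lines
        {
            match($0, /^[ \t]*[A-Za-z0-9]+/)
            k = substr($0, 1, RLENGTH); gsub(/[ \t]/, "", k)
            v = substr($0, RLENGTH + 1)
            sub(/^[ \t]*=?[ \t]*/, "", v); sub(/[ \t]+$/, "", v)
            if (tolower(k) == "match") exit
            if (tolower(k) == tolower(key)) { print v; exit }
        }' "$1"
}

flag() { echo "FAIL: $1"; fails=$((fails + 1)); }

# Audit file $1: one line per finding, exit status = number of findings.
audit_sshd() {
    f=$1; fails=0
    port=$(sshd_value "$f" Port)
    if [ "${port:-22}" = 22 ]; then flag "Port is the default 22"; fi
    # An unset keyword falls back to the build default, so require an explicit "no".
    for kw in PermitRootLogin PasswordAuthentication GSSAPIAuthentication; do
        v=$(sshd_value "$f" "$kw" | tr 'A-Z' 'a-z')
        [ "$v" = no ] || flag "$kw is '${v:-unset}', expected 'no'"
    done
    if [ -z "$(sshd_value "$f" AllowUsers)$(sshd_value "$f" AllowGroups)" ]; then
        flag "no AllowUsers or AllowGroups restriction"
    fi
    return "$fails"
}

# Constructed sample: the second PasswordAuthentication line is ignored by sshd.
sample=$(mktemp)
cat > "$sample" <<'EOF'
Port 2222
permitrootlogin no
PasswordAuthentication yes
PasswordAuthentication no
AllowGroups sshusers
Match User backup
    X11Forwarding no
EOF
audit_sshd "$sample" || echo "$? finding(s)"
rm -f "$sample"
```

On a live host, `sshd -T` prints the effective configuration after Include and Match processing and is the authoritative check.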
Tripwire intrusion detection
Install Tripwire from EPEL, initialize keys with tripwire‑setup‑keyfiles, customize the policy file /etc/tripwire/twpol.txt, update the policy, initialize the database, and run checks with tripwire --check.
Firewalld
Use firewall‑cmd to view state, list zones, set the default zone, list services, add or remove services, list open ports, and manage port forwarding without restarting the firewall.
iptables fallback
If preferring iptables, disable firewalld, install iptables‑services, start and enable the iptables services, and reboot to apply new kernel rules.
Restrict compilers
Limit access to compiler binaries (e.g., /usr/bin/gcc) by creating a dedicated group, changing ownership to root:compilerGroup, and setting permissions to 0750.
Immutable files
Protect critical files with chattr +i and remove the attribute with chattr -i; directories such as /sbin and /usr/lib can also be made immutable.
SELinux auditing with aureport
Generate SELinux audit reports using aureport --avc, list executable files with aureport -x, and produce authentication summaries with aureport -au -i and related options.
Sealert tool
Install setools and run sealert -a /var/log/audit/audit.log to obtain human‑readable SELinux warnings and suggested fixes.
These techniques provide a practical checklist for improving Linux system security.
MaGe Linux Operations