Boost Your Linux Security: Practical Commands Every Admin Should Know

This article walks you through essential Linux security techniques—console protection, password policies, sudo alerts, SSH hardening, Tripwire intrusion detection, firewalld and iptables firewall management, compiler restrictions, immutable files, and SELinux auditing tools—providing concrete commands and configurations to harden your system against evolving threats.

MaGe Linux Operations

In this article we discuss how to harden a Linux system using a series of practical security commands.

First, we ask whether Linux is already secure enough. The answer is no; attackers constantly discover new vulnerabilities that can be exploited within hours, so security must be an ongoing concern.

The main topics covered are:

Console security

Password lifecycle

Sudo notifications

SSH tuning

Using Tripwire for intrusion detection

Firewalld

Falling back to iptables

Restricting compilers

Immutable files

Managing SELinux with aureport

Using sealert

1. Console Security

Limit which terminals root can log in from by editing /etc/securetty, the file that lists the devices on which root may log in. It is recommended to allow root access only on a single console and require all other users to log in as non-root, switching to root with su only when root privileges are needed.

2. Password Lifecycle

Set an expiration period for passwords so they must be changed regularly, reducing the risk of stolen or cracked credentials.

Method 1 – command line, for an existing account:

chage -M 20 likegeeks

Method 2 – edit /etc/login.defs (these defaults apply to accounts created after the change; use chage for users that already exist):

PASS_MAX_DAYS 20
PASS_MIN_DAYS 0
PASS_WARN_AGE 5

3. Sudo Notifications

Configure /etc/sudoers to restrict which commands can be run with sudo and to send an email alert every time sudo is used. Edit it with visudo, which checks the syntax before saving, and replace the address below with your own:

Defaults mailto="admin@example.com"
Defaults mail_always

4. SSH Tuning

SSH is a critical service; harden it by changing the default port, disabling root login, disabling password authentication, and enabling additional security options.

Edit /etc/ssh/sshd_config:

Port 5555
PermitRootLogin no
PasswordAuthentication no
PermitEmptyPasswords no
UseDNS yes
GSSAPIAuthentication no
TCPKeepAlive yes
ClientAliveInterval 30
ClientAliveCountMax 5
AllowUsers user1 user2
AllowGroups group1 group2

The client-side keep-alive settings ServerAliveInterval 15 and ServerAliveCountMax 3 belong in /etc/ssh/ssh_config, not in sshd_config, where sshd rejects them as unknown options.

To add a one-time code as a second factor, install the PAM module and generate a secret for each user (run google-authenticator as that user):

yum install google-authenticator
google-authenticator

Enable the module in /etc/pam.d/sshd:

auth required pam_google_authenticator.so

Allow challenge-response logins in /etc/ssh/sshd_config and restart the daemon:

ChallengeResponseAuthentication yes
systemctl restart sshd

After these changes SSH prompts for a verification code in addition to the key or password, which blunts brute-force attacks. Before closing your current session, confirm that you can still log in from a second terminal; on an SELinux system the non-default port must also be labelled for sshd (semanage port -a -t ssh_port_t -p tcp 5555) and opened in the firewall.
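As an added example that is not code from the article, the following POSIX shell script checks an sshd_config file against the directives listed above and reports which ones are missing or weakened; the sample config it reads is constructed, and the policy table, function names and temp-file path are the example's own assumptions.

```shell
#!/bin/sh
# Added example (not from the article): audit an sshd_config against the
# directives the section above sets. For each directive it reports OK, WEAK
# (present with a different value) or MISSING (absent, so sshd's built-in
# default applies). The expected values are the article's; adjust to taste.

# Print the effective value of a directive. sshd honours the FIRST match for
# a keyword, so we stop at the first non-comment line that starts with it.
sshd_value() {  # $1 = config file, $2 = keyword (case-insensitive, like sshd)
    awk -v key="$2" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        tolower($1) == tolower(key) { $1 = ""; sub(/^ +/, ""); print; exit }
    ' "$1"
}

# keyword=expected pairs taken from the article's sshd_config.
SSHD_POLICY="PermitRootLogin=no PasswordAuthentication=no PermitEmptyPasswords=no \
GSSAPIAuthentication=no ChallengeResponseAuthentication=yes"

check_sshd_config() {  # $1 = config file; prints a report, returns 1 on any gap
    rc=0
    for pair in $SSHD_POLICY; do
        key=${pair%%=*}; want=${pair#*=}
        got=$(sshd_value "$1" "$key" | tr 'A-Z' 'a-z')
        if [ -z "$got" ]; then
            echo "MISSING $key (want $want)"; rc=1
        elif [ "$got" = "$want" ]; then
            echo "OK      $key $got"
        else
            echo "WEAK    $key $got (want $want)"; rc=1
        fi
    done
    return $rc
}

# Constructed sample config (not taken from any real host) so the script
# runs stand-alone; point check_sshd_config at /etc/ssh/sshd_config instead.
SAMPLE_SSHD=$(mktemp)
cat > "$SAMPLE_SSHD" <<'EOF'
# sshd_config (constructed sample)
Port 5555
PermitRootLogin yes
  PasswordAuthentication no
#PermitEmptyPasswords no
GSSAPIAuthentication no
ChallengeResponseAuthentication yes
EOF

check_sshd_config "$SAMPLE_SSHD" || echo "hardening gaps found in $SAMPLE_SSHD"
```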

5. Using Tripwire for Intrusion Detection

Tripwire is a host‑based intrusion detection system that monitors file attributes and alerts on changes.

wget http://dl.fedoraproject.org/pub/epel/7/x86_64/e/epel-release-7-9.noarch.rpm
rpm -ivh epel-release-7-9.noarch.rpm
sudo yum install tripwire
tripwire-setup-keyfiles          # generate the site and local keys and sign the config and policy
vi /etc/tripwire/twpol.txt       # edit the policy: drop entries for files this host does not have
# on a fresh install there is no database yet, so sign the edited policy with
# twadmin --create-polfile /etc/tripwire/twpol.txt before --init; once a database
# exists, later edits are applied with:
tripwire --update-policy --secure-mode low /etc/tripwire/twpol.txt
tripwire --init                  # build the baseline database
tripwire --check                 # compare the filesystem against the baseline

Secure the plaintext policy and configuration files twpol.txt and twcfg.txt after setup: Tripwire reads only the signed tw.pol and tw.cfg, so the plaintext copies can be removed or stored offline so that an intruder cannot read which files are watched.

6. Using Firewalld

Firewalld is the default front-end on CentOS/RHEL 7 and replaces hand-written iptables rules; it can change rules at runtime without dropping established connections.

firewall-cmd --state                                   # is firewalld running?
firewall-cmd --get-zones                               # list the available zones
firewall-cmd --set-default-zone=ZONE                   # zone applied to interfaces with no explicit zone
firewall-cmd --zone=ZONE --list-all                    # everything currently allowed in a zone
firewall-cmd --get-services                            # predefined service names
firewall-cmd --zone=ZONE --add-service=SERVICE
firewall-cmd --zone=ZONE --remove-service=SERVICE
firewall-cmd --zone=ZONE --list-ports
firewall-cmd --zone=ZONE --add-port=PORT/PROTOCOL
firewall-cmd --zone=ZONE --remove-port=PORT/PROTOCOL
firewall-cmd --zone=ZONE --add-forward-port=port=PORT:proto=PROTOCOL:toport=DEST_PORT:toaddr=DEST_IP
firewall-cmd --zone=ZONE --remove-forward-port=...

The add and remove commands above change the running configuration only and are lost on restart; add --permanent to write a change to disk and then run firewall-cmd --reload to apply it.

7. Falling Back to iptables

If you prefer iptables, first disable firewalld:

systemctl disable firewalld
systemctl stop firewalld

Install and start iptables services:

yum install iptables-services
touch /etc/sysconfig/iptables
touch /etc/sysconfig/ip6tables
systemctl start iptables
systemctl start ip6tables
systemctl enable iptables
systemctl enable ip6tables

Reboot the system for the kernel to apply the new configuration.

8. Restricting Compilers

Prevent attackers from compiling malicious code by limiting access to compiler binaries.

rpm -q --filesbypkg gcc | grep 'bin'      # list the compiler binaries the package installs
groupadd compilerGroup                    # group whose members may still compile
chown root:compilerGroup /usr/bin/gcc
chmod 0750 /usr/bin/gcc                   # everyone outside the group loses execute permission

Apply the same ownership and mode to the other binaries the rpm query lists (cc, c++, g++ and so on), and re-check after package updates, since an update restores the package's own file permissions.

9. Immutable Files

Make critical files immutable so that nobody, root included, can modify, delete or rename them or create hard links to them until the attribute is removed. Root can still run chattr -i, so this guards against mistakes and tampering by unprivileged processes rather than against a fully compromised root account.

chattr +i /myscript      # set the immutable attribute
chattr -i /myscript      # remove it again before editing the file

Directories such as /sbin and /usr/lib can also be made immutable to protect binaries and libraries, but package updates touching those paths will then fail until the attribute is removed.

10. Managing SELinux with aureport

Use aureport to generate audit reports for SELinux events.

aureport --avc                          # all SELinux access-vector (AVC) events
aureport -x                             # executables that generated audit events
aureport -au -i                         # authentication attempts, with numeric ids resolved to names (-i)
aureport -au --summary -i --failed      # failed authentications, summarised per user
aureport -au --summary -i --success     # successful authentications, summarised per user

11. Using Sealert

Install and run sealert to get human‑readable explanations of SELinux alerts.

yum install setroubleshoot-server       # provides sealert (setools ships seinfo and sesearch, not sealert)
sealert -a /var/log/audit/audit.log     # analyse every AVC denial in the log and explain each one
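As an added example that is not from the article, this shell script reproduces the grouping that aureport --avc --summary and sealert perform, directly over raw audit.log records, so denials from the two sections above can be triaged on a host where those tools are not installed; the audit records it parses are constructed samples, and the function names are the example's own.

```shell
#!/bin/sh
# Added example (not from the article): summarise SELinux AVC denials straight
# from audit.log records, grouped the way aureport/sealert group them:
# source domain, target type, object class, denied permission.

avc_summary() {  # reads audit records on stdin; prints "count sdomain ttype tclass perm"
    awk '
        # only access-vector records that were actually denied (skip "granted")
        /^type=AVC / && / denied / {
            perm = ""; sctx = ""; tctx = ""; tclass = ""
            # the permission list sits inside "denied  { ... }" and may hold several words
            if (match($0, /denied +[{][^}]*[}]/)) {
                perm = substr($0, RSTART, RLENGTH)
                sub(/^denied +[{] */, "", perm); sub(/ *[}]$/, "", perm)
            }
            for (i = 1; i <= NF; i++) {
                n = split($i, kv, "=")
                if (n < 2) continue
                if (kv[1] == "scontext") sctx = kv[2]
                else if (kv[1] == "tcontext") tctx = kv[2]
                else if (kv[1] == "tclass") tclass = kv[2]
            }
            # contexts are user:role:type:level; keep the type component only
            split(sctx, s, ":"); split(tctx, t, ":")
            count[s[3] " " t[3] " " tclass " " perm]++
        }
        END { for (k in count) print count[k], k }
    ' | sort -rn
}

# Constructed sample records (not from a real system). Real ones live in
# /var/log/audit/audit.log; run: avc_summary < /var/log/audit/audit.log
SAMPLE_AUDIT='type=AVC msg=audit(1700000000.101:201): avc:  denied  { write } for  pid=1201 comm="httpd" name="index.html" dev="dm-0" ino=4242 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1700000000.101:201): arch=c000003e syscall=2 success=no exit=-13 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1700000000.102:202): avc:  denied  { write } for  pid=1201 comm="httpd" name="upload.php" dev="dm-0" ino=4243 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1700000000.103:203): avc:  denied  { name_connect } for  pid=1201 comm="httpd" dest=3306 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1700000000.104:204): avc:  granted  { setsecparam } for  pid=1 comm="systemd" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=security'

sample_avc_summary() { printf '%s\n' "$SAMPLE_AUDIT" | avc_summary; }

sample_avc_summary
```

The two lines it prints show that the constructed httpd domain was denied writes to user home files twice and one connection to the mysqld port, which is exactly the view sealert expands into a per-denial explanation.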

The article concludes that many more Linux security techniques exist, and readers are encouraged to explore further.
