Essential Linux Hardening: Firewall, Permissions, Auditing, and IDS Guide
Learn how to secure a Linux server by configuring firewalls with iptables and firewalld, managing user permissions, setting up auditd, applying automatic updates, and deploying intrusion detection tools like OSSEC and AIDE, plus a step‑by‑step response workflow for real‑world attack scenarios.
1. Basic Security Configuration
Firewalls are the first line of defense. The article provides example rules for iptables and firewalld that allow loopback traffic, established connections, SSH (port 22) and HTTP (port 80), and drop everything else. Two things the rules rely on are worth stating: iptables evaluates a chain top to bottom and -A appends, so the ACCEPT rules must come before the final DROP, and any later block rule has to be inserted with -I rather than appended; and rules live only in kernel memory until they are saved. The save command shown, service iptables save, is the RHEL/CentOS form (it needs the iptables-services package); on Debian/Ubuntu write the ruleset out with iptables-save to the file that iptables-persistent loads at boot. For firewalld the article shows checking the daemon state, adding permanent ports, and reloading; verify the result with firewall-cmd --list-all, and remember that changes made without --permanent are lost at the next reload.
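As an added example (not part of the article, whose own iptables and firewalld snippets follow), here is the same policy expressed as an iptables-restore ruleset rather than a sequence of iptables -A calls: default-DROP chain policies so a flushed chain fails closed instead of open, the conntrack match in place of the older state match, a per-source rate limit on new SSH connections, and a validated, atomic apply step. The function names, the ADMIN_CIDR variable and the persistence path are this example's own choices; the path is the one iptables-persistent reads on Debian/Ubuntu.

```bash
#!/usr/bin/env bash
# Generate and apply an iptables-restore ruleset for a server that exposes
# SSH and HTTP only. Added example, not from the article. Assumes iptables
# with the conntrack and recent matches and a root shell for the apply step.

# gen_ruleset SSH_PORT HTTP_PORT [ADMIN_CIDR]
# Prints the ruleset on stdout. Chain policies are DROP so that an
# accidentally flushed chain blocks traffic rather than admitting all of it.
gen_ruleset() {
  ssh_port=${1:-22}
  http_port=${2:-80}
  admin_cidr=${3:-0.0.0.0/0}   # narrow this to your management network if you have one
  cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Loopback, and drop spoofed loopback addresses arriving on real interfaces
-A INPUT -i lo -j ACCEPT
-A INPUT ! -i lo -s 127.0.0.0/8 -j DROP
# Replies to connections we initiated; conntrack is the current form of the state match
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
# ICMP echo so monitoring can still ping the host
-A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/s -j ACCEPT
# SSH: new connections only, from the admin range, at most 6 per source per minute
-A INPUT -p tcp --dport ${ssh_port} -s ${admin_cidr} -m conntrack --ctstate NEW -m recent --set --name SSH
-A INPUT -p tcp --dport ${ssh_port} -s ${admin_cidr} -m conntrack --ctstate NEW -m recent --update --seconds 60 --hitcount 6 --name SSH -j DROP
-A INPUT -p tcp --dport ${ssh_port} -s ${admin_cidr} -m conntrack --ctstate NEW -j ACCEPT
# HTTP
-A INPUT -p tcp --dport ${http_port} -m conntrack --ctstate NEW -j ACCEPT
# Log a sample of what falls through to the DROP policy
-A INPUT -m limit --limit 3/min -j LOG --log-prefix "iptables-drop: " --log-level 4
COMMIT
EOF
}

# apply_ruleset FILE: syntax-check first, then load the whole table in one
# step, then persist it for the next boot.
apply_ruleset() {
  iptables-restore --test "$1" || return 1      # parses without touching the kernel
  iptables-restore "$1"
  # Debian/Ubuntu with iptables-persistent reads this file at boot;
  # on RHEL/CentOS the equivalent is /etc/sysconfig/iptables.
  install -D -m 0600 "$1" /etc/iptables/rules.v4
}

if [ "${1:-}" = "--apply" ]; then
  tmp=$(mktemp)
  gen_ruleset 22 80 "${ADMIN_CIDR:-0.0.0.0/0}" > "$tmp"
  apply_ruleset "$tmp"
  rm -f "$tmp"
fi
```

Run it with --apply from a console session, or with a second SSH session already open, because a mistake in the SSH rule locks you out. gen_ruleset can also be run on its own and diffed against the current iptables-save output before anything is applied.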
iptables example
# Allow loopback interface
iptables -A INPUT -i lo -j ACCEPT
# Allow established and related connections
# (-m state still works; -m conntrack --ctstate is the current form)
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Allow SSH (this must stay above the final DROP, or you lock yourself out)
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
# Allow HTTP
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
# Drop everything else
iptables -A INPUT -j DROP
# Save rules (RHEL/CentOS with iptables-services installed; on Debian/Ubuntu
# use iptables-save > /etc/iptables/rules.v4 together with iptables-persistent)
service iptables save
firewalld example
# Check firewalld status
firewall-cmd --state
# Open SSH permanently (the public zone allows the ssh service by default;
# --add-service=ssh is the equivalent of opening 22/tcp)
firewall-cmd --zone=public --add-port=22/tcp --permanent
# Open HTTP permanently
firewall-cmd --zone=public --add-port=80/tcp --permanent
# Reload to apply changes (--permanent rules take effect only after this)
firewall-cmd --reload
2. User Permission Management and Auditing
File and directory permissions are set with chmod and ownership with chown. Examples include making a file read-only for every user (chmod 444 /path/to/file; root is not bound by mode bits, so this protects against mistakes and unprivileged users, not against a root compromise) and changing its owner and group (chown user:user /path/to/file).
For auditing, the article recommends installing auditd, starting the service, and adding a rule that watches /etc/passwd for writes and attribute changes (-p wa) under the key passwd_changes. Rules placed in /etc/audit/rules.d/ are compiled and loaded by augenrules at boot; the auditctl -R step loads them immediately. Confirm the rule is active with auditctl -l and query the matching events with ausearch -k passwd_changes:
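chmod and chown set a state once; the following added script (not from the article) checks that the state is still what you set, by comparing the mode, owner and group of each file in a baseline against what stat reports, so that drift on sensitive files shows up without waiting for the audit log. The function names and the baseline list are this example's own; the modes in the list are typical Debian/Ubuntu defaults (RHEL ships /etc/shadow as 000 root:root), so adjust them to your distribution.

```bash
#!/usr/bin/env bash
# Permission baseline check for sensitive files.
# Added example, not from the article. Uses GNU stat (coreutils).

# check_file PATH MODE OWNER GROUP
# Prints a verdict; returns 0 on match, 1 on drift, 2 if the file is missing.
check_file() {
  path=$1 want_mode=$2 want_owner=$3 want_group=$4
  if [ ! -e "$path" ]; then
    echo "MISSING $path"
    return 2
  fi
  got=$(stat -c '%a %U %G' "$path")   # octal mode, owner name, group name
  if [ "$got" = "$want_mode $want_owner $want_group" ]; then
    echo "OK      $path ($got)"
    return 0
  fi
  echo "DRIFT   $path: want $want_mode $want_owner $want_group, got $got"
  return 1
}

# check_baseline < baseline
# Reads "path mode owner group" lines (blank lines and # comments ignored)
# and returns the number of files that drifted or are missing; 0 means clean.
check_baseline() {
  bad=0
  while read -r path mode owner group; do
    case $path in ''|'#'*) continue ;; esac
    check_file "$path" "$mode" "$owner" "$group" || bad=$((bad + 1))
  done
  return $bad
}

if [ "${1:-}" = "--run" ]; then
  # Baseline for a Debian/Ubuntu host (example values; verify against a clean install)
  check_baseline <<'EOF'
# path                 mode  owner  group
/etc/passwd            644   root   root
/etc/shadow            640   root   shadow
/etc/group             644   root   root
/etc/gshadow           640   root   shadow
/etc/sudoers           440   root   root
/etc/ssh/sshd_config   644   root   root
EOF
  echo "files out of baseline: $?"
fi
```

Run it from cron or a timer and alert on a non-zero count; a DRIFT on /etc/shadow or /etc/sudoers is the kind of finding the auditd rule in the next step records as it happens, while this check catches it after the fact.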
# Install auditd
apt-get install auditd
# Start service (systemctl enable auditd makes it start at boot as well)
systemctl start auditd
# Add audit rule: -w watches the path, -p wa records writes and attribute
# changes, -k tags the events so ausearch -k passwd_changes can find them
echo "-w /etc/passwd -p wa -k passwd_changes" >> /etc/audit/rules.d/audit.rules
# Load the rules now (augenrules --load does the same and is what runs at boot)
auditctl -R /etc/audit/rules.d/audit.rules
3. System Patching and Update Management
Regular patching closes known vulnerabilities before they are exploited. The guide shows how to install unattended-upgrades and enable automatic security updates on Debian/Ubuntu (RHEL-family systems use dnf-automatic and its systemd timer for the same purpose):
# Install unattended-upgrades
apt-get install unattended-upgrades
# Enable automatic updates (writes /etc/apt/apt.conf.d/20auto-upgrades; which
# origins are upgraded, and whether the host reboots, is set in 50unattended-upgrades)
dpkg-reconfigure --priority=low unattended-upgrades
It also mentions using vulnerability scanners such as OpenVAS or Nessus for periodic scans. Automatic updates only cover packages your distribution patches, so scan findings should be checked against anything installed from source or from third-party repositories.
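dpkg-reconfigure only switches on the periodic apt timers; the selection of what gets upgraded lives in /etc/apt/apt.conf.d/50unattended-upgrades. The following added example (not from the article) writes the periodic settings and a drop-in that restricts automatic upgrades to the Debian security origin and sets a reboot window, then dry-runs the upgrader to show what it would do. The function names and the drop-in filename 52local-security are this example's own; the directives are the standard APT::Periodic and Unattended-Upgrade keys, and the commented Ubuntu pattern is an assumption to be checked against that distribution's own 50unattended-upgrades file.

```bash
#!/usr/bin/env bash
# Configure unattended-upgrades for security-only patching with a reboot window.
# Added example, not from the article. Assumes Debian/Ubuntu with
# unattended-upgrades installed.

# write_auto_update_conf [DIR]
# DIR defaults to /etc/apt/apt.conf.d; pass another directory to review the
# generated files before installing them.
write_auto_update_conf() {
  dir=${1:-/etc/apt/apt.conf.d}
  mkdir -p "$dir"

  # Same content dpkg-reconfigure produces, plus weekly cleanup of the package cache.
  cat > "$dir/20auto-upgrades" <<'EOF'
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Unattended-Upgrade "1";
APT::Periodic::AutocleanInterval "7";
EOF

  # Sorted after 50unattended-upgrades, so it is read last. #clear discards the
  # distribution's origin list; after that only security updates are applied.
  cat > "$dir/52local-security" <<'EOF'
#clear Unattended-Upgrade::Origins-Pattern;
Unattended-Upgrade::Origins-Pattern {
    "origin=Debian,codename=${distro_codename},label=Debian-Security";
    "origin=Debian,codename=${distro_codename}-security,label=Debian-Security";
    // Ubuntu (assumed pattern): "origin=Ubuntu,archive=${distro_codename}-security,label=Ubuntu";
};
Unattended-Upgrade::Remove-Unused-Dependencies "true";
Unattended-Upgrade::Automatic-Reboot "true";
Unattended-Upgrade::Automatic-Reboot-Time "02:00";
Unattended-Upgrade::Mail "root";
EOF
}

# verify_auto_update: report what the upgrader would do without changing anything.
verify_auto_update() {
  unattended-upgrade --dry-run --debug
}

if [ "${1:-}" = "--install" ]; then
  write_auto_update_conf
  verify_auto_update
fi
```

Automatic-Reboot is the setting to think about: a kernel or libc update is only effective after a reboot, but an unplanned reboot of a single-instance service is its own outage, so either leave it false and reboot on a schedule or make sure 02:00 is inside a maintenance window.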
4. Intrusion Detection and Response
Two common IDS tools are covered. OSSEC is a host-based IDS (log analysis, rootkit checks and file integrity monitoring); AIDE is a file integrity checker that compares the filesystem against a stored baseline database.
OSSEC
# Download OSSEC (pin a release from the project's GitHub releases page and check
# its checksum or signature before running the installer; 3.8.0 is the version
# the article uses)
wget https://github.com/ossec/ossec-hids/archive/3.8.0.tar.gz
# Extract and run the interactive installer (it builds from source, so gcc, make
# and the dependencies listed in the project README must be present)
tar -zxvf 3.8.0.tar.gz
cd ossec-hids-3.8.0
./install.sh
AIDE
# Install AIDE
apt-get install aide
# Initialize database (on Debian/Ubuntu this writes /var/lib/aide/aide.db.new;
# copy it to /var/lib/aide/aide.db before the first check, and keep a copy off
# the host, since an attacker with root can rewrite the baseline)
aideinit
# Run integrity check against the stored database
aide --check
The article outlines a four-step incident response process: Detect (use IDS alerts and log analysis), Respond (isolate affected systems), Recover (restore normal operation and apply patches), and Report (document the event and improve defenses).
5. Practical Scenario
When an unauthorized SSH login attempt is observed, the guide suggests:
Check logs: grep 'sshd' /var/log/auth.log to identify suspicious entries (Debian/Ubuntu; RHEL-family systems log to /var/log/secure, and journalctl -u ssh on Debian or journalctl -u sshd on RHEL works on any systemd host).
Block the offending IP: iptables -I INPUT 1 -s 192.168.1.100 -j DROP. The article's version uses -A, which appends the rule after the ACCEPT for port 22 from section 1, so SSH traffic from that address is accepted before the DROP is ever evaluated; inserting at position 1 puts the block first.
Audit and remediate: review user permissions and configuration files (and the audit log for changes to /etc/passwd), then fix any discovered weaknesses.
This hands-on example demonstrates how to apply the earlier hardening techniques in a real-world attack mitigation workflow.
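The three steps above as an added example that is not from the article: a detector that counts OpenSSH "Failed password" lines per source address, and a blocker that inserts the DROP at the top of INPUT, where it takes precedence over the SSH ACCEPT rule from section 1 (appending with -A, as the article's command does, would place it after that ACCEPT). The sample log lines are constructed for the example, the threshold and function names are its own, and the allow-list is a plain list of exact addresses, with no CIDR matching.

```bash
#!/usr/bin/env bash
# Detect repeated failed SSH logins and block the source.
# Added example, not from the article. Log format is the OpenSSH
# "Failed password" line as written to /var/log/auth.log on Debian/Ubuntu;
# on RHEL read /var/log/secure or `journalctl -u sshd` instead.

# Constructed sample of auth.log lines for the example.
SAMPLE_LOG='Mar  3 10:01:02 web1 sshd[1201]: Failed password for invalid user admin from 192.168.1.100 port 51822 ssh2
Mar  3 10:01:04 web1 sshd[1201]: Failed password for invalid user admin from 192.168.1.100 port 51822 ssh2
Mar  3 10:01:07 web1 sshd[1203]: Failed password for root from 192.168.1.100 port 51830 ssh2
Mar  3 10:01:09 web1 sshd[1205]: Failed password for root from 192.168.1.100 port 51831 ssh2
Mar  3 10:01:11 web1 sshd[1207]: Failed password for root from 192.168.1.100 port 51832 ssh2
Mar  3 10:02:15 web1 sshd[1210]: Accepted publickey for deploy from 10.0.0.5 port 40022 ssh2: ED25519 SHA256:abc
Mar  3 10:03:40 web1 sshd[1212]: Failed password for deploy from 10.0.0.5 port 40030 ssh2'

# failed_login_ips [THRESHOLD] < auth.log
# Prints "count ip", most failures first, for every source at or above THRESHOLD.
# The address is taken from the token after "from", so it works for both the
# "invalid user NAME" and plain "for NAME" forms of the message.
failed_login_ips() {
  threshold=${1:-5}
  awk -v t="$threshold" '
    /sshd\[[0-9]+\]: Failed password for/ {
      for (i = 1; i <= NF; i++) if ($i == "from") { c[$(i+1)]++; break }
    }
    END { for (ip in c) if (c[ip] >= t) print c[ip], ip }
  ' | sort -rn
}

# block_ip IP [ALLOWED_IP...]
# Refuses to block an allow-listed address (your own source, the monitoring
# host), skips addresses already blocked, and inserts rather than appends so
# the DROP is evaluated before any ACCEPT in the chain.
block_ip() {
  ip=$1
  shift
  for safe in "$@"; do
    if [ "$ip" = "$safe" ]; then
      echo "refusing to block allow-listed $ip" >&2
      return 1
    fi
  done
  if iptables -C INPUT -s "$ip" -j DROP 2>/dev/null; then
    return 0   # already blocked
  fi
  iptables -I INPUT 1 -s "$ip" -j DROP
}

if [ "${1:-}" = "--run" ]; then
  log=${2:-/var/log/auth.log}
  failed_login_ips 5 < "$log" | while read -r count ip; do
    echo "$count failures from $ip, blocking"
    block_ip "$ip" "${ADMIN_IP:-}"   # set ADMIN_IP to the address you administer from
  done
fi
```

Running failed_login_ips 5 over the sample reports only 192.168.1.100; the single failure from 10.0.0.5 stays below the threshold, which is the point of counting rather than blocking on the first bad password. A block list built this way is still only as good as the log it reads, so pair it with the audit rule from section 2 and with key-only SSH authentication, which removes the password guessing surface altogether.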
Full-Stack DevOps & Kubernetes
Focused on sharing DevOps, Kubernetes, Linux, Docker, Istio, microservices, Spring Cloud, Python, Go, databases, Nginx, Tomcat, cloud computing, and related technologies.