Essential Linux Security: Common Vulnerabilities and Practical Defense Strategies

Linux Common Security Vulnerabilities and Protection Measures: Operations Security Guide

In the wave of digital transformation, Linux is the core of enterprise infrastructure, and its security directly impacts business stability. Drawing on years of ops experience, this article shares the most common Linux security flaws and proven mitigation techniques.

Introduction: Why Linux Security Matters?

Over a decade of operations work has shown that more than 70% of network attacks target Linux servers, and 90% of incidents could have been avoided with proper configuration and timely patching.

1. Privilege‑Escalation Vulnerabilities

1.1 Improper sudo configuration

Misconfigured sudo can let ordinary users execute any command without a password.

# Dangerous sudo example
user1 ALL=(ALL) NOPASSWD: ALL
%developers ALL=(ALL) NOPASSWD: /bin/bash, /bin/sh

Security measures:

Apply the principle of least privilege

# Secure sudo configuration
user1 ALL=(www-data) NOPASSWD: /usr/bin/systemctl restart apache2
user1 ALL=(root) PASSWD: /usr/bin/apt update, /usr/bin/apt upgrade

Regularly audit sudo settings

# Verify sudo syntax
visudo -c
# List user sudo rights
sudo -l -U username

Enable sudo logging

# Log sudo actions
local2.* /var/log/sudo.log

1.2 SUID/SGID program risks

SUID and SGID binaries are frequent targets for privilege‑escalation attacks.

Identify risky programs:

# Find all SUID files
find / -perm -4000 -type f 2>/dev/null
# Find all SGID files
find / -perm -2000 -type f 2>/dev/null

Protection strategies:

Periodically audit SUID/SGID inventories.

Remove unnecessary special‑permission binaries.

Replace SUID with Linux capabilities where possible.

Implement file‑integrity monitoring.

2. Network Service Vulnerabilities

2.1 SSH hardening

SSH is the primary remote‑management channel and a frequent attack vector.

# /etc/ssh/sshd_config key settings
Port 2222
Protocol 2
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
MaxAuthTries 3
ClientAliveInterval 300
AllowUsers user1 user2

Advanced measures:

Enable two‑factor authentication

# Install Google Authenticator
apt install libpam-google-authenticator
# Configure PAM
echo "auth required pam_google_authenticator.so" >> /etc/pam.d/sshd

Deploy fail2ban to block brute‑force attempts

# /etc/fail2ban/jail.local for SSH
[sshd]
enabled = true
port = 2222
filter = sshd
logpath = /var/log/auth.log
maxretry = 3
bantime = 3600

2.2 Web server security

Web servers face the internet directly; proper hardening is essential.

# Nginx hardening example
server_tokens off;
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";
client_max_body_size 10M;
limit_req_zone $binary_remote_addr zone=login:10m rate=1r/s;

3. Kernel Vulnerabilities

3.1 Kernel privilege‑escalation flaws

Kernel bugs can grant attackers full system control.

Kernel security management:

Keep the kernel up‑to‑date

# Check current kernel version
uname -r
# List available updates
apt list --upgradable | grep linux-image
# Apply safe kernel upgrade
apt update && apt upgrade linux-image-generic

Enable kernel hardening features

# /etc/sysctl.conf security settings
kernel.dmesg_restrict = 1
kernel.kptr_restrict = 2
kernel.yama.ptrace_scope = 1
net.ipv4.conf.all.log_martians = 1

3.2 Container escape protection

With widespread container adoption, escape attacks become a new threat.

# Secure Docker run parameters
docker run --read-only --tmpfs /tmp \
  --security-opt=no-new-privileges \
  --cap-drop=ALL --cap-add=NET_BIND_SERVICE \
  --user 1000:1000 myapp

4. Filesystem Permission Vulnerabilities

4.1 Sensitive file permission management

Incorrect file permissions are a common security gap.

# Check critical system files
ls -la /etc/passwd /etc/shadow /etc/sudoers
# Fix permissions
chmod 644 /etc/passwd
chmod 600 /etc/shadow
chmod 440 /etc/sudoers

Automated permission audit script:

#!/bin/bash
CRITICAL_FILES="/etc/passwd /etc/shadow /etc/sudoers /etc/ssh/sshd_config"
for file in $CRITICAL_FILES; do
  if [ -f "$file" ]; then
    echo "Check $file permissions: $(stat -c '%a' $file)"
  fi
done

4.2 Home‑directory security

Home directory permissions directly affect user data safety.

Set home directory mode to 750 or stricter.

SSH private keys must be 600.

Regularly clean temporary files and sensitive data.

5. Log Management and Monitoring

5.1 Comprehensive logging strategy

Robust logging is a cornerstone of security defense.

# rsyslog configuration example
auth,authpriv.*    /var/log/auth.log
*.*;auth,authpriv.none  -/var/log/syslog
kern.*             -/var/log/kern.log
mail.*             -/var/log/mail.log

Log rotation configuration:

# /etc/logrotate.d/security
/var/log/auth.log /var/log/sudo.log {
    weekly
    missingok
    rotate 52
    compress
    delaycompress
    notifempty
    postrotate
        systemctl reload rsyslog
    endscript
}

5.2 Real‑time security monitoring

Establish a real‑time monitoring system to detect threats promptly.

Abnormal login activity.

Privilege‑change operations.

Unusual resource consumption.

Network connection anomalies.

# Simple failed‑login monitor
#!/bin/bash
tail -f /var/log/auth.log | while read line; do
  if echo "$line" | grep -q "Failed password"; then
    echo "Login failure detected: $line"
    # Add alert logic here
  fi
done

6. Network Security Protection

6.1 Firewall configuration strategy

A well‑configured firewall is the first line of network defense.

# Basic iptables rules
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp --dport 2222 -j ACCEPT   # SSH
iptables -A INPUT -p tcp --dport 80 -j ACCEPT     # HTTP
iptables -A INPUT -p tcp --dport 443 -j ACCEPT    # HTTPS
iptables -P INPUT DROP

UFW simplified configuration:

ufw default deny incoming
ufw default allow outgoing
ufw allow 2222/tcp
ufw allow 80/tcp
ufw allow 443/tcp
ufw enable

6.2 Intrusion detection system

Deploy IDS to improve threat detection capability.

# Initialize AIDE database
aide --init
mv /var/lib/aide/aide.db.new /var/lib/aide/aide.db
# Periodic integrity check
aide --check

7. Incident Response and Recovery

7.1 Security incident response process

Incident confirmation and classification.

Impact scope assessment.

Emergency isolation measures.

Evidence preservation.

System recovery.

Post‑mortem analysis and improvement.

7.2 Data backup and recovery

Backup strategies form the final line of defense.

Implement a 3‑2‑1 backup scheme.

Regularly test restoration procedures.

Encrypt backup data.

Store critical backups off‑site.

8. Compliance and Security Standards

8.1 Security compliance requirements

ISO 27001 Information Security Management.

PCI DSS for payment card data.

SOX compliance.

GDPR data protection.

8.2 Security audit practice

Regular audits continuously improve security posture.

User permission reviews.

Configuration baseline checks.

Vulnerability scanning.

Log analysis audits.

9. Automated Security Operations

9.1 Security configuration management

Use automation tools to enforce security settings.

- name: System security hardening
  hosts: all
  tasks:
    - name: Update system packages
      apt:
        update_cache: yes
        upgrade: safe
    - name: Configure SSH securely
      lineinfile:
        path: /etc/ssh/sshd_config
        regexp: '^PermitRootLogin'
        line: 'PermitRootLogin no'
      notify: restart sshd

9.2 Continuous security monitoring

Behavior‑based anomaly detection.

Machine‑learning threat analysis.

Automated response mechanisms.

Real‑time alert notifications.

Conclusion

Linux security is a systematic engineering effort that must be addressed from multiple dimensions. The measures presented here can significantly raise a system’s security level, but the work never ends—continuous monitoring, regular updates, and ongoing education are essential to keep defenses effective.