BestHub
Sign in
Information Security 23 min read

Essential Linux Security Practices Every Ops Engineer Should Know

This article outlines comprehensive Linux security measures—including account hardening, remote access protection, file system safeguards, rootkit detection tools, and step‑by‑step post‑attack response—to help system administrators strengthen server defenses and quickly recover from compromises.

MaGe Linux Operations
MaGe Linux Operations
MaGe Linux Operations
Essential Linux Security Practices Every Ops Engineer Should Know

Account and Login Security

Account security is the first line of defense; remove unnecessary system accounts and groups, disable unused services, enforce strong password policies or preferably use SSH key authentication, and limit the use of su in favor of sudo with proper /etc/sudoers configuration.

Remote Access and Authentication Security

Replace telnet with SSH, protect shell history files, enable tcp_wrappers and configure iptables firewalls, and apply layered network protection.

File System Security

Lock critical files with chattr, avoid immutable attributes on essential directories such as /, /dev, /tmp, and /var, enforce proper file permissions, and secure temporary directories ( /tmp, /var/tmp, /dev/shm) using mount options nosuid,noexec,nodev or loopback filesystems.

Linux Backdoor Detection Tools

Rootkits can be file‑level or kernel‑level. Use integrity checkers like Tripwire or AIDE, and detection tools such as chkrootkit and RKHunter. Example commands:

find / -type f -perm -2 -o -perm -20 | xargs ls -al
find / -type d -perm -2 -o -perm -20 | xargs ls -ld
find / -type f -perm -4000 -o -perm -2000 -print | xargs ls -al
find / -user root -perm -2000 -print -exec md5sum {} ;
find / -user root -perm -4000 -print -exec md5sum {} ;
find / -nouser -o -nogroup
[root@server chkrootkit]# /usr/local/chkrootkit/chkrootkit
Checking `ifconfig'... INFECTED
Checking `ls'... INFECTED
Checking `login'... INFECTED
Checking `netstat'... INFECTED
Checking `ps'... INFECTED
Checking `top'... INFECTED
Checking `sshd'... not infected

Post‑Attack Handling Process

When a server is compromised, isolate the network, identify the attacker, analyze the intrusion vector, back up data, reinstall the operating system, patch vulnerabilities, restore data, and re‑enable services. Additionally, lock suspicious users, examine system logs (e.g., /var/log/messages, /var/log/secure, .bash_history), verify running processes, and confirm file‑system integrity using tools like rpm -Va or lsattr.

Original Source

Signed-in readers can open the original source through BestHub's protected redirect.

Sign in to view source
Republication Notice

This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contactadmin@besthub.devand we will review it promptly.

OperationsLinuxSecurityHardeningRootkit
MaGe Linux Operations
Written by

MaGe Linux Operations

Founded in 2009, MaGe Education is a top Chinese high‑end IT training brand. Its graduates earn 12K+ RMB salaries, and the school has trained tens of thousands of students. It offers high‑pay courses in Linux cloud operations, Python full‑stack, automation, data analysis, AI, and Go high‑concurrency architecture. Thanks to quality courses and a solid reputation, it has talent partnerships with numerous internet firms.

0 followers
Reader feedback

How this landed with the community

Sign in to like

Rate this article

Was this worth your time?

Sign in to rate
Discussion

0 Comments

Thoughtful readers leave field notes, pushback, and hard-won operational detail here.

Sign in to comment