How to Build a Complete Linux Enterprise Security Framework—from Intrusion Detection to Incident Response

This guide walks through a real-world DDoS and SSH brute‑force incident and shows how to design a layered Linux security architecture, configure firewalls, host hardening, OSSEC HIDS, Suricata IDS, ELK monitoring, automated response scripts, and continuous improvement metrics for enterprise environments.

Raymond Ops

Incident Recap

At 03:00 a production web server showed 95% CPU usage and a traffic spike; investigation revealed a DDoS attack combined with SSH brute‑force attempts, demonstrating the need for layered security.

Step 1 – Layered Defense Architecture

Network Boundary Protection

# Allow loopback and packets belonging to connections that are already established
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Rate-limit new SSH connections (this limit is global, not per source; see the tip below)
iptables -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 3 -j ACCEPT
# --dport takes a single port or range only; several ports need the multiport match
iptables -A INPUT -p tcp -m multiport --dports 80,443 -j ACCEPT
# Default deny for everything not matched above
iptables -A INPUT -j DROP

Tip: Place frequently matched rules early. Use -m recent to rate-limit per source address: the -m limit rule above counts all new SSH connections together, so a single brute-forcing host can exhaust the allowance for legitimate administrators.

Host Hardening

#!/bin/bash
# Read-only hardening audit; run as root so every file is readable
echo "=== Linux Security Hardening Check ==="
echo "Checking for accounts with UID 0 other than root..."
awk -F: '($3 == 0) {print $1}' /etc/passwd
echo "Checking password policy..."
grep ^PASS /etc/login.defs
echo "Checking SSH config..."
grep -E "^(PermitRootLogin|PasswordAuthentication|PermitEmptyPasswords)" /etc/ssh/sshd_config
echo "Checking suspicious cron jobs..."
# Current user's crontab plus system-wide cron entries, comments and blank lines dropped
crontab -l 2>/dev/null | grep -v "^#"
cat /etc/crontab /etc/cron.d/* 2>/dev/null | grep -vE "^(#|$)"

Step 2 – Intrusion Detection System (IDS)

HIDS with OSSEC

<ossec_config>
  <global>
    <email_notification>yes</email_notification>
    <smtp_server>smtp.company.com</smtp_server>
    <email_from>[email protected]</email_from>
    <email_to>[email protected]</email_to>
  </global>
  <rules>
    <include>rules_config.xml</include>
    <include>pam_rules.xml</include>
    <include>attack_rules.xml</include>
    <include>local_rules.xml</include>
  </rules>
  <syscheck>
    <frequency>79200</frequency>
    <directories>/etc,/usr/bin,/usr/sbin,/bin,/sbin,/var/www</directories>
    <ignore>/etc/mtab</ignore>
  </syscheck>
  <rootcheck>
    <rootkit_files>/var/ossec/etc/shared/rootkit_files.txt</rootkit_files>
    <rootkit_trojans>/var/ossec/etc/shared/rootkit_trojans.txt</rootkit_trojans>
    <system_audit>/var/ossec/etc/shared/system_audit_rcl.txt</system_audit>
  </rootcheck>
  <remote>
    <connection>syslog</connection>
    <port>514</port>
    <protocol>udp</protocol>
    <allowed-ips>10.0.0.0/8</allowed-ips>
  </remote>
  <alerts>
    <log_alert_level>1</log_alert_level>
    <email_alert_level>7</email_alert_level>
  </alerts>
</ossec_config>

Network Traffic Analysis with Suricata

# suricata.yaml
vars:
  address-groups:
    HOME_NET: "[192.168.0.0/16,10.0.0.0/8,172.16.0.0/12]"
    EXTERNAL_NET: "!$HOME_NET"
    HTTP_SERVERS: "$HOME_NET"
    SMTP_SERVERS: "$HOME_NET"
    SQL_SERVERS: "$HOME_NET"
    DNS_SERVERS: "$HOME_NET"
    TELNET_SERVERS: "$HOME_NET"
    AIM_SERVERS: "$EXTERNAL_NET"

default-rule-path: /etc/suricata/rules
rule-files:
  - suricata.rules
  - /etc/suricata/rules/local.rules

af-packet:
  - interface: eth0
    threads: 4
    cluster-id: 99
    cluster-type: cluster_flow
    defrag: yes

Performance tips:

Bind worker threads to specific CPU cores (threading cpu-affinity) so each af-packet thread keeps its cache warm.

Increase the af-packet ring-size to absorb traffic bursts and reduce packet drops; watch capture.kernel_drops in stats.log to confirm the effect.

Regularly update rule sets and disable unnecessary rules.

Step 3 – Security Monitoring Center

ELK Stack Log Mapping

{
  "mappings": {
    "properties": {
      "@timestamp": {"type": "date"},
      "host": {"type": "keyword"},
      "source_ip": {"type": "ip"},
      "dest_ip": {"type": "ip"},
      "alert_level": {"type": "integer"},
      "rule_id": {"type": "keyword"},
      "description": {"type": "text"},
      "user": {"type": "keyword"},
      "command": {"type": "text"}
    }
  }
}

Key Security Indicators (KSI)

Detection

Mean Time to Detect (MTTD) < 15 min

False‑positive rate < 5 %

Coverage > 95 %

Response

Mean Time to Respond (MTTR) < 30 min

Success rate > 98 %

Automation ratio > 80 %

Recovery

Mean Time to Recover < 2 h

Business continuity > 99.9 %

Step 4 – Incident Response Workflow

Automated Response Script

#!/bin/bash
# Usage: respond.sh <brute_force|malware|data_exfiltration> [source_ip]
INCIDENT_TYPE=$1
SOURCE_IP=$2
LOG_FILE="/var/log/security_incident.log"
log_incident() {
  echo "$(date): [$INCIDENT_TYPE] $1" >> "$LOG_FILE"
}
case "$INCIDENT_TYPE" in
  "brute_force")
    # The address comes from an alert and ends up in a firewall rule: accept only a well-formed IPv4 value
    if ! [[ "$SOURCE_IP" =~ ^[0-9]{1,3}(\.[0-9]{1,3}){3}$ ]]; then
      log_incident "Rejected malformed source IP: $SOURCE_IP"; exit 1
    fi
    log_incident "Brute-force attack from $SOURCE_IP"
    iptables -I INPUT -s "$SOURCE_IP" -j DROP
    echo "Brute-force alert - IP: $SOURCE_IP" | mail -s "Security Alert" [email protected]
    ;;
  "malware")
    log_incident "Malware activity detected"
    systemctl stop network
    # /dev/mem is restricted on most modern kernels (STRICT_DEVMEM), so a dedicated
    # memory-acquisition tool is usually required instead of dd
    dd if=/dev/mem of=/tmp/memory_dump.img
    ;;
  "data_exfiltration")
    log_incident "Data exfiltration risk detected"
    iptables -P OUTPUT DROP
    # -a includes established connections, not only listening sockets
    netstat -tunap > /tmp/network_connections.txt
    ;;
  *)
    echo "Unknown incident type: $INCIDENT_TYPE" >&2; exit 1
    ;;
esac
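As an added example (not code from the article), the detection side that feeds the brute_force branch above: a sliding-window counter over constructed sshd log lines that flags a source once it reaches a threshold of failures within a timeframe, the same frequency/timeframe model OSSEC rules use, and emits an alert shaped to the Step 3 Elasticsearch mapping. The sample log, the rule id and the alert level are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timezone

# Constructed sshd log lines in syslog format (not from a real host); the year is absent, as in auth.log.
SAMPLE_AUTH_LOG = """\
Mar  3 03:00:01 web01 sshd[2101]: Failed password for root from 203.0.113.7 port 51234 ssh2
Mar  3 03:00:02 web01 sshd[2103]: Failed password for invalid user admin from 203.0.113.7 port 51236 ssh2
Mar  3 03:00:04 web01 sshd[2105]: Failed password for root from 203.0.113.7 port 51240 ssh2
Mar  3 03:00:05 web01 sshd[2107]: Accepted publickey for deploy from 10.0.0.25 port 40022 ssh2
Mar  3 03:00:07 web01 sshd[2109]: Failed password for root from 203.0.113.7 port 51244 ssh2
Mar  3 03:00:09 web01 sshd[2111]: Failed password for root from 203.0.113.7 port 51250 ssh2
Mar  3 03:01:30 web01 sshd[2120]: Failed password for bob from 198.51.100.9 port 6000 ssh2
Mar  3 03:10:00 web01 sshd[2130]: Failed password for bob from 198.51.100.9 port 6001 ssh2
"""

FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

def detect_ssh_brute_force(log_text, threshold=5, timeframe=120, year=2024):
    """Return one alert per source IP that reaches `threshold` failed logins within any
    `timeframe`-second window (the frequency/timeframe model OSSEC rules use).
    Alert fields follow the Elasticsearch mapping from Step 3."""
    windows = defaultdict(deque)   # source ip -> timestamps of failures still inside the window
    alerts = {}
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue               # successful logins and unrelated messages are ignored
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S").replace(tzinfo=timezone.utc)
        q = windows[m["ip"]]
        q.append(ts)
        while (ts - q[0]).total_seconds() > timeframe:
            q.popleft()            # age out failures older than the window
        if len(q) >= threshold and m["ip"] not in alerts:
            alerts[m["ip"]] = {    # alert once per source; the response script then blocks the IP
                "@timestamp": ts.isoformat(),
                "host": m["host"],
                "source_ip": m["ip"],
                "alert_level": 10,                      # chosen level; OSSEC levels run 0-15
                "rule_id": "local-ssh-bruteforce",      # hypothetical rule id for this example
                "description": f"{len(q)} failed SSH logins within {timeframe}s",
                "user": m["user"],
            }
    return list(alerts.values())
```

On the sample, 203.0.113.7 fails five times in eight seconds and is flagged once; 198.51.100.9 fails twice nine minutes apart and is not.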

Playbook Steps

Rapid Assessment

Identify incident type and scope.

Evaluate business impact.

Decide whether to trigger response.

Evidence Collection

# Compute the directory name once; calling date twice can cross a second boundary and cd into the wrong place
EVIDENCE_DIR="/tmp/incident_$(date +%Y%m%d_%H%M%S)"
mkdir -p "$EVIDENCE_DIR"
cd "$EVIDENCE_DIR" || exit 1
# Volatile state first, then logs and file hashes
uname -a > system_info.txt
ps aux > process_list.txt
netstat -tunap > network_connections.txt
# Log names differ by distribution (messages/secure on RHEL-family, auth.log on Debian-family); copy whichever exist
cp /var/log/messages /var/log/secure /var/log/auth.log . 2>/dev/null
find /etc -type f -exec md5sum {} \; > etc_md5.txt

Threat Elimination

Isolate affected systems.

Remove malicious code.

Patch vulnerabilities.

System Recovery

Validate system integrity.

Restore services.

Strengthen post‑incident monitoring.

Step 5 – Continuous Improvement & Optimization

Security Baseline Check (Python)

#!/usr/bin/env python3
import subprocess, json

def check_security_baseline():
    results = {}
    # SSH configuration: keywords are case-insensitive and a line may carry a single token,
    # so split defensively instead of unpacking blindly (sshd -T prints the effective config
    # if Include directives are in use)
    ssh_cfg = {}
    with open('/etc/ssh/sshd_config') as f:
        for line in f:
            parts = line.split(None, 1)
            if not parts or parts[0].startswith('#'):
                continue
            if parts[0].lower() == 'match':
                break   # settings inside Match blocks are conditional; stop at the first one
            ssh_cfg[parts[0].lower()] = parts[1].strip() if len(parts) > 1 else ''
    results['ssh_root_login'] = ssh_cfg.get('permitrootlogin', 'yes') == 'no'
    results['ssh_password_auth'] = ssh_cfg.get('passwordauthentication', 'yes') == 'no'
    # Firewall status
    fw = subprocess.run(['systemctl', 'is-active', 'iptables'], capture_output=True, text=True)
    results['firewall_active'] = fw.stdout.strip() == 'active'
    # Update check (yum): exit 0 means no pending updates, 100 means updates are available
    upd = subprocess.run(['yum', 'check-update'], capture_output=True, text=True)
    results['system_updated'] = upd.returncode == 0
    return results

if __name__ == '__main__':
    print(json.dumps(check_security_baseline(), indent=2))

Threat Intelligence Integration

# Update malicious IP blacklist (reputation.data layout: ip#reliability#risk#type#...)
wget -q https://reputation.alienvault.com/reputation.data -O /tmp/reputation.data
grep "Malicious Host" /tmp/reputation.data | cut -d'#' -f1 > /etc/security/malicious_ips.txt
# Update malicious domain list; skip the "0.0.0.0 0.0.0.0" self-entry that a bare grep would also match
curl -sf https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts |
  grep "^0.0.0.0 " | awk '$2 != "0.0.0.0" {print $2}' > /etc/security/malicious_domains.txt
# Apply to firewall; every line becomes a rule, so accept only well-formed IPv4 entries.
# For feeds with thousands of entries, load them into an ipset referenced by a single rule instead.
while read -r ip; do
  [[ "$ip" =~ ^[0-9]{1,3}(\.[0-9]{1,3}){3}$ ]] || continue
  iptables -I INPUT -s "$ip" -j DROP
done < /etc/security/malicious_ips.txt
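Added example, not the article's code: the same feed handling in Python with the validation the shell loop above lacks, plus an ipset restore file so the feed sits behind one firewall rule. The sample feed lines are constructed in the reputation.data and hosts layouts, HOME_NET mirrors the Suricata variable from Step 2 with loopback and 0.0.0.0/8 added, and the set name malicious_ips is an assumption.

```python
import ipaddress

# Constructed lines in the reputation.data layout (ip#reliability#risk#type#country#...); not real feed data.
SAMPLE_REPUTATION = """\
203.0.113.40#4#2#Malicious Host#US#,#37.75,-97.82#11
198.51.100.17#6#5#Scanning Host#CN#,#39.9,116.4#11
192.0.2.88#3#4#Malicious Host;Spamming#DE#,#51.2,9.0#11
10.0.0.5#9#9#Malicious Host#--#,#0,0#11
not-an-ip#1#1#Malicious Host#--#,#0,0#11
"""
# Constructed lines in the hosts-file layout, including the self-entry the article's grep would also match.
SAMPLE_HOSTS = """\
127.0.0.1 localhost
0.0.0.0 0.0.0.0
0.0.0.0 ads.example.net
0.0.0.0 tracker.example.org # trailing comment
"""
# The article's HOME_NET plus loopback and "this network": feed entries inside these must never be blocked.
HOME_NET = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "0.0.0.0/8")]

def parse_reputation(text, wanted_type="Malicious Host"):
    """Return the external IPv4 addresses whose type field contains wanted_type."""
    ips = set()
    for line in text.splitlines():
        fields = line.split("#")
        if len(fields) < 4 or wanted_type not in fields[3]:
            continue
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                                   # a malformed entry must never reach the firewall
        if ip.version == 4 and not any(ip in net for net in HOME_NET):
            ips.add(str(ip))
    return ips

def parse_hosts(text):
    """Return the domains sinkholed to 0.0.0.0, skipping comments and the 0.0.0.0 self-entry."""
    domains = set()
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split()
        if len(parts) >= 2 and parts[0] == "0.0.0.0" and parts[1] != "0.0.0.0":
            domains.add(parts[1].lower())
    return domains

def ipset_restore_lines(ips, setname="malicious_ips"):
    """Build `ipset restore` input; one set behind a single rule (-m set --match-set <setname> src -j DROP)."""
    lines = [f"create {setname} hash:ip -exist", f"flush {setname}"]
    lines += [f"add {setname} {ip}" for ip in sorted(ips, key=ipaddress.ip_address)]
    return lines
```

Feeding the restore lines to `ipset restore` and keeping one DROP rule that matches the set replaces the per-address iptables insertions, and the HOME_NET filter keeps a poisoned or mistaken feed entry from cutting off internal hosts.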

Key Success Factors

Automation First: Manual steps are error-prone.

Layered Defense: Single-point controls inevitably fail.

Continuous Monitoring: Security is a dynamic process.

Fast Response: Delays translate to loss.

Regular Drills: Theory must be validated by practice.

Future Trends

AI-Driven Security Analytics: Machine-learning models for anomaly detection.

Zero-Trust Architecture: Never trust any network traffic by default.

Cloud-Native Security: Protect containers and micro-services.

Security Left-Shift: Embed security early in the development lifecycle.

Repository Links

GitHub: https://github.com/raymond999999

Gitee: https://gitee.com/raymond9
