Since its release in the early nineties, Linux has won the admiration of the technology community thanks to its stability, versatility, customizability, and a large community of open-source developers who work round-the-clock to provide bug fixes and improvements to the operating system. By and large, Linux is the operating system of choice for public cloud, servers, and supercomputers, and close to 75% of internet-facing production servers run on Linux.
Aside from powering the internet, Linux has found its way to the digital world and hasn’t abated since then. It powers a vast array of smart gadgets including Android smartphones, tablets, smartwatches, smart displays and so many more.
Is Linux that Secure?
Linux is renowned for its top-level security and it’s one of the reasons why it makes for a favorite choice in enterprise environments. But here’s a fact, no operating system is 100% secure. Many users believe that Linux is a foolproof operating system, which is a false assumption. In fact, any operating system with an internet connection is susceptible to potential breaches and malware attacks.
During its early years, Linux had a much smaller tech-centric demographic and the risk of suffering from malware attacks was remote. Nowadays Linux powers a huge chunk of the internet, and this has propelled the growth of the threat landscape. The threat of malware attacks is more real than ever.
A perfect example of a malware attack on Linux systems is the Erebus ransomware, a file-encrypting malware that affected close to 153 Linux servers of NAYANA, a South Korean web hosting company.
For this reason, it’s prudent to further harden the operating system to give it the much-desired security to safeguard your data.
Linux Server Hardening Tips
Securing your Linux server is not as complicated as you might think. We have compiled a list of the best security policies that you need to implement to fortify the security of your system and maintain data integrity.
1. Update Software Packages Regularly
In the initial stages of the Equifax breach, hackers leveraged a widely known vulnerability – Apache Struts – on Equifax’s customer complaint web portal.
Apache Struts is an open-source framework for creating modern and elegant Java web applications developed by the Apache Foundation. The Foundation released a patch to fix the vulnerability on March 7, 2017, and issued a statement to that effect.
Equifax were notified of the vulnerability and advised to patch their application, but sadly, the vulnerability remained unpatched until July of the same year at which point it was too late. The attackers were able to gain access to the company’s network and exfiltrate millions of confidential customer records from the databases. By the time Equifax got wind of what was happening, two months had already passed.
So, what can we learn from this?
Malicious users or hackers will always probe your server for possible software vulnerabilities which they can then leverage to breach your system. To be on the safe side, always update your software to its current versions to apply patches to any existing vulnerabilities.
If you are running Ubuntu or Debian-based systems, the first step is usually to update your package lists or repositories as shown.
$ sudo apt update
To check for all the packages with available updates, run the command:
$ sudo apt list --upgradable
The upgrade your software applications to their current versions as shown:
$ sudo apt upgrade
You can concatenate these two in one command as shown.
$ sudo apt update && sudo apt upgrade
For RHEL & CentOS upgrade your applications by running the command:
$ sudo dnf update ( CentOS 8 / RHEL 8 ) $ sudo yum update ( Earlier versions of RHEL & CentOS )
Another viable option is to enable automatic security updates for Ubuntu and also setup automatic updates for CentOS / RHEL.
2. Remove Legacy Communication Services/Protocols
Despite its support for a myriad of remote protocols, legacy services such as rlogin, telnet, TFTP and FTP can pose huge security issues for your system. These are old, outdated, and insecure protocols where data is sent in plain text. If these are existing, consider removing them as shown.
For Ubuntu / Debian-based systems, execute:
$ sudo apt purge telnetd tftpd tftpd-hpa xinetd rsh-server rsh-redone-server
For RHEL / CentOS-based systems, execute:
$ sudo yum erase xinetd tftp-server telnet-server rsh-server ypserv
3. Close Unused Ports on the Firewall
Once you have removed all the insecure services it’s important to scan your server for open ports and close any unused ports which can potentially be used an entry point by hackers.
Suppose you want to block port 7070 on the UFW firewall. The command for this will be:
$ sudo ufw deny 7070/tcp
Then reload the firewall for the changes to take effect.
$ sudo ufw reload
For Firewalld, run the command:
$ sudo firewall-cmd --remove-port=7070/tcp --permanent
And remember to reload the firewall.
$ sudo firewall-cmd --reload
Then cross-check the firewall rules as shown:
$ sudo firewall-cmd --list-all
4. Secure SSH Protocol
The SSH protocol is a remote protocol that allows you to securely connect to devices on a network. While it’s considered secure, the default settings are not enough and some extra tweaks are required to further deter malicious users from breaching your system.
We have a comprehensive guide on how to harden the SSH protocol. Here are the main highlights.
- Configure passwordless SSH login & enable private/public key authentication.
- Disable SSH remote root login.
- Disable SSH logins from users with empty passwords.
- Disable password authentication altogether and stick to SSH private/public key authentication.
- Limit access to specific SSH users.
- Configure a limit for password attempts.
5. Install and Enable Fail2ban
Fail2ban is an open-source intrusion prevention system that safeguards your server from bruteforce attacks. It protects your Linux system by banning IPs that indicate malicious activity such as too many login attempts. Out of the box, it ships with filters for popular services such as Apache webserver, vsftpd and SSH.
We have a guide on how to configure Fail2ban to further fortify the SSH protocol.
6. Enforce Password Strength using PAM Module
Reusing passwords or using weak and simple passwords greatly undermines the security of your system. You enforce a password policy, use the pam_cracklib to set or configure the password strength requirements.
Using the PAM module, you can define the password strength by editing the /etc/pam.d/system-auth file. For example, you can set password complexity and prevent the reuse of passwords.
7. Install an SSL/TLS Certificate
If you are running a website, always ensure to secure your domain using an SSL/ TLS certificate to encrypt data exchanged between the users’ browser and the webserver.
8. Disable Weak Encryption Protocols & Cipher Keys
Once you encrypt your site, consider also disabling weak encryption protocols. At the time of writing this guide, the latest protocol is TLS 1.3, which is the most common and widely used protocol. Earlier versions such as TLS 1.0, TLS 1.2, and SSLv1 to SSLv3 have been associated with known vulnerabilities.
[ You might also like: How to Enable TLS 1.3 in Apache and Nginx ]
Wrapping Up
That was a summary of some of the steps you can take to ensure data security and privacy for your Linux system.
The above is the detailed content of LFCA – Useful Tips for Securing Data and Linux – Part 18. For more information, please follow other related articles on the PHP Chinese website!
Hot AI Tools
Undress AI Tool
Undress images for free
Undresser.AI Undress
AI-powered app for creating realistic nude photos
AI Clothes Remover
Online AI tool for removing clothes from photos.
Clothoff.io
AI clothes remover
Video Face Swap
Swap faces in any video effortlessly with our completely free AI face swap tool!
Hot Article
Hot Tools
Notepad++7.3.1
Easy-to-use and free code editor
SublimeText3 Chinese version
Chinese version, very easy to use
Zend Studio 13.0.1
Powerful PHP integrated development environment
Dreamweaver CS6
Visual web development tools
SublimeText3 Mac version
God-level code editing software (SublimeText3)
Hot Topics
5 Best Open Source Mathematical Equation Editors for Linux
Jun 18, 2025 am 09:28 AM
Are you looking for good software to write mathematical equations? If so, this article provides the top 5 equation editors that you can easily install on your favorite Linux distribution.In addition to being compatible with different types of mathema
SCP Linux Command – Securely Transfer Files in Linux
Jun 20, 2025 am 09:16 AM
Linux administrators should be familiar with the command-line environment. Since GUI (Graphical User Interface) mode in Linux servers is not commonly installed.SSH may be the most popular protocol to enable Linux administrators to manage the servers
Gogo - Create Shortcuts to Directory Paths in Linux
Jun 19, 2025 am 10:41 AM
Gogo is a remarkable tool to bookmark directories inside your Linux shell. It helps you create shortcuts for long and complex paths in Linux. This way, you no longer need to type or memorize lengthy paths on Linux.For example, if there's a directory
What is a PPA and how do I add one to Ubuntu?
Jun 18, 2025 am 12:21 AM
PPA is an important tool for Ubuntu users to expand their software sources. 1. When searching for PPA, you should visit Launchpad.net, confirm the official PPA in the project official website or document, and read the description and user comments to ensure its security and maintenance status; 2. Add PPA to use the terminal command sudoadd-apt-repositoryppa:/, and then run sudoaptupdate to update the package list; 3. Manage PPAs to view the added list through the grep command, use the --remove parameter to remove or manually delete the .list file to avoid problems caused by incompatibility or stopping updates; 4. Use PPA to weigh the necessity and prioritize the situations that the official does not provide or require a new version of the software.
Install LXC (Linux Containers) in RHEL, Rocky & AlmaLinux
Jul 05, 2025 am 09:25 AM
LXD is described as the next-generation container and virtual machine manager that offers an immersive for Linux systems running inside containers or as virtual machines. It provides images for an inordinate number of Linux distributions with support
How to create a file of a specific size for testing?
Jun 17, 2025 am 09:23 AM
How to quickly generate test files of a specified size? It can be achieved using command line tools or graphical software. On Windows, you can use fsutilfilecreatenew file name size to generate a file with a specified byte; macOS/Linux can use ddif=/dev/zeroof=filebs=1Mcount=100 to generate real data files, or use truncate-s100M files to quickly create sparse files. If you are not familiar with the command line, you can choose FSUtilGUI, DummyFileGenerator and other tool software. Notes include: pay attention to file system limitations (such as FAT32 file size upper limit), avoid overwriting existing files, and some programs may
NVM - Install and Manage Multiple Node.js Versions in Linux
Jun 19, 2025 am 09:09 AM
Node Version Manager (NVM) is a simple bash script that helps manage multiple Node.js versions on your Linux system. It enables you to install various Node.js versions, view available versions for installation, and check already installed versions.NV
How to install Linux alongside Windows (dual boot)?
Jun 18, 2025 am 12:19 AM
The key to installing dual systems in Linux and Windows is partitioning and boot settings. 1. Preparation includes backing up data and compressing existing partitions to make space; 2. Use Ventoy or Rufus to make Linux boot USB disk, recommend Ubuntu; 3. Select "Coexist with other systems" or manually partition during installation (/at least 20GB, /home remaining space, swap optional); 4. Check the installation of third-party drivers to avoid hardware problems; 5. If you do not enter the Grub boot menu after installation, you can use boot-repair to repair the boot or adjust the BIOS startup sequence. As long as the steps are clear and the operation is done properly, the whole process is not complicated.
