You’ve probably heard any number of Linux fans proclaim that the open source operating system is the most secure on the planet — and maybe the universe and throughout the whole of time (past, present, and future).
I’ll say this: Although Linux is the most secure major operating system on the market, that doesn’t mean it’s an impenetrable fortress.
I like to look at it this way: if a computer is connected to a network, it’s vulnerable. There’s really no way around that because as long as there are hackers, they will find ways to get around things. And with quantum computing on the horizon, there’s no telling if any OS will ever be able to claim the crown of security.
Fortunately, there are some things you can do with any Linux distribution to make it more secure. And although this list might seem a bit basic to some, when you put it all together as a whole, it works and works well.
With that said, let’s get to the steps.
Step 1: Update, Update, Update
I cannot state the importance of this enough. You must update regularly. I check for updates daily and am generally surprised that there’s something available almost every time. I go one step further and create a bash alias for the upgrade process, so I can run a single command that updates apt, checks for updates, applies updates, and then cleans up after itself.
The reason why I’m such a stickler about updating is that updates almost always include bug fixes and security patches. Because of that, I always want to ensure my Linux deployments are as up to date as possible.
Remember that alias I mentioned? I add it to my ~/.bash_aliases file and it looks like this:
| 1 | aliasupdate=“sudo apt-get update && sudo apt-get upgrade -y && sudo apt-get autoremove -y” |
With that in place, all I have to do is type update at the bash prompt and hit Enter on my keyboard.
Don’t slouch on updates.
Above you see how to update Debian-based distributions. If you use a Fedora-based distribution, the command is:
| 1 | sudodnfupdate |
If you use an Arch-based distribution, the command is:
| 1 | sudopacman –Syu |
Step 2: Enable and Configure a Firewall
You might be surprised to find your distribution’s firewall is disabled by default. That means any traffic can enter and leave your machine. You probably don’t want that (especially if you’re on a busy work LAN). You not only want to enable the firewall, but you also want to configure it so specific traffic (such as SSH) can enter safely.
You should not run your system with the firewall disabled.
To enable the firewall on Ubuntu, the command is:
| 1 | sudoufwenable |
You can then enable SSH traffic through the firewall with the command:
| 1 | sudoufwallowssh |
If you use a nonstandard port for SSH, you can allow it through like this:
| 1 | sudoufwallow 2222/tcp |
If you’re on a Fedora-based distribution, enable the firewall using sudo with:
| 1 | sudosystemctlenable —nowfirewalld |
To allow SSH traffic through that firewall, the command would be:
| 1 | sudofirewall–cmd —permanent —add–service=ssh |
You can allow whatever traffic you need through the firewall, just keep it to a bare minimum to remain safe.
Step 3: Secure SSH Access
Speaking of SSH, although it enjoys a decent level of security out of the box, there are things you can do to improve it. For example, you can edit the /etc/ssh/sshd_config file and make the following changes:
- Change the default port (e.g., from 22 to 2222)
- Set “PermitRootLogin no”
- Ensure “PasswordAuthentication no” is set
Make sure to restart the SSH service after making changes with the following commands:
- Debian-based distributions:
sudo systemctl restart ssh - Fedora-based distributions:
sudo systemctl restart sshd
You should also make sure to implement SSH key authentication. If you want to go further with that, you can add 2FA for SSH access and even add fail2ban to block unwanted SSH connections.
Step 4: Implement Strong Password Policies
This one almost always slips by the wayside. If you’re the only one who ever logs into a system, you don’t really have to bother with this (other than always using strong passwords). If you have multiple users who log in, you’ll want to not only enforce strong passwords, but also regular password changes.
For example, you can force a regular password change with the chagecommand like so:
| 1 | sudochage –E 30 leigh |
The above command would expire the password every 30 days for user leigh.
You can also enforce password policies (which is a bit more challenging). To do that, first install the libpam-pwquality tool. If it’s not already installed on your system, you can install it from the standard repository like so:
| 1 | sudoapt–getinstalllibpam–pwqualitylibpwquality1 –y |
or
| 1 | sudodnfinstalllibpwquality –y |
Once installed, open the necessary configuration file for editing with the command:
- On Ubuntu-based distributions:
sudo nano /etc/pam.d/common-password</code) - On Fedora-based distributions:
sudo nano /etc/pam.d/system-auth
Locate the line:
| 1 | password requisite pam_pwquality.soretry=3 |
Let’s create a policy with the following requirements:
- minimum length = 8
- maxrepeat = 3
- ucredit = at least one uppercase letter
- lcredit = at least one lowercase letter
- dcredit = at least one numeric character
- ocredit = at least one special character
- difok = at least 4 changes between old and new password
- reject_username enabled
- enforce_for_root enabled
For that, replace the password requisite pam_pwquality.so retry=3 line with the following:
| 1 | password requisite pam_pwquality.soretry=3 minlen=8 maxrepeat=3 ucredit=-1 lcredit=-1 dcredit=-1 ocredit=-1 difok=4 reject_usernameenforce_for_root |
If you attempt either to create a new user or change a user’s password, the new policy will be enforced.
Step 5: Enable Automatic Security Updates
You can (and should) also enable automatic security updates. By doing this, you can be certain that all updates that pertain to security will automatically be installed in the background and on a regular basis.
On Ubuntu-based distributions, automatic updates can be enabled in the Software & Updates app in the Updates tab. Select Daily from the “Automatically check for updates” drop-down and then select “Download and Install automatically” from the “When there are security updates” drop-down (Figure 1).
Figure 1: Enabling automatic updates on Pop!_OS Linux (which is based on Ubuntu).
With Fedora, you have to take a few extra steps. First, you must install an app with:
| 1 | sudodnfinstalldnf–automatic –y |
Open the configuration file with:
| 1 | sudonano /etc/dnf/automatic.conf |
In that file, look for the following line:
| 1 | apply_updates = no |
Change that to:
| 1 | apply_updates = yes |
Next, look for the line:
| 1 | upgrade_type = default |
Set that to the following:
| 1 | upgrade_type = security |
Finally, you can set the system to notify you that an upgrade has been applied by configuring the [email] section. You’ll need an email address and a host to use for the server. I’ve set this up using Google’s Gmail SMTP servers, and it works fine. If you go the Google route, you’ll need to create an app password for this to work.
Save and close the file, and your system is set.
One thing to keep in mind (and this is important) is that you should not use automatic updates on server deployments. Instead, either run those updates manually (and regularly) or use an automated tool like Ansible. Your servers must be as secure as possible, and automatic upgrades might not be the best route for your systems.
Also note that with Fedora, automatic upgrades sometimes cannot be completed until a reboot happens (because that’s how Fedora handles certain upgrades).
There you go: five easy steps to securing just about any Linux system. There are more complicated methods and steps you can take, but these five will get you started on the right foot.
