Cyber threats are common these days. The risk is so high that the most powerful operating system, Linux, is not immune to it anymore. If you are using Linux for either running a personal server, deploying apps in the cloud, or managing infrastructure, then this guide is for you.
Not sure how? There’s good news for you: this simple checklist will help you minimize the risk.
Let me walk you through 7 practical steps you can take right now to secure your Linux systems, without becoming a security expert.
1. Regularly Update Your System
Did you know that old or discontinued software is the most vulnerable to cyber-attacks?
Don’t invite hackers to take over your system by leaving it unpatched. apt, dnf, and yum are good package managers for keeping your system up to date.
If possible, enable automatic updates; they save time and make sure patches are not forgotten.
Tip: You can set up a weekly cron job to remind yourself to run security updates.
2. Code Signing Certificates
If you’re distributing software or scripts (even internally), you should sign your code. A trusted code signing certificate lets users check that your code has not been tampered with and that it really comes from you.
You can even go one step further by using an Extended Validation (EV) Code Signing certificate. It follows a stricter verification process, but it’s worth it for the extra perks, such as kernel-mode changes. This is helpful when distributing Linux binaries, drivers, or shell scripts.
Note: Unlike on Windows, code signing is not mandatory in the Linux environment; however, signing your code and safeguarding your users is worth it, right?
Learn how to verify the digital signature of a file in Linux.
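Here is what signing and verifying a script looks like end to end, as an added example (not code from this article): sign a release script with a private key, verify it with the public key, then change one line and watch verification fail. It uses only the openssl command line; the key file names, the script and the temp paths are constructed for the demo. The same flow with gpg --detach-sign and gpg --verify is the more common convention for Linux releases.

```sh
#!/bin/sh
# Added example: sign a shell script with an RSA key and verify it before use,
# the way a user would check a release you distribute. Not from the article;
# uses only the openssl command line. Key names, the script and temp paths are
# constructed for the demo.

# make_keypair DIR: create signing.key (private, keep it offline) and
# signing.pub (public, ship it with your releases) inside DIR
make_keypair() {
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$1/signing.key" 2>/dev/null
    openssl pkey -in "$1/signing.key" -pubout -out "$1/signing.pub" 2>/dev/null
}

# sign_file KEY FILE: write a detached SHA-256/RSA signature to FILE.sig
sign_file() {
    openssl dgst -sha256 -sign "$1" -out "$2.sig" "$2"
}

# verify_file PUB FILE: exit 0 only if FILE.sig was made over exactly these bytes
verify_file() {
    openssl dgst -sha256 -verify "$1" -signature "$2.sig" "$2" >/dev/null 2>&1
}

# signing_demo: sign a release script, verify it, then append one line and
# verify again. Prints "intact:ok tampered:rejected" when signing works.
signing_demo() {
    command -v openssl >/dev/null 2>&1 || { echo "openssl not installed"; return 2; }
    work=$(mktemp -d) || return 2
    make_keypair "$work"
    # constructed release script standing in for something you distribute
    printf '#!/bin/sh\necho "deploying release 1.0"\n' > "$work/deploy.sh"
    sign_file "$work/signing.key" "$work/deploy.sh"
    if verify_file "$work/signing.pub" "$work/deploy.sh"; then intact=ok; else intact=rejected; fi
    # any change after signing, even one appended line, must fail verification
    printf 'echo "one extra line"\n' >> "$work/deploy.sh"
    if verify_file "$work/signing.pub" "$work/deploy.sh"; then tampered=ok; else tampered=rejected; fi
    rm -rf "$work"
    echo "intact:$intact tampered:$tampered"
}

signing_demo
```

Ship signing.pub (or your certificate) through a channel separate from the download itself; a signature only proves something if the user already trusts the key that made it.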
3. SSH Authentication
Are you still logging in with passwords? Now is the time to change that. SSH key pairs are more secure and much harder to brute-force.
Also, disable root login over SSH. Let users log in as themselves and use sudo when they need elevated privileges.
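The two sshd_config settings this section is about are easy to get wrong because sshd takes the first match and treats a commented-out line as "use the default". This added example (not from the article) audits a config file for both settings, run here against a weak and a hardened sample that are constructed for the demo. The awk-based reader is mine and does not understand Match blocks; on a real host, sshd -T prints the effective values.

```sh
#!/bin/sh
# Added example: check an sshd_config for key-only authentication and no root
# login. Not from the article; the sample configs are constructed.

# effective_value CONFIG KEY: print KEY's value, honouring sshd's rule that the
# first match wins and that comment lines do not count
effective_value() {
    awk -v key="$2" '
        /^[[:space:]]*#/ { next }
        tolower($1) == tolower(key) { print $2; exit }
    ' "$1"
}

# audit_sshd CONFIG: print one token per finding, or "ok" when both are set
audit_sshd() {
    findings=""
    v=$(effective_value "$1" PasswordAuthentication)
    # sshd defaults to "yes" when the directive is missing or commented out
    case "${v:-yes}" in
        no) ;;
        *) findings="$findings PasswordAuthentication=${v:-yes}" ;;
    esac
    v=$(effective_value "$1" PermitRootLogin)
    # the default varies by OpenSSH release, so anything but an explicit "no" is flagged
    case "${v:-unset}" in
        no) ;;
        *) findings="$findings PermitRootLogin=${v:-unset}" ;;
    esac
    if [ -z "$findings" ]; then echo ok; else echo "${findings# }"; fi
}

# write_sample DEST weak|hardened: constructed configs for the demo
write_sample() {
    if [ "$2" = weak ]; then
        cat > "$1" <<'EOF'
# weak: the important line is commented out, so the default (yes) applies
Port 22
#PasswordAuthentication no
PermitRootLogin yes
EOF
    else
        cat > "$1" <<'EOF'
# hardened: keys only, no root over SSH
Port 22
PubkeyAuthentication yes
PasswordAuthentication no
PermitRootLogin no
EOF
    fi
}

audit_demo() {
    f=$(mktemp) || return 2
    write_sample "$f" weak;     weak=$(audit_sshd "$f")
    write_sample "$f" hardened; hard=$(audit_sshd "$f")
    rm -f "$f"
    echo "weak: $weak"
    echo "hardened: $hard"
}

audit_demo
```

When you apply the hardened settings for real, keep your current session open and test a fresh key-based login before reloading sshd, so a typo cannot lock you out.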
4. Minimalism
Every package or service you install adds risk. This doesn’t mean you should never try new apps; the point is to keep track of what is useful and what is just taking up space. You can disable or remove programs you are not using, such as Apache, PostgreSQL, or an FTP server. This not only reduces your attack surface but also frees up system resources.
5. Firewall
Firewalls aren’t just for enterprise networks; even a test server should have one. ufw (Uncomplicated Firewall) and firewalld are good tools. A firewall keeps your essential services reachable and blocks unwanted traffic.
Start with a default deny rule, then gradually allow what you need, such as SSH, HTTP, or HTTPS.
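The order of those ufw commands matters: set the deny default first, allow SSH before you enable the firewall (otherwise a remote session is cut off the moment it turns on), and only then add the web ports. This added example (not the article's code) wraps the real ufw commands in a small dry-run helper of my own so you can print the plan before applying it; nothing touches the firewall unless DRY_RUN=0 is set.

```sh
#!/bin/sh
# Added example (not the article's code): build the ufw rule sequence for a
# default-deny host. The ufw commands are real; the run/DRY_RUN wrapper and the
# service list are mine. Nothing is applied unless you set DRY_RUN=0.

# run CMD...: print the command (DRY_RUN=1, the default) or execute it
run() {
    if [ "${DRY_RUN:-1}" = 1 ]; then echo "$*"; else "$@"; fi
}

# firewall_plan SERVICE...: SERVICE is a name from /etc/services (http) or
# PORT/PROTO such as 80/tcp. Order matters: defaults first, SSH before enable.
firewall_plan() {
    for svc in "$@"; do
        case "$svc" in
            */tcp|*/udp|[A-Za-z]*) ;;
            *) echo "invalid service spec: $svc" >&2; return 1 ;;
        esac
    done
    run ufw default deny incoming   # nothing gets in unless allowed below
    run ufw default allow outgoing
    run ufw allow ssh               # before enable, or a remote session is cut off
    for svc in "$@"; do
        run ufw allow "$svc"
    done
    run ufw --force enable          # --force skips the interactive prompt
}

firewall_plan 80/tcp 443/tcp
```

Run it as is to see the plan, and as DRY_RUN=0 sh firewall.sh 80/tcp 443/tcp (as root) to apply it; ufw status verbose afterwards shows the active rules.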
6. Monitor File Changes
Attackers can sneak malicious scripts onto your system when you are not looking. Tools like AIDE (Advanced Intrusion Detection Environment) or Tripwire are built to tackle this threat by keeping track of unauthorized file modifications, which limits the damage when something changes unexpectedly.
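What AIDE and Tripwire do at their core is record a hash of every file and later compare the live tree against that record. This added example (not the article's, and not AIDE's code) does the same in plain shell with sha256sum on a small tree that is constructed in a temp directory, then makes three kinds of change (modify, add, delete) and reports each one.

```sh
#!/bin/sh
# Added example (not the article's code): the core of what AIDE and Tripwire do,
# in plain shell. Record a SHA-256 baseline of a tree, then later diff the live
# tree against it and report what changed, appeared or vanished. Needs sha256sum
# (GNU coreutils). The sample tree is constructed in a temp directory.

# baseline DIR OUT: hash every regular file under DIR into OUT, one per line
baseline() {
    (cd "$1" && find . -type f | LC_ALL=C sort |
        while IFS= read -r f; do sha256sum "$f"; done) > "$2"
}

# integrity_check DIR BASELINE: print "changed:", "added:" and "removed:" lines;
# prints nothing when the tree still matches BASELINE
integrity_check() {
    now=$(mktemp) || return 2
    baseline "$1" "$now"
    # sha256sum lines are "<hash>  <path>", so $1 is the hash and $2 the path
    # (paths containing spaces would need a different join; AIDE handles that)
    awk '
        FILENAME == ARGV[1] { old[$2] = $1; next }
        {
            if (!($2 in old))        print "added:" $2
            else if (old[$2] != $1)  print "changed:" $2
            seen[$2] = 1
        }
        END { for (p in old) if (!(p in seen)) print "removed:" p }
    ' "$2" "$now" | LC_ALL=C sort
    rm -f "$now"
}

# integrity_demo: build a small tree, take the baseline, make three kinds of
# change, then run the check. Prints one line per change.
integrity_demo() {
    root=$(mktemp -d) || return 2
    base=$(mktemp) || return 2
    mkdir -p "$root/etc" "$root/bin"
    printf 'PermitRootLogin no\n' > "$root/etc/sshd_config"
    printf '#!/bin/sh\necho backup\n' > "$root/bin/backup.sh"
    baseline "$root" "$base"
    printf 'echo extra\n' >> "$root/bin/backup.sh"     # modified in place
    printf '#!/bin/sh\n' > "$root/bin/cron-helper.sh"  # new, unexpected file
    rm "$root/etc/sshd_config"                         # deleted
    integrity_check "$root" "$base"
    rm -rf "$root" "$base"
}

integrity_demo
```

The check is only as trustworthy as the baseline: keep it (and the tool that reads it) somewhere the monitored host cannot rewrite, which is why AIDE's documentation recommends storing its database off the box or on read-only media.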
7. Enable AppArmor or SELinux
AppArmor and SELinux are Mandatory Access Control (MAC) systems. They control what applications can do (even when they’re compromised), adding an extra layer of protection to your system. The initial set-up is a little tricky, but the security benefits are worth the effort.
8. Use Full Disk Encryption (FDE)
In the event of a data breach, disk encryption can be a lifesaver: attackers may get hold of the data, but they can’t use it.
You can use tools like LUKS or dm-crypt for FDE.
Bonus Tip
Never give every user or script full access to your system. For example, your web server doesn’t need write access to system folders, and your deployment tool doesn’t need root. The simple practice of assigning permissions carefully reduces the risk of your system being hijacked.
Tip: Using groups, roles, and ACLs (Access Control Lists) is good practice.
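A quick way to find the opposite of careful permissions is to look for anything on the box that every local user can write to. This added example (not the article's code) audits a tree for world-writable files and directories, skipping sticky drop boxes like /tmp where that is intentional, and then removes the bit. The sample tree, with a 666 config file and a 777 web root as the two mistakes, is constructed in a temp directory.

```sh
#!/bin/sh
# Added example (not the article's code): audit a tree for anything that any
# user on the host can write to, and strip that bit. World-writable system
# folders are exactly how a web server or deploy script ends up able to modify
# things it never needed. The sample tree is constructed in a temp directory.

# world_writable DIR: list paths under DIR that "other" can write, relative to
# DIR. Symlinks are skipped, and so are sticky directories (the /tmp pattern),
# where world-write is intentional and entries stay owned by their creator.
world_writable() {
    (cd "$1" && find . -perm -o+w ! -type l ! \( -type d -perm -1000 \) | LC_ALL=C sort)
}

# strip_other_write DIR: remediation for everything the audit above flags
strip_other_write() {
    (cd "$1" && find . -perm -o+w ! -type l ! \( -type d -perm -1000 \) -exec chmod o-w {} +)
}

# make_sample_tree DIR: a constructed mini filesystem with two mistakes in it
make_sample_tree() {
    mkdir -p "$1/var/www" "$1/etc" "$1/uploads"
    printf '<h1>hi</h1>\n' > "$1/var/www/index.html"
    printf 'db_password=example\n' > "$1/etc/app.conf"
    chmod 644 "$1/var/www/index.html"
    chmod 666 "$1/etc/app.conf"   # mistake: any local user can rewrite the config
    chmod 777 "$1/var/www"        # mistake: any local user can plant files
    chmod 1777 "$1/uploads"       # sticky drop box, deliberately world-writable
}

# permissions_demo: show the findings, fix them, show that nothing is left
permissions_demo() {
    root=$(mktemp -d) || return 2
    make_sample_tree "$root"
    echo "before:"; world_writable "$root"
    strip_other_write "$root"
    echo "after:";  world_writable "$root"
    rm -rf "$root"
}

permissions_demo
```

Point world_writable at / (as root, and expect a longer list) to get a starting inventory; review it before running strip_other_write, since a few packages create world-writable paths on purpose.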
Last Notes
Linux is known as the most secure open-source operating system out there, but that doesn’t make it unhackable. A single small vulnerability is enough for attackers to hijack your system.
Remember, outdated systems are the most vulnerable ones, so keep up with the latest developments. Take this checklist as your starting point to ensure a safe dev environment for yourself.
