Secure Your Linux System: A Beginner’s Security Checklist

When it comes to securing your Linux system, the journey can seem daunting, especially for beginners. However, Linux is renowned for its security features, and with a few systematic steps, even newcomers can create a robust defense against malicious attacks. This comprehensive guide will walk you through a beginner-friendly checklist to secure your Linux system, covering everything from basic configurations to more advanced practices.

1. Introduction to Linux Security

Linux is considered more secure than many other operating systems, thanks to its open-source nature and strong user permissions model. Still, out-of-the-box installations are not invulnerable. A secure Linux system is one that is properly configured, regularly updated, and closely monitored.

Security on Linux involves several key principles:

  • Least Privilege: Users and programs should operate with the least amount of privilege necessary.
  • Defense in Depth: Employ multiple layers of defense.
  • Regular Updates: Always keep your system patched.
  • Logging and Monitoring: Know what is happening on your system.

2. Initial System Setup

2.1 Choose a Secure Distribution

Some Linux distributions are more security-focused out of the box. Consider distributions like Ubuntu LTS, Debian, Fedora, or CentOS. For hardened security, you might look at Qubes OS or Kali Linux (for penetration testing).

2.2 Verify ISO Integrity

Before installing any Linux distribution, verify the ISO image using checksums (MD5, SHA256) or GPG signatures to ensure you are not installing a tampered version.

sha256sum ubuntu-22.04.iso

2.3 Partitioning Scheme

Create separate partitions for /home, /var, and /tmp. This limits the damage in case one partition is compromised.

2.4 Disable Unnecessary Services

Use tools like systemctl or chkconfig to disable services you don’t use.

systemctl disable bluetooth.service

3. User Management and Permissions

3.1 Create a Non-Root User

Avoid logging in as the root user. Use sudo to perform administrative tasks.

adduser username
usermod -aG sudo username

3.2 Enforce Strong Password Policies

Install and configure libpam-pwquality.

sudo apt install libpam-pwquality

Edit /etc/pam.d/common-password to enforce complexity.

3.3 Use File Permissions Wisely

Understand and apply the correct permissions:

chmod 700 filename
chown user:group filename

3.4 Disable Root Login

Edit the SSH configuration file:

sudo nano /etc/ssh/sshd_config
PermitRootLogin no

4. Software Management and Updates

4.1 Enable Automatic Updates

Use unattended-upgrades on Debian-based systems.

sudo apt install unattended-upgrades

4.2 Use Official Repositories

Avoid third-party PPAs unless absolutely necessary. Always prefer official and verified repositories.

4.3 Remove Unused Packages

Reduce the attack surface by uninstalling unnecessary packages.

sudo apt purge package-name

5. Firewall Configuration

5.1 Use UFW (Uncomplicated Firewall)

Install and configure UFW:

sudo apt install ufw
sudo ufw enable
sudo ufw default deny incoming
sudo ufw default allow outgoing

Allow only necessary ports:

sudo ufw allow ssh
sudo ufw allow 80/tcp

5.2 Advanced Firewall Rules

For more complex rules, consider using iptables or nftables.

6. Securing SSH Access

6.1 Change Default Port

Changing the default SSH port helps obscure access:

sudo nano /etc/ssh/sshd_config
Port 2222

6.2 Use Key-Based Authentication

Generate SSH keys:

ssh-keygen -t rsa -b 4096

Copy key to remote server:

ssh-copy-id user@hostname

6.3 Limit Login Attempts

Install and configure fail2ban:

sudo apt install fail2ban

7. Monitoring and Logging

7.1 Use Logwatch or Logrotate

Automatically monitor and rotate logs to manage disk space and review system activity.

sudo apt install logwatch

7.2 Monitor Login Attempts

Review login logs:

cat /var/log/auth.log

7.3 Use Auditd for System Auditing

Install audit daemon:

sudo apt install auditd

8. Disk Encryption and Data Protection

8.1 Encrypt Partitions

Use LUKS (Linux Unified Key Setup) during installation or later with cryptsetup.

8.2 Encrypt Swap Space

Encrypt swap to prevent memory dumps from being read.

8.3 Backup Regularly

Use tools like rsync, Deja Dup, or Timeshift to automate and schedule backups.

9. Using Security Tools

9.1 ClamAV

Install an antivirus scanner:

sudo apt install clamav

9.2 RKHunter (Rootkit Hunter)

Scan for rootkits:

sudo apt install rkhunter
sudo rkhunter --check

9.3 Lynis

Perform a full security audit:

sudo apt install lynis
sudo lynis audit system

10. Regular Audits and Maintenance

10.1 Patch Management

Make a routine to check and apply updates.

sudo apt update && sudo apt upgrade

10.2 Review User Accounts

Remove or disable unused accounts regularly.

10.3 File Integrity Monitoring

Use tools like AIDE (Advanced Intrusion Detection Environment).

sudo apt install aide
sudo aideinit

11. Conclusion

Securing a Linux system is not a one-time task, but an ongoing process. This checklist provides a solid foundation for beginners. As you grow more comfortable with Linux, delve deeper into advanced topics like SELinux, AppArmor, container security, and kernel hardening. The goal is to develop a proactive security mindset—anticipate vulnerabilities, understand attack vectors, and always be one step ahead.

Stay informed, stay updated, and most importantly, stay secure.

This article is part of the Beginner’s Linux Security Series. For more in-depth guides and expert tips, subscribe to our newsletter or follow our blog updates.