Linux is renowned for its robust security architecture, powering everything from personal laptops to enterprise servers and embedded systems. However, secure by design does not mean secure by default—proper configuration, proactive maintenance, and a solid understanding of core security principles are critical to safeguarding Linux systems. This blog serves as a foundational guide to Linux security, breaking down essential concepts, key terminology, practical tools, and best practices. Whether you’re a system administrator, developer, or Linux enthusiast, mastering these basics will help you build a security-first mindset and protect your systems from common threats.
Table of Contents
- Core Concepts of Linux Security
- Key Security Terms
- Essential Security Tools & Usage Methods
- Common Security Practices
- Best Practices for Advanced Security
- Conclusion
- References
Core Concepts of Linux Security
1. Least Privilege
The principle of least privilege states that users, processes, and applications should only have the minimum access required to perform their tasks. For example:
- A regular user should not have root (administrative) access unless explicitly needed.
- A web server process (e.g., nginx) should run as a non-privileged user (e.g., www-data) instead of root.
This limits the damage an attacker can cause if a user account or process is compromised.
2. Defense in Depth
Defense in depth (or “layered security”) involves implementing multiple overlapping security controls to protect against failures in any single layer. For example:
- A firewall blocks unauthorized network traffic.
- File permissions restrict access to sensitive data.
- Intrusion detection systems (IDS) monitor for suspicious activity.
Even if one layer fails (e.g., a firewall misconfiguration), others (e.g., file permissions) can still prevent a breach.
3. Principle of Least Astonishment
Systems should behave in ways that are predictable and intuitive to users/administrators. For example:
- A file labeled “confidential” should not be world-readable by default.
- A service like telnet (insecure) should not be enabled unless explicitly configured.
This reduces human error and makes security violations easier to detect.
4. Security by Design vs. Security by Obscurity
- Security by design: Building security into the system from the start (e.g., Linux’s permission model, built-in user separation).
- Security by obscurity: Relying on hiding vulnerabilities (e.g., using non-standard ports for SSH without hardening the service).
Linux prioritizes security by design, but obscurity alone is never sufficient—always combine it with proactive controls.
Key Security Terms
1. Permissions (ugo/rwx)
Linux uses a file permission system to control access to files and directories. Permissions are defined for three categories:
- User (u): The owner of the file.
- Group (g): Users belonging to the file’s group.
- Others (o): All other users on the system.
Each category has three permissions:
- Read (r): View the file’s content (numeric value: 4).
- Write (w): Modify or delete the file (numeric value: 2).
- Execute (x): Run the file as a program/script (numeric value: 1).
Example: A file with permissions -rw-r--r-- means:
- User: Read + Write (rw- = 6).
- Group: Read-only (r-- = 4).
- Others: Read-only (r-- = 4).
2. Users and Groups
Linux is a multi-user OS, and security starts with strict user management:
- Root: The superuser with unrestricted access to the system. Avoid using root for daily tasks.
- Regular Users: Limited-privilege accounts for day-to-day use.
- Service Users: Non-interactive accounts (e.g., www-data, mysql) for running services, with minimal permissions.
- Groups: Collections of users to simplify permission management (e.g., a developers group for shared project files).
3. Sudo vs. Su
- su (switch user): Allows switching to another user (e.g., su root). Requires the target user’s password and grants full access.
- sudo (superuser do): Executes a single command with elevated privileges (e.g., sudo apt update). Configured via /etc/sudoers, it limits root access to specific commands for specific users, reducing risk.
4. Firewalls
A firewall controls incoming/outgoing network traffic based on rules. Linux offers two primary firewall tools:
- iptables: A low-level, rule-based firewall (complex but highly customizable).
- ufw (Uncomplicated Firewall): A user-friendly frontend for iptables (ideal for beginners).
5. SSH (Secure Shell)
SSH is a protocol for secure remote access to Linux systems, replacing insecure tools like telnet or ftp. It encrypts data in transit and supports authentication via passwords or (preferred) cryptographic keys.
6. SELinux/AppArmor
- SELinux (Security-Enhanced Linux): A mandatory access control (MAC) system (used by Red Hat, CentOS) that enforces fine-grained policies beyond standard Linux permissions.
- AppArmor: A simpler MAC system (used by Ubuntu, Debian) that restricts programs to predefined resources (e.g., limiting nginx to read-only access to /var/www).
7. Vulnerabilities and Exploits
- Vulnerability: A weakness in software/hardware (e.g., an unpatched bug in OpenSSL).
- Exploit: A tool or code that takes advantage of a vulnerability to gain unauthorized access (e.g., a script that leverages a buffer overflow).
8. Patches and Updates
Patches are fixes for vulnerabilities. Regularly updating software (e.g., with apt upgrade or dnf update) is critical to closing security gaps.
Essential Security Tools & Usage Methods
1. Managing Users and Groups
Proper user/group management is the first line of defense.
Common Commands:
# Create a new user (with home directory and bash shell)
sudo useradd -m -s /bin/bash johndoe
# Set a password for the user
sudo passwd johndoe
# Add user to a group (e.g., "sudo" for admin privileges)
sudo usermod -aG sudo johndoe
# Create a group
sudo groupadd developers
# Delete a user (and their home directory)
sudo userdel -r johndoe
2. File Permissions
Use chmod, chown, and chgrp to manage access to files/directories.
Examples:
# Grant read/write/execute to user, read/execute to group, read-only to others (754)
chmod 754 script.sh
# Owner read/write, read-only for group and others (644)
chmod 644 document.txt
# Change owner to "johndoe" and group to "developers"
chown johndoe:developers project.pdf
# Restrict SSH private key (critical for security!)
chmod 600 ~/.ssh/id_rsa
3. Firewall Configuration with UFW
ufw simplifies firewall management:
# Enable UFW
sudo ufw enable
# Deny all incoming traffic by default
sudo ufw default deny incoming
# Allow outgoing traffic by default
sudo ufw default allow outgoing
# Allow SSH (port 22) and HTTP (port 80)
sudo ufw allow 22/tcp
sudo ufw allow 80/tcp
# Check status
sudo ufw status verbose
4. SSH Hardening
Secure SSH to prevent brute-force attacks and unauthorized access:
Step 1: Disable password authentication (use SSH keys instead)
Edit /etc/ssh/sshd_config:
sudo nano /etc/ssh/sshd_config
Set:
PasswordAuthentication no
PubkeyAuthentication yes
PermitRootLogin no # Disable direct root login
MaxAuthTries 3 # Limit login attempts
Step 2: Restart SSH service
sudo systemctl restart sshd
Step 3: Generate SSH keys (client-side)
ssh-keygen -t ed25519 # Use Ed25519 (more secure than RSA)
ssh-copy-id johndoe@remote-server # Copy public key to server
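Editing sshd_config by hand is where hardening quietly goes wrong, so it pays to verify what the file actually says. This is an added example, not code from the original post; audit_sshd_config is a hypothetical helper name, and the sample config it runs on is constructed.

```shell
#!/bin/sh
# audit_sshd_config FILE: check the hardening directives from the post against
# the values actually set in an sshd_config. Added example, not from the
# original post; audit_sshd_config is a hypothetical helper name.
# Parsing rules this must get right (they are the usual audit pitfalls):
#   - keywords are case-insensitive ("passwordauthentication No" counts);
#   - a '#'-commented line only documents a default, so a missing directive
#     is reported as unset rather than assumed safe;
#   - sshd honours the FIRST occurrence of a directive, later ones are ignored.
# For the effective config including Match blocks, compare with `sshd -T`.
audit_sshd_config() {
    file=$1 failures=0
    for pair in PasswordAuthentication=no PubkeyAuthentication=yes \
                PermitRootLogin=no MaxAuthTries=3; do
        key=${pair%%=*} want=${pair#*=}
        lkey=$(printf '%s' "$key" | tr 'A-Z' 'a-z')
        got=$(awk -v k="$lkey" '$0 !~ /^[ \t]*#/ && tolower($1) == k { print $2; exit }' "$file")
        if [ -z "$got" ]; then
            echo "WARN $key is unset (compiled-in default applies)"
            failures=$((failures + 1))
        elif [ "$key" = MaxAuthTries ] && [ "$got" -le "$want" ] 2>/dev/null; then
            echo "OK   $key = $got"
        elif [ "$(printf '%s' "$got" | tr 'A-Z' 'a-z')" = "$want" ]; then
            echo "OK   $key = $got"
        else
            echo "FAIL $key is '$got', expected '$want'"
            failures=$((failures + 1))
        fi
    done
    return "$failures"
}

# Constructed sample showing all three pitfalls above.
sample=$(mktemp)
cat > "$sample" <<'EOF'
#PasswordAuthentication no
PubkeyAuthentication yes
permitrootlogin prohibit-password
MaxAuthTries 3
MaxAuthTries 10
EOF
audit_sshd_config "$sample" || echo "$? directive(s) need attention"
rm -f "$sample"
```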
5. Log Monitoring
Logs track system activity (e.g., login attempts, service failures). Key logs:
- /var/log/auth.log: Authentication events (e.g., SSH logins).
- /var/log/syslog: General system messages.
- Use journalctl for systemd-based systems (e.g., journalctl -u sshd to view SSH logs).
Example: Monitor real-time SSH login attempts:
tail -f /var/log/auth.log | grep "sshd"
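Watching the raw stream is a start; the next step is to summarise it. The following is an added example, not code from the original post: ssh_login_report is a hypothetical helper, and the log lines it is fed are constructed in the auth.log format with RFC 5737 documentation addresses.

```shell
#!/bin/sh
# ssh_login_report [THRESHOLD]: read auth.log lines on stdin and report
#   FAILED <n> <ip>                sources with at least THRESHOLD failed logins
#   ALERT success from <ip> ...    a login that SUCCEEDED from such a source,
#                                  the event that deserves immediate attention
# Added example, not from the original post; the function name and the log
# lines below are constructed. The "invalid user" variant of sshd's message
# shifts the fields, so the source address is located by the word "from".
ssh_login_report() {
    awk -v t="${1:-3}" '
        function src(i) { for (i = 1; i <= NF; i++) if ($i == "from") return $(i + 1); return "" }
        /sshd\[[0-9]+\]: Failed password for/ { fails[src()]++ }
        /sshd\[[0-9]+\]: Accepted (password|publickey) for/ {
            ip = src(); if (fails[ip] >= t) alert[ip] = fails[ip]
        }
        END {
            for (ip in fails) if (fails[ip] >= t) print "FAILED", fails[ip], ip
            for (ip in alert) print "ALERT success from", ip, "after", alert[ip], "failures"
        }' | sort
}

# Constructed sample in /var/log/auth.log format (RFC 5737 test addresses).
SAMPLE_LOG='Jan 10 10:00:01 host sshd[1001]: Failed password for invalid user admin from 203.0.113.7 port 40001 ssh2
Jan 10 10:00:03 host sshd[1002]: Failed password for root from 203.0.113.7 port 40002 ssh2
Jan 10 10:00:05 host sshd[1003]: Failed password for johndoe from 203.0.113.7 port 40003 ssh2
Jan 10 10:00:09 host sshd[1004]: Accepted password for johndoe from 203.0.113.7 port 40004 ssh2
Jan 10 10:01:00 host sshd[1005]: Failed password for johndoe from 198.51.100.4 port 50001 ssh2
Jan 10 10:01:30 host sshd[1006]: Accepted publickey for johndoe from 192.0.2.10 port 60001 ssh2'

printf '%s\n' "$SAMPLE_LOG" | ssh_login_report 3
```

On a live host the same function reads `/var/log/auth.log` or the output of `journalctl -u sshd --no-pager` on stdin.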
Common Security Practices
1. Regular Updates
Outdated software is a top attack vector. Automate updates with cron jobs or tools like unattended-upgrades (Debian/Ubuntu):
# Install unattended-upgrades
sudo apt install unattended-upgrades
# Enable automatic updates
sudo dpkg-reconfigure -plow unattended-upgrades
2. Strong Password Policies
Enforce complex passwords using pam_pwquality (PAM module). Edit /etc/security/pwquality.conf:
minlen = 12 # Minimum password length
dcredit = -1 # Require at least 1 digit
ucredit = -1 # Require at least 1 uppercase letter
lcredit = -1 # Require at least 1 lowercase letter
ocredit = -1 # Require at least 1 special character
3. Disable Unused Services
Every running service is a potential target. Stop and disable unnecessary services:
# List running services
sudo systemctl list-units --type=service --state=running
# Disable a service (e.g., telnet)
sudo systemctl stop telnet
sudo systemctl disable telnet
4. Limit Sudo Access
Restrict sudo privileges to trusted users only. Edit /etc/sudoers with visudo (safer than direct editing):
sudo visudo
Add:
# Allow "johndoe" to run only apt and systemctl commands
johndoe ALL=(ALL) /usr/bin/apt, /usr/bin/systemctl
5. Backup Data
Regular backups ensure recovery from ransomware, hardware failure, or human error. Use tools like rsync or borgbackup:
# Backup /home to an external drive
rsync -av /home /mnt/backup-drive
Best Practices for Advanced Security
1. Enable SELinux/AppArmor
- SELinux: Set to enforcing mode (Red Hat/CentOS):
sudo setenforce 1
sudo sed -i 's/SELINUX=permissive/SELINUX=enforcing/' /etc/selinux/config
- AppArmor: Enable profiles for critical services (Ubuntu/Debian):
sudo aa-enforce /etc/apparmor.d/usr.sbin.nginx
2. Two-Factor Authentication (2FA)
Add an extra layer of security to SSH with 2FA using google-authenticator:
# Install the PAM module
sudo apt install libpam-google-authenticator
# Configure for a user
google-authenticator
Edit /etc/pam.d/sshd to require 2FA:
auth required pam_google_authenticator.so
3. File Integrity Monitoring (FIM)
Tools like AIDE (Advanced Intrusion Detection Environment) monitor system files for unauthorized changes:
# Initialize AIDE database
sudo aideinit
# Check for changes
sudo aide --check
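What aideinit and aide --check do under the hood is a baseline-and-compare over file digests. The following is an added example, not code from the original post and not AIDE's database format; fim_init and fim_check are hypothetical helper names, and the demo runs on a constructed temporary tree.

```shell
#!/bin/sh
# Minimal file-integrity monitor in the spirit of AIDE: record a baseline of
# SHA-256 digests, then compare the live tree against it and classify each
# difference as ADDED, MODIFIED or REMOVED. Added example, not from the post
# and not AIDE's database format; fim_init/fim_check are hypothetical names.
# Limitation: paths containing whitespace are not handled (AIDE handles them).

fim_init() {   # fim_init DIR BASELINE_FILE
    # Sorted NUL-separated walk, so the baseline is reproducible.
    (cd "$1" && find . -type f -print0 | sort -z | xargs -0 sha256sum) > "$2"
}

fim_check() {  # fim_check DIR BASELINE_FILE -> prints drift, returns 1 if any
    current=$(mktemp)
    fim_init "$1" "$current"
    # First file is the baseline (path -> digest); second is the live tree.
    result=$(awk '
        FILENAME == ARGV[1] { base[$2] = $1; next }
        {
            if (!($2 in base))        printf "%-8s %s\n", "ADDED", $2
            else if (base[$2] != $1)  printf "%-8s %s\n", "MODIFIED", $2
            seen[$2] = 1
        }
        END { for (p in base) if (!(p in seen)) printf "%-8s %s\n", "REMOVED", p }
    ' "$2" "$current" | sort)
    rm -f "$current"
    [ -n "$result" ] && printf '%s\n' "$result"
    [ -z "$result" ]
}

# Stand-alone demo on a constructed temporary tree.
demo=$(mktemp -d); baseline=$(mktemp)
printf 'hello\n' > "$demo/a.txt"; printf 'world\n' > "$demo/b.txt"
fim_init "$demo" "$baseline"
printf 'tampered\n' > "$demo/a.txt"; rm "$demo/b.txt"; printf 'new\n' > "$demo/c.txt"
fim_check "$demo" "$baseline" || echo "drift detected"
rm -rf "$demo" "$baseline"
```

The check is only as trustworthy as the baseline, which is why a real deployment stores it where the monitored host cannot rewrite it.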
4. Network Segmentation
Isolate critical systems (e.g., databases) from public-facing servers (e.g., web servers) using firewalls or VLANs. For example, restrict database access to the web server’s IP only:
sudo ufw allow from 192.168.1.100 to any port 3306 # Allow MySQL from web server
Conclusion
Linux security is an ongoing journey, not a one-time task. By mastering core concepts like least privilege and defense in depth, familiarizing yourself with tools like ufw and ssh-keygen, and adopting practices like regular updates and 2FA, you can significantly reduce your attack surface.
Start with the basics, then layer in advanced controls like SELinux or FIM as your expertise grows. Remember: the goal is not perfection, but resilience—building systems that can withstand and recover from threats.