6 ways to harden your Linux workstation security
| Introduction | As I said before, safety is like driving on the highway - anyone who drives slower than you is an idiot, and anyone who drives faster than you is a lunatic. The guidelines presented in this article are just a basic set of core safety rules. They are not comprehensive and do not replace experience, caution, and common sense. You should slightly adjust these suggestions to fit the context of your organization. |
For every system administrator, here are some necessary steps that should be taken:
- 1. Always disable Firewire and Thunderbolt modules.
- 2. Check the firewall to ensure that all inbound ports have been filtered.
- 3. Make sure root mail is forwarded to the account you verified.
- 4. Set up an automatic update schedule for the operating system, or update reminder content.
Additionally, you should also consider some of these best steps to take to further harden your system:
- 1. Check to make sure the sshd service is disabled by default.
- 2. Set the screen saver to automatically lock after a period of inactivity.
- 3. Install logwatch.
- 4. Install and use rkhunter
- 5. Install an intrusion detection system
1. Add relevant modules to the blacklist
To blacklist Firewire and Thunderbolt modules, add the following lines to the file in /etc/modprobe.d/blacklist-dma.conf:
blacklist firewire-core blacklist thunderbolt
Once the system is restarted, the above modules will be blacklisted. Even if you don't have these ports, there's no harm in doing this.
2. root emailBy default, root mail is stored entirely on the system and is often never read. Make sure you set up /etc/aliases to forward root mail to the mailbox you actually read, otherwise you risk missing important system notifications and reports:
# Person who should get root’s mail root: [email protected]
After editing this, run newaliases and test it to make sure the email was actually delivered, as some email providers will reject email from domain names that don't exist or cannot be routed. If this is the case, you'll need to adjust your mail forwarding configuration until this actually works.
3. Firewall, sshd and listening daemonThe default firewall settings will depend on your distribution, but many allow inbound sshd ports. Unless you have a good and valid reason to allow inbound ssh, this should be filtered out and the sshd daemon disabled.
systemctl disable sshd.service systemctl stop sshd.service
You can always enable it temporarily if you need to use it.
Generally speaking, your system should not have any listening ports other than responding to pings. This will help you protect against zero-day vulnerabilities at the network level.
4. Automatic updates or notificationsIt is recommended to turn on automatic updates unless you have a very good reason not to do so, such as worrying that automatic updates will render your system unusable (this has happened before, so this worry is not unfounded). At the very least, you should enable automatic notification of available updates. Most distributions already have this service run automatically for you, so you most likely won't have to do anything. Check your distribution's documentation to learn more.
5. View logYou should pay close attention to all activity that occurs on your system. For this reason, logwatch should be installed and configured to send nightly activity reports indicating everything that is happening on the system. This won't protect against dedicated attackers, but it's a good safety net feature that needs to be deployed.
Please note: Many systemd distributions no longer automatically install the syslog server required by logwatch (that is due to systemd relying on its own logs), so you need to install and enable rsyslog and make sure /var/log is not available before logwatch has any use empty.
6. rkhunter and IDSUnless you actually understand how it works and have taken the necessary steps to set it up properly (such as placing the database on external media, running checks from a trusted environment, and remembering to update the hash database after performing system updates and configuration changes) , etc.), otherwise installing rkhunter and an intrusion detection system (IDS) like aide or tripwire is not very useful. If you're not willing to take these steps and adjust the way you perform tasks on your workstation, these tools will only cause trouble without any real security benefit.
We do recommend that you install rkhunter and run it at night. It's fairly easy to learn and use; while it won't catch clever attackers, it can help you catch your own mistakes.
Original title: 9 Ways to Harden Your Linux Workstation After Distro Installation, author: Konstantin Ryabitsev
The above is the detailed content of 6 ways to harden your Linux workstation security. For more information, please follow other related articles on the PHP Chinese website!
What are the main tasks of a Linux system administrator?Apr 19, 2025 am 12:23 AMThe main tasks of Linux system administrators include system monitoring and performance tuning, user management, software package management, security management and backup, troubleshooting and resolution, performance optimization and best practices. 1. Use top, htop and other tools to monitor system performance and tune it. 2. Manage user accounts and permissions through useradd commands and other commands. 3. Use apt and yum to manage software packages to ensure system updates and security. 4. Configure a firewall, monitor logs, and perform data backup to ensure system security. 5. Troubleshoot and resolve through log analysis and tool use. 6. Optimize kernel parameters and application configuration, and follow best practices to improve system performance and stability.
Is it hard to learn Linux?Apr 18, 2025 am 12:23 AMLearning Linux is not difficult. 1.Linux is an open source operating system based on Unix and is widely used in servers, embedded systems and personal computers. 2. Understanding file system and permission management is the key. The file system is hierarchical, and permissions include reading, writing and execution. 3. Package management systems such as apt and dnf make software management convenient. 4. Process management is implemented through ps and top commands. 5. Start learning from basic commands such as mkdir, cd, touch and nano, and then try advanced usage such as shell scripts and text processing. 6. Common errors such as permission problems can be solved through sudo and chmod. 7. Performance optimization suggestions include using htop to monitor resources, cleaning unnecessary files, and using sy
What is the salary of Linux administrator?Apr 17, 2025 am 12:24 AMThe average annual salary of Linux administrators is $75,000 to $95,000 in the United States and €40,000 to €60,000 in Europe. To increase salary, you can: 1. Continuously learn new technologies, such as cloud computing and container technology; 2. Accumulate project experience and establish Portfolio; 3. Establish a professional network and expand your network.
What is the main purpose of Linux?Apr 16, 2025 am 12:19 AMThe main uses of Linux include: 1. Server operating system, 2. Embedded system, 3. Desktop operating system, 4. Development and testing environment. Linux excels in these areas, providing stability, security and efficient development tools.
Does the internet run on Linux?Apr 14, 2025 am 12:03 AMThe Internet does not rely on a single operating system, but Linux plays an important role in it. Linux is widely used in servers and network devices and is popular for its stability, security and scalability.
What are Linux operations?Apr 13, 2025 am 12:20 AMThe core of the Linux operating system is its command line interface, which can perform various operations through the command line. 1. File and directory operations use ls, cd, mkdir, rm and other commands to manage files and directories. 2. User and permission management ensures system security and resource allocation through useradd, passwd, chmod and other commands. 3. Process management uses ps, kill and other commands to monitor and control system processes. 4. Network operations include ping, ifconfig, ssh and other commands to configure and manage network connections. 5. System monitoring and maintenance use commands such as top, df, du to understand the system's operating status and resource usage.
Boost Productivity with Custom Command Shortcuts Using Linux AliasesApr 12, 2025 am 11:43 AMIntroduction Linux is a powerful operating system favored by developers, system administrators, and power users due to its flexibility and efficiency. However, frequently using long and complex commands can be tedious and er
What is Linux actually good for?Apr 12, 2025 am 12:20 AMLinux is suitable for servers, development environments, and embedded systems. 1. As a server operating system, Linux is stable and efficient, and is often used to deploy high-concurrency applications. 2. As a development environment, Linux provides efficient command line tools and package management systems to improve development efficiency. 3. In embedded systems, Linux is lightweight and customizable, suitable for environments with limited resources.
Hot AI Tools
Undresser.AI Undress
AI-powered app for creating realistic nude photos
AI Clothes Remover
Online AI tool for removing clothes from photos.
Undress AI Tool
Undress images for free
Clothoff.io
AI clothes remover
Video Face Swap
Swap faces in any video effortlessly with our completely free AI face swap tool!
Hot Article
Hot Tools
SecLists
SecLists is the ultimate security tester's companion. It is a collection of various types of lists that are frequently used during security assessments, all in one place. SecLists helps make security testing more efficient and productive by conveniently providing all the lists a security tester might need. List types include usernames, passwords, URLs, fuzzing payloads, sensitive data patterns, web shells, and more. The tester can simply pull this repository onto a new test machine and he will have access to every type of list he needs.
DVWA
Damn Vulnerable Web App (DVWA) is a PHP/MySQL web application that is very vulnerable. Its main goals are to be an aid for security professionals to test their skills and tools in a legal environment, to help web developers better understand the process of securing web applications, and to help teachers/students teach/learn in a classroom environment Web application security. The goal of DVWA is to practice some of the most common web vulnerabilities through a simple and straightforward interface, with varying degrees of difficulty. Please note that this software
SAP NetWeaver Server Adapter for Eclipse
Integrate Eclipse with SAP NetWeaver application server.
MinGW - Minimalist GNU for Windows
This project is in the process of being migrated to osdn.net/projects/mingw, you can continue to follow us there. MinGW: A native Windows port of the GNU Compiler Collection (GCC), freely distributable import libraries and header files for building native Windows applications; includes extensions to the MSVC runtime to support C99 functionality. All MinGW software can run on 64-bit Windows platforms.
Safe Exam Browser
Safe Exam Browser is a secure browser environment for taking online exams securely. This software turns any computer into a secure workstation. It controls access to any utility and prevents students from using unauthorized resources.
