6 Good security practices every Linux admin must follow

last updated in Categories RedHat/Fedora Linux, Security, Suse Linux, Sys admin, Tips, Ubuntu Linux

Here is my own good security practices list to make Linux system safe.


(1) Always keep the system up to date. Apply all patches, especially security updates. Use the up2date, yum, or apt-get update commands to apply security updates.

(2) The default firewall policy should be: close all doors, open only the required windows. Run iptables or ipf to block unwanted traffic, IPs, and unused ports.

(3) Never log in as root; always use sudo. Disable root access for SSH and FTP sessions (the default).

(4) Do not run any Perl or other executable code on a production system as root. Always test downloaded code locally first and verify it with an md5 checksum.

(5) Take advantage of SELinux (Security-Enhanced Linux), which enables mandatory access control. It is also recommended that you install an anti-virus/anti-spam program such as ClamAV on all mail servers (or purchase a third-party AV/anti-spam solution).

(6) Finally, run all important services in a chrooted jail environment.
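An added example (not from the original post) that turns tips (2) and (3) into something you can run: a shell helper that prints a default-deny iptables ruleset (it assumes SSH on port 22 and HTTP on port 80 are the only "windows" left open) and a check that reports whether a given sshd_config still permits root logins. The ruleset is only printed, never applied, and the demo runs on a constructed sample config.

```shell
#!/bin/sh
# Added example (not from the original post): helpers for tips (2) and (3).
# default_deny_ruleset only PRINTS iptables commands; nothing is applied.
# Assumption: SSH (22) and HTTP (80) are the only "windows" left open.
default_deny_ruleset() {
    cat <<'EOF'
iptables -F
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
EOF
}

# Exit 0 only if the given sshd_config disables root logins outright
# ("PermitRootLogin no"). sshd honours the first occurrence of a directive,
# so only the first uncommented line counts; a missing directive falls back
# to the OpenSSH default, which is not "no", so it is reported as permitted.
# Match blocks are not evaluated (a simplification of this example).
sshd_root_login_disabled() {
    value=$(grep -i '^[[:space:]]*PermitRootLogin[[:space:]]' "$1" \
            | head -n 1 | awk '{print tolower($2)}')
    [ "$value" = "no" ]
}

# Stand-alone demo on a constructed sshd_config (sample data, not a real file).
demo() {
    tmp=$(mktemp)
    printf '# sample\nPort 22\nPermitRootLogin without-password\n' > "$tmp"
    if sshd_root_login_disabled "$tmp"; then
        echo "root login disabled"
    else
        echo "root login still permitted: $(grep -i PermitRootLogin "$tmp")"
    fi
    rm -f "$tmp"
    default_deny_ruleset
}
demo
```

Run the check against /etc/ssh/sshd_config on a real host; a non-zero exit means rule (3) is not yet in force there.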

Update (see comment below) – Other user suggestions

(7) Remove or disable unnecessary services you don’t use.

(8) Conduct some (penetration) tests to ensure you didn’t misconfigure your setup.

(9) Remove all compilers and network scanning tools such as nmap from servers. Why make the attacker’s job easier?

Remember, you can make an attacker’s life hard, but you cannot make anything 100% secure. Continuous monitoring and a tight security policy will keep the service running for a long time without any sort of intrusion 🙂


Posted by: Vivek Gite

The author is the creator of nixCraft and a seasoned sysadmin, DevOps engineer, and a trainer for the Linux operating system/Unix shell scripting. Get the latest tutorials on SysAdmin, Linux/Unix and open source topics via RSS/XML feed or weekly email newsletter.

13 comments

  1. Good tips. One note btw – the apt-get update command on Debian-based systems simply fetches the list of currently available packages in the repositories. Upgrading the system is a two-step process:

    First fetch new package list:

    apt-get update

    Then run an update:

    apt-get upgrade or apt-get dist-upgrade

  2. Some others…

    (7) Remove or disable unnecessary services you don’t use.

    (8) Conduct some (penetration) tests to ensure you didn’t misconfig your setup.

    Misconfiguration is often a cause of system compromise!… It’s right up there with not staying up to date with patches!

  3. Exactly… WHY is SSH stuff included in a desktop-oriented distribution?? Even so, don’t enable it by default, please! It doesn’t matter if you can’t login as root remotely. How many desktop users SSH into their own machines? I’ll admit I do it on occasion, but only to pull music, and very rarely. If I need it, I’ll start it before I go.

  4. Just a quick note: this post is targeted towards Linux servers, not Linux desktop systems. However, I do agree with you – an ssh server is rarely needed on a desktop system.

    Appreciate your post.

  5. You missed a really important one…

    7.) Remove all compilers and network scanning tools such as nmap from servers. Why make the attacker’s job easier?

  6. Jeff,

    Good point!

    If you are running a web server or other services in a chrooted jail, you can safely run gcc and other compilers. I know one admin who, once his server is up, backs up and removes the gcc, rpm and up2date commands… I don’t like his solution at all. It is better to remove gcc, IMPO

    Appreciate your post.

  7. Thanx for the points I’d like to add:

    (9) If running a web hosting server, use the mod_sec module for Apache.

    (10) If running a server in a production environment, run an IDS like Snort.

    (11) The first level of security always starts with physical security.

    (12) Always keep your kernel up to date; if you are a good kernel hacker, then patch it yourself.

    Thanx nixcraft

  8. Rule #3 is nonsense, IMO. Why should disabling root logins make the machine more secure? Just set “PermitRootLogin without-password”, make sure it works and be happy. I often use scp to copy data between servers, and I’d become rather unhappy if I couldn’t do this because I use non-privileged accounts that may do su or sudo, but not access the required files directly.

    Disabling root logins but enabling password auth is much less safe. An attacker could brute-force your password and then would just put a su alias into your .bashrc, and the next moment you’re using it you’ll be mailing him the root password without even noticing.

  9. Oh, I forgot… @Jeff Schroeder:

    Why remove GCC and nmap? [btw: I wouldn’t dare remove gcc on my Gentoo server :>]
    If the attacker is on your server, maybe even as root, then nmap won’t really make it worse. If he’s root and needs it, he will simply install it; if he’s a non-privileged user, he could try e.g. wget/GET to download a suitable executable. And things that you can do in C/C++ (->gcc) are much easier to do in scripting languages like shell script, Perl, PHP, Python. As Perl especially will be installed on many servers, removing GCC seems rather pointless to me.

    Better chroot as much server software as possible and give each chroot really only the tools needed. If an attacker gains control of one of the server programs, he will be locked into the chroot (unless the server program is running as root) and there he will most probably not even find simple tools like mail, cp or mv.
