Linux System Security: An Introduction to Basic Protection Strategies

In the Linux system, many people believe that “open-source systems are inherently secure” or “my server has no sensitive data, so I don’t need to worry too much.” However, while Linux systems have a high security coefficient, ignoring basic security configurations can still expose them to attack risks. For example, weak passwords, open unnecessary ports, and unpatched system vulnerabilities can all turn a server into a “zombie” (botnet machine). This article will discuss basic Linux security protection strategies from a beginner’s perspective to help you quickly establish security awareness.

1. Account Security: Building the “Entrance” Defense from the Source¶

The server’s “front door” is the user account. Once an account is compromised, all system data may be at risk. This is the most basic security point and also the most easily overlooked by beginners.

(1) Use Strong Passwords + Avoid Shared Accounts¶

Password Complexity: Avoid simple passwords like “123456” or “password”. Use a combination of uppercase/lowercase letters, numbers, and special symbols (e.g., Passw0rd!). You can use the pwgen tool to generate random passwords (if not available, manually set a strong password).
No Shared Accounts: Each administrator or user must have a unique account. Do not use the same account to log in to different servers. For example, use dev_user for developers and ops_user for operations staff. Avoid sharing the root account (as it has excessive permissions; a breach would result in total system control).

(2) Limit Permissions: The Principle of Least Privilege¶

Do Not Use root Directly: Use regular users for daily tasks and sudo for privilege escalation (e.g., sudo yum install software). The root account should not be used for direct login (unless necessary) and should only be used for emergency repairs.
Delete Default/Test Accounts: Systems may come with default users (e.g., nobody) or test accounts (e.g., test). Remove or rename them promptly:

  userdel test  # Delete the user; add `-r` to delete the home directory

Why? Password login is vulnerable to brute-force attacks (e.g., hackers using dictionary tools), while key-based login is more secure.
Steps:
1. Generate a key pair locally (e.g., use PuTTYgen on Windows, or ssh-keygen on Linux/Mac).
2. Copy the public key (id_rsa.pub) to the server’s ~/.ssh/authorized_keys and set permissions:

     chmod 600 ~/.ssh/authorized_keys

Disable password login on the server: Edit /etc/ssh/sshd_config, change PasswordAuthentication yes to no, and restart the sshd service.

2. File Permissions: Protect Data from Unauthorized Modification or Access¶

Linux controls who can read, write, or execute files/directories through “permissions.” Misconfigured permissions can lead to data tampering or theft even if accounts are secure.

(1) Understand Permission Representation: What is `rwxr-xr-x`?¶

Permissions are represented by three groups: Owner (rwx), Group (r-x), and Others (r-x).
r (Read): 4, w (Write): 2, x (Execute): 1.
Example: rwxr-xr-x means the owner can read/write/execute, while the group and others can only read/execute.

(2) Least Privilege Principle: Only Grant Necessary Permissions¶

Critical Files/Directories: System core files (/bin, /etc) should have permissions drwxr-xr-x (directories use d; x grants access to the directory).
User Home Directories: Permissions for regular user home directories (/home/user) should be 700 (only the owner can read/write/execute), never 777 (dangerous, allowing any user to modify).
Permission Commands:
Change owner: chown user:group filename (e.g., chown root:root /etc/passwd).
Change permissions: chmod 755 filename (owner: read/write/execute, group/others: read/execute).

3. Firewall: Only Open “Necessary Doors” and Close “Unwanted Windows”¶

Linux firewalls intercept unauthorized access, only opening ports required by the server (e.g., 80/443 for web services, 22 for SSH).

(1) Basic Firewall Tools¶

iptables (CentOS/RHEL):

  iptables -L  # View current rules
  # Allow SSH (22) and web ports (80/443)
  iptables -A INPUT -p tcp --dport 22 -j ACCEPT
  iptables -A INPUT -p tcp --dport 80 -j ACCEPT
  iptables -A INPUT -p tcp --dport 443 -j ACCEPT
  iptables -P INPUT DROP  # Block all other ports by default

firewalld (Simpler Alternative):

  firewall-cmd --add-service ssh --permanent  # Open SSH
  firewall-cmd --list-services  # View open services
  firewall-cmd --reload  # Apply changes

(2) Dangerously Open Ports to Avoid¶

Avoid default ports like Telnet (23), FTP (21), MySQL (3306) (unless necessary). Use SFTP (22/2222) instead of FTP and HTTPS instead of Telnet.

4. System Updates: Close Backdoors with Known Vulnerabilities¶

Many attacks exploit known system vulnerabilities (e.g., Apache Log4j). Timely updates patch these vulnerabilities.

(1) Regular System Updates¶

CentOS/RHEL:

  sudo yum update   # Update packages
  sudo yum upgrade  # Update the kernel

Ubuntu/Debian:

  sudo apt update && sudo apt upgrade

Important: Restart the server after updates: sudo reboot to avoid kernel version mismatches.

(2) Disable Unsecure Services¶

Disable outdated services like FTP and Telnet:

  systemctl disable telnet-server  # Disable permanently
  systemctl stop telnet-server     # Stop currently running

5. Log Monitoring: Track “Abnormal Invasion” Traces¶

Logs are the “eyes” to detect server anomalies, recording login activities and file operations. Regular log checks identify breaches or misconfigurations.

(1) Key Log Tools¶

System Logs: journalctl -xe (view recent logs with explanations via -x).
Login Logs: last (view recent logins; last reboot checks reboot times).
SSH Attempts: grep "Failed password" /var/log/auth.log (detect brute-force attempts).

(2) Common Signs of Abnormal Logs¶

Multiple failed password attempts in a short period.
Unauthorized file modifications (e.g., /etc/passwd changed).
Unexpected user IDs/groups in /etc/group.

Summary: The “Golden Rules” for Basic Protection¶

Linux security is not “set-and-forget.” Master these core strategies to counter 90% of basic threats:
1. Account Security: Strong passwords, least privilege, SSH keys.
2. File Permissions: 700 (home dirs), 644 (regular files), 600 (system files).
3. Firewall: Only open necessary ports, block others by default.
4. System Updates: Regular patches, disable obsolete services.
5. Log Monitoring: Check daily logs for login/operation anomalies.

Security is an ongoing process, not a one-time setup. Start by auditing your server: Are weak passwords still in use? Are unnecessary ports open? Take action now to build a solid Linux security foundation!