Linux Security Stats, Tools, and Best Practices

March 16, 2023


Linux is a widely-used and popular operating system known for its stability, flexibility, and security. However, even with its built-in security features, Linux systems can still be vulnerable to security breaches.

This article will present the latest Linux security statistics, tools, and best practices available to keep your Linux system secure.

Linux Security Stats, Tools and Best Practices

Linux Security and Vulnerabilities: Stats

Compared to other operating systems like Windows and macOS, Linux has fewer vulnerabilities. However, Linux is not immune to all types of cyberattacks. The most common vulnerabilities in Linux systems are privilege escalation, memory corruption, and information disclosure. Cyber attackers use these vulnerabilities to gain unauthorized access to a Linux system and steal data.

Reports from sources such as The National Vulnerability Database (NVD) and Crowdstrike show an increase in Linux vulnerabilities each year. For example, there were 1,958 Linux vulnerabilities reported in 2020. In 2021, there was a 35% rise in malware targeting Linux systems compared to 2020. And in 2022, the number of new Linux malwares reached nearly 1.7 million, a 650% increase from the previous year.

Significant Linux ransomwares and vulnerabilities over the years are:

  1. Shellshock (2014 - active). A vulnerability in the Bash shell that lets attackers run random code by running a specially prepared environment variable.
  2. Ghost (2015 - resolved). A vulnerability in the GNU C Library (glibc) that allowed attackers to run arbitrary code by sending a specific DNS response.
  3. Dirty COW (2016 - resolved). This vulnerability affected the Linux kernel and gave attackers root access by exploiting a race condition in the memory management system.
  4. BlueBorne (2017 - resolved). This vulnerability affected Bluetooth implementations on Windows, Linux, and Android. BlueBorne would run the code remotely, allowing the attackers to steal sensitive information.
  5. SACK Panic (2019 - resolved). A vulnerability in the TCP stack of the Linux kernel caused a denial of service by sending TCP Selective Acknowledgment (SACK) packets.
  6. Ghostcat (2020 - active). This vulnerability affects the Apache Tomcat web server and allows attackers to gain unauthorized access to sensitive information.
  7. SUDO (2021 - active). This vulnerability affected the sudo command-line utility and allowed attackers to execute commands as root without a password.
  8. Text4Shell or ACT4Shell (2022 - active). A critical remote code execution (RCE) vulnerability that abuses the Apache Commons Text interpolation functionality in string substitution.
  9. Linux Kernel Vulnerability (2023 - active). A security issue was found in the Linux kernel's NVMe functionality, specifically in the nvmet_setup_auth() function, which can result in a pre-auth denial of service (DoS) attack on a remote machine.
  10. Signal Desktop Vulnerability (2023 - active). A vulnerability in the Signal Desktop software allows attackers access to sensitive message attachments.

Linux Security Tips and Best Practices

As the use of Linux systems continues to grow, it's crucial to implement adequate security measures to protect a system from potential threats. The sections below offer a range of practical tips and best practices for enhancing the security of a Linux system.

1. Use Strong Passwords

(Basic security mechanism)

Use strong passwords and change them regularly as a basic step to securing your Linux system. Strong passwords prevent unauthorized access to the system and reduce the risk of identity theft, data loss, and other security incidents.

A strong password is at least 12 characters long and includes a mixture of upper and lowercase letters, numbers, and special characters. That makes brute-force attacks extremely more difficult.

Regularly changing passwords also improves security. The process reduces the risk of password reuse and exposure, giving a potential attacker a limited time frame to exploit the password if it becomes compromised.

2. Verify All Accounts Have Passwords

(Basic security mechanism)

Accounts with no passwords allow anyone to log into the system without any authentication, compromising the system's data security and confidentiality. Therefore, make sure to verify that no accounts have empty passwords.

Run the awk command with the following options:

sudo awk -F: '($2 == "") {print $1}' /etc/shadow 
sudo awk -f terminal output

This command searches the /etc/shadow file, which contains information about user account passwords, and prints the names of any accounts with an empty password field.

Since accounts with empty passwords are a serious security risk, consider the following actions:

  • Set a password. For instance, assign a new password to a user with the passwd command:
sudo passwd [username]
  • Disable the account. Prevent users from logging into the account by disabling it entirely. To lock a Linux user account, run the usermod command with the -L option (which prints no output):
sudo usermod -L [username]

Alternatively, use the passwd command with the -l option:

sudo passwd -l [username]
passwd -l to lock a user.

The user is now unable to log in using their password.

  • Delete the account. Remove unnecessary accounts with:
sudo userdel [username]

The command shows no output if executed correctly.

3. Set Up Password Aging

(Basic security mechanism)

Password aging is the practice of requiring users to change passwords regularly. Regular password changes reduce the chance of users reusing previous passwords. The practice also prevents password cracking attacks, which often succeed because of weak passwords that are not changed frequently.

There are several ways to set up password aging for a Linux user:

  • Use the chage command. For instance, enable a password aging process that ensures the password expires in 60 days, the system warns the user 10 days before the expiration date, and the user has to change the password within 14 days. To do so, run:
sudo chage -M 60 -m 10 -W 14 [username]
  • Alternatively, use the passwd command:
sudo passwd -x 60 [username]
sudo passwd -x 60 NewUser terminal output

The command sets the password expiration date for NewUser at 60 days.

4. Restrict the Use of Previous Passwords on Linux

(Basic security mechanism)

Prevent all users from reusing old passwords. Old passwords might have been compromised and attackers might be actively trying to take advantage of that to hack into the system.

To prevent password reuse attacks:

  1. Enforce password history with PAM, a unique Linux library with the pam_unix module feature. This feature keeps track of users' passwords and disallows the reuse of any previously used ones. 
  2. Enforce rules for password complexity, including minimum length and a mix of characters, with pam_cracklib. Requiring users to create complex passwords makes it more difficult for attackers to guess or crack passwords.
  3. Regularly check system logs for any suspicious activity, such as repeated failed login attempts, to detect potential password-related security threats.
  4. Store hashed passwords using a strong cryptographic hash function such as Message-Digest Algorithm (MDA), Secure Hash Algorithm (SHA), or NTLM.
  5. Use an enterprise password manager to generate and store unique, secure passwords for each account.

5. Ensure OpenSSH Server Security

(Intermediate security mechanism)

OpenSSH is a widely used and secure implementation of SSH for Linux systems. It provides encryption for data in transit, robust authentication methods, and a secure way to administer systems and transfer files remotely. To ensure the security of OpenSSH, minimize the tool's vulnerabilities.

Secure the OpenSSH server by following these tips:

  • Use non-standard SSH ports.
  • Limit user access and disable root login.
  • Use SSH key pairs for authentication.
  • Disable root login and password-based logins on the server.
  • Keep OpenSSH updated regularly.
  • Use strong authentication methods.
  • Limit the number of authentication attempts.
  • Disable unused protocols and features.
  • Implement a firewall.
  • Monitor logs regularly.

6. Disable Root Login via SSH

(Intermediate security mechanism)

Linux machines have external root access enabled by default. That leaves an open SSH security vulnerability which hackers can exploit with brute-force attacks. Disabling server SSH root login prevents unauthorized individuals from gaining control over the system. An active root account allows attackers to obtain or guess the root password with full administrative privileges.

To disable root login in Linux, change the SSH configuration file:

1. Open the file in a text editor of your choice. To access the config file in Vim, run:

sudo vim /etc/ssh/sshd_config

2. Find the PermitRootLogin line.

locate the PermitRootLogin line i Vim

3. Change the value from yes to no.

Change PermitRootLogin to no

4. Save the changes and exit the file.

5. Restart the SSH service to apply the changes.

Note: Disabling root login can prevent legitimate users from performing administrative tasks on the system. Ensure that authorized users have the necessary permissions by creating a regular user account with administrative privileges and add the user to the sudo group.

7. Limit the Use of sudo

(Intermediate security mechanism)

Unrestricted use of sudo leads to privilege escalation and allows attackers to gain control of the system. Limiting sudo permissions reduces the number of potential attack vectors. If an attacker gains access to a user account, they will only be able to run a limited set of Linux commands, making it harder to cause damage.

However, limiting the use of sudo requires modifying the sudoers file. While it's possible to do it correctly, making mistakes could result in security vulnerabilities.

8. Ensure Only Root Has User ID Set to 0

(Basic security mechanism)

The root account controls the system, including installing and removing software, modifying system configuration files, and accessing all user data. Root is also the only account with a User ID (UID) set to 0.

A non-root account with a UID of 0 is effectively equivalent to the root account, creating a significant security risk.

To ensure that no non-root accounts have a UID of 0, run:

sudo awk -F: '($3 == "0") {print}
sudo awk -F terminal output

The command prints root as the only user with a UID of 0. If the output shows any non-root accounts with a UID of 0, delete them or change the UID to a non-zero value with usermod

9. Lock User Accounts After Login Failures

(Intermediate security mechanism)

Locking user accounts after several login failures makes it harder for an attacker to guess or brute-force a password.

The system works by setting the maximum number of login attempts per user. Once that number is reached, the account locks for a specified period. Another option is to install a system for unlocking the account, either automatically after a set time has elapsed or manually by an administrator.

To achieve this, use different Identity Access Management (IAM) systems. These tools block incoming traffic from IP addresses with failed login attempts, helping mitigate brute-force attacks or monitor log files and ban IP addresses with repeated failed login attempts.

Writing custom scripts to parse log files, keep track of failed login attempts, and lock user accounts is also an option.

10. Enable Two-Factor Authentication

(Intermediate security mechanism)

Two-factor authentication (2FA) is a security measure that adds an extra layer of protection. By requiring a secondary verification method, such as a one-time code sent to the user's mobile device, 2FA makes it much more difficult for unauthorized users to access sensitive information or systems.

There are various ways to enable 2FA on Linux systems. Common methods include using TOTP (Time-based One-Time Password) apps like Google Authenticator or a hardware token like a Yubikey. Certain Linux systems have built-in 2FA capabilities, such as PAM (Pluggable Authentication Modules), that work with various authentication methods.

11. Keep Linux Up to Date

(Basic security mechanism)

Hackers exploit outdated software. To maintain Linux server security, keep the Linux kernel and software up to date. Different Linux distributions offer various package managers to update packages manually, with yum and apt being the most popular.

Another method includes automatic updates. Automatic updates are installed in the background without requiring any action from the user, making updating software easier and more convenient. However, these types of updates are also risky.

Important: Automatic updates cause compatibility issues with other packages or result in unexpected changes to the system. In general, it is not recommended to run automatic updates on production servers.

12. Use Linux Security Extensions

(Intermediate security mechanism)

Linux security extensions are tools and features that provide additional security measures to a Linux operating system. These extensions help protect against misconfigured or compromised programs, defend against potential attacks, and enforce limitations on networks and programs.

Popular Linux security extensions are:

  • SELinux (Security-Enhanced Linux) is a security feature integrated into the Linux kernel that uses Mandatory Access Control (MAC) system. It allows administrators to control access to system resources by only allowing authorized users and processes. This ensures that only trusted parties access and modify important system information. SELinux is more common in RHEL and CentOS systems.
  • AppArmor is a mandatory access control system that allows administrators to specify the permissions required by applications to access system resources. It's been a default feature of Ubuntu since version 7.10. 
  • TCP Wrappers are a security tool that provides basic access control for network services by checking the client's IP address against a list of allowed or denied addresses. The request is granted if the client's IP address is found in the allow list, and if it is found in the deny list, the request is rejected.
  • PAM (Pluggable Authentication Modules) provides a flexible and centralized system for managing authentication on a Linux system. PAM allows administrators to configure the authentication system and choose the best methods for their security needs. Moreover, PAM makes it easier to enforce strong authentication policies and ensures that all applications and services use the same authentication system.

13. Configure Linux Firewall 

(Basic security mechanism)

firewall on a Linux system acts as the first line of defense against malicious network traffic. The firewall defines rules that govern what traffic is allowed and what is blocked. Sysadmins apply those rules to control incoming and outgoing network traffic, blocking unauthorized access and only allowing necessary services.

The default Linux firewall is iptables, a popular tool that provides packet filtering and manipulation capabilities for IPv4 and IPv6 network traffic. It filters network traffic, forwards traffic between network interfaces, and implements network address translation (NAT).

14. Reduce Network Service Vulnerabilities by Isolation

(Intermediate security mechanism)

To enhance the security of network services, run each service on a separate server or virtual instance. The process limits the number of vulnerable services, making managing security patches, updates, and configurations easier.

There are several ways to implement this method:

  • Use virtualization tools like VirtualBox to create individual virtual machines (VMs) for each network service. Or, create isolated containers with Docker or Kubernetes for each network service.
  • Use firewall rules to control incoming and outgoing network traffic, only allowing the necessary services.
  • Segment the network into separate subnets to isolate different services and minimize the risk of attacks.
  • Regularly monitor network traffic and logs for suspicious activity and take appropriate action.

15. Secure Web Servers

(Intermediate security mechanism)

Web servers like Apache and Nginx are prime cyberattack targets as they often deal with sensitive data. Securing these servers is critical to prevent unauthorized access and data breaches.

Top tips for securing Apache and Nginx web servers are:

  • Regularly update the software to apply the latest security patches and fixes.
  • Configure access control to limit access to sensitive information and prevent unauthorized access.
  • Disable unneeded modules and features to reduce the attack surface and minimize security vulnerabilities.
  • Use strong passwords to secure the administration interface and prevent unauthorized access.
  • Use SSL certificates to encrypt data transmitted over the network and secure sensitive information such as passwords and financial data.
  • Regularly monitor logs for suspicious activity or unauthorized access attempts.
  • Run web servers as a non-root user with limited privileges to prevent unauthorized access and data breaches.

16. Detect Listening Network Ports

(Intermediate security mechanism)

In a Linux system, ports are used when a program, such as a server or a network service, opens a network socket to receive incoming client connections. Open ports listen for those incoming connections.

However, listening ports are a weakness attackers exploit. A vulnerable listening port provides access to the system or sensitive information.

By detecting all listening ports, sysadmins identify and secure them by applying updates, limiting access, or disabling unnecessary ones. Furthermore, identifying listening ports helps detect rogue or unauthorized applications that pose a security risk.

Identify listening ports in a Linux system with netstat, ss, or lsof.

17. Disable Unwanted Linux Services

(Basic security mechanism)

Unneeded services in Linux are a security vulnerability and consume resources like memory and CPU. To improve security and performance on a Linux operating system server, keep a minimal installation with only the necessary packages.

To manage system services, Linux uses systemd with the systemctl command.

1. To check if a service is active, run:

sudo systemctl status [service_name]

For instance, check the status for snap with:

sudo systemctl status snapd
sudo systemctl status snapd terminal output

2. To stop an active service, run:

sudo systemctl stop [service_name]

To stop snap, execute:

sudo systemctl stop snapd
sudo systemctl stop snapd terminal output

3. To prevent the service from starting at boot, use:

sudo systemctl disable [service_name]

For instance, apply this command on snap:

sudo systemctl disable snapd
sudo systemctl disable snapd terminal output

When working with older systems that use System V or Upstart, run the chkconfig command to manage services.

It is also important to check dependencies before installing software and inspect auto-started dependencies to ensure they are needed.

18. Use Centralized Authentication Service

(Intermediate security mechanism)

A Centralized Authentication Service (CAS) is a single sign-on protocol that allows web applications that may not be trusted to authenticate users through a centralized, trusted server. The CAS server handles all authentication, so the user's credentials are not revealed to the applications.

A centralized authentication service is crucial for Linux security as it allows sysadmins to enforce password policies and manage user accounts in a secure and scalable way. It makes monitoring and auditing authentication easier, reduces the risk of lost login credentials, and ensures consistent user data.

Common Linux Central Authentication Services are Kerberos, Samba, and Winbind.

19. Set Up an Intrusion Detection System

(Advanced security mechanism)

An intrusion detection system (IDS) monitors processes running on the server. It detects potential threats such as denial-of service attacks, port scans, or attempts to crack into computers by monitoring network traffic.

Popular IDS options include:

  • Sophos. A cloud-based management platform that integrates multiple security products and uses machine learning to trigger automatic threat responses. It also uses advanced techniques like sandboxing and SSL inspection to identify and isolate compromised systems.
  • SolarWinds - NetFlow Traffic Analyzer. A network monitoring utility that inspects network traffic using intrusion detection. It is configured with over 700 event correlation rules, allowing it to automatically detect suspicious activities and implement remediation actions.
  • Fail2Ban. A lightweight host-based intrusion detection software system designed to protect against brute force attacks. It monitors server logs and detects any suspicious activity, providing an extra layer of security for the server.

20. Manage Linux File Permissions

(Basic security mechanism)

Managing file permissions in Linux protects sensitive files and directories from unauthorized access. Limiting access to files and directories reduces the risk of data breaches, theft of sensitive information, and unauthorized modifications to the system.

Several tools manage file permissions in Linux, including the chmod command, which allows sysadmins to change file permission recursively and configure multiple files and subdirectories using a single command.

The ls command lists file permissions, and the chown command changes file ownership.

21. Use Access Control Lists (ACLs)

(Intermediate security mechanism)

Compared to traditional file permissions systems, ACLs are a more advanced way of controlling access to files and directories in Linux systems. The traditional system only allows three basic permissions (read, write, and execute) to be assigned to three permission classes (file owner, group owner, and others). However, ACLs allow for more fine-grained control.

Sysadmins use ACLs to define different permissions for specific users and groups on a per-file or per-directory basis. This allows for implementing more complex access control policies, like granting certain users read-only access to sensitive files or allowing certain groups write access to specific directories.

22. Monitor Suspicious Server Logs 

(Intermediate security mechanism)

To improve Linux system security and prevent brute force attacks, analyze server logs with log management applications such as Logwatch or logcheck. 

Both tools allow sysadmins to regularly monitor the logs for unusual activity and provide a summarized report.

Logwatch parses log files from services and applications running on the system and generates a daily report of error messages, security alerts, and system warnings. The command has numerous options and settings. For instance, to see a detailed report in the terminal, run:

sudo logwatch --detail high
sudo logwatch --detail high terminal output

Logcheck focuses on log files related to system security, such as authentication logs and firewall logs. Logcheck summarizes the events in these logs and sends a daily report via email to the sysadmin.

The logcheck command also has a lot of options. To output everything, run:

sudo -u logcheck logcheck -o -t
sudo -u logcheck logcheck -o -t terminal output

Note: Neither Logwatch nor logcheck come preinstalled in Linux. Use the apt command to install them.

23. Restrict World-Writable Files

(Intermediate security mechanism)

World-writable files, directories, and devices on a Linux server pose a significant security risk. Any user is able to modify these files, potentially leading to unauthorized changes, data tampering, or malicious actions.

Locate and remove these files following these steps:

1. Identify world-writable files or directories with the find command:

sudo find /. -xdev -type d \( -perm -0002 -a ! -perm -1000 \) -print
Identify world-writable files or directories with the find command

2. In this case, the output prints one directory. If there are more, Investigate each one.

3. Use chmod to update the permissions or remove unnecessary files or directories. For instance, set file permissions to 600 to ensure the owner has full read and write access to the directory, while no other user has access.

sudo chmod 600 [directory]

The command has no output.

24. Configure Logging and Auditing Processes

(Intermediate security mechanism)

Logging and auditing provide valuable information about the system and network events, aiding administrators in detecting and addressing malicious threats. To increase security:

  1. Centralize log data from different sources to a single repository making it easier to search, analyze, and store logs.
  2. Rotate logs regularly to keep only a limited number of logs and reduce the storage space.
  3. Enforce a retention policy to save space and prevent log data from becoming too large to handle.
  4. Use SELinux or another auditing framework to track and record specific events, such as access to sensitive files, user logins, and system changes.
  5. Implement real-time syslog server monitoring tools, such as log analyzers or security information and event management (SIEM) systems, to get alerts for potential security incidents.
  6. Restrict privileges to log files, allowing access to only necessary users to prevent unauthorized modification or tampering of log data.
  7. Encrypt log data before any network transmission s to maintain data confidentiality. 

25. Disable Unwanted SUID and SGID Binaries

(Intermediate security mechanism)

SUID and SGID are file permissions allowing a file to be executed with owner or group privileges. Still, they pose security risks if not adequately secured. The main risk is a privilege escalation attack. Privilege escalation attacks occur when an attacker gains access to a system with limited privileges and then uses a vulnerability to elevate their privileges to the binary owner or group level.

To disable these files:

1. Identify SUID and SGID files with the find command.

sudo find / -perm +u+s -type f
sudo find / -perm +u+s -type f terminal output

2. To locate all SGID files, execute:

sudo find / -perm +g+s -type f
sudo find / -perm +g+s -type f terminal output

Note: An alternative way to locate all SUID and SGID files is the find / -perm +6000 -type f command. However, the command prints an error on some systems that do not support the +6000 option, in which case the command returns an error message.

3. Evaluate the output and decide what to keep or discard.

4. Use the chmod command to change the permissions or remove unnecessary files.

5. Regularly monitor the SUID and SGID files to ensure the permissions have not changed.

26. Encrypt Data Communication

(Intermediate security mechanism)

Linux provides various methods for encrypting data communication:

  1. Secure File Transfer Protocol (SFTP) transfers files between systems securely. With SFTP, users choose the level of authentication for transferring files. To use SFTP, users must install an SFTP server on one system and an SFTP client on the other. However, SFTP only protects files during transfer, and the data is no longer encrypted after reaching the server.
  2. Secure Socket Layer (SSL) guards information passed between two systems via the internet and is used in server-client and server-server communication. SSL encrypts the transmitted data, making it difficult for an attacker to intercept or alter the information. To use SSL, users must obtain an SSL certificate and install it on both the client and the server systems.
  3. Apache SSL (Secure Server Layer) is a component for Apache web server that provides secure communication between a client and a server. It implements the SSL (Secure Socket Layer) or TLS (Transport Layer Security) protocols, which provide encryption and authentication for secure communication.
  4. SSL/TLS: SSL (Secure Sockets Layer) and its successor, TLS (Transport Layer Security), are widely used protocols for encrypting data communication over the internet. TLS (Transport Layer Security) is more secure and provides better encryption. 

27. Use Encryption Tools to Protect Sensitive Data

(Intermediate security mechanism)

Encryption allows users to protect confidential information from unauthorized access, even during a data breach. Encrypting files before transmitting them with SFTP, for instance, ensures additional protection. The following tools allow users to encrypt files before transmitting:

  1. LUKS (Linux Unified Key Setup). The most widely used method for encrypting partitions on Linux systems. LUKS allows users to encrypt the entire partition file system, protecting all the data.
  2. Node.js. An open-source JavaScript (JS) runtime environment that works as an encryption tool. Node.js has an extensive cryptography library, such as crypto, node-forge, or sodium-native, which provide functions for encrypting and decrypting data, generating encryption keys, and managing cryptographic operations.
  3. CryFS. A cryptographic file system that encrypts users' files and stores the encrypted data on cloud storage services like Dropbox or Google Drive. CryFS works by transparently encrypting a user's files before they are uploaded to the cloud and then decrypting them when accessed. The files remain encrypted and protected from unauthorized access, even when stored in the cloud.
  4. SecureDoc for Linux. A security solution for Linux endpoints, providing enterprise-class full disk encryption. It separates encryption into two components, encryption, and key management. SecureDoc for Linux adopts a Zero Trust approach to security but allows live disk conversion during encryption.

28. Use a VPN

(Basic security mechanism)

Virtual Private Networks (VPNs) are crucial in ensuring communication security over public networks on Linux systems. A VPN uses encryption and authentication to protect sensitive information from interception or tampering during transmission.

Unlike open networks, private and virtual private networks limit access to only authorized users. Private networks use a unique IP address to set up isolated communication channels between servers within the same IP range, allowing data exchange without exposure to a public space.

With a VPN, data is encrypted at the source, transmitted over a public network, and decrypted at the destination. This helps to secure communication between the two points, even over an insecure network. VPNs are useful when connecting to a remote server as if directly connected to a private network.

In Linux, a popular VPN is OpenVPN. This open-source VPN solution provides robust security and high performance. It supports various encryption protocols, including SSL/TLS and PPTP. OpenVPN is known for its ease of use, flexible configuration options, and compatibility with most Linux distributions.

29. Harden the Linux Kernel

(Intermediate security mechanism)

The Linux kernel plays a crucial role in the overall security of a system. The /etc/sysctl.conf file configures kernel parameters at runtime and hardens the Linux kernel. Hardening the Linux kernel prevents attacks and limits the damage from potential attacks.

To harden the Linux kernel, configure settings in the /etc/sysctl.conf file:

  • Disable IP forwarding to reduce the risk of the system being used as a pivot point in an attack.
  • Enable source address verification to prevent IP spoofing attacks by verifying that incoming packets have a valid source IP address.
  • Disable ICMP redirect acceptance to stop attackers from altering the system's routing tables through ICMP redirect messages.
  • Disable IP source routing to prevent IP packet routing manipulation.
  • Increase the connection tracking table size to limit the memory used by the connection tracking system, reducing the risk of a denial-of-service attack.

30. Separate Disk Partitions for Improved Linux Security

(Intermediate security mechanism)

Separating disk partitions in a Linux system improves its security by isolating sensitive data and system files from each other. This allows for implementing different security measures for each partition, making it more difficult for an attacker to compromise the entire system.

Critical filesystems to be mounted on separate partitions include: 

  • /usr
  • /home
  • /tmp 
  • /var
  • /var/tmp

Creating separate partitions for Apache and FTP server roots is also recommended. Mounting the partitions with different file permissions and mount options, such as the noexec option, prevents the execution of programs in a partition. This helps prevent attackers from exploiting vulnerabilities in the software installed on the system and limits the potential damage.

Having separate partitions also makes it easier to back up, restore, upgrade, or replace individual parts without affecting the rest of the system. In the event of a security breach, this allows for restoring the compromised partition without affecting the entire system.

31. Enable Disk Quotas

(Basic security mechanism)

Enabling disk quotas in Linux prevents the system from running out of disk space. Limited disk space makes it easier for attackers to exploit vulnerabilities or cause a denial-of-service (DoS) attack by filling up the disk. Setting disk quotas limits the disk space that each user or group takes, preventing attackers from using up all available disk space.

32. Manage "Noowner" Files

(Basic security mechanism)

Managing "noowner" files is essential for Linux security because files not owned by a valid user or group are easily manipulated by an attacker and used to hide malicious files or activities.

To manage "noowner" files:

  1. Use the find command to locate files that do not belong to a valid user or group.
  2. Investigate each reported file to determine its purpose and usage.
  3. Assign the file to an appropriate user and group, or remove it if unnecessary.

33. Backup Linux System

(Intermediate security mechanism)

Backing up a Linux system is crucial for security, allowing users to recover from a system compromise or data loss. A data backup copy helps restore the system to a secure state in case of a security breach, hardware failure, or another disaster.

To back up a Linux system, use traditional UNIX backup programs such as dump and restore or a cloud-based service such as AWS. Ensure the backups' security by encrypting and storing them in a secure location, such as an external storage device or a NAS server.

Most Linux distributions have built-in backup tools. To start with backup on Linux, search for backup tools in the system menu.

34. Install an Antivirus Program

(Basic security mechanism)

An antivirus program protects the system from viruses, trojans, and spyware. Antivirus scans the system, detects potential threats, and prevents damage.

Several antivirus options are available for Linux systems, including free and paid options. Popular free antivirus programs are ClamAV and AVG, and paid options include McAfee and Symantec. Also, regularly update and run the antivirus program to ensure that it provides the most up-to-date protection.

35. Prevent Ransomware Attacks

(Advanced security mechanism)

Ransomware is malware that encrypts user files and demands payment for the decryption key. If a Linux system is infected with ransomware, the loss of important data, files, and sensitive information is possible.

Preventing ransomware attacks requires a combination of security measures, such as:

  • Setting up a firewall.
  • Setting up ad blockers.
  • Implementing strong passwords.
  • Keeping software up-to-date.
  • Using reliable antivirus software.
  • Running regular security tests.
  • Whitelisting applications.
  • Setting up a sandbox.
  • Improving email security.
  • Employing the zero-thrust policy.

36. Regularly Perform Vulnerability Assessments

(Advanced security mechanism)

Performing regular vulnerability assessments in Linux helps identify any potential security risks and weaknesses in the system.

The process enables sysadmins to proactively mitigate the risks and improve the system's overall security.

Several tools and techniques perform vulnerability assessments in Linux, including:

  • Network scanning tools scan the network for open ports and services and identify potential vulnerabilities in the system.
  • Penetration testing tools simulate an attack on the system to identify weaknesses an attacker could exploit.
  • Code review tools analyze the source code of applications and system components, looking for potential security vulnerabilities.
  • Vulnerability databases provide information about known vulnerabilities in specific software and operating systems, including patches and workarounds.

37. Invest in Disaster Recovery

(Advanced security mechanism)

A disaster recovery plan outlines the steps to be taken in case of a system failure, data loss, or security breach. A well-designed disaster recovery minimizes a disaster's impact, reduces downtime, and increases the Linux system's security.

To create a disaster recovery plan, follow this checklist:

  • Identify critical systems and data that must be recovered in a disaster.
  • Choose a backup and recovery solution that meets your needs and budget.
  • Test the backup and recovery plan regularly to ensure it works as expected.
  • Train all personnel on the disaster recovery plan and procedures.
  • Document the plan and keep it up-to-date.

38. Upgrade Security Incident Response Plan (CSIRP)

(Advanced security mechanism)

An effective security incident response plan (CSIRP) is critical to a robust security program. It provides a clear and organized plan for responding to various security incidents, such as data breaches, cyber-attacks, and other security-related events. It is essential to periodically update the CSIRP to keep up with new security threats and be able to detect and respond to security incidents to minimize damage and data loss.

When upgrading the CRISP, make sure to:

  • Review the current plan and identify areas for improvement.
  • Evaluate contemporary security threats and assess the impact.
  • Revise incident response procedures to align with current security best practices.
  • Update incident categorization and prioritization criteria.
  • Review and update communication plans for internal and external stakeholders.
  • Test and refine the updated CSIRP through simulations and tabletop exercises.

39. Use a Security-Focused Web Browser

(Basic security mechanism)

Using a security-focused web browser and configuring it to block malicious sites on Linux protects against malware attacks by blocking access to known malicious websites and warning users about potentially dangerous sites.

Certain security-focused web browsers like Tor encrypt internet connections to protect against eavesdropping and tampering. The process creates a secure internet connection and reduces the risk of hacking or other cyber attacks.

By blocking malicious sites, security-focused web browsers reduce the risk of data breaches when users inadvertently access sites that contain malware or steal personal information.

40. Ensure Linux Server Physical Security

(Intermediate/Advanced security mechanism)

To ensure the physical security of Linux servers, organizations must implement several measures to prevent unauthorized access. Here are the key steps to consider:

  • Secure physical console access. Configure the BIOS to disable booting from external devices such as CDs, DVDs, or USB pens. Set BIOS and GRUB boot loader passwords to protect these settings.
  • Implement multi-layered security. Use physical locks on server room doors, install security cameras to monitor the area, implement access control systems to restrict access to unauthorized personnel and regularly check the servers for signs of tampering or theft.
  • Implement environmental controls. Consider installing air conditioning to prevent server damage due to heat or other environmental factors.
  • Perform regular security audits. Ensure that the physical security measures are up to date and effective in preventing unauthorized server access.
  • Lock servers in IDCs. Make sure to lock all production servers in IDCs (Internet Data Centers) and perform security checks on all personnel accessing the server.

Note Following server room design best practices ensures that the servers are physically secured, cooled, and power redundant.


After reading this article, you are familiar with all the crucial tips and tricks for Linux security. Next, read about the additional tips and tricks to secure your server.

Was this article helpful?
Sara Zivanov
Sara Zivanov is a technical writer at phoenixNAP who is passionate about making high-tech concepts accessible to everyone. Her experience as a content writer and her background in Engineering and Project Management allows her to streamline complex processes and make them user-friendly through her content.
Next you should read
Cloud Storage Security: How Secure Is Cloud Storage?
March 16, 2023

This article is an intro to cloud storage security and the techniques cloud providers use to protect data.
Read more
How to Prevent Ransomware
March 16, 2023

This article provides and explains 18 best practices for preventing ransomware and discusses what to do if you get hit by ransomware.
Read more
21 Server Security Tips
March 16, 2023

Our server security guide includes 21 best practices to protect data & stop hackers. Use our tips to protect your servers before it's too late!
Read more
10 Docker Security Best Practices
September 14, 2020

Docker security tips to keep in mind when building and running containers. Secure your containers and network with these security practices.
Read more