Arch Linux Security Configuration - ryzendew/Linux-Tips-and-Tricks GitHub Wiki
Arch Linux Security Configuration Guide
Complete beginner-friendly guide to securing Arch Linux, including firewall setup, user management, encryption, and security best practices.
Table of Contents
- Firewall Setup
- User Management
- File Permissions
- Disk Encryption
- SSH Security
- System Updates
- Security Best Practices
Firewall Setup
UFW (Uncomplicated Firewall)
Install UFW:
# Install UFW
sudo pacman -S ufw
# Enable firewall (on a remote machine, add the SSH rule shown below first)
sudo ufw enable
# Check status
sudo ufw status
Common rules:
# Allow SSH
sudo ufw allow ssh
# Allow HTTP/HTTPS
sudo ufw allow 80/tcp
sudo ufw allow 443/tcp
# Deny port
sudo ufw deny 8080/tcp
firewalld
Install firewalld:
# Install firewalld
sudo pacman -S firewalld
# Enable and start service (recommended method)
sudo systemctl enable --now firewalld
# Check status
sudo firewall-cmd --state
Configure zones:
# List zones
sudo firewall-cmd --get-zones
# Set default zone
sudo firewall-cmd --set-default-zone public
# Allow service
sudo firewall-cmd --add-service=http --permanent
sudo firewall-cmd --reload
iptables
Advanced firewall:
# Install iptables
sudo pacman -S iptables
# Basic rules
sudo iptables -A INPUT -i lo -j ACCEPT
sudo iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 22 -j ACCEPT
sudo iptables -A INPUT -j DROP
# Save rules
# The redirect must run as root too, so write the file through sudo tee
sudo iptables-save | sudo tee /etc/iptables/iptables.rules > /dev/null
User Management
Create Users
Add users:
# Create user
sudo useradd -m -G wheel username
# Set password
sudo passwd username
Sudo Configuration
Configure sudo:
# Edit sudoers
sudo visudo
Ensure the wheel group line is present and uncommented:
%wheel ALL=(ALL) ALL
Remove Users
Delete users:
# Remove user
sudo userdel username
# Remove with home
sudo userdel -r username
Lock Accounts
Lock/unlock accounts:
# Lock account
sudo passwd -l username
# Unlock account
sudo passwd -u username
File Permissions
Understanding Permissions
Permission format:
-rwxr-xr-x
││││││││││
│││││││││└─ Other: execute
││││││││└── Other: write (not set here)
│││││││└─── Other: read
││││││└──── Group: execute
│││││└───── Group: write (not set here)
││││└────── Group: read
│││└─────── Owner: execute
││└──────── Owner: write
│└───────── Owner: read
└────────── File type (- = file, d = directory)
Set Permissions
Change permissions:
# Set permissions
chmod 755 file
chmod u+x file
chmod g-w file
# Recursive
chmod -R 755 directory
Permission values:
- 4: Read
- 2: Write
- 1: Execute
- 7: Read + Write + Execute
- 5: Read + Execute
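The recursive form `chmod -R 755 directory` also sets the execute bit on every regular file in the tree. The following is an added example, not part of the original guide: it applies 755 to directories and 644 to regular files, and lists files that group or other can write to. The function names `set_tree_modes` and `list_writable_by_others` are made up for this illustration.

```shell
#!/bin/sh
# Added example: `chmod -R 755 directory` also marks every regular file as
# executable. These functions give directories 755 and regular files 644.
# set_tree_modes and list_writable_by_others are hypothetical helper names.

# Apply 755 to directories and 644 to regular files below $1.
set_tree_modes() {
    dir=$1
    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 1; }
    # Directories need the execute bit so they can be entered.
    find "$dir" -type d -exec chmod 755 {} +
    # Regular files: owner read/write, everyone else read-only.
    # find does not follow symlinks here, so link targets are left alone.
    find "$dir" -type f -exec chmod 644 {} +
}

# List regular files below $1 that group or other can write to.
list_writable_by_others() {
    find "$1" -type f \( -perm -020 -o -perm -002 \)
}

# Stand-alone use: sh modes.sh /path/to/directory
if [ "$#" -gt 0 ]; then
    list_writable_by_others "$1"
    set_tree_modes "$1"
fi
```

Scripts inside the tree that must stay executable need `chmod u+x` again afterwards.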
Set Ownership
Change owner:
# Change owner
sudo chown user:group file
# Recursive
sudo chown -R user:group directory
Disk Encryption
LUKS Encryption
Encrypt disk:
# Install cryptsetup
sudo pacman -S cryptsetup
# Encrypt partition (this erases all existing data on /dev/sda2)
sudo cryptsetup luksFormat /dev/sda2
# Open encrypted partition
sudo cryptsetup open /dev/sda2 cryptroot
# Format
sudo mkfs.ext4 /dev/mapper/cryptroot
# Mount
sudo mount /dev/mapper/cryptroot /mnt
Encrypted Swap
Encrypt swap:
# Create swap (keyed from /dev/urandom on every open, so old swap contents cannot be read after a reboot)
sudo cryptsetup -d /dev/urandom open --type plain /dev/sda3 swap
# Format swap
sudo mkswap /dev/mapper/swap
# Enable swap
sudo swapon /dev/mapper/swap
SSH Security
Install SSH
Install OpenSSH:
# Install SSH
sudo pacman -S openssh
# Enable service
sudo systemctl enable sshd
sudo systemctl start sshd
SSH Configuration
Secure SSH:
# Edit SSH config
sudo vim /etc/ssh/sshd_config
Security settings:
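# Disable root login
PermitRootLogin no
# Change port (the firewall must allow the new port; "ufw allow ssh" only opens port 22)
Port 2222
# Disable password auth (use keys; install your public key first, see SSH Keys below)
PasswordAuthentication no
# Allow specific users
AllowUsers username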
Restart SSH:
sudo systemctl restart sshd
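sshd uses the first value it reads for each keyword, so a hardened line placed below an earlier, weaker one has no effect. The following is an added example, not part of the original guide: it checks a config file for the settings listed above. The function names are made up for this illustration, and the parser assumes the global section only (it stops at the first Match block and does not follow Include lines).

```shell
#!/bin/sh
# Added example: check an sshd_config file for the settings in this section.
# sshd keeps the FIRST value it reads for a keyword, so a later duplicate
# line does not override an earlier one.
# effective_value and check_sshd_config are hypothetical helper names.

# Print the first active value of keyword $2 in file $1. Assumptions: only
# the global section is read (parsing stops at the first Match block) and
# Include lines are not followed. Keywords are case-insensitive.
effective_value() {
    awk -v key="$2" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }        # comment or blank line
        tolower($1) == "match" { exit }          # conditional block starts
        tolower($1) == tolower(key) {
            $1 = ""; sub(/^[ \t]+/, ""); print; exit
        }
    ' "$1"
}

# Print one line per deviation from the guide; return 0 only if there are none.
check_sshd_config() {
    cfg=$1
    findings=0
    for want in "PermitRootLogin=no" "PasswordAuthentication=no"; do
        key=${want%%=*}
        val=${want#*=}
        got=$(effective_value "$cfg" "$key" | tr 'A-Z' 'a-z')
        if [ "$got" != "$val" ]; then
            echo "WEAK: $key is '${got:-unset}', expected '$val'"
            findings=$((findings + 1))
        fi
    done
    if [ -z "$(effective_value "$cfg" AllowUsers)" ]; then
        echo "WEAK: AllowUsers is unset, logins are not limited to named users"
        findings=$((findings + 1))
    fi
    [ "$findings" -eq 0 ]
}

# Stand-alone use: sh check.sh /etc/ssh/sshd_config
if [ "$#" -gt 0 ]; then
    check_sshd_config "$1"
fi
```

On a live system, `sudo sshd -t` checks the file for errors before the restart, and `sudo sshd -T` prints the effective configuration with Include files resolved.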
SSH Keys
Generate key:
# Generate key pair
ssh-keygen -t ed25519 -C "your_email@example.com"
# Copy public key
ssh-copy-id user@server
System Updates
Regular Updates
Update system:
# Update packages
sudo pacman -Syu
# Check for updates
pacman -Qu
Security Updates
Check security:
# Install arch-audit
sudo pacman -S arch-audit
# Check vulnerabilities
arch-audit
Automatic Updates
Setup auto-updates (optional):
# Install pacman-contrib
sudo pacman -S pacman-contrib
# Create update script
sudo vim /usr/local/bin/arch-update.sh
Security Best Practices
General Security
Best practices:
- Keep system updated
  sudo pacman -Syu
- Use strong passwords
  - Long, complex passwords
  - Different passwords for different accounts
- Enable firewall
  sudo ufw enable
- Limit sudo access
  - Only add trusted users to wheel
- Disable unnecessary services
  sudo systemctl disable service-name
System Hardening
Additional security:
# Install security tools
sudo pacman -S fail2ban rkhunter
# Configure fail2ban
sudo systemctl enable fail2ban
sudo systemctl start fail2ban
Audit System
Check system:
# Install audit tools
sudo pacman -S audit
# Enable audit
sudo systemctl enable auditd
sudo systemctl start auditd
Summary
This guide covered:
- Firewall - UFW, firewalld, iptables
- User management - Create/remove users
- File permissions - Set proper permissions
- Encryption - Disk encryption
- SSH security - Secure SSH
- Updates - Keep system updated
- Best practices - Security tips
Key Takeaways:
- Enable firewall
- Use strong passwords
- Limit sudo access
- Keep system updated
- Encrypt sensitive data
- Secure SSH
Next Steps
- Arch Linux Networking - Network setup
- Arch Linux System Configuration - System setup
- ArchWiki Security: https://wiki.archlinux.org/title/Security
This guide is based on the ArchWiki. For the most up-to-date information, always refer to the official ArchWiki.