CachyOS Security Configuration - ryzendew/Linux-Tips-and-Tricks GitHub Wiki

CachyOS Security Configuration Guide

Complete beginner-friendly guide to securing your CachyOS system, including firewall, user management, encryption, and security best practices.

Table of Contents

  1. Understanding Linux Security
  2. Firewall Configuration
  3. User Management
  4. File Permissions
  5. Encryption
  6. SSH Security
  7. System Updates
  8. Security Best Practices

Understanding Linux Security

Security Principles

Linux security is based on several principles:

  1. Least privilege: Users have minimum necessary access
  2. Defense in depth: Multiple security layers
  3. Regular updates: Keep system updated
  4. Strong passwords: Use secure passwords
  5. Access control: Control who can access what

Security Layers

Multiple layers:

  • Firewall: Network security
  • User permissions: File access control
  • Encryption: Data protection
  • Updates: Security patches
  • Monitoring: Detect issues

Firewall Configuration

What is a Firewall?

Firewall controls network traffic to/from your system.

Why it matters:

  • Blocks attacks: Prevents unauthorized access
  • Controls traffic: Allows/denies connections
  • Protects services: Secures network services

Using firewalld

Install firewalld:

sudo pacman -S firewalld

Start firewalld:

sudo systemctl enable --now firewalld

Check status:

sudo firewall-cmd --state

What this does:

  • Shows firewall status
  • running: Firewall is active
  • not running: Firewall is off

Basic Firewall Rules

List active zones:

sudo firewall-cmd --get-active-zones

What this does:

  • Shows active firewall zones
  • Shows which interfaces are in zones

List allowed services:

sudo firewall-cmd --list-services

What this does:

  • Shows allowed services
  • Shows what's permitted

Allow service:

sudo firewall-cmd --add-service=http --permanent
sudo firewall-cmd --reload

What this does:

  • Allows HTTP service
  • --permanent: Makes change permanent
  • --reload: Applies changes

Block port:

sudo firewall-cmd --add-port=8080/tcp --permanent
sudo firewall-cmd --reload

What this does:

  • Allows port 8080
  • tcp: TCP protocol
  • Can also use udp

User Management

User Accounts

Create user:

sudo useradd -m -G wheel username

What this does:

  • -m: Creates home directory
  • -G wheel: Adds to wheel group (sudo access)
  • Creates new user

Set password:

sudo passwd username

What this does:

  • Sets user password
  • Prompts for password
  • Secures user account

Delete user:

sudo userdel -r username

What this does:

  • -r: Removes home directory
  • Deletes user account
  • ** Permanent action**

Sudo Configuration

Edit sudoers:

sudo visudo

What this does:

  • Opens sudo configuration
  • Safe editing (validates syntax)
  • ** Edit carefully**

Allow user sudo:

username ALL=(ALL) ALL

What this does:

  • Allows user full sudo access
  • Can run any command as root
  • Add to sudoers file

Restrict sudo:

username ALL=(ALL) NOPASSWD: /usr/bin/pacman

What this does:

  • Allows specific command only
  • No password required
  • More restrictive

File Permissions

Understanding Permissions

File permissions control who can access files.

Permission types:

  • Read (r): Can view file
  • Write (w): Can modify file
  • Execute (x): Can run file

Permission groups:

  • Owner: File owner
  • Group: File group
  • Others: Everyone else

Setting Permissions

View permissions:

ls -l file.txt

What this shows:

-rw-r--r-- 1 user group 1024 Jan 1 12:00 file.txt

What this means:

  • -rw-r--r--: Permissions
  • user: Owner
  • group: Group
  • 1024: Size

Change permissions:

chmod 644 file.txt

What this does:

  • Sets permissions to 644
  • Owner: read+write
  • Group: read
  • Others: read

Permission numbers:

  • 4: Read
  • 2: Write
  • 1: Execute
  • 7: All (4+2+1)

Change owner:

sudo chown user:group file.txt

What this does:

  • Changes file owner
  • Changes file group
  • Requires sudo

Encryption

Disk Encryption

Full disk encryption protects all data.

During installation:

  • Enable encryption in installer
  • Set encryption password
  • Protects entire system

LUKS encryption:

  • Linux Unified Key Setup
  • Standard disk encryption
  • Strong encryption

File Encryption

Encrypt files with GPG:

gpg -c file.txt

What this does:

  • Encrypts file
  • Creates file.txt.gpg
  • Requires password

Decrypt file:

gpg -d file.txt.gpg > file.txt

What this does:

  • Decrypts file
  • Requires password
  • Outputs to file

Install GPG:

sudo pacman -S gnupg

SSH Security

SSH Configuration

Edit SSH config:

sudo nano /etc/ssh/sshd_config

Security settings:

PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes

What this does:

  • PermitRootLogin no: Disables root login
  • PasswordAuthentication no: Disables password auth
  • PubkeyAuthentication yes: Enables key auth

Restart SSH:

sudo systemctl restart sshd

What this does:

  • Applies SSH configuration
  • Restarts SSH service
  • Changes take effect

SSH Keys

Generate SSH key:

ssh-keygen -t ed25519

What this does:

  • Creates SSH key pair
  • -t ed25519: Key type
  • More secure than RSA

Copy public key:

ssh-copy-id user@server

What this does:

  • Copies public key to server
  • Enables key-based login
  • More secure than passwords

System Updates

Security Updates

Update system:

sudo pacman -Syu

What this does:

  • Updates all packages
  • Includes security updates
  • Keeps system secure

Check for updates:

pacman -Qu

What this does:

  • Lists available updates
  • Shows what needs updating
  • Check regularly

Automatic Updates

Enable automatic updates (optional):

# Create update script
sudo nano /usr/local/bin/auto-update.sh

Add:

#!/bin/bash
pacman -Syu --noconfirm

Schedule with systemd:

sudo systemctl enable --now update.timer

** Automatic updates can be risky!**

Security Best Practices

Password Security

Strong passwords:

  • Length: At least 12 characters
  • Complexity: Mix of letters, numbers, symbols
  • Uniqueness: Different for each account
  • No dictionary words: Avoid common words

Password manager:

  • Use password manager
  • Generate strong passwords
  • Store securely

Regular Backups

Backup regularly:

  • Protects against data loss
  • Enables recovery
  • Important for security

See Backup and Restore Guide

Monitoring

Check logs:

journalctl -p err

What this does:

  • Shows error logs
  • Helps detect issues
  • Monitor regularly

Check failed logins:

sudo lastb

What this does:

  • Shows failed login attempts
  • Helps detect attacks
  • Monitor for suspicious activity

Additional Resources

Summary

This guide covered:

  1. Understanding Linux security - Security principles
  2. Firewall configuration - Network security
  3. User management - User accounts and sudo
  4. File permissions - Access control
  5. Encryption - Data protection
  6. SSH security - Remote access security
  7. System updates - Security patches
  8. Best practices - Security recommendations

Key Takeaways:

  • Use firewall to protect network
  • Create users with appropriate permissions
  • Set strong passwords
  • Encrypt sensitive data
  • Keep system updated
  • Monitor logs for issues
  • Follow security best practices
  • Regular backups are important

This guide is based on the CachyOS Wiki and Arch Linux Wiki and expanded with detailed explanations for beginners. For the most up-to-date security information, always refer to the official documentation.