Linux Security Configuration Guide

Complete beginner-friendly guide to securing your Linux system, covering Arch Linux, CachyOS, and other distributions including firewall setup, user management, file permissions, encryption, SSH security, and best practices.

---

Table of Contents

1. Understanding Linux Security
2. Firewall Configuration
3. User Management
4. File Permissions
5. Disk Encryption
6. SSH Security
7. System Updates
8. Security Best Practices

---

Understanding Linux Security

Security Principles

Linux security is based on several principles:

1. Least privilege: Users have minimum necessary access
2. Defense in depth: Multiple security layers
3. Regular updates: Keep system updated
4. Strong passwords: Use secure passwords
5. Access control: Control who can access what

Security Layers

Multiple layers:

• Firewall: Network security
• User permissions: File access control
• Encryption: Data protection
• Updates: Security patches
• Monitoring: Detect issues

---

Firewall Configuration

UFW (Uncomplicated Firewall)

Install UFW:

# Arch/CachyOS
sudo pacman -S ufw

# Debian/Ubuntu
sudo apt install ufw

# Fedora
sudo dnf install ufw

Enable firewall:

# Enable firewall
sudo ufw enable

# Check status
sudo ufw status

Common rules:

# Allow SSH
sudo ufw allow ssh

# Allow HTTP/HTTPS
sudo ufw allow 80/tcp
sudo ufw allow 443/tcp

# Deny port
sudo ufw deny 8080/tcp

firewalld

Install firewalld:

# Arch/CachyOS
sudo pacman -S firewalld

# Debian/Ubuntu
sudo apt install firewalld

# Fedora (usually pre-installed)
sudo dnf install firewalld

Enable service:

sudo systemctl enable --now firewalld

Configure zones:

# List zones
sudo firewall-cmd --get-zones

# Set default zone
sudo firewall-cmd --set-default-zone public

# Allow service
sudo firewall-cmd --add-service=http --permanent
sudo firewall-cmd --reload

iptables

Advanced firewall:

# Install iptables
sudo pacman -S iptables

# Basic rules
sudo iptables -A INPUT -i lo -j ACCEPT
sudo iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 22 -j ACCEPT
sudo iptables -A INPUT -j DROP

# Save rules
sudo iptables-save > /etc/iptables/iptables.rules

---

User Management

Create User

Add user:

# Create user
sudo useradd -m -G wheel username

# Set password
sudo passwd username

Sudo Configuration

Configure sudo:

# Edit sudoers
sudo visudo

# Ensure wheel group has sudo
%wheel ALL=(ALL) ALL

Disable Root Login

Secure root:

# Lock root account
sudo passwd -l root

# Or disable root login in SSH
# Edit /etc/ssh/sshd_config
# Set: PermitRootLogin no

---

File Permissions

Understanding Permissions

File permissions:

# View permissions
ls -l file

# Output example:
# -rw-r--r-- 1 user group 1024 Jan 15 10:00 file

Permission bits:

• Owner: Read, Write, Execute
• Group: Read, Write, Execute
• Others: Read, Write, Execute

Set Permissions

Change permissions:

# Set permissions
chmod 755 file
chmod u+x file
chmod g-w file

# Recursive
chmod -R 755 directory

Change Ownership

Change owner:

# Change owner
sudo chown user:group file

# Recursive
sudo chown -R user:group directory

---

Disk Encryption

LUKS Encryption

Encrypt partition:

# Encrypt partition
sudo cryptsetup luksFormat /dev/sda2

# Open encrypted partition
sudo cryptsetup open /dev/sda2 cryptroot

# Format
sudo mkfs.ext4 /dev/mapper/cryptroot

See Disk Encryption for detailed guide.

---

SSH Security

Harden SSH

Edit SSH config:

# Edit config
sudo vim /etc/ssh/sshd_config

Security settings:

PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
MaxAuthTries 3

Restart SSH:

sudo systemctl restart sshd

See SSH Configuration for detailed guide.

---

System Updates

Regular Updates

Update system:

# Arch/CachyOS
sudo pacman -Syu

# Debian/Ubuntu
sudo apt update && sudo apt upgrade

# Fedora
sudo dnf update

Why updates matter:

• Security patches: Fix vulnerabilities
• Bug fixes: Improve stability
• New features: Get latest features

---

Security Best Practices

General Practices

Security checklist:

1. Keep system updated: Regular updates
2. Use firewall: Block unnecessary ports
3. Strong passwords: Use secure passwords
4. Disable root login: Use sudo instead
5. Encrypt sensitive data: Protect important files
6. Regular backups: Backup important data
7. Monitor logs: Check for suspicious activity

fail2ban

Install fail2ban:

# Arch/CachyOS
sudo pacman -S fail2ban

# Debian/Ubuntu
sudo apt install fail2ban

# Fedora
sudo dnf install fail2ban

Enable:

sudo systemctl enable fail2ban
sudo systemctl start fail2ban

---

Summary

This guide covered security configuration for Arch Linux, CachyOS, and other distributions, including firewall, user management, file permissions, encryption, SSH, and best practices.

---

Next Steps

• SSH Configuration - SSH setup
• System Hardening - Advanced security
• Disk Encryption - Encryption guide
• ArchWiki Security: https://wiki.archlinux.org/title/Security

---

This guide covers Arch Linux, CachyOS, and other Linux distributions. For distribution-specific details, refer to your distribution's documentation.