# Comprehensive Guide to Linux Network Security
Linux systems are widely deployed as servers, containers, routers, and even embedded systems, all of which can be targets for cyber threats. This guide explores the core principles and practical tools for securing Linux network environments, following best practices and real-world techniques.
## Securing Network Services

### Basics

- Network services, daemons, and servers listen on ports.
- They run in the background and write logs.
- Best security practice: run each service under its own dedicated, unprivileged user.

### Hardening Techniques

- Use ports below 1024 (privileged ports) cautiously, since binding to them requires root privileges.
- Drop root privileges after binding to a port.
- Only bind to the interfaces and addresses that actually need the service (for example, loopback only for local-only daemons).

### Cleanup

- Stop and uninstall unused services:

  ```bash
  systemctl stop SERVICE
  systemctl disable SERVICE
  ```

- Prefer SSH over legacy insecure protocols (e.g., rsh, rlogin, telnet), which transmit credentials in clear text.
## Preventing Information Leakage

### Leak Vectors

- Web server banners (check what your server announces in its response headers):

  ```bash
  curl -I http://your-server
  ```

- System files: `/etc/motd`, `/etc/issue`, `/etc/issue.net`

Avoid revealing service or system information (software versions, OS release, hostnames) in these files.
## Monitoring Network Activity

### Active Services

```bash
systemctl
```

### Listening Services

```bash
netstat -nutlp
lsof -i
```

### Port Scanning

Use Nmap to find open ports:

```bash
nmap 127.0.0.1
nmap your.server.ip
```

Check specific ports:

```bash
telnet HOST PORT
nc -v HOST PORT
```

### xinetd Security

Disable unused xinetd services:

```bash
systemctl stop xinetd
systemctl disable xinetd
```

Within `/etc/xinetd.d/SERVICE`, set:

```
disable = yes
```

## Securing SSH
### Key-Based Authentication

Edit `/etc/ssh/sshd_config`:

```
PubkeyAuthentication yes
PasswordAuthentication no
```

### Generate and Copy Keys

```bash
ssh-keygen
ssh-copy-id user@host
```

Confirm that key-based login works in a second session before disabling password authentication, or you can lock yourself out.

### Restrict Root Access

```
PermitRootLogin no
```

Or allow root login with keys only:

```
PermitRootLogin without-password
```

(`without-password` is a deprecated alias for `prohibit-password` in current OpenSSH releases; both have the same effect.)

### User and Group Access Control

```
AllowUsers user1 user2
AllowGroups group1 group2
DenyUsers baduser
DenyGroups badgroup
```

### SSH Port Forwarding
#### Forward Types

- Local
- Remote
- Dynamic (SOCKS)

#### Disable Forwarding

```
AllowTcpForwarding no
GatewayPorts no
```

### SSH Protocol Version and Port

```
Protocol 2
Port 2222
```

(Protocol 1 support was removed in OpenSSH 7.6; on current releases only protocol 2 exists and the `Protocol` keyword is deprecated.)

If SELinux is enforcing, register the new port:

```bash
semanage port -a -t ssh_port_t -p tcp 2222
```

Reload the configuration:

```bash
systemctl reload sshd
```

## Linux Firewalls: Netfilter + IPTables
### Components
- Kernel framework: Netfilter
- User-level tool: iptables
### Tables
- Filter
- NAT
- Mangle
- Raw
- Security
### Chains
- INPUT
- OUTPUT
- FORWARD
- PREROUTING
- POSTROUTING
### Managing Rules

#### View Rules

```bash
iptables -L
iptables -t nat -L
iptables -nL
iptables -vL
```

#### Set Default Policy

```bash
iptables -P INPUT DROP
```

Add the rules that accept your own SSH session and established connections before switching the INPUT policy to DROP, or you will lock yourself out.

#### Add / Insert / Delete Rules

Rules are matched in order: `-A` appends at the end of a chain, `-I` inserts at the top (or at a given position), and `-D` deletes a matching rule.

```bash
iptables -A INPUT ...
iptables -I INPUT ...
iptables -D INPUT ...
```

#### Flush Rules

```bash
iptables -F
```

Flushing removes the rules but leaves the default policy in place; with `INPUT DROP` set, this cuts all inbound traffic, SSH included.

#### Rule Specification Examples

```bash
iptables -A INPUT -s 192.168.1.100 -j DROP
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j DROP
```

If you moved SSH to another port (such as 2222 above), accept that port instead of 22.

### Saving Firewall Rules

Debian/Ubuntu:

```bash
apt install iptables-persistent
netfilter-persistent save
```

RedHat/CentOS:

```bash
yum install iptables-services
service iptables save
```

### Front-End Tools

- firewalld (CentOS/RHEL)
- ufw (Ubuntu)
- gufw (GUI for UFW)
## TCP Wrappers

TCP Wrappers is a security tool for Linux and Unix systems that provides host-based access control for network services. It works by allowing or restricting access to network services based on the IP address or hostname of the client attempting to connect. Note that only services linked against libwrap honor these files: OpenSSH dropped libwrap support in version 6.7, and RHEL 8 removed the tcp_wrappers package, so verify that a given service still consults them before relying on this control.
### Access Control

- Files: `/etc/hosts.allow`, `/etc/hosts.deny`. `hosts.allow` is consulted first, then `hosts.deny`; the first matching rule wins, and a client that matches neither file is allowed.
- Rule format:

  ```
  SERVICE : CLIENT : [ACTION]
  ```

Examples:

```
sshd : 192.168.1.0/24
ALL : .example.com
sshd : .hacker.net : spawn /usr/bin/wall "Attack from %a"
```

### Wildcards and Logging

- `%a`: client IP
- `%d`: daemon name
- `%u`: client username
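As an added example (not code from the original page), the following Python simulation of tcpd's decision order shows why rule placement matters: hosts.allow is consulted first, the first match wins, and a client matching neither file is admitted. The sample files, addresses and hostnames are constructed; it assumes the client hostname has already been resolved via reverse DNS and does not implement the EXCEPT operator.

```python
import ipaddress

# Constructed sample files (not from the original page), "SERVICE : CLIENT [: OPTION ...]" format.
HOSTS_ALLOW = """
sshd : 192.168.1.0/24
ALL  : .example.com
# "spawn" only runs a command: with no trailing "deny" option this rule still GRANTS access
sshd : .hacker.net : spawn /usr/bin/wall "Attack from %a"
"""
HOSTS_DENY = "ALL : ALL\n"  # the usual catch-all

def parse_rules(text):
    # -> list of (services, clients, options); '#' starts a comment
    rules = []
    for line in filter(None, (r.split("#", 1)[0].strip() for r in text.splitlines())):
        fields = [f.strip() for f in line.split(":")]
        if len(fields) < 2:
            raise ValueError(f"malformed rule: {line!r}")
        rules.append((fields[0].split(), fields[1].split(), fields[2:]))
    return rules

def client_matches(pattern, ip, hostname):
    # Subset of hosts_access(5) client patterns; EXCEPT is not handled.
    if pattern == "ALL":
        return True
    if pattern.startswith("."):   # domain suffix, e.g. .example.com
        return hostname is not None and hostname.endswith(pattern)
    if pattern.endswith("."):     # address prefix, e.g. 192.168.
        return ip.startswith(pattern)
    if "/" in pattern:            # CIDR or net/netmask
        return ipaddress.ip_address(ip) in ipaddress.ip_network(pattern, strict=False)
    return pattern in (ip, hostname)  # exact address or hostname

def first_match(rules, service, ip, hostname):
    # Options of the first rule whose daemon and client both match, else None.
    for services, clients, options in rules:
        if "ALL" in services or service in services:
            if any(client_matches(c, ip, hostname) for c in clients):
                return options
    return None

def access_decision(service, ip, hostname, allow_text, deny_text):
    # tcpd order: hosts.allow first, then hosts.deny, allow if neither matches.
    options = first_match(parse_rules(allow_text), service, ip, hostname)
    if options is not None:
        return "deny" if "deny" in options else "allow"
    if first_match(parse_rules(deny_text), service, ip, hostname) is not None:
        return "deny"
    return "allow"  # no matching rule at all: tcpd lets it through
```

The `spawn` rule from the examples above, placed in hosts.allow, logs the connection but still admits it; a `deny` option or an earlier deny rule is needed to block it.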
## Further Reading

```bash
man ssh
man sshd
man sshd_config
```

## Conclusion
Linux network security requires a multi-layered approach: controlling exposed services, reducing information leakage, managing SSH access, enforcing firewall rules, and applying host-level access controls such as TCP Wrappers. By mastering these tools and principles, you significantly reduce your system's attack surface and increase resilience against network-based threats.