
Top 50 Linux Commands for Securing a Linux Server


Securing a Linux server starts with the commands that control who can log in, what they can touch, which ports are reachable, what gets logged and how quickly patches land. Here is a list of 50 Linux commands for securing a Linux server, organised into categories for readability, each with a short explanation of its purpose, a typical invocation and the caveat a practitioner should know before running it.

User Management and Access Control

  1. adduser
    • Creates a new user account with a home directory and default configuration (a Debian-style front end to useradd): adduser [username].
  2. usermod
    • Modifies an existing account: usermod -aG [group] [username] appends the user to a supplementary group. Without -a, -G replaces the user's entire supplementary group list, which can silently remove access the user still needs.
  3. passwd
    • Changes a user's password: passwd [username]. passwd -e [username] expires the password immediately so the user must set a new one at the next login, and passwd -l [username] locks the account.
  4. sudo
    • Runs a command with another user's privileges, normally root's. Grant and restrict sudo rights in /etc/sudoers or in a file under /etc/sudoers.d/, and edit them only with visudo, which checks the syntax before saving so that a typo cannot lock every administrator out.
  5. lastlog
    • Reports the most recent login of every account from /var/log/lastlog, useful for spotting logins to service accounts that should never log in interactively.
  6. who
    • Shows who is currently logged in: who -a also lists the source host of each session and the last boot time.
  7. chage
    • Sets password and account aging: chage -M 90 [username] forces a password change every 90 days, chage -E [expire_date] [username] disables the account on that date, and chage -l [username] shows the current settings.
  8. faillog
    • Displays the failed login counts recorded by pam_tally: faillog -u [username]. Distributions that have moved to pam_faillock keep the same information in faillock --user [username].

Filesystem Permissions and Ownership

  1. chmod
    • Changes file or directory permissions: chmod 700 [filename] leaves only the owner with read, write and execute access.
  2. chown
    • Changes file or directory ownership: chown user:group [filename].
  3. umask
    • Sets the permission bits removed from newly created files and directories. umask 027 yields 640 for files and 750 for directories, so nothing new is readable by other users; set it in /etc/profile or /etc/login.defs to make it persistent.
  4. lsattr
    • Lists extended file attributes, which ls does not show: lsattr [filename] reveals immutable (i) or append-only (a) files.
  5. chattr
    • Changes file attributes. chattr +i [filename] makes a file immutable: not even root can modify, rename or delete it until the attribute is removed with chattr -i, which is useful for critical files and for an integrity baseline.
  6. find
    • Locates files by permission, owner or group: find / -type f -perm 777 lists files whose mode is exactly 777. The forms a security review usually needs are -perm -0002 (any world-writable file) and -perm -4000 (setuid binaries).
  7. getfacl
    • Displays the Access Control List (ACL) of a file: getfacl [filename]. A + after the mode in ls -l output shows that an ACL is present.
  8. setfacl
    • Grants or revokes ACL entries for individual users or groups: setfacl -m u:username:rwx [filename] gives one user full access without changing the file's group or mode.

Network Security

  1. iptables
    • Configures the kernel packet filter: iptables -A INPUT -p tcp --dport 22 -j ACCEPT appends a rule permitting SSH. Rules exist only in memory until saved with iptables-save or the distribution's persistence package, and on current distributions the iptables command is usually a compatibility front end for nftables.
  2. firewalld
    • Manages firewall zones and rules dynamically through firewall-cmd: firewall-cmd --zone=public --add-port=22/tcp --permanent. --permanent writes the rule to disk but does not activate it until firewall-cmd --reload; without --permanent the rule applies immediately but is lost on restart.
  3. nmap
    • Port scanner: nmap -sS [target_ip] performs a TCP SYN scan (root required). Run it against your own server from an external host to confirm that only the intended ports answer; it reports open ports and service banners, not vulnerabilities as such.
  4. netstat
    • Displays network connections and listening ports: netstat -tuln. It belongs to the deprecated net-tools package and is often not installed by default.
  5. ss
    • The modern replacement for netstat: ss -tuln lists listening TCP and UDP sockets numerically, and -p adds the process that owns each socket.
  6. tcpdump
    • Captures packets on an interface for traffic inspection: tcpdump -i eth0. Add -nn and a filter such as port 22 to avoid name lookups and noise.
  7. ufw
    • Uncomplicated Firewall, a simpler front end to iptables/nftables. Set ufw default deny incoming and allow the ports you need (ufw allow 22/tcp) before running ufw enable, or you will cut off your own SSH session.
  8. fail2ban
    • Watches log files for repeated failed logins and adds temporary firewall bans for the offending IP addresses. The defaults are in /etc/fail2ban/jail.conf; do not edit that file, since package upgrades overwrite it. Put overrides in /etc/fail2ban/jail.local instead.

Process and Resource Monitoring

  1. ps
    • Lists running processes: ps aux shows every process with its owner and command line, which helps spot processes running as root that should not be.
  2. top
    • Displays real-time CPU and memory usage per process, useful for spotting unexpected load such as a cryptominer.
  3. htop
    • An interactive alternative to top with a process tree view and easier sorting.
  4. kill
    • Sends a signal to a process by PID: kill -9 [PID] sends SIGKILL, which cannot be caught and gives the process no chance to clean up. Before killing a suspicious process, record what it is (ls -l /proc/[PID]/exe, lsof -p [PID]), because the evidence disappears with it.
  5. lsof
    • Lists open files and the processes holding them: lsof -i shows every network socket, and lsof -p [PID] shows everything a single process has open.
  6. strace
    • Traces the system calls a process makes: strace -p [PID] attaches to a running process and shows the files it opens, the connections it makes and the commands it executes, which is how you work out what an unknown process is actually doing.

Logging and Auditing

  1. journalctl
    • Queries the systemd journal: journalctl -u ssh.service shows the SSH daemon's log on Debian/Ubuntu (the unit is sshd.service on RHEL-family systems); add -f to follow it live.
  2. logrotate
    • Rotates, compresses and prunes logs according to /etc/logrotate.conf and /etc/logrotate.d/, so that a disk filled with logs can neither take the server down nor cause evidence to be lost.
  3. auditctl
    • Adds rules to the kernel audit subsystem: -w watches a path for read, write, execute or attribute changes, -a adds a syscall rule, and -k tags the rule with a key for later searching. Rules placed in /etc/audit/rules.d/ survive a reboot.
  4. ausearch
    • Searches the audit log: ausearch -c '[command]' finds events by executable name, and ausearch -k [key] finds events matching a rule's key.
  5. auditd
    • The daemon that receives audit events from the kernel and writes them to /var/log/audit/audit.log.
  6. cat /var/log/auth.log
    • Reads the authentication log (Debian/Ubuntu; /var/log/secure on RHEL-family systems), which records every login, sudo use and failed password. On a busy server use tail -f or less rather than cat.
  7. cat /var/log/syslog
    • Reads the general system log (/var/log/messages on RHEL-family systems) for errors and service activity. On systems that log only to the journal, use journalctl instead.

Security Updates and Maintenance

  1. apt-get update && apt-get upgrade
    • Refreshes the package lists and installs available updates, including security patches, on Debian-based systems. Use apt-get dist-upgrade when a kernel or dependency change is being held back.
  2. yum update
    • Updates all packages on Red Hat-based systems; dnf upgrade is the equivalent on current Fedora and RHEL releases, and dnf upgrade --security limits the run to security advisories.
  3. unattended-upgrades
    • Debian/Ubuntu package that installs security updates automatically. Enable it with dpkg-reconfigure unattended-upgrades and tune /etc/apt/apt.conf.d/50unattended-upgrades; RHEL-family systems use dnf-automatic for the same purpose.
  4. rkhunter
    • Scans for known rootkits, backdoors and suspicious files: rkhunter --check. Run rkhunter --propupd after legitimate package updates so that changed binaries are not reported as tampering.
  5. chkrootkit
    • Another rootkit scanner that checks system binaries and looks for hidden processes: chkrootkit. Both tools are signature-based and a clean result does not prove the host is clean.

SSH Configuration

  1. sshd_config
    • The SSH daemon's configuration file, /etc/ssh/sshd_config. Harden it with PermitRootLogin no, PasswordAuthentication no (once keys are in place) and PermitEmptyPasswords no. Validate with sshd -t, reload the service, and keep your existing session open until a fresh login has been confirmed to work.
  2. ssh-keygen
    • Generates an SSH key pair for password-less authentication; ssh-keygen -t ed25519 produces a modern, short key. Protect the private key with a passphrase.
  3. ssh-copy-id
    • Appends your public key to ~/.ssh/authorized_keys on a remote host: ssh-copy-id [user@host]. Do this before disabling password authentication.
  4. scponly
    • A restricted shell that limits users to SCP/SFTP transfers. It is no longer widely maintained; OpenSSH's built-in internal-sftp with ChrootDirectory in a Match block is the usual replacement.

Disk and File Integrity Monitoring

  1. aide
    • Advanced Intrusion Detection Environment. aide --init builds a baseline database of file hashes and attributes, and aide --check compares the live filesystem against it, listing added, removed and changed files. Keep the baseline on read-only or offline storage so that an intruder cannot simply regenerate it.
  2. tripwire
    • Another file integrity checker that works from a signed snapshot of the filesystem and reports every deviation from it.
  3. md5sum
    • Computes MD5 checksums of files. It will catch accidental corruption, but MD5 collisions are practical to produce, so it should not be relied on to detect deliberate tampering.
  4. sha256sum
    • Computes SHA-256 checksums, a collision-resistant hash suitable for integrity verification: sha256sum [filename]. sha256sum -c [listfile] verifies a set of files against previously recorded hashes.

What are the Tips for Linux Server Security?

1. Disable Unnecessary Services

Every running service is code exposed to attackers, so each unused one is a potential entry point. Disabling unnecessary services reduces the attack surface and frees resources. Start by listing the running and enabled services (systemctl list-units --type=service and systemctl list-unit-files --state=enabled), decide which ones the server actually needs, and remove the rest. If, for example, an FTP daemon is running on a web server that serves no FTP, disable it. Use systemctl disable --now [service] so that the service is both stopped immediately and prevented from starting at the next boot; merely stopping it leaves it to return after a reboot.


2. Limit Sudo Access

The sudo privilege lets a user run commands as root, which becomes a serious risk when it is handed out widely. Limiting it to the users who genuinely need it keeps the attack surface small and reduces the chance of accidental or malicious misuse. Manage sudo access by editing the sudoers configuration with visudo, or by adding files under /etc/sudoers.d/, and define permissions per user or group. Grant sudo to a dedicated group (the sudo or wheel group, depending on the distribution) and add users to it rather than listing users individually: group membership is far easier to review and audit. Restricting users to specific commands rather than ALL adds another layer, so that a backup operator can be allowed to run only the backup script, and NOPASSWD should be reserved for such narrowly scoped entries, never combined with ALL.


3. Regular Backups

Backups protect integrity and availability: after data loss, corruption, ransomware or a breach, they are what lets you restore the system to a known state with minimal downtime. Automate them so that they actually run. rsync performs incremental copies, transferring only files that have changed, which saves time and storage; scheduling it from cron runs the backup at a fixed interval, daily or weekly as your requirements dictate. Store copies off-site or in a secure cloud location so that a compromise or failure of the server cannot destroy the backups along with the data, and test a restore periodically, because an untested backup is only a hope.


4. Limit Open Ports

Every listening port is a path into the server, and the service behind it can be attacked if it is not properly managed. Limiting open ports to those the server needs greatly reduces the network attack surface. Review the listening sockets regularly (ss -tuln on the host, or nmap from outside) to confirm they match the server's purpose, close any that are unnecessary, and bind services that only local processes use, such as a database, to 127.0.0.1 rather than to all interfaces. Then enforce the result with firewall rules: allow SSH and the application ports, drop everything else, and revisit the rules whenever services change so that the configuration stays minimal.


5. Check System Integrity

File integrity monitoring is crucial for detecting unauthorized changes to files and directories. Tools like AIDE (Advanced Intrusion Detection Environment) and Tripwire help monitor the filesystem by creating a baseline database that represents a known good state of critical files. By periodically comparing the current state of files with this baseline, you can detect and respond to unauthorized modifications or tampering, which is often an indication of malicious activity. Set up regular integrity checks with these tools to automatically scan your system and notify you of any discrepancies. This proactive approach ensures you quickly detect security issues that could otherwise go unnoticed.


Continuous Monitoring and Proactive Security

Maintaining a secure Linux server requires a continuous commitment to monitoring and updating security practices. Periodically audit user privileges, keep services and packages updated, and ensure your firewall and backup configurations are aligned with best practices. Centralized logging and monitoring solutions, such as Syslog servers or Security Information and Event Management (SIEM) systems, allow for effective, scalable, and comprehensive server security management. These tools help identify unusual patterns and system anomalies, enabling you to proactively respond to threats and safeguard your Linux server.
