Linux Security Cheat Sheet for Sysadmins

A focused reference for Linux security, hardening, auditing, and compliance best practices.


🔹 User & Access Management

  • Check Logged In Users (w also shows each session's source host and current command):

    who
    w

  • Check Last Logins (read from /var/log/wtmp; reboots are listed too):

    last

  • Check Sudo Access (sudo -l shows your own rules; -U lists another user's and needs root):

    sudo -l
    sudo -l -U username

  • Lock a User Account (-L only disables the password, so an SSH key still logs in; -e 1 expires the account and blocks every login method):

    sudo usermod -L username
    sudo usermod -L -e 1 username

  • Force Password Change on Next Login (sets the last-change date to day 0):

    sudo chage -d 0 username

  • Check Password Expiry (needs root for users other than yourself):

    sudo chage -l username

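The checks above look at one account at a time. The script below, an added example that is not part of the original cheat sheet, audits a whole passwd/shadow pair for the three things an attacker leaves behind most often: a second UID 0 account, an empty password field, and a "locked" account that still has a login shell (usermod -L stops passwords, not SSH keys). The sample account data is constructed; the category names are my own.

```bash
#!/usr/bin/env bash
# Account audit over passwd/shadow-format input. Added example, not part of the
# original cheat sheet. The sample account data below is constructed.

# audit_accounts PASSWD_FILE SHADOW_FILE
# Prints one finding per line as "<category> <user>":
#   uid0              - a second UID-0 account (a classic persistence trick)
#   empty-password    - empty hash field, so no password is needed at all
#   locked-with-shell - password locked ("!" or "*") but the shell still permits
#                       logins via SSH keys; review that user's authorized_keys
audit_accounts() {
    local passwd="$1" shadow="$2"
    awk -F: '$3 == 0 && $1 != "root" { print "uid0 " $1 }' "$passwd"
    awk -F: '$2 == "" { print "empty-password " $1 }' "$shadow"
    awk -F: 'NR == FNR { if ($2 ~ /^[!*]/) locked[$1] = 1; next }
             ($1 in locked) && ($7 !~ /(nologin|false)$/) { print "locked-with-shell " $1 }' \
        "$shadow" "$passwd"
}

# Constructed sample data (not from any real host).
PASSWD_SAMPLE='root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
backdoor:x:0:0::/home/backdoor:/bin/bash
alice:x:1000:1000::/home/alice:/bin/bash
svc:x:1001:1001::/var/lib/svc:/usr/sbin/nologin
bob:x:1002:1002::/home/bob:/bin/sh'
SHADOW_SAMPLE='root:!:19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
backdoor:$6$saltsalt$notarealhash:19000:0:99999:7:::
alice::19000:0:99999:7:::
svc:*:19000:0:99999:7:::
bob:$6$salt$notarealhash:19000:0:99999:7:::'

# audit_sample: runs the audit against the constructed data.
# Expected findings: uid0 backdoor, empty-password alice, locked-with-shell root
audit_sample() {
    local dir
    dir=$(mktemp -d)
    printf '%s\n' "$PASSWD_SAMPLE" > "$dir/passwd"
    printf '%s\n' "$SHADOW_SAMPLE" > "$dir/shadow"
    audit_accounts "$dir/passwd" "$dir/shadow"
    rm -rf "$dir"
}

audit_sample
```

On a real host, source the file in a root shell and run audit_accounts /etc/passwd /etc/shadow (reading /etc/shadow needs root). The locked-with-shell finding for root is deliberate: a stock Ubuntu root account has "!" in shadow and /bin/bash as shell, so a stray key in /root/.ssh/authorized_keys is all it takes.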

🔹 SSH Hardening

Edit /etc/ssh/sshd_config (or a drop-in under /etc/ssh/sshd_config.d/ on distributions whose sshd_config has an Include for that directory). Keep your current session open and confirm a new login works before closing it; a typo here locks you out.

  • Disable root login (prohibit-password keeps key-based root access if you need it):

    PermitRootLogin no

  • Disable password authentication (only after your public key is in ~/.ssh/authorized_keys):

    PasswordAuthentication no

  • Limit allowed users (space-separated; everyone not listed, root included, is refused):

    AllowUsers adminuser

  • Change default SSH port (optional; this only cuts scanner noise in the logs, it is not a security control):

    Port 2222

  • Validate and restart SSH (sshd -t exits non-zero on a syntax error; the unit is sshd on RHEL/Fedora and ssh on Debian/Ubuntu):

    sudo sshd -t && sudo systemctl restart sshd

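The steps above are edits to one file, and the detail that bites people is that sshd uses the first occurrence of each keyword, not the last: a hardening line appended at the bottom of sshd_config does nothing if the same keyword already appears above it, which is exactly why distributions put the Include for sshd_config.d at the top. The script below, an added example that is not the page's or OpenSSH's own code, reviews an sshd_config copy with that rule, writes the hardening drop-in, and shows the order effect by concatenating the drop-in before and after a constructed weak config. The sample config and the user name adminuser are assumptions; the thresholds (MaxAuthTries 3) are my choice.

```bash
#!/usr/bin/env bash
# sshd_config review plus a hardening drop-in. Added example, not part of the
# original cheat sheet; the sample config and the user name "adminuser" are
# assumptions. sshd applies the FIRST occurrence of each keyword, which is why
# distributions Include /etc/ssh/sshd_config.d/*.conf at the top of the file.

# sshd_effective FILE KEYWORD -> prints the value sshd would use (first
# non-comment occurrence). Stops at the first Match block, which this
# review deliberately ignores.
sshd_effective() {
    awk -v key="$2" '
        tolower($1) == "match"       { exit }
        NF == 0 || $1 ~ /^#/         { next }
        tolower($1) == tolower(key)  { print $2; exit }
    ' "$1"
}

# sshd_review FILE -> prints "Keyword=value" for each weak setting and
# returns 1 if anything was found. The defaults are OpenSSH's own.
sshd_review() {
    local file="$1" rc=0
    _weak() {   # _weak KEYWORD DEFAULT ACCEPTABLE_REGEX
        local v
        v=$(sshd_effective "$file" "$1")
        v=${v:-$2}
        if ! printf '%s\n' "$v" | grep -Eqi "$3"; then
            printf '%s=%s\n' "$1" "$v"
            rc=1
        fi
    }
    _weak PermitRootLogin              prohibit-password '^(no|prohibit-password)$'
    _weak PasswordAuthentication       yes               '^no$'
    _weak KbdInteractiveAuthentication yes               '^no$'
    _weak PubkeyAuthentication         yes               '^yes$'
    _weak X11Forwarding                no                '^no$'
    _weak MaxAuthTries                 6                 '^[1-4]$'
    return "$rc"
}

# write_sshd_dropin FILE USERS -> the hardening fragment, normally written to
# /etc/ssh/sshd_config.d/99-hardening.conf.
write_sshd_dropin() {
    cat > "$1" <<EOF
PermitRootLogin no
PasswordAuthentication no
KbdInteractiveAuthentication no
PubkeyAuthentication yes
MaxAuthTries 3
X11Forwarding no
AllowUsers $2
EOF
}

# Constructed weak configuration (stock-looking, not from a real host).
WEAK_SSHD_CONFIG='# sample sshd_config
Port 22
PermitRootLogin yes
PasswordAuthentication yes
#MaxAuthTries 6
X11Forwarding yes'

# sshd_demo -> 0 when the weak file is flagged, the drop-in placed FIRST
# passes, and the same drop-in appended LAST is still flagged.
sshd_demo() {
    local dir
    dir=$(mktemp -d)
    printf '%s\n' "$WEAK_SSHD_CONFIG" > "$dir/sshd_config"
    write_sshd_dropin "$dir/99-hardening.conf" adminuser
    cat "$dir/99-hardening.conf" "$dir/sshd_config" > "$dir/included-first"
    cat "$dir/sshd_config" "$dir/99-hardening.conf" > "$dir/appended-last"
    echo "== weak ==";          sshd_review "$dir/sshd_config"    && return 1
    echo "== drop-in first =="; sshd_review "$dir/included-first" || return 1
    echo "== drop-in last ==";  sshd_review "$dir/appended-last"  && return 1
    rm -rf "$dir"
}

sshd_demo
```

The offline review is for auditing config copies; on the host itself the authoritative check is sudo sshd -T, which prints the effective value of every keyword after all Includes and Match blocks are resolved.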

🔹 Firewall Management

UFW (Ubuntu/Debian)

  • Allow SSH first (ufw defaults to deny incoming, so enabling it before this rule blocks new SSH sessions; use your custom port if you changed it):

    sudo ufw allow 22/tcp

  • Enable firewall:

    sudo ufw enable

  • Check status (shows the default policies and every rule):

    sudo ufw status verbose


Firewalld (RHEL/CentOS/Fedora)

  • Add a port (--permanent writes the saved configuration but does not apply it until --reload; without --permanent the rule is live immediately but lost at the next reload):

    sudo firewall-cmd --add-port=443/tcp --permanent
    sudo firewall-cmd --reload

  • List the active zone's services, ports and rich rules:

    sudo firewall-cmd --list-all


🔹 SELinux & AppArmor

  • Check SELinux status (mode, loaded policy, and whether it is enabled at all):

    getenforce
    sestatus

  • Set SELinux mode temporarily (needs root and resets at reboot; the persistent setting is SELINUX= in /etc/selinux/config; permissive logs denials without blocking, so use it only to troubleshoot, never as a fix):

    sudo setenforce 1   # Enforcing
    sudo setenforce 0   # Permissive

  • View SELinux denials (AVC records in the audit log; needs auditd running):

    sudo ausearch -m avc

  • AppArmor status (loaded profiles and which are in enforce or complain mode; needs root):

    sudo aa-status

  • Enable/Disable AppArmor profile (aa-disable unloads the profile entirely; aa-complain keeps it loaded in log-only mode for troubleshooting):

    sudo aa-enforce /etc/apparmor.d/profile
    sudo aa-disable /etc/apparmor.d/profile


🔹 System Auditing

  • Check Audit Logs (SELinux denials, then everything since midnight):

    sudo ausearch -m avc
    sudo ausearch -ts today

  • List Active Audit Rules:

    sudo auditctl -l

  • Add a Rule to Monitor File Access (-p wa = write and attribute changes; -k tags the events so ausearch -k passwd_changes finds them; rules added with auditctl are lost at reboot, so also put them in /etc/audit/rules.d/*.rules and load with augenrules --load; watch /etc/shadow, /etc/group and /etc/sudoers the same way):

    sudo auditctl -w /etc/passwd -p wa -k passwd_changes

  • Generate Report (file access summary; aureport -au summarises authentication events):

    sudo aureport -f


🔹 Log Monitoring & Analysis

  • System Logs (these file names are Debian/Ubuntu; RHEL-family systems use /var/log/messages and /var/log/secure, and hosts without rsyslog only have the journal, e.g. journalctl -u sshd):

    journalctl -xe
    tail -f /var/log/syslog
    tail -f /var/log/auth.log

  • Failed Login Attempts (password failures only; also look for "Invalid user" lines, which show the usernames being guessed):

    grep "Failed password" /var/log/auth.log

  • Last Login Per User (from /var/log/lastlog; an attacker with root can edit wtmp and lastlog, so ship logs to a remote collector as well):

    lastlog

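Grepping for "Failed password" gives raw lines; what you actually want to know is which sources are hammering the host and, above all, whether any of them eventually got in. The script below, an added example that is not part of the original cheat sheet, answers both questions over sshd log lines in the syslog/journal format shown above. The log lines are constructed (host name, PIDs and addresses are placeholders; 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges), and the threshold of three failures is my own choice.

```bash
#!/usr/bin/env bash
# Brute-force triage over sshd log lines. Added example, not part of the
# original cheat sheet. The log lines below are constructed; the host name,
# PIDs and addresses are placeholders (203.0.113.0/24 and 198.51.100.0/24
# are documentation ranges).

AUTH_SAMPLE='Jan 10 03:14:01 host sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Jan 10 03:14:03 host sshd[1203]: Failed password for root from 203.0.113.7 port 51024 ssh2
Jan 10 03:14:05 host sshd[1205]: Failed password for root from 203.0.113.7 port 51030 ssh2
Jan 10 03:14:06 host sshd[1207]: Failed password for invalid user oracle from 203.0.113.7 port 51031 ssh2
Jan 10 03:15:00 host sshd[1210]: Failed password for alice from 198.51.100.5 port 40012 ssh2
Jan 10 03:15:30 host sshd[1212]: Accepted publickey for alice from 198.51.100.5 port 40013 ssh2: ED25519 SHA256:notarealfingerprint
Jan 10 03:16:00 host sshd[1214]: Accepted password for root from 203.0.113.7 port 51040 ssh2
Jan 10 03:17:00 host CRON[1300]: pam_unix(cron:session): session opened for user root by (uid=0)'

# Shared awk helpers: locate fields by the "from"/"for" markers instead of
# fixed positions, because the tail of the line differs between auth methods.
AWK_HELPERS='
function src_ip(i) { for (i = 1; i <= NF; i++) if ($i == "from") return $(i + 1); return "" }
function user(i)   { for (i = 1; i <= NF; i++) if ($i == "for") return ($(i + 1) == "invalid") ? $(i + 3) : $(i + 1); return "" }
function method(i) { for (i = 1; i <= NF; i++) if ($i == "Accepted") return $(i + 1); return "" }
'

# failed_logins_by_ip < log -> "count ip" lines, busiest source first.
failed_logins_by_ip() {
    awk "$AWK_HELPERS"'
        /sshd\[[0-9]+\]: Failed password for / { n[src_ip()]++ }
        END { for (ip in n) print n[ip], ip }
    ' | sort -k1,1nr -k2,2
}

# success_after_failures [THRESHOLD] < log -> "ip user method failures" for
# every successful login from a source that had already failed THRESHOLD
# (default 3) or more times: a brute force that got in, or a legitimate
# user who mistyped repeatedly. Reads the log in order, so only failures
# BEFORE the success are counted.
success_after_failures() {
    awk -v thr="${1:-3}" "$AWK_HELPERS"'
        /sshd\[[0-9]+\]: Failed password for / { fails[src_ip()]++ }
        /sshd\[[0-9]+\]: Accepted /            { ip = src_ip(); if (fails[ip] >= thr) print ip, user(), method(), fails[ip] }
    '
}

echo "== failures per source =="
printf '%s\n' "$AUTH_SAMPLE" | failed_logins_by_ip
echo "== logins from sources that had already failed 3+ times =="
printf '%s\n' "$AUTH_SAMPLE" | success_after_failures 3
```

On a live host feed it the real log, e.g. journalctl -u sshd --since today | success_after_failures 3 (unit ssh on Debian/Ubuntu), or the auth.log file directly. The second function is the one worth alerting on: a source that fails four times and then gets "Accepted password for root" is either a successful guess or a very careless admin, and both deserve a look.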

🔹 Malware & Integrity Checks

  • Scan for Rootkits (run rkhunter --propupd after legitimate package updates, otherwise the changed binaries show up as warnings):

    sudo rkhunter --check
    sudo chkrootkit

  • File Integrity Check (reports files changed since the database was built):

    sudo aide --check

  • Initialise the AIDE Database (aideinit is the Debian/Ubuntu wrapper; on RHEL-family systems run aide --init and the files are aide.db.new.gz / aide.db.gz; keep a copy of the database off-host or on read-only media, since an attacker with root can simply rebuild it):

    sudo aideinit
    sudo mv /var/lib/aide/aide.db.new /var/lib/aide/aide.db


🔹 Kernel & Network Hardening

All of these take effect immediately with sysctl -w but are lost at reboot. Put the same key=value lines in /etc/sysctl.d/99-hardening.conf and apply them with sudo sysctl --system.

  • Disable IP Forwarding (only on hosts that are not routers; Docker and Kubernetes nodes and VPN gateways need it on):

    sudo sysctl -w net.ipv4.ip_forward=0

  • Enable TCP SYN Cookies:

    sudo sysctl -w net.ipv4.tcp_syncookies=1

  • Ignore ICMP Broadcast Requests (stops the host amplifying Smurf-style floods):

    sudo sysctl -w net.ipv4.icmp_echo_ignore_broadcasts=1

  • Disable Source Routed Packets (all = existing interfaces, default = interfaces created later):

    sudo sysctl -w net.ipv4.conf.all.accept_source_route=0
    sudo sysctl -w net.ipv4.conf.default.accept_source_route=0

  • Enable Reverse Path Filtering (1 = strict, drops packets whose reply would leave through another interface; use 2 = loose on multi-homed hosts with asymmetric routing):

    sudo sysctl -w net.ipv4.conf.all.rp_filter=1

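Because sysctl -w is volatile, a hardened host needs two things: the persistent fragment, and a way to notice when a live value has drifted from it (someone ran sysctl -w net.ipv4.ip_forward=1 to debug a container and never undid it). The script below, an added example that is not part of the original cheat sheet, does both and goes slightly beyond the page by extending the baseline with a few more common hardening keys (redirects, martian logging, kptr_restrict, dmesg_restrict, protected links). The desired values are my choices; the /proc/sys lookalike used in the demo is constructed so the checker can be exercised without root or a kernel.

```bash
#!/usr/bin/env bash
# Kernel parameter baseline: persist it and check for drift. Added example,
# not part of the original cheat sheet. The key list extends the page's five
# settings with a few common extras; the fake /proc/sys tree is constructed.

# Desired values, one key=value per line. rp_filter=1 is strict mode; use 2
# on multi-homed hosts with asymmetric routing. ip_forward=0 is wrong for
# routers, VPN gateways and container hosts.
SYSCTL_BASELINE='net.ipv4.ip_forward=0
net.ipv4.tcp_syncookies=1
net.ipv4.icmp_echo_ignore_broadcasts=1
net.ipv4.conf.all.accept_source_route=0
net.ipv4.conf.default.accept_source_route=0
net.ipv4.conf.all.rp_filter=1
net.ipv4.conf.all.accept_redirects=0
net.ipv4.conf.all.send_redirects=0
net.ipv4.conf.all.log_martians=1
kernel.kptr_restrict=2
kernel.dmesg_restrict=1
fs.protected_symlinks=1
fs.protected_hardlinks=1'

# write_sysctl_fragment FILE -> the persistent form (normally
# /etc/sysctl.d/99-hardening.conf, applied with: sysctl --system).
write_sysctl_fragment() {
    printf '# hardening baseline, apply with: sysctl --system\n%s\n' "$SYSCTL_BASELINE" > "$1"
}

# check_sysctl ROOT -> compares the baseline with the live values under ROOT
# (normally /proc/sys, readable without root). Prints "key current!=wanted"
# or "key missing" per drift and returns 1 if there was any.
check_sysctl() {
    local root="$1" rc=0 key want path cur
    while IFS='=' read -r key want; do
        [ -n "$key" ] || continue
        path="$root/$(printf '%s' "$key" | tr . /)"
        if [ ! -r "$path" ]; then
            printf '%s missing\n' "$key"; rc=1; continue
        fi
        read -r cur < "$path"
        if [ "$cur" != "$want" ]; then
            printf '%s %s!=%s\n' "$key" "$cur" "$want"; rc=1
        fi
    done <<< "$SYSCTL_BASELINE"
    return "$rc"
}

# make_fake_proc_sys DIR -> a /proc/sys lookalike holding the baseline values,
# so the checker can be exercised without touching the kernel.
make_fake_proc_sys() {
    local key val path
    while IFS='=' read -r key val; do
        [ -n "$key" ] || continue
        path="$1/$(printf '%s' "$key" | tr . /)"
        mkdir -p "$(dirname "$path")"
        printf '%s\n' "$val" > "$path"
    done <<< "$SYSCTL_BASELINE"
}

# Demo: a compliant tree passes silently, then two changes are reported.
sysctl_demo() {
    local dir
    dir=$(mktemp -d)
    make_fake_proc_sys "$dir"
    check_sysctl "$dir" || return 1
    printf '1\n' > "$dir/net/ipv4/ip_forward"   # someone ran sysctl -w ...=1
    rm "$dir/kernel/kptr_restrict"              # key absent on this "kernel"
    check_sysctl "$dir"                         # prints the two drifts, returns 1
    rm -rf "$dir"
}

sysctl_demo
```

On a real host: write_sysctl_fragment /etc/sysctl.d/99-hardening.conf as root, sudo sysctl --system, then check_sysctl /proc/sys from cron or your monitoring agent; a non-zero exit means something changed the kernel out from under you.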

🔹 Fail2Ban & Brute Force Protection

  • Check Status (lists the enabled jails):

    sudo fail2ban-client status

  • Check Jail Status (failure counters and the currently banned IPs; the jail name comes from jail.local, sshd is the usual one for OpenSSH):

    sudo fail2ban-client status sshd

  • Restart Fail2Ban (after editing jail.local; fail2ban-client reload applies changes without a full restart):

    sudo systemctl restart fail2ban


🔹 Package & Updates Security

  • Update System Packages:

    sudo apt update && sudo apt upgrade
    sudo yum update
    sudo dnf upgrade

  • Check for Pending Security Updates (debsecan matches installed packages against the Debian security tracker, so its data is poor on Ubuntu; on yum-based releases use yum updateinfo list security):

    debsecan                              # Debian
    sudo dnf updateinfo list --security   # RHEL/CentOS/Fedora

  • Verify Installed Package Files (rpm -Va compares every file against the RPM database; this is an integrity check for tampered binaries, not a vulnerability scan):

    rpm -Va             # RHEL/CentOS

  • Remove Unused Services & Packages (--now stops the unit as well as disabling it at boot):

    sudo systemctl disable --now service
    sudo apt purge package


🔹 Backup & Recovery

  • Backup Important Configs (/etc contains /etc/shadow and private keys, so run as root, preserve ownership and modes with -p, and keep the archive root-only):

    sudo tar -czpvf /backup/etc-backup.tar.gz /etc
    sudo chmod 600 /backup/etc-backup.tar.gz

  • Test Backup Restore (extract as root with -p into a directory only root can read, not a world-readable /tmp, then compare a few files against the live ones):

    sudo mkdir -m 700 /root/restore-test
    sudo tar -xzpvf /backup/etc-backup.tar.gz -C /root/restore-test

  • Use rsync for Remote Backup (the trailing slash matters: /etc copies the directory itself into /backup/etc/etc, /etc/ copies its contents into /backup/etc; rsync runs over SSH, so use a dedicated key and a non-root account on the backup server where possible):

    sudo rsync -avz /etc/ backupserver:/backup/etc/


🔹 Legend (Linux Security Terms)

  • SELinux/AppArmor – Mandatory access control frameworks.
  • Auditd – Linux auditing daemon for logging security events.
  • Rootkit – Malware that hides its own files, processes and connections to keep privileged access on a compromised host.
  • Fail2Ban – Protects services from brute-force attacks.
  • TCP SYN Cookie – Defense against SYN flood attacks.
  • AIDE – Advanced Intrusion Detection Environment.
  • Jail – Fail2Ban configuration protecting a service.
  • Sysctl – Interface to kernel parameters.
  • Immutable File – File cannot be modified or deleted (chattr +i).

🔹 Best Practices

  • Always use least privilege and avoid logging in as root.
  • Use SSH key authentication and disable passwords.
  • Keep firewalls enabled and only allow necessary ports.
  • Regularly review audit logs and failed login attempts.
  • Scan for malware/rootkits periodically.
  • Harden kernel parameters with sysctl.
  • Backup /etc, /home, and critical configs frequently.
  • Remove unnecessary packages and services.
  • Enable automatic security updates where possible.

This post is licensed under CC BY 4.0 by the author.