This document provides a complete overview of basic security mechanisms in Linux systems:
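
```bash
sudo apt install ufw
# On a remote SSH session, run "sudo ufw allow ssh" before enabling:
# the default incoming policy is deny and can cut the session off.
sudo ufw enable
sudo ufw allow ssh
sudo ufw allow 80/tcp
sudo ufw deny 23
sudo ufw status numbered
sudo ufw delete 2 # Rule number
sudo ufw default deny incoming
sudo ufw default allow outgoing
sudo ufw reload
```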
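
```bash
sudo iptables -L -v -n
sudo iptables -A INPUT -p tcp --dport 22 -j ACCEPT
sudo iptables -A INPUT -s 192.168.1.10 -j DROP
sudo iptables -P INPUT DROP
sudo iptables -P FORWARD DROP
sudo iptables -P OUTPUT ACCEPT
# -F flushes the rules but keeps the chain policies: with INPUT set to DROP,
# flushing removes the port 22 ACCEPT rule and blocks new SSH connections.
sudo iptables -F
```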

On Debian-based:

```bash
sudo apt install iptables-persistent
sudo netfilter-persistent save
```

On RHEL-based:

```bash
sudo service iptables save
```

⚠️ `iptables` is being replaced by `nftables` on newer distros.

```bash
sudo apt install fail2ban # Debian/Ubuntu
sudo dnf install fail2ban # RHEL/Fedora
sudo systemctl enable fail2ban
sudo systemctl start fail2ban
```

- `/etc/fail2ban/jail.conf`
- `/etc/fail2ban/jail.local` (recommended)

```ini
[sshd]
enabled = true
port = ssh
filter = sshd
logpath = /var/log/auth.log
maxretry = 5
bantime = 600
```

```bash
sudo fail2ban-client status
sudo fail2ban-client status sshd
sudo fail2ban-client set sshd unbanip 192.168.1.5
```
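
The `[sshd]` jail above bans an address once it reaches `maxretry` failures. As an added example (not from the original page), this script approximates that count over constructed `auth.log` lines; it ignores fail2ban's `findtime` window and its real filter patterns, and `would_ban` and `sample_log` are hypothetical names.

```bash
#!/bin/sh
# Added example, not from the original page. would_ban and sample_log are
# hypothetical helper names; the log lines are constructed.
# Assumption: every failure in the input counts; fail2ban itself only counts
# failures inside its findtime window and uses its own sshd filter patterns.

MAXRETRY=5   # same value as maxretry in the [sshd] jail

# would_ban MAXRETRY < auth.log
# Prints "address count" for each source with at least MAXRETRY failures.
would_ban() {
    awk -v max="$1" '
        /sshd\[[0-9]+\]: Failed password for / {
            ip = ""
            # Use the field after the last "from", so a user name that is
            # literally "from" cannot shift the address.
            for (i = 1; i < NF; i++) if ($i == "from") ip = $(i + 1)
            if (ip != "") fails[ip]++
        }
        END { for (ip in fails) if (fails[ip] >= max) print ip, fails[ip] }
    ' | sort
}

# Constructed sample in /var/log/auth.log format (documentation addresses).
sample_log() {
    cat <<'EOF'
Mar  3 10:00:01 host sshd[1201]: Failed password for root from 203.0.113.7 port 40122 ssh2
Mar  3 10:00:03 host sshd[1201]: Failed password for root from 203.0.113.7 port 40122 ssh2
Mar  3 10:00:05 host sshd[1203]: Failed password for invalid user admin from 203.0.113.7 port 40130 ssh2
Mar  3 10:00:09 host sshd[1204]: Failed password for invalid user from from 203.0.113.7 port 40131 ssh2
Mar  3 10:00:12 host sshd[1205]: Failed password for root from 203.0.113.7 port 40140 ssh2
Mar  3 10:01:00 host sshd[1210]: Failed password for deploy from 198.51.100.9 port 51000 ssh2
Mar  3 10:01:02 host sshd[1210]: Failed password for deploy from 198.51.100.9 port 51000 ssh2
Mar  3 10:01:04 host sshd[1211]: Failed password for deploy from 198.51.100.9 port 51004 ssh2
Mar  3 10:01:06 host sshd[1212]: Failed password for deploy from 198.51.100.9 port 51006 ssh2
Mar  3 10:02:00 host sshd[1220]: Accepted password for alice from 192.0.2.10 port 52000 ssh2
EOF
}

sample_log | would_ban "$MAXRETRY"   # prints: 203.0.113.7 5
```

On a real host, feed the function the file named in `logpath` and compare the result with `sudo fail2ban-client status sshd`.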

```bash
sestatus
getenforce
```

| Mode | Description |
|---|---|
| Enforcing | SELinux policies are enforced |
| Permissive | Logs policy violations, doesn’t block |
| Disabled | SELinux is turned off |

```bash
sudo setenforce 0 # Permissive
sudo setenforce 1 # Enforcing
```

Edit `/etc/selinux/config`:

```ini
SELINUX=permissive
```

```bash
sudo restorecon -Rv /var/www/html
ls -Z
ps -eZ
```

```bash
sudo aa-status
sudo systemctl enable apparmor
sudo systemctl start apparmor
```

`/etc/apparmor.d/`

```bash
sudo aa-enforce /etc/apparmor.d/usr.sbin.sshd
sudo aa-complain /etc/apparmor.d/usr.sbin.sshd
sudo apparmor_status
```

fail2ban, logwatch, or journalctl.

| Task | Command Example |
|---|---|
| Enable UFW | sudo ufw enable |
| Allow SSH via UFW | sudo ufw allow ssh |
| View iptables rules | sudo iptables -L -v -n |
| Allow SSH via iptables | sudo iptables -A INPUT -p tcp --dport 22 -j ACCEPT |
| Install Fail2Ban | sudo apt install fail2ban |
| Start Fail2Ban | sudo systemctl start fail2ban |
| Check SELinux status | sestatus or getenforce |
| Change SELinux to permissive | sudo setenforce 0 |
| View AppArmor profiles | sudo aa-status |
| Enforce AppArmor profile | sudo aa-enforce /etc/apparmor.d/usr.sbin.sshd |
✅ These tools work best together to secure your Linux system: