Linux has a well-deserved reputation for security, but “more secure than Windows” does not mean “secure by default without any effort.” A few essential steps — keeping software updated, enabling a firewall, and using strong authentication — dramatically reduce your attack surface.
This guide covers the fundamental security practices that every Linux user should implement, whether on a desktop or a home server.
Why Linux security matters
The Linux security model starts with a strong foundation. The permission system (covered in our file permissions guide) means that even if malware runs under your user account, it cannot directly modify system files or other users’ files. Most Linux software is open source, meaning security vulnerabilities are found and patched quickly. And unlike Windows, Linux does not auto-execute programs from email attachments or USB drives by default.
However, these advantages are not unlimited. Unpatched software has known vulnerabilities that attackers exploit. A misconfigured firewall exposes services to the internet. Weak passwords invite brute-force attacks. Security is an ongoing practice, not a one-time setup.
The threat model matters. A personal desktop computer behind a home router needs less hardening than a public-facing server. This guide covers both scenarios, noting which steps are critical for servers.
Keeping your system updated
The most important security measure is keeping your system up to date. Software vulnerabilities are discovered continuously, and distributions release security patches quickly. Running outdated software means running with known vulnerabilities.
Manual updates:
sudo apt update && sudo apt upgrade # Ubuntu/Debian
sudo dnf upgrade # Fedora
sudo pacman -Syu # Arch/ManjaroRun this at least weekly. The apt update step refreshes the list of available packages; apt upgrade installs the updates.
What to do with kernel updates: Kernel updates require a reboot to take effect. Check if a reboot is pending:
[ -f /var/run/reboot-required ] && echo "Reboot required" || echo "No reboot needed"Enabling and configuring UFW firewall
UFW (Uncomplicated Firewall) provides a simple interface for managing Linux’s built-in netfilter/iptables firewall. On Ubuntu, UFW is installed by default but must be explicitly enabled.
Check UFW status:
sudo ufw statusEnable UFW (do this before enabling SSH if you are connected remotely):
sudo ufw enableAllow specific services:
sudo ufw allow ssh # allow SSH (port 22)
sudo ufw allow 80/tcp # allow HTTP
sudo ufw allow 443/tcp # allow HTTPS
sudo ufw allow samba # allow Samba file sharing
sudo ufw allow 8096/tcp # allow JellyfinAllow from a specific IP address only:
sudo ufw allow from 192.168.1.0/24 to any port 22 # allow SSH from local network onlyDeny a specific port:
sudo ufw deny 23 # deny telnet (old, insecure protocol)Remove a rule:
sudo ufw delete allow 8096/tcpView the firewall rules:
sudo ufw status verboseFor servers: The principle of least privilege applies to firewalls. Deny everything by default and only allow the specific services you actually run. UFW’s default policy is already deny-incoming, allow-outgoing — good starting defaults.
sudo ufw default deny incoming
sudo ufw default allow outgoing
sudo ufw allow ssh
# Add any services you run:
sudo ufw allow 80/tcp
sudo ufw allow 443/tcp
sudo ufw enableSetting up SSH key authentication
Connecting to servers with a password has a critical weakness: passwords can be guessed, intercepted, or stolen. SSH key authentication replaces passwords with a cryptographic key pair, eliminating these risks entirely.
SSH keys come in two parts:
- A private key stored on your computer — this is a secret you never share
- A public key placed on the server — this is safe to share
Authentication works like a lock and key: only someone holding the private key can use the corresponding public key to connect.
Step 1: Generate a key pair on your local machine:
ssh-keygen -t ed25519 -C "your-email@example.com"Accept the default file location (~/.ssh/id_ed25519). You can optionally add a passphrase to protect the private key — this adds a layer of security if someone gains access to your computer.
Step 2: Copy the public key to your server:
ssh-copy-id username@server-ipThis command adds your public key to ~/.ssh/authorized_keys on the server. Enter your SSH password once when prompted — this is the last time you will need it.
Step 3: Test the connection:
ssh username@server-ipIf setup is correct, you connect without entering a password.
Step 4: Verify your private key is protected:
ls -la ~/.ssh/id_ed25519
# Should show: -rw------- (permissions 600, readable only by you)If the permissions are wrong, fix them:
chmod 600 ~/.ssh/id_ed25519Disabling password authentication for SSH
Once SSH key authentication is working, disable password authentication entirely. This means even if an attacker knows your username and password, they cannot log in via SSH without your private key.
Edit the SSH server configuration:
sudo nano /etc/ssh/sshd_configFind and change (or add) these lines:
PasswordAuthentication no
PubkeyAuthentication yes
PermitRootLogin noRestart the SSH service:
sudo systemctl restart sshdBefore closing your current SSH session, open a new terminal window and verify you can still connect with your key:
ssh username@server-ipIf it works, the configuration is correct. Only close your current session after confirming access.
Setting PermitRootLogin no prevents anyone from logging in directly as root — a common attack target. If you need root access, log in as a regular user and use sudo.
Automatic security updates
For servers that run continuously, automatic security updates ensure patches are applied even if you do not log in regularly.
Install and configure unattended-upgrades on Ubuntu:
sudo apt install unattended-upgrades
sudo dpkg-reconfigure --priority=low unattended-upgradesSelect “Yes” when asked if you want to automatically download and install stable updates.
The configuration file is at /etc/apt/apt.conf.d/50unattended-upgrades. By default, it only installs security updates, not all updates. This is the conservative setting — system stability updates require a manual decision.
Verify the service is running:
sudo systemctl status unattended-upgradesFor Fedora, enable automatic security updates:
sudo dnf install dnf-automatic
sudo systemctl enable --now dnf-automatic.timerUser accounts and sudo
Managing user accounts and sudo access properly limits the damage any compromised account can cause.
Principle of least privilege: Each user should have only the access they need. Avoid adding users to the sudo group unless they actually need administrator access.
View users with sudo access:
grep -E '^sudo:.*:' /etc/group
getent group sudoAdd a user to sudo (grant administrator access):
sudo usermod -aG sudo usernameRemove a user from sudo:
sudo gpasswd -d username sudoCheck sudo activity (who ran what with sudo):
sudo grep COMMAND /var/log/auth.log | tail -20Lock an account (when a user leaves or an account is no longer needed):
sudo usermod -L usernameMonitoring your system
Watching for unusual activity helps detect problems early.
Check for failed login attempts:
sudo grep "Failed password" /var/log/auth.log | tail -20
sudo grep "Invalid user" /var/log/auth.log | tail -20If you see thousands of failed login attempts from different IP addresses, your SSH port is being targeted by automated bots. Options include: moving SSH to a non-standard port, using fail2ban to automatically ban IPs with too many failed attempts, or using SSH keys with password authentication disabled (the most effective solution).
Install and configure fail2ban (optional but recommended for servers):
sudo apt install fail2ban
sudo systemctl enable --now fail2banFail2ban monitors log files for repeated failed authentication attempts and automatically blocks the offending IP addresses using the firewall.
Check listening services (what is exposed to the network):
sudo ss -tlnpThe output shows all services listening for incoming connections. Verify you recognize everything listed — unknown services warrant investigation.
Check for recently modified system files:
find /etc -mtime -7 -type f 2>/dev/nullThis shows files in /etc modified in the last 7 days. Unexpected changes to system configuration files can indicate a compromise.
Useful security tools
Lynis — a security auditing tool that scans your system and gives recommendations:
sudo apt install lynis
sudo lynis audit systemLynis generates a report with a “hardening index” score and a prioritized list of suggestions. An excellent tool for learning what else you can harden.
ClamAV — an open-source antivirus scanner:
sudo apt install clamav
sudo freshclam # update virus definitions
clamscan -r ~/Downloads/ # scan a directoryPrimarily useful if you share files with Windows users.
Rkhunter — checks for rootkits (malware that hides itself at the kernel level):
sudo apt install rkhunter
sudo rkhunter --checkGoing further
The steps in this guide cover the fundamentals. Once you are comfortable with these, the next areas to explore are:
AppArmor or SELinux — mandatory access control systems that restrict what individual programs can do, even if they run as root. Ubuntu uses AppArmor by default.
Two-factor authentication (2FA) for SSH — adds a time-based one-time password (TOTP) requirement on top of SSH key authentication. Useful for highly sensitive servers.
Log monitoring — tools like Logwatch, Graylog, or the ELK stack aggregate and analyze logs from multiple services, helping spot patterns that indicate attacks.
Network monitoring — Wireshark and tcpdump let you inspect network traffic to verify what your system is actually sending and receiving.
For professional IT support and cybersecurity advice for businesses, particularly in western France, the team at jthinformatique.com provides reliable expertise for SMBs that need hands-on Linux and security assistance.
Security is not a destination but a continuous process. Stay informed about vulnerabilities affecting software you use, review your setup periodically, and update your practices as the threat landscape evolves.