Copyright © 2026 LinuxLab. All rights reserved.

Linux security: SSH, SELinux, audit, firewall

Linux security and server hardening: SSH access by keys only, SELinux and AppArmor MAC policies, auditd for compliance, firewalld vs nftables for packet filtering, the PAM stack, and fail2ban against brute-force logins. These are real configs you can run, not theory.

8 articles in this category

§ Articles

  • auditd: syscall and file audit
    auditd writes kernel events to /var/log/audit/audit.log: file watches (-w), syscall rules (-a), exec tracking. Use ausearch to query the log and aureport to summarise it. This is the basis of compliance evidence for PCI-DSS, HIPAA and FZ-152.
    → auditd
  • CIS Benchmark and system hardening (lynis, OpenSCAP)
    The CIS Benchmark is the de-facto Linux hardening standard. Lynis is a fast local audit that produces a score; OpenSCAP is the formal one, with XCCDF profiles and a SCAP report. ansible-lockdown remediates. Keep auditing and remediation as separate steps.
    → cis-benchmark-hardening
  • fail2ban: automatic bans from logs
    fail2ban reads logs (sshd, nginx, postfix), matches a regex to catch N failed attempts from one IP within a time window (maxretry within findtime), and adds the IP to firewall rules for bantime. It is the main tool against SSH brute-force.
    → fail2ban
  • firewalld vs nftables: what to choose
    firewalld is a daemon wrapper with zones, services and rich rules; since RHEL 8 its backend is nftables. Plain nft gives finer control, named sets, and atomic ruleset replacement (nft -f). firewalld fits desktops and multi-zone hosts, nft fits a server fleet.
    → firewalld-vs-nftables
  • PAM: Pluggable Authentication Modules
    PAM is the authentication framework on Linux. Programs (sudo, login, sshd) do not check passwords themselves: they call PAM, which decides whether to let you in by running the module stack in `/etc/pam.d/<service>`.
    → pam
  • Secrets management: Vault, k8s Secrets, sealed-secrets
    Keep secrets out of git and out of environment variables in code. Options: HashiCorp Vault (general purpose, dynamic credentials), Kubernetes Secrets (only base64-encoded in etcd, so encryption at rest must be enabled), sealed-secrets (safe to commit), external-secrets (sync from a cloud vault).
    → secrets-management
  • SELinux policy: types, domains, audit2allow
    SELinux: every process runs in a domain, every object has a type, and the policy defines which domains may do what to which types. audit2allow generates rules from AVC denials (review what it produces before loading it, or you allow the very access that was denied), semanage manages file contexts, ports and booleans, and .pp files are loadable policy modules.
    → selinux-policy
  • SSH hardening: locking down the server
    SSH hardening: keys only (PasswordAuthentication no, plus KbdInteractiveAuthentication no so that PAM cannot prompt for a password anyway), PermitRootLogin no, AllowUsers/AllowGroups, a low MaxAuthTries, and a fail2ban jail on sshd. Optionally a custom port plus Match blocks for guests.
    → ssh-hardening
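The fail2ban entry above describes the mechanism (a regex over log lines, N failures from one IP inside a window). The script below is an added example, not LinuxLab's code and not fail2ban's own filter: it reduces that mechanism to one awk pass so you can see what a jail counts and when the threshold trips. The log lines are constructed for the example (not captured from a real host); the script assumes syslog-style "Mon DD HH:MM:SS" timestamps from a single day and IPv4 sources.

```shell
#!/bin/sh
# Added example, not LinuxLab's code: the core of a fail2ban jail reduced to
# one awk pass over sshd log lines. A failure regex extracts the source IP and
# the IP is reported (fail2ban would ban it) once it accumulates maxretry
# failures inside a sliding window of findtime seconds; those are the jail
# option names, and 5 and 600 are their defaults.
# Assumptions: syslog-style "Mon DD HH:MM:SS" timestamps all from the same day
# (the date part is ignored when converting to seconds of day), IPv4 sources.

# Usage: ssh_bruteforce_ips MAXRETRY FINDTIME < logfile
# Prints one IP per line, in the order in which each crosses the threshold.
ssh_bruteforce_ips() {
    awk -v maxretry="$1" -v findtime="$2" '
        # the two sshd failure forms fail2ban keys on, with a source address
        /sshd\[[0-9]+\]: (Failed password|Invalid user).* from [0-9.]+/ {
            split($3, t, ":")                        # HH:MM:SS -> seconds of day
            now = t[1] * 3600 + t[2] * 60 + t[3]
            ip = $0; sub(/.* from /, "", ip); sub(/ .*/, "", ip)
            n = cnt[ip] + 0                          # hits seen so far for this IP
            hits[ip, n] = now; cnt[ip] = n + 1
            if (!(ip in first)) first[ip] = 0
            # expire hits older than findtime; a hit exactly findtime old still counts
            while (first[ip] < cnt[ip] && hits[ip, first[ip]] < now - findtime) first[ip]++
            if (cnt[ip] - first[ip] >= maxretry && !(ip in banned)) { banned[ip] = 1; print ip }
        }
    '
}

# Constructed sample log (not captured from a real host): 203.0.113.5 produces
# five matching failures in 14 seconds, 198.51.100.7 fails five times 25 minutes
# apart, and one successful key login is included to show it is ignored.
sample_sshd_log() {
cat <<'EOF'
Jan 10 12:00:01 srv1 sshd[4101]: Failed password for root from 203.0.113.5 port 51001 ssh2
Jan 10 12:00:03 srv1 sshd[4102]: Failed password for root from 203.0.113.5 port 51002 ssh2
Jan 10 12:00:04 srv1 sshd[4103]: Accepted publickey for alice from 198.51.100.7 port 41000 ssh2
Jan 10 12:00:05 srv1 sshd[4104]: Invalid user admin from 203.0.113.5 port 51003
Jan 10 12:00:09 srv1 sshd[4104]: Failed password for invalid user admin from 203.0.113.5 port 51003 ssh2
Jan 10 12:00:15 srv1 sshd[4105]: Failed password for root from 203.0.113.5 port 51004 ssh2
Jan 10 12:05:00 srv1 sshd[4120]: Failed password for bob from 198.51.100.7 port 41001 ssh2
Jan 10 12:30:00 srv1 sshd[4133]: Failed password for bob from 198.51.100.7 port 41002 ssh2
Jan 10 12:55:00 srv1 sshd[4147]: Failed password for bob from 198.51.100.7 port 41003 ssh2
Jan 10 13:20:00 srv1 sshd[4160]: Failed password for bob from 198.51.100.7 port 41004 ssh2
Jan 10 13:45:00 srv1 sshd[4172]: Failed password for bob from 198.51.100.7 port 41005 ssh2
EOF
}

echo "maxretry=5 findtime=600 (the jail defaults): only the fast attacker is caught"
sample_sshd_log | ssh_bruteforce_ips 5 600
echo "maxretry=3 findtime=3600: the slow guesser is caught as well"
sample_sshd_log | ssh_bruteforce_ips 3 3600
```

The second run is the point of the example: with the default window a patient attacker who spaces attempts 25 minutes apart is never counted as a burst, so a jail that only tunes maxretry does not see it. Widening findtime catches it at the cost of more false positives from users who mistype a password a few times an hour, which is why fail2ban also offers bantime increments rather than only a stricter first threshold.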
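The SSH hardening entry above lists the directives; what it cannot show in one line is how sshd actually reads them, and that is where hardening checks go wrong. The script below is an added example, not LinuxLab's code: it audits an sshd_config file against that baseline while honouring two sshd_config rules, that the first value given for a keyword wins (a later duplicate is silently ignored) and that everything after the first Match line belongs to that block rather than to the global section. The two sample configs are constructed for the example; the script assumes whitespace-separated "Keyword value" lines (the optional "Keyword=value" form is not handled).

```shell
#!/bin/sh
# Added example, not LinuxLab's code: check an sshd_config against the
# hardening baseline above. It honours two sshd_config parsing rules that
# trip people up: the FIRST value given for a keyword wins (later duplicates
# are ignored), and everything after the first "Match" line belongs to that
# block, so only the global section is inspected.
# Assumptions: "Keyword value" lines separated by whitespace (the optional
# "Keyword=value" form is not handled); values compared case-insensitively.

# Print the effective global value of keyword $2 in file $1; empty if unset.
sshd_effective() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[ \t]*(#|$)/         { next }             # comments and blank lines
        tolower($1) == "match" { exit }             # first Match block: stop
        tolower($1) == key     { $1 = ""; sub(/^[ \t]+/, ""); print; exit }
    ' "$1"
}

# Report deviations from the baseline, one FAIL line each; returns 0 when the
# file passes every check and 1 otherwise. Unset keywords are evaluated at
# their OpenSSH defaults (PermitRootLogin defaults to prohibit-password).
sshd_audit() {
    cfg=$1; fails=0
    for spec in PasswordAuthentication:no:yes PermitRootLogin:no:prohibit-password \
                PubkeyAuthentication:yes:yes; do
        key=${spec%%:*}; rest=${spec#*:}; want=${rest%%:*}; def=${rest#*:}
        got=$(sshd_effective "$cfg" "$key" | tr 'A-Z' 'a-z'); got=${got:-$def}
        if [ "$got" != "$want" ]; then
            printf 'FAIL %s: want %s, got %s\n' "$key" "$want" "$got"
            fails=$((fails + 1))
        fi
    done
    # PasswordAuthentication no is not enough on its own: with UsePAM yes the
    # keyboard-interactive method can still prompt for a password, so it must
    # be off too. The keyword was renamed in OpenSSH 8.7; accept either spelling.
    kbd=$( { sshd_effective "$cfg" KbdInteractiveAuthentication
             sshd_effective "$cfg" ChallengeResponseAuthentication; } | tr 'A-Z' 'a-z' | head -n 1)
    kbd=${kbd:-yes}
    if [ "$kbd" != no ]; then
        printf 'FAIL KbdInteractiveAuthentication: want no, got %s\n' "$kbd"
        fails=$((fails + 1))
    fi
    # Restrict who may log in at all: AllowUsers or AllowGroups must be set.
    if [ -z "$(sshd_effective "$cfg" AllowUsers)$(sshd_effective "$cfg" AllowGroups)" ]; then
        printf 'FAIL AllowUsers/AllowGroups: neither set, every local account may try\n'
        fails=$((fails + 1))
    fi
    # MaxAuthTries defaults to 6; the baseline wants 3 or fewer.
    tries=$(sshd_effective "$cfg" MaxAuthTries); tries=${tries:-6}
    if [ "$tries" -gt 3 ]; then
        printf 'FAIL MaxAuthTries: want 3 or fewer, got %s\n' "$tries"
        fails=$((fails + 1))
    fi
    [ "$fails" -eq 0 ]
}

# --- Constructed sample configs (not from any real host) --------------------
weak=$(mktemp); hardened=$(mktemp)
cat >"$weak" <<'EOF'
# stock-looking: passwords on, root allowed, no allow-list
PasswordAuthentication yes
PermitRootLogin yes
# ignored by sshd: the first PasswordAuthentication above wins
PasswordAuthentication no
EOF
cat >"$hardened" <<'EOF'
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no
PermitRootLogin no
AllowGroups ssh-users
MaxAuthTries 3
# only guests inside this Match block get passwords; the global value stays no
Match User guest
    PasswordAuthentication yes
EOF
for f in "$weak" "$hardened"; do
    if sshd_audit "$f"; then echo "$f: hardened"; else echo "$f: NOT hardened"; fi
done
rm -f "$weak" "$hardened"
```

Run it against /etc/ssh/sshd_config on a real host and compare with `sshd -T`, which prints the effective configuration after sshd's own parsing; any disagreement between the two is a case this simplified parser does not model (Include files, the "Keyword=value" form, or values quoted with double quotes).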

