
Linux file access auditing. How to audit server security without worrying about data leakage

In today's article, we will introduce you to the best Linux security auditing utilities or, as our English-speaking colleagues say, Linux hardening tools. So, the topic of the article is checking the security level of Linux systems and assessing the correctness of configs from an information security point of view. Of course, we will not only review the programs, but also give examples of their use.

In-house Linux security audit

System administrators, and even more so information security auditors, are often faced with the task of checking the security of a large number of hosts in a very short time. Of course, there are specialized tools for solving these problems in the Enterprise segment. I am sure that all of them, from the open-source OpenVAS engine to commercial products like Nessus or Nexpose, are known to our readers. But this software is usually used to search for outdated and therefore vulnerable software and then run patch management. In addition, not all security scanners take into account the specific features of the built-in security mechanisms of Linux and other open source products. And last but not least, price matters, because paid products can only be afforded by companies that allocate a budget for this.

That is why today we will talk about a specialized set of free utilities that can diagnose the current level of system security, assess potential risks (for example, "extra" services exposed to the Internet, or an unsafe default config) and, in certain cases, offer options for fixing the problems found by the audit. Another advantage of these tools is the ability to run the same typical test scenarios across a farm of any number of Linux systems and to build a documented test base in the form of logs and separate reports.

Practical Aspects of Linux Security Auditing

When viewed through the eyes of an auditor, the testing approach can be divided into two types.

First, compliance with so-called compliance requirements: here the presence of mandatory protection elements prescribed by an international standard or "best practice" is checked. Classic examples are the PCI DSS requirements for payment IT systems, SOX 404 and the NIST 800 series.

Second, a purely rational approach based on the question "What else can be done to increase security?" There are no mandatory requirements here, only your knowledge, bright mind and skillful hands. Examples are updating the kernel and/or application packages, enabling and enforcing SELinux, and configuring the iptables firewall.

Everything related to the second approach is usually called by the special term Linux hardening, which can be defined as "actions aimed at enhancing the initial security level of the OS (or software), mainly by standard means".

Compliance with compliance requirements is usually checked in preparation for a statutory audit such as PCI DSS or another certification audit. We will pay more attention to the hardening component. All major vendors offer Hardening Guidelines for their products: manuals containing tips and recommendations on how to enhance security, taking into account the standard security mechanisms and the specifics of the software. Similar guides are available from Red Hat, Debian, Oracle and Cisco.

Hardening is a term from the world of information security that denotes the process of ensuring the security of a system (program) by reducing its vulnerability and, as a rule, using only standard utilities or protection mechanisms.

By the way, we already had an article about setting the hardening options, but that article was only about configuration. Here we will first check our system using specialized utilities, that is, conduct a security audit and assess the current level of protection, and then tighten the security options where necessary. Or, if the server is already configured with security in mind, our tools will be able to verify this and possibly suggest what else can be done.

Linux security audit tools

Lynis - auditing and system hardening testing

Installation on macOS:

Initializing Tests
Test results from the System Tool and Boot & Services group
Test results from the Kernel and Memory & Process auditing group
Test results from the User and Group & Authentication group

It is always a good idea to check if a new version of Lynis is available before auditing:

If you want to record the name of the auditor who started the test, just add the --auditor parameter:

sudo lynis audit system -c --auditor "Daddy"

At any stage of the Linux security audit, the verification process can be continued (Enter) or forcibly terminated (Ctrl + C). The results of the tests performed are written to the Lynis log file /var/log/lynis.log. Please note that the log file is overwritten on each subsequent launch of the utility.

For testing on a permanent basis in automatic mode, you can assign a corresponding task to the cron scheduler using the --cronjob switch. In this case, Lynis will start according to the specified template (config) and will not display any interactive messages, questions or warnings. All results will be saved to the log. For example, here is a script that runs the utility with default settings once a month:

#!/bin/sh
# Run Lynis non-interactively and keep a dated copy of the report
AUDITOR="automated"
DATE=$(date +%Y%m%d)
HOST=$(hostname)
LOG_DIR="/var/log/lynis"
REPORT="$LOG_DIR/report-${HOST}.${DATE}"
DATA="$LOG_DIR/report-data-${HOST}.${DATE}.txt"

cd /usr/local/lynis
./lynis -c --auditor "${AUDITOR}" --cronjob > ${REPORT}

# The machine-readable report is overwritten on every run, so move it aside
mv /var/log/lynis-report.dat ${DATA}
# End

Save this script as /etc/cron.monthly/lynis. And do not forget to create the directories used for Lynis and its logs (/usr/local/lynis and /var/log/lynis), otherwise the script may not work correctly.

You can see a list of all the commands available for calling:

Brief instructions for working with the utility:

man lynis

The options for possible statuses based on the results of the check are limited to the following list: NONE, WEAK, DONE, FOUND, NOT_FOUND, OK, WARNING.


Example of displaying statuses
Running individual tests in Lynis

In practice, it may be necessary to run only a few specific tests, for example if your server performs only mail server or Apache functions. We can use the --tests parameter for this. The command syntax looks like this:

In addition, the functionality of Lynis is extended by various plugins: you can write your own or add new ones to the existing plugin directory.

All warnings are listed after the results. Each begins with the warning text, followed by the ID of the test that generated it in parentheses. The next line offers a solution to the problem, if one exists. Finally, the last line is a URL where you can view the details and find additional recommendations on how to fix the problem.


Conclusion of recommendations on how to fix found problems

Profiles

The profiles that control auditing are defined in files with the .prf extension located in the /etc/lynis directory. The default profile is named, predictably, default.prf. The developers advise against editing it directly: any changes you want to make to the audit are best added to the custom.prf file in the same directory.

Create and edit a custom profile:

sudo touch /etc/lynis/custom.prf
sudo nano /etc/lynis/custom.prf

In this file, you can define a list of tests to exclude from Lynis auditing. For example:

  • FILE-6310: partition check;
  • HTTP-6622: nginx installation test;
  • HTTP-6702: Apache installation test.

To exclude a specific test, use the skip-test directive and specify the test ID. For example:

# Is nginx installed?
skip-test=HTTP-6622

# Is Apache installed?
skip-test=HTTP-6702

Hardening state assessment

Based on the results of all tests, at the end of each audit output of the utility (just below the suggestions section), you will find a section that looks something like this:

Lynis security scan details:

  Hardening index : 57 [###########.........]
  Tests performed : 216
  Plugins enabled : 0

Final assessment of hardening state

This result, expressed as a number, summarizes the tests passed into a security index of the system: the hardening index is the final figure Lynis uses to estimate the overall security level of the server. It is very important to remember that the index changes as warnings are fixed and Lynis recommendations are implemented. Therefore, after fixing the problems found, a repeated security audit may show a completely different number!
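Since the monthly cron job above keeps a dated copy of the report data and the index moves as findings are fixed, it is worth tracking both between runs. The script below is an added example, not code from the article or from the Lynis project: it summarizes a report-data file and compares its hardening index with the previous run. It assumes the key=value layout of lynis-report.dat, with a hardening_index key and list keys of the form warning[]=ID|text|details|solution|; the SAMPLE_REPORT content is constructed for the demo and is not a real report.

```shell
#!/bin/sh
# Added example (not from the article or the Lynis project): summarize a saved
# report-data file and compare the hardening index with the previous run.
# Assumption: the file uses the key=value layout of lynis-report.dat, with
# "hardening_index=<n>" and list keys such as "warning[]=ID|text|details|solution|".
# SAMPLE_REPORT below is constructed for the demo; it is not a real report.

SAMPLE_REPORT='report_version=1.0
hardening_index=57
tests_executed=216
warning[]=HTTP-6622|Web server configuration needs review|-|-|
warning[]=FILE-6310|Some partitions are not separated|-|-|
suggestion[]=HTTP-6702|Harden the Apache configuration|-|-|
suggestion[]=FILE-6310|Consider separate partitions for /home and /var|-|-|'

# Print the hardening index stored in the report data ($1).
hardening_index() {
    printf '%s\n' "$1" | sed -n 's/^hardening_index=//p'
}

# Count list entries of one kind ($2 = warning or suggestion) in report data ($1).
count_entries() {
    printf '%s\n' "$1" | grep -c "^$2\[]=" || true
}

# List the test IDs (first |-separated field) of all warnings in report data ($1).
warning_ids() {
    printf '%s\n' "$1" | sed -n 's/^warning\[]=//p' | cut -d'|' -f1
}

# Compare a previous index ($1) with the current one ($2).
index_trend() {
    if [ "$2" -gt "$1" ]; then echo improved
    elif [ "$2" -lt "$1" ]; then echo regressed
    else echo unchanged
    fi
}

# Demo: treat the constructed data as this month's report and 51 as last month's index.
PREVIOUS_INDEX=51
CURRENT_INDEX=$(hardening_index "$SAMPLE_REPORT")
echo "Hardening index: $CURRENT_INDEX ($(index_trend "$PREVIOUS_INDEX" "$CURRENT_INDEX") from $PREVIOUS_INDEX)"
echo "Warnings: $(count_entries "$SAMPLE_REPORT" warning), suggestions: $(count_entries "$SAMPLE_REPORT" suggestion)"
echo "Warning test IDs: $(warning_ids "$SAMPLE_REPORT" | paste -sd' ')"
```

On a real host, feed it the report-data-HOST.DATE.txt files saved by the cron job and keep the previous index in a small state file; a "regressed" result after a package upgrade or config change is exactly the signal the monthly job exists to catch.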

All manipulations with the system in superuser mode require close attention and increased responsibility. Perform only those actions that you are aware of and of which you are sure. Don't forget to make backups and snapshots.

Lunar - a UNIX security auditing tool

Examples of running commands from the CLI:


View All Launch Options for Lunar

Launching Lunar in security audit mode, i.e. without making changes to the system:

List of tests:

Run in fix mode, i.e. with changes to the system:

An example of running tests for the Apache web server

Nix Auditor - a CIS Audit made easier

Nix Auditor is another script for checking whether the security configuration of Linux systems meets CIS benchmark requirements. It focuses on RHEL, CentOS and other RPM-based distributions.

The developers claim the following advantages of Nix Auditor:

  • scanning speed - a basic OS check takes less than 120 seconds and the report is produced right away;
  • verification accuracy - Nix Auditor has been tested on different versions of CentOS and Red Hat distributions;
  • customizability - the sources with documentation are on GitHub, so the code is easily adapted to the type of OS and the set of system elements that need to be checked;
  • ease of use - it is enough to make the start script executable, and it is ready for testing.

An example of the commands to download the utility from the GitHub repository and then run the script:

git clone https://github.com/XalfiE/Nix-Auditor.git
cd Nix-Auditor
chmod +x nixauditor
./nixauditor

Example of information output after starting Nix Auditor

Loki - Simple IOC and Incident Response Scanner

The Loki utility is not exactly a classic Linux audit tool, but it is great for finding traces of a compromise, which can at least in part be attributed to the practice of auditing.

According to the developers, these are the capabilities that Loki - Simple IOC and Incident Response Scanner gives us:

I. Four ways to detect a breach:

  • filenames (match the full file path regex);
  • check in accordance with the Yara rules (search for compliance with Yara signatures by the contents of files and process memory);
  • checking and analyzing hashes (comparing scanned files with hashes (MD5, SHA-1, SHA-256) of known malicious files);
  • C2 connection check (compares process connection endpoints with C2 IOCs).

II. Additional checks:

  • checking the Regin file system (via --reginfs);
  • checking anomalies of system and user processes;
  • scanning unpacked SWFs;
  • SAM dump check;
  • DoublePulsar check - an attempt to identify a backdoor listening on ports 445/tcp and 3389/tcp.

Let's just touch on how the program determines the fact of a hack. Typical signs (Indicators of Compromise), indicating that a computer has been compromised (that is, hacked), can be:

  • the appearance on the computer of malware (viruses, backdoors, cryptors, and so on), as well as hacker utilities (for example, for network exploration, exploitation of vulnerabilities, collection of credentials);
  • the appearance of unknown new executable and other files, even if they are not detected by the anti-virus engine as malware code;
  • abnormal network activity (connecting to remote hosts, opening ports for listening by unknown programs, etc.);
  • abnormal activity on disk devices (I/O) and increased consumption of system resources (CPU, RAM, swap).
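Two of the detection methods listed above, hash matching and filename matching, are simple enough to show end to end. The script below is an added example and is not Loki's code: it builds a constructed sample tree, hashes every file with sha256sum and compares against an IOC list, then matches file paths against a filename regex. IOC_HASHES, IOC_NAME_REGEX and the sample files are all constructed for the demo; the only real value is the first hash, which is the SHA-256 of the text "hello" followed by a newline. YARA rules and process-memory scanning, which a real scanner adds on top, are outside this example.

```shell
#!/bin/sh
# Added example (not Loki's code): a minimal hash- and filename-based IOC check of
# the kind described above, run over a constructed sample tree. Assumptions:
# IOC_HASHES lists "sha256 label" pairs and IOC_NAME_REGEX is an extended regex
# matched against full paths; both lists are constructed for the demo. The first
# hash is the SHA-256 of the text "hello" followed by a newline, nothing more.

IOC_HASHES='5891b5b522d5df086d0ff0b110fbd9d21bb4fc7163af34d08286a2e846f6be03 demo-sample-a
0000000000000000000000000000000000000000000000000000000000000000 placeholder-unused'

# Constructed name pattern: a 16-hex-character .tmp name or one fixed filename.
IOC_NAME_REGEX='(^|/)([a-f0-9]{16}\.tmp|demo-malware\.sh)$'

# Build a temporary tree with one hash match, one name match and one clean file.
make_sample_tree() {
    dir=$(mktemp -d)
    printf 'hello\n' > "$dir/readme.txt"                 # content matches the IOC hash
    printf 'nothing to see here\n' > "$dir/notes.txt"    # clean
    printf 'x\n' > "$dir/0123456789abcdef.tmp"           # name matches the IOC regex
    printf '%s\n' "$dir"
}

# Hash every regular file under $1 and report those whose SHA-256 is in IOC_HASHES.
# Output: "<path> <sha256> <label>" per match.
scan_hashes() {
    find "$1" -xdev -type f -print | while IFS= read -r f; do
        h=$(sha256sum "$f" | cut -d' ' -f1)
        label=$(printf '%s\n' "$IOC_HASHES" | awk -v h="$h" '$1 == h { print $2 }')
        if [ -n "$label" ]; then
            printf '%s %s %s\n' "$f" "$h" "$label"
        fi
    done
}

# Report regular files under $1 whose path matches IOC_NAME_REGEX.
scan_names() {
    find "$1" -xdev -type f -print | grep -E "$IOC_NAME_REGEX" || true
}

count_lines() { wc -l | tr -d ' '; }

# Demo run
SAMPLE_DIR=$(make_sample_tree)
echo "Hash matches:";     scan_hashes "$SAMPLE_DIR"
echo "Filename matches:"; scan_names "$SAMPLE_DIR"
rm -rf "$SAMPLE_DIR"
```

Hash matching is exact and cheap but misses any recompiled or repacked sample, which is why the article's list also includes YARA content rules and C2 endpoint checks; a filename regex is weaker still and should be treated as a lead to investigate, not as proof of compromise.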

Before starting the installation, you need to install several dependent packages. These are colorama (gives line coloring in the console), psutil (a process checking utility) and, if not already installed, the Yara package.

So let's get started. Installation on Kali Linux (the Yara package must be installed first; it is already present in Kali Linux by default):

git clone https://github.com/Neo23x0/Loki
cd Loki/
python2 loki-upgrader.py
python2 loki.py -h

Installation on Ubuntu/Debian:

sudo apt-get install yara python-yara python-pip python-setuptools python-dev git
sudo pip2 install --upgrade pip
sudo pip2 install -U setuptools
sudo pip2 install psutil netaddr pylzma colorama
git clone https://github.com/Neo23x0/Loki
cd /home/download/Loki
python2 loki-upgrader.py
python2 loki.py -h

Installation on BlackArch:

sudo pacman -S yara python2-pip python2-yara
sudo pip2 install psutil netaddr pylzma colorama
git clone https://github.com/Neo23x0/Loki
cd /home/download/Loki
python2 loki-upgrader.py
python2 loki.py -h

Usage example

Some startup options:

optional arguments:
  -h, --help  show this help message and exit

Information security is a priority issue for any business operating on the Internet. Virus infections and external attacks, as well as unauthorized access to information - all this entails major financial and reputational risks. Therefore, when choosing a server platform, business owners are always interested in the degree of resource security.
And in order to check how well the protection system works, whether there are any vulnerabilities or "holes" in it, it is recommended to conduct a server security audit at least once a month.

What is included in a server security audit

Even a seemingly insignificant factor, such as incorrect settings on the server itself or outdated software, can become a security threat. An audit helps to identify security vulnerabilities and take timely measures to eliminate them before data infection or theft occurs.
The server administrator checks the installed software, its compliance with the latest updates, evaluates the server security settings and eliminates errors, if any, and also analyzes the compliance of employee access rights settings to certain resources.

How to audit a virtual dedicated server with your own hands

Every user can check the security of servers on Windows or Linux platforms; for this, it is not necessary to have special programming knowledge.
The security check can be divided into several stages:

Physical access

In the case of a dedicated server, physical access to the server of third parties is limited by default, this is provided by the data center. But the user can additionally set a password to access the BIOS.

Firewall

Windows Firewall must be properly configured and enabled for continuous monitoring of software and ports. On Linux, SELinux can be used for access control. You can also rent a hardware firewall (Cisco ASA or Fortinet FortiGate 60D) from us.

File system

Checking for updates

Configure the server to automatically receive and install updates.

Password policy

Set it using the local Windows security policies: be sure to require complex passwords and their expiration, as well as locking the account after several unsuccessful logins or entry of an empty password.

Controlling logs

Turn on logging for critical infrastructure segments and check them regularly.

Network security

VPN and VLAN are recommended for node segmentation and link security.
You should also change the default settings and redirect the network equipment service ports.
The IPsec service can be used to encrypt traffic. And to view open ports, use the Netstat utility.

Access control

Differentiate user access rights to critical files, disable guest access and users with an empty password. Disable unused roles and applications on the server.

Backup

Take advantage of the file backup service; it is cost-effective and reliable. Do not keep backups unencrypted. If you rent a server from us, you can choose where backups are stored.

Database access

Critical databases should be stored on separate SQL servers. Configure the service to run as a user with minimal privileges, or to accept connections only from a pre-configured whitelist of IP addresses.

Antivirus protection

For a Windows server, installing automatically updated antivirus software is recommended when users work with network storage. For Linux, an antivirus is not required, provided that the server's security is monitored regularly and unauthorized access is controlled. The Tiger utility can be useful for this.

Such an audit once a month will help to check the correct operation of the server, eliminate vulnerabilities and monitor the security of the network infrastructure.

The issue of IT infrastructure security is highly relevant for any type of business, whether it is a group of companies with an extensive branch network or an online store with one or two sellers.
For every server whose main purpose is to host websites, protecting user data is an acute issue.
Our company offers a server security audit service.

This service includes:

- Analysis of the software versions installed on the server for compliance with current versions free of known security problems. As a rule, for web servers the currency of the following software matters: mail server, web server, caching web server (if any), interpreter of the programming language the sites are written in (for example, PHP), FTP server, and web applications (providing simplified access to certain server settings and data);
- Analysis of web server settings and related software settings for compliance with basic security requirements;
- Analysis of operating system settings. This item covers the main points related to an attacker's potential to seize control of the server. As a rule, the ssh server settings and the options for working with hard drives are examined;
- Analysis of access rights to the main system files and folders containing confidential information. As a rule, this item covers the main system folders, the files of the server control panel, directories with backups, and permissions on user folders;
- On a server suspected of being compromised and usable by intruders for malicious actions, our specialists will take the necessary measures to clean it of malware and prevent the situation from recurring.

Linux server security is very important to keep your data, intellectual property, and time out of the hands of hackers. The system administrator is responsible for the security of the Linux operating system. In this article, we'll look at twenty things to do with your Linux operating system to keep it safe and secure at all times. If this is a home computer, then perhaps there is no point in worrying about security so much; strong passwords and blocking access to ports from the Internet will be enough. But in the case of a public server, you should pay attention to ensuring its protection.

These instructions will work for any distribution, it doesn't matter if you are using CentOS, Red Hat or Ubuntu, Debian.

1. Encryption of communication

All data transmitted over the network are open for monitoring. Therefore, it is necessary to encrypt the transmitted data, where possible, using passwords, keys or certificates.

Use scp, ssh, rsync, or sftp to transfer files. You can also mount a remote filesystem into your home directory using tools like sshfs.

GnuPG allows you to encrypt and sign your data using a special private key. There are also functions for managing keys and accessing public keys.

Fugu is a graphical SFTP file transfer tool. SFTP is very similar to FTP, but the entire session is encrypted. This means that no passwords or commands are sent in cleartext, so such transfers are less exposed to third parties. You can also use FileZilla, a cross-platform FTP client that supports FTP over TLS (FTPS) and the SSH File Transfer Protocol (SFTP).

OpenVPN is an efficient and lightweight VPN client with SSL/TLS encryption support.

2. Try not to use FTP, Telnet, Rlogin and RSH

On most networks, usernames and passwords for FTP, Telnet and RSH can be intercepted by someone on the same network using a packet sniffer. The common solution is to use OpenSSH, SFTP, or FTPS, which adds SSL or TLS to regular FTP. Run this command to remove NIS, RSH and other obsolete services:

yum erase inetd xinetd ypserv tftp-server telnet-server rsh-server

3. Reduce the amount of software

Do you really need all the web services installed? You should not install unnecessary software to avoid vulnerabilities in these programs. Use your package manager to view installed programs and remove all unnecessary ones:

yum list installed
yum list package
yum remove package

dpkg --list
dpkg --info package
apt-get remove package

4. One machine, one service

Run different services on separate servers or virtual machines. This limits the number of services that can be compromised. For example, if an attacker can break into Apache, then he will gain access to the entire server. Including services such as MySQL, email server and so on. You can use software like XEN or OpenVZ for virtualization.

5. Keep your Linux kernel and software up to date

Applying security patches is a very important part of keeping your Linux server secure. The operating system provides all the tools for keeping the system up to date and updating to new versions. All security updates should be applied as soon as possible. This is where you need to use your package manager too. For example:

Or for Debian based systems:

sudo apt update && sudo apt upgrade

You can configure Red Hat or Fedora to send you email notifications when new security updates are available. You can also set up automatic updates via cron, or use Debian's apticron to notify you when your system needs updating.

6. Use Linux security extensions

The Linux operating system comes with various security patches that can be used to protect against misconfiguration or malware. But you can also use additional application access control systems such as SELinux or AppArmor.

SELinux provides various security policies for the Linux kernel. Here it is possible to control access to any system resources using roles. This or that resource can only be accessed by a program whose role allows it, and even superuser rights do not matter. SELinux greatly enhances the security of the Linux system, since even root is considered a normal user here. More about it is described in a separate article.

7. User accounts and strong passwords

Use the useradd and usermod commands to create and maintain user accounts. Make sure every password is strong: it must contain at least eight characters, preferably in mixed case, including special characters or digits, for example eight characters of which seven are letters and one is a symbol or digit. Use tools like John the Ripper to find weak user passwords on the server, and configure pam_cracklib.so to enforce the password policy.

8. Change passwords from time to time

The chage command allows you to specify the number of days before a forced password change. The system uses this information to determine when the user must change the password. The default settings are in /etc/login.defs. Password aging can also be disabled with chage. To view the password aging information for a user, enter the command:

chage -l username

You can also configure everything manually, in the /etc/shadow file:

user:password:last_change:min_days:max_days:warning:inactive:expire:

  • min_days - the minimum interval between password changes, that is, how often the user may change the password.
  • max_days - how many days the password remains valid; after this period the user is forced to change it.
  • warning - the number of days before expiry on which the user starts being warned to change the password.
  • expire - the number of days since January 1, 1970 after which the account is completely disabled.

For example, to require a change every 60 days, with at least 7 days between changes and a warning 7 days in advance:

chage -M 60 -m 7 -W 7 username

It is also advisable to prohibit users from using old passwords, otherwise all efforts to force them to forcibly change passwords will be reduced to zero.

9. Block accounts after unsuccessful login attempts

On Linux, you can use the faillog command to view failed login attempts by users. You can also use it to set a limit on unsuccessful login attempts. All information about failed login attempts is stored in the /var/log/faillog file. To view it, type:

And to reset the failed-login counter for a specific account (for example, after it has been locked out), use:

faillog -r -u user

You can also manually block or unblock accounts using the passwd command. To block use:

passwd -l user

And to unlock:

passwd -u user

It is also advisable to check if the system has accounts with empty passwords. To do this, run:

awk -F: '($2 == "") {print}' /etc/shadow

Also check whether there are other users with UID 0. There should be only one such user, and that is root. You can check with the following command:

awk -F: '($3 == "0") {print}' /etc/passwd

There should be only one line:

root:x:0:0:root:/root:/bin/bash

If there are others, delete them. Users, and especially their weak passwords, are one of the most vulnerable things that can compromise security on linux.
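The three account checks in sections 8 and 9 (password aging, empty passwords, extra UID-0 accounts) are easy to run as one script. The block below is an added example, not from the article: it applies the checks to constructed /etc/passwd and /etc/shadow content so the expected hits are known, and extends the awk one-liners above with a check for usable passwords that never expire (max_days empty or the 99999 default). The account names and the hash placeholders are constructed and are not real hashes.

```shell
#!/bin/sh
# Added example (not from the article): audit account data in /etc/passwd and
# /etc/shadow format for the weaknesses discussed above: UID-0 accounts other than
# root, empty password fields, and passwords with no maximum age. The entries are
# constructed; the hash strings are placeholders, not real hashes.

SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
toor:x:0:0:second superuser:/root:/bin/bash
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bob:x:1001:1001:Bob:/home/bob:/bin/bash'

# Fields: name:password:last_change:min_days:max_days:warn_days:inactive:expire:
SAMPLE_SHADOW='root:$6$PLACEHOLDER$HASH:19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
toor:$6$PLACEHOLDER$HASH:19000:0:99999:7:::
alice:$6$PLACEHOLDER$HASH:19000:7:60:7:::
bob::19000:0:99999:7:::'

# Accounts in passwd data ($1) with UID 0 that are not named root.
uid0_non_root() {
    printf '%s\n' "$1" | awk -F: '$3 == 0 && $1 != "root" { print $1 }'
}

# Accounts in shadow data ($1) whose password field is empty (login without a password).
empty_passwords() {
    printf '%s\n' "$1" | awk -F: '$2 == "" { print $1 }'
}

# Accounts in shadow data ($1) with a usable password (not empty, not locked with
# "*" or "!") whose maximum age is unset or the 99999-day default, i.e. never expires.
no_password_aging() {
    printf '%s\n' "$1" | awk -F: '$2 != "" && $2 !~ /^[*!]/ && ($5 == "" || $5 + 0 >= 99999) { print $1 }'
}

# Demo against the constructed data (on a real host: /etc/passwd and /etc/shadow, as root).
echo "UID 0 accounts other than root: $(uid0_non_root "$SAMPLE_PASSWD" | paste -sd' ')"
echo "Accounts with empty passwords:  $(empty_passwords "$SAMPLE_SHADOW" | paste -sd' ')"
echo "Passwords that never expire:    $(no_password_aging "$SAMPLE_SHADOW" | paste -sd' ')"
```

Locked system accounts (password field starting with * or !) are deliberately excluded from the aging check, since they have no password to age; a hit for root or a second UID-0 account is the combination most worth fixing first.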

10. Disable superuser login

To keep your linux system secure, never log in as root. You can use sudo to gain the necessary privileges and run the desired command as the superuser. This command allows you to keep your superuser password secret from being shared with other admins, and provides tools to monitor, limit, and track actions.

11. Physical security of the server

Linux server security must include physical security. Restrict physical access to the server console. Configure the BIOS not to boot from external media such as DVD, CD or USB. Also set a BIOS password and a GRUB bootloader password to protect their settings.

12. Disable unnecessary services

Disable all unused services and daemons. Also, don't forget to remove these services from startup. You can see a list of all active services on Red Hat systems with the command:

chkconfig --list | grep "3:on"

To disable the service use:

service servicename stop
chkconfig servicename off

Find all ports open by programs:

The same can be done with the nmap scanner:

nmap -sT -O localhost

Use iptables to close all ports that should not be accessible from the network. Or stop unnecessary services as described above.

13. Remove the X server

An X server on a server computer is completely optional. You don't need to run a graphical environment on a dedicated Apache or Email server. Uninstall this software to increase security and performance.

14. Configure Iptables

iptables is a user-space program for configuring the kernel's built-in Netfilter firewall. It allows you to filter all traffic and allow only certain types. Also use TCP Wrappers, an ACL system for filtering network access. You can prevent many types of DoS attacks with iptables. Network security in Linux is a very important part of overall system security.

15. Configure the kernel

The /etc/sysctl.conf file contains kernel settings that are loaded and applied at system startup.

Enable execshield buffer overflow protection:

kernel.exec-shield = 1
kernel.randomize_va_space = 1

Enable IP spoofing protection:

net.ipv4.conf.all.rp_filter = 1

Disable acceptance of source-routed packets:

net.ipv4.conf.all.accept_source_route = 0

Ignore broadcast requests:

net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.icmp_ignore_bogus_error_messages = 1

Log all spoofed packets (martians):

net.ipv4.conf.all.log_martians = 1

16. Partition your hard drive

Partitioning the hard drive based on the purpose of the files improves the security of the Linux OS. It is recommended to make separate sections for such directories:

  • /home
  • /var and /var/tmp

Make separate partitions for the root directories of the Apache and FTP servers. Open the /etc/fstab file and set special options for the required partitions:

  • noexec - do not execute any programs or binaries from this partition; only scripts are allowed
  • nodev - do not allow character or block special devices on this partition.
  • nosuid - do not honor SUID/SGID bits for programs on this partition.

17. Use disk space limitation

Limit the disk space available to users. To do this, enable disk quotas in /etc/fstab, remount the file systems and create the disk quota database. This improves security on Linux.

18. Disable IPv6

The next-generation Internet protocol IPv6 will replace the currently used IPv4 in the future. But at the moment there are no tools to check the security of an IPv6-based network. Many Linux distributions enable IPv6 by default. Hackers can send unwanted traffic over it that administrators cannot track. So if you don't need this service, disable it.

19. Disable unused SUID and SGID binaries

All executable files with the SUID or SGID flag set are potentially dangerous. The flag means the program runs with the rights of its owner or group, typically the superuser. So if the program has a vulnerability or bug, a local or remote user may be able to abuse it. Find all SUID files with the following command:

find / -perm -4000

Find files with the SGID flag set:

find / -perm -2000

Or combine it all in one command:

find / \( -perm -4000 -o -perm -2000 \) -print
find / -path -prune -o -type f -perm /6000 -ls

You will have to examine in detail each file you find in order to understand how much you need this or that file.

20. Public files

It is also advisable to find directories that all users on the system can write to and that lack the sticky bit. To do this, use the following command:

find /dir -xdev -type d \( -perm -0002 -a ! -perm -1000 \) -print

Now check whether the owner and group permissions of each entry found are set correctly and whether they pose a security risk.

It is also advisable to find all files that do not belong to anyone:

find /dir -xdev \( -nouser -o -nogroup \) -print
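To see what the find expressions in sections 19 and 20 actually match, the script below runs them against a constructed temporary tree. It is an added example and is not from the article; the file and directory names are constructed. Beyond the article's commands it also shows the distinction that GNU find's deprecated "+mode" syntax blurred: -perm /6000 matches files with any of the SUID/SGID bits set, while -perm -6000 matches only files with both bits set.

```shell
#!/bin/sh
# Added example (not from the article): the SUID/SGID and world-writable directory
# searches above, run on a constructed temporary tree so the results are known in
# advance. It also shows the distinction that GNU find's deprecated "+mode" syntax
# blurred: "-perm /6000" matches files with ANY of the SUID/SGID bits set, while
# "-perm -6000" matches only files with BOTH bits set.

# Build the sample tree; prints its path.
make_demo_tree() {
    dir=$(mktemp -d)
    : > "$dir/suid_bin";  chmod 4755 "$dir/suid_bin"    # SUID only
    : > "$dir/sgid_bin";  chmod 2755 "$dir/sgid_bin"    # SGID only
    : > "$dir/both_bits"; chmod 6755 "$dir/both_bits"   # SUID and SGID
    : > "$dir/plain";     chmod 0644 "$dir/plain"       # no special bits
    mkdir "$dir/ww_nosticky"; chmod 0777 "$dir/ww_nosticky"  # world-writable, no sticky bit: risky
    mkdir "$dir/ww_sticky";   chmod 1777 "$dir/ww_sticky"    # world-writable with sticky bit, like /tmp
    printf '%s\n' "$dir"
}

# Regular files under $1 with SUID or SGID set (any of the two bits).
suid_or_sgid()  { find "$1" -xdev -type f -perm /6000 -print; }

# Regular files under $1 with both SUID and SGID set.
suid_and_sgid() { find "$1" -xdev -type f -perm -6000 -print; }

# Directories under $1 that anyone can write to and that lack the sticky bit,
# so any user can delete or rename other users' files there.
world_writable_dirs_no_sticky() {
    find "$1" -xdev -type d \( -perm -0002 -a ! -perm -1000 \) -print
}

# Files under $1 whose owner or group no longer exists in passwd/group.
unowned() { find "$1" -xdev \( -nouser -o -nogroup \) -print; }

count_lines() { wc -l | tr -d ' '; }

# Demo run (on a real host replace the sample tree with / and review every hit).
DEMO=$(make_demo_tree)
echo "SUID or SGID:";  suid_or_sgid "$DEMO"
echo "SUID and SGID:"; suid_and_sgid "$DEMO"
echo "World-writable directories without sticky bit:"; world_writable_dirs_no_sticky "$DEMO"
echo "Unowned files:"; unowned "$DEMO"
rm -rf "$DEMO"
```

The -xdev option keeps the search on one filesystem, which avoids descending into /proc and network mounts when the tree is /; run each function per mounted filesystem instead. Note that the sample tree cannot contain an unowned file without root privileges, so the unowned check prints nothing in the demo.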

21. Use a centralized authentication system

Without a centralized authentication system, user data becomes inconsistent, which can lead to outdated credentials and forgotten accounts that should have been deleted long ago. A centralized service lets you maintain control over user accounts and credentials across Linux and Unix systems and sync authentication data between servers. But do not use the NIS service; look towards OpenLDAP instead.

One interesting implementation of such a system is Kerberos. It allows users to be authenticated using a secret key on networks where packets can be intercepted and modified. Kerberos uses symmetric-key encryption and requires a Key Distribution Center (KDC) to function. You can configure remote login, remote copying, secure copying of files between systems and other tasks with a high level of security.

22. Logging and audit

Set up logging and auditing to collect and save all failed login attempts and hacking attempts. By default, all logs, or at least most of them, are in the /var/log/ directory. What the individual log files are responsible for is covered in more detail in a separate article.

You can view the logs using utilities such as logwatch or logcheck. They greatly simplify the reading of the logs. You can view not the entire file, but only the events you are interested in, and also send yourself a notification to your email address.

Monitor the system using the auditd service. The program writes to disk all the audit events that interest you. All audit settings are stored in the /etc/audit.rules file; when the system starts, the service reads all the rules from this file. You can open it and configure everything as needed, or use the separate auditctl utility. You can configure things like:

  • System startup and shutdown events
  • Date and time of the event
  • Custom events (for example, access to a specific file)
  • Event type (edit, access, delete, write, update, etc.)
  • Success or failure in the execution of the event
  • Recording events of changing network settings
  • Record of changing users and groups
  • Monitoring file changes

23. Protect your OpenSSH server

Allow only protocol 2:

Deny login as superuser:
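Sections 15 and 23 both come down to the same audit task: comparing what a configuration file sets with what a hardening profile expects. The script below is an added example, not from the article: it checks configuration text against a list of expected settings, handling both the "key = value" syntax of sysctl.conf and the "Key value" syntax of sshd_config (Protocol 2 and PermitRootLogin no, the two settings this section asks for), and reports each expectation as OK, WRONG or MISSING. The config fragments and expectation lists are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the article): compare configuration text with a list of
# expected settings, the way an auditing tool compares a host with its profile.
# It understands both "key = value" lines (sysctl.conf) and "Key value" lines
# (sshd_config), ignores comments, and reports each expected setting as OK,
# WRONG (present with another value) or MISSING. Both config fragments and the
# expectation lists are constructed for the demo.

SAMPLE_SYSCTL='# constructed /etc/sysctl.conf fragment
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.all.accept_source_route = 1
net.ipv4.icmp_echo_ignore_broadcasts = 1
# net.ipv4.conf.all.log_martians = 1'

EXPECT_SYSCTL='net.ipv4.conf.all.rp_filter 1
net.ipv4.conf.all.accept_source_route 0
net.ipv4.icmp_echo_ignore_broadcasts 1
net.ipv4.conf.all.log_martians 1'

SAMPLE_SSHD='# constructed sshd_config fragment
Protocol 2
PermitRootLogin yes'

EXPECT_SSHD='Protocol 2
PermitRootLogin no'

# Print the first value set for key $2 in config text $1 (comments stripped);
# prints nothing when the key is absent or only commented out.
config_value() {
    printf '%s\n' "$1" | sed 's/#.*//' | awk -v k="$2" '
        {
            sub(/^[ \t]+/, "")
            n = split($0, f, /[ \t]*=[ \t]*|[ \t]+/)
            if (n >= 2 && f[1] == k) { print f[2]; exit }
        }'
}

# Check config text $1 against expectation lines "key value" in $2.
# Output: one line per expectation: "OK key", "WRONG key (is X, want Y)" or "MISSING key".
check_settings() {
    printf '%s\n' "$2" | while read -r key want; do
        [ -n "$key" ] || continue
        have=$(config_value "$1" "$key")
        if [ -z "$have" ]; then
            echo "MISSING $key"
        elif [ "$have" = "$want" ]; then
            echo "OK $key"
        else
            echo "WRONG $key (is $have, want $want)"
        fi
    done
}

# Count result lines of one status ($1 = OK, WRONG or MISSING) on stdin.
count_status() { grep -c "^$1 " || true; }

# Demo run
echo "sysctl.conf:"; check_settings "$SAMPLE_SYSCTL" "$EXPECT_SYSCTL"
echo "sshd_config:"; check_settings "$SAMPLE_SSHD" "$EXPECT_SSHD"
```

A file check only shows what is configured, not what is in effect: a sysctl line takes effect after sysctl -p or a reboot, and sshd_config after the daemon is reloaded. For the running values compare against sysctl -n key and sshd -T, which prints the effective sshd configuration.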

24. Install IDS

An IDS, or Intrusion Detection System, tries to detect suspicious or malicious activity such as a DoS attack, port scanning, or even attempts to break into your computer, by monitoring network traffic.

It is good practice to deploy such software before the system is available from the internet. You can install AIDE, which is a HIDS (Host based IDS) that can control all aspects of the internal structure of your system.

Snort is software for detecting intrusion attempts from the network. It is capable of analyzing and logging packets and analyzing network traffic in real time.

25. Protect your files and directories

Linux has excellent protection against unauthorized access to files. However, the permissions set by Linux and the file system mean nothing when an attacker has physical access to the computer and can simply connect the computer's hard drive to another system to copy your data. But you can easily protect your files with encryption:

  • Use GPG to encrypt and decrypt a file using a password
  • It is also possible to protect files using OpenSSL
  • Directory encryption is done with ecryptfs
  • TrueCrypt - Free Disk Encryption Tool for Windows and Linux

Conclusions

Now the security of the Linux OS on your computer will be much improved. Do not forget to set complex passwords and change them from time to time. Share your favorite system security tool in the comments.