This article was generated by AI analysis
Created: 2026-03-28 Source: https://pablogonzalez.me/posts/linux_security/
Summary
Pablo González’s comprehensive Linux security hardening reference covering physical security, bootloader protection, user/password policies, SSH hardening, filesystem permissions, firewall configuration (iptables/nftables), intrusion detection (fail2ban, AIDE), and audit logging.
Key Points
- Physical security: BIOS password, disable USB boot; otherwise physical access = root access
- Bootloader: password-protect GRUB; prevent single-user mode shell as root bypass
- User management: principle of least privilege; disable root SSH login (PermitRootLogin no); sudo for privilege escalation
- SSH hardening: key-only auth (PasswordAuthentication no), non-default port, AllowUsers whitelist, fail2ban for brute force
- Filesystem: sticky bits, SUID/SGID audit; /tmp with noexec, nosuid; encrypted partitions with LUKS
- Firewall: default DENY policy; only open required ports; log INVALID packets; separate INPUT/OUTPUT/FORWARD chains
- Intrusion detection: fail2ban for repeated auth failures; AIDE for filesystem integrity monitoring (detects changes)
- Auditing: auditd for syscall logging; syslog centralization; regular log review
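As an added example (not code from the original post), a small POSIX shell audit that checks the settings listed above: the sshd_config directives (PermitRootLogin, PasswordAuthentication, AllowUsers) and the noexec/nosuid options on /tmp. It reads files given as arguments so it can run on copies; the sample configs it creates are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes POSIX sh, awk, tr, mktemp.

# Effective value of an sshd_config keyword: first match wins, as in sshd.
# Stops at the first "Match" block, so per-user overrides need a separate review.
sshd_value() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ { next }
        tolower($1) == "match" { exit }
        tolower($1) == key { print $2; exit }
    ' "$1"
}

# Print one line per weak setting; return value = number of findings.
audit_sshd() {
    _cfg=$1; _n=0
    v=$(sshd_value "$_cfg" PermitRootLogin)
    [ "$v" = "no" ] || { echo "PermitRootLogin is '${v:-unset}', want no"; _n=$((_n+1)); }
    v=$(sshd_value "$_cfg" PasswordAuthentication)
    [ "$v" = "no" ] || { echo "PasswordAuthentication is '${v:-unset}' (default yes), want no"; _n=$((_n+1)); }
    v=$(sshd_value "$_cfg" AllowUsers)
    [ -n "$v" ] || { echo "AllowUsers unset: any local account may log in"; _n=$((_n+1)); }
    return "$_n"
}

# Check the /tmp entry of an fstab-style file for noexec and nosuid.
audit_tmp_fstab() {
    _opts=$(awk '$1 !~ /^#/ && $2 == "/tmp" { print $4; exit }' "$1")
    [ -n "$_opts" ] || { echo "/tmp has no dedicated mount entry"; return 1; }
    _n=0
    for want in noexec nosuid; do
        case ",$_opts," in
            *,"$want",*) ;;
            *) echo "/tmp mounted without $want"; _n=$((_n+1)) ;;
        esac
    done
    return "$_n"
}

# Constructed sample inputs (not from any real host) so the demo runs offline.
WEAK=$(mktemp); HARD=$(mktemp); FSTAB=$(mktemp)
printf '# stock-looking config\nPort 22\nPermitRootLogin yes\n' > "$WEAK"
printf 'Port 2222\nPermitRootLogin no\nPasswordAuthentication no\nAllowUsers deploy\nMatch User backup\n    PasswordAuthentication yes\n' > "$HARD"
printf 'UUID=PLACEHOLDER / ext4 defaults 0 1\ntmpfs /tmp tmpfs defaults,nosuid 0 0\n' > "$FSTAB"

audit_sshd "$WEAK" || echo "weak config: $? finding(s)"
audit_sshd "$HARD" && echo "hardened config: no findings (Match block not inspected)"
audit_tmp_fstab "$FSTAB" || echo "fstab: $? finding(s)"
```

On a live host, pass /etc/ssh/sshd_config and /etc/fstab, and review any Match blocks by hand since the parser deliberately stops there.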
Insights
The physical security section is the correct starting point — all software security is meaningless if an attacker has physical access to the machine. The BIOS password + GRUB password combination closes the most obvious local attack vectors. The SSH hardening section covers the most common real-world vector for server compromise: default port + password auth is scanned constantly by automated bots. AIDE (file integrity monitoring) represents the “post-breach detection” layer — it won’t prevent compromise but will tell you when files have been modified, which is crucial for incident response.
Connections
Raw Excerpt
There is a gradual line that implies comfort and security. An ultra-secure system is almost never comfortable, while a super comfortable flow isn't always the most secure.