Linux / OS Hardening Articles

dm-verity gives you a read-only root that fails to mount if a single block is tampered with. dm-integrity adds runtime checksumming. Together: immutable, evidence-bearing systems.

lsm_bpf attaches eBPF programs to LSM hooks. Define security policy in code, push without reboot, audit at the syscall boundary. AppArmor for cloud-native systems.

Ambient capabilities, CapDrop in systemd units, auditing capability use with auditd and bpftrace. Least-privilege for services that run as root by legacy necessity.

USB devices are a peripheral attack surface most servers ignore. USBGuard provides allowlist-based authorization, blocking BadUSB and malicious-cable threats.

ed25519-sk and ecdsa-sk bind SSH keys to a hardware token. Phishing-resistant, exfiltration-proof, increasingly the default. Two short commands to switch.

Lockdown mode separates root from kernel. integrity blocks code modification; confidentiality also blocks reads. Cheap, broad, underused.

Landlock lets an unprivileged process restrict its own filesystem and network access at the kernel level. AppArmor without root, seccomp with semantics.

io_uring gives userspace a submission queue that sidesteps the normal syscall path. It has produced a steady stream of kernel CVEs and routinely bypasses seccomp.

Cloud VMs exposed to the internet with password-only SSH are compromised within hours. This article covers the complete secure access stack: SSH key authentication, TOTP two-factor login, WireGuard VPN as a network-layer gate, and audit logging to track who did what and when.

Every SSH hardening guide starts and ends with the same three changes: disable root login, require key-based authentication, change the default port.

Most Linux hosts resolve DNS in plaintext over UDP port 53. On a stock Ubuntu 24.04 or RHEL 9 system:

Linux kernels ship with defaults optimised for compatibility, not security. On a stock Ubuntu 24.04 or RHEL 9 installation.

Without boot security, an attacker with physical access or console access (BMC, IPMI, cloud serial console) to a Linux system can.

/proc and /sys are virtual filesystems that expose kernel internals, hardware details, and process information to userspace.

auditd is the kernel-level audit system on Linux, it captures syscalls, file access, user commands, and privilege changes that no userspace tool can...

iptables is deprecated. nftables is the replacement in every modern Linux kernel (5.0+).

Without resource limits, a single service, container, or compromised process can consume all available CPU, memory, I/O bandwidth, or PIDs on a host.

SELinux is the most powerful mandatory access control system on Linux, and the most disabled. The result: services have no MAC confinement.

Accurate time is a silent dependency of almost every security control on a Linux system.

Manual OS hardening does not scale. The sysctl settings from Hardening the Linux Kernel Attack Surface with sysctl and Boot...

PAM (Pluggable Authentication Modules) is the authentication foundation on Linux.

The Linux kernel loads modules on demand. When a process requests a capability that is not built into the running kernel (a filesystem type, a...

ubuntu:latest ships with over 200 packages. At any given point, a vulnerability scan with Trivy will report 50 or more CVEs, most of which are in...

AppArmor is the default mandatory access control system on Ubuntu and Debian. It restricts applications to specific file paths, capabilities, and...

systemd provides over 30 security-relevant directives for sandboxing services, yet the vast majority of unit files (including those shipped by...

Default Linux installations mount most filesystems with permissive options. On a stock Ubuntu 24.04 or RHEL 9 system: