10 Basic Linux Security Best Practices

May 07, 2026 — Jt Spratley

I've evangelized Linux operating systems (OSes) — or distributions (distros) — and free open-source software (FOSS) for over a decade. Since then, cybersecurity has evolved so much, especially with the evolution of artificial intelligence (AI). But I haven't addressed this directly in quite some time. Below I'll share 10 basic Linux security best practices with actionable solutions.


Delete Bloatware to Free Space and Memory

Like Windows, many Linux OSes come with apps preinstalled which you might not want or need. Unlike Windows, you can uninstall bloatware on Linux. Many users hear "bloatware" and focus on graphical applications that show in the apps menu. However, Linux OSes include various command line interface (CLI) — or terminal — applications that you may want to remove for various reasons:

  1. Unused packages (orphans) that were required for another app you've uninstalled, and are therefore no longer needed
  2. Packages that conflict with updates to other software that the OS or your workflow requires
  3. Older versions of CLI apps

The easiest way to view installed CLI apps is in your OS software center. Read what the app does. Sometimes, you'll learn more from reading its CLI manual with "man packagename." If you don't find it necessary, remove it.

Ubuntu/Debian: To remove unused dependencies and clear cached .deb files:

sudo apt autoremove && sudo apt autoclean

Red Hat Enterprise Linux (RHEL)-family distros (Fedora, AlmaLinux): To remove unneeded dependencies and clear the package cache:

sudo dnf autoremove && sudo dnf clean all

Arch Linux: To view orphaned packages:

sudo pacman -Qdt

To remove older cached versions of installed packages:

sudo pacman -Sc

Install Only Software Vetted by Your Linux OS

When unsure about the validity of an application:

  1. Check whether it's in your OS official software repository
  2. Check whether it's in snap, flatpak, or Docker
  3. Check for popularity and other activity on GitHub, Launchpad, GitLab, etc.
  4. Research whether something you already have installed (especially CLI apps) can do the same job

If you're not sure about the results you get, don't install it.

Use Strong Passwords and Password Management

If possible, use a password manager to save and create passwords. It's the easiest password management solution. There are multiple free options for your preferred workflow:

  • Bitwarden, KeePassXC, and many other desktop apps
  • pass CLI password manager
  • Web browser password manager

If for some reason you need a strong password, and don't want to bang on the keyboard for a few seconds, here are a few ways to create strong passwords in the Linux CLI. Which ones you prefer will likely depend on your password requirements and what's available on your system.

This shuf command includes all alphanumeric characters and standard special characters. I recommend shuf password generation over the other alternatives. Its syntax allows easily changing the string output length and which special characters are used. The "-n20" specifies the length of the output. Change the "20" and remove special characters — '!' for example — as needed.

shuf -er -n20 {A..Z} {a..z} {0..9} '!' '@' '#' '$' '%' '^' '&' '*' '(' ')' | tr -d '\n'

If you need a password without special characters:

shuf -er -n20 {A..Z} {a..z} {0..9} | tr -d '\n'

This tr command is shorter and includes alphanumeric and standard special characters. The "10" at the end sets the output length.

tr -dc '[:print:]' < /dev/urandom | head -c 10; echo

To exclude special characters, simply change "print" to "alnum."

tr -dc '[:alnum:]' < /dev/urandom | head -c 10; echo

Similarly, this base64 command includes alphanumeric and standard special characters. The "44" sets the length.

base64 < /dev/urandom | head -c 44; printf '\n'

The openssl command is probably the most popular on the list. This command only outputs hexadecimal characters (0-9 and a-f). The "60" is the output length.

openssl rand -hex 32 | tr -d '\n' | head -c 60

The alternative below uses A-Z, a-z, 0-9, +, /, and =. Change the "10" to adjust the output length.

openssl rand -base64 32 | head -c 10
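The following is an added example, not code from the original post, that packages the tr approach above into reusable functions: a generator that uses [:graph:] so a space (which [:print:] allows) cannot land in the password, a policy check, and an entropy estimate for comparing the length settings of the one-liners. The function names are hypothetical.

```bash
#!/usr/bin/env bash
# Added example, not from the original post: a /dev/urandom generator in the
# style of the tr one-liners above, a password policy check, and an entropy
# estimate for comparing the length knobs. Function names are hypothetical.

# gen_password LENGTH [CLASS]: take LENGTH bytes from /dev/urandom that fall in
# the tr class CLASS (default graph = every printable character except space,
# which [:print:] would otherwise let into the password).
gen_password() {
  LC_ALL=C tr -dc "[:${2:-graph}:]" < /dev/urandom | head -c "${1:-20}"
}

# check_password_policy PASSWORD MINLEN: 0 if PASSWORD is at least MINLEN long
# and contains an upper, lower, digit and punctuation character, else 1.
check_password_policy() {
  pw=$1
  [ "${#pw}" -ge "${2:-12}" ] || return 1
  for class in upper lower digit punct; do
    case $pw in *[[:$class:]]*) ;; *) return 1 ;; esac
  done
  return 0
}

# entropy_bits LENGTH ALPHABET: LENGTH * log2(ALPHABET) for a uniformly random
# password, one decimal. Alphabet sizes: hex 16, alnum 62, base64 64, graph 94.
entropy_bits() {
  awk -v n="$1" -v a="$2" 'BEGIN { printf "%.1f", n * log(a) / log(2) }'
}

# Usage: the length knobs in the one-liners are not equivalent; compare them.
printf 'graph, 20 chars: %s (%s bits)\n' "$(gen_password 20)" "$(entropy_bits 20 94)"
printf 'alnum, 10 chars: %s (%s bits)\n' "$(gen_password 10 alnum)" "$(entropy_bits 10 62)"
printf 'hex, 60 chars: %s bits; base64, 10 chars: %s bits\n' "$(entropy_bits 60 16)" "$(entropy_bits 10 64)"
```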

Use a Regular User Account instead of Root

Always use a regular user account, then escalate (sudo) to root when needed. Many Linux distros force you to do this for good reasons. Doing everything as root:

  1. Bypasses security restrictions and logging
  2. Doesn't prompt you to be sure before executing system-wide changes
  3. Increases security vulnerabilities when applications are run with root privileges

Ubuntu regular user creation (replacing "newuser" with the username):

adduser newuser

Allow the user to use the sudo command:

usermod -aG sudo newuser

Verify the user was created with sudo access:

id newuser

RHEL-based distro user creation (do both):

useradd newuser
passwd newuser

Add the user to the wheel (sudo) group:

usermod -aG wheel newuser

Verify the user was created with sudo access:

id newuser

Arch Linux user creation and access to sudo privileges:

useradd -m -G wheel newuser
passwd newuser

Edit /etc/sudoers to allow sudo access to the wheel user group:

visudo

Uncomment this line and save changes:

# %wheel ALL=(ALL:ALL) ALL

Configure a Firewall to Close Network Ports

A basic, traditional firewall closes ports so that only necessary network data can enter and leave your Linux PC. The most popular Linux system firewalls are UncomplicatedFirewall (UFW) and Firewalld.

UFW — and its graphical user interface (GUI) wrapper GUFW — is a traditional (stateful) firewall. It opens and closes ports.

Firewalld includes zones for setting specific rules per network connection (wired versus Wi-Fi).

Linux security news: ConfigServer Security & Firewall (CSF) is discontinued as of September 2025. If you want to use it, consider searching for a reputable CSF fork.

If you want next generation firewall (NGFW) features, you could install Fail2ban alongside UFW or Firewalld. Fail2ban is a dynamic intrusion prevention system (IPS). It monitors service logs (e.g., SSH, email, FTP) for malicious patterns (e.g., repeated failed logins) and modifies UFW or Firewalld to ban the offending IP addresses.

The average user will need the following ports open:

  • Port 53 (UDP/TCP): DNS resolution (e.g., turning [anydomain].com into an IP address)
  • Port 80 (TCP): Unencrypted web browsing (HTTP)
  • Port 443 (TCP): SSL / TLS encrypted web browsing (HTTPS)
  • Ports 25, 587, 465 (TCP): Sending email (SMTP)
  • Ports 110, 995, 143, 993 (TCP): Receiving email (POP3/IMAP)
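As an added example that is not part of the original post, here is a UFW rule set built from the port list above, treating those ports as outbound destinations and denying everything else in both directions by default. It assumes ufw is installed and prints the commands unless APPLY=1; anything not on the list (NTP on 123/udp, SSH on 22, VPN or chat clients) stays blocked until you add a rule for it.

```bash
#!/usr/bin/env bash
# Added example, not from the original post: a UFW rule set that allows only
# the outbound ports listed above (as destination ports) and denies everything
# else, incoming and outgoing. Prints the commands unless APPLY=1.
# Assumption: ufw is installed; run as root when applying.
set -eu

# run: print the ufw command in dry-run mode, execute it when APPLY=1.
run() {
  if [ "${APPLY:-0}" = 1 ]; then ufw "$@"; else printf 'ufw %s\n' "$*"; fi
}

# desktop_rules: default-deny in both directions, then allow the listed ports.
desktop_rules() {
  run default deny incoming
  run default deny outgoing
  run allow out 53                                     # DNS, TCP and UDP
  run allow out proto tcp to any port 80,443           # HTTP, HTTPS
  run allow out proto tcp to any port 25,465,587       # sending mail (SMTP)
  run allow out proto tcp to any port 110,995,143,993  # receiving mail (POP3/IMAP)
  run --force enable                                   # enable without the prompt
}

desktop_rules
```

Run it once as-is to review the plan, then `APPLY=1 sudo ./ufw-desktop.sh` (the file name is an assumption) to apply it.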

Configure Automated Linux Security Scans

Open-source software, including Linux, is not inherently less secure than proprietary software. But Linux is not impenetrable to malware. A high percentage of web servers run on Linux, as do supercomputers. Note: Some stats argue most servers but add BSD and other Unix-like OSes to boost the number. Regardless of the exact number, it's easy to understand why. It's cheaper. It's easy to find free server management software. A 2015 survey comparing Windows and Linux concluded participants found Linux somewhat more secure, reliable, and scalable than Windows.

Popularity with users brings more attention from cyber attackers. Debian, Fedora, and Ubuntu are in the top 10 of digital products with the most CVEs. So, a malware scanner is a valuable tool for crafting your own Linux NGFW setup.

  • ClamAV is the most popular CLI antivirus (AV) software for Linux. Many open-source web applications have plugins that integrate ClamAV for on-demand file scans. ClamTK is a free graphical wrapper app for using ClamAV outside of the terminal.
  • Chkrootkit scans for known rootkit signatures, something AV software usually doesn't detect.
  • Rkhunter (Rootkit Hunter) scans for rootkits, hidden files, and suspicious permissions and kernel modules.
  • Lynis audits the system for vulnerabilities, configuration errors, and malware indicators.

As you likely noticed, all four do slightly different things. You could use all four to get a better understanding of your Linux security posture. How? Easy. Install them all, then create cron jobs: scheduled tasks that run in the background. The crontab file lists the jobs, and the crond daemon executes them on schedule.

The cron bundle is included with every Linux distro I've used. To create a cron job in the terminal:

crontab -e

This example cron job runs ClamAV every Monday ("first day" of the week) at 9 AM on the entire /home/userdir directory. The -i flag reports only infected files and -r scans recursively; the output is appended to results.txt in the user's home directory.

0 9 * * 1 clamscan -ir /home/userdir >> ~/results.txt

You can use various cron job creators to simplify this. Monthly and on separate days may suffice for the other scanners.
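Added example, not part of the original post: a small wrapper script for the cron job above that preserves clamscan's exit status and raises an alert from the scan summary, instead of only appending to a file that nobody reads. The script path, the log path and the use of logger for the alert are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: a wrapper for the weekly cron job
# above that keeps clamscan's exit status and turns the summary into an alert.
# Assumptions: the install path /usr/local/bin/clamscan-weekly.sh, the log
# path, and logger(1) as the alert channel.

# scan_dir DIR LOG: scan DIR recursively, report only infected files, append
# everything to LOG. clamscan exits 0 = clean, 1 = infected, 2 = error.
scan_dir() {
  clamscan -ir "$1" >> "$2" 2>&1
}

# infected_count LOG: the number from the last "Infected files: N" line that
# clamscan prints in its scan summary (0 when the log has no summary yet).
infected_count() {
  awk '/^Infected files:/ { n = $3 } END { print n + 0 }' "$1"
}

main() {
  dir=${1:-$HOME} log=${2:-$HOME/results.txt}
  scan_dir "$dir" "$log"
  status=$?
  if [ "$status" -eq 1 ]; then
    logger -t clamscan-weekly "ALERT: $(infected_count "$log") infected file(s) under $dir, see $log"
  elif [ "$status" -ge 2 ]; then
    logger -t clamscan-weekly "scan of $dir failed with exit status $status"
  fi
  return "$status"
}

# Crontab entry (Monday 09:00); main runs only when this script itself is executed:
# 0 9 * * 1 /usr/local/bin/clamscan-weekly.sh /home/userdir /home/userdir/results.txt
case ${0##*/} in clamscan-weekly.sh) main "$@" ;; esac
```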

Update and Harden the Linux Kernel

The #1 product with the most common vulnerabilities and exposures (CVEs) is the Linux kernel. That stat deserves further context.

  1. Jerry Gamblin warns that the reason mostly stems from the Linux kernel maintainers — The Linux Foundation — becoming their own CVE Numbering Authority (CNA) in 2024. The Linux Foundation is very transparent with reporting even minor kernel issues. Therefore, they self-report a lot of CVEs unlike Windows and Apple.
  2. A 2026 study highlights that newer kernel versions receive updates much faster than older ones.
  3. In 2022, a study titled Set the Configuration for the Heart of the OS: On the Practicality of Operating System Kernel Debloating claimed that "50%–85% of the attack surface can be reduced by debloating the Linux kernel for the server software and that 34%–74% of known security vulnerabilities can be nullified in the Linux kernel by only including kernel modules that are needed by the target applications."

What should you take from this information? Update your kernel to the latest stable or long-term support (LTS) version. In many Linux distros, it shows as another package in your software center. To view your current Linux kernel version in the terminal, type:

uname -r

You can compare this to the latest Linux kernel versions at kernel.org.

Want to learn more in-depth about the Linux kernel? Learn how to remove unnecessary Linux kernel modules from your system. This is known as recompiling a custom Linux kernel. Check out the Linux Foundation kernel development course which awards a Credly digital badge on completion.

Harden Your Web Browser and Home Network

I've already discussed in-depth basic browser security and network security. The most notable advice I'll emphasize here: Configure network security features on your home router.

For deeper protection, use a custom DNS resolver (or DNS filter) which blocks gambling, porn, and other malicious websites. You can set a custom DNS resolver in your browser and home router. If you set the custom DNS resolver in the browser, other browsers are unaffected. If you set it on your home network, every device connected to your network is affected.

A quick search shows the most popular options are DNSforFamily, CleanBrowsing, OpenDNS Family Shield, Cloudflare for Families, and AdGuard Family Protection. To test a DNS filter, search for steps to change your DNS resolver in your browser or home router.

If you prefer to manually create your own, you can download community-driven filter lists to your hosts file.

Be careful when trying any of these. Research the validity and privacy policies of the DNS filter companies before trying them. Be cautious of any files you download from GitHub repositories. Don't try any of this right before something that requires network access, like an online meeting.

Use Rsync or SFTP Instead of Deprecated Secure Copy Linux CLI App

Secure copy protocol (SCP) was deprecated in OpenSSH 9.0 in April 2022. Per OpenSSH in 2019:

The scp protocol is outdated, inflexible and [CVEs] not readily fixed. We recommend the use of more modern protocols like sftp and rsync for file transfer instead.

The scp command now uses SSH File Transfer Protocol (SFTP) to upload files. If you only need to upload files to a Linux server, try rsync:

rsync -avzhe ssh file.txt root@1.2.3.4:/var/www/

SFTP is better for further file management — uploading and downloading files:

sftp server_user@server_ip_or_hostname

Take a break from Linux security hardening with one of my favorite Linux games.

Tags: IT, linux, free-open-source-software
