Stay Ahead With Linux Security HOWTOs
How to Secure My Network
access control Linux administration
access control Linux administration Most SSH hardening advice ends at the same recommendation: Disable password authentication and use SSH keys. . That's good advice. It removes entire classes of attacks, including password spraying, credential stuffing, and brute-force attempts against exposed servers. The problem is what happens next. Many administrators treat SSH keys as the finish line when they are really the beginning of the hardening process. Attackers rarely care whether they obtained access with a password or a private...
Jun 05, 2026
How to Secure My Networksecurity advisory remote access
security advisory remote access Most of the time, nobody notices. SSH authentication succeeds, no alerts are generated, and the connection looks exactly the way it did the day the key was installed. That's part of the problem. . When security teams investigate unauthorized access on Linux systems, they often focus on passwords, exposed services, or vulnerable software. Trusted access receives less attention. Yet a single forgotten or unauthorized SSH key can provide the same access as a legitimate user while attracting very...
Jun 03, 2026
How to Secure My Networkintrusion detection application security
intrusion detection application security The wrong IPS rule can look like a security fix right up until it becomes an outage. . On Linux systems, detection and prevention are often discussed together, but they do not carry the same operational risk. One tells admins that something suspicious happened. The other can decide whether traffic is allowed to continue. That is why IDS vs IPS is not just a definition to memorize. It is a deployment decision about where to monitor, where to block, and how much confidence a team needs before...
Jun 01, 2026
How to Secure My Networkunauthorized access security techniques
unauthorized access security techniques Exposed SSH servers are continuously hammered by brute-force attacks, password spraying, credential stuffing, and recycled passwords from infostealer dumps. Attackers rotate usernames, test weak credentials, and probe for anything that gives them initial access. The logs usually look messy long before the compromise happens. . The difficult part is separating harmless failures from actual intrusion activity. One failed login from an internal workstation rarely matters. Repeated failures...
May 28, 2026
How to Secure My Networksecurity advisory incident response
security advisory incident response The first 30 minutes after discovering a compromised Linux server usually decide how much evidence remains available. One rushed reboot or cleanup attempt can wipe logs, terminate malicious processes, or remove network activity that investigators still need to review. Attackers also do not usually stay on one system for long once access is established. Early response is mostly about preserving visibility. Collect process information. Save network connections. Limit access carefully before...
May 28, 2026
Refine HOWTOs
X Clear Filters
Get the latest News and Insights
Get the latest Linux and open source security news straight to your inbox.
Community Poll
What got you started with Linux?
Loading...
Explore Latest Linux Security HOWTOs
We found -1 articles for you...
166
security advisorylinuxdockerGitHub Actions Linux Self-Hosted Runners Security Risks 2025-30066
Self-hosted GitHub Actions runners give organizations far more flexibility than standard cloud-hosted runners. Teams can integrate internal infrastructure directly into CI/CD workflows, automate Kubernetes deployments, run custom tooling, and manage Linux-based build environments without relying entirely on external infrastructure. . That flexibility also creates a significant security risk. A compromised self-hosted GitHub Actions runner can hand attackers direct access to Kubernetes clusters, cloud credentials, package registries, and production deployment systems—often without exploiting a single Linux vulnerability. Recent compromises, such as the poisoning of the tj-actions/changed-files Action and the Codecov supply chain breach, demonstrated how attackers increasingly target CI/CD automation. This is because the pipeline itself often provides privileged access to infrastructure and production environments already. Unlike ephemeral cloud runners, self-hosted Linux runners frequently persist long after workflows complete. In many environments, they already sit close to Kubernetes clusters, internal repositories, package publishing systems, and cloud administration tooling. Why Self-Hosted GitHub Actions Runners Create Security Risks Self-hosted runners often inherit broad operational access because they handle container builds, infrastructure deployment, cloud provisioning, and release automation simultaneously. That concentration of privileged access makes the runner itself a high-value target. As workflows expanded, self-hosted runners gradually accumulated access to: cloud deployment credentials, Kubernetes environments, internal repositories, package publishing systems, infrastructure automation tooling, container registries, and production release pipelines. The risk becomes larger when organizations place runners directly inside trusted internal networks or allow workflows to interact directly with production infrastructure. Once attackerscompromise the workflow environment, the runner may become a pivot point for lateral movement deeper into the environment. Unlike traditional endpoint compromise, attackers frequently abuse legitimate CI/CD automation behavior rather than exploiting Linux directly. That operational normalcy makes malicious workflow activity much harder to detect. How to Use Ephemeral GitHub Actions Runners on Linux Persistent runners may retain credentials, temporary artifacts, shell histories, and environment variables long after workflows finish executing. That persistence creates additional opportunities for: credential theft, workflow persistence, artifact tampering, and lateral movement across infrastructure environments. Ephemeral runners reduce that exposure window because the environment is destroyed automatically after each workflow completes. If you are running on standalone Linux hosts, you can enforce this by using the --ephemeral flag during the registration process: ./config.sh --url [https://github.com/OWNER/REPO](https://github.com/OWNER/REPO) --token YOUR_TOKEN --ephemeral Many organizations now deploy ephemeral Linux runners using the GitHub Actions Runner Controller (ARC) for Kubernetes. This allows organizations to isolate workflows using namespaces, network policies, and tightly scoped service accounts. The goal is to prevent attackers from inheriting leftover state between jobs. How to Restrict Docker Socket Access on GitHub Actions Runners Exposing the Docker socket ( /var/run/docker.sock ) inside GitHub Actions workflows effectively grants root-level control over the runner host. Many Linux CI/CD environments expose this socket so pipelines can build containers directly, but that configuration becomes dangerous during workflow compromise because attackers may use Docker socket access to escape container isolation, mount sensitive host directories, or deploy privileged containers. Organizations should avoid exposing the Docker socket whenever possible.Safer alternatives include: rootless container builds, isolated build systems, BuildKit, or Kaniko. A standard Kaniko implementation in a Kubernetes-based runner looks like this: YAML - name: Build with Kaniko image: gcr.io/kaniko-project/executor:latest args: ["--dockerfile=Dockerfile", "--destination=my-registry.com/image:latest"] How to Remove Long-Lived Secrets From GitHub Actions Workflows Long-lived credentials create unnecessary exposure. Many workflow compromises specifically target GitHub Personal Access Tokens or cloud access keys stored inside repositories. Once exposed, those credentials may continue functioning long after defenders discover the breach. Organizations should replace static credentials with OIDC (OpenID Connect) . OIDC allows workflows to request temporary cloud credentials dynamically during execution. Major cloud providers, including AWS, Azure, and Google Cloud, already support OIDC integration, which significantly reduces the operational value of stolen credentials. A hardened OIDC configuration for AWS would look like this: YAML permissions: id-token: write contents: read steps: - name: Configure AWS Credentials uses: aws-actions/configure-aws-credentials@v4> with: role-to-assume: arn:aws:iam::1234567890:role/my-github-role aws-region: us-east-1 How to Restrict GitHub Actions Workflow Permissions Many GitHub Actions environments still run with broader repository permissions than workflows actually require. Overly permissive configurations, such as permissions: write-all , grant workflows unnecessary repository modification privileges. A safer baseline starts with an empty permission set, explicitly granting only the permissions required for the workflow itself: YAML permissions: {} # Grant only the specific scope required permissions: contents: read Security teams should also carefully review all workflows using the pull_request_target trigger. Because thistrigger executes using the permissions of the target repository rather than the untrusted fork, attackers may abuse it to expose repository secrets. How to Review GitHub Actions Workflow Changes Safely Workflow files should be treated like infrastructure code. Modifications inside .github/workflows/ can directly affect deployment systems, cloud authentication, and runner execution behavior. Organizations should require mandatory pull request reviews and use CODEOWNERS protection to ensure security teams audit every change. Plaintext # .github/CODEOWNERS .github/workflows/ @platform-security-team In many environments, modifying a workflow effectively changes production infrastructure behavior. Security teams should monitor for unexpected workflow additions or unauthorized permission changes that could indicate a supply chain compromise in progress. How to Restrict Outbound Traffic and Monitor Activity Many CI/CD compromises rely on transmitting secrets to attacker-controlled infrastructure. Organizations should restrict unnecessary outbound traffic from runners using firewall rules, DNS filtering, or Kubernetes NetworkPolicies . For example, you can lock down a Kubernetes runner pod to only communicate with GitHub IP ranges: YAML apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: name: runner-egress spec: podSelector: matchLabels: app: github-runner egress: - to: - ipBlock: cidr: 140.82.112.0/20 # GitHub IP Range Because attackers frequently operate using legitimate workflow credentials, detection often depends on identifying unusual operational behavior—such as unexpected curl execution or unauthorized cloud API activity. GitHub Actions Runner Hardening Checklist Use ephemeral runners to prevent persistence between builds. Replace long-lived cloud credentials with short-lived OIDC tokens. Remove Docker socket exposure by using Kaniko or BuildKit. Isolate runners from productionnetworks and Kubernetes control planes. Restrict outbound traffic to only essential GitHub and cloud endpoints. Enforce a "deny-all" permission baseline in every workflow YAML. Require mandatory reviews for any modification to .github/workflows/ . GitHub Actions workflows now sit directly inside the software supply chain. They build applications, publish packages, and deploy infrastructure across production systems every day. That operational position makes them extremely attractive targets. For Linux-heavy infrastructure running cloud-native workloads, the risk is significant because the pipeline is no longer just a support tool—it has become part of production itself. Want more Linux security hardening guides like this? Subscribe to our newsletter for practical tutorials on Linux infrastructure, CI/CD security, cloud-native operations, and open-source security best practices. . Self-hosted GitHub Actions runners offer flexibility but pose major security risks that organizations must address effectively.. Self-hosted GitHub, Actions runners, CI/CD security, Linux infrastructure, pipeline security. . MaK Ulac
May 15, 2026
•
How to Learn Tips and Tricks
166
configurationdatabaselinuxDeploy Microsoft SQL Server in Docker On Linux Efficiently
Learn how to configure and connect to a Microsoft SQL Server Database on a Linux machine using Docker containers. . Microsoft SQL Server is a robust and widely used database management system (DBMS). Traditionally, SQL Server databases have been set up on dedicated servers or virtual machines, but Docker has changed all that. Let's take a look at how you can set up a SQL Server instance on a Linux container with Docker. . Discover the process of setting up and accessing Microsoft SQL Server on a Linux environment utilizing Docker containers in an optimal and streamlined manner.. Docker SQL Server, Linux Database Setup, Microsoft SQL Configuration, SQL Server on Linux. . Brittany Day
May 11, 2022
•
How to Learn Tips and Tricks
166
securitydockercrowdsecCrowdSec Guide: Automatic IP Banning for Docker Containers
While CrowdSec is most commonly used as a host-based defense mechanism, the free and open-source cybersecurity solution is also suitable for Docker environments. This tutorial demonstrates how to deploy a minimal yet complete applicative stack using Docker Compose and secure it with CrowdSec. . You will learn how to: Automatically ban malevolent IPs from accessing container services Manually add/remove and inspect ban decisions Monitor CrowdSec’s behavior (via CLI and Dashboards) . Discover how to protect your Docker Compose environments using CrowdSec, implementing IP bans for harmful entities while efficiently tracking security decisions.. Docker Security, CrowdSec Tutorial, Container Defense, Open Source Security. . Brittany Day
Sep 07, 2021
•
How to Learn Tips and Tricks
166
firewalllinux kernelsandboxHow To Harden Docker Containers With Seccomp Security Profiles
Are you a Linux user looking to harden your Docker containers? If so, you'll want to explore Secure Computing Mode (Seccomp) - a Linux kernel feature that can be used to help run Docker in a more secure environment. . It is more like a sandbox environment that not only acts as a firewall for syscalls but also enables you to restrict the actions available within the Docker containers to the host’s Linux kernel. In this guide, you will learn how to run a container with and without the Seccomp profile. . Enhance the security of your Docker containers by implementing Seccomp profiles to restrict syscall operations, thereby reinforcing their safety.. Container Hardening, Seccomp Security, Linux Security. . Brittany Day
Aug 24, 2020
•
How to Learn Tips and Tricks
Get the latest News and Insights
Get the latest Linux and open source security news straight to your inbox.
Community Poll
What got you started with Linux?
Search Topics
Powered By
Linux Security - Your source for Top Linux News, Advisories, HOWTOs and Feature Releases
QUICK LINKS
subscribe to newsletters!
Like staying secure? So do we.
Sign up for updates, tips, and alerts!
Discover faster search, smarter navigation, and deeper Linux security insights. Read More