Stay Ahead With Linux Security HOWTOs
How to Secure My Network
access control Linux administration
access control Linux administration Most SSH hardening advice ends at the same recommendation: Disable password authentication and use SSH keys. . That's good advice. It removes entire classes of attacks, including password spraying, credential stuffing, and brute-force attempts against exposed servers. The problem is what happens next. Many administrators treat SSH keys as the finish line when they are really the beginning of the hardening process. Attackers rarely care whether they obtained access with a password or a private...
Jun 05, 2026
How to Secure My Networksecurity advisory remote access
security advisory remote access Most of the time, nobody notices. SSH authentication succeeds, no alerts are generated, and the connection looks exactly the way it did the day the key was installed. That's part of the problem. . When security teams investigate unauthorized access on Linux systems, they often focus on passwords, exposed services, or vulnerable software. Trusted access receives less attention. Yet a single forgotten or unauthorized SSH key can provide the same access as a legitimate user while attracting very...
Jun 03, 2026
How to Secure My Networkintrusion detection application security
intrusion detection application security The wrong IPS rule can look like a security fix right up until it becomes an outage. . On Linux systems, detection and prevention are often discussed together, but they do not carry the same operational risk. One tells admins that something suspicious happened. The other can decide whether traffic is allowed to continue. That is why IDS vs IPS is not just a definition to memorize. It is a deployment decision about where to monitor, where to block, and how much confidence a team needs before...
Jun 01, 2026
How to Secure My Networkunauthorized access security techniques
unauthorized access security techniques Exposed SSH servers are continuously hammered by brute-force attacks, password spraying, credential stuffing, and recycled passwords from infostealer dumps. Attackers rotate usernames, test weak credentials, and probe for anything that gives them initial access. The logs usually look messy long before the compromise happens. . The difficult part is separating harmless failures from actual intrusion activity. One failed login from an internal workstation rarely matters. Repeated failures...
May 28, 2026
How to Secure My Networksecurity advisory incident response
security advisory incident response The first 30 minutes after discovering a compromised Linux server usually decide how much evidence remains available. One rushed reboot or cleanup attempt can wipe logs, terminate malicious processes, or remove network activity that investigators still need to review. Attackers also do not usually stay on one system for long once access is established. Early response is mostly about preserving visibility. Collect process information. Save network connections. Limit access carefully before...
May 28, 2026
Refine HOWTOs
X Clear Filters
Get the latest News and Insights
Get the latest Linux and open source security news straight to your inbox.
Community Poll
What got you started with Linux?
Loading...
Explore Latest Linux Security HOWTOs
We found 8 articles for you...
167
security advisoryremote accessauthenticationHow to Detect Unauthorized SSH Keys on Linux Systems
Most of the time, nobody notices. SSH authentication succeeds, no alerts are generated, and the connection looks exactly the way it did the day the key was installed. That's part of the problem. . When security teams investigate unauthorized access on Linux systems, they often focus on passwords, exposed services, or vulnerable software. Trusted access receives less attention. Yet a single forgotten or unauthorized SSH key can provide the same access as a legitimate user while attracting very little scrutiny. This guide explains how to identify unauthorized SSH keys, investigate suspicious SSH activity, and determine whether the trust you've granted over time still belongs there. Why Unauthorized SSH Keys Are So Dangerous SSH keys bypass many controls that organizations traditionally depend on. A password-based attack often generates warning signs. Failed authentication attempts appear in logs. Lockout thresholds trigger. Users report suspicious activity. Security tools generate alerts. A valid SSH key behaves differently. When an attacker possesses a legitimate private key, the authentication process may look completely normal. The SSH daemon sees a trusted credential. The login succeeds. No password failures occur. No brute-force signatures appear. Nothing obviously breaks. That makes SSH keys attractive for persistence. An attacker who gains administrative access frequently adds a new public key to an existing account. Sometimes they create a new account. Sometimes they target the root directly. Other times, they hide inside a service account that rarely receives attention because administrators assume it belongs to an application. The objective is simple: maintain access after the original vulnerability gets patched. Keys also support lateral movement. Once attackers compromise one Linux host, they often search for private keys stored in home directories, automation scripts, CI/CD systems, backup repositories, or deployment servers. A single exposed private key can unlockmultiple systems. Suddenly, one foothold becomes several. The dangerous part is that none of this necessarily looks suspicious. The attacker is using a trusted authentication method exactly as it was designed to work. Where SSH Key Abuse Usually Starts Unauthorized SSH key usage rarely begins with SSH itself. The problem usually starts somewhere else in the attack chain: Developer Workstations: A compromised laptop may contain private keys used for production access. Public Repositories: Developers occasionally commit private keys, configuration files, backup archives, or deployment scripts. Automated scanning tools continuously search for exposed secrets. Service Accounts: Many organizations grant broad permissions to automation accounts because restricting access requires additional engineering work. Those accounts often hold keys that provide access across multiple environments. Vendor Access: A contractor receives temporary access to support a project. The project ends. Nobody removes the key. Months later, the account still works. Manually Added Keys: An administrator troubleshooting an outage might temporarily add a key for convenience and forget about it afterward. Step 1: Inventory Authorized SSH Keys Across Linux Systems The first step is understanding what trusted access currently exists. Many organizations cannot answer a simple question: Which SSH keys are authorized across the environment right now? Start by identifying every authorized_keys file . Most administrators immediately think about user accounts, but SSH keys appear in many places: Root accounts Service accounts Application users Automation accounts Dormant accounts Document the username, home directory, public key fingerprint, source system, key owner, business purpose, and date added, if available. This process can be tedious, but detection depends on knowing what normal looks like. If a SOC analyst discovers a public key during an investigation, the first question should be: Who owns this key? Too often, the answer is unknown. That uncertainty creates management blindness. Step 2: Compare Keys Against Known Owners Once an inventory exists, every key should be mapped to a specific owner and business purpose. A key without an owner should immediately attract attention. The same applies to keys associated with former employees, retired systems, completed projects, old vendors, or abandoned automation. Duplicate usage is another warning sign. If the same public key appears across unrelated accounts or systems, investigate why. Shared keys often emerge from convenience-based administration practices. One administrator creates a key pair and distributes it widely because it simplifies management. Convenient. Also dangerous. Compromise that one key and the attacker inherits every trust relationship attached to it. Step 3: Monitor Changes to authorized_keys Periodic audits help, but they are not enough. An attacker does not need to wait for the next quarterly review. They only need a few seconds to add a new key. Focus on locations such as: ~/.ssh/authorized_keys /root/.ssh/authorized_keys Service account SSH directories and configuration files File integrity monitoring can detect additions, removals, and modifications. Linux audit rules can also record changes and identify which process or user performed the action. Monitoring creates a timeline. A timeline reveals who changed what and when. That evidence becomes extremely valuable during incident response. Step 4: Review SSH Authentication Logs Linux authentication logs provide insight into how SSH keys are used after they are installed. Common locations include /var/log/auth.log, /var/log/secure, or journalctl. Review successful public-key authentication events rather than focusing only on failures. Several patterns warrant investigation: Logins originating from unfamiliar IP addresses. Authentication events occurring outside normal maintenance windows. Service accounts thatsuddenly begin interactive logins. Administrator accounts that have remained dormant for months and then become active again. One successful login might be legitimate. Twenty successful logins across ten servers from a previously unseen source network tell a different story. Step 5: Correlate Key Usage With User Behavior A valid key can still be used in an invalid way. Security teams should correlate SSH activity with information about users, devices, networks, and expected administrative behavior. Questions worth asking include: Did the login originate from an approved source IP? Does the user normally access systems from this network? Does the login align with the user's role and approved change tickets? Unauthorized SSH key usage often appears as a context mismatch rather than an authentication failure. The login works exactly as expected. Everything around it does not. Step 6: Look for Persistence Patterns Persistence leaves clues. Not always immediately, but attackers tend to follow recognizable patterns. Watch for a new SSH key appearing shortly after suspicious activity. High-privilege targets deserve special attention. Keys added to root accounts, infrastructure management accounts, or systems with broad sudo privileges carry elevated risk. Watch for the same key appearing across multiple hosts, as an attacker may distribute a trusted key widely. If a login is immediately followed by privilege escalation, file staging, or outbound network connections, you aren't looking at an admin—you’re looking at an adversary. Step 7: Close Audit Gaps Many SSH-related incidents are enabled by process failures rather than technical failures. Organizations often lack a centralized inventory of SSH keys. Alerting is frequently absent. A new key can be added to a production server without generating any notification. Vendor access deserves particular attention. External access is often granted quickly, but removal tends to happen much more slowly. What Security TeamsShould Alert On Security monitoring should generate alerts for: New keys added to privileged accounts Public-key logins from previously unseen source IPs Dormant users authenticating through SSH The same key appearing across unrelated accounts SSH activity outside approved maintenance windows Modifications to the SSH configuration that weaken access controls How to Respond When Abuse Is Suspected The first instinct is often to remove the key immediately. Be careful. Preserve authentication logs, shell history, audit records, and system artifacts before making changes whenever possible. Understanding how the key arrived on the system is just as important as removing it. Identify affected accounts first. Then determine which systems trust the key. Disable or remove suspicious keys only once evidence collection is complete. Rotate exposed keys. Check cron jobs, startup scripts, and scheduled tasks. Look for lateral movement because attackers rarely stop at one host when additional access is available. Prevention: Make SSH Key Trust Verifiable The strongest defense is reducing uncertainty. Every SSH key should have a documented owner, a defined purpose, and a known lifecycle. Centralized inventories help maintain that visibility. Regular reviews help remove stale access. Continuous monitoring helps identify suspicious changes before attackers can establish long-term persistence. Separate human access from service access. Treat SSH keys as privileged credentials, because that is exactly what they are. SSH keys are trusted access mechanisms, but trust alone is not a security control. Once a key is added, many organizations assume the problem is solved. Attackers benefit from that assumption. Unauthorized SSH key usage rarely resembles a brute-force attack. It rarely generates obvious authentication failures. It often looks like a successful login from a credential the system already trusts. That is why detection depends on visibility rather than simple access controls.The key that causes a future incident is often not the newest key in the environment. It is the one nobody remembered to question. Related Reading SSH Key Sprawl on Linux: Unmanaged Access Threats and Cleanup Guide Enhance Linux Server Security Through Effective SSH Best Practices Understanding Linux Persistence Mechanisms and Detection Tools . Learn how to identify and manage unauthorized SSH keys in Linux environments effectively to enhance security.. SSH Keys, Unauthorized Access, Linux Security Practices, Key Management, Security Monitoring. . Dave Wreski
Jun 03, 2026
•
How to Secure My Network
166
security advisorylinuxdockerGitHub Actions Linux Self-Hosted Runners Security Risks 2025-30066
Self-hosted GitHub Actions runners give organizations far more flexibility than standard cloud-hosted runners. Teams can integrate internal infrastructure directly into CI/CD workflows, automate Kubernetes deployments, run custom tooling, and manage Linux-based build environments without relying entirely on external infrastructure. . That flexibility also creates a significant security risk. A compromised self-hosted GitHub Actions runner can hand attackers direct access to Kubernetes clusters, cloud credentials, package registries, and production deployment systems—often without exploiting a single Linux vulnerability. Recent compromises, such as the poisoning of the tj-actions/changed-files Action and the Codecov supply chain breach, demonstrated how attackers increasingly target CI/CD automation. This is because the pipeline itself often provides privileged access to infrastructure and production environments already. Unlike ephemeral cloud runners, self-hosted Linux runners frequently persist long after workflows complete. In many environments, they already sit close to Kubernetes clusters, internal repositories, package publishing systems, and cloud administration tooling. Why Self-Hosted GitHub Actions Runners Create Security Risks Self-hosted runners often inherit broad operational access because they handle container builds, infrastructure deployment, cloud provisioning, and release automation simultaneously. That concentration of privileged access makes the runner itself a high-value target. As workflows expanded, self-hosted runners gradually accumulated access to: cloud deployment credentials, Kubernetes environments, internal repositories, package publishing systems, infrastructure automation tooling, container registries, and production release pipelines. The risk becomes larger when organizations place runners directly inside trusted internal networks or allow workflows to interact directly with production infrastructure. Once attackerscompromise the workflow environment, the runner may become a pivot point for lateral movement deeper into the environment. Unlike traditional endpoint compromise, attackers frequently abuse legitimate CI/CD automation behavior rather than exploiting Linux directly. That operational normalcy makes malicious workflow activity much harder to detect. How to Use Ephemeral GitHub Actions Runners on Linux Persistent runners may retain credentials, temporary artifacts, shell histories, and environment variables long after workflows finish executing. That persistence creates additional opportunities for: credential theft, workflow persistence, artifact tampering, and lateral movement across infrastructure environments. Ephemeral runners reduce that exposure window because the environment is destroyed automatically after each workflow completes. If you are running on standalone Linux hosts, you can enforce this by using the --ephemeral flag during the registration process: ./config.sh --url [https://github.com/OWNER/REPO](https://github.com/OWNER/REPO) --token YOUR_TOKEN --ephemeral Many organizations now deploy ephemeral Linux runners using the GitHub Actions Runner Controller (ARC) for Kubernetes. This allows organizations to isolate workflows using namespaces, network policies, and tightly scoped service accounts. The goal is to prevent attackers from inheriting leftover state between jobs. How to Restrict Docker Socket Access on GitHub Actions Runners Exposing the Docker socket ( /var/run/docker.sock ) inside GitHub Actions workflows effectively grants root-level control over the runner host. Many Linux CI/CD environments expose this socket so pipelines can build containers directly, but that configuration becomes dangerous during workflow compromise because attackers may use Docker socket access to escape container isolation, mount sensitive host directories, or deploy privileged containers. Organizations should avoid exposing the Docker socket whenever possible.Safer alternatives include: rootless container builds, isolated build systems, BuildKit, or Kaniko. A standard Kaniko implementation in a Kubernetes-based runner looks like this: YAML - name: Build with Kaniko image: gcr.io/kaniko-project/executor:latest args: ["--dockerfile=Dockerfile", "--destination=my-registry.com/image:latest"] How to Remove Long-Lived Secrets From GitHub Actions Workflows Long-lived credentials create unnecessary exposure. Many workflow compromises specifically target GitHub Personal Access Tokens or cloud access keys stored inside repositories. Once exposed, those credentials may continue functioning long after defenders discover the breach. Organizations should replace static credentials with OIDC (OpenID Connect) . OIDC allows workflows to request temporary cloud credentials dynamically during execution. Major cloud providers, including AWS, Azure, and Google Cloud, already support OIDC integration, which significantly reduces the operational value of stolen credentials. A hardened OIDC configuration for AWS would look like this: YAML permissions: id-token: write contents: read steps: - name: Configure AWS Credentials uses: aws-actions/configure-aws-credentials@v4> with: role-to-assume: arn:aws:iam::1234567890:role/my-github-role aws-region: us-east-1 How to Restrict GitHub Actions Workflow Permissions Many GitHub Actions environments still run with broader repository permissions than workflows actually require. Overly permissive configurations, such as permissions: write-all , grant workflows unnecessary repository modification privileges. A safer baseline starts with an empty permission set, explicitly granting only the permissions required for the workflow itself: YAML permissions: {} # Grant only the specific scope required permissions: contents: read Security teams should also carefully review all workflows using the pull_request_target trigger. Because thistrigger executes using the permissions of the target repository rather than the untrusted fork, attackers may abuse it to expose repository secrets. How to Review GitHub Actions Workflow Changes Safely Workflow files should be treated like infrastructure code. Modifications inside .github/workflows/ can directly affect deployment systems, cloud authentication, and runner execution behavior. Organizations should require mandatory pull request reviews and use CODEOWNERS protection to ensure security teams audit every change. Plaintext # .github/CODEOWNERS .github/workflows/ @platform-security-team In many environments, modifying a workflow effectively changes production infrastructure behavior. Security teams should monitor for unexpected workflow additions or unauthorized permission changes that could indicate a supply chain compromise in progress. How to Restrict Outbound Traffic and Monitor Activity Many CI/CD compromises rely on transmitting secrets to attacker-controlled infrastructure. Organizations should restrict unnecessary outbound traffic from runners using firewall rules, DNS filtering, or Kubernetes NetworkPolicies . For example, you can lock down a Kubernetes runner pod to only communicate with GitHub IP ranges: YAML apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: name: runner-egress spec: podSelector: matchLabels: app: github-runner egress: - to: - ipBlock: cidr: 140.82.112.0/20 # GitHub IP Range Because attackers frequently operate using legitimate workflow credentials, detection often depends on identifying unusual operational behavior—such as unexpected curl execution or unauthorized cloud API activity. GitHub Actions Runner Hardening Checklist Use ephemeral runners to prevent persistence between builds. Replace long-lived cloud credentials with short-lived OIDC tokens. Remove Docker socket exposure by using Kaniko or BuildKit. Isolate runners from productionnetworks and Kubernetes control planes. Restrict outbound traffic to only essential GitHub and cloud endpoints. Enforce a "deny-all" permission baseline in every workflow YAML. Require mandatory reviews for any modification to .github/workflows/ . GitHub Actions workflows now sit directly inside the software supply chain. They build applications, publish packages, and deploy infrastructure across production systems every day. That operational position makes them extremely attractive targets. For Linux-heavy infrastructure running cloud-native workloads, the risk is significant because the pipeline is no longer just a support tool—it has become part of production itself. Want more Linux security hardening guides like this? Subscribe to our newsletter for practical tutorials on Linux infrastructure, CI/CD security, cloud-native operations, and open-source security best practices. . Self-hosted GitHub Actions runners offer flexibility but pose major security risks that organizations must address effectively.. Self-hosted GitHub, Actions runners, CI/CD security, Linux infrastructure, pipeline security. . MaK Ulac
May 15, 2026
•
How to Learn Tips and Tricks
167
security advisoryintrusion detectionnetwork monitoringHow to Install and Set Up Snort IDS on Linux (Working Alerts in 30 Minutes)
Outcome Checklist This guide installs Snort as a passive intrusion detection system on Linux and verifies functionality by generating a test alert. Each step builds on the previous one. Do not skip steps. By the end of this guide: Snort is installed, and the version confirmed. HOME_NET is correctly configured. A local rule is created. Configuration validates without errors. A real test alert appears in /var/log/snort/alert Snort runs persistently via systemd (optional).. Identify Your OS and Network Interface Snort installation and packet capture depend on the correct operating system packages and the correct network interface. Identify both before proceeding. 0.1 Confirm Your Linux Distribution Run: cat /etc/os-release Review the values for: ID= ID_LIKE= If the system is Ubuntu or Debian-based, follow the Debian-based installation section. If the system is RHEL, Rocky, AlmaLinux, or similar, follow the RHEL-based installation section. 0.2 Identify the Active Network Interface List interfaces: ip -br link Display the routing table: ip route Identify the interface associated with the default route. Example: default via 192.168.1.1 dev eth0 In this case, eth0 is the interface that must be used with Snort. If the wrong interface is specified during execution, Snort will not capture relevant traffic. 0.3 Baseline System Note Snort depends on a stable and properly maintained Linux host. Confirm the system is updated and hardened before installation using a standard verification process, such as this guide on verifying Linux server security . Step 1: Install Snort On Linux, package installs are predictable when repositories are correctly configured and the system is current. If dependencies fail or the binary does not register, the issue is usually repository state rather than Snort itself. Install using your distribution’s native package manager. Ubuntu / Debian Refresh package metadata: sudo apt-get update Install Snort and default rule packages: sudo apt-get install -y snort snort-common snort-rules-default During installation, you may be prompted for network configuration values. These can be adjusted later in snort.conf . Confirm the binary is present and executable: snort -V which snort snort -V must return version information. which snort must return the binary path, typically /usr/sbin/snort . If the version does not print, resolve package errors before continuing. RHEL / Rocky / AlmaLinux Update repositories: sudo dnf -y update Install Snort: sudo dnf -y install snort Verify the installation: snort -V which snort snort -V must return version information. which snort must return the binary path. If the version does not print, resolve repository or package issues before proceeding. Some RHEL-based repositories install the Snort engine without bundled rule sets. This guide uses a manually created local.rules file, so additional rule downloads are not required for validation. For source-based installations or advanced deployment scenarios, refer to the official Snort installation documentation at the Snort installation guide . Step 2: Verify Snort Version (Snort 2 vs 3 Awareness) At this point, the package should be installed and the binary available in your path. Confirm the engine starts and reports a version. snort -V The command must return version information and exit cleanly. That confirms the binary executes and the required libraries are present. This guide is written for standard Snort 2.9.x package installations that use snort.conf . There is no version comparison here. You only need to confirm that Snort runs without error. If the command fails, resolve that before touching configuration files. Step 3: Confirm Important Snort Paths Linux packages do not always place files in identical locations across distributions. Before editing anything, confirm where yoursystem installed Snort components. Run: whereis snort Review the output carefully. From this, identify: Snort binary path Typically /usr/sbin/snort . This is the executable used in manual runs and systemd . Configuration file location ( snort.conf ) Often under /etc/snort/ . This is the primary configuration file you will edit. Rules directory Commonly /etc/snort/rules/ . This is where local.rules will reside. Log directory Frequently /var/log/snort/ . This is where alert output will be written. Do not assume default paths. Confirm them on your system before proceeding to configuration changes. Step 4: Prepare Required Directories and Permissions Snort writes logs, tracks state, and loads local rules from specific directories. Package installs usually create these, but verify them explicitly on your system. Create required directories if they do not exist: sudo mkdir -p /etc/snort/rules sudo mkdir -p /var/log/snort sudo mkdir -p /var/lib/snort Create a dedicated service account if it is missing: id snort 2> /dev/null || sudo useradd -r -s /usr/sbin/nologin -d /var/lib/snort snort Set ownership and restrict access: sudo chown -R snort:snort /var/log/snort /var/lib/snort sudo chmod 750 /var/log/snort /var/lib/snort Create the local rules file: sudo touch /etc/snort/rules/local.rules sudo chmod 640 /etc/snort/rules/local.rules Snort must have write access to its log directory or alerts will not be generated. Running the process as a dedicated service user prevents permanent root execution and limits system exposure. Confirm ownership before continuing. Step 5: Configure snort.conf Snort operates here as a passive intrusion detection system and requires minimal configuration changes to begin monitoring traffic. Locate the configuration file: sudo find /etc -maxdepth 4 -iname "snort.conf" Edit the file: sudo nano /etc/snort/snort.conf Ensure these linesare present and correctly defined: ipvar HOME_NET 192.168.1.0/24 ipvar EXTERNAL_NET any var RULE_PATH /etc/snort/rules include $RULE_PATH/local.rules HOME_NET must match your actual subnet. Replace 192.168.1.0/24 with your network range if different. If this system has a single public IP address, define HOME_NET using that IP with a /32 mask. Do not modify preprocessors. Do not enable inline mode. Step 6: Add a Local Test Rule At this stage Snort is installed and configured, but it has no custom logic tied to your environment. Add a controlled rule to confirm detection works. Edit the local rules file: sudo nano /etc/snort/rules/local.rules Add the following line: alert icmp any any -> $HOME_NET any (msg:"SNORT TEST - ICMP ping detected"; itype:8; sid:1000001; rev:1;) This rule generates an alert when an ICMP echo request enters HOME_NET. It is intentionally simple and designed for validation, not production monitoring. The sid value must be unique within your rule set. Do not reuse existing IDs. Rule structure, keywords, and deeper detection logic are covered separately in this guide on network intrusion detection using Snort . Save the file before moving to validation. Step 7: Validate Configuration (Mandatory) Before running Snort live, test the configuration. This prevents runtime failures caused by syntax errors or missing includes. Run: sudo snort -T -c /etc/snort/snort.conf -i INTERFACE Replace INTERFACE with your active network interface identified earlier. This command performs a configuration test only. It does not start packet inspection. If successful, you will see a message indicating configuration validation completed. Common validation failures: Incorrect RULE_PATH Missing include $RULE_PATH/local.rules HOME_NET does not match your subnet Permission errors on rule or log directories Resolve any errors before proceeding. Snort should exit cleanly with no fatal messages. Step 8: RunSnort and Generate a Real Alert Start Snort in console mode with fast alert output: sudo snort -A fast -q -c /etc/snort/snort.conf -i INTERFACE -l /var/log/snort Replace INTERFACE with your active NIC. From another host on the network, send ICMP traffic to the Snort sensor: ping -c 3 TARGET_IP Replace TARGET_IP with the IP address of the Snort system. In a separate terminal, verify log output: sudo ls -la /var/log/snort sudo tail -n 20 /var/log/snort/alert You should see an entry containing SNORT TEST - ICMP ping detected. If no alert appears, check the following: Wrong interface specified during startup HOME_NET does not match the monitored subnet local.rules not properly included in snort.conf Once the /var/log/snort/alert file exists and contains entries, alert forwarding to syslog or external dashboards can be configured separately as described in this guide on real-time alerting with Snort . Note : If testing in a cloud environment, ensure ICMP is allowed in the provider firewall or security group. Step 9: Install systemd Service for Persistence Manual execution confirms detection works. Production systems require the service to start at boot and restart automatically if it fails. Create the systemd unit file: sudo tee /etc/systemd/system/snort.service > /dev/null /dev/null || true endscript } This configuration: Rotates logs daily Retains seven days of history Compresses older logs Preserves correct ownership and permissions Reloads the Snort service after rotation Verify logrotate configuration: sudo logrotate -d /etc/logrotate.d/snort The -d flag performs a dry run and reports potential issues without modifying files. Log management should be validated periodically, especially on high-traffic sensors. Silent disk exhaustion is avoidable. Frequently Asked Questions Does this guide enable inline blocking? No. This setup runs Snort strictly as a passive intrusiondetection sensor. Inline blocking and prevention use cases are covered separately in this overview of network intrusion prevention systems . What should I do after alerts start appearing? Installation only confirms detection works. Alert triage, escalation paths, and response handling are operational decisions covered in this guide on intrusion detection response . How do I measure Snort performance? Throughput testing, packet loss analysis, and tuning methodology are separate from installation and discussed in this analysis of intrusion detection systems by the numbers . Is signature-based detection still enough? Static rule matching works, but modern detection strategies often extend beyond traditional signatures. This guide outlines broader approaches to modernizing your intrusion detection strategy . . Ensure your network security by installing and configuring Snort IDS with this comprehensive guide for Linux users.. Snort Setup, Intrusion Detection Installation, Network Security Guide. . MaK Ulac
Feb 17, 2026
•
How to Secure My Network
161
firewallnetworkingpacket filteringPacket Filtering Overview in Linux Firewalls for Effective Security
A packet filtering firewall gives Linux a simple way to sort traffic at the packet level. The kernel reads the header fields, checks them against its rules, and makes a decision that stays consistent under load. The logic isn’t fancy, but it shapes how the rest of the system handles new connections. . The process is predictable. Packets arrive, their basic fields get inspected, and the filtering layer decides whether they move forward or stop right there. No payload review. No protocol deep dive. Just enough structure for the system to keep its footing. This article lays out that foundation so beginners can see how the filtering layer actually works inside Linux. Once the basic packet path is clear, the behavior of higher-level firewall tools becomes easier to understand, even when the setup remains simple. What Is Packet Filtering? Packet filtering is a basic check the system performs on every packet that reaches the kernel. A packet filtering firewall focuses on the packet header. That header is a small block of fields that the packet carries everywhere. It holds the source and destination addresses. It notes the protocol. It records the ports tied to the exchange, and that tiny set of values is enough for Linux to sort traffic quickly without reaching deeper layers. These fields give the system the minimum it needs to sort traffic. Nothing more. The idea grew out of early network equipment that had to make quick decisions with limited resources. The pattern still holds. Internet background noise shows the same thing every day. Port scans, stray connection attempts, and misrouted packets all carry enough header data for the firewall to judge them without reading the payload. The kernel leans on that predictability. The decision itself follows a straight line. The packet arrives. The header fields are compared to the rules in order. The first rule that fits determines what happens next. Some packets move forward. Some stop immediately. It is the simplest filtering model Linux uses,and it sets the base layer for everything that comes after, including more advanced stateful checks. What a Packet Looks Like A packet filtering firewall only sees what is in the packet header. Everything else is invisible at this stage. Breaking the header down makes the filtering step easier to understand. IP header fields the firewall can read: Source address Destination address Protocol value Basic routing and lifetime fields These pieces tell the kernel where the traffic came from and what type of packet it is. Nothing in this layer describes the application itself. It is all structural data that the system can trust. TCP header fields: Source and destination ports Sequence and acknowledgment numbers Flags like SYN, ACK, FIN TCP gives the firewall a sense of how a connection is forming. A SYN flag signals a new attempt. A FIN signals a close. These are simple indicators, not full context, but they help the kernel understand the packet’s place in a flow. UDP header fields: Source and destination ports Length Checksum UDP offers less information than TCP. The firewall still gets ports and protocols, which is usually enough for basic filtering, but there is no concept of connection steps. Ports in plain terms: Port 443 commonly maps to encrypted web traffic Port 22 commonly maps to SSH The firewall treats these as numbers, not guarantees Ports give a hint about the service behind the packet. The system reads them as numeric fields, and no more. Flags in plain terms: A SYN marks the start of a TCP connection An ACK signals progress in the exchange A FIN marks the close Flags help the kernel place a packet in time. They don’t reveal intent or payload, but they shape the early decision. All Linux firewall tools interpret these same fields. Interfaces differ, but the packet does not. Even early questions about choosing a Linux firewall eventually circle back to this structurebecause the filtering decision begins and ends with what the header exposes. How Linux Evaluates Packets Linux follows a steady evaluation path inside the kernel. Packets move through a small set of checkpoints, and each checkpoint gives the system a chance to make a filtering decision before the packet reaches anything higher in the stack. Packet Flow Into Netfilter Every packet hits Netfilter as soon as the kernel receives it. Netfilter assigns the packet to a chain based on direction, which keeps local traffic, outbound traffic, and transit traffic from mixing together in the filtering path. Linux Firewall Chains Explained Linux relies on three core chains for packet evaluation. INPUT checks packets headed to the local machine. OUTPUT handles packets generated by the host. FORWARD governs packets passing through the system. These chains form the backbone of Linux filtering behavior. Linux Firewall Tables Overview Rules sit inside tables, each built for a specific task. The filter table drives allow or drop decisions. NAT and other tables exist, but beginners mainly need to know that packets only touch the tables relevant to their path. The structure keeps evaluation predictable, a pattern reflected across major Linux distributions, including the Red Hat packet filtering documentation , which outlines the same table-driven model. How Netfilter Makes Decisions Netfilter processes rules in order. The kernel reads from the top of the chain, stops at the first rule that matches, and applies that result. The rest of the chain never runs. This simple flow explains why two similar rules can yield different outcomes. Why Firewall Rule Order Matters A broad rule placed early can catch traffic before a more specific rule even appears in the evaluation path. The kernel is only following its first-match logic, yet the effect can be surprising. This is where topics like firewall rule ordering basics become useful for understanding real behavior. How Packet Evaluation Fits theFiltering Model All of these decision points rely on the same header fields described earlier. The chains and tables simply give Linux a structure for reading them. Once the packet’s path is clear, the rest of the filtering model becomes easier to map, even when different firewall tools present it in their own style. Stateful Packet Filtering and Connection Tracking Stateful filtering expanded what Linux could do with packet decisions. Instead of treating every packet as a separate event, the system tracks how a connection forms and uses that memory to guide later decisions. It is a small shift in logic that changes the whole filtering model. What Stateful Packet Filtering Means Stateful packet filtering keeps a record of traffic that has already been approved. A new packet is marked as the start of a connection. Follow-up packets are marked as established. Related packets fall into a secondary category that still fits the flow. The firewall can make better judgments because it knows where the packet sits in the conversation. What Connection Tracking Actually Does Connection tracking holds a lightweight entry for each active connection. It does not store payloads or application data. It just records enough detail for the kernel to match replies to earlier packets. This keeps the evaluation orderly. Tools aimed at beginners rely on this for predictable behavior, and topics like UFW basics highlight how the heavy lifting happens behind the scenes. Why Statefulness Matters in Linux Filtering Without statefulness, the firewall would need broad rules to avoid blocking normal traffic. With it, the system sees which packets belong to a valid exchange and which do not. Established traffic moves with minimal checks. New traffic gets a closer look. It is one of the core steps that moved Linux away from older, strictly stateless models. How nftables Evaluates Packets nftables reorganized how Linux handles filtering decisions. The firewall still checks packet headers the same way, butthe path is cleaner, and the evaluation work sits closer to the packet flow. This keeps the packet filtering model consistent across tools. Key parts of the nftables model: Hooks that follow the packet path: Hooks sit at points where the kernel already processes traffic. When a packet reaches one of these points, nftables runs the rules tied to that hook. It keeps the evaluation aligned with the packet’s direction without adding extra steps. Efficient matching structures: nftables uses sets that let the kernel match addresses and ports quickly. This avoids long walks through rule lists and holds up well when traffic increases or when rulesets grow larger. Simplified filtering logic: nftables keeps decisions in fewer places. Tables map cleanly to hooks, and each rule has a focused job. The layout is easier to read and makes the evaluation path more transparent. These shifts don’t change the underlying ideas. Linux still reads the header, checks the state, and makes a decision. For someone working through the firewall troubleshooting steps , it helps to know that nftables reorganizes the filtering path without changing the core ideas. Why Packet Filtering Matters in Linux Firewalling Packet filtering matters because it gives the kernel a stable first decision on every packet, and that early verdict shapes how the rest of the firewall stack behaves. It also forms a big part of the groundwork people learn when they first look into Linux firewall basics , since most later behavior traces back to this early check. It underpins the basics of Linux firewalls. The initial allow or drop decision frames the rest of the packet’s path. Once that call is made, later components build on it rather than re-evaluating the packet from scratch. It keeps higher-level tools consistent. UFW stays predictable because the kernel already marks traffic as new or established. nftables benefits from the same foundation. Its cleaner structure still depends on the packet’s earliestevaluation inside the kernel. It shapes the troubleshooting pattern. When traffic behaves in unexpected ways, analysts often start with this first checkpoint. The decisions made here ripple through every later stage, and workflows described in firewall troubleshooting steps eventually point back to this point. It supports both inbound and outbound control. The same header checks drive decisions in both directions. Outbound filtering uses the same logic as inbound control, and concepts explored in Egress filtering continue from that shared mechanism. Packet filtering ends up as the quiet anchor that keeps Linux firewall behavior consistent, even as rule sets and tools evolve around it. Common Misunderstandings About Packet Filtering A few misunderstandings show up early when people start looking at how Linux evaluates packets. Much of it comes from expecting a packet filtering firewall to see more than it actually can or from mixing up how different layers of the system behave. Assuming the firewall inspects full payloads: Packet filtering only reads the header. The contents stay untouched at this stage. Mixing up stateless checks with stateful behavior: The firewall tracks established traffic, but not every decision comes from connection state. The distinction is easy to blur. Expecting rules to run in the wrong chain: Packets follow a specific path. If traffic never reaches a chain, its rules never apply. Thinking the firewall sees more than the header provides: The system makes its call based on fields like addresses, ports, and protocols. Anything outside that view sits out of reach. Clearing these points early keeps the filtering model steady before moving into more advanced pieces of the firewall stack. Packet Filtering Firewall FAQ A few questions come up often when people start learning how packet filtering works in Linux. Does packet filtering inspect full packets? No. It only reviews the header fields. The payload stays untouched in thisstage of the process. Is packet filtering the same as a firewall? It’s one part of a firewall. Packet filtering provides the first decision point, but higher layers build on that foundation. Do modern firewalls still use packet filtering? Yes. Even with newer designs, the header check remains the starting point for how Linux decides what to do with a packet. Where Packet Filtering Fits in Your Overall Linux Firewall Knowledge Packet filtering sits at the base of Linux firewalling, and most of the system’s behavior traces back to this early inspection step. Once the packet’s path makes sense, the rest of the firewall stack settles into a clearer shape. Rule ordering starts to feel more predictable because you understand why the kernel reaches a decision when it does. Stateful checks, which build on the same packet flow, become easier to read once you see how new and established traffic forms at the header level. Even egress control and basic troubleshooting rely on this groundwork, since every later step depends on how the packet was first classified. Nothing in the next layer is more complicated. Each concept is just an extension of the logic introduced here, and the model holds up as the ruleset grows or the network gets louder. Packet filtering ends up being the foundation that keeps everything else steady. Once this layer makes sense, the rest of the firewall stack stops feeling unpredictable. . The process is predictable. Packets arrive, their basic fields get inspected, and the filtering laye. packet, filtering, firewall, gives, linux, simple, traffic, level, kernel. . MaK Ulac
Dec 06, 2025
•
How to Secure My Firewall
167
remote accessnetwork protocolsystem administrationResolving SSH Connection Refused Problems for Effective Remote Access
The SSH "connection refused" error can prevent you from accessing remote machines on a network. Here's how you can troubleshoot it. . SSH is a network protocol that allows you to securely access and manage a remote system over a network. While connecting to a remote machine via SSH, you might have encountered the "connection refused" error. Experiencing this issue can be frustrating especially if you are a system admin and have to perform some tasks on the remote system on an urgent basis. Let's look at some of the possible causes of getting the SSH "connection refused" error and methods to resolve it. . To swiftly fix SSH connection refused issues, confirm the server IP, verify SSH status, and check firewall settings. Review sshd configs and network logs for further insights. SSH Connection, Remote Access, Error Resolution, Network Security, Linux Admin. . Brittany Day
Mar 03, 2023
•
How to Secure My Network
163
securityconfigurationnginx25 Essential Strategies for Securing Nginx Web Servers on Linux Systems
This tutorial explains how to improve the security of Nginx web servers running on Linux. . Nginx is a lightweight, high-performance web server/reverse proxy and e-mail (IMAP/POP3) proxy. It runs on UNIX, GNU/Linux, BSD variants, Mac OS X, Solaris, and Microsoft Windows. According to Netcraft, 13.50% of all domains on the Internet use nginx web server. Nginx is one of a handful of servers written to address the C10K problem. Unlike traditional servers, Nginx doesn’t rely on threads to handle requests. Instead, it uses a much more scalable event-driven (asynchronous) architecture. Nginx powers several high traffic web sites, such as WordPress, Hulu, Github, and SourceForge. The link for this article located at nixCraft is no longer available. . Elevate the security of your Nginx web server by implementing these 25 essential strategies tailored for Linux systems.. Nginx Security Practices, Secure Web Server Setup, Linux Security Guidelines. . Brittany Day
Feb 11, 2023
•
How to Secure My Webserver
166
configurationubuntudatabaseStep-by-Step Guide To Install And Configure MariaDB On Ubuntu 22.04
MariaDB, a fork of MySQL, is a popular database widely used by organizations and enterprises online. Here's how you can install it on Ubuntu. . MariaDB is a widely used database in Linux systems. In this guide, you will explore how to install the database on Ubuntu 22.04 with the help of a few easy-to-follow commands. Once you've installed and configured MariaDB, you will learn how to interact with it through the MariaDB command line. In the end, you will also see a command to uninstall the database from Ubuntu. . Follow this step-by-step guide to easily install and configure MariaDB on Ubuntu 22.04, ensuring a smooth setup and optimal performance. Install MariaDB, Ubuntu Database, Linux Database Setup. . Brittany Day
Dec 14, 2022
•
How to Learn Tips and Tricks
166
linuxsshdeploymentQuick Steps To Create A Local Git Repository With SSH On Linux
Have you ever found yourself in a situation where you need to deploy a quick Git repository on a machine within your LAN? Here's what to do. . Have you ever found yourself in a situation where you need to deploy a quick Git repository on a machine within your LAN? If you’re a developer, chances are pretty good this task has fallen into your lap on several occasions. Fortunately, you don’t really need to depend on a bunch of overly complicated software packages or third-party tools to make this happen. Sure, if you want a sweet GUI to make the lives of all those who will contribute to your development project considerably easier, you might turn to a platform like Gitea . But if you prefer the simplicity and ease of deployment that comes along with the command line, you’re going to want to give this method a go. It might not have all the bells and whistles of the web-based options but it does the job reliably and quickly. The link for this article located at The New Stack is no longer available. . Discover the seamless process of establishing a Git repository on your Linux system via SSH in a flash!. local Git repository, SSH deployment, command line Git. . Brittany Day
Nov 19, 2022
•
How to Learn Tips and Tricks
Get the latest News and Insights
Get the latest Linux and open source security news straight to your inbox.
Community Poll
What got you started with Linux?
Search Topics
Powered By
Linux Security - Your source for Top Linux News, Advisories, HOWTOs and Feature Releases
QUICK LINKS
subscribe to newsletters!
Like staying secure? So do we.
Sign up for updates, tips, and alerts!
Discover faster search, smarter navigation, and deeper Linux security insights. Read More