Stay Ahead With Linux Security HOWTOs

Explore Latest Linux Security HOWTOs
How to Install and Set Up Snort IDS on Linux (Working Alerts in 30 Minutes)

Outcome Checklist

This guide installs Snort as a passive intrusion detection system on Linux and verifies functionality by generating a test alert. Each step builds on the previous one. Do not skip steps.

By the end of this guide:

- Snort is installed, and the version confirmed.
- HOME_NET is correctly configured.
- A local rule is created.
- Configuration validates without errors.
- A real test alert appears in /var/log/snort/alert.
- Snort runs persistently via systemd (optional).

Step 0: Identify Your OS and Network Interface

Snort installation and packet capture depend on the correct operating system packages and the correct network interface. Identify both before proceeding.

0.1 Confirm Your Linux Distribution

Run:

    cat /etc/os-release

Review the values for:

- ID=
- ID_LIKE=

If the system is Ubuntu or Debian-based, follow the Debian-based installation section. If the system is RHEL, Rocky, AlmaLinux, or similar, follow the RHEL-based installation section.

0.2 Identify the Active Network Interface

List interfaces:

    ip -br link

Display the routing table:

    ip route

Identify the interface associated with the default route. Example:

    default via 192.168.1.1 dev eth0

In this case, eth0 is the interface that must be used with Snort. If the wrong interface is specified during execution, Snort will not capture relevant traffic.

0.3 Baseline System Note

Snort depends on a stable and properly maintained Linux host. Confirm the system is updated and hardened before installation using a standard verification process, such as this guide on verifying Linux server security.

Step 1: Install Snort

On Linux, package installs are predictable when repositories are correctly configured and the system is current. If dependencies fail or the binary does not register, the issue is usually repository state rather than Snort itself. Install using your distribution's native package manager.
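As an added example (not part of this guide or its author's material), the script below turns the Step 0 checks into shell functions: it reads the package family from an os-release file, the default-route interface from ip route output, and the major version from snort -V output, and prints the package command from Step 1 that matches the detected family. The os-release file, route text and version banner it runs on are constructed samples; on the sensor, point the functions at /etc/os-release and at real command output.

```shell
#!/bin/sh
# Pre-flight helpers for the Step 0 checks (added example, not from the guide).
# Each function takes its input from a file or stdin so it can be tested offline.

# os_family [FILE]
# Print "debian", "rhel" or "unknown" from an os-release file. ID is checked
# first, then ID_LIKE, so derivatives map to their parent family (for example
# Rocky reports ID=rocky with ID_LIKE="rhel centos fedora").
os_family() {
    file="${1:-/etc/os-release}"
    os_id=$(sed -n 's/^ID=//p' "$file" | tr -d '"')
    like=$(sed -n 's/^ID_LIKE=//p' "$file" | tr -d '"')
    case " $os_id $like " in
        *" debian "*|*" ubuntu "*)                                          echo debian ;;
        *" rhel "*|*" centos "*|*" fedora "*|*" rocky "*|*" almalinux "*)   echo rhel ;;
        *)                                                                  echo unknown ;;
    esac
}

# default_iface < ROUTE_TEXT
# Print the device named on the first "default via ..." line of `ip route`
# output. This is the interface to pass to snort -i.
default_iface() {
    awk '$1 == "default" { for (i = 1; i < NF; i++) if ($i == "dev") { print $(i + 1); exit } }'
}

# snort_major_version < BANNER
# Extract the major version from `snort -V` output, so a script can confirm it
# is on the Snort 2.9.x line that this guide's snort.conf-based steps assume.
snort_major_version() {
    sed -n 's/.*Version \([0-9][0-9]*\)\.[0-9].*/\1/p' | head -n 1
}

# install_hint FAMILY
# Print the package command from Step 1 for the detected family.
install_hint() {
    case "$1" in
        debian) echo "sudo apt-get update && sudo apt-get install -y snort snort-common snort-rules-default" ;;
        rhel)   echo "sudo dnf -y update && sudo dnf -y install snort" ;;
        *)      echo "unsupported family; see the official Snort installation guide"; return 1 ;;
    esac
}

# Demonstration on constructed input (so it runs on any host). Replace the
# sample file with /etc/os-release and the sample text with real output.
sample=$(mktemp)
printf 'NAME="Rocky Linux"\nID="rocky"\nID_LIKE="rhel centos fedora"\nVERSION_ID="9.3"\n' > "$sample"
family=$(os_family "$sample")
echo "package family: $family"
install_hint "$family" || true
printf 'default via 192.168.1.1 dev eth0 proto dhcp metric 100\n192.168.1.0/24 dev eth0 proto kernel scope link\n' | default_iface
printf '  o"  )~   Version 2.9.20 GRE (Build 82)\n' | snort_major_version
rm -f "$sample"
```

On a real host the calls become `os_family`, `ip route | default_iface` and `snort -V 2>&1 | snort_major_version`; a result other than 2 from the last one means the snort.conf-based steps in this guide do not apply as written.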
Ubuntu / Debian

Refresh package metadata:

    sudo apt-get update

Install Snort and default rule packages:

    sudo apt-get install -y snort snort-common snort-rules-default

During installation, you may be prompted for network configuration values. These can be adjusted later in snort.conf.

Confirm the binary is present and executable:

    snort -V
    which snort

snort -V must return version information. which snort must return the binary path, typically /usr/sbin/snort. If the version does not print, resolve package errors before continuing.

RHEL / Rocky / AlmaLinux

Update repositories:

    sudo dnf -y update

Install Snort:

    sudo dnf -y install snort

Verify the installation:

    snort -V
    which snort

snort -V must return version information. which snort must return the binary path. If the version does not print, resolve repository or package issues before proceeding.

Some RHEL-based repositories install the Snort engine without bundled rule sets. This guide uses a manually created local.rules file, so additional rule downloads are not required for validation. For source-based installations or advanced deployment scenarios, refer to the official Snort installation documentation at the Snort installation guide.

Step 2: Verify Snort Version (Snort 2 vs 3 Awareness)

At this point, the package should be installed and the binary available in your path. Confirm the engine starts and reports a version:

    snort -V

The command must return version information and exit cleanly. That confirms the binary executes and the required libraries are present.

This guide is written for standard Snort 2.9.x package installations that use snort.conf. There is no version comparison here. You only need to confirm that Snort runs without error. If the command fails, resolve that before touching configuration files.

Step 3: Confirm Important Snort Paths

Linux packages do not always place files in identical locations across distributions. Before editing anything, confirm where your system installed Snort components.
Run:

    whereis snort

Review the output carefully. From this, identify:

- Snort binary path: typically /usr/sbin/snort. This is the executable used in manual runs and systemd.
- Configuration file location (snort.conf): often under /etc/snort/. This is the primary configuration file you will edit.
- Rules directory: commonly /etc/snort/rules/. This is where local.rules will reside.
- Log directory: frequently /var/log/snort/. This is where alert output will be written.

Do not assume default paths. Confirm them on your system before proceeding to configuration changes.

Step 4: Prepare Required Directories and Permissions

Snort writes logs, tracks state, and loads local rules from specific directories. Package installs usually create these, but verify them explicitly on your system.

Create required directories if they do not exist:

    sudo mkdir -p /etc/snort/rules
    sudo mkdir -p /var/log/snort
    sudo mkdir -p /var/lib/snort

Create a dedicated service account if it is missing:

    id snort 2> /dev/null || sudo useradd -r -s /usr/sbin/nologin -d /var/lib/snort snort

Set ownership and restrict access:

    sudo chown -R snort:snort /var/log/snort /var/lib/snort
    sudo chmod 750 /var/log/snort /var/lib/snort

Create the local rules file:

    sudo touch /etc/snort/rules/local.rules
    sudo chmod 640 /etc/snort/rules/local.rules

Snort must have write access to its log directory or alerts will not be generated. Running the process as a dedicated service user prevents permanent root execution and limits system exposure. Confirm ownership before continuing.

Step 5: Configure snort.conf

Snort operates here as a passive intrusion detection system and requires minimal configuration changes to begin monitoring traffic.
Locate the configuration file:

    sudo find /etc -maxdepth 4 -iname "snort.conf"

Edit the file:

    sudo nano /etc/snort/snort.conf

Ensure these lines are present and correctly defined:

    ipvar HOME_NET 192.168.1.0/24
    ipvar EXTERNAL_NET any
    var RULE_PATH /etc/snort/rules
    include $RULE_PATH/local.rules

HOME_NET must match your actual subnet. Replace 192.168.1.0/24 with your network range if different. If this system has a single public IP address, define HOME_NET using that IP with a /32 mask. Do not modify preprocessors. Do not enable inline mode.

Step 6: Add a Local Test Rule

At this stage Snort is installed and configured, but it has no custom logic tied to your environment. Add a controlled rule to confirm detection works.

Edit the local rules file:

    sudo nano /etc/snort/rules/local.rules

Add the following line:

    alert icmp any any -> $HOME_NET any (msg:"SNORT TEST - ICMP ping detected"; itype:8; sid:1000001; rev:1;)

This rule generates an alert when an ICMP echo request enters HOME_NET. It is intentionally simple and designed for validation, not production monitoring. The sid value must be unique within your rule set. Do not reuse existing IDs. Rule structure, keywords, and deeper detection logic are covered separately in this guide on network intrusion detection using Snort. Save the file before moving to validation.

Step 7: Validate Configuration (Mandatory)

Before running Snort live, test the configuration. This prevents runtime failures caused by syntax errors or missing includes.

Run:

    sudo snort -T -c /etc/snort/snort.conf -i INTERFACE

Replace INTERFACE with your active network interface identified earlier. This command performs a configuration test only. It does not start packet inspection. If successful, you will see a message indicating configuration validation completed.
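The following added example (not from the guide) performs static checks for Steps 5 to 7 that catch the usual snort -T failures before Snort is started: HOME_NET defined and not "any", RULE_PATH set, local.rules included, and every local rule carrying a rev and a sid that is unique and in the local range. The default paths are the ones used in this guide; the snort.conf and local.rules it demonstrates on are constructed files, one valid and one with the typical mistakes.

```shell
#!/bin/sh
# Static checks for snort.conf and local.rules (added example, not from the guide).

# check_conf [FILE]
# Verify snort.conf defines HOME_NET (not "any"), defines RULE_PATH, and includes
# $RULE_PATH/local.rules. Prints one line per problem; exit 0 only if none.
check_conf() {
    awk '
        $1 == "ipvar" && $2 == "HOME_NET"  { home = $3 }
        $1 == "var"   && $2 == "RULE_PATH" { rp = $3 }
        $1 == "include" && $2 == "$RULE_PATH/local.rules" { inc = 1 }
        END {
            if (home == "")         { print "HOME_NET is not defined"; bad++ }
            else if (home == "any") { print "HOME_NET is \"any\": set it to the monitored subnet"; bad++ }
            if (rp == "")           { print "RULE_PATH is not defined"; bad++ }
            if (!inc)               { print "include $RULE_PATH/local.rules is missing"; bad++ }
            exit (bad > 0)
        }' "${1:-/etc/snort/snort.conf}"
}

# check_local_rules [FILE]
# Every non-comment line must carry a sid and a rev; sids must be unique and in
# the local range (sids from 1000000 upward are reserved for locally written
# rules). Rules split over several lines with backslashes are not handled.
# Prints one line per problem; exit 0 only if none.
check_local_rules() {
    awk '
        /^[ \t]*(#|$)/ { next }
        {
            if (match($0, /sid:[ \t]*[0-9]+/)) {
                sid = substr($0, RSTART, RLENGTH)
                sub(/sid:[ \t]*/, "", sid)
                if (sid + 0 < 1000000) { printf "line %d: sid %s is below the local range (1000000+)\n", NR, sid; bad++ }
                if (sid in seen)       { printf "line %d: sid %s duplicates line %d\n", NR, sid, seen[sid]; bad++ }
                else                   seen[sid] = NR
            } else { printf "line %d: rule has no sid\n", NR; bad++ }
            if ($0 !~ /rev:[ \t]*[0-9]+/) { printf "line %d: rule has no rev\n", NR; bad++ }
        }
        END { exit (bad > 0) }' "${1:-/etc/snort/rules/local.rules}"
}

# Demonstration on constructed files so the script runs without Snort installed.
conf=$(mktemp); rules=$(mktemp)
printf '%s\n' 'ipvar HOME_NET 192.168.1.0/24' 'ipvar EXTERNAL_NET any' \
    'var RULE_PATH /etc/snort/rules' 'include $RULE_PATH/local.rules' > "$conf"
printf '%s\n' '# local test rules' \
    'alert icmp any any -> $HOME_NET any (msg:"SNORT TEST - ICMP ping detected"; itype:8; sid:1000001; rev:1;)' \
    'alert tcp any any -> $HOME_NET 22 (msg:"LOCAL - duplicate sid"; sid:1000001; rev:1;)' \
    'alert tcp any any -> $HOME_NET 80 (msg:"LOCAL - bad sid, no rev"; sid:5;)' > "$rules"
check_conf "$conf" && echo "snort.conf: ok"
check_local_rules "$rules" || echo "local.rules: fix the problems above before running snort -T"
rm -f "$conf" "$rules"
```

On the sensor, run `check_conf` and `check_local_rules` with no arguments (or with the paths whereis snort reported) and only proceed to `snort -T` once both exit 0; the constructed local.rules above reports a duplicate sid on its third rule and a sub-local sid plus a missing rev on its fourth.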
Common validation failures:

- Incorrect RULE_PATH
- Missing include $RULE_PATH/local.rules
- HOME_NET does not match your subnet
- Permission errors on rule or log directories

Resolve any errors before proceeding. Snort should exit cleanly with no fatal messages.

Step 8: Run Snort and Generate a Real Alert

Start Snort in console mode with fast alert output:

    sudo snort -A fast -q -c /etc/snort/snort.conf -i INTERFACE -l /var/log/snort

Replace INTERFACE with your active NIC.

From another host on the network, send ICMP traffic to the Snort sensor:

    ping -c 3 TARGET_IP

Replace TARGET_IP with the IP address of the Snort system.

In a separate terminal, verify log output:

    sudo ls -la /var/log/snort
    sudo tail -n 20 /var/log/snort/alert

You should see an entry containing SNORT TEST - ICMP ping detected.

If no alert appears, check the following:

- Wrong interface specified during startup
- HOME_NET does not match the monitored subnet
- local.rules not properly included in snort.conf

Once the /var/log/snort/alert file exists and contains entries, alert forwarding to syslog or external dashboards can be configured separately as described in this guide on real-time alerting with Snort.

Note: If testing in a cloud environment, ensure ICMP is allowed in the provider firewall or security group.

Step 9: Install systemd Service for Persistence

Manual execution confirms detection works. Production systems require the service to start at boot and restart automatically if it fails.

Create the systemd unit file:

    sudo tee /etc/systemd/system/snort.service > /dev/null /dev/null || true endscript }

This configuration:

- Rotates logs daily
- Retains seven days of history
- Compresses older logs
- Preserves correct ownership and permissions
- Reloads the Snort service after rotation

Verify logrotate configuration:

    sudo logrotate -d /etc/logrotate.d/snort

The -d flag performs a dry run and reports potential issues without modifying files.
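To confirm the Step 8 alert from a script rather than by reading tail output, this added example (not part of the guide) counts and summarises fast-format alert lines for the test rule's sid and waits for the first one to appear after the ping. The alert lines it ships with are constructed to match the layout Snort 2 writes with -A fast; on a sensor, point the functions at /var/log/snort/alert.

```shell
#!/bin/sh
# Verify the Step 8 test alert from the fast-format alert file (added example,
# not from the guide). Each fast-format line carries "[gid:sid:rev]" after the
# timestamp and ends with "{PROTO} src -> dst"; sid 1000001 is the Step 6 rule.

# count_alerts FILE SID
# Number of alert lines fired by generator-1 rule SID.
count_alerts() {
    awk -v sid="$2" 'index($0, "[1:" sid ":") { n++ } END { print n + 0 }' "$1"
}

# alert_sources FILE SID
# Distinct source addresses that triggered SID, in first-seen order. ICMP lines
# carry a bare address; TCP/UDP lines carry "address:port" as Snort prints it.
alert_sources() {
    awk -v sid="$2" 'index($0, "[1:" sid ":") { src = $(NF - 2); if (!(src in seen)) { seen[src] = 1; print src } }' "$1"
}

# wait_for_alert FILE SID SECONDS
# Poll once a second until at least one alert for SID exists (return 0) or
# SECONDS have passed (return 1). Run it right after the ping from the other host.
wait_for_alert() {
    i=0
    while [ "$i" -lt "$3" ]; do
        if [ -r "$1" ] && [ "$(count_alerts "$1" "$2")" -gt 0 ]; then
            return 0
        fi
        i=$((i + 1))
        sleep 1
    done
    return 1
}

# write_sample_alerts DEST
# Constructed alert lines in the fast format, used so the script runs offline.
write_sample_alerts() {
    printf '%s\n' \
        '02/17-10:15:32.123456  [**] [1:1000001:1] SNORT TEST - ICMP ping detected [**] [Priority: 0] {ICMP} 192.168.1.25 -> 192.168.1.10' \
        '02/17-10:15:33.124001  [**] [1:1000001:1] SNORT TEST - ICMP ping detected [**] [Priority: 0] {ICMP} 192.168.1.25 -> 192.168.1.10' \
        '02/17-10:15:34.125002  [**] [1:1000001:1] SNORT TEST - ICMP ping detected [**] [Priority: 0] {ICMP} 192.168.1.40 -> 192.168.1.10' \
        '02/17-10:16:01.000000  [**] [1:1000002:1] LOCAL TEST - other rule [**] [Priority: 0] {TCP} 192.168.1.25:51234 -> 192.168.1.10:22' \
        > "$1"
}

# Demonstration on the constructed file. On a sensor the same call is
#   wait_for_alert /var/log/snort/alert 1000001 30
demo=$(mktemp)
write_sample_alerts "$demo"
if wait_for_alert "$demo" 1000001 5; then
    echo "sid 1000001 fired $(count_alerts "$demo" 1000001) times from:"
    alert_sources "$demo" 1000001
else
    echo "no alert for sid 1000001: check the -i interface, HOME_NET, and the local.rules include"
fi
rm -f "$demo"
```

A timeout from `wait_for_alert` maps directly onto the three checks listed under "If no alert appears"; a count that keeps growing from addresses you did not ping from is worth a look before the sensor goes into production.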
Log management should be validated periodically, especially on high-traffic sensors. Silent disk exhaustion is avoidable.

Frequently Asked Questions

Does this guide enable inline blocking?
No. This setup runs Snort strictly as a passive intrusion detection sensor. Inline blocking and prevention use cases are covered separately in this overview of network intrusion prevention systems.

What should I do after alerts start appearing?
Installation only confirms detection works. Alert triage, escalation paths, and response handling are operational decisions covered in this guide on intrusion detection response.

How do I measure Snort performance?
Throughput testing, packet loss analysis, and tuning methodology are separate from installation and discussed in this analysis of intrusion detection systems by the numbers.

Is signature-based detection still enough?
Static rule matching works, but modern detection strategies often extend beyond traditional signatures. This guide outlines broader approaches to modernizing your intrusion detection strategy.

Ensure your network security by installing and configuring Snort IDS with this comprehensive guide for Linux users.
Tags: Snort Setup, Intrusion Detection Installation, Network Security Guide
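For the log rotation step above, the following is an added example (not the guide's own file): a script that writes a logrotate stanza for the alert log with the five properties the guide lists, and a check that a stanza already on disk still carries those directives. It assumes the guide's paths, the snort service user created in Step 4, and a unit named snort.service; adjust all three if your layout differs.

```shell
#!/bin/sh
# logrotate stanza for /var/log/snort/alert (added example, not the guide's file):
# daily rotation, seven days kept, compression, ownership kept for the snort
# service user, and a service reload after rotation.

# write_snort_logrotate [DEST]
# Write the stanza to DEST (default /etc/logrotate.d/snort). Pass a temporary
# path to preview it without touching the system.
write_snort_logrotate() {
    cat > "${1:-/etc/logrotate.d/snort}" <<'EOF'
/var/log/snort/alert {
    daily
    rotate 7
    missingok
    notifempty
    compress
    delaycompress
    create 640 snort snort
    postrotate
        systemctl reload-or-restart snort.service > /dev/null 2>&1 || true
    endscript
}
EOF
}

# check_snort_logrotate FILE
# Confirm each required directive is present on its own line. Prints the
# missing ones and exits 1 if any are absent, so drift is caught before a
# high-traffic sensor fills its disk.
check_snort_logrotate() {
    missing=0
    for directive in 'daily' 'rotate 7' 'compress' 'create 640 snort snort' 'postrotate' 'endscript'; do
        if ! grep -q "^[[:space:]]*$directive[[:space:]]*\$" "$1"; then
            echo "missing: $directive"
            missing=$((missing + 1))
        fi
    done
    [ "$missing" -eq 0 ]
}

# Preview on a temporary file. On the sensor, write the real path with
# `sudo sh -c '. ./this_script; write_snort_logrotate'` or by copying the stanza,
# then run `sudo logrotate -d /etc/logrotate.d/snort` for the dry run described above.
preview=$(mktemp)
write_snort_logrotate "$preview"
cat "$preview"
check_snort_logrotate "$preview" && echo "logrotate stanza: ok"
rm -f "$preview"
```

`delaycompress` leaves the newest rotated file uncompressed for one cycle so the reloaded process can finish writing to it; `create 640 snort snort` matches the ownership and mode set in Step 4, and `reload-or-restart` works whether or not the unit defines ExecReload.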

Feb 17, 2026 | MaK Ulac | How to Secure My Network

Disabling Bluetooth Service on Arch Linux for Better Power Efficiency

If your Arch Linux computer supports Bluetooth but you’re not using it, it’ll just be wasting power. Instead of turning it off whenever you boot your computer, disable the Bluetooth service instead.

Bluetooth is a convenient way to wirelessly connect all manner of devices to your computer. But if you’re not planning on using Bluetooth, leaving it activated means it’ll be sitting in the background consuming power needlessly. On a laptop that means your battery discharges faster than it needs to. Depending on how your Bluetooth is configured, it might be broadcasting its ID to other devices too, soliciting connections. This is poor for security and bad for your privacy. Turning Bluetooth on and off is a trivial matter through your desktop environment. Most desktop environments provide a simple checkbox or slider control to do this. But turning it back on is just as easy, and could be done inadvertently if you, or anyone else, isn’t paying attention. If you really want to be sure Bluetooth can’t be turned on, disabling it is the safest thing to do. With Bluetooth disabled, it cannot be restored through your desktop environment. Your computer will behave as though it had no Bluetooth hardware installed at all. The good news is, disabling your Bluetooth is easy when you know how, and it’s just as easy to restore it when you do want to use it. We’re using Arch as the demonstration system, but this will work with all modern systemd-based Linux distributions.

The link for this article located at How-To Geek is no longer available.

Discover the steps to turn off Bluetooth on Arch Linux, enhancing energy efficiency and bolstering security while the feature is inactive.
Tags: Arch Linux, Bluetooth Management, Power Saving Tips

Apr 04, 2023 | Brittany Day | How to Strengthen My Privacy

Managing Systemd Services: Your Guide to Systemctl Command Usage

Your Linux computer relies on a lot of background tasks called services or daemons. On systemd-based distributions you have built-in commands that let you see which services are running, disabled, or failed.

Services and daemons are background tasks that run without a user interface, don’t require human interaction, and are usually started as the computer boots up. At one time, services were launched by init, which was the very first process to be launched. The details of the services were held in a collection of scripts located in the /etc/init.d directory. On non-systemd distributions that’s still the case.

The link for this article located at How-To Geek is no longer available.

Gain insight into administrating and enumerating services on systemd-powered Linux distributions through the proficient use of systemctl commands.
Tags: Service Management, Systemctl Commands, Daemon Administration, Linux Systemd, Background Tasks

Oct 24, 2022 | Brittany Day | How to Learn Tips and Tricks

Hardening Systemd Services To Secure Linux Systems Against Threats

Learn how to reduce the attack surface of your Linux system by hardening the systemd service in this tutorial.

In an age where hacker attacks are a daily occurrence, it is of fundamental importance to minimize the attack surface. Containerization is probably the best way to isolate a service provided for the public, but this is not always possible for several reasons. For example, think of a legacy application developed on systemd: it could make the most of the capabilities provided by a systemd-based operating system, it could be managed via a systemd unit, or it could automatically pull updates using a systemd timer, and so on. For this reason, we are going to explain how to improve the security of a systemd service. But first, we need to step back for a moment. With the latest releases systemd has implemented some interesting features relating to security, especially sandboxing. In this article we are going to show step-by-step how to strengthen services using specific directives, and how to check them with the provided systemd suite.

Discover pivotal strategies to fortify systemd services and effectively minimize your Linux environment's vulnerability footprint.
Tags: Systemd Hardening, Linux Security Solutions, Minimize Attack Surface, Service Management

May 18, 2021 | Brittany Day | How to Learn Tips and Tricks

Exploring Systemd Log Files Effectively with Journalctl Commands

There are various commands available to Linux users for troubleshooting desktop and server logs. Learn the basics of the journalctl utility of Systemd and the commands that can be used to view and analyze Systemd logs in this DebugPoint.com guide.

Many say that Systemd is not good, that it is heavy on the system, and it remains a debated topic. But you cannot deny that it provides a solid set of utilities to manage and troubleshoot a system. Imagine you end up with a broken system with no GUI. You probably messed up boot and GRUB as well. In those kinds of scenarios, or in general, you can boot from a live system, mount your Linux partition and explore the Systemd logs to find out about the problem.

Systemd has three basic components:

- systemd: system and service manager for Linux operating systems.
- systemctl: command to introspect and control the state of the systemd system and service manager.
- systemd-analyze: provides system boot-up performance statistics and retrieves other state and tracing information from the system and service manager.

Apart from these three, there are additional services that systemd provides, such as journald, logind, networkd, etc. In this guide we will talk about the journald service of systemd.

Learn the ins and outs of utilizing journalctl for examining Systemd log files, along with essential troubleshooting commands to enhance system oversight.
Tags: Systemd Logs, Journalctl Commands, Linux Troubleshooting

Dec 08, 2020 | Brittany Day | How to Learn Tips and Tricks