Security & Hardening

Oreon Linux comes with robust security features enabled by default. This guide covers essential security practices and hardening techniques.

Security First

Security is a continuous process. Regular updates, proper configuration, and following best practices are essential for maintaining a secure system.

Firewall (firewalld)

Oreon uses firewalld as the default firewall management tool, providing a dynamic interface to manage iptables rules.

Basic Commands

# Check status
sudo firewall-cmd --state

# List active zones
sudo firewall-cmd --get-active-zones

# List services in default zone
sudo firewall-cmd --list-services

Managing Services

# Add service permanently
sudo firewall-cmd --add-service=ssh --permanent

# Remove service
sudo firewall-cmd --remove-service=http --permanent

# Reload firewall
sudo firewall-cmd --reload

Advanced Example

Allow SSH only from a specific subnet:

# Remove default ssh service if present
sudo firewall-cmd --remove-service=ssh --permanent
# Add specific rule
sudo firewall-cmd --add-rich-rule='rule family="ipv4" source address="192.168.1.0/24" service name="ssh" accept' --permanent
# Reload firewall
sudo firewall-cmd --reload

SELinux

SELinux (Security-Enhanced Linux) provides Mandatory Access Control (MAC), enforcing fine-grained permissions beyond standard Linux discretionary access controls.

  • Enforcing: actively blocks actions that violate policy (default and recommended)
  • Permissive: logs violations but does not block them (useful for debugging)
  • Disabled: SELinux is turned off (strongly discouraged)

Key SELinux Commands

Command             Description
sestatus            Check SELinux status and configuration
getenforce          Check current enforcement mode
sudo setenforce 0   Temporarily set to permissive mode
sudo setenforce 1   Temporarily set to enforcing mode
ausearch -m avc     Search for SELinux violations in the audit log

User Privileges & sudo

Adhere to the principle of least privilege. Avoid using the root account directly for daily tasks.

Best Practices

  • Use standard user accounts for daily tasks
  • Elevate privileges only when necessary using sudo
  • Manage sudo permissions carefully using visudo
  • Grant specific commands rather than full root access

sudo Configuration

# Edit sudoers file safely
sudo visudo

# Example: Allow user to restart services
username ALL=(ALL) /bin/systemctl restart *

SSH Security

Secure Shell (SSH) is often the primary remote access method. Proper configuration is crucial for security.

SSH Hardening

  • Disable root login
  • Use key-based authentication
  • Change default port
  • Limit user access
  • Use fail2ban for intrusion prevention

Configuration File

# Edit SSH config
sudo nano /etc/ssh/sshd_config

# Key settings:
Port 2222
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
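Editing the file is only half the job: sshd honours the first uncommented occurrence of a keyword, directives after a Match line are conditional, and on an SELinux host a non-default port must also be labelled and opened in firewalld. The following POSIX shell audit is an added example, not part of the Oreon docs; it checks a given sshd_config for the key settings above and assumes the whitespace-separated "Keyword value" form (Include drop-ins are not followed).

```shell
#!/bin/sh
# Added example (not from the Oreon docs): audit an sshd_config for the
# key settings listed above. sshd applies only the FIRST uncommented
# occurrence of a keyword, and anything after a "Match" line is
# conditional, so a plain grep can report a value that is never applied.

effective_setting() {
    # $1 = config file, $2 = keyword (case-insensitive). Prints the value
    # sshd would use, or nothing if absent (compiled-in default applies).
    # Limitation: "Include" drop-ins are not followed; use `sshd -T` output
    # on a live host for the authoritative effective configuration.
    awk -v key="$2" '
        NF == 0 || /^[ \t]*#/         { next }            # blank or comment
        tolower($1) == "match"        { exit }            # conditional section
        tolower($1) == tolower(key)   { print $2; exit }  # first match wins
    ' "$1"
}

audit_sshd_config() {
    # $1 = path to sshd_config. Prints one line per check; returns 1 on any FAIL.
    # Columns: keyword, required value, OpenSSH default when the keyword is absent.
    rc=0
    while read -r key want default; do
        have=$(effective_setting "$1" "$key")
        have=$(printf '%s' "${have:-$default}" | tr 'A-Z' 'a-z')
        if [ "$have" = "$want" ]; then
            echo "ok   $key=$have"
        else
            echo "FAIL $key=$have (want $want)"
            rc=1
        fi
    done <<EOF
PermitRootLogin no prohibit-password
PasswordAuthentication no yes
PubkeyAuthentication yes yes
EOF
    # With SELinux enforcing, sshd cannot bind a non-default port until it
    # carries the ssh_port_t label, and firewalld must allow it as well.
    port=$(effective_setting "$1" Port)
    port=${port:-22}
    if [ "$port" != 22 ]; then
        echo "note Port $port: label it (semanage port -a -t ssh_port_t -p tcp $port)" \
             "and open it (firewall-cmd --add-port=$port/tcp --permanent) before restarting sshd"
    fi
    return $rc
}

# Stand-alone usage: sh audit.sh /etc/ssh/sshd_config
if [ "$#" -eq 1 ]; then audit_sshd_config "$1"; fi
```

On a live host, `sudo sshd -T` prints the effective configuration (lowercase keywords, Include files resolved); saving that output to a file and auditing it gives the authoritative answer.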

System Updates

Keeping the system updated is one of the most critical security practices. Updates patch known vulnerabilities.

Update Strategy

  • Regularly run sudo dnf update
  • Consider configuring automatic updates using dnf-automatic
  • Monitor security advisories
  • Test updates in non-production environments first

See the System Updates guide for more details.

Additional Security Tools

Fail2ban

Intrusion prevention system that monitors logs and bans IPs with malicious activity.

sudo dnf install fail2ban
sudo systemctl enable --now fail2ban

AIDE

Advanced Intrusion Detection Environment for file integrity monitoring.

sudo dnf install aide
# Build the initial database (written as aide.db.new.gz under /var/lib/aide with the default aide.conf)
sudo aide --init
# Install it as the reference database; --check has nothing to compare against until this is done
sudo mv /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz
sudo aide --check