Unix-like Security: Guarding Your Digital Castle
Imagine your computer is a medieval castle. You're the ruler, and you need to decide who can enter which rooms, what they can touch, and how to keep invaders out. That's exactly what Unix-like security does!
The Big Picture: Your Three-Layer Shield
```mermaid
graph TD
    A["Your System"] --> B["File Permissions"]
    A --> C["Security Controls"]
    A --> D["Hardening"]
    B --> E["Who can read?"]
    B --> F["Who can write?"]
    B --> G["Who can execute?"]
```
Think of Unix security like a castle with:
- Locked doors (file permissions)
- Guards (security controls)
- Strong walls (hardening)
- Secret tunnels (SSH)
Linux File Permissions: The Three Keys
The Magic Numbers: Read, Write, Execute
Every file in Linux has three types of permission:
| Symbol | Number | Meaning | Castle Analogy |
|---|---|---|---|
| r | 4 | Read | Look at the treasure |
| w | 2 | Write | Add or remove treasure |
| x | 1 | Execute | Use the magic sword |
The Three Groups: Owner, Group, Others
```text
-rwxr-xr--
 ││││││└┴┴─ Others (everyone else): r--
 │││└┴┴──── Group (your team):      r-x
 └┴┴─────── Owner (you, the king!): rwx
```
The very first character is the file type: - for a regular file, d for a directory.
Real Example:
```text
ls -l myfile.txt
-rw-r--r-- 1 alice staff 1024 Jan 1 myfile.txt
```
This means:
- Owner (alice): Can read and write
- Group (staff): Can only read
- Others: Can only read
Changing Permissions: The chmod Command
Using numbers (easy math!):
```sh
chmod 755 script.sh
```
- 7 = 4+2+1 (read+write+execute) for owner
- 5 = 4+1 (read+execute) for group
- 5 = 4+1 (read+execute) for others
Using letters:
```sh
chmod u+x script.sh   # Give owner execute
chmod go-w file.txt   # Remove write from group/others
```
Special Permissions: The Super Powers
| Permission | Symbol | Effect |
|---|---|---|
| SUID | s on owner | Run as file owner |
| SGID | s on group | Run as file group |
| Sticky | t on others | Only the file's owner can delete it (set on directories) |
Example: The /tmp folder has sticky bit:
```text
drwxrwxrwt /tmp
```
Everyone can write, but only you can delete YOUR files!
Linux Security Controls: Your Castle Guards
SELinux: The Strict Librarian
SELinux (Security-Enhanced Linux) is like having a very strict librarian who checks EVERYTHING.
```mermaid
graph TD
    A["Process wants to access file"] --> B{SELinux Check}
    B -->|Allowed| C["Access Granted"]
    B -->|Denied| D["Access Blocked"]
    B -->|Audit| E["Logged for review"]
```
Three Modes:
- Enforcing: Rules strictly applied
- Permissive: Only logs violations
- Disabled: No protection
Check your mode:
```sh
getenforce
```
AppArmor: The Friendly Bouncer
AppArmor is like a bouncer with a guest list. Simpler than SELinux!
Example Profile:
```text
/usr/bin/firefox {
  # ** also matches files inside subdirectories; a bare directory path matches only the directory itself
  /home/*/.mozilla/** rw,
  /tmp/ r,
  deny /etc/passwd r,
}
```
Firefox can read/write its own folder, but NOT your password file!
Capabilities: Splitting the King's Power
Instead of giving ALL power (root), give just what's needed:
| Capability | What It Does |
|---|---|
| CAP_NET_BIND_SERVICE | Bind to ports below 1024 |
| CAP_SYS_ADMIN | Many admin tasks (close to full root, so grant it sparingly) |
| CAP_CHOWN | Change file ownership |
Example: Let a web server bind to port 80 without being root:
```sh
setcap 'cap_net_bind_service=+ep' /usr/bin/myserver
```
Linux Hardening: Building Stronger Walls
Step 1: Remove Unused Services
Every running service is a potential door for attackers!
```sh
systemctl list-unit-files --state=enabled
systemctl disable bluetooth.service
```
Step 2: Firewall Configuration (iptables/nftables)
```sh
# Allow what you need first, then block everything else: setting the DROP
# policy before the ACCEPT rules can cut off the SSH session you are typing in
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -P INPUT DROP
iptables -P FORWARD DROP
```
Step 3: Kernel Hardening
Add to /etc/sysctl.conf:
```text
# Disable IP forwarding
net.ipv4.ip_forward = 0
# Ignore ICMP broadcasts
net.ipv4.icmp_echo_ignore_broadcasts = 1
# Enable SYN flood protection
net.ipv4.tcp_syncookies = 1
```
Step 4: User Account Security
```sh
# Lock unused accounts
usermod -L olduser
# Set password expiration
chage -M 90 username
# Check for empty passwords
awk -F: '($2 == "") {print}' /etc/shadow
```
The Hardening Checklist
| Task | Command | Why |
|---|---|---|
| Update system | apt update && apt upgrade | Fix known bugs |
| Remove old packages | apt autoremove | Less attack surface |
| Check open ports | ss -tulpn | Know your doors |
| Review users | cat /etc/passwd | Know who's inside |
SSH Security: The Secret Tunnel
SSH is like a secret, encrypted tunnel into your castle.
Basic Hardening in /etc/ssh/sshd_config
```text
# Disable root login
PermitRootLogin no
# Use SSH keys only (no passwords!)
PasswordAuthentication no
# Change default port (optional)
Port 2222
# Allow only specific users
AllowUsers alice bob
```
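As an added example (not from the original page, and not part of OpenSSH or sysctl), the script below checks an sshd_config-style file and a sysctl.conf-style file (the kernel hardening step above) against the values you meant to set. It works on constructed temp files and ignores sshd Match blocks; the function names are my own.

```sh
#!/bin/sh
# Added example (not from the original page): read one setting out of a sysctl.conf-style
# ("key = value") or sshd_config-style ("Key value") file and compare it with the value
# you intended. Duplicates resolve differently: sysctl applies lines in order, so the LAST
# one wins; sshd uses the FIRST match, so an early line silently beats a hardening line
# added at the bottom of the file.

config_value() {
  # $1 file, $2 key (matched case-insensitively), $3 "first" (sshd) or "last" (sysctl)
  awk -v key="$2" -v pick="$3" '
    /^[[:space:]]*[#;]/ { next }              # comment line
    NF == 0 { next }                          # blank line
    {
      line = $0; gsub(/=/, " ", line)         # "a = b" and "a b" both split into fields
      n = split(line, f)
      if (n < 2 || tolower(f[1]) != tolower(key)) next
      if (pick == "first") { print f[2]; exit }
      last = f[2]; found = 1
    }
    END { if (pick != "first" && found) print last }
  ' "$1"
}

check_setting() {
  # $1 file, $2 first|last, $3 key, $4 expected value; returns 0 only when it matches.
  # MISSING means the program's built-in default applies (for sshd PasswordAuthentication that is yes).
  actual=$(config_value "$1" "$3" "$2")
  if [ -z "$actual" ]; then
    printf 'MISSING %s (want %s)\n' "$3" "$4"; return 1
  elif [ "$actual" = "$4" ]; then
    printf 'OK %s=%s\n' "$3" "$actual"; return 0
  else
    printf 'WEAK %s=%s (want %s)\n' "$3" "$actual" "$4"; return 1
  fi
}

demo() {
  # Constructed sample files standing in for /etc/ssh/sshd_config and /etc/sysctl.conf
  s=$(mktemp); y=$(mktemp)
  printf '%s\n' 'PermitRootLogin yes' 'PasswordAuthentication no' '# added later:' 'PermitRootLogin no' > "$s"
  printf '%s\n' 'net.ipv4.ip_forward = 1' 'net.ipv4.tcp_syncookies = 1' 'net.ipv4.ip_forward = 0' > "$y"
  check_setting "$s" first PermitRootLogin no            # WEAK: the first line still wins
  check_setting "$s" first PasswordAuthentication no     # OK
  check_setting "$y" last net.ipv4.ip_forward 0          # OK: the last line wins
  check_setting "$y" last net.ipv4.icmp_echo_ignore_broadcasts 1   # MISSING
  rm -f "$s" "$y"
}

demo
```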
SSH Keys: Your Magic Passport
```mermaid
graph LR
    A["Your Computer"] -->|Private Key| B["SSH Connection"]
    C["Server"] -->|Public Key| B
    B --> D["Secure Access!"]
```
Generate your key pair:
```sh
ssh-keygen -t ed25519 -C "your@email.com"
```
Copy to server:
```sh
ssh-copy-id user@server
```
SSH Config: Making Life Easier
Create ~/.ssh/config:
```text
Host myserver
    HostName 192.168.1.100
    User alice
    Port 2222
    IdentityFile ~/.ssh/mykey
```
Now just type: ssh myserver
Fail2Ban: The Automatic Guard
Fail2Ban watches for repeated failed logins and blocks attackers:
```sh
# Install
apt install fail2ban
# Check banned IPs
fail2ban-client status sshd
```
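As an added example (not from the original page, and not Fail2Ban's own code), this awk filter shows the core of what a Fail2Ban sshd jail does: count failed logins per source address in sshd log lines and flag the sources at or above a threshold (Fail2Ban's maxretry). The log lines are constructed, using documentation address ranges; the function names are my own.

```sh
#!/bin/sh
# Added example (not from the original page): the idea behind Fail2Ban's sshd jail,
# reduced to an awk filter over sshd log lines. Fail2Ban also limits the count to a
# time window (findtime) and then bans the address; this filter only does the counting.

failed_login_sources() {
  # $1: threshold; log lines arrive on stdin; prints "<ip> <count>" per offender, sorted
  awk -v max="$1" '
    /sshd\[[0-9]+\]: Failed password for/ {
      for (i = 1; i <= NF; i++) if ($i == "from") { count[$(i + 1)]++; break }
    }
    END { for (ip in count) if (count[ip] >= max) print ip, count[ip] }
  ' | sort
}

sample_auth_log() {
  # Constructed lines in the OpenSSH syslog style; the addresses are documentation ranges.
  cat <<'EOF'
Jan  1 10:00:01 castle sshd[1234]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Jan  1 10:00:03 castle sshd[1235]: Failed password for root from 203.0.113.5 port 51236 ssh2
Jan  1 10:00:05 castle sshd[1236]: Accepted publickey for alice from 192.0.2.10 port 40000 ssh2
Jan  1 10:00:07 castle sshd[1237]: Failed password for alice from 192.0.2.10 port 40002 ssh2
Jan  1 10:00:09 castle sshd[1238]: Failed password for root from 203.0.113.5 port 51240 ssh2
Jan  1 10:00:11 castle sshd[1239]: Accepted password for bob from 198.51.100.7 port 40010 ssh2
EOF
}

# Three failures from one address cross a maxretry of 3; alice's single typo does not.
sample_auth_log | failed_login_sources 3
```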
macOS Security Controls: The Apple Fortress
macOS shares Unix roots but adds its own security layers!
Gatekeeper: The App Bouncer
Gatekeeper checks if apps are from trusted sources.
```mermaid
graph TD
    A["App Download"] --> B{Gatekeeper Check}
    B -->|App Store| C["Trusted"]
    B -->|Signed Developer| D["Verified"]
    B -->|Unknown| E["Blocked!"]
```
Control via Terminal:
```sh
# Check status
spctl --status
# Allow app manually
spctl --add /path/to/app
```
System Integrity Protection (SIP)
SIP protects critical system files, even from root!
Protected areas:
- /System
- /usr (except /usr/local)
- /bin
- /sbin
Check SIP status:
```sh
csrutil status
```
FileVault: Full Disk Encryption
FileVault encrypts your entire drive. Even if someone steals your Mac, they can't read your files!
```sh
# Check status
fdesetup status
# Enable (requires restart)
sudo fdesetup enable
```
macOS Firewall
```sh
# Check firewall status
/usr/libexec/ApplicationFirewall/socketfilterfw --getglobalstate
# Enable firewall
sudo /usr/libexec/ApplicationFirewall/socketfilterfw --setglobalstate on
```
TCC: Transparency, Consent, Control
TCC manages app permissions for:
- Camera
- Microphone
- Location
- Contacts, Calendar, Photos
Apps must ASK before accessing these!
Quick Reference: Security Commands
| Task | Linux | macOS |
|---|---|---|
| Check file permissions | ls -la | ls -la |
| Change permissions | chmod 755 file | chmod 755 file |
| Check listening ports | ss -tulpn | lsof -i -P |
| View firewall rules | iptables -L | pfctl -sr |
| Check users | cat /etc/passwd | dscl . list /Users |
| SSH config location | /etc/ssh/sshd_config | /etc/ssh/sshd_config |
Your Security Superpower Checklist
- Understand rwx permissions (4, 2, 1)
- Know the three groups: owner, group, others
- Use SELinux or AppArmor for extra protection
- Harden your system: disable unused services
- Secure SSH: keys over passwords, disable root
- Enable macOS protections: Gatekeeper, SIP, FileVault
Remember
"Security is not a product, but a process." (Bruce Schneier)
Your castle needs:
- Strong doors (file permissions)
- Alert guards (security controls)
- Thick walls (hardening)
- Secret passages (secure SSH)
Now you're ready to defend your digital kingdom!
