Security & Hardening
SSH hardening, sudo, fail2ban, SELinux/AppArmor, firewalls and disk encryption.
Seccomp-BPF Syscall Filtering
Apply seccomp-BPF syscall filtering with libseccomp and systemd SystemCallFilter to harden Linux services using allowlists, denylists, and argument-level rules.
Linux Capabilities Explained
Learn how Linux capability bits work, how to audit and replace setuid binaries with setcap/getcap, and how to use ambient capabilities in systemd services.
Hands-on Linux Auditing with auditd
Learn to configure auditd rules, watch critical files and syscalls, and extract actionable security intelligence with ausearch and aureport on modern Linux.
Install the Wazuh Agent on Linux
Install and configure the Wazuh Agent on Linux: add the repo, enroll with your manager, set up log collection, file integrity monitoring, and vulnerability detection.
Runtime Security with Falco
Install Falco with the modern eBPF probe, write custom detection rules, and route real-time runtime security alerts to Grafana Loki and Slack.
Install BunkerWeb for nginx-based WAF
Deploy BunkerWeb as an nginx-based WAF using Docker Compose, configure ModSecurity with OWASP CRS, enable bot blocking, and verify malicious traffic is blocked.
Apply CIS Benchmarks with OpenSCAP
Use OpenSCAP and scap-security-guide to evaluate, report on, and remediate Linux systems against CIS Benchmarks — covering install, eval, and automation.
Manage Secrets with Ansible Vault
Encrypt Ansible secrets with AES-256 using ansible-vault: encrypt files and inline vars, automate with password files, and isolate group-level secrets with vault IDs.
Use a YubiKey for SSH and GPG
Move SSH and GPG private keys onto a YubiKey using the OpenPGP applet with gpg-agent and FIDO2 resident keys, with touch policies and offline backups.
Use pass — the UNIX Password Manager
Set up pass, the UNIX password manager: initialise a GPG-encrypted store, manage credentials, sync across machines with Git, and integrate with your browser.
Encrypt Files with age and rage
Learn to encrypt and decrypt files with age and rage: generate keys, encrypt for multiple recipients, use SSH keys, and integrate with the passage password manager.
Replace fail2ban with CrowdSec
Replace fail2ban with CrowdSec: install the agent and firewall bouncer, activate crowd-sourced blocklists, configure scenarios, and verify enforcement with nftables.
Protect SSH against Brute-force with fail2ban
Install and configure fail2ban to automatically block SSH brute-force attacks using jails, custom ban times, allowlists, and the recidive jail.
Use osquery for Linux Host Visibility
Install osquery on Linux, write SQL queries against processes, files, and sockets, configure FIM packs, and enroll hosts into a Fleet manager for full fleet visibility.
Manage SSH Keys and the SSH Agent
Generate ed25519 and RSA SSH keys, manage passphrases with ssh-agent and keychain, forward credentials safely, and harden with FIDO2 hardware tokens.
Audit a Linux Server with Lynis
Run Lynis on any Linux server, interpret the hardening index and findings, apply the most impactful fixes, and automate weekly audits with a systemd timer.
Lock Down systemd Services (Sandboxing)
Harden Linux daemons using systemd sandboxing directives: ProtectSystem, PrivateTmp, NoNewPrivileges, CapabilityBoundingSet, and SystemCallFilter explained step by step.
Detect Rootkits and Malware on Linux
Use chkrootkit, rkhunter, ClamAV, and Lynis to scan a Linux system for rootkits and malware — what each tool actually checks and how to read the results.
Linux Disk Encryption Strategies
A practical guide to Linux disk encryption: full-disk LUKS2, encrypted /home partitions, kernel-native fscrypt, and file-level tools age and gocryptfs.
Auto-unlock LUKS at Boot with TPM2 and Clevis
Bind a LUKS2 volume to your TPM2 chip with Clevis so encrypted disks unlock automatically at boot — without sacrificing your recovery passphrase.
chrony and Secure Time on Linux
Configure chrony with NTS (authenticated NTP over TLS) on Linux to prevent clock-skew attacks and protect Kerberos, TLS, and TOTP authentication.
How to Use a YubiKey on Linux
Use a YubiKey on Linux for PIV SSH, FIDO2 sudo and login via PAM, GPG smart card subkeys, and SSH through gpg-agent — step by step.
How to Add Two-Factor Authentication to SSH
Enforce two-factor authentication on SSH using PAM and Google Authenticator TOTP, with YubiKey alternatives and per-user exemption patterns for automation accounts.
How to Scan a Linux System for Malware with ClamAV
Install ClamAV on Linux, update virus signatures with freshclam, run on-demand and scheduled scans, and verify detection works with the EICAR test file.
How to Protect nginx with fail2ban
Build custom fail2ban filters for nginx to block bad bots, brute-force attempts, and scanners — with tuned ban times and firewall backend configuration.
How to Detect Rootkits with rkhunter
Install rkhunter, build a clean file-property baseline, tune the config to cut false positives, and automate daily scans with a systemd timer.
How to Configure ModSecurity as a Web Application Firewall
Install ModSecurity with OWASP CRS on Apache or Nginx, run it in detection mode to catch false positives, tune exclusions, then enforce blocking.
How to Audit Linux Hardening with Lynis
Run Lynis to audit your Linux server, interpret the hardening index and warning output, and work through findings from critical to low-effort wins.
Shadow Passwords Explained
Learn why /etc/shadow exists, how to read its nine fields, which hashing algorithms are current, and how to manage password aging with chage, pwconv, and pwck.
How to Set Up GPG Encryption
Generate GPG key pairs, encrypt and decrypt files, sign data, manage your keyring, and verify signatures on Debian, Fedora, and Arch Linux.
How to Set Up a Firewall with UFW
Learn to configure UFW on Linux: set secure default policies, open only the ports you need, read existing rules, and verify your firewall is working correctly.
How to Set Up a Firewall with firewalld
Learn how to configure firewalld using zones, services, rich rules, and source bindings — with a clear explanation of runtime vs permanent changes.
SELinux Explained (and How to Live With It)
Learn SELinux modes, file contexts, booleans, and how to fix denials with restorecon, setsebool, and audit2allow — without ever disabling it.
How to Secure Webmin
Harden Webmin against attack: restrict access by IP, enforce HTTPS with valid certs, set up TOTP two-factor auth, integrate Fail2ban, and lock down modules.
Linux Server Security Checklist
A step-by-step Linux server hardening checklist: secure SSH, firewall rules, automatic updates, service auditing, fail2ban, and intrusion detection for any internet-facing server.
How to Install and Configure fail2ban
Install fail2ban, configure the SSH jail, tune ban times, write custom filters, and verify bans are working — on Debian, Fedora, and Arch.
How to Harden SSH on Linux
Lock down OpenSSH with key-only auth, disabled root login, user allowlists, and firewall rules. Step-by-step for Ubuntu, Fedora, RHEL, and Arch.
How to Encrypt a Disk with LUKS
Encrypt a full disk or individual partition on Linux using LUKS2 and cryptsetup, including key management, boot integration, and header backups.
How to Configure sudo Safely
Learn to configure sudo securely using visudo, sudoers syntax, per-command restrictions, NOPASSWD, and drop-in files to enforce least-privilege access on Linux.
How to Enable Automatic Security Updates
Enable automatic security updates on Debian, Ubuntu, Fedora, and RHEL using unattended-upgrades and dnf-automatic — configured to patch safely without manual effort.
How to Audit a Linux System with auditd
Set up auditd on Linux to track file access, syscalls, and privilege use. Covers persistent rules, file watches, ausearch, and aureport across major distros.
AppArmor Explained
Learn how AppArmor profiles work, how to switch between enforce and complain mode, create new profiles, and diagnose access denials on Ubuntu, Debian, and Arch.