Linux-Security on K-Life Hack | Seoul Gastronomy & Travel Guide

Security Hardening and Network Infrastructure Implementation Essentials in Linux System Administration

Mon, 25 May 2026 17:49:20 +0900

Security Hardening and Network Availability Optimization in Linux System Administration

In Linux system operation and management, security hardening and ensuring network availability are top priorities for infrastructure engineers. From strengthening authentication mechanisms to network layer redundancy and permission management in task automation, the practical technical specifications are organized below.

1. Advancing SSH Authentication Mechanisms: Implementation of Key-Based Authentication

Traditional password authentication is vulnerable to brute-force attacks and credential leaks. In contrast, key-based authentication using asymmetric encryption establishes an authentication model based on possession rather than knowledge, providing a high level of security.

1.1 Key Pair Structure and Authentication Workflow

The private key generated on the client side must be stored securely, and only the public key is registered in the server’s ~/.ssh/authorized_keys. The authentication process is executed via a challenge/response method involving connection requests, authentication challenges, digital signature creation using the private key, and signature verification with the registered public key.

1.2 Implementation Command Examples

In Linux environments, ssh-keygen is used to generate key pairs, which are then deployed under appropriate permission settings.

ssh-keygen -t rsa -b 4096
ssh-copy-id user@remote_host

2. Server Security Hardening and Auditing

Password complexity and the selection of hashing algorithms are the foundation of system defense. Current standard specifications recommend hashing using SHA-512 ($6$). These settings are controlled through /etc/login.defs or PAM (Pluggable Authentication Modules) modules.

As part of security auditing by administrators, detecting weak passwords using tools like John the Ripper and static analysis of suspicious files using VirusTotal are effective. As an operational precaution, anti-phishing measures, such as verifying links hidden by URL shortening services like TinyURL, are also essential.

3. Communication Tunneling via SSH Port Forwarding

SSH tunneling is a technique for building another logical communication channel within an encrypted SSH session. This ensures a secure access path to ports restricted by firewalls.

3.1 Local Port Forwarding Implementation

This configuration forwards a specific port on the client side to a target host via a remote server.

ssh -L 8080:target_host:80 user@remote_host

4. Network Infrastructure Redundancy and Optimization

4.1 IP Aliasing (IP Binding)

Assigning multiple IP addresses to a single physical NIC enables virtual hosting and other functions. In environments like CentOS, temporary assignment is possible using specific interface configuration commands.

ifconfig eth0:0 192.168.1.100 netmask 255.255.255.0 up

4.2 Network Bonding (Channel Bonding)

Multiple physical NICs are integrated into a single logical interface to ensure bandwidth expansion and fault tolerance. The main modes are as follows:

Mode 0 (balance-rr): Load balancing via round-robin.
Mode 1 (active-backup): Only one NIC is active, with automatic failover to the standby system upon failure.
Mode 4 (802.3ad LACP): Link aggregation in coordination with a switch.

5. Granular Permission Management via FACL (File Access Control Lists)

For complex permission requirements that the standard owner/group/others model cannot handle, FACL is used to grant individual permissions to specific users or groups.

setfacl -m u:username:rwx /path/to/file
getfacl /path/to/file

6. Task Automation and Access Control: Cron and At

Cron is used for periodic backups and log rotations, while at is used for one-time executions. Execution permissions for these must be strictly managed via /etc/cron.allow and /etc/cron.deny.

6.1 Cron Configuration Specifications

The following configuration describes settings for automatically executing jobs based on a specific schedule.

# Execute backup script every day at 3:00 AM
00 03 * * * /usr/local/bin/backup.sh

7. Log Management and System Observability

Log data accumulated under /var/log/ is a lifeline for fault diagnosis. To prevent disk space exhaustion, proper generation management and compression using logrotate are essential. Additionally, real-time system monitoring using the watch command and measuring process execution time with the time command provide fundamental data for performance tuning.

Conclusion

The core of Linux system administration lies in the thorough application of the Principle of Least Privilege through SSH key authentication and FACL, combined with achieving both network flexibility and robustness through bonding and tunneling. By appropriately combining these technical elements, a secure and highly available infrastructure foundation can be realized.

Implementing Process Auditing and Log Forwarding Using auditd and rsyslog

Sun, 24 May 2026 10:21:24 +0900

Building an Audit Log Management Infrastructure in Linux Systems: Secure System Call Monitoring and External Forwarding with auditd and rsyslog

1. Challenges and Background in Auditing and Log Management

In Linux systems, monitoring process execution states and system calls is fundamental to ensuring security. However, relying solely on standard application-level log output (such as syslog) introduces several serious challenges.

⚠️ Risk of Log Tampering: If an attacker gains root privileges, locally stored plaintext log files (such as /var/log/auth.log) can be easily cleared or tampered with.

⚠️ Lack of System Call-Level Visibility: Standard syslog relies on logs self-reported by applications, making it impossible to forcibly capture system calls (such as file modification or privilege escalation) executed directly by unauthorized binaries.

To address these challenges, we define the implementation steps for an auditing infrastructure that combines auditd, which intercepts system calls at the kernel level, and rsyslog, which forwards logs externally over a highly reliable TCP connection.

2. Technology Selection and Trade-offs

In the design of system auditing and log management, the following trade-offs were considered.

Comparison of syslog and auditd: syslog is suitable for recording application-layer events but cannot forcibly track process behavior. On the other hand, auditd captures system calls at the kernel boundary, preventing processes from taking evasive actions. However, depending on the rule configuration, a large volume of logs may be generated, creating a trade-off that strains disk I/O and storage capacity.

Comparison of UDP Forwarding and TCP Forwarding: In remote forwarding via rsyslog, UDP (@) is fast but carries a risk of packet loss. TCP (@@) is connection-oriented and performs retransmission control even during temporary network disconnections, so TCP is adopted for forwarding security audit logs.

3. Implementation Steps

3.1 Installing and Enabling auditd

In a Debian/Ubuntu environment, run the following commands to install auditd and enable the service.

sudo apt-get update
sudo apt-get install -y auditd audispd-plugins
sudo systemctl enable --now auditd

3.2 Defining Audit Rules

Add custom rules to /etc/audit/rules.d/audit.rules to monitor access to critical files and directories.

-w /etc/shadow -p wa -k shadow_watch
-w /etc/sudoers -p wa -k sudoers_watch

Reload the audit rules to apply the configuration.

sudo auigenrules --load

3.3 Remote TCP Forwarding Configuration via rsyslog

To prevent local log tampering, add a remote forwarding rule to /etc/rsyslog.conf (or a configuration file under /etc/rsyslog.d/).

*.* @@remote-log-server:514

After modifying the configuration, restart the rsyslog service.

sudo systemctl restart rsyslog

4. Operational Verification and Log Analysis Pipeline

4.1 Searching Audit Logs (ausearch)

Search for events matching the defined key (shadow_watch) and display them with numeric values converted to a human-readable format.

sudo ausearch -k shadow_watch -i

4.2 Detecting Deleted Executable Binaries

💡 Identify suspicious processes that are running in memory but have been deleted from the disk.

sudo ls -l /proc/*/exe | grep "deleted"

4.3 Aggregating SSH Brute-Force Attacks

Extract IP addresses with a high number of failed login attempts from /var/log/auth.log and sort them in descending order.

grep "Failed password" /var/log/auth.log | awk '{print $(NF-3)}' | sort | uniq -c | sort -nr

5. Deployment Benefits

With the deployment of this configuration, the following benefits have been verified.

💡 Improved Audit Comprehensiveness: Modifications to /etc/shadow and /etc/sudoers are now reliably recorded at the kernel level along with the executing user ID (auid).

💡 Ensured Log Integrity: Thanks to rsyslog’s TCP forwarding configuration, even if local logs are cleared, the event history remains traceable on the remote log server.