For the common Windows user, or even for some Windows administrators, Linux often seems like a scary, foreign beast. But it doesn't have to be. It's true that Linux does things differently from Windows in many respects, but once you start to wrap your mind around how Linux works, mastering it is much less difficult than you might think.
With that need in mind, keep reading for a guide on best practices to follow when working with a Linux-based system. This article is certainly not a complete guide to Linux, but it introduces some of the key concepts you should get to know (and which may seem strange to you if you come from a Windows background).
We will discuss the best way to manage system configuration, including system updates, disabling unwanted services, and properly backing up your system. We will also cover file structure organization (including industry-standard practices), proper partitioning, and directory access rules. Finally, we’ll go over a few tips on how to properly secure your system, including disk encryption, password requirements, and disabling and changing default ports as needed.
It’s always a best practice to keep your system up-to-date at all times. There are a number of reasons for this. First of all, it ensures that any security holes are patched appropriately. Second, and just as important to a system administrator, is that updating your software regularly will ensure that you are running the most optimized versions possible. When bugs are discovered, they are patched via system updates.
Most Linux distributions provide tools that allow you to update all of the software on your system (not just the operating system, but all user applications, too) with just one command, if you desire. They can do this because on Linux, almost all software is installed via "packages." To update your system or an individual application, you simply install the latest available version of the packages you require. Linux is different in this respect from Windows, where individual applications are usually installed and updated separately from the operating system itself.
The way you run updates on a Linux system will vary depending on which distribution you use.
If you are running a Red Hat or Fedora system, or one based on them, use the following commands to run updates on your machine:
- dnf update (to update the entire system)
- dnf update <package-name> (to update only a specific package)
If you are running a Debian-based system, such as Ubuntu, these commands can be used:
- apt-get update (to update the list of available package versions)
- apt-get upgrade (to download and install all available updates)
- apt-get install <package-name> (to update only a specific package)
It’s important to keep in mind a few specific best practices for updating your system. Updates should be scheduled appropriately, instead of applied all at once. Updates should also only be installed from reputable sources.
Further reading: Guide to Linux Patch Management
Disable Unwanted Services
Most Linux servers are configured by default with many services enabled. While this is convenient if you actually need all of the services, running services that aren't necessary wastes resources and creates additional surface area for attacks.
If you are managing a system that has already been created and are looking to disable and uninstall packages that you don’t need, the process is fairly simple.
To remove an installed package on a Red Hat, CentOS, or Fedora server, use the following command:
- dnf remove <package-name>
To remove an installed package from a Debian-based installation, such as Ubuntu, use this command:
- apt-get remove <package-name>
Packages that are removed can always be reinstalled later. So, as a rule of thumb, if you aren’t using it currently, remove it!
It may seem like common sense, but system backups shouldn’t be ignored. Backups should be run nightly to verify that your system is always protected and ready for recovery, if needed. A common rule of thumb for system backup practices is that you should have copies of your three most recent backups, stored in two different locations, with one of those locations being off-site. This rule is a good baseline, but it’s not a bad idea to expand upon this as well.
There are a number of Linux-compatible backup solutions out there, each with its own pros and cons. The most important thing is not which system you use, but simply ensuring that you have some backup plan in place.
There is some debate on which directories on a Linux system need to be backed up, and which should just be reinstalled upon recovery. Most administrators agree that the following two directories should be backed up, because they contain important user data or configuration files:
Beyond that, what should be backed up depends on your system. Most administrators have a good understanding of their system, and what needs to be backed up on it.
Further reading: How to Back Up a Linux Server
File Structure Organization
Stick To Industry-Standard Practices
File systems on most Linux distributions are broken down into several major directories, each with a different purpose. Although you can modify the file system if you like, it's a good idea to stick with the standard structure, because it's what other administrators expect.
Here are a few industry-standard, basic rules of thumb for organizing Linux directories and the data inside them:
- /home - This is where all user data is stored. User folders are stored in subdirectories that exist within /home, generally in the format of /home/<username>.
- /etc - This is where most application configuration files are stored.
- /var - This is a directory that can be used for a number of different things, including -- and most importantly -- log files. Logs are often kept in the /var/log subdirectory.
- /tmp - This is where temporary files are stored. The system automatically removes files in this directory periodically. Therefore, files that need to be kept permanently should not be stored here. But it is a handy place for storing data that you only need to keep on hand temporarily, such as files that you are transferring to another server, or email attachments that you only need to access one time.
Following these simple rules will not only make it easier for you to manage your server, but will also simplify the jobs of other administrators that work on your system.
On Windows, the entire file system usually exists within a single partition on your hard drive. On Linux, however, you have the option of setting up different partitions to host different parts of your file system.
Although you can store everything inside one partition on Linux if desired, spreading it across multiple partitions can be advantageous in several ways. It allows you to delete data in one partition without touching other parts of the system. You can also create an image of an individual partition in order to copy or back up just that partition. Finally, partitioning offers security and access-control advantages because you can choose to "unmount" a partition when it is not in use, or mount partitions in read-only mode so that no one can modify data stored in them.
Here are a few standard partitions that exist on most Linux systems:
- / - This partition hosts the root directory of your system.
- /home - This partition hosts all of your user directories.
- /swap - This partition is used, along with RAM, for virtual memory. When you run out of RAM, the swap directory is used to house additional data.
Further reading: How to Resize Partitions in Linux
Understand User Permissions
Understanding user permissions and configuring them appropriately on your system is a big part of properly administering a Linux server. There are a number of different schools of thought on the best practices for user permissions, but the one thing that all administrators agree on is that permissions on files and folders should all be configured to allow the least amount of access necessary.
There are several command-line utilities that you use on Linux to set or change file permissions:
- chmod - modifies user permissions on a specific file or directory
- chown - changes ownership of a specific file or directory
- chgrp - changes group ownership on a specific file or directory
- su or sudo - temporarily gain root privileges as a superuser
Most distributions provide graphical interfaces that you can use to configure permissions, too, if desired.
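To make the "least amount of access necessary" rule concrete, here is an added example (not part of the original article) that finds entries writable by every user and tightens them with chmod. The function names and the sample tree are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original article): find entries that grant
# write access to every user, then remove it with chmod.

# List world-writable files, plus world-writable directories that lack the
# sticky bit (in those, any user can delete or replace other users' files).
find_world_writable() {
    find "$1" -xdev \( \( -type f -perm -0002 \) -o \
        \( -type d -perm -0002 ! -perm -1000 \) \) -print 2>/dev/null | sort
}

# Remove "other" write access from everything find_world_writable reports.
tighten_world_writable() {
    find_world_writable "$1" | while IFS= read -r path; do
        chmod o-w "$path"
    done
}

# Build a constructed sample tree and print its path.
make_sample_tree() {
    t=$(mktemp -d) || return 1
    mkdir "$t/shared" "$t/dropbox"
    : > "$t/notes.txt"; : > "$t/config.ini"
    chmod 666 "$t/notes.txt"    # world-writable file: reported
    chmod 644 "$t/config.ini"   # owner-writable only: not reported
    chmod 777 "$t/shared"       # world-writable, no sticky bit: reported
    chmod 1777 "$t/dropbox"     # sticky bit set, like /tmp: not reported
    printf '%s\n' "$t"
}

tree=$(make_sample_tree)
echo "Before:"; find_world_writable "$tree"
tighten_world_writable "$tree"
echo "After: $(find_world_writable "$tree" | wc -l) entries remain"
rm -rf "$tree"
```

Run the report on its own first and review the list before tightening anything on a real server, since some applications rely on shared writable directories.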
Among the most basic of security practices is disk encryption. There is almost no excuse for not having all servers with sensitive data running on encrypted hardware. If your hard drives were ever to fall into the wrong hands, encryption would render your disks unreadable by unauthorized parties. Your disks can be encrypted with Linux software packaged with your operating system, or a number of different third-party applications.
Every administrator should abide by a standard set of password requirements. These requirements should include:
- Forced passwords. Every user should be required to have a password.
- Password aging. Users should be forced to change their passwords after a set period of time.
- Password history. Users should be forced to use new, unique passwords, and not use the same passwords over and over again.
Following these simple rules goes a long way toward securing access to your system.
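The three rules above can be checked mechanically. The following added example (not part of the original article) audits shadow(5)-format account data for missing passwords and missing aging limits, and reads the password history depth from a PAM password stack that uses pam_pwhistory. The accounts, the 90-day limit, and the PAM lines are constructed sample values.

```shell
#!/bin/sh
# Added example (not from the original article): check the three password
# rules against shadow(5)-format data and a PAM password stack.

# Print "NOPASSWORD user" for an empty password field, and "NOAGING user"
# when a usable account's maximum password age (field 5) is unset or > $2.
audit_shadow() {
    awk -F: -v max="$2" '
        $2 == ""                 { print "NOPASSWORD", $1; next }
        $2 ~ /^[!*]/             { next }  # locked or login-disabled
        $5 == "" || $5 + 0 > max { print "NOAGING", $1 }
    ' "$1"
}

# Print the pam_pwhistory "remember=" depth in a PAM file, or 0 if absent.
history_depth() {
    awk '/^[ \t]*#/ { next }
         /pam_pwhistory\.so/ {
             for (i = 1; i <= NF; i++)
                 if ($i ~ /^remember=/) d = substr($i, 10)
         }
         END { print d + 0 }' "$1"
}

# Constructed sample data; on a real host the inputs would be /etc/shadow
# (readable by root only) and the distribution's PAM password file.
shadow_sample=$(mktemp); pam_sample=$(mktemp)
trap 'rm -f "$shadow_sample" "$pam_sample"' EXIT
cat > "$shadow_sample" <<'EOF'
root:$6$constructed$hash:19000:0:90:7:::
alice:$6$constructed$hash:19000:0:99999:7:::
bob::19000:0:90:7:::
daemon:*:19000:0:99999:7:::
carol:$6$constructed$hash:19000:0::7:::
EOF
cat > "$pam_sample" <<'EOF'
# constructed sample of a PAM password stack
password required   pam_pwhistory.so remember=5 use_authtok
password sufficient pam_unix.so sha512 shadow use_authtok
EOF

audit_shadow "$shadow_sample" 90
echo "password history depth: $(history_depth "$pam_sample")"
```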
Port Disabling and Changes
Port management is another simple, obvious, and important part of keeping your server secure. Port security can be handled in two different ways on a Linux server: port changes and port disabling.
If there are ports open that don’t need to be, these ports should be disabled immediately. Different Linux firewall packages, such as IPTables or SELinux, can help with disabling ports. If you do need these ports left open, you can change them so that they don't use default port numbers. (Attackers often scan systems in an attempt to identify unsecured services running on default ports.)
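Before disabling or changing anything, it helps to know which ports are actually listening. The following added example (not part of the original article) compares listening TCP sockets, in the layout printed by `ss -tln`, against an allowlist of ports the server is meant to expose. The sample output, the allowlist, and the relocated SSH port 2222 are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original article): compare listening TCP
# sockets with an allowlist of ports the server is meant to expose.

# Read `ss -tln`-style lines on stdin; $1 is a comma-separated allowlist.
# Print "port address" for each non-loopback listener not on the list.
unexpected_listeners() {
    awk -v allowed="$1" '
        BEGIN { n = split(allowed, a, ","); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $1 != "LISTEN" { next }            # skips the header line
        {
            addr = $4; port = $4
            sub(/.*:/, "", port)           # text after the last colon
            sub(/:[^:]*$/, "", addr)       # text before the last colon
            if (addr ~ /^127\./ || addr == "[::1]") next   # loopback only
            if (!(port in ok)) print port, addr
        }' | sort -n
}

# Constructed sample in the layout printed by `ss -tln`. sshd has been moved
# from port 22 to the hypothetical port 2222; 23 and 3306 were never intended.
sample_listeners() {
    cat <<'EOF'
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port
LISTEN  0       128     0.0.0.0:2222         0.0.0.0:*
LISTEN  0       511     [::]:80              [::]:*
LISTEN  0       128     127.0.0.1:631        0.0.0.0:*
LISTEN  0       80      0.0.0.0:3306         0.0.0.0:*
LISTEN  0       128     0.0.0.0:23           0.0.0.0:*
EOF
}

sample_listeners | unexpected_listeners "2222,80"
# On a live host: ss -tln | unexpected_listeners "2222,80"
```

Each port the function prints is a candidate for either stopping the service behind it or blocking it at the firewall.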
Further reading: Linux Server Hardening Best Practices
The idea of being responsible for the management of a Linux server can be a little scary for first-time Linux administrators. However, establishing a strong set of best practices will help administrators master their Linux servers, as well as make it easier for other admins to work with the same servers in the future.
Your best practices should include considerations for system configurations, including system backups, update processes, and streamlining installed packages. File structure organization is another important area, where it's best to follow industry standards and to understand how user permissions work. Finally, security considerations should be factored in as well, including disk encryption, password requirements, and port security. Having all of these best practices in your Linux toolbox will go a long way toward effective server management.