How to Build a Complete Linux Enterprise Security Framework—from Intrusion Detection to Incident Response
This guide walks through a real-world DDoS and SSH brute‑force incident and shows how to design a layered Linux security architecture, configure firewalls, host hardening, OSSEC HIDS, Suricata IDS, ELK monitoring, automated response scripts, and continuous improvement metrics for enterprise environments.
Incident Recap
At 03:00 a production web server showed 95% CPU usage and a traffic spike; investigation revealed a DDoS attack combined with SSH brute‑force attempts, demonstrating the need for layered security.
Step 1 – Layered Defense Architecture
Network Boundary Protection
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# -m limit is one global token bucket: once 3 new connections per minute are used up,
# every SSH client is refused, so an attacker can lock administrators out. Apply the
# limit per source instead (see the tip below) or restrict port 22 to a management network.
iptables -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -m limit --limit 3/min -j ACCEPT
# --dport accepts a single port; a port list needs the multiport match
iptables -A INPUT -p tcp -m multiport --dports 80,443 -j ACCEPT
iptables -A INPUT -j DROP
Tip: place the most frequently matched rules (loopback, ESTABLISHED/RELATED) first so each packet traverses as few rules as possible. Use -m recent, which tracks recently seen source addresses, when the SSH rate limit should apply per client rather than globally; connection tracking itself is what -m conntrack provides.
Host Hardening
#!/bin/bash
# Read-only hardening check; run as root so every file and crontab is readable.
echo "=== Linux Security Hardening Check ==="
echo "Checking for UID 0 accounts (only root should appear)..."
awk -F: '($3 == 0) {print $1}' /etc/passwd
echo "Checking password policy..."
grep ^PASS /etc/login.defs
echo "Checking SSH config..."
# Include drop-in files: a hardened sshd_config can be overridden from sshd_config.d
grep -E "^(PermitRootLogin|PasswordAuthentication|PermitEmptyPasswords)" /etc/ssh/sshd_config /etc/ssh/sshd_config.d/*.conf 2>/dev/null
echo "Checking suspicious cron jobs..."
# crontab -l alone shows only the invoking user's crontab; check every user and the system-wide locations
for u in $(cut -d: -f1 /etc/passwd); do
    crontab -l -u "$u" 2>/dev/null | grep -v "^#" | sed "s/^/$u: /"
done
grep -rv "^#" /etc/crontab /etc/cron.d 2>/dev/null
Step 2 – Intrusion Detection System (IDS)
HIDS with OSSEC
<ossec_config>
  <global>
    <email_notification>yes</email_notification>
    <smtp_server>smtp.company.com</smtp_server>
    <email_from>[email protected]</email_from>
    <email_to>[email protected]</email_to>
  </global>
  <rules>
    <include>rules_config.xml</include>
    <include>pam_rules.xml</include>
    <include>attack_rules.xml</include>
    <include>local_rules.xml</include>
  </rules>
  <syscheck>
    <!-- full integrity scan every 22 hours (79200 s) -->
    <frequency>79200</frequency>
    <directories>/etc,/usr/bin,/usr/sbin,/bin,/sbin,/var/www</directories>
    <ignore>/etc/mtab</ignore>
  </syscheck>
  <rootcheck>
    <rootkit_files>/var/ossec/etc/shared/rootkit_files.txt</rootkit_files>
    <rootkit_trojans>/var/ossec/etc/shared/rootkit_trojans.txt</rootkit_trojans>
    <system_audit>/var/ossec/etc/shared/system_audit_rcl.txt</system_audit>
  </rootcheck>
  <remote>
    <!-- plain UDP syslog is unauthenticated and spoofable: keep it restricted to the internal range -->
    <connection>syslog</connection>
    <port>514</port>
    <protocol>udp</protocol>
    <allowed-ips>10.0.0.0/8</allowed-ips>
  </remote>
  <alerts>
    <log_alert_level>1</log_alert_level>
    <email_alert_level>7</email_alert_level>
  </alerts>
</ossec_config>
Network Traffic Analysis with Suricata
# suricata.yaml
vars:
  address-groups:
    HOME_NET: "[192.168.0.0/16,10.0.0.0/8,172.16.0.0/12]"
    EXTERNAL_NET: "!$HOME_NET"
    HTTP_SERVERS: "$HOME_NET"
    SMTP_SERVERS: "$HOME_NET"
    SQL_SERVERS: "$HOME_NET"
    DNS_SERVERS: "$HOME_NET"
    TELNET_SERVERS: "$HOME_NET"
    AIM_SERVERS: "$EXTERNAL_NET"
default-rule-path: /etc/suricata/rules
rule-files:
  - suricata.rules
  - /etc/suricata/rules/local.rules
af-packet:
  - interface: eth0
    threads: 4
    cluster-id: 99
    cluster-type: cluster_flow
    defrag: yes
Performance tips:
Bind worker threads to specific CPU cores.
Increase ring‑buffer size for memory optimization.
Regularly update rule sets and disable unnecessary rules.
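The OSSEC and Suricata configurations above say where alerts come from, but not what the correlation behind an SSH brute-force alert actually does. The following Python is an added example written for this guide (it is not OSSEC, Suricata or the author's code): it runs a per-source sliding window over constructed sshd log lines, the same frequency-within-timeframe idea OSSEC's sshd rules implement, so you can see what the HIDS fires on and why a sustained attack produces one alert rather than one per line. Hostnames, addresses and the 2024 year are constructed sample values.

```python
#!/usr/bin/env python3
"""Sliding-window SSH brute-force detection over sshd log lines (added example)."""
import re
from collections import defaultdict, deque
from datetime import datetime

# Syslog-style sshd line, e.g.
# "Mar  3 03:00:01 web01 sshd[2211]: Failed password for root from 203.0.113.7 port 51010 ssh2"
FAILED_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)

def parse_failed_login(line, year=2024):
    """Return (timestamp, user, source_ip) for a failed-password line, else None.
    Syslog timestamps carry no year, so the caller supplies it (assumed 2024 here)."""
    m = FAILED_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["user"], m["ip"]

def detect_brute_force(lines, threshold=6, window_s=120):
    """Alert when one source IP accumulates >= threshold failures within window_s seconds.

    Per-source sliding window. After an alert the window for that IP is reset, so a
    sustained attack yields one alert per `threshold` failures instead of one per line
    (the same effect as OSSEC's frequency/timeframe rules).
    """
    recent = defaultdict(deque)   # source ip -> timestamps still inside the window
    alerts = []
    for line in lines:
        parsed = parse_failed_login(line)
        if parsed is None:
            continue                  # accepted logins, other daemons, noise
        ts, user, ip = parsed
        q = recent[ip]
        q.append(ts)
        while q and (ts - q[0]).total_seconds() > window_s:
            q.popleft()               # expire failures older than the window
        if len(q) >= threshold:
            alerts.append({"ip": ip, "count": len(q), "first": q[0].isoformat(),
                           "last": ts.isoformat(), "last_user": user})
            q.clear()
    return alerts

# Constructed sample log: one noisy source, one that stays under threshold, one success.
SAMPLE_LOG = """\
Mar  3 03:00:01 web01 sshd[2211]: Failed password for root from 203.0.113.7 port 51010 ssh2
Mar  3 03:00:04 web01 sshd[2213]: Failed password for invalid user admin from 203.0.113.7 port 51012 ssh2
Mar  3 03:00:07 web01 sshd[2215]: Failed password for root from 203.0.113.7 port 51014 ssh2
Mar  3 03:00:09 web01 sshd[2218]: Failed password for ubuntu from 198.51.100.9 port 40022 ssh2
Mar  3 03:00:12 web01 sshd[2219]: Failed password for invalid user oracle from 203.0.113.7 port 51016 ssh2
Mar  3 03:00:15 web01 sshd[2221]: Accepted publickey for deploy from 192.0.2.10 port 33000 ssh2
Mar  3 03:00:18 web01 sshd[2223]: Failed password for root from 203.0.113.7 port 51018 ssh2
Mar  3 03:00:21 web01 sshd[2225]: Failed password for root from 203.0.113.7 port 51020 ssh2
Mar  3 03:00:30 web01 sshd[2227]: Failed password for ubuntu from 198.51.100.9 port 40024 ssh2
Mar  3 03:00:40 web01 sshd[2229]: Failed password for root from 203.0.113.7 port 51022 ssh2
""".splitlines()

def run_sample():
    """Detector output for SAMPLE_LOG: exactly one alert, for 203.0.113.7 after its sixth failure."""
    return detect_brute_force(SAMPLE_LOG)

if __name__ == "__main__":
    for a in run_sample():
        print(f"ALERT brute force from {a['ip']}: {a['count']} failures "
              f"between {a['first']} and {a['last']} (last user {a['last_user']})")
```

Pipe `tail -F /var/log/secure` (or auth.log) into `detect_brute_force` for a live check. The threshold and window are the two knobs that decide your false-positive rate: a user fat-fingering a password three times must not look like the 203.0.113.7 pattern above, and distributed attacks that spread attempts over many sources will not trip a per-source window at all, which is exactly why the network-side view from Suricata is kept alongside the host view.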
Step 3 – Security Monitoring Center
ELK Stack Log Mapping
{
  "mappings": {
    "properties": {
      "@timestamp": {"type": "date"},
      "host": {"type": "keyword"},
      "source_ip": {"type": "ip"},
      "dest_ip": {"type": "ip"},
      "alert_level": {"type": "integer"},
      "rule_id": {"type": "keyword"},
      "description": {"type": "text"},
      "user": {"type": "keyword"},
      "command": {"type": "text"}
    }
  }
}
Key Security Indicators (KSI)
Detection
Mean Time to Detect (MTTD) < 15 min
False‑positive rate < 5 %
Coverage > 95 %
Response
Mean Time to Respond (MTTR) < 30 min
Success rate > 98 %
Automation ratio > 80 %
Recovery
Mean Time to Recover < 2 h
Business continuity > 99.9 %
Step 4 – Incident Response Workflow
Automated Response Script
#!/bin/bash
# Usage: respond.sh <brute_force|malware|data_exfiltration> [source_ip]
set -u
INCIDENT_TYPE=$1
SOURCE_IP=${2:-}
LOG_FILE="/var/log/security_incident.log"
log_incident() {
    echo "$(date): [$INCIDENT_TYPE] $1" >> "$LOG_FILE"
}
# The source IP comes from alert data an attacker influences; validate it before it
# reaches an iptables command line or a mail subject.
valid_ipv4() {
    [[ $1 =~ ^([0-9]{1,3}\.){3}[0-9]{1,3}$ ]]
}
case "$INCIDENT_TYPE" in
  brute_force)
    valid_ipv4 "$SOURCE_IP" || { log_incident "Rejected malformed source IP '$SOURCE_IP'"; exit 1; }
    log_incident "Brute-force attack from $SOURCE_IP"
    iptables -I INPUT -s "$SOURCE_IP" -j DROP
    echo "Brute-force alert - IP: $SOURCE_IP" | mail -s "Security Alert" [email protected]
    ;;
  malware)
    log_incident "Malware activity detected"
    # Capture volatile memory before isolating, not after. /dev/mem is restricted on
    # current kernels (CONFIG_STRICT_DEVMEM), so this dd will usually fail; a kernel
    # module based acquisition tool (LiME, AVML) is the working replacement.
    dd if=/dev/mem of=/tmp/memory_dump.img
    systemctl stop network
    ;;
  data_exfiltration)
    log_incident "Data exfiltration risk detected"
    netstat -tulnp > /tmp/network_connections.txt
    # A DROP output policy also kills the admin's SSH session and log shipping to the
    # SIEM; allow the management network in OUTPUT before flipping the policy.
    iptables -P OUTPUT DROP
    ;;
  *)
    echo "unknown incident type: $INCIDENT_TYPE" >&2
    exit 2
    ;;
esac
Playbook Steps
Rapid Assessment
Identify incident type and scope.
Evaluate business impact.
Decide whether to trigger response.
Evidence Collection
# Compute the directory name once: calling date twice can cross a second boundary
# and leave the cd pointing at a different directory from the mkdir.
CASE_DIR="/tmp/incident_$(date +%Y%m%d_%H%M%S)"
mkdir -p "$CASE_DIR" && cd "$CASE_DIR" || exit 1
uname -a > system_info.txt
ps aux > process_list.txt
netstat -tulnp > network_connections.txt
# Log names differ by distro: messages/secure on the RHEL family, syslog/auth.log on Debian.
cp /var/log/messages /var/log/secure /var/log/auth.log . 2>/dev/null
# Hash with sha256; md5 collisions are cheap enough that md5 no longer proves integrity.
find /etc -type f -exec sha256sum {} \; > etc_sha256.txt
# /tmp on a compromised host is not a trusted store: ship the case directory off-box as soon as it is complete.
Threat Elimination
Isolate affected systems.
Remove malicious code.
Patch vulnerabilities.
System Recovery
Validate system integrity.
Restore services.
Strengthen post‑incident monitoring.
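The Evidence Collection commands above copy files and hash /etc, but nothing ties the copies to their hashes or records who collected what and when, which is what you need if the evidence is ever questioned. This Python is an added example, not the page's playbook code: it copies each artifact into a case directory, hashes it with SHA-256 at collection time, writes a manifest, and can later prove that the copies are unchanged. The paths, collector name and the one-line log content are constructed sample values; the demo runs in a temporary directory.

```python
#!/usr/bin/env python3
"""Evidence collection with an integrity manifest (added example)."""
import hashlib
import json
import os
import shutil
import tempfile
from datetime import datetime, timezone

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def collect_evidence(artifacts, case_root, collector="ir-oncall"):
    """Copy each readable file in `artifacts` into a new case dir; return the manifest path.
    Missing files are recorded as such rather than silently skipped."""
    stamp = datetime.now(timezone.utc).strftime("%Y%m%d_%H%M%S_%f")
    case_dir = os.path.join(case_root, f"incident_{stamp}")
    os.makedirs(case_dir)
    entries = []
    for src in artifacts:
        if not os.path.isfile(src):
            entries.append({"source": src, "status": "missing"})
            continue
        # Flatten the source path so two files with the same basename cannot collide.
        name = src.strip(os.sep).replace(os.sep, "_")
        dst = os.path.join(case_dir, name)
        shutil.copy2(src, dst)            # copy2 preserves mtime for timeline work
        entries.append({"source": src, "copy": name, "sha256": sha256_file(dst),
                        "size": os.path.getsize(dst), "status": "collected"})
    manifest = {"collected_at": datetime.now(timezone.utc).isoformat(),
                "collector": collector, "entries": entries}
    manifest_path = os.path.join(case_dir, "manifest.json")
    with open(manifest_path, "w") as f:
        json.dump(manifest, f, indent=2)
    return manifest_path

def verify_manifest(manifest_path):
    """Re-hash every collected copy; return the names whose content changed."""
    case_dir = os.path.dirname(manifest_path)
    with open(manifest_path) as f:
        manifest = json.load(f)
    return [e["copy"] for e in manifest["entries"]
            if e["status"] == "collected"
            and sha256_file(os.path.join(case_dir, e["copy"])) != e["sha256"]]

def demo():
    """Round trip on constructed files: collect, verify, tamper with a copy, verify again."""
    root = tempfile.mkdtemp(prefix="ir_demo_")
    auth_log = os.path.join(root, "auth.log")
    with open(auth_log, "w") as f:   # constructed sample content
        f.write("Mar  3 03:00:01 web01 sshd[2211]: Failed password for root from 203.0.113.7\n")
    manifest = collect_evidence([auth_log, os.path.join(root, "does_not_exist")],
                                os.path.join(root, "cases"))
    with open(manifest) as f:
        statuses = [e["status"] for e in json.load(f)["entries"]]
    before = verify_manifest(manifest)
    copy_name = auth_log.strip(os.sep).replace(os.sep, "_")
    with open(os.path.join(os.path.dirname(manifest), copy_name), "a") as f:
        f.write("tampered\n")         # simulate post-collection modification
    return {"statuses": statuses, "before": before, "after": verify_manifest(manifest)}

if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

In a real collection, pass the log paths from the playbook and a case root on a mounted external volume, and copy the manifest (or just its hash) somewhere the host cannot reach, since a manifest that lives beside the evidence only detects accidental change, not an attacker rewriting both.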
Step 5 – Continuous Improvement & Optimization
Security Baseline Check (Python)
#!/usr/bin/env python3
import subprocess, json

def check_security_baseline():
    results = {}
    # SSH configuration. sshd keywords are case-insensitive and the first occurrence
    # wins; directives inside Match blocks are treated as global here, which is a
    # simplification.
    ssh_cfg = {}
    with open('/etc/ssh/sshd_config') as f:
        for line in f:
            line = line.strip()
            if not line or line.startswith('#'):
                continue
            parts = line.split(None, 1)
            key = parts[0].lower()
            value = parts[1].strip() if len(parts) > 1 else ''
            ssh_cfg.setdefault(key, value)
    results['ssh_root_login'] = ssh_cfg.get('permitrootlogin', 'yes') == 'no'
    results['ssh_password_auth'] = ssh_cfg.get('passwordauthentication', 'yes') == 'no'
    # Firewall status: the unit name depends on the distro (iptables, firewalld, nftables)
    fw = subprocess.run(['systemctl', 'is-active', 'iptables'], capture_output=True, text=True)
    results['firewall_active'] = fw.stdout.strip() == 'active'
    # yum check-update exits 0 when nothing is pending, 100 when updates exist, 1 on error
    upd = subprocess.run(['yum', 'check-update'], capture_output=True, text=True)
    results['system_updated'] = upd.returncode == 0
    return results

if __name__ == '__main__':
    print(json.dumps(check_security_baseline(), indent=2))
Threat Intelligence Integration
# Update malicious IP blacklist
wget -q https://reputation.alienvault.com/reputation.data -O /tmp/reputation.data
# A feed line is untrusted input that ends up in an iptables command: keep only
# well-formed IPv4 addresses and drop duplicates.
grep "Malicious Host" /tmp/reputation.data | cut -d'#' -f1 \
  | grep -E '^([0-9]{1,3}\.){3}[0-9]{1,3}$' | sort -u > /etc/security/malicious_ips.txt
# Update malicious domain list
curl -s https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts |
  grep "^0.0.0.0 " | awk '$2 != "0.0.0.0" {print $2}' > /etc/security/malicious_domains.txt
# Apply to firewall. One -I per address pushes thousands of rules onto INPUT and
# re-adds them on every run; for more than a few hundred entries load the list into
# an ipset and match it with a single "-m set --match-set" rule instead.
while read -r ip; do
  iptables -I INPUT -s "$ip" -j DROP
done < /etc/security/malicious_ips.txt
Key Success Factors
Automation First: manual steps are error-prone.
Layered Defense: single-point controls inevitably fail.
Continuous Monitoring: security is a dynamic process.
Fast Response: delays translate to loss.
Regular Drills: theory must be validated by practice.
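"Automation first" only pays off when the automated check is right. The baseline script in Step 5 (and the grep in the Step 1 hardening script) reads sshd_config as if it were a flat key/value file, but sshd lowercases keywords, lets the first occurrence win, accepts "Keyword=value", and scopes everything after a Match line to that block. The following Python is an added example for this guide, not the author's script: it parses a constructed sshd_config the way sshd does and shows that a configuration which looks hardened to a last-value-wins parser actually still allows root and password logins. The OpenSSH defaults table is an assumption about a current release, and Include directives are not followed.

```python
#!/usr/bin/env python3
"""sshd_config baseline check that follows sshd's own parsing rules (added example)."""
import re

# Constructed sample that looks hardened only to a naive parser.
SAMPLE_CONFIG = """\
# sshd_config (constructed for the example)
Port 22
    # PermitRootLogin yes      indented comment, must be ignored
permitrootlogin prohibit-password
PasswordAuthentication yes
PasswordAuthentication=no
Match Address 10.0.0.0/8
    PermitRootLogin no
    PasswordAuthentication no
"""

# OpenSSH defaults for the directives the baseline cares about (assumed current release).
SSHD_DEFAULTS = {
    "permitrootlogin": "prohibit-password",
    "passwordauthentication": "yes",
    "permitemptypasswords": "no",
}

def parse_sshd_config(text):
    """Return the effective global directives as {lowercase keyword: value}.

    Mirrors sshd: comment and blank lines are skipped after stripping, keyword and
    value may be separated by whitespace or '=', the first occurrence of a keyword
    wins, and everything after a Match line is conditional, so it is excluded from
    the global view instead of overriding it.
    """
    global_cfg = {}
    in_match = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            in_match = True
            continue
        if in_match:
            continue
        global_cfg.setdefault(key, value)
    return global_cfg

def check_baseline(cfg):
    """Evaluate the hardening expectations against effective global values."""
    def effective(key):
        return cfg.get(key, SSHD_DEFAULTS.get(key, "")).lower()
    return {
        "ssh_root_login_disabled": effective("permitrootlogin") == "no",
        "ssh_password_auth_disabled": effective("passwordauthentication") == "no",
        "ssh_empty_passwords_disabled": effective("permitemptypasswords") == "no",
    }

def run_sample():
    """Result for SAMPLE_CONFIG: root and password logins are still allowed globally."""
    return check_baseline(parse_sshd_config(SAMPLE_CONFIG))

if __name__ == "__main__":
    import json, sys
    path = sys.argv[1] if len(sys.argv) > 1 else "/etc/ssh/sshd_config"
    with open(path) as f:
        print(json.dumps(check_baseline(parse_sshd_config(f.read())), indent=2))
```

Run it against a real file with `python3 sshd_baseline.py /etc/ssh/sshd_config`; for the authoritative effective values, `sshd -T` prints the fully resolved configuration and is the right thing to compare against when Include or Match logic gets complicated.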
Future Trends
AI‑Driven Security Analytics : Machine‑learning models for anomaly detection.
Zero‑Trust Architecture : Never trust any network traffic by default.
Cloud‑Native Security : Protect containers and micro‑services.
Shift-Left Security: embed security early in the development lifecycle.
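Returning to the threat-intelligence step in Step 5: the shell snippet there greps a reputation feed and feeds every address straight into iptables. Two things it does not do are check that the entry is a real, public address and refuse entries that fall inside your own networks, and a single bad or poisoned feed line can otherwise black-hole an internal range. The Python below is an added example written for this guide, not the author's script: it parses a constructed feed in the '#'-delimited layout the snippet cuts on (the field order ip#reliability#risk#activity#country#city#lat,lon#flags is an assumption about that format), filters out anything that must never be blocked, and emits an ipset restore script that swaps the new set in atomically.

```python
#!/usr/bin/env python3
"""Reputation feed -> ipset restore script, with sanity filtering (added example)."""
import ipaddress

# Constructed sample feed: two plausible entries, two that would hit our own
# networks, one malformed line and one duplicate.
SAMPLE_FEED = """\
203.0.113.7#4#2#Malicious Host#US#Dallas#32.78,-96.80#11
198.51.100.9#6#3#Scanning Host#CN#Beijing#39.90,116.40#11
10.0.0.5#4#2#Malicious Host#US##0,0#11
127.0.0.1#4#2#Malicious Host#US##0,0#11
not-an-ip#4#2#Malicious Host#US##0,0#11
203.0.113.7#4#2#Malicious Host#US#Dallas#32.78,-96.80#11
"""

# Same HOME_NET as the Suricata configuration in Step 2.
HOME_NET = [ipaddress.ip_network(n) for n in ("192.168.0.0/16", "10.0.0.0/8", "172.16.0.0/12")]

def parse_feed(text, activities=("Malicious Host",), min_reliability=0):
    """Yield (ip, activity, reliability, risk) for well-formed lines that pass the filter.
    Assumed field order: ip#reliability#risk#activity#..."""
    for raw in text.splitlines():
        fields = raw.strip().split("#")
        if len(fields) < 4:
            continue
        try:
            ip = ipaddress.IPv4Address(fields[0])
            reliability, risk = int(fields[1]), int(fields[2])
        except ValueError:
            continue               # malformed address or numeric field: skip, never guess
        activity = fields[3]
        if activities is not None and activity not in activities:
            continue
        if reliability < min_reliability:
            continue
        yield ip, activity, reliability, risk

def is_blockable(ip):
    """False for addresses that must never be dropped at the edge."""
    if ip.is_loopback or ip.is_link_local or ip.is_multicast or ip.is_unspecified:
        return False
    return not any(ip in net for net in HOME_NET)

def blocklist(text, **kw):
    """Deduplicated, sorted list of blockable IPv4 addresses from a feed."""
    return sorted({ip for ip, _, _, _ in parse_feed(text, **kw) if is_blockable(ip)})

def to_ipset_restore(ips, setname="malicious_ips"):
    """Build an `ipset restore` script that fills a scratch set and swaps it in, so the
    live set is never half-populated and a failed download leaves the old list in place."""
    tmp = f"{setname}_new"
    lines = [f"create {tmp} hash:ip family inet maxelem 262144"]
    lines += [f"add {tmp} {ip}" for ip in ips]
    lines += [f"create {setname} hash:ip family inet maxelem 262144",
              f"swap {tmp} {setname}",
              f"destroy {tmp}"]
    return "\n".join(lines) + "\n"

if __name__ == "__main__":
    print(to_ipset_restore(blocklist(SAMPLE_FEED)), end="")
```

Load the output with `ipset -exist restore < malicious_ips.ipset` (the -exist flag keeps the create of the live set from failing on the second run) and reference the set once from the firewall with `iptables -I INPUT -m set --match-set malicious_ips src -j DROP`; the rule then stays in place while the set contents change underneath it.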
Repository Links
GitHub: https://github.com/raymond999999
Gitee: https://gitee.com/raymond9
Raymond Ops
Linux ops automation, cloud-native, Kubernetes, SRE, DevOps, Python, Golang and related tech discussions.