Linux/Unix: Basic Security Tools: chattr, semanage, ufw, firewalld Explained
Introduction: Why Learn Linux Security Tools?
Securing a Linux system isn't just about strong passwords; it's also about controlling file immutability, access policies, and firewall configuration. Whether you're protecting log files from tampering or restricting access to ports, tools like chattr, semanage, ufw, and firewalld give you fine-grained control over security without requiring third-party software.
In this guide, you'll learn:
- How to make files immutable with chattr
- How to manage SELinux contexts with semanage
- How to control firewall access using ufw and firewalld
- Real-world use cases and examples
1. chattr: Make Files Immutable or Append-Only
What is chattr?
chattr (change attribute) sets file attributes on ext-based filesystems (ext2/3/4), allowing you to make files immutable (cannot be modified or deleted) or append-only.
Syntax:
sudo chattr [+/-][attribute] filename
Common Attributes:
| Attribute | Description | 
|---|---|
| +i | Immutable (cannot be changed/deleted) | 
| +a | Append-only (can only add data) | 
Example 1: Make a log file immutable
sudo chattr +i /var/log/syslog
Even root can't modify or delete the file until the attribute is removed again:
sudo chattr -i /var/log/syslog
2. semanage: Manage SELinux Policies (RHEL-based)
What is semanage?
semanage is a policy management tool for SELinux, used to manage file contexts, ports, and booleans in a secure, persistent way.
Install:
sudo yum install policycoreutils-python-utils  # RHEL/CentOS
Syntax:
semanage [object_type] [-l | -a | -d | -m] [-t type] [-p protocol] name
Example 1: Allow HTTP on a custom port
sudo semanage port -a -t http_port_t -p tcp 8081
Now SELinux won't block Apache (httpd) from binding to port 8081.
Example 2: View port rules
semanage port -l | grep http
Used on SELinux-enabled systems (RHEL, Fedora, CentOS) to label non-default ports and paths so that legitimate services are not denied access, instead of disabling SELinux.
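A caveat worth checking before running Example 1 on a real host: semanage port -a refuses a port that already carries an explicit type ("Port tcp/8081 already defined"), and -m (modify) must be used instead. The script below is an added example, not part of the original post: it reads a semanage port -l listing and decides between -a and -m. The listing, the function names and the port values are constructed for the example.

```shell
#!/bin/sh
# Added example: choose `semanage port -a` (add) or `semanage port -m` (modify)
# based on an existing `semanage port -l` listing, instead of guessing.

# Constructed sample of `semanage port -l` output (not taken from a live host).
SAMPLE_PORTS='SELinux Port Type              Proto    Port Number

http_cache_port_t              tcp      8080, 8118, 8123, 10001-10010
http_port_t                    tcp      80, 81, 443, 488, 8008, 8009, 8443, 9000
ssh_port_t                     tcp      22'

# port_owner LISTING PROTO PORT
# Prints the type that explicitly lists PORT/PROTO, or nothing.
# Range entries such as 10001-10010 are skipped on purpose: only an exact
# single-port entry makes `semanage port -a` fail with "already defined".
port_owner() {
    printf '%s\n' "$1" | awk -v proto="$2" -v port="$3" '
        NR > 2 && $2 == proto {
            for (i = 3; i <= NF; i++) {
                p = $i; sub(/,$/, "", p)      # strip the trailing comma
                if (p == port) { print $1; exit }
            }
        }'
}

# port_action LISTING PROTO PORT TYPE -> add | modify | none
port_action() {
    owner=$(port_owner "$1" "$2" "$3")
    if [ -z "$owner" ]; then echo add          # no explicit entry: -a works
    elif [ "$owner" = "$4" ]; then echo none   # already labelled as wanted
    else echo modify                           # owned by another type: use -m
    fi
}

# semanage_cmd LISTING PROTO PORT TYPE -> prints the command to run (not executed)
semanage_cmd() {
    case $(port_action "$1" "$2" "$3" "$4") in
        add)    echo "semanage port -a -t $4 -p $2 $3" ;;
        modify) echo "semanage port -m -t $4 -p $2 $3" ;;
        none)   echo "# $2/$3 is already $4; nothing to do" ;;
    esac
}

semanage_cmd "$SAMPLE_PORTS" tcp 8081 http_port_t   # prints the -a form
semanage_cmd "$SAMPLE_PORTS" tcp 8080 http_port_t   # prints the -m form
```

On a real host, pass "$(semanage port -l)" as the listing instead of the constructed sample.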
3. ufw: Uncomplicated Firewall (Debian-based)
What is ufw?
ufw is a simplified firewall frontend for iptables, ideal for Ubuntu/Debian systems. It helps you allow/deny traffic with a human-readable syntax.
Install:
sudo apt install ufw
Common ufw Commands:
| Command | Description | 
|---|---|
| sudo ufw enable | Enable the firewall | 
| sudo ufw allow 22 | Allow SSH | 
| sudo ufw deny 80 | Deny HTTP | 
| sudo ufw allow 443/tcp | Allow HTTPS TCP | 
| sudo ufw status | Show current rules | 
Example:
sudo ufw allow from 192.168.1.10 to any port 22
Allows SSH (port 22) from 192.168.1.10; with ufw's default deny-incoming policy, no other host can reach port 22 unless another rule allows it.
4. firewalld: Dynamic Firewall Manager (RHEL/Fedora)
What is firewalld?
firewalld is a zone-based firewall daemon built on iptables/nftables. It is the default on RHEL, CentOS, and Fedora, and it supports dynamic rule changes without restarting the service or dropping existing connections.
Install:
sudo yum install firewalld
Start and enable:
sudo systemctl enable --now firewalld
Common firewalld Commands:
| Command | Description | 
|---|---|
| firewall-cmd --state | Check if firewalld is running | 
| firewall-cmd --add-port=80/tcp --permanent | Open port 80 permanently | 
| firewall-cmd --reload | Apply permanent changes | 
| firewall-cmd --list-all | Show current zone settings | 
Example:
sudo firewall-cmd --zone=public --add-service=ssh --permanent
sudo firewall-cmd --reload
Permanently allows the ssh service in the public zone; the reload applies the permanent configuration to the running firewall.
Tool Comparison Table
| Tool | Use Case | Platform | Persistent? | Access Level |
|---|---|---|---|---|
| chattr | Locking/immutability of files | All Linux | Yes | Root only |
| semanage | SELinux policy management | RHEL/Fedora | Yes | Root |
| ufw | Basic firewall configuration | Ubuntu/Debian | Yes | Sudo/root |
| firewalld | Zone-based firewall management | RHEL/Fedora | Yes | Root |
Summary: Recap & Next Steps
Security is a layered practice. With chattr, you can prevent tampering with critical files. With semanage, SELinux contexts and port labels are managed persistently. With ufw and firewalld, you can filter and control traffic with a readable syntax.
Key Takeaways:
- Use chattr +i to protect critical files from modification and deletion.
- Use semanage to whitelist custom ports in SELinux.
- Use ufw or firewalld for user-friendly firewall control.
- Always test configurations to ensure access is not unintentionally blocked.
FAQs
Q: What happens if I make /etc/passwd immutable?
A: The system won't be able to modify it, so account changes will fail. Avoid using chattr +i on critical system files unless absolutely needed.
Q: Can I use both ufw and firewalld together?
A: No. They both manage iptables/nftables. Use only one firewall tool at a time.
Q: What if semanage isn't found?
A: Install it via:
sudo yum install policycoreutils-python-utils
Q: Is ufw secure enough for production?
A: Yes, for most standard firewall configurations. For complex needs, consider iptables or nftables directly.
Q: How do I reset ufw to default settings?
A: Run:
sudo ufw reset