Arch Linux Security Configuration

Mattscreative edited this page Dec 5, 2025 · 3 revisions

Arch Linux Security Configuration Guide

Complete beginner-friendly guide to securing Arch Linux, including firewall setup, user management, encryption, and security best practices.


Table of Contents

  1. Firewall Setup
  2. User Management
  3. File Permissions
  4. Disk Encryption
  5. SSH Security
  6. System Updates
  7. Security Best Practices

Firewall Setup

UFW (Uncomplicated Firewall)

Install and enable UFW:

# Install UFW
sudo pacman -S ufw

# Start the service now and at every boot
sudo systemctl enable --now ufw

# Enable firewall
sudo ufw enable

# Check status
sudo ufw status

Common rules:

# Allow SSH (add this rule before running "ufw enable" when working over SSH)
sudo ufw allow ssh

# Allow HTTP/HTTPS
sudo ufw allow 80/tcp
sudo ufw allow 443/tcp

# Deny port
sudo ufw deny 8080/tcp

firewalld

Install firewalld:

# Install firewalld
sudo pacman -S firewalld

# Enable and start service (recommended method)
sudo systemctl enable --now firewalld

# Check status
sudo firewall-cmd --state

Configure zones:

# List zones
sudo firewall-cmd --get-zones

# Set default zone
sudo firewall-cmd --set-default-zone public

# Allow service
sudo firewall-cmd --add-service=http --permanent
sudo firewall-cmd --reload

iptables

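Advanced firewall:

# Install iptables
sudo pacman -S iptables

# Basic rules (IPv4 only; the first matching rule wins, so DROP goes last)
sudo iptables -A INPUT -i lo -j ACCEPT
sudo iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 22 -j ACCEPT
sudo iptables -A INPUT -j DROP

# Save rules (the redirection has to run as root, hence sh -c)
sudo sh -c 'iptables-save > /etc/iptables/iptables.rules'

# Load the saved rules at boot
sudo systemctl enable iptables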
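
Because these rules are appended with -A, any rule added after the final DROP never matches. The following check of `iptables -S INPUT` output is an added example, not part of the original guide; the function names and the sample ruleset are constructed for illustration.

```sh
#!/bin/sh
# Added example: summarise `iptables -S INPUT` output read on stdin.
# Prints each accepted port, flags rules placed after a catch-all DROP/REJECT
# (they can never match), and reports whether unmatched traffic is denied.
# Exit status is 0 only for a default-deny chain with no unreachable rules.
input_chain_summary() {
    awk '
        $1 == "-P" && $2 == "INPUT" { policy = $3; next }
        $1 != "-A" || $2 != "INPUT" { next }
        catchall { print "unreachable: " $0; bad = 1; next }
        /^-A INPUT -j (DROP|REJECT)/ { catchall = 1; next }
        {
            proto = ""; port = ""; target = ""; from = ""
            for (i = 3; i < NF; i++) {
                if ($i == "-p") proto = $(i + 1)
                if ($i == "--dport") port = $(i + 1)
                if ($i == "-s") from = " from " $(i + 1)
                if ($i == "-j") target = $(i + 1)
            }
            if (target == "ACCEPT" && port != "") print "open " proto "/" port from
        }
        END {
            deny = (catchall || policy == "DROP")
            print (deny ? "default: deny" : "default: accept")
            exit ((deny && !bad) ? 0 : 1)
        }'
}

# Constructed sample: the rules from this section, plus a port 80 rule that
# was appended with -A after the final DROP.
sample_input_chain() {
    cat <<'EOF'
-P INPUT ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -j DROP
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
EOF
}

sample_input_chain | input_chain_summary || echo "ruleset needs attention"
```

On a live system, feed it with `sudo iptables -S INPUT | input_chain_summary`.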

User Management

Create Users

Add users:

# Create user
sudo useradd -m -G wheel username

# Set password
sudo passwd username

Sudo Configuration

Configure sudo:

# Edit sudoers
sudo visudo

Ensure the wheel group line is present and uncommented:

%wheel ALL=(ALL) ALL

Remove Users

Delete users:

# Remove user
sudo userdel username

# Remove with home
sudo userdel -r username

Lock Accounts

Lock/unlock accounts:

# Lock account
sudo passwd -l username

# Unlock account
sudo passwd -u username

File Permissions

Understanding Permissions

Permission format:

-rwxr-xr-x
││││││││││
│││││││││└─ Other: execute
││││││││└── Other: write (not set here)
│││││││└─── Other: read
││││││└──── Group: execute
│││││└───── Group: write (not set here)
││││└────── Group: read
│││└─────── Owner: execute
││└──────── Owner: write
│└───────── Owner: read
└────────── File type (- = file, d = directory)

Set Permissions

Change permissions:

# Set permissions
chmod 755 file
chmod u+x file
chmod g-w file

# Recursive (also marks every regular file in the tree as executable)
chmod -R 755 directory

Permission values:

  • 4: Read
  • 2: Write
  • 1: Execute
  • 7: Read + Write + Execute
  • 5: Read + Execute
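
To find where these bits are set too loosely, the following added example (not part of the original guide) lists world-writable entries and setuid/setgid files under a directory tree. It assumes GNU find and stat, as shipped on Arch; the function names and the sample tree are constructed for illustration.

```sh
#!/bin/sh
# Added example: list risky permission bits under a directory tree.
# Assumes GNU find and stat (the versions Arch ships).
risky_perms() {   # usage: risky_perms DIR
    # World-writable: the "other: write" bit (value 2) is set. Symlinks are
    # skipped, and so are sticky directories such as /tmp (mode 1777), where
    # users cannot delete each other's files.
    find "$1" -xdev ! -type l -perm -0002 ! \( -type d -perm -1000 \) \
        -exec stat -c 'world-writable %a %n' {} +
    # setuid or setgid files run with the rights of their owner or group.
    find "$1" -xdev -type f -perm /6000 \
        -exec stat -c 'setuid/setgid %a %n' {} +
}

# Constructed sample tree for a dry run; prints the directory it created.
make_sample_tree() {
    d=$(mktemp -d) || return 1
    touch "$d/notes.txt" "$d/shared.log" "$d/helper"
    mkdir "$d/dropbox" "$d/scratch"
    chmod 644 "$d/notes.txt"      # fine: only the owner can write
    chmod 666 "$d/shared.log"     # world-writable file
    chmod 4755 "$d/helper"        # setuid file
    chmod 777 "$d/dropbox"        # world-writable directory without sticky bit
    chmod 1777 "$d/scratch"       # sticky directory, not reported
    echo "$d"
}

tree=$(make_sample_tree)
if [ -n "$tree" ]; then
    risky_perms "$tree"
    rm -rf "$tree"
fi
```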

Set Ownership

Change owner:

# Change owner
sudo chown user:group file

# Recursive
sudo chown -R user:group directory

Disk Encryption

LUKS Encryption

Encrypt disk:

# Install cryptsetup
sudo pacman -S cryptsetup

# Encrypt partition (destroys all existing data on /dev/sda2)
sudo cryptsetup luksFormat /dev/sda2

# Open encrypted partition
sudo cryptsetup open /dev/sda2 cryptroot

# Format
sudo mkfs.ext4 /dev/mapper/cryptroot

# Mount
sudo mount /dev/mapper/cryptroot /mnt

Encrypted Swap

Encrypt swap:

# Map the swap partition with a random key (its contents are lost at every reboot)
sudo cryptsetup -d /dev/urandom open --type plain /dev/sda3 swap

# Format swap
sudo mkswap /dev/mapper/swap

# Enable swap
sudo swapon /dev/mapper/swap

SSH Security

Install SSH

Install OpenSSH:

# Install SSH
sudo pacman -S openssh

# Enable service
sudo systemctl enable sshd
sudo systemctl start sshd

SSH Configuration

Secure SSH:

# Edit SSH config
sudo vim /etc/ssh/sshd_config

Security settings:

# Disable root login
PermitRootLogin no

# Change port (allow the new port in the firewall before restarting sshd)
Port 2222

# Disable password auth (use keys; install your public key first)
PasswordAuthentication no

# Allow specific users
AllowUsers username

Restart SSH:

sudo systemctl restart sshd
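
A check that the settings above are actually present in a config file, as an added example that is not part of the original guide. It reads only the global section (it stops at the first Match block and does not follow Include), and the function names and sample config are constructed; on a live host `sudo sshd -t` validates the syntax and `sudo sshd -T` prints the effective configuration.

```sh
#!/bin/sh
# Added example: check an sshd_config for the settings recommended above.
# Reads the file named in $1, or stdin. Exit status = number of FAIL lines.
audit_sshd_config() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }    # comments and blank lines
        { key = tolower($1) }                # keywords are case-insensitive
        key == "match" { exit }              # global section only
        !(key in val) {                      # sshd uses the first value it reads
            $1 = ""; sub(/^[ \t]+/, "")
            val[key] = $0
        }
        function expect(k, want,    got) {
            got = (k in val) ? tolower(val[k]) : "<unset>"
            if (got == want) return 0
            printf "FAIL %s: %s (expected %s)\n", k, got, want
            return 1
        }
        END {
            n = expect("permitrootlogin", "no")
            n += expect("passwordauthentication", "no")
            if (!("allowusers" in val)) { print "FAIL allowusers: not set"; n++ }
            if (!("port" in val)) print "INFO port: not set, default 22 applies"
            exit n
        }' "$@"
}

# Constructed sample (not from a real host): the PasswordAuthentication line
# is still commented out, so the built-in default applies instead of "no".
sample_sshd_config() {
    cat <<'EOF'
Port 2222
PermitRootLogin no
#PasswordAuthentication no
AllowUsers username
EOF
}

sample_sshd_config | audit_sshd_config || echo "$? finding(s)"
```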

SSH Keys

Generate key:

# Generate key pair
ssh-keygen -t ed25519 -C "your_email@example.com"

# Copy public key (add -p 2222 if the SSH port was changed)
ssh-copy-id user@server

System Updates

Regular Updates

Update system:

# Update packages
sudo pacman -Syu

# Check for updates
pacman -Qu

Security Updates

Check security:

# Install arch-audit
sudo pacman -S arch-audit

# Check vulnerabilities
arch-audit

Automatic Updates

Setup auto-updates (optional):

# Install pacman-contrib
sudo pacman -S pacman-contrib

# Create update script
sudo vim /usr/local/bin/arch-update.sh

Security Best Practices

General Security

Best practices:

  1. Keep system updated

    sudo pacman -Syu
  2. Use strong passwords

    • Long, complex passwords
    • Different passwords for different accounts
  3. Enable firewall

    sudo ufw enable
  4. Limit sudo access

    • Only add trusted users to wheel
  5. Disable unnecessary services

    sudo systemctl disable service-name

System Hardening

Additional security:

# Install security tools
sudo pacman -S fail2ban rkhunter

# Enable and start fail2ban
sudo systemctl enable fail2ban
sudo systemctl start fail2ban

Audit System

Check system:

# Install audit tools
sudo pacman -S audit

# Enable audit
sudo systemctl enable auditd
sudo systemctl start auditd

Summary

This guide covered:

  1. Firewall - UFW, firewalld, iptables
  2. User management - Create/remove users
  3. File permissions - Set proper permissions
  4. Encryption - Disk encryption
  5. SSH security - Secure SSH
  6. Updates - Keep system updated
  7. Best practices - Security tips

Key Takeaways:

  • Enable firewall
  • Use strong passwords
  • Limit sudo access
  • Keep system updated
  • Encrypt sensitive data
  • Secure SSH

Next Steps


This guide is based on the ArchWiki. For the most up-to-date information, always refer to the official ArchWiki.