Linux Server Security
ABOUT THE COURSE
A few minutes after a server goes online, it starts getting scanned. Not by hackers — by bots. They don’t care what’s running or who owns it. They’re just looking for open ports, default passwords, known vulnerabilities.
Most people don’t think about this. They set it up, it works, good enough. Until one day something goes wrong.
This course is about not finding out that way.
104 lessons, 12 blocks — from your first day with Linux to centralized monitoring with Grafana and Loki. Every tool is explained not just as “type this command” but why this command, what happens if you skip it, and how to verify it’s actually working.
WHO THIS IS FOR
For people who know how to get a server running — but aren’t sure how secure it actually is.
You work with Linux. You know the basic commands. You’ve configured SSH. But if someone asks “have you looked at pg_hba.conf?” or “is nftables set up?” — there’s that small uncomfortable pause. Sound familiar? That’s exactly what this course addresses. Not random Stack Overflow articles, but a systematic understanding of how everything fits together and why.
Complete beginner? That’s fine too. Block 0 starts from scratch, and the difficulty builds gradually. Nobody throws you in the deep end without explanation.
WHAT’S INSIDE
Each block builds on the previous one — by the end you don’t have a collection of tools, you have a complete picture.
We start with Linux fundamentals: filesystem, users, permissions, processes, networking, SSH. Sounds basic — but this is where understanding forms. Without it, everything else is just magic spells you copy from the internet.
Then — who’s actually allowed to do what on the server. sudo, PAM, SELinux, AppArmor. Why root appearing in your SSH logs isn’t just a log entry, it’s a reason to stop and investigate.
Most people know systemd as “systemctl start/stop.” But it can isolate a service so thoroughly that even if nginx gets compromised — it can’t read /etc/passwd, write files outside its own directory, or spawn new processes. There’s a whole block on this.
The kernel. sysctl parameters aren’t magic lines you paste from tutorials without reading. Each one does something specific: closes an attack vector, limits information leakage, changes how the network stack behaves under load.
Certificates. “Just install Let’s Encrypt” and “actually understanding how it works” are very different things. We cover chains of trust, building your own CA, mTLS, disk and file encryption. After this block, OpenSSL stops being scary.
Firewall with nftables — not iptables with its 1990s syntax, but a proper modern tool. We build a default-deny policy, protect against DDoS and port scanning, and learn to debug rules when something stops working.
nginx — not just “serving files.” Proper HTTPS, security headers, rate limiting, reverse proxy. And how to actually read logs so you see attacks, not just numbers.
The database lives in a private network, behind double isolation, with mTLS and minimal privileges. Because “PostgreSQL listening on 0.0.0.0” isn’t a configuration — it’s an open door.
fail2ban automatically blocks by log analysis. We look at how it works under the hood, write custom filters, integrate with nftables — and figure out why it sometimes stays silent when it should be blocking.
Cloudflare — CDN, WAF, DDoS protection, Tunnel, Zero Trust. How to properly integrate it into your stack without losing real client IPs along the way.
Auditing and monitoring: auditd, file integrity checking, traffic analysis, CIS Benchmarks, CVE tracking, automatic updates. How to know what’s happening on your server — not only when things are already on fire.
The final block is logging and troubleshooting. How Linux logging is structured, how to analyze it, and how to diagnose real problems: nginx returning 502, fail2ban not blocking, a systemd service refusing to start, TLS complaining about a certificate. Grafana and Loki for those who want everything in one place.
WHAT CHANGES
You take a clean server and configure it for production yourself.
SSH with keys, no root, restricted by IP. A firewall that’s closed by default. nginx with proper HTTPS and security headers. The database in a private network. Automatic attack blocking. Logs you actually know how to read. Monitoring that catches problems before a client calls.
And — most importantly — you understand why it’s done this way. When something goes wrong in production, and sooner or later it will, you’ll know where to look.
Curriculum
- 12 Sections
- 111 Lessons
- Lifetime
- BLOCK 0: Introduction to Linux | Beginner10
- 1.1LESSON 1. What is Linux — history, distributions and system security
- 1.2LESSON 2. The Linux Filesystem — structure and where everything lives
- 1.3LESSON 3. Surviving the Terminal — commands you need every day
- 1.4LESSON 4. Users and groups — the first line of defence
- 1.5LESSON 5. File permissions — chmod, chown and why 777 is a disaster
- 1.6LESSON 6. Processes and services — what is happening on the system right now
- 1.7LESSON 7. Networking in Linux — diagnosing, analysing and controlling connections
- 1.8LESSON 8. Package manager — installing, updating and protecting against vulnerabilities
- 1.9LESSON 9. Text editors on a server — nano, vim and first steps
- 1.10LESSON 10. SSH — first connection and basic security
- BLOCK 1: Access Control and Privileges | Junior — Middle5
- 2.1LESSON 1. sudo — secure configuration, command restrictions and auditing
- 2.2LESSON 2. PAM — authentication, password policies and account lockout
- 2.3LESSON 3. SELinux — mandatory access control, modes and contexts
- 2.4LESSON 4. AppArmor — security profiles, modes and managing exceptions
- 2.5LESSON 5. Linux Access Model in Depth: ACL, Capabilities and Diagnosing Failures
- BLOCK 2: systemd Security | Junior11
- 3.1LESSON 1. systemd — the heart of a Linux server: architecture, PID 1 and how it all works
- 3.2LESSON 2. Unit files: how systemd reads instructions for each service
- 3.3LESSON 3. systemctl: the administrator’s main tool — from starting services to blocking dangerous processes
- 3.4LESSON 4. What is running on your server — service audit and attack surface cleanup
- 3.5LESSON 5. A sandbox for every service — isolating processes through security directives
- 3.6LESSON 6. The last line of defense — SystemCallFilter and CapabilityBoundingSet against kernel-level attacks
- 3.7LESSON 7. cgroups through systemd — keeping one service from taking down the whole server
- 3.8LESSON 8. systemd-analyze — an X-ray for your server: boot speed and security score
- 3.9LESSON 9. journald — collecting and analyzing security logs
- 3.10LESSON 10. systemd timers — running scheduled tasks without security holes
- 3.11LESSON 11. systemd-resolved: secure DNS with DNS over TLS and DNSSEC support
- BLOCK 3: Kernel Hardening | Junior4
- BLOCK 4: Encryption and Certificates | Junior10
- 5.1LESSON 1. How Certificates Work — CA, Chain of Trust, x.509
- 5.2LESSON 2. Let’s Encrypt + Certbot — Free Certificates
- 5.3LESSON 3. Self-Signed Certificates — for Internal Services
- 5.4LESSON 4. Your Own CA — Building an Internal Certificate Authority
- 5.5LESSON 5. Cloudflare Origin Certificate — the Certificate Between Cloudflare and Your Server
- 5.6LESSON 6. Wildcard Certificates — One Certificate for All Subdomains
- 5.7LESSON 7. mTLS — Mutual Authentication Between Client and Server
- 5.8LESSON 8. Certificate Monitoring — Storage, Rotation, Expiry
- 5.9LESSON 9. LUKS — Disk Encryption
- 5.10LESSON 10. GPG — File Encryption and Digital Signatures
- BLOCK 5: nftables Security | Junior — Middle8
- 6.1LESSON 1. Introduction to nftables — why iptables is becoming a thing of the past
- 6.2LESSON 2. Tables, chains, rules — the basic structure of nftables
- 6.3LESSON 3. Basic firewall — default deny policy
- 6.4LESSON 4. Filtering incoming and outgoing traffic — detailed configuration
- 6.5LESSON 5. NAT and port forwarding with nftables
- 6.6LESSON 6. Sets and maps — efficient rule management in nftables
- 6.7LESSON 7. DDoS and port scan protection with nftables
- 6.8LESSON 8. Logging and debugging nftables rules
- BLOCK 6: nginx Security | Middle10
- 7.1LESSON 1. Introduction to nginx — Architecture and Configuration
- 7.2LESSON 2. Secure baseline configuration for nginx
- 7.3LESSON 3. TLS/SSL — configuring HTTPS, certificates
- 7.4LESSON 4. Security headers — HSTS, CSP, X-Frame-Options
- 7.5LESSON 5. Access restriction — rate limiting, geo blocking
- 7.6LESSON 6. Reverse proxy — secure configuration
- 7.7LESSON 7. nginx + nftables — integrated defense
- 7.8LESSON 8. nginx logs — monitoring and attack analysis
- 7.9LESSON 9. Hardening nginx — minimal privileges, checklist and final audit
- 7.10LESSON 10. API Protection with nginx — Per-Endpoint Rate Limiting, Bot Blocking, and Business Logic Abuse Defense
- BLOCK 7: Database Security | Middle10
- 8.1LESSON 1. Architecture — Why Your Database Must Never Face the Internet
- 8.2LESSON 2. Private Network — Configuring Database Network Isolation
- 8.3LESSON 3. nftables for the Database — Access Only from the Web Server IP
- 8.4LESSON 4. PostgreSQL — Configuring pg_hba.conf, Restricting Access
- 8.5LESSON 5. MySQL/MariaDB — bind-address, Restricting Access
- 8.6LESSON 6. SSL/TLS for PostgreSQL — Encrypting the Connection
- 8.7LESSON 7. SSL/TLS for MySQL/MariaDB — Encrypting the Connection
- 8.8LESSON 8. mTLS for Databases — Mutual Authentication
- 8.9LESSON 9. Database Users — Minimal Privileges
- 8.10LESSON 10. Database Audit — Logging Queries and Connections
- BLOCK 8: fail2ban Security | Middle9
- 9.1LESSON 1. fail2ban — Automatic Attack Blocking: How It Works and Its Architecture
- 9.2LESSON 2. fail2ban — Installation, First Launch, and Basic Configuration
- 9.3LESSON 3. Jails — Configuring SSH Protection
- 9.4LESSON 4. Jails — Protecting nginx from Attacks
- 9.5LESSON 5. Filters — Writing Custom Attack Detection Rules
- 9.6LESSON 6. Actions — How fail2ban Blocks Through nftables
- 9.7LESSON 7. Whitelist, ignoreip — Exceptions and Trusted IPs
- 9.8LESSON 8. Monitoring and Debugging fail2ban — Logs and Status
- 9.9LESSON 9. fail2ban + nginx + nftables — Full Integration
- BLOCK 9: Cloudflare Security | Middle — Senior10
- 10.1LESSON 1. What is Cloudflare — CDN, proxy, protection
- 10.2LESSON 2. DNS through Cloudflare — setup, proxy modes
- 10.3LESSON 3. SSL/TLS in Cloudflare — modes, Full Strict
- 10.4LESSON 4. WAF — Web Application Firewall, rules
- 10.5LESSON 5. DDoS protection — configuration, sensitivity levels
- 10.6LESSON 6. Cloudflare Rules — Page Rules, Transform Rules
- 10.7LESSON 7. Cloudflare + nginx — integration, real IP
- 10.8LESSON 8. Cloudflare + fail2ban — combined protection
- 10.9LESSON 9. Cloudflare Tunnel — secure access without open ports
- 10.10LESSON 10. Zero Trust — Cloudflare Access, fundamentals
- BLOCK 10: Auditing and Monitoring | Senior10
- 11.1LESSON 1. auditd — Security Event Auditing
- 11.2LESSON 2. AIDE — File Integrity Monitoring
- 11.3LESSON 3. logwatch — Log Analysis
- 11.4LESSON 4. WireGuard VPN — Setup
- 11.5LESSON 5. tcpdump — Traffic Analysis
- 11.6LESSON 6. nmap — Scanning Your Own Network
- 11.7LESSON 7. CIS Benchmarks — Secure Configuration Standards
- 11.8LESSON 8. Lynis — Automated Security Auditing
- 11.9LESSON 9. CVE — Tracking Vulnerabilities
- 11.10LESSON 10. Automatic Security Updates
- BLOCK 11: Logging and Troubleshooting | Junior — Senior14
- 12.1LESSON 1. Linux Logging Architecture — What Gets Written Where
- 12.2LESSON 2. journald — journalctl, filtering, analysis
- 12.3LESSON 3. rsyslog — centralized logging
- 12.4LESSON 4. logrotate — rotation, retention, compression
- 12.5LESSON 5. nginx logs — access.log, error.log, attack analysis
- 12.6LESSON 6. fail2ban logs — what is blocked and why
- 12.7LESSON 7. nftables logs — logging firewall rules
- 12.8LESSON 8. Log Analysis — grep, awk, sed
- 12.9LESSON 9. Troubleshooting nginx — Common Errors
- 12.10LESSON 10. Troubleshooting nftables — Debugging Rules
- 12.11LESSON 11. Troubleshooting fail2ban — Why It’s Not Blocking
- 12.12LESSON 12. Troubleshooting systemd — Service Won’t Start
- 12.13LESSON 13. Troubleshooting Certificates — TLS/SSL Errors
- 12.14LESSON 14. Centralized Monitoring — Grafana + Loki