Linux
This article is aimed at people running individual Linux workstations, rather than business or web servers or large networks. It assumes that anyone who sets up a Linux system is technologically sophisticated and doesn’t need a lot of hand-holding.
Most modern Linux distributions are more security-aware and will already adopt many of these points by default and include easy-to-use firewalls and update services. However, it is worth going through the tips one at a time to make sure.
Please note that this is not an exhaustive list of security advice for Linux systems. The links at the end of the article point to more detailed advice and reference material.
Risks
Behaviour risks
- All the same risks of fraud, phishing, spam etc. apply to Linux users as much as users of other operating systems. The relevant parts of this website are not OS-specific.
- Bad user choices: bad password hygiene, not monitoring logs, not patching etc.
Technology risks
- Unused services and open ports.
- Unpatched services, especially with published vulnerabilities.
- Inherently insecure services: for example, exposing a service designed for use on a local area network to the internet.
Exploitation
- Information theft.
- Spam, Trojans, back doors, viruses.
- Denial of service.
- Privilege escalation.
Setting up Linux securely
- Create a logbook for each computer to record configuration details and changes.
- If the system allows, set up a BIOS password to stop people bypassing the normal boot-up sequence or making changes to the BIOS.
- Password-protect the boot loader to stop people booting to a non-secure OS.
- Don’t attach the computer to the network until it has been fully installed and patched.
- Only download operating system setup files and patches from reliable sources, such as a manufacturer’s CD or website.
- Get the latest patch list and install any recommended security patches that are not already installed.
- Only use patches that have been verified as authentic using cryptographic digital signatures and MD5 checksums.
Secure configuration
- Use strong passwords.
- Restrict or block root access, especially from external connections.
- Never use the r-utilities as root. Never create a .rhosts file for root. To be totally safe, try to avoid enabling r-utilities at all. One mistake in configuring these and all bets are off.
- Check that the configuration files for PAM are secure (although not all distributions use PAM).
- Disable any services which you do not absolutely require. Check running network services with the command netstat -a.
- Edit /etc/hosts.allow so that the entry ALL:ALL:deny is the first uncommented line after any configuration lines allowing connections for the specific services you require.
- Edit /etc/hosts.deny so that the first uncommented line in the file is ALL:ALL.
- Disable any unnecessary start-up scripts.
- Remove unneeded accounts and groups.
- Secure services with TCP wrappers and xinetd or inetd.
- Disable interactive login access to system accounts and non-local logins to privileged accounts.
- Ensure that the file /etc/ftpusers contains the names of all system accounts, as well as root.
- Ensure that the host is configured against IP spoofing and attacks with kernel and firewall rules.
- All remote login and shell programs (rlogin, rsh, and telnet) should be avoided in favour of SSH.
- Implement services like FTP, finger, sendmail and so on carefully and behind a firewall. Best not to run any services unless you need them and know how to secure them properly.
- Direct log files to a remote host, to a non-networked second machine via serial cable, or to a write-once, read-many (WORM) drive, so that they cannot be tampered with.
- Regularly check log files for unusual activity.
- Check regularly for updates and patches for both operating system and applications.
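The following audit script is an added example, not part of the original article: it checks three of the items above (the /etc/hosts.deny entry, the ordering of the /etc/hosts.allow entry, and whether /etc/ftpusers covers every system account) against a constructed sample /etc tree so it runs offline. It assumes that accounts with a UID below 1000 are system accounts; on a real host point the checks at the live files instead of the sample tree.

```shell
#!/bin/sh
# Added audit script (not from the original article). Assumption: UID < 1000
# marks a system account, the usual convention on Debian/Red Hat-style systems.

# Return 0 if the first uncommented, non-blank line of hosts.deny is ALL:ALL.
check_hosts_deny() {
    first=$(grep -v '^[[:space:]]*#' "$1" | grep -v '^[[:space:]]*$' \
            | head -n 1 | tr -d '[:blank:]')
    [ "$first" = "ALL:ALL" ]
}

# Return 0 if hosts.allow contains ALL:ALL:deny and every specific allow rule
# comes before it. tcpd stops at the first matching line, so a deny-all placed
# ahead of the allow rules would silently block the services you wanted open.
check_hosts_allow() {
    grep -v '^[[:space:]]*#' "$1" | grep -v '^[[:space:]]*$' | tr -d '[:blank:]' | awk '
        $0 == "ALL:ALL:deny" { seen = 1; next }
        seen                 { bad = 1 }
        END                  { exit (seen && !bad) ? 0 : 1 }'
}

# Return 0 if every system account in passwd (root included) is listed in
# ftpusers, i.e. none of them can log in over FTP.
check_ftpusers() {
    awk -F: '$3 < 1000 { print $1 }' "$1" | while read -r user; do
        grep -qxF -- "$user" "$2" || exit 1
    done
}

# Constructed sample tree standing in for a hardened workstation's /etc.
build_sample() {
    root=$(mktemp -d)
    mkdir -p "$root/etc"
    printf '%s\n' 'sshd: 192.168.1.' 'ALL: ALL: deny' > "$root/etc/hosts.allow"
    printf '%s\n' '# deny anything not allowed above' 'ALL: ALL' > "$root/etc/hosts.deny"
    printf '%s\n' 'root:x:0:0:root:/root:/bin/sh' \
        'daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin' \
        'alice:x:1000:1000:alice:/home/alice:/bin/sh' > "$root/etc/passwd"
    printf '%s\n' root daemon > "$root/etc/ftpusers"
    echo "$root"
}

ROOT=$(build_sample)
check_hosts_deny  "$ROOT/etc/hosts.deny"                  && echo "hosts.deny: ok"  || echo "hosts.deny: FIX"
check_hosts_allow "$ROOT/etc/hosts.allow"                 && echo "hosts.allow: ok" || echo "hosts.allow: FIX"
check_ftpusers    "$ROOT/etc/passwd" "$ROOT/etc/ftpusers" && echo "ftpusers: ok"   || echo "ftpusers: FIX"
```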
Common security tasks and applications
- Subscribe to security mailing lists for your particular distribution and to general security mailing lists, such as Bugtraq, US-CERT, SANS, and LinuxSecurity.com.
- Email: Thunderbird includes spam filtering. Alternatively, consider using a text-only email reader, such as Sylpheed or Pine, which will not execute any attached viruses.
- Web browser: Opera, Firefox.
- Application suite: OpenOffice, KOffice.
- Setting up a firewall: there are graphical UI tools to configure ipchains and iptables, such as Security Level Configuration Tool or GNOME Lokkit.
- Virus protection: Clam AntiVirus, Sophos, F-Secure, Computer Associates.
- Encryption: GnuPG.
- Content filtering.
- For personal workstations, host-based intrusion detection is probably preferable to network-based systems. Some candidates: Tripwire, Linux Intrusion Detection System (LIDS).
- Backups: Computer Associates. In addition, many Linux distributions ship with open source backup software. For an extensive list of backup software for Linux see Linux.org.
- Checking for rootkits: chkrootkit.
Hardening Linux
The Bastille Hardening System can be used to assess a Linux system’s security and, if required, build and implement a security policy.
Security-Enhanced Linux from the US government’s National Security Agency is, perhaps, an option for environments where the highest levels of security are required.
Linux Security Resources
The advice in this article is derived from the following sources, which contain much more information about Linux security.
Websites
- CERT’s UNIX Security Checklist.
- Linux Security How-to.
- Red Hat Linux Security Guide.
- List of distributions.
- Linux Security.
- SANS.