Basic Linux Security for Beginners
Written by Steve Lake
Posted on: Feb 25, 2009 at 02:40pm
Section: Tutorials

One of the first things you'll need to know as a new user to Linux is that laissez-faire security practices don't fly. This isn't the world of Windows, and it most certainly isn't a land where nothing bad ever happens.
Linux may be more secure than Windows by default, but in the hands of the wrong person, it's just as vulnerable as the next OS. That is why security must always be first without exception. One moment of laziness, or complacency, and you're in a world of hurt.
Case in point. A member in our forums recently had his entire company brought to its knees by one simple virus. And his is not the only one. I've been in the middle of identical virus outbreaks, on the worst end of hacks, and seen systems ravaged by spyware so badly that it turned the computer into a sniveling pile of bits.
Proper security practices are important on any system, no matter how "secure" it may be. And never, ever think that security is push button easy. There is no magic solution to keep out the bad guys. Security is a process, not a product. It doesn't "just happen". You have to make it happen, and be diligent not to let it slip.
Security Paranoia is Your Friend
I remember years ago that friends of mine at work laughed at me when they saw how obsessive I was about security. Interestingly enough, they weren't laughing a few weeks later when a virus ripped through the company and I was the only user on my row whose computer *wasn't* completely owned by the virus.
So what was my little secret? I call it "Security Paranoia", and yes, it can be your best friend. Security paranoia is a state of mind where your guard is always up, you're always watchful, and you treat everything as a threat. That might seem a bit excessive, but in the long run it's the best thing you have going for you.
Now being security obsessive doesn't mean you have to act like a germaphobe and avoid all contact with outside machines, be it over the network or via a media device such as a pendrive. What you do have to be is continually conscious of what is going in and out of your machine. It's just like I stated above, it's a process, and you always have to be mindful of it for it to be successful.
A good rule of thumb is to treat your machine as though it's as vulnerable as they come, despite how secure it may be. By doing this, you're less likely to do something monumentally stupid and get it attacked, infected, or otherwise. It'll keep you always aware of your system security and focused on keeping up to date on all security elements within the machine, especially patches or updates.
Good Passwords Are Imperative!
No, you may not auto-login, or have stupid passwords for your machine. Passwords are a key part to system security and you should never take them for granted, or try to soften them up in any way. A weak password is just an invitation for trouble. And automatic logins are the perfect way to invite the worst kind of trouble onto your system.
Always pick good, strong passwords, and don't wimp out and use generic passwords such as "12345" or "password" or anything like that. Just because using passwords, or having to log in to so many things, seems like an annoyance and an unnecessary bother, it doesn't mean you can get lazy with them. The results of not taking proper care with passwords are far worse.
Think of it in this context. Would you drive a car with bad brakes? I would seriously hope not. Because that would be putting you at risk of a potentially serious accident. Same would go if you knew your wheels were about to fall off, and yet you went out onto the highway anyways.
Good passwords are like a well-maintained car. It may not keep you out of every potential danger, but it'll certainly minimize the risks to you.
Now, going back to automatic logins, let's use another analogy. Automatic logins are like a mansion with no locks on the doors. With no locks, a thief can just walk in anytime they so please, and take whatever they want, vandalize the place, set it on fire, etc. No person in their right mind would allow something like that. Or would they?
Automatic logins are just like that unlocked door on the mansion. While they may make your life a little simpler now, if someone breaches your system, the few seconds you would spend logging in will seem preferable to the possibly hours and days (or even months and years) you'll spend cleaning up all the mayhem left behind by an intruder.
And lastly, don't auto-save your passwords. I don't care how convenient it is. Auto-saved passwords are no better than automatic logins, as any password saved on the system is vulnerable to snooping should someone gain access to your system.
If you don't believe me, try this:
In Linux, open Firefox and navigate as follows:
Edit > Preferences > Security (Tab/Page) > Saved Passwords (Button) > Show Passwords (Button)
In Windows, open Firefox and do this instead:
Tools > Options > Security (Tab/Page) > Saved Passwords (Button) > Show Passwords (Button)
Now, what do you see in this window? Passwords, right? It wouldn't take much for someone to open this password file on your machine (not just for Firefox, but any program that stores passwords) and grab those passwords, and then have a happy old day with your secure logins.
The best idea for password security is to take your passwords, write them down on a piece of paper (or keep them in a small notebook) and then work on memorizing each of them until you no longer need the notebook or piece of paper.
Once the passwords are memorized, shred the paper (or notebook) so nobody else finds your information. This is especially true of any passwords you may have for your bank. If you don't feel comfortable doing this, lock the notebook or paper in a safe.
Root is to be feared
An admin once taught me that a healthy fear of root is vital to using it properly. Root on a Linux machine is the same thing as an Admin user in Windows, i.e., it's the user with the greatest power over the system.
You can do a lot of damage to your system as root. Your system is also at its most vulnerable when you're logged in as root, as the permissions the root user has bypass a lot of the key security barriers used to prevent various bad things from happening on your system. You should only ever log in as root, or su to root, if the command you want to run can't be run through sudo, and only after you've made 100% certain it's actually something you need to do.
And once you've run that command, if you're logged in as root, log out immediately. Don't stay in there any longer than you absolutely have to. And definitely don't leave yourself logged in as root in the background. That's just asking for trouble.
Use Sudo Sparingly
One of the great tools given to Linux users is sudo. It allows you to run root-level commands without ever logging in as root. You can configure /etc/sudoers to limit the range of commands users are permitted to run with sudo, which means that, while you can do a lot of damage, you can't go quite as far as you can with root. But even so, you can still get pretty close to root-level carnage.
So always remember: Use sudo sparingly. Very sparingly. If you can absolutely in any way do whatever you need to without using sudo, take that route first, and only use sudo as a last resort. This way you preserve the security of your limited access user environment.
And speaking of your limited user, just because your standard user account is restricted to a certain range of allowed operations doesn't mean you're being hindered.
If you really take a good, long look at how your system operates, you'll quickly find that, save for installing software, or configuring a little hardware, you shouldn't ever really have a need to use sudo at all.
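The /etc/sudoers restriction mentioned above only helps if the rules really are narrow. The following is an added example, not part of the original article: a small audit that flags rules granting every command or skipping the password prompt. The function names, the output format and the sample rules are all constructed for illustration.

```shell
#!/bin/sh
# Added example: flag broad sudoers rules. Reads sudoers-style text from the
# files given as arguments, or from stdin when none are given.
# Output: one "LINE:WHO:FINDING" record per risky rule.
# Limitation: backslash line continuations and inline comments are not handled.
audit_sudoers() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }           # comments, #include, blanks
        $1 ~ /^Defaults/ || $1 ~ /_Alias$/ { next } # settings and aliases
        $1 == "root" { next }                       # root is unrestricted anyway
        {
            spec = $0
            sub(/^[^=]*=[ \t]*/, "", spec)          # drop "who host ="
            sub(/^\([^)]*\)[ \t]*/, "", spec)       # drop "(runas)"
            sub(/[ \t]+$/, "", spec)                # drop trailing blanks
            nopw = (spec ~ /NOPASSWD:/)             # rule skips the password prompt
            gsub(/[A-Z_]+:[ \t]*/, "", spec)        # drop tags such as NOPASSWD:
            n = split(spec, cmd, /[ \t]*,[ \t]*/)   # one entry per command
            all = 0
            for (i = 1; i <= n; i++) if (cmd[i] == "ALL") all = 1
            if (all)  print NR ":" $1 ":all-commands"
            if (nopw) print NR ":" $1 ":nopasswd"
        }
    ' "$@"
}

# Constructed sample rules (hypothetical users, not from a real host).
sample_sudoers() {
cat <<'EOF'
# constructed sample for this example
Defaults env_reset
root   ALL=(ALL:ALL) ALL
%admin ALL=(ALL) ALL
alice  ALL=(ALL) NOPASSWD: ALL
bob    ALL=(root) /usr/bin/apt-get update, /usr/bin/apt-get upgrade
carol  ALL=(root) NOPASSWD: /usr/sbin/service cups restart
EOF
}

sample_sudoers | audit_sudoers
```

Only bob's rule, which names two specific commands and keeps the password prompt, passes without a finding. On a real machine, `sudo -l` lists what your own account may run, and `visudo -c` checks the file's syntax.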
Watch That Dialog!
Far too many people have the very bad habit of point and click computer usage. They're so eager to click through something that they rarely ever pay attention to what they're actually clicking. This can get you into such a heap of trouble that it's beyond words.
Take for example that someone sends you a program and tells you to run it. First off, if you don't know for 100% certain what it is, and most especially if you don't know who it's from, don't open it or run it!!! If you do know who it's from, and when you run it, the program asks you to enter any kind of login info, or a password, don't do it. Just escape or cancel out.
The only exception to that might be if an admin tells you to enter your password. Otherwise, don't touch that dialog, except possibly to cancel it out. Because once you give that program super user access, you've let the thief in the door and it's all downhill from there.
Be Smart About Email
First rule of thumb with email. Don't open attachments from anyone you don't know. Ever. And don't open them just because you're curious about what's inside. Curiosity killed the cat, and it can kill your PC too. Second, never give out your login info. Third, never send your login info in plain text, i.e., if you're not connecting over an SSL connection, then you're not using your email right.
If there is any way to connect via a secure link with your mail server, be it for sending or receiving, then you really should look into getting such a connection from your ISP, or network admins. This extra bit of security will pay off down the road.
Also, never store your password. Again, that seems like a hindrance, but it lowers the chances that an outside 3rd party of disreputable intentions might make your PC into the next spam spewing wonder should they, heaven forbid, ever get into it.
Use a Firewall
Yes, Linux is secure by nature, and is highly unlikely to ever be compromised or hacked over the network under normal conditions. But why take the chance? And I don't say this so much for the sake of Linux, because by nature Linux is nearly unhackable over the internet. However, the 3rd party programs you're using are a whole other story.
It only takes one program, be it a web browser, an instant messaging program, some social networking application, or who knows what to leave your computer completely naked and vulnerable to the world. The chances of that are low obviously, but why take the risk? Developers are human too, and it only takes one mistake to make you vulnerable. Then again, something you do might create that vulnerability as well.
So don't risk it. Use a firewall. There are plenty of great free firewall configuration tools on Linux that can get you started with a firewall in a few easy clicks. Consider using them. They'll make your life a lot easier.
Conclusion
Have I thoroughly scared you out of your wits yet? Good, I hope I have. Because security is important, and if you don't take a somewhat paranoid approach to it, you'll become lazy and eventually get compromised, regardless of what OS you're running. Just because Linux is more secure than most other OSes doesn't mean you are allowed to get lazy with regard to security. A recent run-in with a spammer brought that home to me very vividly when he tried to breach my system.
Although he didn't succeed, it was still a wakeup call. This near miss quickly refreshed and reinforced the knowledge that, if you don't stick to proper security practices all the time, and stay ever mindful of them, your security will fail you when you most need it, and leave you with an aftermath to clean up that's not going to be pretty in even the slightest measure of the word.
Other tips:
1. Laptops - encrypt your hard drive, or at least the data partition on your hard drive (I recommend using TrueCrypt for this).
2. Keep your packages up to date - security vulnerabilities are merely incorrect software code (bugs). Subsequent versions of a package usually contain bug fixes. Fix the bugs = fix the vulnerabilities.
3. Always remember: Security is a process, not a product. There is no magic button that'll make all your security problems go away. Not on Linux, and most especially not on Windows. And while Linux is easily ten times more secure by default than Windows is, you can still do something monumentally stupid and get compromised or hacked. That's reality. Learn to live with it, and learn how to avoid it.
4. There are a lot of bad people out there on the Internet. They want to get into your machine, your private files, and your life. Don't let them. Always think about security, and practice it with a dogmatic fervor.
Average visitor rating: 4.2 out of 5 (6 total votes)