Wednesday, September 17, 2008

10 Tips to keep your Tux more secure

Linux itself is secure.. but, here is the caution for keeping it more secure :)

1. Locking the screen and logging out is important
Most people forget that the Linux desktop is a multi-user environment. Because of this, you can log out of your desktop and others can log in. Not only does that mean that others could be using your desktop, it also means you can, and should, log out when you're finished working.

If you are the only user on your system, you can lock your screen instead. Locking your screen simply means that a password will be required to get back into the desktop. The difference here is that you can leave applications running and lock the desktop. When you unlock the desktop, those same programs will still be running.

2. Hiding files and folders is a quick fix
In 'Linux land', files and folders are hidden by adding a '.' before the name; so, for example, the file 'test' will appear in a file browser, whereas '.test' will not. Most people don't know that running the command 'ls-a' will show hidden files and folders.

So, if you have folders or files you don't want your co-workers to see, simply add the dot to the beginning of the file or folder name. You can do this from the command line like so: mv test .test.

3. A good password is a must
Your password on a Linux PC is your golden key. If you give that password out or if you use a weak password, your golden key could become everyone's golden key.

And if you're using a distribution like Ubuntu, that password will give users much more access than, say, Fedora. To that end, make sure your password is strong. There are many password generators you can use, such as Automated Password Generator.

4. Installing file-sharing applications is a slippery slope
I know many Linux users are prone to file-sharing. If you want to run that risk at home, that's your call. But, when at work, you not only open yourself, or your company, up to lawsuits, you open your desktop machine up to other users who might have access to sensitive data on your work PC. So, as a rule, do not install file-sharing tools.

5. Updating your machine regularly is wise
Linux isn't Windows. With Windows, you get security updates when Microsoft releases them, which could be many months away. With Linux, a security update can come minutes or hours after a security flaw is detected. With both KDE and Gnome, there are update applets for the panel. I always recommend having them up and running so you know when updates are made available. Don't put off security updates. There is a reason they come out.

6. Installing virus protection is actually useful in Linux
Believe it or not, virus protection in Linux has its place. Of course, the chances of a virus causing problems on your Linux machine are slim to none. But those emails you forward to others' Windows machines could cause problems. With a good virus-protection tool, such as ClamAV, you can ensure that email going out of your machine doesn't contain anything nasty that could come back to haunt you or your company.

7. SELinux is there for a reason
SELinux (Security-Enhanced Linux) was created by the US National Security Agency. It helps lock down access control to applications, and does so very well.

Certainly, SELinux can sometimes be a pain. In some cases, it might take a hit out of your system performance, or you might find some applications a struggle to install. However, the security comfort you gain by using SELinux (or AppArmor) far outweighs the negatives. During the Fedora installation, you get the chance to enable SELinux.

8. Creating /home in a separate partition is safer
The default Linux installation places your /home directory right in the root of your system. This is fine but, firstly, it is standard, so anyone gaining access to your machine knows right where your data is; and, secondly, if your machine goes down for good, your data might be gone.

To solve this problem, you can place /home on a different hard drive or partition altogether (making it a partition in and of itself). This is not a task for the weak of heart, but it is one worth undertaking if you're very concerned about your data.

9. Using a non-standard desktop is worth its weight in gold
Not only do the alternative desktops (Enlightenment, Blackbox, Fluxbox, etc) give you a whole new look and feel for your PC, they offer simple security from prying eyes you may never have considered.

I have deployed Fluxbox on kiosk machines when I wanted a machine that could do one thing: Browse the network. This can be easily achieved. Create a single mouse menu (or desktop icon) for the application you want to use. Unless the user knows how to get back to the command line (by logging out or hitting ctrl-alt-f*, where * is a desktop other than the one you are using), they will not be able to start up any application other than the one offered.

Since most users have no idea how to move around in these desktops anyway, they aren't going to have the slightest idea how to get to your files. It is simple pseudo-security.

10. Stopping services is best
This is a desktop machine. It's not a server. So why are you running services like httpd, ftpd, and sshd? You shouldn't need them and they only pose a security risk, unless you know how to lock them down. So don't run them. Check your /etc/inetd.conf file and make sure that all unnecessary services are commented out. It is a simple but effective method.