Sunday, November 22, 2009

Learn about Linux security

Learn about Linux security

General overview of security issues that face the administrator of Linux systems.

Although linux-based operating systems are considerably safer when compared to Windows and Mac OSX, there are still steps that you can take to ensure that your linux box stays safe and protected. In this post I will illustrate a few techniques you can use to keep your machine locked down tight.

1. Firewalls are your guardian angels.

First of all, keep a software firewall active on your system, and restrict access to ports that allow remote access into your system, a good idea is to allow only a few select hosts access to ports used by services such as ssh (port 22) or telnet (port 23). Keeping a firewall in place ensures that you alone dictate who gets to access remote services on your computer and who doesn’t. To set up a firewall in linux, you can use the iptables program which comes standard with most linux distributions. However, iptables is quite difficult and complicated to set up correctly, and you will need to spend some time fiddling with the command line, but it is very flexible and powerful once configured correctly.

If messing about with iptables dosen’t appeal to you, there are frontends to iptables that you can use to set up effective firewalls. One such frontend is ufw (uncomplicated firewall) this program comes standard on ubuntu and is quite simple to set up, to use it you first have to enable it by typing in ’sudo enable ufw’ in the terminal, once the ufw service is active, adding rules is as simple as ’sudo allow 22/tcp’ > this statement allows all tcp traffic on port 22, swap allow for deny and you have the ssh service blocked, Its that simple, much easier than mucking about with iptables.

Of course, there are many people who do not like the idea of using command-line programs and like all their apps to be graphical. If you prefer a GUI configured firewall, then firestarter is the choice for you. Firestarter is a breeze to use, and has good documentation available on the firestarter website.

2. Passwords are for your protection, choose them well

Choose good user passwords, especially for root. One way to choose a secure password is to take a sentence, reduce it to an acronym and then replace some letters of the acronym with symbols and add some numbers to it. this mixing of alphabets, numbers and symbols, along with its long length will be a strong password.

Never use actual words that have meaning as passwords. These types of passwords are weak and can be cracked using dictionary attacks. Also along those lines: Never use words that hold personal significance with you.. i.e don’t use passwords that people who know you will be inclined to think that you would use, like a favorite pet’s name.. etc.

And for god’s sake, don’t use the word ‘password’ as a password…. ( don’t laugh… thats one of the most common passwords .. )

3. Use antivirus

Yeaps you read right.. antivirus. Antivirus on linux you say? Yes, linux has antivirus suites as well , but this is more for cleaning off your thumbdrives that you may have used in an infected windows machine than for killing linux viruses, as the system of user permissions for executing files makes linux a very inhospitable place for computer viruses to live. clamAV is a good antivirus choice, with a GUI version available for most major distros.

4. Be careful what scripts you get off the net


Getting bash scripts off the net is convenient, but be careful what scripts you run on your system, and make sure you check them out first. If you suspect that a script you got has some nasty intentions behind it, but you do not have the expertise in bash scripting to be sure, post the script in text form on linux support forums and the community will help you out. Unfortunatly, there are idiots out there who write destructive shell scripts and release them into the wilds of the internet, in this case intuition is your best defence.

5. Encrypt sensitive data that you may have.

The concept behind encryption is relatively simple, make the data to be encrypted unreadable to anybody besides authorised users.
My favourite program for encrypting data on linux AND windows would have to be truecrypt. Truecrypt works by creating a virtual volume which you can then set a passphrase or security key to. When you mount the virtual volume, you can then add files to it, which will be totally encrypted and unviewable once unmounted. The only way to mount the drive is to supply the passphrase or key.

6. Keep your BIOS set to boot from your harddrive and then add a password to your bios.

This is to keep people from booting off from live CDs and cracking your password from them. Although it is relatively easy to reset the BIOS password, this should be at least a minor detterance to those who may try this cracking method.

Well, there you go.. hopefully you wil use these tips and make your system a safer box to work on.

For more information regarding iptables check out this site

Do you have questions, comments, or suggestions? Feel free to post a comment!

 
Powered by Blogger