Secure Linux System

Follow these six tips to get a safer computer the easy way

1. Keep up with security updates


All mainstream Linux desktop distros (such as Debian, Ubuntu, Fedora, etc) have security teams that work with the package teams to make sure you stay on top of any security vulnerabilities. Generally these teams work with each other to make sure that security patches are available as soon as a vulnerability is discovered.
Your distro will have a repository solely dedicated to security updates. All you have to do is make sure the security specific repository is enabled (chances are it will be, by default), and choose whether you'd like to install the updates automatically or manually at the press of a button.
For example, under Ubuntu, head over to System > Administration > Software Sources. Here, under the Updates tab, specify how frequently the distro should ping the security repository for updates, and whether you'd like to install them without confirmation, or just be notified about the updates.
The latter is a better option, because it lets you review the updates before installing them. But chances are they'll be fine, and you can save yourself some time by having your distro install them automatically.
In addition to the updates, distros also have a security mailing list to announce vulnerabilities, and also share packages to fix them. It's generally a good idea to keep an eye on the security list for your distro, and look out for any security updates to packages that are critical to you.
There's a small lag between the announcement and the package being pushed to the repository; the security mailing lists guide the impatient on how to grab and install the updates manually.
2. Disable unnecessary services



3. Restrict root access


Most distros these days don't allow you to login as root at boot time, which is good. When you have to execute a task that requires super user privileges you'll be prompted for a password. It might be a little irritating but it goes a long way to making sure that admin tasks are isolated from the user.
You can restrict access privileges for a user from under System > Administration > Users and Groups. Here you can broadly categorise a user as a desktop user or a system administrator or customise access privileges manually. By default, users are created as with 'Desktop user' permissions and can't install software or change settings that affect other users.
On the command line, the su command (on Fedora, and the like) lets normal users switch to the root account, while the sudo command (on Debian, Ubuntu, etc) grants more privileges to the user. The usage of these commands can be limited to a particular group, which prevents any user from administering the system. sudo is also the more secure of the two, and it keeps an access log under /var/log/auth.log.
Make a habit of regularly scanning the log for failed and successful sudo attempts.
4. Don't auto-mount devices


If you're really concerned about security, you need to lean on the customisation feature of the Users And Groups settings. One of the areas to look at is auto-mounting devices.
Most distros auto-mount USB drives and CDs as soon as they are inserted. It's convenient, but allows anybody to just walk up to your machine, plug in a USB disk and copy all your data. To avoid such a situation, go to to System > Administration > Users and Groups, select your user and head to the Advanced Settings > User Privileges tab.
Make sure you uncheck the boxes corresponding to the Access External Storage Devices Automatically option, the Mount Userspace Filesystems, and Use CD-ROM Drives option. When unchecked, these options will prompt the user for a password before giving them access to these devices.
You might also want to disable sharing files on the network, as well as require the user to enter a password before connecting to the Ethernet and wireless devices. By disabling access to configure printers you prevent important data from being printed.
5. Don't stay on the bleeding edge

Packages included in a desktop Linux distribution are updated regularly. Besides the official repositories, there are custom repositories for third-party software. While developers do take care to scan the packages for vulnerabilities before pushing them on to the repository, it's almost inevitable that some updates with defects do get through.
While it's good to keep the system updated, from a security point of view, not all updates are good for the system. Some updates conflict with existing installed package or may even pull in new dependencies that may make the system more prone to attack. All this is why you should only update packages if you have to.
Scan the updates and look for updates to packages that are critical to you. Most package managers also make it possible to check an update and display its changelog and a brief description of the changes. UI changes can safely be ignored or delayed until a package has been thoroughly tested. Instead, look out for and grab updates that offer a fix to existing issues with packages.
6. Don't upgrade every six months

Most major desktop Linux distributions make a new release every six months, but you don't have to install every last upgrade just because it's there. Debian, for example, offers three distributions to choose from based on the extent of the stability of the software available in it. After Debian 6.0, stable releases will be made every two years.
Other distros take a different approach to guarantee secure releases. Ubuntu marks certain releases as LTS (or Long Term Support). A desktop release of the LTS version is supported for three years, and a server release is supported for five years, which is a lot longer than the 18 months for a standard Ubuntu release.
Although not up to date, these releases are much more secure from a security point of view, with packages that are a lot more stable and more thoroughly tested than their latest versions. If running a secure system is your goal, you should think of sticking to one of these long-term stable releases and avoid the temptation to upgrade as soon as the latest version of your becomes available.

No comments: