10 simple ways to make your Linux box more secure
In depth: Most articles on security for Linux are firmly rooted in the guidance of tried-and-tested Unix usage. This means that they dust off the same dry points on keeping the network locked away, minimising the risk by locking down the system and only giving access to the people who really need it, then draw a conclusion that boils down to a form of the old adage 'it's better to be safe than sorry'.
That's not to say those techniques aren't useful, but they often aren't particularly applicable to the average installation. We want to rejuvenate this age-old advice with a checklist that's relevant to everyone's installation. If you follow each tip, your system usage will many times safer than most. But even if you don't do absolutely everything, changing just one bad habit can still make a big difference.
1. Enable your firewall
Five years ago, it was considered foolish to go online without a firewall, but now some distros (such as Ubuntu) don't even enable one by default. Why? Well, all a firewall does is block internet access to insecure services on your computer.
Broadband routers tend to include one by default, while Ubuntu has no internet-facing services running in a standard installation, which renders a firewall unnecessary. But it doesn't take much to change a configuration or install something that is vulnerable. Windows file sharing with Samba, for example, is considered a risk, and the ports that the protocol uses on the LAN shouldn't be accessible from the internet. This is where a firewall is necessary.
Fortunately, installation is usually only a couple of clicks away. The Linux kernel has the functionality by default, so all you're really adding is a graphical front-end. Our favourite is called ufw. It's a command-line utility that's installed, but not enabled, on Ubuntu systems.
Type sudo ufw enable then sudo ufw default deny to start the firewall and block all incoming connections. Now add excep tions for services you need. If you run an SSH server, for example, type sudo ufw allow ssh to enable connections to port 22 (the default). And you can make configuration easier by using the Gufw GUI. Effectiveness: 7/10
There are many firewall front-ends, but we recommend using either Gufw or Firestarter for their ease of use.
2. Enable WPA on your router
These days, most of us run a wireless network. But the standard security that's been around for a few years, known as WEP, can now be easily compromised.
As long as enough data is being transmitted, any modern machine will be able to discern the keys being used on a wireless network using WEP within an hour or so. This might not be an issue when you live deep in the Cairngorms of Scotland, but it is if you live in an overpopulated city.
The higher the number of people within range of your access point, the more likely it is that one of them will to try to crack your security. They can do this with almost complete anonymity, and you'll never be able to trace their location.
Even short-term fixes, such as turning off the access point name being broadcast or locking access to MAC addresses, won't help you - a snooper can still derive this information from the data. The only complete protection is to switch encryption methods on your router, so if your router doesn't support anything better than WEP, consider getting a new one.
You should look for a model that supports WPA, or ideally, WPA2 - either of these should make your connection a lot more secure than WEP. Most modern routers support WPA2, but you'll need to change your client's hardware to WPA as well. The only device we can think of that doesn't have WPA support is the Nintendo DS. Effectiveness: 8/10
3. Keep your system up to date
Security is mostly common sense, so it's easy to think that keeping your system up to date couldn't be more obvious. However, it's also an easy task to neglect if you don't understand why you should keep your system current.
The problem is that the average installation includes hundreds of separate tools and applications, each of which is open to error. If the fault is in a critical area, it can be exploited by a hacker and used to create a way into your system.
It's for this reason that you need to download the fixed versions of any of these compromised applications as soon as possible, which is why nearly every serious Linux distribution includes an update tool to download the fixes quickly, and why a distribution has a life-cycle that ends when the developers can no longer continue to offer fixes.
Ubuntu 8.10 will get fixes until 2010, for example, while the long-term support versions get an extra year. Mandriva, Fedora and OpenSUSE have similar support periods and automatic update tools to make the whole process as painless as possible. Click on yours now. Effectiveness: 9/10
Updates for your distro rarely include feature enhancements. They're intended for perfunctory fixes to keep your system as secure as possible.
4. Don't use root for everything
One of the defining characteristics that differentiates Linux from Windows is that standard user accounts can't destroy the integrity of the operating system - you have to be running as the system administrator to do that.
Even though you may routinely use the root account for system administration tasks, it's important that those tasks are kept separate from day-to-day monotony and desktop management.
Some users find the constant stream of password requests that accompany any system administration task annoying, and decide to continually connect as root. This practice is a little like disabling the earth connection in electronic music equipment to stop any ground-loop hum being heard: it will certainly fix the problem, but you could die.
The more time you spend as root, the more likely it becomes that you're going to make a mistake, and the same is true as always being root on the command line. The only solution is not to be tempted to run as root for everything. Effectiveness: 6/10
5. Check for unused accounts
If you've been using your current installation for some time, the chances are you've created more than one user account. This could have been to accommodate other people who use your machine, but it could also be to satisfy installation requirements for applications.
The SqueezeCenter media streaming tool, for instance, needs to be run from its own user account. This is both good and bad. It ensures that applications such as SqueezeCenter have complete control over their own files and processes and, if the worst happens, those processes can only ever damage their own files. However, it becomes easy to lose track of how many users you have, and each of those accounts has some kind of access to your system.
If you're running an SSH server, for example, it may be possible for a hacker to connect to SqueezeCenter's account without your knowledge. Most distributions include their own user management tool.
OpenSUSE users should look in Yast, while Mandriva users will find theirs in the Control Centre. Ubuntu hides Users and Groups in the Administration menu. Remove those you know are now redundant, but be careful not to remove those that are required by certain other services. Effectiveness: 4/10
6. Use groups and permissions
Groups and permissions are a technical aspect of the filesystem inherited from Unix systems, but they're still useful. Each user can be a member of any number of groups, and a group is just a special kind of user.
Most distros use groups to restrict access to specific hardware. It's a file, folder or device's permissions that configure how that device could be accessed. Right-click on the file in a file manager, and click on Properties to see its permissions. Then change the parameters to restrict access to key files and devices. Effectiveness: 7/10
Samba or an FTP server may let a stranger access your computer, so restrict them to specific parts of the system.
7. Run a virus checker
There are no Linux viruses in the wild that can damage your system, and even if there were, the use of users and permissions would restrict the damage they can wreak to your personal data. That's not great news if you don't have a recent backup, but it's not as bad as the virus turning your machine into a useless block of metal.
For that reason, we'd highly recommend installing a virus checker, and only using it when you're accessing or forwarding files that could corrupt lesser operating systems. ClamAV is a fantastic open source virus checking application.
Volunteers keep the viral database up to date, and ClamAV is easier to use if you install a GUI front-end to the commandline core utility. The two we'd recommend are KlamAV for KDE users, and ClamTK for everyone else. Both will let you update the virus database, and choose the files and folders you want to scan.
You can also select ZIP archives, as well as documents and images. If ClamAV finds anything suspicious, it lets you know before placing the f ile into a temporary storage area it calls Quarantine. This way, you can always get your data back if the file is important. Effectiveness: 5/10
8. Use secure passwords
We're so used to being asked for our passwords, but do we really give them enough attention? Passwords have become far more important than being simple barriers to your desktop. They're now the key to your entire online identity.
The worst offenders use the same password for casual forums and their bank. You need to separate services vital to your online health from those that are temporary and trivial. We'd recommend having a few passwords you can use for different tiers of security. At the top level, your passwords need to be strong and unique.
The best way to keep on top of this is to use a desktop password manager. These typically remember all your passwords for you, automatically fill in online forms and keep the data secure with a super password. It may seem like a bad idea, but it's only accessible by people with access to your desktop account.
Two of the most common are KWallet for KDE and Figaro's Password Manager for Gnome. For websites, we suggest using Firefox's password manager and enabling the master password via Preferences > Security page. Effectiveness: 8/10
Firefox can save your passwords for you, but enable the Master Password first so that only you can unlock the password recall function.
9. Make regular backups
If there's one thing here you really should do, it's create a backup of your data. It's too easy to be apathetic, so even if it's just putting a few files on Gmail, or dragging them to a shared storage device, it's worth doing now.
If you need an ultra-modern backup tool that appeals to the investigative geek in you, why not try TimeVault? It's being developed by Canonical and is now in beta, but it already adds a whole new dimension to backing up your data. You can roll back the state of your files and folders through a series of snapshots held on a remote storage device.
TimeVault discreetly copies marked files and folders to this device while you're working, so you don't have to worry about making scheduled backups. The only disadvantage is that the only easy way to install TimeVault is on Ubuntu.
Go to https://launchpad.net/timevault and click on the Downloads link, then click the top download. Allow the package installer to take control and click the Install Package button. Type your root password and the files will be installed. After TimeVault configures itself, you'll need to log out and back in again.
TimeVault is now in the Applications > System Tools menu. Run it and an icon is added to the panel applet section of your toolbar - right-click this and select Preferences. From this window, change the Snapshots root directory to a storage device, and add your home directory to the Include list.
You can also fine-tune how data is collected from the Expire tab, after which you can leave TimeVault running in the background - add the tasks to your session manager to start the process automatically each time you login. When the time comes to restore a backup, open the Snapshot Browser from the TimeVault icon and select items you want to restore from the specific time and date. Effectiveness: 9/10
10. Encrypt your data
Whenever you transfer data across an insecure network, there's always a possibility it could be intercepted. The answer is to encrypt your data, so that even if your files are stolen, the thief won't be able to do anything with them.
There are dozens of free encryption tools available. Most are based on the GNU Privacy Guard, or GnuPG for short. This uses a system of private and public keys for encryption, both of which can be created within the software.
You can use your own keys to encrypt and store your files, while files encrypted with other people's public keys can only be decrypted with their private key. Similarly, files encrypted with your private key can only be decrypted with your public key. This last method can be used to validate file sources, and is often used to sign emails.
The most popular Gnome front-end for GnuPG is called Seahorse, while the KDE equivalent is KGPG. Both let you create keys and integrate with email clients. They're easier than they sound.
With Seahorse, click on New followed by 'PGP Key'. Enter your name and your email address, followed by a pass phrase. After that, the key will be generated (GnuPG will also accept public keys from your trusted contacts). You can now encrypt or decrypt files from the Nautilus file manager by using the right-hand menu on the file. Effectiveness: 7/10
First published in Linux Format magazine