Linux Security Checklist

Previous page
Table of content
Next page

While Linux offers all the tools you need to secure your computer, if you are careless someone can (and probably will) harm your system or try to steal your data. The following checklist covers a range of security measures to protect your Linux desktop or server.

  • Add users and passwords - Creating separate user accounts (each with a good password) is your first line of defense in keeping your data secure. Users are protected from each other, as well as from an outsider who takes over one user account. Setting up group accounts can extend the concept of ownership to multiple users. See Chapter 11 for more on setting up user accounts and "Using Password Protection" later in this chapter.

  • Read, write, and execute permissions - Every item in a Linux file system (including files, directories, applications, and devices) can be restricted by read, write, and execute permissions for that item's owner and group, as well as by all others. In this way, for example, you can let other users run a command or open a file, allowing them to change it. See Chapter 4 for information on setting file and directory permissions.

  • Protect root - In standard Linux systems, the root users (as well as other administrative user accounts such as apache) have special abilities to use and change your Linux system. Protect the root account's password and don't use the root account when you don't need to. An open shell or desktop owned by the root user can be a target for attack. Running system-config-* windows as a regular user (and then entering the root password as prompted) and running administrative commands using sudo can reduce exposure to attacks on your root account. See Chapter 10 for information on handling the root user account.

  • Use trusted software - While there are no guarantees with any open source software, you have a better chance of avoiding compromised software by using an established Linux distribution (such as Fedora or RHEL). Software depositories where you get add-on packages or updates should likewise be scrutinized. Using valid GPG public keys can help ensure that the software you install comes from a valid vendor. And, of course, always be sure of the source of data files you receive before opening them in a Linux application.

  • Get software updates - As vulnerabilities and bugs are discovered in software packages, every major Linux distribution (including RHEL and Fedora) offers tools for getting and installing those updates. Be sure to get those updates, especially if you are using Linux as a server. See Chapter 5 for information on using up2date, Pup, and yum to get software updates.

  • Use secure applications - Even with software that is valid and working, some applications offer better protection from attack or invasion than others. For example, if you want to log in to a computer over the Internet, the secure shell service (ssh) is considered more secure than rlogin or telnet services. Also, some services that are thought to be insecure if you expose them on the Internet (such as Samba and NFS), can be used more securely over the Internet through VPN tunnels (such as IPSec or CIPE).

  • Use restrictive firewalls - A primary job of a firewall is to accept requests for services from a network that you want to allow and turn away requests that you don't (based on port numbers requested ). A desktop system should refuse requests that come in on most ports. A server system should allow requests for a controlled set of ports. This chapter describes how to set up a firewall using iptables.

  • Enable only services you need - To offer services in Linux (such as Web, file, or mail services), a daemon process will listen on a particular port number. Don't enable services you don't need. See Chapter 12 for information on using system services.

  • Limit access to services - You can restrict access for a service you want to have on to a particular host computer, domain, or network interface. For example, a computer with interfaces to both the Internet and a local LAN might limit access to a service such as NFS to computers on the LAN, but not offer those same services to the Internet. Services may limit access in their own configuration files or using TCP/IP wrappers (described later in this chapter).

  • Check your system - Linux has tons of tools available for checking the security of your system. After you install Linux, you can check access to its ports using nmap or watch network traffic using Wireshark (formerly called Ethereal). You can also add popular security tools such as Nessus, to get a more complete view of your system security.

  • Monitor your system - You can log almost every type of activity on your Linux system. System log files, using the syslogd and klogd facilities, can be configured to track as much or as little of your system activity as you choose. The logwatch facility provides an easy way to have the potential problem messages forwarded to your administrative e-mail account. Linux logging features are described later in this chapter. You can get add-on packages such as tripwire and portsentry, to check your system for tampering and deal with someone scanning your ports, respectively.

  • Use SELinux - SELinux is an extraordinarily rich (and complex) facility for managing the access of nearly every aspect of a Linux system. It addresses the if-I-get-root-access-I-own-your-box shortcomings of Linux and UNIX systems for highly secure environments. Red Hat systems offer a useful, limited set of SELinux policies that are turned on by default in Fedora. Chapter 10 provides an overview of SELinux, along with explanations of how it is implemented in Fedora and RHEL.

This checklist should give you a good starting point with many aspects of security in Linux. Each of these topics is covered in greater depth throughout this chapter and in other chapters throughout this book that I have just referenced. However, computer security is an on-going battle, so I recommend you check out the following Web sites to get a deeper, continuing experience with Linux security:

  • CERT ( www.cert.org ) - The CERT Coordination center follows computer security issues. Check their home page for the latest vulnerability issues. The site has articles on security practices ( www.cert.org/nav/articles_reports.html ). It also has recommendations on what you should do if your computer has been compromised ( www.cert.org/tech_tips/win-UNIX-system_compromise.html ).

  • Red Hat Security Alerts ( www.redhat.com/security ) - For RHEL security issues (that typically relate to Fedora Core systems as well), you should check out the resources available from this site. From here you can look for and read about available updates. You can also get information on security training and consulting from Red Hat, Inc.

  • Red Hat Enterprise Linux 4 Security Guide - This guide provides an in-depth look at Linux security, specifically as it relates to Red Hat Enterprise Linux and Fedora Core. You can access this guide online from the following address:

    • www.redhat.com/docs/manuals/enterprise/RHEL-4-Manual/security-guide/



Previous page
Table of content
Next page
Fedora 6 and Red Hat Enterprise Linux Bible
Fedora 6 and Red Hat Enterprise Linux Bible
ISBN: 047008278X
EAN: 2147483647
Year: 2007
Pages: 279
Authors: Christopher Negus
BUY ON AMAZON
Interprocess Communications in Linux: The Nooks and Crannies
Adobe After Effects 7.0 Studio Techniques
Documenting Software Architectures: Views and Beyond
Java for RPG Programmers, 2nd Edition
The Lean Six Sigma Pocket Toolbook. A Quick Reference Guide to Nearly 100 Tools for Improving Process Quality, Speed, and Complexity
Visual Studio Tools for Office(c) Using C# with Excel, Word, Outlook, and InfoPath
flylib.com © 2008-2017.
If you may any questions please contact us: flylib@qtcs.net
Privacy policy