ProperGander

Security for the masses

Basics

The quick and obvious

Some quick and obvious things you can do to secure your Linux desktop.

  • Use a strong password.
  • Lock the screen when you are away from your machine.
  • Update your machine regularly.
  • Install virus protection.
  • Install rootkit detection.
  • Stop unnecessary services.

Linux updates

Unlike Windows, where one can wait months or even years for a fix to a security problem, a security update for Linux can come within hours of the flaw being found. KDE and Gnome both have applets to manage system updates. With a default install these applets are normally started with the desktop environment, and you will be notified when updates are available. Don't ignore these prompts; install immediately. Should a restart be required to apply the update, you will have the option to restart the system at a later time.

Stopping services

On a desktop machine there are certain services that are not needed and may pose a security risk: ftp, httpd, sshd, etc. Although most Linux desktop distributions do a pretty good job of only running the services needed for the desktop environment, you can take measures to ensure that any service you don't need is not run at start-up. Check your /etc/inetd.conf file and comment out those services that are not required.

Rootkit detection

The Linux rootkit is a dangerous piece of malware: it gives an attacker backdoor access to your system at root level. There are programs to protect against this kind of malware, Rkhunter and Chkrootkit being the two most common. They scan your system looking for suspicious files and warn you if any are detected. Both of these programs need updating regularly so they can detect the latest rootkit code. Neither program removes rootkit code; they only report the filename and location. It is left to you to research the threat and determine what action needs to be taken. They can be installed via the package manager or apt.

Advanced

Firewalling

The default firewall rules for most Linux distributions allow all incoming and outgoing connections. Security can be increased by restricting which ports, services and IP addresses your system is allowed to connect to or receive connections from. Linux firewalls are configured using iptables, which takes its instructions, or firewall rules, from the command line. There are some user-friendly interfaces for configuring iptables, such as Firestarter and FWBuilder, to name but two. It is prudent to set up firewall rules to deny all access to or from the network first, and then allow only those connections that are needed. Firewall rules are always a compromise between security and functionality. As this site develops I will include instructions on how to use iptables to secure your system.

Passwording the bootloader

Linux will allow the root password to be changed without entering a password, by booting into what is called single-user mode. This feature can be password protected. Follow the steps below to password protect the GRUB loader.

  • Open a terminal and at the prompt enter: grub
  • At the grub prompt enter: md5crypt
    • This creates an MD5 hash of the password you enter instead of storing it in plain text.
  • At the prompt enter the password for single-user mode.
  • Don't close this window; you will need the md5crypt output for the next stage.
  • Edit the grub configuration file by opening another terminal window.
  • Enter the following command in the new window: sudo cp /boot/grub/menu.lst /boot/grub/menu.lst.backup
    • This makes a backup of the configuration file.
  • Enter the following command: sudo gedit /boot/grub/menu.lst
    • This opens the grub configuration file.
  • Locate the line in the file that reads "BEGIN AUTOMAGIC KERNELS LIST" and immediately below this line enter the following: "password --md5 <password hash from other terminal window>"
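As an added example (not code from the original page), the following POSIX shell script performs the menu.lst editing steps above: it checks that the md5crypt output looks like an MD5-crypt hash so a plain-text password is never written into the bootloader config, takes the backup, and inserts the password --md5 line directly under the marker. The menu.lst contents and the hash value are constructed, and add_grub_password is a name chosen here.

```shell
#!/bin/sh
# Added example: insert "password --md5 <hash>" below the AUTOMAGIC marker
# of a GRUB Legacy menu.lst, after taking a backup of the file.

add_grub_password() {
    conf="$1"   # path to menu.lst
    hash="$2"   # output of grub's md5crypt (an MD5-crypt string starting "$1$")
    marker="BEGIN AUTOMAGIC KERNELS LIST"

    # Refuse anything that is not an MD5-crypt hash: the directive must never
    # carry the plain-text password.
    case "$hash" in
        '$1$'*) ;;
        *) echo "refusing: hash must be an MD5-crypt string (\$1\$...)" >&2; return 1 ;;
    esac

    grep -q "$marker" "$conf" || { echo "marker not found in $conf" >&2; return 1; }

    # Idempotent: running the script twice must not add a second password line.
    if grep -q '^password --md5 ' "$conf"; then
        echo "password line already present in $conf" >&2
        return 0
    fi

    cp "$conf" "$conf.backup"    # same backup step as the procedure above

    # Copy every line, and emit the directive right after the marker line.
    awk -v line="password --md5 $hash" -v marker="$marker" '
        { print }
        index($0, marker) { print line }
    ' "$conf.backup" > "$conf"
}

# Constructed sample menu.lst and a constructed (not real) md5crypt value.
demo_conf="$(mktemp)"
cat > "$demo_conf" <<'EOF'
default 0
timeout 5
## ## End Default Options ##
### BEGIN AUTOMAGIC KERNELS LIST
title  Linux
root   (hd0,0)
kernel /vmlinuz root=/dev/sda1 ro
EOF
demo_hash='$1$EXAMPLE$CONSTRUCTEDHASHVALUE000000'
add_grub_password "$demo_conf" "$demo_hash"
```

On a real system point the function at /boot/grub/menu.lst (as root) and pass the hash printed by md5crypt; the file it writes keeps every original line and adds exactly one password directive.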

LILO does not support encrypted passwords, so if you are using the LILO loader you will need to edit /etc/lilo.conf. Look for the password section and create a plain-text password there.