
Linux@WHOI: Security

Before you get into using Linux on your computer, you should do some serious thinking about security. When you operate a Linux system (or any other system) on WHOInet and the Internet, you are personally and legally responsible for ensuring that your machine is as secure as you can make it. This is because a single security breach on a networked computer can serve as a staging area for more and worse attacks on other computers on the same network.

This page is intended to give you a basic overview of some security principles. For a more in-depth discussion of secure computing practices for Linux workstations, you might want to take a look at Karl Krueger's paper Your /home is your castle, or check out the CIS Security Page.


Security Principles

  • Know what software you are running. If you don't know what your system is supposed to be doing with its time, it's very hard to tell when it stops doing the right thing, or when someone has broken into it and made it run things it shouldn't be. In addition, you should keep track of changes made to your system. Packages such as tripwire can alert you if your system configuration has been changed, possibly by a break-in.
  • Don't run any software you don't need to run. Most Linux (and Unix) distributions come with a whole slew of network server software (daemons) that you don't necessarily need. (Do you really need your own IMAP mail server, or AppleTalk, or a DNS name daemon?) Every one of these daemons is a potential avenue by which a cracker can compromise your system. Uninstall any daemons you don't need, or disable them in inetd.conf.
  • Use encrypted protocols. Any time you log in to a system using telnet, rlogin, or the like, you are sending your password in cleartext over the network. This is a bad idea, as it can be packet-sniffed by anyone in between you and the remote host. Install and use ssh (Secure Shell) -- and disable your telnet daemon. (If ssh is not available with your OS distribution, you can get it from OpenSSH.) Similarly, if you need to pass confidential information over the Web, make sure you're using SSL (https).
  • Keep your software up to date. Very little software is perfectly secure as released, and security holes are often found in network software -- software which you may have installed. Anyone -- both friendly sysadmins and hostile crackers -- can find out about these security holes, on security-related mailing lists or Web sites. Because WHOI is constantly being scanned by malicious persons for security holes, running out-of-date network software here is tantamount to posting a sign on your computer saying "HACK ME, PLEASE!" Your OS distributor most likely operates mailing lists carrying announcements of software upgrades. Subscribe to these lists. Read them.
  • Keep backups. Your backups are your guarantee that no matter what happens to your system, you will always be able to restore it to a certain point. As such, they are your last line of defense against data loss caused by security compromises -- or by hardware failure, natural disaster, or even operator error. In addition, backups of log files and system state can serve as evidence if your system is compromised.
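As an added example (not from this page or from CIS), the following shell script puts the first two principles into practice: a tripwire-style baseline of file hashes that reports modified, missing and newly added files under a directory, plus helpers that list the services still enabled in an inetd.conf-style file and comment one out. It assumes a POSIX shell with GNU coreutils and GNU sed; the directory, baseline and config paths are whatever the caller supplies.

```shell
#!/bin/sh
# Added example, not from the WHOI page: a minimal tripwire-style baseline
# check for a directory tree plus helpers for listing and disabling services
# in an inetd.conf-style file. Assumes a POSIX shell with GNU coreutils/sed.
# Write a sorted "hash  path" line for every regular file under DIR to OUTFILE.
take_baseline() {  # take_baseline DIR OUTFILE
    find "$1" -type f | LC_ALL=C sort |
        while read -r f; do sha256sum "$f"; done > "$2"
}

# Compare DIR (spelled as when the baseline was taken) against BASELINE: print
# each modified, missing or added file; return 1 if anything differs, else 0.
check_baseline() {  # check_baseline BASELINE DIR
    rc=0
    # sha256sum -c re-hashes every path in the baseline; --quiet prints only
    # mismatches and files that have disappeared ("path: FAILED ...").
    sha256sum -c --quiet "$1" 2>/dev/null || rc=1
    # Files present now but absent from the baseline: the hash is 64 hex
    # characters followed by two spaces, so the path starts at column 67.
    known=$(mktemp)
    cut -c67- "$1" | LC_ALL=C sort > "$known"
    added=$(find "$2" -type f | LC_ALL=C sort | LC_ALL=C comm -13 "$known" -)
    rm -f "$known"
    if [ -n "$added" ]; then
        echo "$added" | sed 's/$/: ADDED/'
        rc=1
    fi
    return $rc
}

# Print the service names that are enabled (not commented out) in INETD_CONF.
enabled_services() {  # enabled_services INETD_CONF
    grep -v '^[[:space:]]*#' "$1" | awk 'NF { print $1 }'
}
# Comment out every line for service NAME in INETD_CONF. inetd only rereads
# the file after a SIGHUP (kill -HUP on its pid) or a restart.
disable_service() {  # disable_service NAME INETD_CONF
    sed -i "s/^\($1[[:space:]]\)/#\1/" "$2"
}
# Demo on a constructed inetd.conf (sample lines, not any real host's file).
demo=$(mktemp -d)
cat > "$demo/inetd.conf" <<'EOF'
ftp     stream  tcp  nowait  root  /usr/sbin/tcpd  in.ftpd
telnet  stream  tcp  nowait  root  /usr/sbin/tcpd  in.telnetd
#finger stream  tcp  nowait  nobody /usr/sbin/tcpd in.fingerd
EOF
disable_service telnet "$demo/inetd.conf"
enabled_services "$demo/inetd.conf"   # prints: ftp
rm -rf "$demo"
```

Run take_baseline once on a freshly installed system (for example over /etc) and keep the baseline file off the machine or on read-only media; a later check_baseline that reports anything is your cue to investigate before trusting the system.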