Bob's Tech Site



Make Linux secure

Yes, believe it or not, this article will tell you how to secure Linux. "Why are you saying this?" you say, "Surely you're telling an old woman how to suck eggs? Linux is like ULTRA secure, isn't it?". You know, in the first instance, I would agree with you. Windows has several hundred thousand known pieces of malware while Linux has a couple of hundred, and Windows holds around 96% of the desktop market to Linux's 0.2%, so the reasoning goes that Linux is not only safe but simply not worth an attacker's time. I will put some cold water on that perception shortly.

But why am I telling you all this? Type 'Linux Anti-Virus' into Google and read the first result (at the time of writing, anyway). For the benefit of those who are reading this later or can't be bothered: it's an article entitled "Note to Newcomers: No Antivirus Needed", on none other than a site I go to for good advice and sensible talking. This article had simply slipped my notice, and as it's been archived there's no way of telling 'Linux Newcomers' that running with no anti-malware protection at all is a very bad idea on any system, let alone Linux. I think what the writer was aiming at was to tell Linux newcomers that they needn't be suckered into the kind of anti-virus protection you get on Windows: you fork out for an annual licence by direct debit, get charged for renewal before the period expires, and suffer a drastic drop in system performance as a result. It then goes on to assure people that Linux is so much more secure because you run as a standard user and need root permissions to do anything fancy, and that file permissions are generally more secure. I agree with him. What I don't agree with is the general tone of the article, which essentially says to Linux newcomers, "Don't worry about security (or even the sort of caution you exercise on a Windows or Mac machine), Linux has all that covered". My reply to that is simply, "Not necessarily".

Linux can be hacked, compromised and, yes, infected like any other operating system. The reason it has been left relatively unscathed is that it isn't as widely used, not that it is immune; and attackers know it well, since Linux is the hacker's OS of choice in the first place, and penetration-testing distros such as 'Operator' are just as useful to an intruder as to a tester. The first things you should install (if they are not already installed on your distro) are ClamAV (the clamav package; the ClamTk front end appears in the Ubuntu menu as 'Virus Scanner') and the host firewall front end from your repository (ufw on Ubuntu, or a graphical front end to it). Neither does anything automatically out of the box: ClamAV has to be pointed at files by hand unless you schedule scans (I'll link to an automated one shortly), and a firewall only helps once you have enabled it with a default-deny inbound policy. Bear in mind too that most of ClamAV's signatures cover Windows malware, so its main value on a Linux desktop is checking downloads and mail before they reach a Windows machine (see Note 2). But at least you then have a pair of security tools you can use when you surf the web or check a file you've downloaded.

However, knowing that this sort of thing is just not something most users bother with (they tend to prefer automated solutions), I will link to some software packages of interest at the bottom of this article. I will now explain why Linux is not as secure as it initially seems...

Is Linux Secure?

I'm not saying that Linux is any less secure than Windows or Mac. Macs certainly give Linux a run for its money (and FreeBSD just downright beats it), and Windows has the worst security track record of any OS in history. I'm just getting that out of the way before I get bombarded with flame emails (though they make good reading, they take a while to download to a mail client...!!!). What I'm saying is that Linux users should not become complacent about the level of security in their favoured OS. The key reason it has seen as few attacks as it has is that it has gone largely unnoticed; a smaller installed base means fewer people looking for holes, not fewer holes. This may change...


More recently, Windows Server pricing has gone through the roof. With limited budgets, IT departments in all areas of business are looking at cheaper alternatives when they come to upgrade their network infrastructure, and Linux often seems to offer the solution. Businesses are flocking to the likes of Red Hat and various other enterprise distributions. Even government departments (though mostly European ones) are making the move to Linux. If businesses, with their wealth of valuable information, continue to put that information on Linux servers, then it is inevitable that hackers and virus writers will target the OS.

However, it's not just the public and enterprise sectors that are increasing the risk. With new desktop Linux distros such as Ubuntu, Fedora, SUSE and Mandriva, which anyone could install (unless they are trying to dual-boot or have proprietary hardware), appearing on people's PCs (Dell is actually selling Ubuntu pre-installed on several of its models), Linux is making its way into the consumer market. Not only that, the advent of the Asus Eee PC is being hailed as the start of the 'Linux Desktop Revolution': its sales have gone through the roof and made worldwide news. Linux is getting noticed and taken seriously by casual users and small businesses for the first time as a real alternative to Windows. This is fantastic. However, it means that malicious users have also noticed it, and every line of Linux's source code is available to all and sundry. That is a good thing for development and collaboration, and it lets defenders audit the code too, but it also means an attacker can read the patch that fixes a bug and work out how to exploit the unpatched version; even when the fix is released within hours, it is a while before it makes its way into the distro update repositories and onto everyone's system, and that window is the dangerous part. The argument of safety through apathy is no longer valid unless you run FreeBSD, PCBSD, OpenSolaris, Syllable, Haiku, Apollo... and those are only safer in the same obscurity sense, not inherently.

Inherently Secure?

I would be the first to admit that keeping root and user separate is an excellent idea. Ubuntu has even found a way of working (sudo for everything, with the root account locked) which requires as little root access as possible while keeping things relatively secure. However, root isn't foolproof. On a sudo-based distro the first user is in the admin group, and sudo asks only for that user's own password, so an attacker who cracks your user password already has root: they can open /etc/sudoers (with visudo, or any editor such as vim, nano, gedit or kedit) and give themselves or a new account permanent rights, load kernel modules, or do anything else they like, and from that point things become relatively trivial. If you have no firewall, you can't restrict which ports are reachable from the network, block the attacker's traffic in and out, or even notice that it is happening; and with no anti-malware or rootkit scanner, you can't check for the rootkits, spyware or keyloggers installed to send the attacker plenty of useful information, and again you won't even know they're there. Linux is inherently secure for as long as your password remains secure. Once that's gone, you're relying on your distro's in-built security systems, which are often surprisingly whimsical.

"Ok, You've Convinced Me - All Someone Needs is a Penetration-Testing Kit with Password Cracker and I'm Screwed. What Can I Do About it?"

Simple: SOFTWARE. If you're really paranoid, you can download Operator and penetration test your home network for vulnerabilities (check the laws in your country before you even consider this option though - in the UK, you're OK so long as you get permission from the relevant people and don't exploit the system you've compromised during the testing). However, this isn't for everyone. Here are some steps to getting yourself secure:

Password-Protect EVERY user of your workstation

This sounds really obvious, but you'd be surprised how many people leave an account with no password. Two common cases: a 'visitor' or 'guest' user created without a password, and a root account that has been given a weak password or none at all. (On Ubuntu the root account is locked by default, which is fine; the account to worry about there is the first user, whose password is effectively the root password because it unlocks sudo.) Every account that can log in needs a password, and the ones with sudo rights need a strong one.

Also, make sure your password is **HARD TO GUESS**. A password that is easy for you to remember is usually easy for a cracker's dictionary to find, unless you're clever about how you build it. Length does more for you than symbol substitutions: a cracker's wordlist already contains every 'leet' spelling of every common word and name, so what counts is the number of characters and that the core of the password is not a word or a name at all. For example:

  • password (absolutely pathetic)
  • Password (bonus points for using a capital, but really not much better)
  • Pa55w0rd (well done for using numbers, but swapping letters for look-alike digits is the first rule every cracking tool applies, so this is still 'password')
  • Ge0rg3 (if this happens to be your name, then this is scarcely better than before)
  • $Ge0rg3 (a little harder to crack, but if it's your name it should still only take a matter of minutes)
  • $5slatfatf5$ (very nice: interesting characters, and memorable as the initials of the book 'So Long, And Thanks For All The Fish'. But if you're a renowned Douglas Adams fan, someone will probably work this out; also, use a different character at the end rather than another '$')
  • $2bat4mePls@6£ (not bad at all, remembered as "America - Two Breakfasts At Tiffany's For Me PLeaSe @ £6"; it has plenty of characters and it's reasonably memorable)
  • %Grsj48F$K;RE324& (the strongest of the lot, since there is nothing for a dictionary to find, but you'd need an excellent memory to remember it; a random password like this is only practical if you keep it in a password manager or on paper somewhere safe, which is still better than reusing a weak one)
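
To make the point above concrete, here is a small password-triage script. It is an added example, not code from the original article: it undoes the usual letter-for-digit substitutions, checks the result against a deliberately tiny constructed wordlist and a list of personal hints, and estimates the brute-force search space, which is roughly what a cracking tool does in its first seconds. The wordlist, the name 'george' in the hints, and the assess() function are assumptions of the example.

```python
"""Password triage: undo 'leet' substitutions, check the core against wordlists,
estimate the brute-force search space.  Added example, not the article's code."""
import math
import re

# Constructed stand-ins for the wordlists a cracking tool ships with.
COMMON_WORDS = {"password", "letmein", "qwerty", "welcome", "monkey", "dragon"}
PERSONAL_HINTS = {"george"}   # what an attacker can learn about you: name, pets, team, birthday

# Reverse the usual letter-for-symbol substitutions, so Pa55w0rd turns back into password.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s"})

def candidate_cores(pw):
    """The word-like cores a cracker would try: symbols read as letters, and symbols dropped."""
    symbols_as_letters = re.sub(r"[^a-z]", "", pw.translate(LEET).lower())
    symbols_dropped = re.sub(r"[^a-z0-9]", "", pw.lower()).translate(LEET)
    return {symbols_as_letters, symbols_dropped}

def normalise(pw):
    """Primary core used for reporting: punctuation dropped, digits read as letters."""
    return re.sub(r"[^a-z0-9]", "", pw.lower()).translate(LEET)

def charset_size(pw):
    """Size of the alphabet an exhaustive search would have to cover."""
    size = 0
    if re.search(r"[a-z]", pw):
        size += 26
    if re.search(r"[A-Z]", pw):
        size += 26
    if re.search(r"[0-9]", pw):
        size += 10
    if re.search(r"[^A-Za-z0-9]", pw):
        size += 33  # printable ASCII punctuation
    return size

def brute_force_bits(pw):
    """Entropy if the attacker had to try every string of this length over this alphabet."""
    return len(pw) * math.log2(charset_size(pw)) if pw else 0.0

def assess(pw, personal=PERSONAL_HINTS):
    """Verdict in the order a cracker finds things: dictionary, personal info, then length."""
    cores = candidate_cores(pw)
    if cores & COMMON_WORDS:
        verdict, reason = "weak", "a dictionary word once leet and case are undone"
    elif cores & personal:
        verdict, reason = "weak", "personal information an attacker can guess"
    elif len(pw) < 12:
        verdict, reason = "marginal", "not in the dictionaries tried, but under 12 characters"
    else:
        verdict, reason = "ok", "not in the dictionaries tried and reasonably long"
    return {"password": pw, "core": normalise(pw), "bits": round(brute_force_bits(pw), 1),
            "verdict": verdict, "reason": reason}

if __name__ == "__main__":
    for candidate in ["password", "Password", "Pa55w0rd", "Ge0rg3", "$Ge0rg3",
                      "$5slatfatf5$", "$2bat4mePls@6£", "%Grsj48F$K;RE324&"]:
        r = assess(candidate)
        print(f"{candidate:20} core={r['core']:14} {r['bits']:6.1f} bits  {r['verdict']:8} {r['reason']}")
```

The 'bits' column is the brute-force ceiling, not real strength: Pa55w0rd scores as 8 mixed characters, yet it falls to the dictionary pass before any brute force starts. That gap between the two columns is exactly why the list above ranks the way it does.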
Enable ALL security settings on your router & use WPA encryption

Following on from the above, CHANGE THE ROUTER'S ADMIN PASSWORD as well as the Wi-Fi passphrase. Some ISPs print a unique passphrase for your SSID on the router itself, but the administration login is frequently a well-known default, so to be on the safe side you MUST change both. Otherwise you're a hacker's dream: anyone who can reach the admin page can undo every other security alteration on your router, and they would all be rendered entirely pointless.

It is also essential to switch the wireless encryption to WPA, ideally WPA2. Understand what that buys you: WPA-PSK and WPA2-PSK are not broken as protocols, but they are only as strong as the passphrase. An attacker who records the 4-way handshake when a device joins the network can take it away and test guesses offline at leisure, so a passphrase found in a wordlist falls in minutes or hours, while a long random one would take longer than anyone will wait. WEP is broken outright: it can be cracked in minutes whatever key you use, so never use it. WPS (the push-button / PIN pairing feature) has a PIN brute-force weakness that takes hours rather than days, so switch it off too.
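
To show why the passphrase and not the protocol sets the cracking time, here is an added example (not from the original article) of the WPA/WPA2-PSK key derivation and the offline guess loop an attacker runs against a captured handshake. The derivation is the standard one, PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes); the network name 'BobsNet', the wordlist and the 'captured' key are constructed for the demonstration. A real attacker recomputes the handshake MIC from each guess rather than comparing PMKs directly, but the cost per guess is the same.

```python
"""WPA/WPA2-PSK: the pairwise master key is PBKDF2-HMAC-SHA1(passphrase, SSID, 4096, 32).
Each offline guess costs one such derivation, so the only defence is a passphrase
that no wordlist contains.  Added example, not the article's code."""
import hashlib
import time

def derive_pmk(passphrase, ssid):
    """Standard WPA-PSK derivation (IEEE 802.11i). The SSID is the salt, so a
    precomputed table only helps against networks with the same name."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)

def dictionary_attack(ssid, target_pmk, wordlist):
    """Offline guess loop: returns (passphrase, guesses_tried) or (None, guesses_tried)."""
    tried = 0
    for guess in wordlist:
        tried += 1
        if derive_pmk(guess, ssid) == target_pmk:
            return guess, tried
    return None, tried

def guesses_per_second(ssid="home", rounds=20):
    """Rough rate of this interpreter on one core; GPU crackers manage hundreds of thousands or more."""
    start = time.perf_counter()
    for i in range(rounds):
        derive_pmk(f"guess{i}", ssid)
    return rounds / (time.perf_counter() - start)

if __name__ == "__main__":
    ssid = "BobsNet"                                                            # hypothetical network name
    wordlist = ["password", "letmein", "12345678", "iloveyou", "sunshine", "trustno1"]  # constructed
    captured = derive_pmk("sunshine", ssid)    # stands in for the key behind a recorded handshake
    print("dictionary attack:", dictionary_attack(ssid, captured, wordlist))
    rate = guesses_per_second(ssid)
    print(f"this machine: about {rate:.0f} guesses/s")
    # WPA passphrases are at least 8 characters; exhaustive search over 8 lower-case
    # letters is 26**8 guesses, which at this rate takes:
    print(f"all 8-letter lower-case passphrases: about {26**8 / rate / 86400:.0f} days")
```

The numbers make the article's point precise: a wordlist of a few million entries is checked in a day on one core and in minutes on a GPU, while a passphrase that is both long and outside any wordlist pushes the attacker into exhaustive search, which is where the days and weeks come from.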

Also disable SSID broadcast (but make sure you remember the name so you can connect later) and enable whatever address filtering your router offers (MAC filtering, 'IP masking' or similar). Be clear about what these do: a hidden SSID is revealed by any wireless sniffer the moment a legitimate client connects, and a MAC address is trivially spoofed, so these keep out only entry-level hackers and are deterrents rather than security. WPA2 with a strong passphrase is what actually protects the link; the rest just raises the effort a little. See Note 1.

You should also update your router's firmware regularly, as that is what covers it against known exploits. Most consumer routers run a small embedded Linux, and the vendor publishes firmware updates for it; check the vendor's support page for your model and apply updates through the router's admin interface. An older router that no longer receives updates is a liability worth replacing.

Enable (an important point) and configure your router's internal firewall. It's not great, but it's a first-line defence: make sure its policy is to drop unsolicited inbound connections, and that remote administration from the internet side is switched off.

Install a Decent Firewall Package

Even if you've set up your router's internal firewall, it is usually not that great: it'll have very few features and will usually only check inbound traffic. It's important to get a firewall running on every PC (even if you have a dedicated PC running as a firewall it's a good idea). Because...

Not only do you get an additional check on the traffic heading into your PC (the more checks you do, the fewer malicious packets get through), you also check traffic coming from other parts of your own network, and you can check outbound traffic, which protects the other PCs in your network and also stops information being sent back by any malicious software that may have installed itself. On Linux the firewall is the kernel's netfilter; ufw or iptables is simply the way you tell it what to allow, and the sensible starting policy is to deny everything inbound and open only the services you actually run.

A firewall, all in all, is absolutely excellent. Running one on every machine gives you defence in depth, since a mistake in one does not expose the rest; if the machines run different OSes, so much the better (up to a point). See Note 2.

Install a Decent Anti-Virus Package

Configure your anti-virus to scan at the very least every time you start up. I know it slows things down, but rather that than getting infected with viruses and malware? Better still is setting it to monitor continuously (on-access scanning) and to run a full scan on a daily schedule. Two things keep a scanner useful: fresh signatures (with ClamAV that means running freshclam automatically) and a known-clean starting point, since a scanner installed after the infection may be blind to it.

Install a Decent Rootkit Package

This is vitally important. Firewalls and anti-virus software are all well and good, but if a rootkit or keylogger has managed to install itself and pass itself off as a driver, kernel module or anything else legitimate, then nothing detects it: it won't be seen as a virus, and any information it sends out will go unchecked by a firewall because it looks like ordinary traffic from a trusted process. These are hard to detect because they tend to be tailored to the particular hack, but a decent rootkit checker (chkrootkit and rkhunter are the usual ones on Linux) will at least catch the better-known threats. One caveat: a kernel rootkit controls what every program on that machine sees, including the checker, so the trustworthy check is done from a clean boot medium (a live CD) against the mounted disk, or by comparing file hashes against a baseline stored off the machine.

UYSS ("Update Your Software, Stupid!")

Your security software is only as good as its last update. If you don't update frequently (virus definitions, patches, or even entire new versions) then you're only protected against the threats that were around when you last did. If you last updated 6 months ago, then your security software is about as useful as a fly-swat against a beehive, and this is one small fly-swat.


Extra things you can do: actively probe your own network and machines to check that all is as it seems. It sounds unlikely, but a manual inspection can sometimes catch things that software can't. As a general rule of thumb, if you don't know what a file or process is, scan it, check whether your package manager owns it (on Debian or Ubuntu, dpkg -S /path/to/file tells you which package installed it; a binary under /bin, /sbin or /usr that no package claims deserves a very close look), read the manual if there is one, and if you're still unsure (and you don't think it's vital to the system), take a backup and try removing it.

Also, keeping up with the latest security news can be an absolute godsend. Did you know that browser plugins such as the Java platform's are routinely used to compromise a machine directly from a web page, which is why they need patching as promptly as the OS itself? Did you know that through a Mozilla Firefox plugin you could (until recently) download royalty-free programmes without DRM from the BBC's iPlayer? Forewarned is forearmed.

Keep your distro up to date: often, upgrades don't just provide new features, they patch vulnerabilities. (Not only that: if you store your data externally, wipe the hard disk and THEN install the latest release from fresh, then anything installed that shouldn't be is completely eradicated, which is one reason a fresh install is preferable to an upgrade, though not so good if you have proprietary hardware you've only just got working...) Keeping your distro (and any software) up to date is imperative. Make sure you've enabled at least the security updates repository for your distro, even if you don't want to update anything else.

If you know how, check some of your firewall, anti-virus and OS log files (on most distros that means /var/log/kern.log or /var/log/messages for firewall drops and /var/log/auth.log or /var/log/secure for logins). They may look daunting, but there are apps out there (logwatch, for one) which will sift through that information for you and give you more meaningful results. Or you could write your own: the things worth pulling out are repeated connection attempts from one address, repeated login failures, and a successful login from somewhere that was failing a moment before.
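
Writing your own sifter is less work than it sounds. The following added example (not from the original article) runs over a few constructed lines in the format of iptables LOG entries (the 'DROP-IN:' prefix is assumed to have been set with --log-prefix) and OpenSSH auth.log lines, counts dropped connections per source and service, counts failed logins per source, and flags any successful login from a source that had already failed repeatedly. The host name, addresses and threshold are all made up for the demonstration.

```python
"""Sift firewall and sshd log lines for the three things worth a human's attention.
Added example, not the article's code; the sample log is constructed."""
import re
from collections import Counter, defaultdict

# Constructed sample in the shape of iptables LOG output (via the kernel log) and sshd auth.log lines.
SAMPLE_LOG = """\
Mar  3 22:14:05 bob-desktop kernel: [12345.678901] DROP-IN: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.45 DST=192.168.1.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=4433 DPT=23 WINDOW=65535 RES=0x00 SYN URGP=0
Mar  3 22:14:06 bob-desktop kernel: [12346.101112] DROP-IN: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.45 DST=192.168.1.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=4434 DPT=445 WINDOW=65535 RES=0x00 SYN URGP=0
Mar  3 22:14:07 bob-desktop kernel: [12347.131415] DROP-IN: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.7 DST=192.168.1.10 LEN=84 TOS=0x00 PREC=0x00 TTL=48 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=1
Mar  3 22:15:01 bob-desktop sshd[2345]: Failed password for invalid user admin from 203.0.113.45 port 41022 ssh2
Mar  3 22:15:04 bob-desktop sshd[2347]: Failed password for invalid user oracle from 203.0.113.45 port 41030 ssh2
Mar  3 22:15:09 bob-desktop sshd[2349]: Failed password for root from 203.0.113.45 port 41041 ssh2
Mar  3 22:16:30 bob-desktop sshd[2360]: Failed password for bob from 192.168.1.20 port 50122 ssh2
Mar  3 22:16:35 bob-desktop sshd[2360]: Accepted password for bob from 192.168.1.20 port 50122 ssh2
Mar  3 22:19:02 bob-desktop sshd[2401]: Accepted password for bob from 203.0.113.45 port 41100 ssh2
"""

FW_RE = re.compile(r"kernel: .*SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+) .*PROTO=(?P<proto>\w+)"
                   r"(?: SPT=\d+ DPT=(?P<dpt>\d+))?")          # ICMP lines carry no ports
SSH_FAIL_RE = re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>[\d.]+)")
SSH_OK_RE = re.compile(r"sshd\[\d+\]: Accepted \w+ for (?P<user>\S+) from (?P<src>[\d.]+)")

def sift(lines, fail_threshold=3):
    """Summarise firewall drops and SSH activity into something a person can act on."""
    drops = Counter()              # (source, service) -> dropped packets
    failures = Counter()           # source -> failed logins
    users_tried = defaultdict(set) # source -> user names it tried
    suspicious_logins = []         # successes from a source already at the failure threshold
    for line in lines:
        m = FW_RE.search(line)
        if m:
            service = f"{m['proto']}/{m['dpt']}" if m["dpt"] else m["proto"]
            drops[(m["src"], service)] += 1
            continue
        m = SSH_FAIL_RE.search(line)
        if m:
            failures[m["src"]] += 1
            users_tried[m["src"]].add(m["user"])
            continue
        m = SSH_OK_RE.search(line)
        if m and failures[m["src"]] >= fail_threshold:   # Counter returns 0 for unknown sources
            suspicious_logins.append((m["user"], m["src"]))
    suspects = sorted(src for src, n in failures.items() if n >= fail_threshold)
    return {"drops": dict(drops), "failures": dict(failures),
            "users_tried": {s: sorted(u) for s, u in users_tried.items()},
            "suspects": suspects, "suspicious_logins": suspicious_logins}

if __name__ == "__main__":
    report = sift(SAMPLE_LOG.splitlines())
    for (src, service), n in sorted(report["drops"].items()):
        print(f"dropped {n:3} from {src:15} to {service}")
    for src in report["suspects"]:
        print(f"{src}: {report['failures'][src]} failed logins, tried {report['users_tried'][src]}")
    for user, src in report["suspicious_logins"]:
        print(f"ALERT: '{user}' logged in from {src} after repeated failures")
```

The last line of the sample is the one that matters: the same address that was knocking on telnet and SMB and guessing SSH accounts eventually logged in as bob. Three failures followed by a success is ordinary for a user with a new password; three failures on other people's accounts followed by a success on yours means the password is gone.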

Also, backup, Backup, BACKUP!!! If your system is compromised, the first thing you'll want to do is quarantine all the affected machines (remove all network and internet access to and from them), then wipe their hard disks and start again. If you don't have a backup of your data, consider it lost: assume anything on a compromised machine has been tampered with, and possibly sent elsewhere too. If you have a backup, you can restore from a point before the compromise, then investigate what happened and how it can be avoided next time. Two caveats: keep at least one backup offline or read-only, since malware that can reach a permanently mounted backup drive will quietly infect or encrypt that as well; and take an image of the compromised disk before wiping it, because the investigation needs the evidence you're about to destroy.

Make sure EVERYTHING is OK before reconnecting your network.


So, if you follow this guide, you should have far fewer troubles, and it took me a while to write, so please take note!!! Let me know how you get on; I've posted a list of good security packages for Windows and Linux in my blog area. As I've said in the blog area, you can also use AIDE or Tripwire if you're a Linux user: both record a baseline of checksums and permissions for your system files and tell you what has changed since, which is exactly the check a signature-based rootkit scanner can't do on its own. I will cover this in a future article!
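
The rootkit section above and the AIDE/Tripwire remark here describe the same technique: a baseline of file hashes kept where an intruder cannot rewrite it, diffed against a fresh scan. The following added example (not the article's code, and not AIDE or Tripwire themselves) implements that principle over a constructed temporary tree, tampers with it the way a rootkit installer would (same file size, original timestamp restored) and shows the scan still catching it. The paths and contents are made up; demo() is the example's own driver.

```python
"""Hash-based file-integrity baseline, the principle behind AIDE and Tripwire.
Record size, mode and SHA-256 of every regular file, keep that baseline off the
machine, and later diff a fresh scan against it.  Added example, not the article's code."""
import hashlib
import json
import os
import tempfile

def sha256_file(path, chunk=1 << 16):
    """Hash in chunks so large binaries need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def build_baseline(root):
    """Map path-relative-to-root -> {size, mode, sha256} for every regular file.
    mtime is deliberately not recorded: an installer can set it to anything."""
    records = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue
            st = os.stat(full)
            records[os.path.relpath(full, root)] = {
                "size": st.st_size,
                "mode": oct(st.st_mode & 0o7777),
                "sha256": sha256_file(full),
            }
    return records

def save_baseline(records, path):
    """In real use this file goes to read-only media or another host, never the scanned disk."""
    with open(path, "w") as f:
        json.dump(records, f, indent=1, sort_keys=True)

def load_baseline(path):
    with open(path) as f:
        return json.load(f)

def compare(baseline, current):
    """Added, removed and changed paths; any difference in size, mode or hash counts."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    changed = sorted(p for p in set(baseline) & set(current) if baseline[p] != current[p])
    return {"added": added, "removed": removed, "changed": changed}

def _write(path, data, mode=0o644):
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as f:
        f.write(data)
    os.chmod(path, mode)

def demo():
    """Constructed tree: baseline it, tamper the way a rootkit installer would, rescan."""
    with tempfile.TemporaryDirectory() as root, tempfile.TemporaryDirectory() as vault:
        ls = os.path.join(root, "bin", "ls")
        _write(ls, b'#!/bin/sh\nexec /bin/ls "$@"\n', 0o755)
        _write(os.path.join(root, "etc", "motd"), b"Welcome to bob-desktop\n")
        _write(os.path.join(root, "etc", "hosts"), b"127.0.0.1 localhost\n")
        baseline_path = os.path.join(vault, "baseline.json")   # kept outside the scanned tree
        save_baseline(build_baseline(root), baseline_path)

        st = os.stat(ls)
        _write(ls, b'#!/bin/sh\nexec /tmp/ls "$@"\n', 0o755)  # trojaned: same length, different target
        os.utime(ls, (st.st_atime, st.st_mtime))               # timestamp put back, as an intruder would
        _write(os.path.join(root, "lib", "modules", "evil.ko"), b"\x7fELF not really a module\n")
        os.remove(os.path.join(root, "etc", "motd"))
        os.chmod(os.path.join(root, "etc", "hosts"), 0o666)     # world-writable config also shows up

        return compare(load_baseline(baseline_path), build_baseline(root))

if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind:8}: {', '.join(paths) or '-'}")
```

Two design points carry over to the real tools: the baseline lives somewhere the intruder cannot edit (otherwise they simply re-baseline after installing), and the scan is only as honest as the kernel it runs on, so for a machine you suspect, boot clean media and scan the mounted disk rather than trusting the running system.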

Note 1

Your system is inherently more secure: not only would you have WPA (ideally WPA2) encryption, which with a strong passphrase takes longer to crack than anyone will spend on a home network (the WPA2 cipher itself has no practical break yet; it is weak passphrases that get cracked), but you are also preventing amateur hackers from entering, or at the very least deterring a lot of them (and amateurs are incidentally the majority of hackers). The goal here with your router is to make it very difficult to hack. This means that, in the instance that a hacker does stumble across it, if it comes to a choice between your network and another one, then you might just have saved your own skin.

A seasoned hacker won't attack a network unless they know they can cover their tracks and there is something worth stealing. If you follow this guide then you will at least present a challenge. Penetration-testing distros such as Operator and BackTrack 3, or the Metasploit framework, will help you find the holes in your system before someone else does (nothing makes it 'invincibly secure', but it closes the obvious gaps). Once again, check where you stand legally, as it can be illegal in some countries even to download these packages, and read up on penetration testing first before you dive into it, as you will be temporarily compromising your network while testing!


Note 2

This has benefits, in that some vulnerabilities are not OS-specific. Bear in mind too that Linux can still act as a carrier of Windows viruses (a file server, mail server or shared download folder will pass them on untouched), much as Windows can act as a carrier of Linux viruses (though that is much less common). Make sure your Linux distro has very good security software, and likewise for Windows, and if you're using a variety of OSes make sure that your firewalls all check traffic from your own network as well as from the internet.
