Linux Security – a Few Useful, Tactical Tips

I’ve bored the readers of my personal website to death with two rather prosaic articles debating the Linux security model, in direct relation to Windows and the associated claims of wondrous infections and lack thereof. However, I haven’t yet discussed even a single program that you can use on your Linux machine to gauge your security. For my inaugural article for OSAlert, I’ll leave the conceptual stuff behind and focus on specific vectors of security, within the world of reason and moderation that I’ve created, and show you how you can bolster a healthy strategy with some tactical polish, namely software.

Teaser

Do not expect wonders or detailed guides on how to set up this or that NIDS. That’s not the idea.
The idea is to help you understand the core elements of security, focus on identifying your
needs and leverage them with a flexible and transparent solution. The choice of software will
reflect your needs.

Let us begin.

Linux security as a concept

Linux security revolves around minimizing exposure to malicious code by using digitally
signed repositories, and minimizing accidental or automated damage by using a non-root account
and the default file permissions, with diversity of software as a reserve.

Now, some of the suggested repertoire might need some small tweaking.

Keep the system up to date

This is a very simple, very important piece of the puzzle. Make sure the software
repositories are configured and that you have an automated update mechanism in place. Having
your system fully patched is always a good idea.

[Screenshot: Security updates]

Firewall

Firewalls sound like an interesting concept. Basically, a firewall is a tool that controls
the flow of traffic in and out of your machine. Firewalls are configured to permit traffic you
initiated and asked for, and to block traffic that was sent without invitation (unsolicited).
This holds true for firewalls on all operating systems.

To work with one, you do need some basic understanding of networking. Luckily for you, most
distributions ship with a firewall enabled, with default rules that permit a reasonable level
of comfortable use, without any special changes required. In a few cases, you may need to
create manual rules to allow additional functionality, like Samba sharing.

Some distributions ship with a graphical management console for the firewall, which
simplifies the usage. Others stick to the command line, making them less suitable for new
users.

Here are a few examples:

Firewall in Fedora 12:

[Screenshot: Firewall in Fedora]

Ubuntu, on the other hand, ships with the firewall disabled, because there are no
network-aware services running by default, hence no need for a firewall, and hence no
management console for it either. However, you can very easily restore the missing bits with
additional software like gufw:

[Screenshot: gufw]

openSUSE:

[Screenshot: openSUSE firewall]
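To make the "permit what you asked for, refuse what arrived uninvited" rule concrete, here is an added example (my own script, not from the article or any distribution) that generates an iptables-restore ruleset with exactly that stateful behaviour, plus the kind of manual Samba exception mentioned above. It assumes Samba uses UDP 137/138 and TCP 139/445 and that the home LAN is 192.168.1.0/24; adjust LAN_NET to your network.

```shell
#!/bin/sh
# Added example, not from the article. Generates an iptables-restore ruleset
# that behaves like the desktop firewall described in the text: replies to
# traffic this machine asked for are allowed, unsolicited inbound traffic is
# refused. Assumed: Samba needs UDP 137/138 and TCP 139/445, and the home LAN
# is 192.168.1.0/24 (override with the LAN_NET environment variable).

LAN_NET="${LAN_NET:-192.168.1.0/24}"

# build_ruleset [samba]  -> prints the ruleset on stdout
build_ruleset() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# local loopback traffic is always fine
-A INPUT -i lo -j ACCEPT
# packets belonging to connections this machine initiated ("asked for")
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# packets that match no known connection state are dropped early
-A INPUT -m conntrack --ctstate INVALID -j DROP
# keep ping working for basic diagnostics
-A INPUT -p icmp --icmp-type echo-request -j ACCEPT
EOF
    if [ "${1:-}" = "samba" ]; then
        # the manual exception the article mentions for Samba sharing,
        # limited to the local network rather than the whole Internet
        cat <<EOF
-A INPUT -s $LAN_NET -p udp -m multiport --dports 137,138 -j ACCEPT
-A INPUT -s $LAN_NET -p tcp -m multiport --dports 139,445 -j ACCEPT
EOF
    fi
    cat <<'EOF'
# anything else arrived uninvited: refuse it (REJECT tells the sender, DROP would not)
-A INPUT -j REJECT --reject-with icmp-port-unreachable
COMMIT
EOF
}

# input_rule_count [samba] -> number of INPUT rules in the generated set
input_rule_count() {
    build_ruleset "$@" | grep -c '^-A INPUT'
}

# apply_ruleset [samba] -> load the rules into the kernel (needs root)
apply_ruleset() {
    build_ruleset "$@" | iptables-restore
}
```

Run `build_ruleset samba` first to review the generated file; only then call `apply_ruleset samba` as root.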

Scanning for malware

This is so 90s, when you think about it; still, some people have this dire need for scanners.
In that case, you may want to consider using either the rkhunter or chkrootkit scanners, both
of which will probe your system for nefarious changes. Both are command-line only.

[Screenshot: chkrootkit]

[Screenshot: rkhunter]

Using these scanners implies a deeper understanding of the Linux system. Then, there’s the
question of what to do if you encounter a problem. Can you really trust a subverted machine?
How do you recover? You should definitely read my previous article for
that.

Anti-virus (not needed, but read on)

You do not need one.
Seriously. Honestly. It’s not required. It’s useless. In the worst case, if you can’t let go
of your Windows demons, go for a free solution, so you need not waste your money on something
that is redundant by concept.

There’s ClamAV (including Klam for KDE), as well as a
number of commercial products that have started shipping solutions for Linux. Then, most
anti-virus rescue CDs are based on Linux. Clam-based versions can be found in the
repositories.

[Screenshots: ClamAV setup and main window]

As a security measure, anti-virus products are problematic, due to the signature-based
nature, which is always competing against malware creators and always lagging behind. The
only sensible reason to use anti-virus on Linux is to scan files that you receive from your
friends running a flavor of Windows before forwarding them to other Windows users. That way,
you may break the chain of accidental malware spreading. You may not notice or care, but your
clueless friends could. The best solution is to have no friends, but most people fail at
this.

On that note, please consider reading my whitelisting vs. blacklisting
article.

Still, you need not have a resident program running on the system. You can go for a web
solution, like Jotti or VirusTotal, both of which use multiple scanners to detect
malicious content. Upload a file and it will be diagnosed by a host of dedicated anti-malware
software.

[Screenshot: Jotti]

You can also consider using dedicated security distributions for offline, in-depth system
scanning and analysis. A forensics distribution like BackTrack sounds like a very good
idea.

[Screenshot: BackTrack]

You may also sin the sin of using a Linux-friendly Windows-based preinstallation environment
(PE) like BartPE or UBCD4WIN, which also come with scanner
utilities for Linux.

[Screenshot: UBCD4WIN]

Startup applications and services

If you’re in the mood, go through the list of applications and services configured to run on
your machine. You may discover undesired processes running, hogging resources and possibly
exposing your machine to threats, as well as plain doing things that you do not want. While
this can take the form of system optimization, it can also have security implications.

As an analogy to Windows, think of these as the msconfig and services.msc utilities.

[Screenshot: Startup applications]

[Screenshot: Services]

System awareness

System awareness goes beyond malware. It’s about controlling your system and knowing what’s
running when, where and why. There are tons of tools available, many already installed and
waiting for you.

If you’ve read my Linux cool hacks, both parts one and two, you’ve learned about
a few useful system tools that provide a better visibility of what’s happening inside your
system.

I’m going to mention a few, just briefly. Some of these will have their own dedicated
article, with numerous examples and screenshots.

/var/log/messages

This is the system log. Almost everything goes in there. Reading the log will give you an
indication of possible system issues, including software errors, as well as possible
security-related items. You do need some knowledge to read the file properly.

/var/log/secure

You can configure your machine to log ssh and sudo attempts to a separate file, like
/var/log/secure. Then, you can examine the log for any privilege escalation attempts or
remote connection attempts.
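As an added example (my own, not from the article), here is a small shell triage of the kind of lines that end up in /var/log/secure: failed SSH logins grouped by source address, successful remote logins, and every sudo invocation with a DENIED marker where the user was not in sudoers. The sample lines are constructed to mimic the OpenSSH and sudo log formats; on a real machine feed the log file in instead.

```shell
#!/bin/sh
# Added example, not from the article: quick triage of /var/log/secure style
# entries. SAMPLE_LOG is constructed to look like sshd and sudo output; it is
# not a real log. Usage on a live system: failed_ssh_by_source < /var/log/secure
SAMPLE_LOG=$(cat <<'EOF'
Jun 21 09:56:01 box sshd[2411]: Failed password for invalid user admin from 203.0.113.5 port 40122 ssh2
Jun 21 09:56:03 box sshd[2411]: Failed password for invalid user admin from 203.0.113.5 port 40122 ssh2
Jun 21 09:56:09 box sshd[2419]: Failed password for root from 203.0.113.5 port 40130 ssh2
Jun 21 10:02:44 box sshd[2502]: Accepted publickey for igor from 192.0.2.10 port 51000 ssh2
Jun 21 10:03:10 box sudo:     igor : TTY=pts/0 ; PWD=/home/igor ; USER=root ; COMMAND=/usr/bin/yum update
Jun 21 10:05:31 box sudo:    guest : user NOT in sudoers ; TTY=pts/1 ; PWD=/home/guest ; USER=root ; COMMAND=/bin/bash
Jun 21 10:07:12 box sshd[2610]: Failed password for igor from 198.51.100.7 port 33012 ssh2
EOF
)

# failed_ssh_by_source: reads log lines on stdin, prints "count ip", busiest first
failed_ssh_by_source() {
    grep 'sshd\[[0-9]*\]: Failed password' |
        awk '{ for (i = 1; i <= NF; i++) if ($i == "from") c[$(i+1)]++ }
             END { for (ip in c) print c[ip], ip }' | sort -rn
}

# accepted_logins: successful remote logins as "user ip"
accepted_logins() {
    grep 'sshd\[[0-9]*\]: Accepted' |
        awk '{ for (i = 1; i <= NF; i++)
                   if ($i == "for") u = $(i+1); else if ($i == "from") print u, $(i+1) }'
}

# sudo_activity: every sudo attempt as "user command status"; the status is
# DENIED for users sudo refused, which is the escalation attempt worth a look
sudo_activity() {
    awk -F' ; ' '/ sudo: / {
        u = $1; sub(/^.*sudo: */, "", u); sub(/ :.*$/, "", u)
        c = $NF; sub(/^COMMAND=/, "", c)
        print u, c, ($0 ~ /NOT in sudoers/ ? "DENIED" : "ok")
    }'
}

# report: run all three checks over the sample data
report() {
    printf '%s\n' "$SAMPLE_LOG" | failed_ssh_by_source
    printf '%s\n' "$SAMPLE_LOG" | accepted_logins
    printf '%s\n' "$SAMPLE_LOG" | sudo_activity
}
```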

Examine logged in users

There are many ways of doing this. The most accurate one is to parse the output of the
ps command. But you can also use w and who and lastlog. Manually dumping utmp and
wtmp can also work.

Processes accounting

If you use pacct, you can write a log entry for every command
successfully completed on your machine. Then, you can dump the log and look for suspicious
entries. Automating the mechanism can provide you with a useful early warning system.

[Screenshot: pacct]

lastcomm lets you print out information about previously
executed commands, sort of a head against the pacct log. Furthermore, you can enhance the
power of process accounting by using sar.

Audit files

It is possible to audit core system files. This is what audit, the built-in Linux kernel
auditing facility, is for: it allows you to monitor changes to critical system files. I’m
going to write a dedicated article soon. Stay tuned.

Other tools

You also have a range of other utilities available, like netstat or nmap, which can help you
examine your machine’s network visibility.

Geek stuff

There’s geek stuff, of course. For example, you may want to use system hardening tools like
AppArmor, by creating special, sandbox-style profiles for your applications, which are then
restricted from doing harm to your system, should an unwanted privilege escalation occur, due
to an error, a bug or a vulnerability.

[Screenshot: AppArmor]

There’s also SELinux, available in most Red Hat-based distributions, like Fedora.

[Screenshot: SELinux]

Conclusion

I’ve written lots of stuff. So what do you take from this article? Well, a firewall seems like
the best single solution overall. It’s useful and sometimes rather necessary. Anti-virus and
malware scanners are definitely not needed. The rest is perks. Take it or leave it. You can
run a comfortable desktop life in Linux without so much as lifting a finger, with most
distributions configured properly, including a firewall enabled and running and hardening
profiles preconfigured for you.

You may want to invest time in learning how to use the logging tools and facilities, as they
offer a wealth of useful information. Properly configured and used, they will replace the
need for commercial tools that strive to do that for you.

Server security is a different matter altogether, but for home use, you’re in a really good
shape. Just make sure to keep the system patched, install software from official repositories
and run a firewall. The rest is polish.

Windows users moving to Linux often suffer from a panic surge due to the sheer lack of
security-related buzz, but it’s really simple and quite boring. There’s no need to go
overboard. You can invest your brain cycles in having fun. That would be all.

Cheers.

About the author:
Igor Ljubuncic aka Dedoimedo is the guy behind dedoimedo.com. He makes a
living out of his very hobby – Linux, and holds a bunch of certifications
that make a nice pile in the bottom drawer.
