Linux security basics

LinuxWorld |  Operating Systems

The best advice is also the most pedestrian (no pun intended). Most security violations are not perpetrated by hackers, competitors after your corporate secrets, or nefarious government agencies -- they are caused by (often well-meaning) employees who simply don't follow the rules. They pick bad passwords, take secure laptops and put them on insecure networks at home and at conferences, and so on. Make sure that all staff members understand your policies and the risks associated with violating them. Even when no harm directly results from a violation, it still increases risk, which is the exact opposite of what we're trying to do.

Wearing a seatbelt also implies a certain balancing of risks: friends constantly tell me about some person who would certainly have been killed if he or she had been wearing a seatbelt, but was instead thrown to safety. While at least some of those stories are undoubtedly true, they are the exception, not the rule; the prudent driver or passenger knows that, at the end of the day, seatbelts save lives. Similarly, implementing some computer security may make you a more challenging or juicier target for hackers in some other respect. The question is always, "Overall, does this measure increase or decrease my security?"

Stay out of harm's way

A good automobile is designed to eliminate as much wind resistance as possible. The equivalent of wind resistance on the Internet is the constant stream of low-level scans and probes that hackers use to find systems to break into. The best way to avoid harm is to keep a low profile. Most Linux distributions turn on many more services than are necessary on the average workstation. I've seen dozens of machines hacked through outdated copies of BIND installed on systems where local name service wasn't even being used. If named hadn't been running, the systems would have been safe. Turn off any services you don't need, and remove the software entirely if possible.

Many risky programs run from inetd; you can turn them off by commenting out the relevant lines in /etc/inetd.conf. Some systems, such as Red Hat 7.0, use xinetd as a replacement. xinetd configuration files are fairly easy to use, and it should be easy to turn off services there. Other risky services run from startup scripts in (depending on your distribution) /etc/rc[1-5].d, /etc/init.d/rc[1-5].d, or /sbin/rc[1-5].d. (See Resources for a link), but it's best to limit what they can run to the bare minimum.

Finally, protect your data as it travels over the network. Programs like Telnet and FTP transmit all passwords and data over the network in cleartext, which can be read by anyone with a network sniffer. Try replacing those packages with OpenSSH (see Resources for a link) and other software that protects your data using cryptography.

Keep your eyes on the road

Join us:






Answers - Powered by ITworld

Ask a Question