What’s that you say? You don’t need to do anything about security on your Linux box because it’s Linux? Think again. Linux is an operating system that begs to be online, so it wants to be secure. Sure it’s fairly secure out of the box, but NO operating system is 100% secure if it’s, well, turned on. Here are five crucial Linux security tips.
1: Take advantage of the keyring
To many, this is an annoyance. You log in to your machine, your machine requests a connection to a network (or LDAP server, etc.), and you have to enter your keyring password. The temptation is to disable this feature by giving it an empty password and dismissing the warning that you’ll be transmitting unencrypted information (including passwords). This is not a good idea. Although you might think it a hassle, this feature/functionality is there for a reason — to encrypt sensitive passwords when they are sent over the wire.
2: Enforce user password update
If you run a multi-user environment (as Linux is wont to do), you should make sure that your users change their passwords every so often. To do this you use the chage command. You can check the expiration with the command
sudo change -l USERNAME
(where USERNAME is the name of the user you want to check). Let’s say you want to expire a user’s password and make him change it upon next login. To do this, you could issue the command
sudo chage -E EXPLICIT_EXPIRATION_DATE -m MINIMUM_AGE -M MAXIMUM_AGE -I INACTIVITY_PERIOD -W DAYS_BEFORE_EXPIRATION
(where all options in CAPS are user defined). For more information on this command, see the man page (issue the command man change).
3: Don’t blindly disable SELinux
Similar to the keyring, SELinux is there for a reason. SE stands for Security Enhanced and it provides the mechanism that controls access to applications. I have read of a number of “solutions” to problems that involved disabling SELinux. If this is seen as a solution, it will only lead to more, uglier problems. If a particular program isn’t running properly, look into modifying an SELinux policy to fit your needs rather than disabling SELinux. If you don’t want to do this via the command line, you might want to check out a GUI tool called polgengui.
4: Don’t log in as root
It may sound as if I’m a broken record with this one, with good reason. I can’t stress enough that Linux users should NOT be logging in as the root user. If you need to do administration on a machine, log in as your regular user and either su to the root user or take advantage of sudo. When you log in as the root user, you effectively bypass a major security hurdle and allow access to systems and subsystems that normally wouldn’t be accessible when logged in as a standard user. Do not do this. Log in with your regular account. Period.
5: Install security updates quickly
There is a HUGE difference between the way Linux and Windows handle updates. Where Windows typically does an infrequent massive update, Linux does frequent smaller updates. Ignoring these updates can be disastrous if the right security hole is not patched on your system. You have to remember, some of those updates are in fact security patches and need to be applied immediately. Never ignore that icon indicating updates are available. And if you are using a GUI-less server, make sure you set up a cron job to check for updates or check them manually either daily or weekly. Stay up to date and you stay more secure.
Do you and your Linux box already feel more secure? You should. With these five tips alone you have taken your Linux box to a new level of security. Mind you, this isn’t a complete to-do list. It’s just the start. The security of a networked computer is ongoing and ever-changing. But with tips like these, you’ll be better prepared to meet that elusive goal.