Celebrity advice on keeping your Linux desktop secure
Posted by: Anonymous
on February 03, 2008 07:20 PM
Know your software -- some software has a really bad reputation for security, and yet despite this, for some incomprehensible reason, various distros continued to ship that software enabled by default. I hesitate to mention names, but the infamy of BIND is well known. First thing I do with a new box is to remove/disable everything I don't need and replace everything I don't trust with an alternative that does have a good reputation, such as myDNS. When I hear sysadmins bitch and moan about how insecure ~Linux~ is, I ask them what software they are running and they tell me with some indignation that they use what the *nameless* distro came with: BIND + (unpatched version of) ~Some~ Mail + *nameless* FTP. Now, fact is, it takes all of about ten minutes of poking around to find out that all 3 of those programs had horrible and well known security flaws. With all of the many excellent alternatives available it sure is a mystery why certain distros insisted on shipping such an insecure system; no wonder his server got cracked and that he blamed it on Linux. But the failure is still upon the sysadmin for not doing the minimal amount of diligence needed. Simply replace those programs with secure ones and your system will be rock solid -- oh and by the way, it's not Linux that was insecure, it was those specific programs that were insecure, and those programs were easily replaced (or turned off) -- unlike the monolithic approach that MS takes in which everything is part of the OS and pretty much has to be enabled in order for anything to work.
I've seen official estimates, and experienced first-hand, that an unprotected MS Windows computer will only last about 15 minutes before it is zapped by an internet worm. This is how high the level of attacks actually is; the internet is saturated with this type of traffic, and some internet locations (address groups) are much worse than others. Fundamentally the problem is architectural. MS Windows requires that zillions of ports be open in order for it to function. When you try to turn off all of these services things start to break. With Linux on the other hand, there are no ports at all that have to be open; you can pick and choose what you decide to turn on. You should only turn on the things that you need and then pick your software carefully.
However, the only way to properly protect an MS Windows computer, because you are stuck with having all of those open ports, is to put it behind a hardware firewall. A little known but ironic fact is that most of those so-called 'hardware firewalls' are really just dedicated low cost Linux computers, that's right! Most of those DSL boxes and Firewall boxes etc. that are used to protect MS Windows from the ~Big Bad Internet~ have Linux Inside! :-)

codeslinger (compsalot.com)