Linux.com

Feature: Security

Celebrity advice on keeping your Linux desktop secure

By Joe Barr on January 25, 2008 (9:00:00 PM)

One of the main reasons people move from Windows to Linux is the promise of greater security from malware on the Internet. Everyone knows you need to add extra security to try to keep a Windows desktop safe, but what do you have to do to accomplish the same thing on Linux? To answer that question, we asked a number of well-known Linux kernel hackers and a security expert for their thoughts on the matter.

Ted Ts'o, Linux hacker extraordinaire, and an IBM employee whose latest assignment is heading up platform strategy at the Linux Foundation, has been running Linux on his desktop without a firewall for years. He says he knows more about networking and Linux platform security than the typical user, so he feels safe even without a firewall.

Ts'o says that if you're running a modern Linux distribution, making use of the default firewall that comes with it is all that is necessary to keep it safe, albeit with a few specific related areas of concern. Adding a wireless router or an Internet appliance to the LAN to which your desktop connects can increase your vulnerability. You need to protect yourself from unauthorized entry on both. Ts'o also pointed out that OpenOffice.org has done such a fine job of mirroring Microsoft Office applications that it is possible to open a document or file and become infected as a result.

Andrew Morton, the number two man in the Linux kernel hierarchy, admits to a cavalier attitude about his own desktop security. "I'm slack. I rely upon a little Netgear router not having any bugs in it, and everything behind that router is just out-of-the-box distro code with various security features disabled when they start to irritate me."

Linus Torvalds takes a more cautious approach to his desktop security. Although he declined to offer security advice for others, he said his approach is to lock down everything, with multiple firewalls and strict rules. He runs a firewall on his DSL router and another on his desktop box. His development machines connect to the same LAN as his desktop box, and they live behind yet another router and firewall. He says:

My firewall rules are also pretty anal. I basically try to not let anything in. Not even SSH; when I'm traveling, I simply cannot log into my normal machines. And I don't listen for SMTP; I use fetchmail to get it from an external machine, and there are spam-filters in place on that external machine (and I also have them on the internal one, but that's almost incidental).

In other words, I basically try to set my machines up so that I only ever have outgoing connections, and the only incoming traffic is for connections that were literally started by me and thus expected to be fairly trusted.
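The policy Torvalds describes (drop inbound by default, accept only replies to connections started from the inside) can be checked mechanically. The following is an added example, not his ruleset and not part of the original article: it audits `iptables-save` output for rules that admit unsolicited inbound traffic, and the sample ruleset in it is constructed.

```python
import shlex

# Constructed sample in iptables-save format (not taken from the article).
SAMPLE_RULESET = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT
"""

# Connection states that only exist because this host spoke first.
REPLY_STATES = {"ESTABLISHED", "RELATED"}


def _option(tokens, *names):
    """Value following the first of `names`, or None if absent or negated."""
    for name in names:
        if name in tokens:
            i = tokens.index(name)
            if i > 0 and tokens[i - 1] == "!":
                return None  # "! -i lo" means everything except loopback
            return tokens[i + 1] if i + 1 < len(tokens) else None
    return None


def _is_reply_only(tokens):
    # "--state" is the older "-m state" spelling, "--ctstate" the conntrack one.
    states = _option(tokens, "--ctstate", "--state")
    return states is not None and set(states.split(",")) <= REPLY_STATES


def audit_input_chain(ruleset):
    """List everything in the filter table that lets unsolicited traffic in.

    Simplification: jumps from INPUT into user-defined chains are not followed.
    """
    findings, table = [], None
    for raw in ruleset.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("*"):
            table = line[1:]
            continue
        if table != "filter":
            continue
        if line.startswith(":INPUT "):
            policy = line.split()[1]
            if policy != "DROP":
                findings.append(f"INPUT default policy is {policy}, expected DROP")
            continue
        tokens = shlex.split(line)
        if tokens[:2] != ["-A", "INPUT"]:
            continue
        if _option(tokens, "-j", "--jump") != "ACCEPT":
            continue
        if _option(tokens, "-i", "--in-interface") == "lo" or _is_reply_only(tokens):
            continue
        findings.append(f"accepts new inbound traffic: {line}")
    return findings
```

On a live system, pass it the text printed by `iptables-save`; an empty result means the INPUT chain accepts only loopback and reply traffic.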

What a security pro has to say

Taking Torvalds' gentle hint about asking the wrong people for advice, we asked Fyodor, creator of Nmap, perhaps the best-known network security tool of all time, for his advice on securing the Linux desktop. Here are his suggestions:

Update your software frequently. Most modern distributions make it easy to install updates (including security patches) for packages installed on your system. For example, you can type yum update on Fedora Core. Consider configuring your system to do this nightly. Make sure this includes browser updates. For example, if you installed a new version of Firefox with their tarball, your OS won't know to update it. In that case, make sure you have Firefox configured to check for updates itself. Keep in mind that Linux distributions often cease security support rather soon after newer versions of the distributions are released. For example, Fedora Core 6 was released in October 2006 and the project ceased providing updates in December 2007. So if you use such a distribution, you must regularly update releases as well as updating the included software.

Plug your computers into a cheap broadband router, then plug your net connection (e.g. cable/DSL modem) into that. Make sure your computers have a private address (such as 192.168.*.*) to ensure that you are protected by network address translation. A few applications might not work right off the bat through the NAT device. If you mess with the port-forwarding rules to support those applications, be careful to add only well-targeted rules. Telling the router to forward every single port to your desktop computer defeats the primary security advantage of the system.

Watch out for email scams. Linux users are sometimes smug because most worms are Windows-specific and don't affect them. But email and Web site attacks are often cross-platform. Linux users are just as vulnerable to phishing attacks and advance fee fraud (419 scams) as Windows users. So be very careful before clicking on email links, or posting private data to Web sites. Also, consider screening your email with SpamAssassin and ClamAV.

In conclusion, it's obvious that different users have different ideas of what is necessary to maintain good security on your Linux desktop, but there is a single thread of thought that's worth noting: Linux is not bulletproof, and your desktop is not safe simply because it runs Linux. Let good sense be your guide. For most of us, that means running the desktop behind a firewall and regularly applying security patches. For others, additional defensive measures may be in order.

Comments

on Celebrity advice on keeping your Linux desktop secure

Celebrity advice?

Posted by: Anonymous [ip: 74.139.253.139] on January 25, 2008 10:14 PM
Where's the advice from George Clooney and Tara Reid?

#

Celebrity advice on keeping your Linux desktop secure

Posted by: Joe Barr on January 25, 2008 10:22 PM
On C|Net, where it belongs. ;)

#

Celebrity advice on keeping your Linux desktop secure

Posted by: Anonymous [ip: 62.49.242.3] on January 26, 2008 12:12 AM
paris hilton says:

mount any writeable areas for desktop users as noexec - home dirs, temp var/temp and so on..

#

Celebrity advice on keeping your Linux desktop secure

Posted by: Anonymous [ip: 76.102.223.142] on January 26, 2008 12:34 AM
Very cool article, make it a series :-)

#

Celebrity advice on keeping your Linux desktop secure

Posted by: Anonymous [ip: 210.0.106.26] on January 26, 2008 02:07 AM
I thought Linus' advice was very good - don't even allow SSH access. If you think you might want to access your computer when you're on the road, consider setting up an IRC bot with a limited number of commands, running on an unprivileged user, that requires you to /msg it a password. Not as useful, but much more secure, and with the proper functions it can do much of what you'd want it to do.

#

SSH OK, but...

Posted by: Anonymous [ip: 63.251.108.100] on January 26, 2008 02:19 AM
I think SSH access is OK, but disabling SSH login by password is a good idea. Permit authentication by key pair only (and of course, don't use a key pair with no password <g>) for your remote SSH access. Granted, this leaves you vulnerable if someone does all of the following:

A) Steals your laptop
B) Coerces your SSH key passphrase from you by force/threat of force (you're not storing the key unencrypted on your notebook, right?)
C) Knows your home domain or IP address

However, the risk of all three of those happening is sufficiently low for me or most ordinary people that this level of security is more than good enough. But if for any reasons that's not, even if you're just paranoid (but are you paranoid enough?), then add port-knocking to the mix.

That level of security is more than enough to defeat any automated attacks run by bots. Those are just looking for low-hanging fruit to turn into spam bots. Mostly, they are looking for Windows machines, too. For the few people able to even take a shot at defeating a system using key-based SSH authentication or port-knocking (that doesn't mean succeed, it just means make the attempt), most of them are unlikely to bother unless they already know you have something they want. No one just looking to build a botnet or spread malware will bother with you if you have really tight security. The people who might bother with really tight security are typically more interested in higher-profile or higher-profit targets than a home user with a very well-secured machine.

#

Re: SSH OK, but...

Posted by: Anonymous [ip: 57.67.164.37] on January 28, 2008 11:29 AM
To add a best practice: I enabled ssh access, but for sftp only. Apart from all the low-hanging fruit as described above, I added some more restrictions but still fulfilling my demand. Interactive ssh access is not allowed. I also have set-up a chroot jail for the _only_ user allowed to login via ssh (key authentication only). As I am the only person logging in remotely, I am running the server on some arbitrary selected port number. This saves the system from automated login attempts from all over the world when it would have been running at port 22.

#
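The two comments above (key-only authentication, and an SFTP-only chrooted account on a non-default port) map onto a handful of sshd_config keywords. The following is an added example, not code from either commenter: it audits an sshd_config text for that setup. The account name `sftponly`, the paths and the port in the sample are constructed placeholders, and Match handling is simplified to `Match All` and `Match User name[,name]` without patterns.

```python
# Upstream OpenSSH defaults for the keywords checked below.
DEFAULTS = {"passwordauthentication": "yes", "port": "22"}
# Keywords whose repeated lines add up instead of being ignored.
CUMULATIVE = {"allowusers", "port"}

# Constructed sample; "sftponly", the path and the port are placeholders.
SAMPLE_CONFIG = """\
Port 22022
PasswordAuthentication no
# Ignored by sshd: the first value given for a keyword wins.
PasswordAuthentication yes
AllowUsers sftponly
Match User sftponly
    ChrootDirectory /srv/sftp/%u
    ForceCommand internal-sftp
"""


def parse_sshd_config(text):
    """Return (global_settings, match_blocks) with lower-cased keywords."""
    global_settings, match_blocks = {}, []
    current = global_settings
    for raw in text.splitlines():
        parts = raw.strip().split(None, 1)
        if len(parts) != 2 or parts[0].startswith("#"):
            continue
        keyword, value = parts[0].lower(), parts[1].strip()
        if keyword == "match":
            current = {}
            match_blocks.append((value, current))
        elif keyword in CUMULATIVE:
            current[keyword] = (current.get(keyword, "") + " " + value).strip()
        else:
            current.setdefault(keyword, value)  # first value wins
    return global_settings, match_blocks


def _matches_user(criteria, user):
    words = criteria.split()
    if words and words[0].lower() == "all":
        return True
    return (len(words) == 2 and words[0].lower() == "user"
            and user in words[1].split(","))


def effective_settings(text, user):
    """Settings applying to `user`: matching Match blocks override globals."""
    global_settings, match_blocks = parse_sshd_config(text)
    overrides = {}
    for criteria, settings in match_blocks:
        if _matches_user(criteria, user):
            for keyword, value in settings.items():
                overrides.setdefault(keyword, value)
    return {**DEFAULTS, **global_settings, **overrides}


def audit_sftp_only(text, user):
    """Findings where the config departs from the setup in the comments."""
    cfg, findings = effective_settings(text, user), []
    if cfg["passwordauthentication"].lower() != "no":
        findings.append("password logins are enabled; allow key pairs only")
    if cfg.get("allowusers", "").split() != [user]:
        findings.append(f"AllowUsers should list only {user}")
    if cfg.get("forcecommand", "").split()[:1] != ["internal-sftp"]:
        findings.append("interactive shell possible; set ForceCommand internal-sftp")
    if cfg.get("chrootdirectory", "none").lower() == "none":
        findings.append("no ChrootDirectory set for this account")
    if "22" in cfg["port"].split():
        findings.append("listening on port 22; expect automated login attempts")
    return findings
```

For an authoritative view of a running server's effective settings, compare the result against `sshd -T`, which resolves includes and every Match criterion.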

Celebrity advice on keeping your Linux desktop secure

Posted by: Jerry Clement on January 26, 2008 08:40 AM
An excellent article for newbies like me. Thanks.

#

Don't forget to turn off UPnP on router, and to set up passwords too!

Posted by: Anonymous [ip: 75.69.85.120] on January 26, 2008 01:15 PM
There is a drive-by web page that can set up your router to go through another Proxy. So - change the password from admin (or whatever the default is) to something that meets all password rules (8 or more A@9a_etc).

Then go into the web interface, and TURN OFF UPnP (as there is a Flash or other capable thingy out there on the internet that can take over the router using this, and then you are again, maybe being altered through someone else's proxy first)!

OR - Get one of those Linksys routers, and put the Linux replacement on it!
Or - get Smoothwall, and do that too!
Otherwise, follow LINUS's suggestions for security too (note that he talks at length about his security ideas for his code projects during a video of when he spoke at Google... search for it, it is a great learning video).

#

Celebrity advice on keeping your Linux desktop secure

Posted by: Anonymous [ip: 89.34.99.191] on January 26, 2008 05:11 PM
Install OpenBSD if you want secure :)

#

Re: Celebrity advice on keeping your Linux desktop secure

Posted by: Joe Barr on January 26, 2008 05:59 PM
But what if you want more on the system than teh telnet and teh finger? ;)

#

Re(1): Celebrity advice on keeping your Linux desktop secure

Posted by: Anonymous [ip: 201.68.190.241] on January 26, 2008 08:20 PM
Then you just install OpenBSD and stop talking about stuff you don't know.

#

Re(2): Celebrity advice on keeping your Linux desktop secure

Posted by: Anonymous [ip: 58.69.64.120] on January 27, 2008 05:32 AM
Then go to an OpenBSD website and stop talking here.

#

Celebrity advice on keeping your Linux desktop secure

Posted by: Anonymous [ip: 87.217.105.79] on January 26, 2008 06:31 PM
"My firewall rules are also pretty **anal**"
Errr, I don't think so.

#

Re: My firewall rules are also pretty anal

Posted by: Anonymous [ip: 58.179.212.219] on January 27, 2008 05:42 AM
"My firewall rules are also pretty **anal**"

Nothing can go in, but anything can come out!

(Turning off UPnP is a suggestion that I second, unless you enjoy having your firewall's rules to be changed to anything without your permission)

#

Celebrity advice on keeping your Linux desktop secure

Posted by: Anonymous [ip: 91.125.158.174] on January 28, 2008 08:02 PM
I have been distro hopping for about a year and none of my four boxes has been affected by anything so far and if one goes down then it will make room for another one... :) Hugh

#

Celebrity advice on keeping your Linux desktop secure

Posted by: Anonymous [ip: 71.234.236.21] on January 29, 2008 12:52 PM
I thought this article was about real celebrities.

#

Firestarter linux firewall configurator rocks - elcheapo routers blow

Posted by: Anonymous [ip: 24.83.195.63] on January 30, 2008 08:18 AM
I know there are several Linux firewalls out there, or rather programs that configure iptables for you, but I've found Firestarter useful as it shows what's going on in your log file. The program does crash occasionally I've found, but it handily shows a red systemtray icon when it detects an unsolicited packet or connection.

WRT elcheapo routers/firewalls... My lan is behind a consumer firewall. I have a specific machine for internet p2p inside the firewall and have noticed, from using Firestarter, that my desktop and all my other machines get hammered by unsolicited packets when I'm p2ping. I've not yet figured out how packets from random ports make it through my router when I've been careful with the firewall configuration... (I've changed the WAN MAC, the WAN MTU and the default remote admin port, and kept it disabled). I'm considering ditching the firewall in preference to a linux box for firewall/NAT - I've had unwelcome visitors inside my lan with 3 brands of consumer firewalls and suspect that the black hats are getting good at reading firewall firmware. If you p2p I would recommend you check your logs regularly.

#

Rather use an IRC bot???

Posted by: Anonymous [ip: 87.102.29.98] on January 30, 2008 02:24 PM
The advice about using an IRC bot is surely a joke? You don't trust SSH for an encrypted and authenticated login, but you'll happily /msg passwords to a bot? Jeebus!

#

Celebrity advice on keeping your Linux desktop secure

Posted by: Anonymous [ip: 75.165.41.202] on February 03, 2008 04:15 PM
UPnP is an abomination and should be disabled everywhere. Microsoft has been warned for years that it was yet another truly stooupid idea just ripe for abuse. Now somebody has finally figured out how to abuse it in a big way.

#

Celebrity advice on keeping your Linux desktop secure

Posted by: Anonymous [ip: 75.165.41.202] on February 03, 2008 04:52 PM
p2p uses UDP, once a UDP connection has been established through the firewall with one computer, any other computer can use that same connection. This is the secret of how p2p accomplishes its magic. I use the word connection advisedly since uber geeks will tell you, it's not really a connection since UDP is stateless. But looking at it from the point of view of the firewall, it is for all intents and purposes a connection, but one which lacks ownership. Thus you have this huge gaping hole that you yourself have created by initiating the p2p. The traffic that you see is a normal consequence of the ~sharing~ and may not necessarily be a bad thing, it's just other people trying to p2p with you which is how the system is supposed to work.

There are only two ways you can protect yourself, the first way is simply 'not to play'... (how about a nice game of chess?) the second way is to dedicate a computer to the p2p function. make sure there is nothing else at all on that computer except for what you intend, and furthermore make sure that you don't trust that computer to be able to access any of your other computers. Your other computers can talk to it (remote control or file shares -- sshfs is good), but it can't talk to them. Now you create two LANs, the first LAN is connected directly to your DSL and contains a connection to your DMZ p2p computer plus a connection to a NAT box. Now put the rest of your computers behind the NAT box. this is basically what Linus has described above. And for crimminy sakes, don't run p2p from any but the DMZ computer. otherwise you just wasted your time/money on the NAT because you will create a hole in it as well. also don't trust anything that you get from p2p it is a major source of trojanhorse spambot viruses -- codeslinger (compsalot)

#

Celebrity advice on keeping your Linux desktop secure

Posted by: Anonymous [ip: 75.165.41.202] on February 03, 2008 05:31 PM
The advice to enable automatic daily updates of software is a horribly bad idea -- that (in)security model does not work for MS Windows, why does anybody think it will work any better for Linux distros? There are two fundamental problems with that model, number one biggest problem is the tendency of some distros (cough cough *RPM*) to release updates with broken dependencies. In fact one of my earliest experiences with leased servers was to one day get locked out of ssh access because of auto-updates that created a version mismatch; here I thought I had escaped that madness by switching to Linux. When this happens your Linux box will get hosed almost as bad as when MS does it, the only difference is that MS does it a lot more frequently (constantly?), whereas the QC for Linux distros is usually higher. Also it is *much* easier to fix the Linux box -- just copy a couple of files, with MS doze you often need a full reinstall.

The second reason to avoid blindly updating your software is because of the potential for the updates to get hijacked. It's a very attractive target and sometimes mirrors do get cracked. Thus with one fell swoop you have compromised any computer which uses that mirror for auto-updates. Happily it usually gets discovered pretty quick. So my rule of thumb is to always delay the update until it's been vetted. If you manage a bunch of computers, then sure go ahead and do the auto-updates, but point them to an internal mirror that you maintain and only place fully vetted software on it and make sure you have sufficient access controls. It's easy to set up your own mirror with Linux, but if you aren't a 500 company forget doing it with MS. -- codeslinger (compsalot)

#

Celebrity advice on keeping your Linux desktop secure

Posted by: Anonymous [ip: 75.165.41.202] on February 03, 2008 07:20 PM
Know your software -- some software has a really bad reputation for security, and yet despite this, for some incomprehensible reason, various distros continued to ship that software enabled by default. I hesitate to mention names, but the infamy of BIND is well known. First thing I do with a new box is to remove/disable everything I don't need and replace everything I don't trust with an alternative that does have a good reputation such as myDNS. When I hear sysadmins bitch and moan about how insecure ~Linux~ is, I ask them what software they are running and they tell me with some indignation that they use what the *nameless* distro came with BIND + (unpatched version of ) ~Some~ Mail + *nameless* FTP. Now, fact is, it takes all of about ten minutes of poking around to find out that all 3 of those programs had horrible and well known security flaws. With all of the many excellent alternatives available it sure is a mystery why certain distros insisted on shipping such an insecure system, no wonder his server got cracked and that he blamed it on Linux. But the failure is still upon the sysadmin for not doing the minimal amount of diligence needed. Simply replace those programs with secure ones and your system will be rock solid -- oh and by the way, it's not Linux that was insecure, it was those specific programs that were insecure, and those programs were easily replaced (or turned off) -- unlike the monolithic approach that MS takes in which everything is part of the OS and pretty much has to be enabled in order for anything to work.

I've seen official estimates and experienced first-hand, that an unprotected MS Windows computer will only last about 15 minutes before it is zapped by an internet worm. This is how high the level of attacks actually are, the internet is saturated with this type of traffic, some internet locations (address groups) are much worse than others. Fundamentally the problem is architectural. MS Windows requires that zillions of ports be open in order for it to function. When you try to turn off all of these services things start to break. With Linux on the other hand, there are no ports at all that have to be open, you can pick and choose what you decide to turn on. You should only turn on the things that you need and then pick your software carefully.

However the only way to properly protect an MS Windows computer, because you are stuck with having all of those open ports, is to put it behind a hardware firewall. A little known but ironic fact is that most of those so-called 'hardware firewalls' are really just dedicated low cost Linux computers, that's right! Most of those DSL boxes and Firewall boxes etc that are used to protect MS Windows from the ~Big Bad Internet~ have Linux Inside! :-) codeslinger (compsalot.com)

#

re: codeslinger

Posted by: Anonymous [ip: 71.253.206.17] on February 12, 2008 04:19 PM
My, you are a pistol!
My wife is going to kill me when she finds out I was on her 'puter all day again instead of tending to business. The reason I am replying is you have piqued my curiosity on taking a linksys router (which I have) and installing linux on it.
I really hate being a "newbee" as it makes me feel like an idiot when I think of how little I actually know about computers. Thanks to you all for helping me become more knowledgeable as I listen and learn. btw, we are all "celebrities" in our own special way - does not have to be for the masses out there!
thanks for all the brainfood. Chris

#
