Linux Security

In my “Why Linux” post, I explained the advantages of Linux over commercial operating systems such as Microsoft Windows or Apple OS. In this post I like to point out some of the risks running Linux. The risks are by no means limited to Linux – you run the same or similar risks with all the other OS. So why bother reading this post?

Because when people think that their OS is more secure, they get sloppy.

Let’s get right to the point. Here is a list of some common misconceptions:

  • With Linux, I don’t need a strong password. Wrong! If anyone can guess your password, he/she has access to everything, and the ability to install root kits, spyware, you name it. Most modern Linux distributions use one password, the one provided by you, for login and for gaining superuser (root) access. This means that your perhaps simple password opens the door to everything.
  • No firewall needed. At any given time, hackers are out there in the Internet running port scanners on literally all IP addresses (and computers) they can access. A router will provide some barrier, but only to some extent. Many routers have been hacked (almost all of them run Linux, but their software is not updated, unless you did something about it). With this in mind, it certainly is good practice to enable the firewall, especially on a laptop that’s not stationary.
  • No backup required. Yes, ext4 is way better than NTFS in avoiding fragmentation etc. But your hard drive will fail, the same as your SSD. Why am I so sure of it – because of experience! So backup regularly.
  • Open source software is free of malware. That can proof to be wrong. First, you should only install software via the repository. Don’t add repositories that you are not familiar with. Any repository you add is a security risk. The Linux distributions usually take care that the software they offer in their repositories has been checked and is clean. But if you add a repository that isn’t offered by your or a known distribution, you open a door to malware. You should be aware of the risk.
    Linux distributions themselves have been hacked. The Linux Mint website, as an example, was hacked and temporarily hosted an ISO image that contained malware.
  • Running Windows software on Wine is great. Maybe. But be aware that Windows malware can affect your Linux OS via Wine. Cross platform software such as Java, Mono, etc. can introduce digital pests into Linux.
  • Installing ever more software and features. Linux is great in that if offers lots of free software. Just don’t overdo it. Uninstall what you don’t need, and don’t open remote access or other protocols if you don’t really need them.

So what is the best way to have a save & secure Linux installation:

  1. Strong and unique password: Don’t reuse your old and trusted and fancy password – it has already holes in it! Create a unique password that you don’t use anywhere, and a strong one too. Mix upper and lower case letters as well as symbols. Don’t even think about “1234567” or “!@#$%^&” (the same keys with shift) – you got the drift? And never ever use names, birthdays or other information that can be re-engineered via social media. Never ever use the same password anywhere else!!!
    Remember: The Ubuntu and Linux Mint forums both have been hacked and all user and password information was taken. Only this year (2017), 21 million Google Gmail accounts have been offered for sale. Yahoo, Adobe, LinkedIn and others have been similarly cracked by hackers, just to name a few.
  2. Enable the firewall: Some popular Linux distributions such as Linux Mint don’t enable the firewall by default. Enable it! Sometimes adjustments are required to make applications work, for example Transmission (bit torrent) or SSH. I use the Gufw firewall GUI – it’s pretty easy to use. (Note: The firewall is built into the Linux kernel. All you need is to enable it. The default rules are usually OK, but if needed, set some rules. This can be done using a graphical user interface such as Gufw, but there are others too.)
  3. Backup: This cannot be emphasized enough. Backup everything you do not want to loose. If downtime of your computer is an issue, backup the entire disk(s).
    It’s not enough to backup to an internal “backup” disk. What if a burglar comes and steals your fancy PC/laptop? Or you just typed the wrong command and wiped your backup instead of restoring it? Heard of the dd command? It’s powerful but used in the wrong way – oops goes your data.
    So how about a backup to your network server? If it’s in the same apartment/house – not good enough! A fire might destroy everything.
    Make a backup of everything that is important to you on an external disk(s) and store it in a different city, with a relative for example.
    I use luckyBackup as a backup program, for it’s flexibility and the fact it supports remote backup via ssh. Make sure you store the user permissions with your backup, else you can run into serious permission problems. If it’s a desktop/laptop you backup then user 1000 is always you.
    Cloud storage is a convenient way to backup your data. But be aware that hackers might find a way to get to your data. If it’s sensitive, the least you should do is encrypt it.
  4. Don’t run services you don’t use: If you don’t need to share files with other Windows computers, don’t run a SAMBA server. The same goes for RDP, SSH, FTP, and in particular HTTP.
  5. Harden your server: If you run servers such as SSH, SAMBA, FTP or others, harden it. The default config files for these servers are often too lax. Consult the documentation for your distribution to find recommendations on how to improve the default configuration. Also check the documentation of the parent distribution (e.g. Ubuntu for Linux Mint, RedHat for Fedora or CentOS).
  6. Shut down ports you don’t use: If you don’t use remote access from a Windows computer, don’t open the RDP or similar ports on your firewall.
  7. Choose repositories/PPA on a need only basis: Use the repositories that came with your distribution – don’t change a thing! Unless there is a real need. For example when the distribution repositories don’t provide a specific version that is required by your hardware or application.
  8. Never install packages from unknown sources: Software packages that you find on the Internet can contain malware. Be very cautious. Use the software that is offered via the software manager or package manager that comes with your distribution. Add a package only if there is a real need for that software and it’s not offered via the distribution, and only if you are sure the software source is legitimate and safe.
  9. Use smartmontools to monitor your hard drives S.M.A.R.T. data (Self-Monitoring, Analysis, and Reporting Technology). The data can give you an indication on when a hard drive is going to fail. GSmartControl is a GUI that allows you to run tests and inspect the drive(s) SMART attributes. See Monitoring Hard Drives Using Smartmontools for more information.
  10. Use good hardware. Don’t be a cheapskate. There was a time I would buy inexpensive hardware – I paid for it dearly. Cheap power supplies have a dormant tendency to blow up, cause fire, or simply damage your expensive motherboard and hardware – get at least a “gold” rated one. The cooling system should be up to the task, so should the case (there is a difference between “good looking” and “good” – some fit one description better than the other).
    If you plan to do VGA passthrough and/or anything serious with your PC, get yourself a X299 motherboard (or the older X99) and at least a 6-core CPU. The people over at Puget Systems have excellent benchmarks and comparisons. If you’re “only” into gaming, a 4-core CPU with a high clock rate might actually be better. Again, make sure it has good IOMMU support if you intend to run a Windows VM with VGA passthrough.

I hope the above helps to keep your Linux installation a little saver.

Leave a Reply