Out of the box, a Linux desktop is far more secure than most others.
However, this level of security is not necessarily attained through typical security-focused software or techniques. Sometimes, the easiest means to security are those that are the easiest to forget.
You might find these suggestions to be pure common sense, but maybe you'll see a means of security you never thought of before. If you're a new Linux user, these tips are a great place to start to ensure that your Linux experience is a good one.
Here are 10 steps you can take to secure a Linux desktop.
1. Locking the screen and logging out is important
Most people forget that the Linux desktop is a multi-user environment. Because of this, you can log out of your desktop and others can log in. Not only does that mean that others could be using your desktop, it also means you can, and should, log out when you're finished working.
Of course, logging out is not your only option. If you are the only user on your system, you can lock your screen instead. Locking your screen simply means that a password will be required to get back into the desktop. The difference here is that you can leave applications running and lock the desktop. When you unlock the desktop, those same programs will still be running.
2. Hiding files and folders is a quick fix
In 'Linux land', files and folders are hidden by adding a '.' before the name; so, for example, the file 'test' will appear in a file browser, whereas '.test' will not. Most people don't know that running the command 'ls-a' will show hidden files and folders.
So, if you have folders or files you don't want your co-workers to see, simply add the dot to the beginning of the file or folder name. You can do this from the command line like so: mv test .test.
3. A good password is a must
Your password on a Linux PC is your golden key. If you give that password out or if you use a weak password, your golden key could become everyone's golden key.
And if you're using a distribution like Ubuntu, that password will give users much more access than, say, Fedora. To that end, make sure your password is strong. There are many password generators you can use, such as Automated Password Generator.
4. Installing file-sharing applications is a slippery slope
I know many Linux users are prone to file-sharing. If you want to run that risk at home, that's your call. But, when at work, you not only open yourself, or your company, up to lawsuits, you open your desktop machine up to other users who might have access to sensitive data on your work PC. So, as a rule, do not install file-sharing tools.
5. Updating your machine regularly is wise
Linux isn't Windows. With Windows, you get security updates when Microsoft releases them, which could be many months away. With Linux, a security update can come minutes or hours after a security flaw is detected. With both KDE and Gnome, there are update applets for the panel. I always recommend having them up and running so you know when updates are made available. Don't put off security updates. There is a reason they come out.
6. Installing virus protection is actually useful in Linux
Believe it or not, virus protection in Linux has its place. Of course, the chances of a virus causing problems on your Linux machine are slim to none. But those emails you forward to others' Windows machines could cause problems. With a good virus-protection tool, such as ClamAV, you can ensure that email going out of your machine doesn't contain anything nasty that could come back to haunt you or your company.
7. SELinux is there for a reason
SELinux (Security-Enhanced Linux) was created by the US National Security Agency. It helps lock down access control to applications, and does so very well.
Certainly, SELinux can sometimes be a pain. In some cases, it might take a hit out of your system performance, or you might find some applications a struggle to install. However, the security comfort you gain by using SELinux (or AppArmor) far outweighs the negatives. During the Fedora installation, you get the chance to enable SELinux.
8. Creating /home in a separate partition is safer
The default Linux installation places your /home directory right in the root of your system. This is fine but, firstly, it is standard, so anyone gaining access to your machine knows right where your data is; and, secondly, if your machine goes down for good, your data might be gone.
To solve this problem, you can place /home on a different hard drive or partition altogether (making it a partition in and of itself). This is not a task for the weak of heart, but it is one worth undertaking if you're very concerned about your data.
9. Using a non-standard desktop is worth its weight in gold
Not only do the alternative desktops (Enlightenment, Blackbox, Fluxbox, etc) give you a whole new look and feel for your PC, they offer simple security from prying eyes you may never have considered.
I have deployed Fluxbox on kiosk machines when I wanted a machine that could do one thing: Browse the network. This can be easily achieved. Create a single mouse menu (or desktop icon) for the application you want to use. Unless the user knows how to get back to the command line (by logging out or hitting ctrl-alt-f*, where * is a desktop other than the one you are using), they will not be able to start up any application other than the one offered.
Since most users have no idea how to move around in these desktops anyway, they aren't going to have the slightest idea how to get to your files. It is simple pseudo-security.
10. Stopping services is best
This is a desktop machine. It's not a server. So why are you running services like httpd, ftpd, and sshd? You shouldn't need them and they only pose a security risk, unless you know how to lock them down. So don't run them. Check your /etc/inetd.conf file and make sure that all unnecessary services are commented out. It is a simple but effective method.
Talkback
Wouldn't installing file-sharing applications in a VM (Virtual Machine) be a safe way to share files ?
Acer Aspire 5315-2153, $348 Walmart Special,Mandriva Linux 2008.1 Spring Edition. The fist Linux distro where everything worked, on this laptop, the first time !
if you put /home on its own partition doesnt remove any threats and in actuality, the only reason why /home should be on its own partition is to prevent any personal data from being corrupt from any system crash. that is the only reason why /home should be on its own partition. now, /home SHOULD have its umask set to 0002. this would prevent other users from `cd`ing into other peoples home directories.
/tmp should be on its own partition AND mounted as noexec, this will prevent arbitrary code from being executed from the tmp directory. the only problem to this is, if you want to install third party bin packages, you will need to remount the tmp directory with exec rights. but, afterwards, just remount it noexec and everything is back to normal.
setting up /tmp in the first place would require one to not be scared of modifying /etc/fstab and also to remount it when needed, the user should be comfortable with the command line and reading man pages (which is always a good practice).
also to note on #2, putting a "." in front of the folder/file name in a file manager will not make it hidden, this must be done in a command line. to do that, just use the mv command.
mv foo .foo
that will make it hidden. when you rename a file in a graphical file browser, it would be the same as doing...
mv foo \.foo
which would make it think that the "." is supposed to be at the beginning of the file name and not hidden.
for #3, complex passwords arent the way to go anymore. instead, passphrases are what users should be using now. the longer the phrase, doesnt matter if its all alphabet characters, it will still take MUCH longer to crack than if some special characters were put in a smaller password.
for #9, that is more of a security through obscurity practice and does not work. security through obscurity is a proven failed method of security. especially with the growing number of linux users, most linux users will know that if the desktop environment doesnt give them a terminal, that ctrl-alt-f1-5 will, of course, they will still need to know the username and password to get on, but that is another issue of security.
How long Microsoft grant one use of Linux? 30,60,73 days? After reading <a href="http://www.promotinglinux.com/truth/">The Truth about Linux</a> I'm very scared of the Linuxes OS. I don't want all I do with my computers to be owned by Microsoft as Linuxes probably has many of the Microsoft Intelectual Property inside. I don't see a sticker on it like 'Intel Inside". But it uses Internet Explore and Windows technologies. It must. How can it not? The Linuxes must log to IE to download the internets from the pipes. The Linuxes must have Windows alogorithms to read the spinner. If I reboot it after 30 days, am I still libel for infringment and accessory? Will they come after me? I don't want to get sued. I don't have enought money to pay for defense. I just want to see the internets.
Its been my experience that anonymity is key. Remain anonymous to the sites you visit and they cant harm you. Good privacy services like www.Ultimate-Anonymity.com are crucial in todays society.
I totally agree with sakuramboo. #9 at the very least should be called security by obscurity. But as he/she pointed out that this has failed many times.
I also feel that while putting a "." in front of a file/directory hides the resulting file/directory this is also security by obscurity. If you're running Linux to begin with it doesn't take that much effort to do a "ls -a" from the command line or turn the "View hidden files" feature in a window manager to see the hidden files/directories.
Having the home directory on a separate partition only helps when doing a data backup. This doesn't help with security.
I have to admit that I never thought of an antivirus on Linux. At least I haven't thought of any good uses. But I do see your point on using it to help filter email.
You don't have to ask m$ for permission to use Linux. If you think Linux contains M$ IP, then don't use it. But, Linux is derived from UNIX, which was in use long before M$ was even around. Odds are M$ contains UNIX IP, but it is a closed, proprietary system so no one knows. With Linux you have the source code to look at, while with M$ you have to take their word, and actually believe they never lie. I will take Linux over M$ any day of the week and twice on Sunday. Linux is more stable, faster, more secure, and just as easy to use, now.
err, "the truth about Linux" is a joke website. The claims there are humor/fake/made up/intentionally wrong.
And you call your self an IT Manager, sheesh.
If you cant recognise technical humor when it's in your face you can't understand the technology issues.
You disgrace ALL of us in the profession.