Basic Security

Rob (Administrator, Staff member), joined Oct 27, 2011
Basic Security

Fortunately, Linux has a lot of built-in security that it inherits from its Unix forebears. User accounts are clearly separate from each other. It's easy to configure a Linux system so that normal users have zero rights outside their own user space. The administrator or 'root' account is virtually untouchable if one doesn't have physical access to the machine and proper password and login policies are in place.


User Account Security

Root is the number one user on the system. Fortunately, root's privileges can only be shared explicitly through the use of programs like 'sudo'. Other than that, there's no way a normal user under normal circumstances can do what root can. But user accounts can also be a source of compromise and they need to be made secure. We can start by making sure that user directories are accessible only to the owner of the account. To do this, directories should be created with read, write and execute permissions only for the user:

Code:
drwx------ 101 bsmith bsmith 8192 Nov 9 17:53 bsmith

In the event that somebody was able to get a password for a user account, this would make it extremely difficult to browse other users' files for possible information like passwords. It will also keep legitimate users from poking around in other people's directories. Of course, one user account may be all that's needed in order to gain root privileges. This can be done by exploiting known bugs. Remember, we're trying to make it more difficult, but 100% secure is never possible.

If It Isn't Permitted, It's Prohibited

Running a Linux system should never be compared with a democracy. The root user is the dictator. What he or she permits, is allowed. What isn't allowed doesn't come up for debate. It's prohibited. If you're the root user and you've just set up a system, the first thing you should do is go over to /etc and open up the hosts.deny file. Place the following line in it, if it isn't in there already. This should probably be the only line in the file, apart from comments:

Code:
ALL : ALL

This establishes from the outset that nobody can do anything. That is, we're denying ALL to ALL. Now we can start to give access to certain hosts and users via hosts.allow.

Giving access to services in hosts.allow can be service based, host/ip based or both. For example, if you wanted to permit logins to pickup mail via IMAP, you could add this to your hosts.allow:

Code:
imapd: ALL

Since you may have roaming users, it would be impossible to know where they might be at any given moment. They may be getting their connection from a hotel or a public wireless point at an airport, for example. This would let anybody from anywhere log in (or at least try to log in) to the IMAP daemon. Since mail passwords are often sent in the clear, this is potentially a security breach if your users had the same password for mail pickup as they do for their accounts. Their password could be sniffed and an attacker could gain a foothold in the system via a user account. This, of course, doesn't have to happen. We could, for example, set up a mail system that uses virtual accounts instead of real ones, keeping the user accounts and the mail accounts separate. Virtual mail accounts would also keep you from having to give user accounts on the system altogether. A mail system with virtual accounts can be very useful and is something we'll deal with in a separate section of this advanced course.

There are also measures that we can take in the hosts.allow file itself that would slow an attacker down. We could limit access by hostname or IP to other services by adding the following lines to your hosts.allow.


Code:
# acmeisp.com = Bob's ISP
# 333.444.555.666 = Janet's home IP
# 987.654.321.001 = Dave the outside consultant
ALL : 192.168., .acmeisp.com, 333.444.555.666, 987.654.321.001



I always find it a good idea to add little comments about who belongs to these IPs and hosts. If you ended up, say, ending your contract with Dave, the outside consultant, you don't really want him having access to the machine anymore. With these comments you can more easily keep track of what people should be accessing and who should be removed. Sure, it's a little bit more work, but security is only as good as the work you put into it. Believe me, attackers have more time on their hands than you, so any extra work is worth the trouble.

We've secured our machine as best we can with the default tools and files available, but it still isn't good enough. What we can do now, other than unplugging our machine when we're not using it, is to set up a top-notch firewall.
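As an added example (not part of Rob's post), here is a small Python evaluator that applies hosts.allow / hosts.deny rules the way TCP wrappers does, so you can check what a given client would be granted before exposing a service. The file contents are constructed from the rules shown in the post, and the function names are my own.

```python
"""Evaluate a client against hosts.allow / hosts.deny as TCP wrappers does.

Covers the hosts_access(5) subset used in the post: 'ALL', an exact host or IP,
a trailing-dot network prefix ('192.168.') and a leading-dot domain suffix
('.acmeisp.com'). EXCEPT clauses and continuation lines are not handled.
Order matters: hosts.allow is consulted first, then hosts.deny, and a client
matching neither file is permitted, which is why the post starts with
'ALL : ALL' in hosts.deny.
"""

# Constructed file contents built from the rules the post describes.
HOSTS_DENY = "ALL : ALL\n"
HOSTS_ALLOW = """\
# acmeisp.com = Bob's ISP
# 333.444.555.666 = Janet's home IP (placeholder address copied from the post)
ALL : 192.168., .acmeisp.com, 333.444.555.666
"""

def parse_rules(text):
    """Return [(daemon_patterns, client_patterns), ...] from a hosts.* file body."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):      # blank lines and comments
            continue
        daemons, _, clients = line.partition(":")
        rules.append(([d.strip() for d in daemons.split(",")],
                      [c.strip() for c in clients.split(",")]))
    return rules

def pattern_matches(pattern, value):
    """Match one hosts_access(5) pattern against a daemon name, hostname or address."""
    if pattern == "ALL":
        return True
    if pattern.endswith("."):        # network prefix, e.g. '192.168.'
        return value.startswith(pattern)
    if pattern.startswith("."):      # domain suffix, e.g. '.acmeisp.com'
        return value.endswith(pattern)
    return pattern == value          # exact daemon, host or IP

def file_matches(rules, daemon, client):
    """True if any rule in the file matches both the daemon and the client."""
    return any(any(pattern_matches(d, daemon) for d in ds)
               and any(pattern_matches(c, client) for c in cs)
               for ds, cs in rules)

def is_permitted(daemon, client, allow=HOSTS_ALLOW, deny=HOSTS_DENY):
    """hosts.allow wins, then hosts.deny; no match in either file grants access."""
    if file_matches(parse_rules(allow), daemon, client):
        return True
    if file_matches(parse_rules(deny), daemon, client):
        return False
    return True

if __name__ == "__main__":
    # The post's 'imapd: ALL' line opens IMAP to every client, but nothing else.
    wide_open = HOSTS_ALLOW + "imapd: ALL\n"
    for daemon in ("sshd", "imapd"):
        print(daemon, "from 203.0.113.5:", is_permitted(daemon, "203.0.113.5", allow=wide_open))
```

Running it with an empty hosts.deny shows the default-permit behaviour that the ALL : ALL line is there to remove.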
 


Does su still ignore the wheel group?
It did years ago in the version of Linux that I was using. This made it possible for anyone knowing the root password to become root, and without using a securetty. So I used chown root:wheel su, and chmod 4110 su to fix this.
 
In Linux, can external anti-virus software stop attacks by viruses or other malware?

Or

Is Linux's built-in security enough against them?
 

Some people have different views on this, but most folks I know do not use any anti-virus programs on Linux. Most viruses are written specifically for Windows, and those cannot infect Linux. If you run your own email server, or Samba file server, you might be more likely to use an anti-virus app to identify those Windows viruses that might pass through your system.

If you are really paranoid about this, one of the safest ways to surf the web is to boot up a Linux live DVD and run from that. The DVD is "closed" after burning, so nothing can infect it (don't mount any physical hard drives or they could be exposed).

If you want to run anti-virus on an installed Linux, then ClamAV is probably a pretty good choice. You might consider RKHunter also to protect against rootkits.

Cheers
 
OK, boss!!!! :):):)
 
Nice answer!
 
I've noticed in Mint and Ubuntu personal distros that user home directories are granted drwxr-xr-x by default. I guess the builders think everyone at home should be able to see everyone else's data. This does not follow the Linux Principle of Least Privilege.

I believe this can be easily remedied by issuing the command
Code:
chmod -R go-rwx $HOME
Disclaimer: Someone once told me this could cause problems with authentication, (maybe XAuthority?), but I don't remember having any problems.
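As an added example (not from the original post), a Python audit of the drwxr-xr-x home directories just described, with a helper that applies the equivalent of chmod -R go-rwx without following symlinks. The sample users alice and bob are constructed in a temporary directory; /home is only the default base path.

```python
"""Audit home-directory permissions and apply the 'chmod -R go-rwx' fix.

Flags every directory directly under a base path that grants any group/other
bits (the drwxr-xr-x default described above) and can strip those bits,
recursively if asked. Paths and the sample tree are constructed.
"""
import os
import stat
import tempfile

GO_BITS = stat.S_IRWXG | stat.S_IRWXO   # 0o077: everything group or other could get

def audit_homes(base="/home"):
    """Return [(name, current_mode, tightened_mode), ...] for each too-open home dir."""
    findings = []
    for entry in sorted(os.scandir(base), key=lambda e: e.name):
        if not entry.is_dir(follow_symlinks=False):
            continue
        mode = stat.S_IMODE(os.lstat(entry.path).st_mode)
        if mode & GO_BITS:
            findings.append((entry.name, oct(mode), oct(mode & ~GO_BITS)))
    return findings

def tighten(path, recursive=False):
    """Strip group/other bits like 'chmod go-rwx' ('-R' if recursive); return count changed."""
    targets = [path]
    if recursive:
        for root, dirs, files in os.walk(path):
            targets.extend(os.path.join(root, n) for n in dirs + files)
    changed = 0
    for target in targets:
        st = os.lstat(target)
        if stat.S_ISLNK(st.st_mode):    # chmod on a symlink would act on its target
            continue
        mode = stat.S_IMODE(st.st_mode)
        if mode & GO_BITS:
            os.chmod(target, mode & ~GO_BITS)
            changed += 1
    return changed

def demo():
    """Build a constructed two-user tree in a temp dir, audit, fix alice, re-audit."""
    base = tempfile.mkdtemp()
    for name, mode in (("alice", 0o755), ("bob", 0o700)):
        home = os.path.join(base, name)
        os.mkdir(home)
        note = os.path.join(home, "notes.txt")
        with open(note, "w") as f:
            f.write("constructed sample\n")
        os.chmod(note, 0o644)
        os.chmod(home, mode)
    before = audit_homes(base)
    changed = tighten(os.path.join(base, "alice"), recursive=True)
    after = audit_homes(base)
    note_mode = oct(stat.S_IMODE(os.lstat(os.path.join(base, "alice", "notes.txt")).st_mode))
    return {"before": before, "changed": changed, "after": after, "note_mode": note_mode}

if __name__ == "__main__":
    print(demo())
```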
 
I just enable the Firewall...never had any problems because Linux isn't windwoes.
 
That works for remote client systems with no servers. But once you start adding services, like sshd, things get more complicated. A firewall also doesn't account for physical access.
 
Linux is very secure as I've found, but it also depends on the user too.
 
@bob466 :-

Ah, too bloody right, Bob..!

The old saying is as true today as it's ever been:- "The most vulnerable part of any computing session is what's sitting between the keyboard and the chair back..."

Never changes, mate. And it never, ever will. Still, it doesn't hurt to practice basic, sensible, "safe" web-browsing; even the firewall isn't an all-in answer to everything. And your browsing sessions are where crap is most likely to enter your system.....indeed, the same can be said for any activity which involves internet-facing software of some kind.


Mike. ;)
 
I remember the bad days of windwoes and being paranoid about malware...rootkits and viruses...running anti-virus software many times a week...why? Because microsuck is all about $$$$$...not security.


I can say...in 7 years of running Linux Mint full-time I've never had any security problems and I'm no expert either and no longer paranoid too.


I wish I had a dollar for every time a beginner says..."what anti-virus software should I use" but that's what windwoes does to people.
 
I run very occasional "standalone" scans with Comodo's AV4Linux.....not because it checks for Linux malware - it doesn't! - but because I interact with a fair number of Windoze users online. I think it's the responsible thing to do; why should any family member get infected due to my carelessness?


Mike. :)
 
Thank you for the good information.
 
If you are really paranoid about this, one of the safest ways to surf the web is to boot up a Linux live DVD and run from that. The DVD is "closed" after burning, so nothing can infect it (don't mount any physical hard drives or they could be exposed).
I used to run Tahr Puppy like this but got DDoS attacked, or got banned by some forums and Google - they used my IP to mess with them.
It was years ago.
Now, for my daily surfing, I use Easy; when closing the computer, I just choose the 'do not save' (default) button.
It works so far, because Easy runs in RAM; not only is it fast, but it's more secure this way.
 
I use a VPN. Is that a waste?
 
It depends on your "threat model". Does using the VPN mitigate (reduce or eliminate) the threat that you are concerned about?

In a normal situation, your internet connection is visible where you are. Even when the web page in your browser is encrypted, the people at your internet connection will know which websites you are visiting. At home, your ISP can see your activity. At school or work, your school authorities or employer can see your activity. While in a coffee shop or hotel, the people there will see your activity and probably associate it with you and record it for sales and marketing purposes.

A VPN (virtual private network) provides an encrypted tunnel between your location and the VPN server somewhere on the internet. Because all of your communications pass through the encrypted tunnel, the people at your location (home ISP, school, work, travel, etc.) cannot see anything but the encrypted tunnel. They know you are using a VPN and they know which VPN, but that is all.

You must trust your VPN provider in much the same way that others trust their home ISP, school, work, etc. The VPN provider can see all of your internet activity the same way. The difference is that your connection appears on the internet from far away, and (hopefully) you trust your VPN provider more than your home ISP, school, work, travel location, etc. For many, that is a valid assumption.
 
Thanks that clarifies a lot for me. I appreciate your time and information.
 
Adding later:

Many people use a VPN to change their apparent physical location. Instead of their actual location (home, school, work, etc.) they appear to be located where the VPN server is located. Some people use it to get around sports blackouts so they can watch their "local" team's games by appearing to be outside the local team's blackout zone. That trick does not always work, because streaming services can sometimes identify VPN IP addresses as "data centers" and "VPN companies" that are not typical residential sports viewers.

Another reason that people use VPNs is to access blocked websites and bypass restrictions imposed by oppressive regimes. Those people may still get unwanted attention for using a VPN at all.
 
