Most modern Linux distributions provide some basic security features (automatic software/service updates, event logging, access control and firewall functions), which are often enabled by default as part of the Linux build. Individuals setting up a Linux workstation should have a basic understanding of the operating system, and if necessary obtain further guidance (such as from the official Linux distribution website, official online Linux forums or security mailing lists for the particular Linux distribution used).
The risks
-
Behaviour risks
- Many risks such as fraud, phishing, spam and identity theft apply to Linux users as much as users of other operating systems.
- Poor user choices, such as weak or no passwords, failing to monitor event logs and not configuring Linux software correctly.
-
Technology risks
- Risks to Linux workstations can increase due to running unnecessary services and leaving vulnerable network ports open.
- Failing to patch Linux software and services quickly or at all, especially with published vulnerabilities.
- Running inherently insecure services, such as using a system designed for use on a local area network over the internet.
-
Exploitation risks
- Social engineering, information theft.
- Spam, Trojans, botnets, back doors, viruses, rootkits.
- Denial of service attacks.
- Unauthorised Privilege escalation.
Protecting your information and workstation
Getting started
- Acquire the Linux operating system software (including binaries, setup files and patches) from trusted, reliable and reputable sources, such as an official Linux distribution CD/DVD or legitimate Linux distribution website.
- Configure the Linux workstation file systems with multiple partitions (for example using fdisk (or equivalent) to create a separate root partition, swap space, binary files and users file space).
- Check the authenticity of all Linux operating system software before installing (for example by validating their digital signatures and/or checksum values).
- Avoid logging in as a privileged user such as root. Instead, log in as a non-privileged user account and use the su command to perform administrative tasks.
- Disable the autorun feature (or equivalent) to prevent media being mounted automatically.
- Configure user accounts to lock the session after a pre-defined period of inactivity (for example 15 minutes).
- Maintain an up-to-date Linux build (for example by regularly checking for updates and patches for the operating system and all applications).
Configuring services and users
- Disable or restrict all unnecessary services and unnecessary start-up scripts (including those associated with Bluetooth, USB, wireless networking and infrared).
- Avoid using insecure administration programs such as rlogin, telnet, tftp, ftp, rsh and rexec, and instead use secure remote login, file transfer and shell programs, such as sftp, scp and ssh.
- Remove unnecessary user accounts (for example, guest) and groups, and ensure all user accounts are required to authenticate (for example, using a password) before being granted access to the Linux workstation.
- Use strong passwords for all user accounts on the Linux workstation (for example, minimum eight characters, mix of uppercase, lowercase, alphanumeric and special characters).
- Protecting Linux workstations requires a range of activities, many of which are relevant to all computers regardless of operating system software used, including Microsoft Windows and Apple Mac OS X (for example, protecting the boot sequence, setting the permissions of files, configuring event logging, establishing backups and monitoring for suspicious files or activity).
- Individuals requiring more detailed advice for protecting Linux workstations (including firewalls, virus protection, disk and file encryption, email protection, web browser configuration, and backup software) should consult specialist advice from an individual or organisations that specialise in Linux and Linux security.