52 Comments
- PhillAholic, on 07/07/2008, -1/+50: Locking your screen? Are you serious? This list is terrible.
- colonelxc, on 07/06/2008, -0/+34: Security through obfuscation is not security!
Some good ones on there, but don't think you gain security from putting a dot in front of your files. If you need files hidden, put them on a hidden truecrypt partition.
- danjwray, on 07/07/2008, -0/+29: Yeah this is stupid.
"Most people don't know that running the command 'ls-a' will show hidden files and folders."
Actually, it won't. 'ls -a' will, but I think most people (or at least most cli users) know that.
- wiifm69, on 07/07/2008, -1/+25: "So, as a rule, do not install file-sharing tools." - how about a can of get *****. Buried
- sltribune, on 07/06/2008, -3/+27: Common sense is usually forgotten, so it's better from time to time to be pointed out :)
- inactive, on 08/11/2008, -0/+18: Most of these tips can be applied to any OS, and even then it's common-sense stuff. This list fails.
- TheShad0w, on 07/07/2008, -1/+17: I'd have to agree... this isn't any kind of security improvement.
1) Locking your screen
- Oh come on you did this in windows... it's the same here... geeze man...
2) Hiding files
- Security through Obfuscation isn't security! (Thanks Colonelxc)
3) A good password is a must.
- Umm when has this ever NOT been the case?
4) Installing file-sharing applications is a slippery slope.
- It's always a risk but it also depends on the applications you're using. Though at work this should be a no-duh
5) Updating your machine is wise
- You have got to be kidding me. See my response to #1
6) Install Anti-virus software
- Ok... first since this person has been talking in context of an employer's network. Installing AV on every machine to protect the windows machines is just plain stupid. Install it on the mail server and strip it out before it even hits the client. Come on people.
7) SELinux is there for a reason
- That it is. What reason that is I'm not entirely sure about. I'm a little paranoid about anything that comes out from the US Govt. I'll stick to the BSDs if I want insane amounts of security.
8) Creating your /home directory on a separate partition.
- Ok this one makes sense but for the other reasons. I do it so I can update the OS and the User space separately. Or if the user space gets corrupt I don't have to reinstall the whole system.
9) Using a non-standard desktop is worth its weight in gold
- see #2
10) Stopping services is best
- Kinda holds some merit... mostly doesn't. I run SSHd for the same reasons that Windows users run Remote Desktop. I happen to do web development and find it more convenient to run a local web server. (But I'm also sitting behind a firewall) Look if you don't need the services just uninstall them. A better reason is that they are sucking up resources for no reason.
How the heck did this make front page?
Buried as inaccurate. (Wish I could also bury it for being lame).
- MWeather, on 07/07/2008, -0/+10: Buried for security through obscurity.
- Myztry, on 07/07/2008, -2/+12: But it slows down small children and the police...
- elementop, on 07/07/2008, -0/+9: Yikes! Not exactly an earth-shaking list. Point by point:
1) Logging out, yes. Locking the screen? Don't fool yourself. If you aren't using something like GDM to start your X-Windows automatically, then locking your screen is a false sense of security. Alt-Ctrl-Backspace will end your X-Windows session, unless X has been configured otherwise, and ending your X-Windows session will drop you back to the CLI if you run "startx" or equivalent to, well, start X. Not much security there.
2) Security through obscurity is no security at all. Don't hide your files and folders; chmod -R x00 where "x" is 6 or 7 as appropriate. You can hide them also if you want, but hiding them with a leading "." while leaving "group" and "other" permissions to "read" and/or "write" is just stupid. And the author is a moron for thinking that "most people don't know to use 'ls -a'" (spelling corrected). Even *if* most people don't know the '-a' option (which I doubt), there are a number of ways this won't help you. What if your home directories are shared via Samba (as on a corporate file server running Linux)? Windows machines browsing the share will display files that are "hidden" with a leading ".". What about the Windows Explorer equivalents in Linux (such as Nautilus)? They can be configured to show "hidden" files.
3) Well, yeah. Not news.
4) P2P in a corporate environment == bad news. Again, not news. At home? It *can* be a security risk, but so can an Internet connection. Doesn't mean you shouldn't use it.
5) Again, not news.
6) Ummm...I thought this was for the Desktop, not for servers. ClamAV does not scan files as they are accessed -- it is usually run from Cron to check everything on your filesystem daily. About the best use for Clam (or any other A/V) on Linux is on a mail server, which is pretty much what the author's tip was describing. Unfortunately, the article was geared for Linux n00bs on a desktop machine, and if you follow tip #10, you really shouldn't be running a mail server on your desktop, which in turn makes this point moot.
7) Again, I thought this was a n00b's guide to Linux on the desktop? SELinux is a royal PITA. Unless you are using Linux in a corporate environment with IT staff to set up the desktop for you or if you work at NSA or a bank or somewhere that security is a top priority, SELinux is more hassle than it is worth on your desktop. For everyone else, don't bother with SELinux on your desktop.
8) Wow, I actually agree with this one. It's not a huge security issue, but it's much better to fill up /home on a separate partition than to fill up / (including /home) on a single partition. Linux gracefully handles full filesystems (unlike the AS/400 I used to use in a previous job which would turn itself off if the disk storage reached 100%), but it's not a good thing to run out of storage space, especially if /home and /var/log are on the same partition (then your system can't write to log files anymore, which totally defeats accountability). Put /home and /var (or at least /var/log) on a separate partition and you will still have log files if one of your users fills up /home. Even better, put /home and /var on separate partitions *and* turn on user quotas.
9) Security through obscurity again. I use blackbox at home, but that's because it is really lightweight and therefore really fast, especially compared to KDE. However, if you want a desktop that the average Windows user can use without much cross-training, stick to Gnome (my preference) or KDE.
10) Absolutely, but again, not really news. You probably don't need a web server, FTP server or TFTP server running on your desktop, but SSHD can be very useful, especially if you have IT staff to help support the desktop (in a corporate environment, of course). Having said that, yes, turn off any services you aren't using.
Things that weren't mentioned but, IMHO, should have been (this is an off-the-top-of-my-head list; there's probably lots of other things you can/should do as well):
1) sudo. This was mentioned obliquely in #3 (Ubuntu vs. Fedora -- Ubuntu comes with some sudo privileges set up, which is why a weak password in Ubuntu is a bigger deal than a weak password in Fedora). Configure sudo, give sudo privileges very sparingly and stay out of root except when absolutely necessary (and if sudo is set up properly, you should almost never need root).
2) iptables. Learn to set up firewall rules, especially if you are going to use services like SSH on your desktop. Basic iptables isn't very difficult, and will go a long ways towards securing your machine.
3) monitor log files. You log things for a reason. Pay attention to your logs and you will notice when things aren't normal.
4) check for rootkits periodically. Learn to use tools like rkhunter or chkrootkit to make sure no one has done anything nasty on your machine.
5) baseline your system. Learn to use top, df, du and netstat and learn to interpret the output of these commands. Then, you will know how to tell when things aren't quite right. Also, use nmap and/or nessus to make sure that you know what services are running on your machine, and that they have been properly secured.
- jrattner1, on 07/07/2008, -0/+8: I still prefer a nicely formatted ls -hal
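The point several commenters make above (a leading dot only drops a name from plain `ls`, while the mode bits decide who can read it), as an added example that is not part of any comment in this thread. The function names `audit_hidden` and `lock_down` are hypothetical and the files are constructed sample data; `go-rwx` is used in place of a literal `600`/`700` so the owner bits are left alone.

```shell
#!/bin/sh
# Added example (not from the thread). audit_hidden / lock_down are
# hypothetical names; the files created in demo are constructed sample data.

# audit_hidden DIR
# Print dot-entries directly under DIR that still grant ANY group/other bit.
# The six -perm tests are the portable spelling of GNU find's "-perm /077".
audit_hidden() {
    find "$1" -mindepth 1 -maxdepth 1 -name '.*' \
        \( -perm -040 -o -perm -020 -o -perm -010 \
           -o -perm -004 -o -perm -002 -o -perm -001 \) -print | sort
}

# lock_down PATH...
# Remove all group/other bits recursively and leave the owner bits alone:
# a 644 file becomes 600 and a 755 directory becomes 700.
lock_down() {
    chmod -R go-rwx "$@"
}

# demo: build a throwaway "home" and show the state before and after.
demo() {
    d=$(mktemp -d) || return 1
    mkdir "$d/.mail"                && chmod 755 "$d/.mail"
    echo "draft"  > "$d/.notes"     && chmod 644 "$d/.notes"
    echo "secret" > "$d/.keys"      && chmod 600 "$d/.keys"
    echo "hello"  > "$d/readme.txt" && chmod 644 "$d/readme.txt"

    echo "plain ls (dot entries not listed):"
    ls "$d"
    echo "hidden, yet open to group/other:"
    audit_hidden "$d"

    # Fix whatever the audit reported, then re-check.
    audit_hidden "$d" | while IFS= read -r p; do lock_down "$p"; done
    echo "entries still open after chmod: $(audit_hidden "$d" | wc -l)"
    rm -rf "$d"
}

demo
```
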
- darkfus, on 07/07/2008, -1/+8: Hey man it's ZDNet, the same people that employ John C. Dvorak.
- robz0rz, on 07/06/2008, -1/+7: The only useful tip was the last one, and maybe the first one if you can't trust the people around your pc.
- Thoku, on 07/06/2008, -2/+7: Not a bad article but I don't like the comment about tty's. Presuming a malicious person is ignorant is just asking for trouble in my opinion.
- inactive, on 07/07/2008, -0/+4: You don't need sshd on a desktop computer, sshd is my most used tool at work. If I'm across campus and need something off my computer, scp is my most valuable tool.
- wigren, on 07/07/2008, -0/+4: A lot of things you probably shouldn't do are "easy" on Windows. But, if you really feel the need: usermod -d /path/to/new/homedir/ username
- koan, on 07/07/2008, -0/+4: This is more damaging than saying nothing. It expresses common sense and obscurity tactics as security practices, which will leave the unsuspecting thinking they have actually done something to enhance their security by following the guide.
Fail. Bury.
- skidzilla, on 07/07/2008, -2/+5: http://en.wikipedia.org/wiki/Linux_Viruses#Threats
^ Versus around 2 million or more for Windows.
- feignNU, on 07/07/2008, -0/+3: Indeed. Woulda been a lot more interesting if the author had taken the time to explain why he thinks it's a problem and how one might secure their system beyond just not installing file-sharers and turning off various daemons.
- inactive, on 07/07/2008, -0/+3: That attitude is why Linux has a .000000001 percent market share. If you want Linux to grow into a viable Windows alternative you have to embrace and educate new users. What is obvious to you is a mystery to the thousands of people who went to Wal-Mart and bought a computer for $200 that came pre-loaded with Linux. I swear, it's the elitist "I'm smarter than you 'cuz I know Linux command line stuff" attitude that pisses most people off. Grow up, realize that your Linux skill, while admirable, still leaves you exactly equal to the people who don't know a friggin' thing about computers but may be smart in other areas. You are NOT smarter or better than other people, and the attitudes of people on this thread show a distinct lack of maturity.
- GTanaka, on 07/07/2008, -0/+3: Sure, this is security...if you happen to be handicapped when it comes to linux and you're in a public place. buried.
- known, on 07/07/2008, -0/+3: $ ufw enable
- takatoo, on 07/07/2008, -0/+3: "Most people don't know that running the command 'ls-a' will show hidden files and folders"
WTF? That's one of the basic commands in linux.
If you're talking about non-linux user just place your porn in any folder and %chmod 000 porn.
- ScottyDelicious, on 07/07/2008, -0/+2: I can't believe he didn't mention Thermite!
http://digg.com/comedy/Kevin_Rose_blowing_a_hard_d ...
- skidzilla, on 07/07/2008, -1/+3: Or buy a Mac and triple boot Linux, Windows, and OS X and stop being elitist.
- TRScheel, on 07/07/2008, -1/+2: As a relative newcomer to the Linux world I think they were all fairly good points. A few of them were 'duh' points (AV) but if they were omitted people would have bitched that it was an incomplete list lacking x, y, and z.
- elementop, on 07/07/2008, -1/+2: No, he's right. Most people don't know the 'ls -a' command -- in fact, even the author botched it (it's 'ls -a' rather than 'ls-a'). Most *nix users, however, do know the command ;)
FWIW, I prefer 'ls -A' to 'ls -a' since I generally assume that '.' and '..' will be present.
- eldridgea, on 07/07/2008, -1/+2: "Security through Obscurity" is never a good idea.
(Unless it's just there to complement real security)
- feignNU, on 07/07/2008, -0/+1: dugg for knowing the -h option.
- feignNU, on 07/07/2008, -0/+1: What wigren said is right, but you should remember also that your home "directory" isn't really the same as the "My Documents" folder in XP. My guess is that if you didn't already know how to change your home directory, you probably don't need to.
- jcwuerfl, on 07/07/2008, -0/+1: If you're using linux and don't know this already, stop using linux and buy a mac. buried
- cantormath, on 07/08/2008, -0/+1: Should have been called common sense, not much to do with security in the traditional sense.
- known, on 07/07/2008, -2/+3: Open source software is secure by design.
Closed source software is insecure by design.
- veruus, on 07/07/2008, -0/+1: Pessulus lets you edit somewhere around 23 settings. It's kind of useless.
- ScottyDelicious, on 07/07/2008, -0/+1: Doesn't really make a difference if someone takes your drive and mounts it as root in another box.
- Eezyville, on 07/08/2008, -0/+1: the police you say.... *thinking*
- csteele, on 07/07/2008, -0/+1: no mention of backups or firewalling? wtf? rookie.
- inactive, on 07/07/2008, -0/+1: This is not a good article, putting it lightly. It generalizes about security and seems to be aimed at the less technical, but doesn't explain in a simple fashion how to disable services. References to /etc/inetd.conf are also outdated as it pertains to most linux distros. Even ubuntu which uses it doesn't have anything enabled by default in it. The tips about putting things in dot folders should be ignored. That has nothing to do with security. Don't bring up Selinux unless you are going to explain to people how to use it. Simply enabling it will not help unless the applications they are installing are compliant with the shipped policies. Most people out of laziness will just turn it off if their applications don't work with the default policies. Most linux distros that ship with it have it enabled by default. Putting /home in a separate partition also has absolutely nothing to do with security. The security of /home is based on its file system permissions and those permissions will be the same regardless of mount-point. Using a non standard desktop is actually a very bad idea for many reasons. I could pick apart this article all day long. Rather than wasting my time, I will summarize by saying that nobody should be following anything in this document other than the common sense things like locking the desktop when you step away. Even that isn't so much security as it is annoying coworker mitigation. Even if you have full disk encryption, many people on this thread can access all your data if you leave your machine accessible and unattended more than once.
- ScottyDelicious, on 07/08/2008, -0/+1: No problem Watson. You're welcome, and I accept your apology.
- jay019, on 07/08/2008, -0/+1: Common sense is not really that common.
Not just in computing, but life in general.
- Myztry, on 07/09/2008, -0/+1: It's actually an 'in joke' regarding an old friend who had his Amiga BBS confiscated by the Police. The computer was jammed packed full of every imaginable warez.
They returned it intact, no charges laid because they didn't have a clue what to do with a non Windows computer. Much like the Microsoft Police Toolkit would be useless against anyone but their own customers.
- Alexrrr, on 07/07/2008, -0/+0: While I agree that this is a terrible article I would like to add something:
One useful tip I would love to spread is using Pessulus to lock down gnome. I have about 50 machines with ubuntu and it helps me keep things uniform in all of them. I must keep things very spartan so people will actually work around here.
OOOOOOOO! OOOOOO! (300 type scream)
- hoopy22, on 07/08/2008, -0/+0: Next article, Water is Wet and the Sky is Blue.
- Vegiemaster, on 07/07/2008, -1/+1: Doesn't everyone read their man files? ; )
I have a couple ls variations as aliases, myself.
- rfcompte, on 07/08/2008, -0/+0: This list is incredibly naive
- feignNU, on 07/07/2008, -0/+0: To be fair he did refer to at least one of the obfuscation tips as "pseudo-security"...
- h1web, on 07/07/2008, -0/+0: They tell you to add a dot to hide your folders, but don't even mention chmod ..
- Rudegar, on 07/07/2008, -3/+2: Buried because the writer was root when writing the article! :P
- h1web, on 07/07/2008, -1/+0: Thanks sherlock, what I meant though was that chmodding your files to be readable only by yourself is much more effective than hiding it with a dot in front of the name, which is about as effective as using a "non-standard desktop".
- masfenix, on 07/07/2008, -4/+2: I don't think so. Closed software is as secure as open source. Look at windows 2008 server. Its security is through the roof. Please don't say that "linux is more secure therefore more servers use it". Right and when was the last time you had to pay for linux. That's the only difference. Price.
Open source has its downsides too. Look at php, 1500+ developers, still no 100% OOP support. Look at .net now. Closed source, however, we are up to technology like Dynamic Data, LINQ, and other goodies.