One of the many reasons people choose Linux on the desktop and the server is security. Linux has a reasonably good track record when it comes to security, but it’s not enough to simply take that for granted. If you’re new to using, administering or developing for Linux, you need to know a few things about security.
You don’t need to be a security expert to use or work with Linux, but it is important and it’s something everybody needs to be aware of. Whether you use Linux for work or play (or both), some basic security principles apply. If you’ve been using Linux for a while professionally or even as a hobby, you’re probably aware already — but lots of new users pick up Linux every day with a bunch of misconceptions about security, or without thinking about it at all.
Linux is Not Immune to Everything
A Linux distribution is more secure than Windows out of the box. Not because all the software on a Linux system is free of security vulnerabilities, but because you’ll find fewer exploits for those vulnerabilities. You will find lots of security reports that claim Windows or Linux are “more secure” because of the number of reported vulnerabilities. You can interpret the numbers pretty much any way you want to come up with the conclusion that either OS is “more secure.”
What isn’t disputable, however, is that you’ll find fewer exploits like Conficker targeting Linux. But fewer, is not none. One of the mistakes often made by new Linux enthusiasts and junior admins is to think that Linux is immune to security exploits. That’s just not so.
The difference is in where the weak spots are, how exploits are deployed, and what kind of attacks you should be concerned about.
Desktop users are still vulnerable to some browser-based exploits, for example. Lots of Linux servers are compromised by root kits (applications designed to give the attacker full control of a system), delivered in a variety of ways. Even if a system isn’t rooted, services can be disrupted. Worms like Santy can deface sites and use a server as a springboard to attack other sites.
The bottom line is that it’s vitally important to realize that Linux systems can be vulnerable to attack, and that you need to think about system security whether you’re a desktop user or administering servers.
But You Don’t Need an Antivirus
If you’re just coming off of Windows, you might wonder where the antivirus programs are for Linux. Relax; you don’t need one. This might sound like it contradicts with the previous point, but it only means that Linux doesn’t need things like McAfee Antivirus or Norton Antivirus. A lot of users are surprised by the lack of AV products for Linux, but Linux doesn’t have problems with the same kind of viruses and malware that Windows does.
You can install one if you want, and if you’re looking I’d recommend ClamAV. But most likely you’d find nothing that is a threat to your system. ClamAV will scan for known trojans, viruses, etc. that largely affect Windows systems. It might help you find an infected file that would harm a Windows system, but odds are you’re not going to be finding any Linux viruses that come in via email or documents today.
What kind of threats do Linux users face? Typically attacks via network services, like worms and Cross-site scripting attacks that work on any browser on any OS.
And social engineering works on any platform. Phishing attempts, that is attempts to get users to supply personal and financial information, rely on a user being fooled by an email or Web site. While Firefox, Google Chrome, and other applications have some anti-phishing features, common sense is the only real protection for those attacks.
Prevention is Better than Cure
I’d much rather spend 15 to 45 minutes a week tending to security than two days recovering from a security breach. Being proactive is remarkably easy, and I strongly recommend that any user or admin get into a few habits very quickly.
First, subscribe to your vendor’s security list. You should be notified of known problems quickly and potential fixes. You’ll see quite a few emails on this list if the project or vendor is doing its job. This also goes for third-party software that you run on top of Linux but don’t get through the distribution’s repositories. Any third party software of significance should have a security list of some sort or a channel that it uses to announce security updates. Note that security updates come through distributions a bit more slowly than through the upstream vendors at times. For instance, a security update for Firefox may go directly to users who get Firefox from Mozilla a few days before the updates show up in packages for major Linux distributions.
Second, run updates regularly. Daily if possible, weekly at a minimum. Make sure you’re running your updates regularly, and updating third-party software that isn’t patched through your update tools.
Understand User Permissions and Encryption
Part of prevention is making sure your system is locked down. Ubuntu and openSUSE feature AppArmor for users who want to enhance system security and lock down services. Fedora uses SELinux. Familiarize yourself with those tools and try to ensure that system services are locked down, or not running at all if they’re not necessary.
Make sure you understand the permissions system for Linux and that files are not more accessible than necessary. This is particularly important on multi-user systems. If you’re running services on a shared hosting service, this is really important.
Running Linux on your home PC, netbook or laptop? Think about encrypting your home partition. If someone has physical access to your machine they don’t need to know your root or user passwords to get at your data when it’s not encrypted.
Audit and Use Intrusion Detection
Finally, consider very strongly taking the time to install intrusion detection on any server that you’re administering, and using tools like chkrootkit to verify that your system is not compromised.
It’s not at all unusual for a system to be compromised without any obvious signs. Some attackers deface Web sites or use an exploited system to launch attacks on other systems. Others quietly collect passwords or data without ever making too much noise, or run services like IRC bots or use infected systems to send spam.
If you’re administering a server, look into installing and using Tripwire and Snort for intrusion detection.
And, I hope this goes without saying, keep backups. No, backups aren’t necessarily part of a security regime, but they’re part of recovery if you are unfortunate enough to suffer a successful attack. As far as I know, no one has ever regretted taking the time to do good backups, but the reverse is not true.
The most important thing is to be aware that security is not a feature; it’s a process. More than that, it’s a process that requires user participation. If you want a secure system, picking Linux is a good first step, but not the end of the line. Follow the general guidelines here, and you’ll be on your way to more informed and secure computing.
Since security is deeply important, in the weeks to come we’ll feature more tutorials on using tools like AppArmor or setting up intrusion detection to keep your systems safe. If there’s a particular topic you’d like to see covered, be sure to tell us about it in the comments!