Linux Security Checklist

The following checklist covers a range of security measures to protect your Linux desktop or server.

 

1. Add users and passwords — Creating separate user accounts for each user (each with a good password) is your first line of defense in keeping your data secure. Users are protected from each other, as well as from an outsider who takes over one user account. Setting up group accounts can extend the concept of ownership to multiple users. 
2. Read, write, and execute permissions — Every item in a Linux file system (including files, directories, applications, and devices) can be restricted by read, write, and execute permissions for that item’s owner and group, as well as by all others.
3. Protect root — In standard Linux systems, the root users (as well as other administrative user accounts such as apache) have special abilities to use and change your Linux system. Protect the root account’s password and don’t use the root account when you don’t need to. An open shell or desktop owned by the root user can be a target for attack. Running system-config-* windows as a regular user (and then entering the root password as prompted) and running administrative commands using sudo can reduce exposure to attacks on your root account. 
4. Use trusted software — While there are no guarantees with any open source software, you have a better chance of avoiding compromised software by using an established Linux distribution (such as Fedora). Software repositories where you get add-on packages or updates should likewise be scrutinized. Using valid GPG public keys (which use signatures and encryption), you can ensure that the software you install comes from a valid vendor. And, of course, always be sure of the source of data files you receive before opening them in a Linux application. 
5. Get software updates — As vulnerabilities and bugs are discovered in software packages, every major Linux distribution offers tools for getting and installing those updates. Be sure to get those updates, especially if you are using Linux as a server. 
6. Use secure applications — Even with software that is valid and working, some applications offer better protection from attack or invasion than others. For example, if you want to log in to a computer over the Internet, the secure shell service (SSH) is considered more secure than rlogin or telnet services. Also, some services that are thought to be insecure if you expose them on the Internet (such as Samba and NFS), can be used more securely over the Internet through virtual private network (VPN) tunnels (such as IPsec or CIPE) 
7. Use restrictive firewalls — A primary job of a firewall is to accept requests for services from a network that you want to allow and turn away requests that you don’t (primarily based on port numbers requested). A desktop system should refuse requests that come in on most ports. A server system should allow requests for a controlled set of ports. 
8. Enable only services you need — To offer services in Linux (such as Web, file, or mail services), a daemon process will listen on a particular port number. Don’t enable services you don’t need. In fact, you shouldn't even install server software you don't need. For even better security, don’t install any software you don’t use, be it server software or any other kind. 
9. Limit access to services — You can restrict access for a service you want to have on to a particular host computer, domain, or network interface. For example, a computer with interfaces to both the Internet and a local area network (LAN) might limit access to a service such as NFS to computers on the LAN, but not offer those same services to the Internet. Services may limit access in their own configuration files or by using TCP/IP wrappers. 
10. Check your system — Linux has tons of tools available for checking the security of your system. After you install Linux, you can check access to its ports using nmap or watch network traffic using Wireshark (formerly called Ethereal). You can also add popular security tools such as Nessus or sectool to get a more complete view of your system security. 
11. Monitor your system — You can log almost every type of activity on your Linux system. System log files, using the rsyslogd and klogd facilities, can be configured to track as much or as little of your system activity as you choose. The logwatch facility provides an easy way to have the potential problem messages forwarded to your administrative e-mail account.  You can get add-on packages such as tripwire and portsentry, to check your system for tampering and deal with someone scanning your ports, respectively. 
12. Use SELinux — SELinux is an extraordinarily rich (and complex) facility for managing the access of nearly every aspect of a Linux system. It addresses the if-I-get-root-accessI-own-your-box shortcomings of Linux and UNIX systems for highly secure environments. Most Linux distributions offer a useful, limited set of SELinux policies that are turned on by default.