Linux

10 ways to secure your Linux desktop

Out of the box, a Linux desktop is highly secure -- but this level of security doesn't necessarily involve specialized software or techniques. Sometimes, the easiest means to security are those measures that are the easiest to forget. Jack Wallen looks at 10 things you can do to secure your Linux desktop.

Out of the box, a Linux desktop is far more secure than most others. But this level of security doesn't necessarily involve typical security-focused software or techniques. Sometimes, the easiest means to security are those measures that are the easiest to forget. Let's take a look at 10 things you can do to secure a Linux desktop.Note that we're talking about the desktop, not a server. Linux server security is another beast all together -- one that would confuse the average desktop user.

This information is also available as a PDF download.

#1: Locking the screen and logging out is important

Most people forget that the Linux desktop is a multi-user environment. Because of this, you can log out of your desktop and others can log in. Not only does that mean that others could be using your desktop, it also means you can (and should) log out when you're finished working. Of course, logging out is not your only option. If you are the only user on your system, you can lock your screen instead. Locking your screen simply means that a password will be required to get back into the desktop. The difference here is that you can leave applications running and lock the desktop. When you unlock the desktop, those same programs will still be running. Safe and secure.

#2: Hiding files and folders is a quick fix

In Linux-land, files and folders are hidden by adding a "." before the name. So the file test will appear in a file browser, whereas .test will not. Most people don't know that running the command ls -a will show hidden files and folders. So if you have folders or files you don't want your co-workers to see, simply add the dot to the beginning of the file or folder name. You can do this from the command line like so: mv test .test.

#3: A good password is a must

Your password on a Linux PC is your golden key. If you give that password out, or if you use a weak password, your golden key could become everyone's golden key. And if you're using a distribution like Ubuntu, that password will give users much more access than, say, on Fedora. To that end, make sure your password is strong. There are many password generators you can use (such as Automated Password Generator.

#4: Installing file-sharing applications is a slippery slope

I know many Linux users are prone to file sharing. If you want to run that risk at home, that's your call. But when at work, you not only open yourself (or your company) up to lawsuits, you open your desktop machine up to other users who might have access to sensitive data on your work PC. So as a rule, do not install file-sharing tools.

#5: Updating your machine regularly is a smart thing

Linux isn't Windows. With Windows, you get security updates when Microsoft releases them (which could be many months away). With Linux, a security update can come minutes or hours after the security flaw is detected. With both KDE and GNOME, there are update applets for the Panel. I always recommend having them up and running so you know when updates are made available. Don't put off security updates. There is a reason they come out.

#6: Installing virus protection is actually useful in Linux

Believe it or not, virus protection in Linux has its place. Of course, the chances of a virus causing problems on YOUR Linux machine are slim to none. But those e-mails you forward to others' Windows machines could cause problems. With a good virus protection (like ClamAV), you can ensure that e-mail going out of your machine doesn't contain anything nasty that could come back to haunt you (or your company).

#7: SELinux is there for a reason

SELinux (Security-Enhanced Linux) was created by NSA. 'Nuf said? What SELinux does is help lock down access control to applications. And it does it very well. Sure, SELinux can sometimes be a pain. In some cases, it might take a hit out of your system performance. Or you might find some applications a struggle to install. But the security comfort you gain using SELinux (or Apparmor) far outweighs the negatives. During the Fedora installation, you get the chance to enable SELinux.

#8: Creating /home in a separate partition is safer

The default Linux installation places your /home directory right in the root of your system. Sure, this is fine, but 1) it's standard, so anyone gaining access to your machine knows right where your data is and 2) if your machine goes down for good, your data might be gone. To solve this problem, you can place /home on a different hard drive or partition all together (making it a partition in and of itself). This is not a task for the weak of heart, but it is one worth employing if you're uber-concerned about your data.

#9: Using a nonstandard desktop is worth its weight in gold

Not only do the alternative desktops (Enlightenment, Blackbox, Fluxbox, etc.) give you a whole new look and feel for your PC, they offer simple security from prying eyes you may never have thought of. I have deployed Fluxbox on kiosk machines when I wanted a machine that could do one thing: Browse the network. How do you do that? Simple. Create a single mouse menu (or desktop icon) for the application you want to use. Unless the user knows how to get back to the command line (by logging out or hitting Ctrl-Alt-F*, where * is a desktop other than the one you are using), they will not be able to start up any application other than the one offered. Since most users have no idea how to move around in these desktops anyway, they aren't going to have the slightest idea how to get to your files. Simple pseudo-security.

#10: Stopping services is best

This is a desktop machine. It's not a server. So why are you running services like httpd, ftpd, and sshd? You shouldn't need them and they only pose a security risk (unless you know how to lock them down.) So don't run them. Check your /etc/inetd.conf file and make sure that all unnecessary services are commented out.

Simple but effective

You might find these suggestions to be pure common sense -- but maybe you'll see a means of security you never thought of before. And if you're a new Linux user, these tips are a great place to start to ensure that your Linux experience is a good one.

About

Jack Wallen is an award-winning writer for TechRepublic and Linux.com. He’s an avid promoter of open source and the voice of The Android Expert. For more news about Jack Wallen, visit his website getjackd.net.

25 comments
michelechoina
michelechoina

i have a huge problem  i have a 20 year old special child ... adult already, who's very into linux debian and has no self control to leave his computer and take care of life responsibilities.   i need to find out how to lock him off the computer and he agrees, but keeps blabbing about one thing or another and i need a straight answer please.  thanks.

derekmelber
derekmelber

Jack nails it again! The only thing I would add, for both Unix and Windows, is to implement least privilege! BEyondTrust has both products for least privilege. PowerBroker is just awesome! www.beyondtrust.com Derek Melber, MVP

Penguin_me
Penguin_me

There is another alternative to SELinux and Apparmor - Bastille (link: http://bastille-linux.sourceforge.net/ ) - it's another "secure your system" program, but it's an interactive one. It asks the user if they want to do an action (say turning off services) - but it explains what they are, what it does, implications, and offers a default option (with an explanation on why it's a good option). I recommend it over most others, simply because you actually *learn* what it's doing and why, rather than finding that it's done everything for you with no explanation. http://bastille-linux.sourceforge.net/screenshot.htm That's a small screenshot of one of the Bastille options - at the top it has the question ("do you want to enable kernel-based stack execution prevention") which can be daunting, but below it it gives you a description of what that option is, what it does, and what disabling it does, and how to undo it.

Gis Bun
Gis Bun

You mean Linux isn't secure? I thought it was the most secure OS on the planet!

Illeg
Illeg

"#1: Locking the screen and logging out is important" OK, well I considered that to be a no-brainer, but its as well to state it expicitly. "#2: Hiding files and folders is a quick fix" Yes, but not really a very good one. This will only defeat someone who has more than an introductory level of knowledge althoug it might get someone who has only 30 seconds to find gold. it might be worth doing, but only in combination with other things. "#3: A good password is a must" This is where I have a big problem with what you have, or more precisely haven't, written. Where is the mention of the root password? I know some of the more user friendly distros don't have a separate root password, but given dektop user's habits of just ignoring the root account, they could easily forget about a strong root password. "#8: Creating /home in a separate partition is safer" Probably true, but: "1) it???s standard, so anyone gaining access to your machine knows right where your data...To solve this problem, you can place /home on a different hard drive or partition all together (making it a partition in and of itself)" Is a complete non-sequitur. When you put home on a separate partition, it still looks and feels exactly as home were in the 'standard' place (you have to look at mtab, fstab or use mount to detect that its in action), so it does nothing to deter the would-be hacker. "This is not a task for the weak of heart..." Come on, if done at install time this almost trivial. I always do this for other reasons and its doesn't really slow me down at all. It would be a different matter on an existing installation, when it might take a whole 5 minutes, or so.

Neon Samurai
Neon Samurai

1. absolutely. Locking your screen and logging out is a must even for the Windwos world (crtl+alt+del -> k = lockscreen). Obfuscation is hiding something and hoping that no one will find it. Security is being able to leave that thing in plain view and know that no one is able to compromise it in a reasonable amount of time. 2. This is obfuscation not security. You hide your files and "hope" that your co-workers and boss don't find them. This is a good tip keeping files from accidental deletion or keeping your directory clean by keeping non-user related files out of default view. I wouldn't include this as a security item with any confidence though. 3. Good password are hard to come by but something like Keepass/KeepassX helps a great deal and has a nifty generater built in. 4. gnutella does well as a file sharing client but if this list is for the work place, users shouldn't be able to install it anyhow. 5. updates are great; daily even. In the FOSS world, updates are an indication of continued activity in the project and further evolution of the program. The GUI package managers make it easy or a single command at the cli makes it even easier. 6. AV is always a must for my installs for the very reason you mention; My machines play with the Windows machiens in the schoolyard and I don't want them passing on anything they may pickup from a Windows kid. 7. I haven't isntalled SELinux so my experience is limited but if your going to install a SELinux strapped distro then use the thing. Don't be an average user and disable all your security because it's not convenient for you to configure it on your system. 8. Partitions; Always. At minimum, a root / and a /home. More ideally, a root /, /var, /home, /tmp. If you want to get fancy, also include a /boot, /var/www, /var/ftp, /var/log (but now I'm just going overboard). But, at minimum, seporate your /home from your root /.. you'll have the freedom to install your OS without killing your user config and data any time. 9. This I've considered but have never had reason to do yet. If your DE config is part of your restrictions enforcement then there is a whole range of highly configurable window managers to choose from. 10. This applies to any computer; if you don't need the program installed, why is it there? If you have to install the program but don't actually need it, why is it running? On *nix platforms, if you are going to run deamons then also make use of hosts.deny and hosts.allow or your equivalent along with the recommended inetd.conf changes. But that's just my two cents..

The 'G-Man.'
The 'G-Man.'

We have been lead to believe that it is secure and unhackable without any work by some. I have read countless posts on this very site. I don't need a firewall I don't need a virus scanner I'm totally safe beacusae I run..... Perhaps these peiople would care to add something now....

rajgopalhg
rajgopalhg

Who uses Linux desktop any way??

Neon Samurai
Neon Samurai

Last time I was looking at it for Mandriva 2007.0, it was supporting Mandriva 2006 or 2005. I almost switched to Debian purely to have the more current Bastille support. I've not checked recently for the most current supported distributions list.

Penguin_me
Penguin_me

Just because something is more secure / the most secure, doesn't mean (by any stretch of the imagination) that it is totally secure... The only way to make a PC totally secure is to never connect it to the 'net, keep it in a locked room, with a very long password, make sure nobody else can touch it, let alone use it, and never install any 3rd party programs. Even then, you have to hope nobody breaks into the "secure room" to compromise it. In short, nothing is totally secure. (I realise you're probably joking, but it's a point worth making).

pgit
pgit

No doubt the BSDs are more secure than Linux by default. BTW I don't trust SELinux, for some inexplicable reason. I use Linux desktop as well, have exclusively for almost a decade now. I have a lot of clients that use it, too. Most of those wonder why they labored with windows for so long. One item that should have been in the top 10: run a shorewall-variety firewall. Windows "firewalls" are 'shorewall' types, i.e. running in/on the same machine you intend to protect. There's numerous firewalls for Linux, most basically manipulating iptables. You can either customize an iptables config, or use one of the GUI apps for the task. Let's see, there's guard dog, firestarter, shorewall, nufw, ...I'm probably forgetting more than I'm remembering here. Lots of choice. I use shorewall on other's desktops.

Neon Samurai
Neon Samurai

And most die-hard fans (of any thing) demonstrait that by ignoring reality. You'll also notice that those same discussions usually include many long time Linux and BSD users pointing out that no OS is bulletproof and no software is bug free. Granted, in the Unix world, a breach is more often due to misconfiguration versus other systems where the majority of breaches are through software flaws. Now, on average the posix inspired systems do present a higher potential for security and higher default security. Each distribution is a different OS that should be considered seporately though as there are examples of good and bad just like good and bad examples of indavidual programs exist. As for the three bragging rights starters you provide: I don't need a [third party] firewall ... because the built in one is locked by default and is designed with security in mind from the ground up. (anyone saying they don't need a firewall on any network connected OS should be considered suspect) I don't need a virus scanner ... Well, that's just silly and anyone preaching as much as an advantage needs to reconsider. Mind you, the AV is 99% there to protect any Windows machines which I may be sending email or other data too. (If all one cared about was there own machine then there is currently a very low threat for a Linux/BSD based system without AV. I don't gamble on it but other's are free too.) I'm totally safe because I run ... This one I haven't seen. People claiming that there OS makes them bulletproof usually go into more technical detail about what makes it so rather than just talking in general; excluding the Cult of Apple who are bulletproof purely for owning Apple products of course. ;) But it was nice of you to take the opertunity too try and bash people for having different preferences.

speculatrix
speculatrix

the article was almost completely devoid of useful information, most of it was pointless, wrong or misleading information. About the only worthwhile one was to use a decent password!

Redsheep
Redsheep

Yes, that's how long I have been using it in a Windows shop.

Neon Samurai
Neon Samurai

dayjob = Windows, but it's not my choice and I need Excel supported functions home = rarely Windows and only for gaming these days, the rest of the time, all routers, servers and workstations run non-Windows. contract = not windows but it's network, server and security related and is my choice There are more using non-Windows/non-Apple desktops than you might think. If you meant "at work" then that list is likely much shorter depending on the industry.

stanton.chris.m
stanton.chris.m

Lowes home improvement warehouses? However, most people who work there never even heard of Linux anyway.

Penguin_me
Penguin_me

It appears that the last release was September, with another due soon. I have to admit, I normally use Debian, so I don't suffer that problem :P.

rkuhn040172
rkuhn040172

Was #2 and #9. More security through obscurity than real security.

Alan Henderson
Alan Henderson

If you're intent on being, at best, destructive or at worst, offensive, some elaboration of the reasons for your outrage would be useful to to the rest of us - unenlightened ignoramuses though we may be.

Neon Samurai
Neon Samurai

Heck, if I had the knowledge or time to learn it, I'd write the damn Mandriva 2008.1 profile sheet for Bastille myself. Too many other projects, hopefully Tripwire keeps the gaurd up until I get back around to a Bastille box. (maybe I'll do a Deb vm on the weekend so I can finally play with Bastille now that I think about it..)

Neon Samurai
Neon Samurai

2. hiding files and folders as a quick fix 9. Use a nonstandard desktop True. Pure obfuscation. In the first case, it's great for managing files and folders but "ls -a" is around the second command most people learn so they can find tehre .config files. In the case of #9, If a different UI allows one to work more efficiently with there machine they great; not security but improved interaction is good too. The real value is using something like Afterstep where it is easy to code a user's program menu in a single config file. Don't allow a cli terminal to be run from the UI menus or key commands and make sure crtl-alt-back dumps you back to the login rather than a cli. On there own and relying on obfuscation; these are both nothing more than stage magic tricks. Most people responding did point out those two though so I'm not going to hold one writters talking points against the greater community.