Bill Detwiler: As its advocates will remind you again and again, Linux is a very secure operating system. But that doesn't mean you should get complacent and ignore fundamental security measures.
I'm Bill Detwiler, and during this episode of TR Dojo, I'll go over five tips to improve your Linux system's security.
First, just because you trust your OS, don't give in to the temptation to bypass basic security features by disabling them.
For example, the keyring feature encrypts sensitive passwords and other information being sent over the Internet. Even though you might think it's a hassle to provide your keyring password when connecting to a network, it is a best practice to always use it.
Second, don't disable SELinux or Security-Enhanced Linux. SELinux isn't a distribution. It's a set of kernel modifications that can improve security by enforcing mandatory access control policies.
If a particular program isn't running properly, look into modifying one of your SELinux policies instead of just disabling SELinux altogether. If you don't want to make your modifications via the command line, check out a GUI tool called polgengui.
Third, if you run a multi-user environment, it's generally accepted that you should require users to change their passwords on a regular basis -- just not too frequently. And this is when the change (or chage) command comes in handy.
You can check the expiration with the command: sudo chage -l USERNAME (where USERNAME is the name of the user you want to check).
Let's say you want to expire a user's password and make him change it upon next login.
To do this, you could use a sudo change command like the one shown here. You'll want to modify the option values to fit your needs.
For example, the value after the -E is the explicit expiration date, the value after the - lower-case m is the minimum password age, the value after the - upper-case M specifies the maximum password age, the value after the - upper-case I is the allowed period of inactivity in days, the value after the - upper-case W is the number of days before the password expires, and username is just that.
The fourth tip is one that you've probably heard numerous times, but it bears repeating: Linux users should NOT be logging in as the root user. If you need to administer a machine, log in as your regular user and either su to the root user or take advantage of sudo.
When you log in as the root user, you effectively bypass a major security hurdle and allow access to systems and subsystems that normally wouldn't be accessible when logged in as a standard user. Do not do this. Log in with your regular account. Period.
Lastly, you should install updates in a timely fashion. There is a big difference between the way Linux and Windows handle updates. Where Windows typically does an infrequent massive update, Linux does frequent smaller updates.
Ignoring these updates can be disastrous if the right security hole is not patched on your system. You have to remember, some of those updates are in fact security patches and need to be applied immediately. And if you are using a GUI-less server, make sure you set up a cron job to check for updates or check them manually either daily or weekly. The bottom line is that by staying up to date, you stay more secure.
Just by sticking to the basics, you can make your Linux system pretty airtight. For additional Linux tips and tricks, check out our Linux and Open Source blog or subscribe to the companion newsletter.
And as always, for more teachings on your path to becoming an IT Ninja, visit trdojo.techrepublic.com, or you can follow me on Twitter at twitter.com/billdetwiler.
Thanks for visiting the TR Dojo.
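
The following is an added example, not part of the episode or of any command shown in it: a shell audit that reads shadow(5)-format lines and reports accounts whose password-aging fields (the ones the chage options in the third tip set) are weaker than a chosen policy. The function names `audit_aging` and `sample_shadow`, the 90-day limit, and the sample accounts are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: audit password-aging fields in shadow(5)-format lines.
# Field layout: name:hash:lastchg:min:max:warn:inactive:expire:reserved
# chage options that set them: -m min, -M max, -W warn, -I inactive, -E expire

# audit_aging MAX_DAYS  (hypothetical helper; reads shadow-format lines on stdin)
# Prints "user: finding" for each account with a usable password whose
# aging settings are weaker than the policy.
audit_aging() {
    awk -F: -v limit="$1" '
        # Skip locked or passwordless accounts (hash field empty, "!" or "*").
        $2 == "" || $2 ~ /^[!*]/ { next }
        {
            if ($5 == "" || $5 + 0 >= 99999)
                print $1 ": password never expires (set -M)"
            else if ($5 + 0 > limit)
                print $1 ": max age " $5 " exceeds " limit " days"
            if ($6 == "" || $6 + 0 == 0)
                print $1 ": no expiry warning (set -W)"
            if ($7 == "")
                print $1 ": no inactivity lock (set -I)"
        }'
}

# Constructed sample data (not from a real system); hashes are placeholders.
sample_shadow() {
    cat <<'EOF'
root:!:19000:0:99999:7:::
alice:$6$PLACEHOLDER:19700:5:90:14:30::
bob:$6$PLACEHOLDER:19000:0:99999:7:::
carol:$6$PLACEHOLDER:19650:0:365:0:30::
EOF
}

sample_shadow | audit_aging 90
# A flagged account could then be brought into policy with, for example
# (values constructed): sudo chage -m 5 -M 90 -W 14 -I 30 bob
# On a live system: sudo cat /etc/shadow | audit_aging 90
```
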