How to properly secure a Linux computer

Obviously, there are different methods for securing based on home versus professional computers. My question generally pertains to securing home desktops, but professional protection is definitely welcome :) Knowledge is power.

Ever since moving to the wonderful world of Linux a couple years ago, I never even really thought about security, seeing as most low-life scum make viruses for Windows machines since they're more abundant.

But how do I know if I'm safe/secure from anyone who wants to get at me or my stuff? I know that anyone who is determined enough to get in will, there's no question about that. But what steps can I take to ensure I'm protected from things like rogue root shells and automatic attacks? Also, is there a sort of built-in firewall/antivirus in most Linux distros?

I know this question is quite broad seeing as there are tons of ways someone could compromise your system, but maybe you could share what you did to make sure you were safe.

EDIT: I decided to not allow root login via ssh and to change the port it listens on to something random. Hopefully this is a step in the right direction. Currently looking at iptables and shutting down services. Hopefully this question will get a lot of quality responses (it's already got 3) and it'll help other paranoids :)

EDIT 2: Got some iptables issues, but it's proving to be a good tool

EDIT 3: As of yet, no one has touched on the issue of hard drive encryption. Is this worth it? I've never used it before so I'm unaware of how it all works. How easy is this to accomplish?

One more edit: in terms of services that should be running on your system, which ones should or shouldn't be running? Which ports should be open on your box? Of course this depends on what you use, but what's opened by default and what is dangerous?

n0pe

Posted 2011-04-21T22:58:04.810

Reputation: 14 506

Don't connect to the Internet. – Wuffers – 2011-04-21T23:00:22.283

There isn't a way to completely secure anything, there's always going to be a hole to get into your system somewhere – Sandeep Bansal – 2011-04-21T23:04:35.340

I mentioned that in my question above, also the question was changed from "completely" to "properly" – n0pe – 2011-04-21T23:10:00.470

Properly? Oh, in that case, don't connect it to anything. (This question deserves a lot of votes!) – Randolf Richardson – 2011-04-21T23:17:25.627

Yeah not connecting to anything would be the obvious one. Along with putting the computer in a box, not connected to power either (in case the hacker surges the power to your house) :) – n0pe – 2011-04-21T23:22:03.847

If the threat can't get there through the internet, it can get there via sneakernet. That said, you work to address the most common vulnerabilities unique to your operating situation, rather than lapse into paranoia by attempting to mitigate any and all possible threats. – music2myear – 2011-04-22T18:45:56.327

I like that philosophy @music2myear. It makes a lot of sense, thanks. – n0pe – 2011-04-22T18:55:17.477

You're welcome. I know it isn't an answer, but given the possible permutations of what may be a correct answer to this question, it helps cut through some of the noise to know what "secure" means for you. – music2myear – 2011-04-22T19:05:39.640

Answers

8

You can get very tricky with iptables. Take a look at the man page and you'll see just how complex this piece of software is. Aside from not connecting to the net as mentioned above, this is probably about as good as you can do.

If you're using ssh be sure to not use passwords but instead use public keys.

Only install software from the distribution's trusted repos. There are various measures in place that help to maintain the integrity of the packages found in said repos.

Keep your system up to date.

Don't run as root - elevate privileges only when you must.

When browsing the web use things like FlashBlock/AdBlock/NoScript.

Don't panic.

boehj

Posted 2011-04-21T22:58:04.810

Reputation: 1 042

Don't read the man pages for iptables; instead read https://www.frozentux.net/iptables-tutorial/iptables-tutorial.html – cybernard – 2017-11-09T01:45:17.693

+1 for the Hitchhiker's reference! err.... in 34 min (vote cap -_-) – n0pe – 2011-04-21T23:26:02.067

I like UFW for making iptables accessible to mere mortals ;) – Andrew Lambert – 2011-04-22T00:27:54.847

Haha... ah yes, thanks for that. Agreed that UPW is worth looking at. – boehj – 2011-04-22T06:12:03.333

That's UFW, sorry. Had a bad typo day yesterday. :) – boehj – 2011-04-23T06:26:13.463
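The question's edit (no root login over ssh, a non-default port) and this answer (keys instead of passwords) boil down to a few sshd_config keywords. As an added example, not code from the thread or from OpenSSH, the script below audits a config file for those settings; the two sample configs are constructed for the demonstration, and it reads only top-level keywords (no `Match` blocks).

```shell
#!/bin/sh
# Added example: audit an sshd_config for the settings discussed above.
# sshd honours the FIRST occurrence of a keyword, so that is the one we read.
get_opt() {  # get_opt KEYWORD FILE -> lowercased value, or empty if unset
  grep -iE "^[[:space:]]*$1[[:space:]]+" "$2" | head -n 1 | awk '{print tolower($2)}'
}

# check_sshd_config FILE -> one line per finding; returns 0 only if all pass
check_sshd_config() {
  rc=0
  root=$(get_opt PermitRootLogin "$1")
  pass=$(get_opt PasswordAuthentication "$1")
  port=$(get_opt Port "$1")
  # An unset PermitRootLogin is flagged too: the built-in default has varied
  # between OpenSSH releases (older ones defaulted to "yes"), so set it explicitly.
  if [ "$root" != "no" ]; then
    echo "FAIL PermitRootLogin is '${root:-unset}', expected 'no'"; rc=1
  fi
  # Unset PasswordAuthentication means the default, which is "yes".
  if [ "$pass" != "no" ]; then
    echo "FAIL PasswordAuthentication is '${pass:-unset}', expected 'no' (use keys)"; rc=1
  fi
  # A non-standard port only cuts log noise from automated scans; it is informational.
  if [ "${port:-22}" = "22" ]; then
    echo "INFO Port is 22 (default); a different port reduces scan noise only"
  fi
  return $rc
}

# Constructed sample configs for the demonstration.
WEAK=$(mktemp); HARD=$(mktemp)
cat > "$WEAK" <<'EOF'
# stock-looking config: root login left at the default, passwords allowed
#PermitRootLogin yes
PasswordAuthentication yes
EOF
cat > "$HARD" <<'EOF'
Port 2222
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
EOF

echo "== weak =="; check_sshd_config "$WEAK" || echo "weak config: FAIL"
echo "== hardened =="; check_sshd_config "$HARD" && echo "hardened config: OK"
rm -f "$WEAK" "$HARD"
```

Run it against a copy of /etc/ssh/sshd_config by replacing the sample path; remember to reload sshd and test a second session before closing the one you are in.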

5

You'll be fine with an out-of-the-box Linux installation, just disable any services you don't use. If it's a home PC then you have nothing major to worry about.

I have been running Ubuntu on my desktop for years with just a few services being disabled, like bluetooth and folder sharing and then use the OS. You can install an antivirus if you want but it's not really needed.

Sandeep Bansal

Posted 2011-04-21T22:58:04.810

Reputation: 6 168

Thanks, I'll be taking a look through my services later today when I get the chance. – n0pe – 2011-04-21T23:22:43.257

5

It very strongly depends on what you're using it for, and what ports are open. For example, if you have lots of services exposed to the internet, and they are things that are often misused, fail2ban is awesome - I use it to block random ssh exploits for example.

Not using your root account is also common sense. The Ubuntu way of not HAVING a root account actually has some merit as well, as your common brute force attacks would try to guess usernames AND passwords.

Finally, as mentioned before, lower your threat exposure - shut down any services not in use, and any ports that aren't immediately needed.

Journeyman Geek

Posted 2011-04-21T22:58:04.810

Reputation: 119 122

Ubuntu doesn't have a root account? I used that before openSUSE and always used the sudo command. Does that mean that sudo "virtualizes" a root user or something? – n0pe – 2011-04-21T23:58:41.147

There is a 'root' account without a password, actually. sudo temporarily elevates your privileges to root, but you can't actually log in as root without sudo su – Journeyman Geek – 2011-04-22T00:00:38.510

very cool, didn't know that – n0pe – 2011-04-22T00:01:19.087

If you give root a password with sudo passwd root then you can login as root... not that you'd need to. – Stacey Richards – 2011-04-23T23:31:09.050

4

Have a look at the NSA guide to securing Red Hat Linux. It's a good starter guide for locking down a basic system. You might not be using Red Hat, but it gives you a good idea of what to look at. Of course, if you provide any services on your system, then you'll need to look at the risks from those services.

Xenoactive

Posted 2011-04-21T22:58:04.810

Reputation: 992

2

Hard drive encryption is relatively simple and straightforward to set up. Some distros (notably Ubuntu) offer to encrypt your home directory for you at installation time.

Whether it is worth it or not? Well, it won't protect your data against someone from the internet breaking in - once the computer is booted and the filesystems are mounted (encrypted or not) the computer can read the data - and hence the attacker can read the data.

What it does protect you against is someone physically breaking into your house and stealing your computer. It stops them being able to get at your data. Not that many house-breakers want the data; they just want to sell the computer on for a quick buck so they can go score some more drugs.

You're better off individually encrypting your sensitive files so only you can get at them with a key / pass-phrase. That will prevent them being easily read by an attacker.

Majenko

Posted 2011-04-21T22:58:04.810

Reputation: 29 007