Cymraeg

Safe Linux Use

This page provides advice on some of the most important activities that are particularly relevant for protecting Linux workstations. It includes advice for people running individual Linux workstations (for example, home or small business users).

Most modern Linux distributions provide some basic security features (automatic software/service updates, event logging, access control and firewall functions), which are often enabled by default as part of the Linux build. Individuals setting up a Linux workstation should have a basic understanding of the operating system, and if necessary obtain further guidance (such as from the official Linux distribution website, official online Linux forums or security mailing lists for the particular Linux distribution used).

The risks

Behaviour risks

  • Many risks such as fraud, phishing, spam and identity theft apply to Linux users as much as users of other operating systems.
  • Poor user choices, such as weak or no passwords, failing to monitor event logs and not configuring Linux software correctly.

Technology risks

  • Risks to Linux workstations can increase due to running unnecessary services and leaving vulnerable network ports open.
  • Failing to patch Linux software and services quickly or at all, especially with published vulnerabilities.
  • Running inherently insecure services, such as using a system designed for use on a local area network over the internet.

Exploitation risks

  • Social engineering, information theft.
  • Spam, Trojans, botnets, back doors, viruses, rootkits.
  • Denial of service attacks.
  • Unauthorised Privilege escalation.

Protecting your information and workstation

Getting started

  1. Acquire the Linux operating system software (including binaries, setup files and patches) from trusted, reliable and reputable sources, such as an official Linux distribution CD/DVD or legitimate  Linux distribution website.
  2. Configure the Linux workstation file systems with multiple partitions (for example using fdisk (or equivalent) to create a separate root partition, swap space, binary files and users file space).
  3. Check the authenticity of all Linux operating system software before installing (for example by validating their digital signatures and/or checksum values).
  4. Avoid logging in as a privileged user such as root. Instead, log in as a non-privileged user account and use the su command to perform administrative tasks.
  5. Disable the autorun feature (or equivalent) to prevent media being mounted automatically.
  6. Configure user accounts to lock the session after a pre-defined period of inactivity (for example 15 minutes).
  7. Maintain an up-to-date Linux build (for example by regularly checking for updates and patches for the operating system and all applications).

Configuring services and users

  1. Disable or restrict all unnecessary services and unnecessary start-up scripts (including those associated with Bluetooth, USB, wireless networking and infrared).
  2. Avoid using insecure administration programs such as rlogin, telnet, tftp, ftp, rsh and rexec, and instead use secure remote login, file transfer and shell programs, such as sftp, scp and ssh.
  3. Remove unnecessary user accounts (for example, guest) and groups, and ensure all user accounts are required to authenticate (for example, using a password) before being granted access to the Linux workstation.
  4. Use strong passwords for all user accounts on the Linux workstation (for example, minimum eight characters, mix of uppercase, lowercase, alphanumeric and special characters).
  5. Protecting Linux workstations requires a range of activities, many of which are relevant to all computers regardless of operating system software used, including Microsoft Windows and Apple Mac OS X (for example, protecting the boot sequence, setting the permissions of files, configuring event logging, establishing backups and monitoring for suspicious files or activity).
  6. Individuals requiring more detailed advice for protecting Linux workstations (including firewalls, virus protection, disk and file encryption, email protection, web browser configuration, and backup software) should consult specialist advice from an individual or organisations that specialise in Linux and Linux security.

In partnership with

Jargon Buster

A Glossary of terms used in this article:

Bluetooth

A type of short-range wireless connection between devices like mobile phones, headsets and computers.

Encrypted

The process of converting data into cipher text (a type of code) to prevent it from being understood by an unauthorised party.

Identity theft

The crime of impersonating someone – by using their private information – for financial gain.

Linux

An open-source, freely-available operating system.

Social engineering

Use of deceit offline to gain access to secure systems or personal information, for example impersonating a technical support agent.

Spam

Unsolicited commercial e-mail. Also known as junk e-mail.

USB

Universal Serial Bus: a means of physically connecting computers and peripherals such as external storage, keyboards and MP3 players.