March 23, 2009

Securing a Linux Workstation

There seems to be an attitude that if you want a secure computer, all you need to do is install Linux (or MacOS, which is based on Linux) and you are all set, as secure as can be. This is not entirely accurate. It is true that there are fewer viruses circulating that target Linux systems, but that is because Linux workstations account for a small percentage of the operating system landscape. The viruses and malware that do target Linux systems can be extremely devastating, and difficult or impossible to recover from without significant loss of data (possibly requiring a reformat of the computer).

Many people believe that in order to secure a Linux system, all you need to do is keep the installed applications patched and out of the root userspace and configure the built-in firewall, and then you are good to go. This may be sufficient for some low-security web server situations. On a workstation, however, these steps are inadequate at best. Even servers that deal with a high volume of untrusted content (such as FTP, SMTP, peer-to-peer or chat servers) should take additional precautions.

The first step is to install a strong antivirus application. Although there are fewer known Linux viruses in circulation, there are more known Linux viruses in existence - most hackers got their start on Linux systems. And as viruses become more adaptable and the operating system landscape more varied, there will be more potential for cross-platform infections. There is already malware in circulation that specifically targets Linux systems for use in botnets, and the last line of defense is antivirus software.

The next step is to install a strong two-way firewall. On a production workstation, the firewall built into Linux is insufficient as configured by default: although it will block incoming connections, it does nothing to monitor outgoing traffic. Watching outbound connections is an important step in detecting and preventing backdoor attacks.
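As an added example (not from the original post), the following script builds an iptables ruleset that does the two-way filtering the paragraph calls for: the kernel's netfilter firewall can restrict outbound connections as well as inbound ones once it is told to. New outbound connections are allowed only to an explicit port list, and anything else is logged with a recognisable prefix and rejected, so a backdoor phoning home shows up in the system log instead of silently succeeding. The port lists and the `iptables-restore` invocation are assumptions; adjust them to the workstation before applying.

```shell
#!/bin/sh
# Added example, not the original post's code: generate (and optionally apply)
# an iptables ruleset with a default-drop OUTPUT chain. Assumes iptables-restore
# is present; "sh egress-fw.sh show" prints the rules, "apply" loads them (root).

# Outbound ports this workstation is expected to open (assumed list: DNS, HTTP,
# HTTPS, SSH over TCP; DNS and NTP over UDP). Override via the environment.
ALLOWED_TCP_OUT="${ALLOWED_TCP_OUT:-53 80 443 22}"
ALLOWED_UDP_OUT="${ALLOWED_UDP_OUT:-53 123}"

# Print an iptables-restore ruleset to stdout.
egress_ruleset() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:OUT_LOG - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
EOF
    # One ACCEPT rule per allowed destination port, matching only NEW
    # connections; replies are already covered by the conntrack rule above.
    for p in $ALLOWED_TCP_OUT; do
        printf -- '-A OUTPUT -p tcp --dport %s -m conntrack --ctstate NEW -j ACCEPT\n' "$p"
    done
    for p in $ALLOWED_UDP_OUT; do
        printf -- '-A OUTPUT -p udp --dport %s -m conntrack --ctstate NEW -j ACCEPT\n' "$p"
    done
    # Everything else: rate-limited log line, then reject so the process
    # fails fast instead of hanging on a silently dropped packet.
    cat <<'EOF'
-A OUTPUT -j OUT_LOG
-A OUT_LOG -m limit --limit 5/min -j LOG --log-prefix "FW-EGRESS-BLOCKED: " --log-level 4
-A OUT_LOG -j REJECT --reject-with icmp-port-unreachable
COMMIT
EOF
}

case "${1:-show}" in
    show)  egress_ruleset ;;
    apply) egress_ruleset | iptables-restore ;;
    *)     echo "usage: $0 [show|apply]" >&2; exit 2 ;;
esac
```

After applying, `grep FW-EGRESS-BLOCKED /var/log/kern.log` (or `journalctl -k`) lists every process that tried to reach a port outside the allow-list, which is exactly the outbound visibility the paragraph asks for.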

Next, it is essential to make sure that only software and services that you will actually be using have been installed on the system. This requires going through the services list on Linux and removing anything you will not be using. Most Linux installers have gotten better at not installing extraneous packages. However, some installers still install Apache on workstations, or FTP servers on home PCs. If you won't be using it, it shouldn't be on your computer.
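The quickest way to find the extraneous services the paragraph warns about is to look at what is actually listening on the network rather than at the package list. The script below is an added example (not the original post's code): it reads `ss -tuln` output, compares each listening socket against an allow-list for a plain workstation, and prints the rest. The allow-list and the sample `ss` output are constructed assumptions; a stray Apache or FTP daemon appears as a `tcp 80` or `tcp 21` line.

```shell
#!/bin/sh
# Added example, not the original post's code: report listening sockets that a
# plain workstation has no reason to have. Assumes iproute2's "ss" for live use;
# "sh audit-listeners.sh --demo" runs against the constructed sample below.

# "proto:port" pairs a bare workstation is expected to listen on (assumption:
# DHCP client, local CUPS printing, mDNS). Override via the environment.
ALLOWED_LISTENERS="${ALLOWED_LISTENERS:-udp:68 tcp:631 udp:5353}"

# Read "ss -tuln" style lines on stdin and print "proto port address" for each
# listener not on the allow-list. Returns 1 if any were printed, else 0.
audit_listeners() {
    found=0
    while read -r proto state recvq sendq laddr peer rest; do
        # skip the header line and anything that is not tcp/udp
        case "$proto" in tcp|udp) ;; *) continue ;; esac
        # ss prints the port after the last ':' of the local address,
        # which handles 0.0.0.0:22, [::]:22 and *:22 alike
        port=${laddr##*:}
        addr=${laddr%:*}
        case " $ALLOWED_LISTENERS " in
            *" $proto:$port "*) continue ;;
        esac
        printf '%s %s %s\n' "$proto" "$port" "$addr"
        found=1
    done
    return $found
}

# Constructed sample of "ss -tuln" output for the demo (not real system data).
SAMPLE_SS='Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
udp   UNCONN 0      0          0.0.0.0:68        0.0.0.0:*
udp   UNCONN 0      0          0.0.0.0:5353      0.0.0.0:*
tcp   LISTEN 0      128        0.0.0.0:22        0.0.0.0:*
tcp   LISTEN 0      511        0.0.0.0:80        0.0.0.0:*
tcp   LISTEN 0      32         0.0.0.0:21        0.0.0.0:*
tcp   LISTEN 0      5          127.0.0.1:631     0.0.0.0:*'

if [ "${1:-}" = "--demo" ] || ! command -v ss >/dev/null 2>&1; then
    printf '%s\n' "$SAMPLE_SS" | audit_listeners && echo "(sample) no unexpected listeners"
else
    ss -tuln | audit_listeners && echo "no unexpected listeners"
fi
```

The non-zero return makes the function usable from cron or a login script as a nag; for each reported port, `ss -tulnp` (as root) names the owning process, which is the package to remove or the unit to disable.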

Finally, make sure you have enabled the automatic patch system that is part of your Linux distro. This utility will run in the background and alert you to important patches for your operating system and much of your software. These patches range from security updates to performance and stability fixes. Expect to be applying patches 1-2 times a month. With the background updater, many patches may be applied without you needing to take any action at all. Be aware, however, that the background patch utility may not handle all of the applications on your system. You may need to manually update other programs.
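Because the background updater may not cover everything, it helps to have an independent check that says whether security patches are waiting. The script below is an added example (not the original post's code) for Debian- or Ubuntu-based distributions: it runs `apt-get -s upgrade` (a simulation that installs nothing), keeps only the pending packages whose origin is a security repository, and returns non-zero when any exist, so it can run from cron. The package names and version strings in the embedded sample are constructed for the demo.

```shell
#!/bin/sh
# Added example, not the original post's code: list pending security updates
# on a Debian/Ubuntu system. Assumes apt-get; the "-s" simulation needs no root
# and changes nothing. "sh check-security-updates.sh --demo" uses sample data.

# Read "apt-get -s upgrade" output on stdin and print "package old new" for
# every pending update coming from a security origin. Returns 0 when none are
# pending, 1 when at least one is.
pending_security_updates() {
    n=0
    while read -r action pkg old rest; do
        # simulation lines look like:
        #   Inst pkg [old] (new Origin:release/suite [arch])
        #   Conf pkg (new Origin:release/suite [arch])
        [ "$action" = "Inst" ] || continue
        case "$old" in
            "("*) rest="$old $rest"; old="-" ;;   # newly installed, no old version
            *)    old=${old#[}; old=${old%]} ;;
        esac
        # origin strings: "Debian-Security:..." or "Ubuntu:.../jammy-security"
        case "$rest" in
            *Security:*|*-security*) ;;
            *) continue ;;
        esac
        new=${rest#\(}
        new=${new%% *}
        printf '%s %s %s\n' "$pkg" "$old" "$new"
        n=$((n + 1))
    done
    [ "$n" -eq 0 ]
}

# Constructed sample of "apt-get -s upgrade" output (versions are made up).
SAMPLE_APT='Reading package lists...
Building dependency tree...
Reading state information...
Calculating upgrade...
Inst libssl1.1 [1.0.0-1] (1.0.0-2 Debian-Security:11/stable-security [amd64])
Inst vim-common [2.0-1] (2.0-2 Debian:11.6/stable [all])
Inst firefox-esr [100.0-1] (100.1-1 Debian-Security:11/stable-security [amd64])
Inst libfoo-new (3.0-1 Ubuntu:22.04/jammy-security [amd64])
Conf libssl1.1 (1.0.0-2 Debian-Security:11/stable-security [amd64])
Conf vim-common (2.0-2 Debian:11.6/stable [all])'

if [ "${1:-}" = "--demo" ] || ! command -v apt-get >/dev/null 2>&1; then
    printf '%s\n' "$SAMPLE_APT" | pending_security_updates && echo "(sample) no pending security updates"
else
    apt-get -s upgrade 2>/dev/null | pending_security_updates && echo "no pending security updates"
fi
```

Applications installed outside the package manager (a browser downloaded as a tarball, for instance) never appear in this output, which is the gap the paragraph describes; those still need checking by hand.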
