7 Steps To Securing Your Linux PC
In a stroke of what I can only describe as pure genius, I installed a utility to remember all my passwords and passphrases with just one master passphrase (which I could remember just fine). Where had I installed that utility? In my /home filesystem, of course.
This episode proved two things to me (three, if you include the revelation that I can be dumb sometimes). First, I was using some pretty serious encryption to protect things that didn’t warrant protection: it turned out that even I wasn’t bothered about the files I’d lost. I’d be confident a spy, thief or Government agent would still be less excited.
Second, in this case, I got the security trade-off wrong. Security is normally a balance between ease of use and protecting your data, and I’d managed to stomp all over my ease of use for the sake of some data that neither I nor anyone else really cared about.
I’d also forgotten the obvious point that if someone wanted to get at my data, all they needed to do was either a) get hold of the computer whilst it was running and the drive already mounted or b) get hold of me and threaten to break my legs unless I told them the passphrase (I promise you I would have cracked very quickly).
When it comes to your security, that trade-off is important. There are countless tools out there, but you need to figure out how much security hassle you want in your life, what threats you’re aiming to protect yourself against, and what you’ve got that’s worth protecting from prying eyes. Otherwise, it’s possible that the person whose password is “123456” could find themselves in a much better place than the person with double encryption and a laptop that self-destructs after five incorrect passwords are entered.
With that in mind, here are a few simple ways to boost your desktop Linux security.
1. Pick a password you don’t have to write down
Traditionally, we’re told about the importance of picking a long, complex password, and there’s something to that. Specifically, it makes it a lot harder for anyone trying to break into your computer using a brute force attack, or for someone who’s somehow gotten hold of your hashed password file and is running cracking software against it.
But that’s unlikely to be what you have to worry about (honestly – criminals have much easier ways to steal valuable data than attacking individual PCs).
The threat you most likely face is someone casually trying to snoop on your data, or a work colleague thinking it would be a real laugh to send an inappropriate email, tweet or Facebook post from your account. The best way to protect against that is to have a password you keep to yourself and don’t need to write down anywhere.
Oh – and do remember to leave the screen locked when you’re away from the computer.
2. Use a BIOS password
So you’ve picked a devilishly complex password for your Linux login, including lower and upper case letters, numbers and symbols. Shame then that the person who wants to access your files has physical access to your computer and can boot off external media, bypassing your password completely.
Having encrypted partitions is one way to avoid this. However, a simpler way, which still puts a significant barrier in the way of an attacker, is to enable a BIOS password that has to be entered on bootup.
3. Disable unused services
Check which services you’re running on your computer and disable the ones you don’t need. If you’re not running a web server, you really shouldn’t have httpd running. If you’re not acting as a secure shell server, sshd should be disabled. Not only will it free up resources on your computer, but it’ll protect you should a security exploit emerge in one of those services (as they do on a fairly regular basis).
Unfortunately, although disabling services at startup is simple on Windows, it’s annoyingly complex for non-technical users on Linux and varies between distros. You need to look in /etc/init.d (having fired up a terminal and got root access) or install a graphical manager like the oh-so-amusingly named BUM (Boot-up manager).
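As an added example (not from the original article), this shell function lists the services a SysV-style runlevel directory starts that are not on your own list of needed services. The runlevel directory layout (S<NN><name> start links), the service names and the "needed" list are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: report SysV-style services started in a runlevel that are
# not on your own "needed" list. Names and paths below are constructed.

# unneeded_services RCDIR "name1 name2 ..."
# RCDIR is a runlevel directory holding S<NN><name> start links
# (for instance /etc/rc3.d or /etc/rc.d/rc3.d, depending on the distro).
unneeded_services() {
    rcdir=$1
    needed=$2
    for link in "$rcdir"/S[0-9][0-9]*; do
        # An unmatched glob stays literal; skip it.
        [ -e "$link" ] || [ -L "$link" ] || continue
        name=${link##*/}            # e.g. S55sshd
        name=${name#S[0-9][0-9]}    # e.g. sshd
        case " $needed " in
            *" $name "*) ;;                   # wanted: say nothing
            *) printf '%s\n' "$name" ;;       # candidate to disable
        esac
    done
}

# Build a constructed runlevel directory so the example runs anywhere.
# Real entries are symlinks into /etc/init.d; plain files stand in here.
demo() {
    tmp=$(mktemp -d) || return 1
    mkdir "$tmp/rc3.d"
    for entry in S10network S12syslog S55sshd S85httpd K15cups; do
        : > "$tmp/rc3.d/$entry"
    done
    unneeded_services "$tmp/rc3.d" "network syslog"
    rm -rf "$tmp"
}

demo
```

On a real system, point it at the runlevel directory your distro uses. How you then disable what it reports varies between distros (for example `chkconfig sshd off` or `update-rc.d ssh disable`).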
4. Apply patches regularly
New patches are always coming out for Linux software – it’s normally good practice to keep your computer up to date. Ensure your distro is configured to let you know when patches are available so you can install them.
5. Don’t trust your local network
If you’re relaxed about people being able to access your local network, that’s no problem. Quite possibly, you are.
But don’t assume your network is secure. Wireless network security remains relatively trivial to crack with a host of freely available tools, and it’s much harder for a company IT department to lock down a network now that everyone wants to connect not only with their work computer but with their numerous mobile devices, only some of which carry serious malware.
If you share a folder with the world on your local network, it’s best to assume the world might get hold of it.
6. Explore the privacy settings on your distro
Just as web browsers allow you to clear your history and cache and enter private browsing mode (to access your internet bank, naturally), Linux lets you specify how much your computer remembers about what you’re getting up to. Remember that if someone were to break into the computer, you’d want to use the logs to see what they got up to, so the privacy settings work both ways.
For example, on Ubuntu 12.10 and above, you click on the top right icon on the desktop and select System Settings, then Privacy. Among other things, this allows you to stop getting Amazon purchase suggestions on the Dash, delete your recent history, and configure Ubuntu so that it does not record your activities in certain applications or with certain types of files. It will also tell you when you last used each application and how frequently you use it – if you go to the Applications tab and click +.
7. Explore encryption
Through a range of applications and services, it’s possible to encrypt everything from specific services (e.g. HTTPS, secure shell) to your entire data stream, from files and folders to emails to whole partitions. Just don’t make the same mistake I did!