ad info




CNN.com
 MAIN PAGE
 WORLD
 ASIANOW
 U.S.
 LOCAL
 POLITICS
 WEATHER
 BUSINESS
 SPORTS
 TECHNOLOGY
   computing
   personal technology
   space
 NATURE
 ENTERTAINMENT
 BOOKS
 TRAVEL
 FOOD
 HEALTH
 STYLE
 IN-DEPTH

 custom news
 Headline News brief
 daily almanac
 CNN networks
 CNN programs
 on-air transcripts
 news quiz

  CNN WEB SITES:
CNN Websites
 TIME INC. SITES:
 MORE SERVICES:
 video on demand
 video archive
 audio on demand
 news email services
 free email accounts
 desktop headlines
 pointcast
 pagenet

 DISCUSSION:
 message boards
 chat
 feedback

 SITE GUIDES:
 help
 contents
 search

 FASTER ACCESS:
 europe
 japan

 WEB SERVICES:
COMPUTING

10 tips to lock up Linux

June 3, 1999
Web posted at: 8:12 a.m. EDT (1212 GMT)

by Michael H. Warfield

From...
LinuxWorld
linux

(IDG) -- I'll say at the outset that I feel that the title "Securing Linux" is somewhat misleading. It implies that one can somehow go through a series of steps and emerge at the end with a secure Linux system or network. That isn't true. The real intent of this two-part series is to help you improve the security of your system and to get you to think securely. One without the other is unlikely to succeed.

Security is a state of mind

Ultimately, security isn't something that is achieved as an end goal; it isn't a state. Rather, it's a way of setting up, maintaining, and running an operating system, network, or environment. Security is a process and a mind-set as well as a condition. It depends on the day-to-day actions of the system or network's users and system administrators. It also depends on the system security not being so intrusive that it encourages users and administrators alike to work around it.

MORE COMPUTING INTELLIGENCE
IDG.net   IDG.net home page
  LinuxWorld's home page
  LinuxWorld free e-mail alerts
  LinuxWorld features & columns
  Get Media Grok and The Industry Standard Intelligencer delivered for free
 Reviews & in-depth info at IDG.net
  IDG.net's personal news page
  Year 2000 World
  Questions about computers? Let IDG.net's editors help you
  Subscribe to IDG.net's free daily newsletter for IT leaders
  Search IDG.net in 12 languages
 News Radio
 * Computerworld Minute
 * Fusion audio primers
   

But you have to start somewhere, and that somewhere is to improve the security of your system as much as possible while still meeting your operational needs. A system that isn't connected to any network or phone lines and is kept in a locked room is reasonably secure -- but it will meet few of your needs. From there we embark on a series of compromises between the best possible security and the least inconvenience and difficulty that will serve our purposes.

Some of these tips are specific to Linux systems, but many are very general principles that apply to all systems and networks -- not just to Unix (or Unix-like) OSs.

1.Less is more

Applying the Principle of least privilege and the Principle of minimum access ensures that you open up your system to the least amount of risk. Users are allowed only enough privilege and access to do their work, and no more. More...

2.Planning

Plan ahead and plan to distribute services. Even before you begin an installation (and, ideally, before you purchase system software solutions), make a detailed plan of your intended security defenses. On paper. More...

3.Installation

A secure system starts with a secure install.

This is one area where the various Linux distributions fail to do an adequate job. All of the distributions are guilty of making it too easy to set up insecure or misconfigured installations. Many of them enable services that the new user is unlikely to be aware of, or enable services before they are fully configured. More...

4.Secure services

Internet and network services are among the most vulnerable parts of your system. Whether you're planning a new installation or reviewing security on an existing system, your file servers, e-mail services, Web servers, FTP, and other network services should be among the first things you check for security holes. More...

5.Up and running

Once your system is set up, be sure to keep track of the services you're running. Keep a close eye on services and applications by monitoring your UDP and TCP ports. More...

6.Password and authentication security

Passwords can be the most underestimated security feature you have. Make sure that neither you nor your users are using transparent (easily guessed) passwords, and make sure that your passwords are safe from unauthorized intruders. More...

7.Security and the privileged user

Never perform routine operations as root! Do your routine work as a nonprivileged user and step up to root only when needed. This is a common mistake of most newbies to Linux (and Unix in general). When you (or a user or a program) must run as root, take the proper security precautions. More...

8.Cryptography and security

Cryptography is a good thing. It can protect our files, our e-mail, and our communications. Widespread use of cryptography will improve and change the security landscape. Take advantage of cryptography wherever its use is appropriate. More...

9.Eternal vigilance

Once you've secured your installation and checked your basic security and services, your work isn't over. In fact, the job of keeping your system secure is never over. Even if with eternal vigilance, some risk remains, and it may still be possible for someone, sometime to get in. With or without the help of any one of a number of monitoring programs, you must keep a watchful eye on what is going on in your system. More...

10.Stay informed

New security holes and bugs are discovered and exploited constantly, and new techniques, patches, and fixes are created to counter the threat they present. The only way to safeguard the system you've worked so hard to secure is to stay on top of new information as it becomes available. More...

The enemy within is ignorance

While advanced security can be difficult to implement, a great deal can be achieved by taking the simple steps of knowing what you're running and disabling services you aren't sure about. Even small sites and single Linux systems can take steps to reduce the risk and harden their security protection.

Not all of these ideas are ideal for all circumstances. You have to understand and balance your security needs, your network design, your functionality needs, and your security policy (if you have one). In any case, knowledge is your best security tool and ignorance is your worst enemy.

Mike Warfield is a senior security researcher on the Internet Security Systems X-Force. He is also a member of the Samba Development Team, a founding member of the Atlanta Linux Enthusiasts, and a long-standing guru with the Atlanta Unix Users Group. He has been involved in Unix systems for over 15 years and with computer security for over 25 years.


RELATED STORIES:
Pulling off a hat trick
June 1, 1999
At what point does the open source movement declare victory?
May 25, 1999
SGI to offer key piece of OS to Linux
May 25, 1999

RELATED IDG.net STORIES:
Linux takes flight on Northwest simulators
(Computerworld)
At what point does the open source movement declare victory?
(Linuxworld)
New Web site will match companies, open-source developers
(Computerworld)
Linux.com portal goes live
(InfoWorld)
Sun's Solaris compatible with Linux programs
(SunWorld)
Note: Pages will open in a new browser window
External sites are not endorsed by CNN Interactive.

RELATED SITES:
North American Cryptographic Archives
Trinux
Nessus
Psionic Software / Abacus Sentry
RootShell
Note: Pages will open in a new browser window
External sites are not endorsed by CNN Interactive.
 LATEST HEADLINES:
SEARCH CNN.com
Enter keyword(s)   go    help

Back to the top   © 2001 Cable News Network. All Rights Reserved.
Terms under which this service is provided to you.
Read our privacy guidelines.