Help File Library: Securely Installing Linux
It's important to be aware that when you're installing Linux,
you're installing a powerful server operating system. As a home user, you
probably won't use much of what's installed by default, and anything you
don't use is a security risk you don't have to take. This means that most
of the install procedure for a user like you or me actually involves
not installing things, and then configuring the remaining elements
as securely as possible. I can't stress enough that security is an
important and ongoing concern, one that starts with installing and
configuring your system as a stand-alone box (so that it can't get hacked
before you harden it), continues with constant attention to security holes
and fixes, and then never ends.
Hopefully that doesn't scare anyone off! Installed with any sort of care,
Linux is no less secure than Windows, and is in many ways more so. Someone
has to want to crack your Linux box, as opposed to just sending out
an email macro virus. Unfortunately, there are a lot of people out there
who would do you harm, and with the increasing popularity of cable
modems, DSL, and home networks, you really need to give security a lot of
attention during the install, and later by staying abreast of the current
security patches.
The very first step is to undertake your install while not connected to
other computers. This is a simple criterion to meet if you're going to have
a stand-alone box with only dial-up connectivity to the internet, but it's
something to be aware of if you plan to be part of a network. After the
install, you're going to go back and tighten the security on your Linux
box (known as hardening), so you don't want anyone to get a chance at you
while you're still installing. This probably sounds exceedingly cautious,
but paranoia is the best approach to security, so you may as well get
started right away. Some people go as far as to download all the patches
they need from another box and write them to CDs for install on their new
machine, but not everyone has the resources to be quite this careful.
Package installation is the next area where you can really impact the
future security level of your Linux box. It's very important that you
choose to select packages individually, as every distribution I've seen
installs a lot of software by default that you won't use. It can be very
hard to decide what you want installed if you're unfamiliar with Linux in
general, but remember that you can go back later and install any package
that you missed the first time.
The best place to start cutting packages is in the communications
area. You probably don't need an anonymous ftp server, or a telnet server,
but they'll be installed if you're not careful. You probably won't need to
provide DHCP or DNS services, either, or run a SQL server. Sendmail and
Apache are great programs, but if you'll be using an ISP for mail and web
hosting, they're just big security holes. You'll find Linux installs
include a lot of other mail-related packages by default as well, such as
fetchmail, mutt, and elm, and a number of newsreaders such as rn, trn, and
xrn. Maybe you'll use one of them, but certainly not all, so you should
find one that sounds good and leave the other ones out. The same goes for
editors, graphics viewers, and MP3 players, which is where you should
start cutting after you've worked on communications.
Once you've installed the packages you need, you'll have to go back and
configure the services that your Linux system will provide. You should
start by checking the /etc/inetd.conf file, and disabling any services
you don't need by adding a # to the beginning of the line. You can then
check for remaining services by grepping for lines that don't start with
#, using 'grep -v "^#" /etc/inetd.conf'. Afterwards you should run
'killall -HUP inetd' to put your changes into effect right away. You
should also check your startup scripts for services you don't mean to run
by executing the command '/usr/sbin/setup'. This assumes you're
using Mandrake or Red Hat, as I don't know whether other distributions have
this program available. You'll be able to see which scripts start up by
default, and by hitting you can find out what they each do.
Passwords and accounts are the last area I'll cover. You should always
maintain a strong root password, and be sure to use the root account only
for administration. Making a non-root account for your general use and
'su-ing' to root when you need to fix something is a good policy, and
will also minimize the chances of a stray typo doing major damage to your
system. A strong password should have at least 8 characters, and contain
a mixture of letters and numbers. Feel free to mix in upper and lower case
letters, and don't use any dictionary words. Enable MD5 passwords, which
allow longer passwords, and shadow passwords as well, which hide the
encrypted passwords from everyone but root.
After you've secured all of your own accounts properly, check the
/etc/passwd file for unnecessary system accounts, such as news and mail,
and delete them. Some programs run with the privileges of their owner
(often root) no matter which user starts them. These are called suid
programs, and you should check them out as well with 'find / -type f
-perm +6000 -exec ls -l {} \; > suidprocesses' (newer versions of GNU find
spell the permission test '-perm /6000'). Read the output file
'suidprocesses' to see which are present, and disable any that aren't
necessary. You might also want to restrict where accounts can log in from
if you've enabled telnet access. It's a good idea to restrict root logins
to the local machine and only let unprivileged users come in from the
outside. You can also keep outside hosts away from every service that
inetd and tcpd control by adding an 'ALL: ALL' line to /etc/hosts.deny.
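The two checks described above, the inetd.conf sweep and the setuid/setgid search, as a small audit script. This is an added example and not part of the original article; it assumes POSIX sh, awk, find and mktemp, and the inetd.conf contents are a constructed sample rather than a real system file.

```shell
#!/bin/sh
# Added example (not from the original article). Assumes POSIX sh, awk, find
# and mktemp; the inetd.conf below is a constructed sample, not a real file.

# Print the service name from every line of an inetd.conf-style file that is
# still active: lines that are blank or start with '#' are skipped.
enabled_inetd_services() {
    awk '{ sub(/^[ \t]+/, "") }
         $0 !~ /^#/ && NF > 0 { print $1 }' "$1"
}

# Report the services still enabled; return 0 only if there are none.
check_inetd() {
    enabled="$(enabled_inetd_services "$1")"
    if [ -z "$enabled" ]; then
        echo "inetd: nothing enabled"
        return 0
    fi
    printf '%s\n' "$enabled" | sed 's/^/inetd: still enabled: /'
    return 1
}

# List regular files with the setuid or setgid bit set below a directory.
# The article's '-perm +6000' is a GNU-only spelling (newer GNU find wants
# '-perm /6000'); '-perm -4000 -o -perm -2000' means the same and is POSIX.
find_suid_files() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null
}

# Write a constructed inetd.conf: ftp and telnet enabled, finger commented out.
write_sample_inetd() {
    cat >"$1" <<'EOF'
# inetd.conf (constructed sample)
ftp     stream  tcp     nowait  root    /usr/sbin/tcpd  in.ftpd -l -a
telnet  stream  tcp     nowait  root    /usr/sbin/tcpd  in.telnetd
#finger stream  tcp     nowait  nobody  /usr/sbin/tcpd  in.fingerd

EOF
}

# Stand-alone run: audit the sample, then list setuid/setgid files in /usr/bin.
sample="$(mktemp)"
write_sample_inetd "$sample"
check_inetd "$sample" || :
rm -f "$sample"
find_suid_files /usr/bin || :
```

Point `check_inetd` at your real /etc/inetd.conf and `find_suid_files` at / to reproduce the article's two checks on a live system.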
There are of course many other ways to secure your Linux box, but the
above precautions will provide you with a machine you can feel comfortable
using on the internet. Nothing will stop a determined individual from
causing problems for your system, but you're not asking for trouble the
way a default install will.