From the KnowledgeBase

Title:
Linux: Tips for secure and safe installation and operation

SOLUTION:
Before attaching a Linux computer to the campus network, it's very important to ensure that it is secure. If the proper precautions are not taken, it is very possible for a new Linux machine to get hacked within minutes of connecting to the network. The following is a set of tips for safely operating your computer. If you are an inexperienced user, OIT strongly encourages you to take the time to read about and understand the security issues involved with the operating system before plugging into the network.

Installation
If you have purchased a factory install of Linux, it may be advisable to remove it and start fresh. You never know what may have already been installed, and you will give yourself greater control and understanding of the system by installing it from scratch. There are many different distributions of Linux available. OIT will not recommend any of these distributions over another, but RedHat is a commonly used client and this document will refer to RedHat specifics. For an outline of the available distributions, please visit:
http://www.linuxiso.org/

Keep your computer unplugged from the network while installing. Most distributions have similar install options. Please watch for the following install options:

1. What kind of security do you want on your computer?
We strongly encourage you to choose high security.

2. Do you want the network turned on when you boot your machine?
As a beginner, we recommend that you choose no. Once you've studied and understood what is involved with networking, you will be able to enable networking on boot-up.

Software / Patches
Make sure to keep your install of Linux at the latest revision level. It is possible to get automatic updates and patches for your computer. For RedHat specific installs you can sign up for RedHat Network (RHN). To do this, run the command up2date at the command line. This works much like the Software Update feature on the Macintosh and Windows Update on PCs.

Most distributions come with TCP wrappers and IPtables installed. Make sure you are running them. For details, please see:
http://www.linuxnewbie.org/nhf/Security/IPtables_Basics.html

You should disable all nonessential daemons (e.g. NFS, BIND).

Always use ssh and scp instead of telnet and rcp. This will ensure that the connection is secure and encrypted.

If you have a /etc/inetd.conf file, edit it to comment out such things as telnet, talk and finger.
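
One way to check and apply the inetd.conf tip above, as an added example (not OIT's own script). The function names and the sample file are constructed for illustration; the flagged services are the three named above.

```shell
#!/bin/sh
# Added example: audit an inetd.conf-style file for enabled legacy services.
RISKY_SERVICES="telnet talk finger"   # the services named in the tip above

# list_enabled FILE: print the name of every risky service that is still
# active, i.e. whose line is not commented out with '#'.
list_enabled() {
    awk -v risky="$RISKY_SERVICES" '
        BEGIN { n = split(risky, a, " "); for (i = 1; i <= n; i++) bad[a[i]] = 1 }
        NF == 0 || $1 ~ /^#/ { next }      # skip blank lines and comments
        ($1 in bad) { print $1 }           # field 1 is the service name
    ' "$1"
}

# comment_out FILE: write FILE to stdout with the risky entries commented
# out; every other line passes through unchanged.
comment_out() {
    awk -v risky="$RISKY_SERVICES" '
        BEGIN { n = split(risky, a, " "); for (i = 1; i <= n; i++) bad[a[i]] = 1 }
        NF > 0 && $1 !~ /^#/ && ($1 in bad) { print "#" $0; next }
        { print }
    ' "$1"
}

# make_sample: constructed sample input, not taken from a real system.
make_sample() {
    cat <<'EOF'
# constructed sample inetd.conf
pop-3   stream  tcp     nowait  root    /usr/sbin/tcpd  ipop3d
telnet  stream  tcp     nowait  root    /usr/sbin/tcpd  in.telnetd
#talk   dgram   udp     wait    root    /usr/sbin/tcpd  in.talkd
finger  stream  tcp     nowait  nobody  /usr/sbin/tcpd  in.fingerd
EOF
}

# Demo on the sample; point the functions at /etc/inetd.conf on a real host.
tmp=$(mktemp)
make_sample > "$tmp"
echo "Still enabled:"; list_enabled "$tmp"
echo "--- proposed replacement ---"; comment_out "$tmp"
rm -f "$tmp"
```

Review the proposed output before replacing the real file, and keep a backup copy. inetd re-reads its configuration on SIGHUP, so the change takes effect only after it is signalled or restarted.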

Security

These are a few pieces of software that can help you ensure the security of your Linux computer:

TripWire keeps a database of your system. If you suspect something has changed, you can use this database to check your suspicions. Please see:
http://www.tripwire.org/

Sudo logs all commands executed as root user (or superuser) and allows you to control user access to root commands. Please see:
http://www.courtesan.com/sudo/

Bastille-Linux is an easy-to-use Linux firewall. Please see:
http://www.bastille-linux.org/

Resources / News

For updated information and news on the latest Linux security issues, you may find the following web sites useful.

OIT's Unix Systems' Security page http://www.princeton.edu/~essweb/linux/linuxsecurity.html

For information on general Linux security, please visit:
http://physics.princeton.edu/www/jh/linux_security.html

General Linux information can be found at:
http://freshmeat.net/ and http://www.linuxnewbie.org/

Updated security information can be found at:
http://www.cert.org/ and http://www.theregister.co.uk/

You may also find some useful newsletters at this web site. There are Linux newsgroups that mail security tips and tricks.
http://www.itworld.com/newsletters

Last Updated:
March 15, 2012

Solution ID:
9249