You've just set up your Linux desktop. Naturally you want it to be as secure as possible. You've heard the rumors that, out of the box, Linux has outstanding security. Is it true? Do you really want to take a chance with that? Most likely not. But what can you do? There are tons of firewall tools you can use (take a look at my article "Build a custom firewall with fwbuilder" for an example). But outside of setting up a firewall on your machine, what can you do to boost the security on your desktop?
In this article you will learn some very simple steps you can take to help make your Linux desktop a bit more secure than "out of the box". These steps can be done by any level of user, so don't think you will be doing any recompiling or creating iptables chains.
No auto login
When you first install many distros, you will be asked if you want your user to auto login. This is a bad idea if you are in an environment you can't fully trust. If there are other users around, you do not want them using your account. To help avoid this disable auto login. On the GNOME desktop go to System >Administration > Login Screen. When the Login Screen Settings window opens follow these steps:
Now when you are done using your desktop log out. The only way to get back in will be to log in.
Encrypt your ~/ directory
During installation many distributions give you the option of encrypting your ~/ directory. This will give you an added means of security - especially if your machine is stolen. With the ~/ directory being encrypted, even when the thief can not log into your user account, they will not be able to read your encrypted directory without the decryption key. That makes for some fairly safe data.
Don't run unnecessary services
There are certain services you may not need on your machine. Some services can lead to a less-than-secure environment. Instead of allowing these services to continue running, stop them at boot time. Each distribution handles this differently. You can see how different distributions handle this in my article "Starting services at boot in Linux". Shut down those unwanted services and gain a bit more security.
Run a simple firewall
Don't bother getting too complicated with your desktop firewall. But if you are really paranoid, employ a simple tool like ufw (Uncomplicated Fire Wall). In Ubuntu ufw is installed by default. You can start it like so (from the command line):
sudo ufw enable
You can disable it like so:
sudo ufw disable
Root kits are a danger to any operating system. You will want to install a tool to check for root kits the minute your operating system is up and running. The best (and easiest) root kit tool is rkhunter. For information on installing and using rkhunter, read my article "Check for root kits with rkhunter".
Shut down that P2P
I use P2P tools. But when I am done searching (and/or downloading) I shut that tool down. Why? Unwanted access. There is no real reason to leave your machine open to unknown users. So instead of leaving that P2P tool open for business, shut it down.
Careful with 666 and 777
When you chmod a file (or directory) use caution when given them either 666 or 777 file permissions (rw-rw-rw- and rwxrwxrwx respectively). This is especially true on a file (or directory) containing sensitive data. For those files either only allow read access to group and other or encrypt the file so only those with the encryption key have access. Using either 666 and/or 777 without careful thought is reckless on a Linux machine and can lead to security issues.
There are so many more tips you can go through - some of which might seem common sense to many - that can lead to a more secure environment. But the most important tip I can give to you is to think before you execute. Don't just randomly do something without knowing the end results first. In the case of security the old Benjamin Franklin quote "An ounce of prevention is worth a pound of cure." holds very true.Advertisement
Ghacks is a technology news blog that was founded in 2005 by Martin Brinkmann. It has since then become one of the most popular tech news sites on the Internet with five authors and regular contributions from freelance writers.