Protecting a networked computer is a never-ending challenge — even in Linux. These simple measures will help protect your Linux box.
1: Take advantage of the keyring
To many, this is an annoyance. You log in to your machine, your machine requests a connection to a network (or LDAP server, etc.), and you have to enter your keyring password. The temptation is to disable this feature by giving it an empty password and dismissing the warning that you’ll be transmitting unencrypted information (including passwords). This is not a good idea. Although you might think it a hassle, this feature/functionality is there for a reason — to encrypt sensitive passwords when they are sent over the wire.
2: Enforce user password update
If you run a multi-user environment (as Linux is wont to do), you should make sure that your users change their passwords every so often. To do this you use the chage command. You can check the expiration with the command sudo chage -l USERNAME (where USERNAME is the name of the user you want to check). Let’s say you want to expire a user’s password and make him change it upon next login. To do this, you could issue the command sudo chage -E EXPLICIT_EXPIRATION_DATE -m MINIMUM_AGE -M MAXIMUM_AGE -I INACTIVITY_PERIOD -W DAYS_BEFORE_EXPIRATION (where all options in CAPS are user defined). For more information on this command, see the man page (issue the command man chage).
3: Don’t blindly disable SELinux
Similar to the keyring, SELinux is there for a reason. SE stands for Security Enhanced and it provides the mechanism that controls access to applications. I have read of a number of “solutions” to problems that involved disabling SELinux. If this is seen as a solution, it will only lead to more, uglier problems. If a particular program isn’t running properly, look into modifying an SELinux policy to fit your needs rather than disabling SELinux. If you don’t want to do this via the command line, you might want to check out a GUI tool called polgengui.
4: Don’t log in as root
It may sound as if I’m a broken record with this one, with good reason. I can’t stress enough that Linux users should NOT be logging in as the root user. If you need to do administration on a machine, log in as your regular user and either su to the root user or take advantage of sudo. When you log in as the root user, you effectively bypass a major security hurdle and allow access to systems and subsystems that normally wouldn’t be accessible when logged in as a standard user. Do not do this. Log in with your regular account. Period.
5: Install security updates quickly
There is a HUGE difference between the way Linux and Windows handle updates. Where Windows typically does an infrequent massive update, Linux does frequent smaller updates. Ignoring these updates can be disastrous if the right security hole is not patched on your system. You have to remember, some of those updates are in fact security patches and need to be applied immediately. Never ignore that icon indicating updates are available. And if you are using a GUI-less server, make sure you set up a cron job to check for updates or check them manually either daily or weekly. Stay up to date and you stay more secure.