Paranoid Penguin - Brutally Practical Linux Desktop Security
As I write this month's column, I'm getting ready to attend DEFCON, my all-time favorite information security conference and hacker rave party. I'll catch up with treasured Known Associates, attend cutting-edge technical presentations and drink Sam Adams beer two-fisted at Hacker Jeopardy (it's a tough job, but I'm up to it).
And, at some point, I'll engage in two closely related activities: connecting my laptop to the DEFCON WLAN (wireless local-area network) to check e-mail, hoping fervently that I won't do anything dumb enough to expose my passwords or other personal information to the thousands of other mischievous punks connected to the DEFCON WLAN, and I'll have a nervous chuckle or two at the Wall of Sheep, a real-time list of WLAN users who have done something dumb enough to expose their passwords and other personal information to the thousands of mischievous punks on the DEFCON WLAN.
There isn't necessarily that much shame in ending up on the Wall of Sheep. Several years ago it happened to none other than world-renowned security expert Winn Schwartau. I should mention that Winn was a very good sport about it, too—no identity theft, no foul, as they say.
But, that doesn't mean I'm quite ready to put my own reputation on the line without a fight. You can bet that before I board the plane for Las Vegas, I'm going to lock my laptop down, and when I'm there, I'm going to take care of myself like I was back home in the hood, on the wrong side of the tracks, after dark, with a pork chop hung around my neck. Nobody's going to pwn Mick at DEFCON this year without busting out some supernatural kung fu. (I hope.)
So what, you may ask, does any of this have to do with those of you who never go to DEFCON and generally stick to your friendly local coffee shop wireless hotspots and neighborhood cable-modem LAN segment? Actually, I think that question pretty much answers itself, but I'll spell it out for you: the tips and techniques I use to navigate the DEFCON WLAN safely with my trusty Linux laptop should amply suffice to protect you on whatever public, semiprivate or spectacularly hostile networks to which you may find yourself having to connect.
This month's column is about ruthlessly practical Linux desktop security—what to do to harden your system proactively and, even more important, what to avoid doing in order to keep it out of harm's way.
Here's a summary of what I'm about to impart:
Keep fully patched.
Turn off all unnecessary network listeners or uninstall them altogether.
Harden your Web browser.
Never do anything important in clear text. Actually, do nothing in clear text.
Use VPN software for optimal imperviousness.
Pay attention to SSL certificate errors.
Be careful with Webmail and surf carefully in general.
Make backups before you travel.
Some of those things should be extremely familiar to my regular readers, or simple common sense, or both. Patching, for example, is both critically important and blazingly obviously so. Most network attacks begin with a vulnerable piece of software. Minimizing the number of known bugs running on your system is arguably the single-most important thing you can do to secure it.
I'll leave it to you to use the auto-update tools on your Linux distribution of choice, and the same goes for making backups, an equally obvious (though important) piece of advice.
At least equally important is minimizing the number of software applications that accept network connections. If a given application either is turned off or has been uninstalled, it generally doesn't matter whether it's vulnerable or not. (Unless, of course, an attacker can enable a vulnerable application for purposes of privilege escalation, which is one reason you should not only disable but also remove unnecessary applications.) I cover service disabling in depth later in this article.
So far, so obvious. But, what about antivirus software? As a matter of fact, and by the way I'm waiting for someone to convince me otherwise on this, viruses and worms are not a threat I take very seriously on Linux. In all my years using and experimenting with Linux, including in university lab settings and in my own Internet-facing DMZ networks, I never have had a single malware infection on any Linux system I ran or administered.
Is this because there are no Linux worms or viruses, or because Mick is so fabulously elite? No, on both counts. Rather, it's because I've never been lazy about keeping current with patches, and because I've always very stubbornly used plain text for all my e-mail.
Worms exploit vulnerable network applications—no vulnerability (or no app), no worm. E-mail viruses depend on users executing e-mail attachments or on their e-mail software's running scripts embedded in HTML-formatted e-mail—no attachment executing or script running, no infection.
I've also been lucky in this regard because there are few Linux worms and viruses in the wild to begin with. But, even if there were more, I would repeat, keeping current with patching and using e-mail carefully is more important than running antivirus software.
- High-Availability Storage with HA-LVM
- Localhost DNS Cache
- DNSMasq, the Pint-Sized Super Dæmon!
- Real-Time Rogue Wireless Access Point Detection with the Raspberry Pi
- Days Between Dates: the Counting
- The Usability of GNOME
- You're the Boss with UBOS
- Linux for Astronomers
- Multitenant Sites
- PostgreSQL, the NoSQL Database