APC Australia

Secure your Linux desktop

Linux can thwart a majority of attacks on its own, but Mayank Sharma’s on hand to help you put up a level 10 force-field around your computer.


Running Linux just because you think it’s safer than Windows? Think again. Security in Linux is a built-in feature and extends right from the kernel to the desktop, but it still leaves enough room to let someone muck about with your /home folder. Sure, Linux is impervious to viruses and worms written for Windows, but attackers have several other tricks up their sleeves to illegally access your precious bits and bytes that make up everything from your personal emails to your credit card details.

Locking your data behind a username and password shouldn’t be your only line of defence, and isn’t enough to hold off a determined attacker. As the number, nature and variety of computer attacks escalate every day, you should go out of your way and take extra measures to secure your computer against unauthorised access.

All mainstream Linux distributions such as Debian, Ubuntu and Fedora have security teams that work with the package devs to make sure you stay on top of security vulnerabilities. Generally, these teams work with each other to make sure that security patches are available as soon as a vulnerability is discovered.

Your distribution will have a repository dedicated to security updates. All you have to do is make sure the security-specific repository is enabled (chances are it will be, by default), and choose whether you’d like to install the updates automatically or manually at the press of a button. For example, from the Updates tab in the Software & Updates app, you can ask Ubuntu to download and install security updates automatically.

In addition to the updates, distributions also have a security mailing list to announce vulnerabilities, and also share packages to fix them. It’s generally a good idea to keep an eye on the security list for your distro, and look out for any security updates to packages that are critical to you. There’s a small lag between the announcement and the package being pushed to the repository; the security mailing lists guide the impatient on how to grab and install the updates manually.

You should also take some time to disable unnecessary services. A Linux desktop distro starts a number of services to be of use to as many people as possible, but you really don’t need all of them. Samba, for example, shouldn’t really be enabled on a secure server, and why would you need the Bluetooth service on a computer that doesn’t have a Bluetooth adapter? All distributions enable you to control the services that run on your Linux installation, usually with a built-in graphical utility. However, some applications might stop functioning because you decided to disable a service on which they rely. For example, many server applications rely on databases, so before you turn off MySQL or PostgreSQL you should make sure you aren’t running any applications that depend on them.

SECURE USER ACCOUNTS

On a multi-user system like Linux, it’s imperative that you limit access to the super-user root account. Most distributions these days don’t enable you to log in as root at boot time, which is good. Furthermore, instead of giving multiple people root permission, you should grant root access on a per-command basis with the sudo command. Using sudo instead of logging in as the root user has several advantages. All actions performed with sudo are logged in the /var/log/secure file (on Debian-based systems, including Ubuntu, the same records go to /var/log/auth.log), which also records all failed attempts.

One of the major advantages of using sudo is that it makes it possible to restrict root access to certain commands. For this you need to make changes in the /etc/sudoers file, which should always be edited with the visudo command. This command locks the sudoers file, saves edits to a temporary file and ensures the configuration is correct before writing it to /etc/sudoers. The default editor for visudo is vi.

To enable a user named ‘admin’ to gain full root privileges when they precede a command with sudo, add the following line to the /etc/sudoers file:

admin ALL=(ALL) ALL

To make it possible for a user named Joe to run all commands as any user, but only on the machine whose hostname is viperhost, add:

joe viperhost=(ALL) ALL

You can also restrict access to certain commands. For example, the following line will only enable a user called Susie to run the kill, shutdown, halt and reboot commands:

susie ALL = /bin/kill, /sbin/shutdown, /sbin/halt, /sbin/reboot

Similarly, a user called Jack can only add and remove other users, like so:

jack ALL = /usr/sbin/adduser

You can also restrict a user’s scope. The following enables the user named Nate to kill unresponsive processes, but only on his workstation named Tango and not anywhere else. KILL here is a command alias, so it has to be declared before the rule that uses it:

Cmnd_Alias KILL = /bin/kill
nate tango = KILL

On a related note, you should also set expiration dates for accounts used by non-permanent users. This can include any interns, temporary employees and consultants who need to access your Linux installation. Ideally, you should immediately deactivate and remove the temporary accounts as soon as they aren’t required. The expiration date acts as a safeguard to ensure these accounts can’t be misused.

Use the usermod command to tweak a user’s account and set an expiration date, such as:

$ sudo usermod -e 2018-09-02 bodhi

In this example, the user named Bodhi won’t be able to log into the account from September 2, 2018.

PERMISSIONS PRIMER

Another important part of securing your Linux system is setting proper permissions. In Linux and Unix, everything is a file. Directories are files, files are files and devices are files. Every file and program must be owned by a user. Each user has a unique identifier called a user ID (UID), and each user must also belong to at least one group, which is defined as a collection of users that has been established by the system administrator and can be assigned to files, folders and more.

Users may belong to multiple groups. Like users, groups also have unique identifiers, called group IDs (GIDs). The accessibility of a file or program is based on its UIDs and GIDs. Users can access only what they own or have been given permission to run. Permission is granted because the user either belongs to the file’s group or because the file is accessible to all users. The one exception is the root or superuser, who is allowed to access all files and programs in the system. Also, files in Linux have three kinds of permission associated with them — user, group and others — that determine whether a user can read, write or execute a file.

You can view the permissions of a file or directory with the ls -l command. The command to use when modifying permissions is chmod. There are two ways to modify permissions: with numbers or with letters. Using letters is easier to understand for most people, but numbers are much better once you get used to them. The table (over the page) lists the chmod values for each of the permission types. For example, chmod u+x <somefile> gives execute permission to the owner of the file. chmod 744 <somefile> does the same thing for a file that starts out with the default 644 permissions, but is expressed in numbers. Similarly, chmod g+wx <somefile> adds write and execute permission to the group, while chmod 764 <somefile> is how you’d express it with numbers.

However, this arrangement can’t be used to define per-user or per-group permissions. For that, you need to employ access control lists (ACLs), which enable you to specify elaborate permissions for multiple users and groups. While you can define them manually, graphical tools such as Eiciel make the process more intuitive and help you save a lot of time and effort. You can install Eiciel from the repos of most major desktop distributions. Once installed, the tool can be used to fine-tune the access permissions for each individual file.

To get a better grasp of the filesystem permissions on Linux, let’s put them into practice to lock down sensitive files, such as the ones that house password information. The /etc/passwd file should belong to the root owner and group with 644 permissions. This enables users to log in and view the associated username. However, it will prevent them from modifying the /etc/passwd file directly. Then there’s the /etc/shadow file that contains the encrypted passwords as well as other information, such as account or password expiration values. The owner of this file is the user root while the group is often set to an admin group, like shadow. The permissions on this file are set to 000 to prevent any user from even reading it.

Still, while there’s no access permission on the file, the root user can still access it. But if no one can access the file, how can users change their passwords, which are stored in this file? This is because the /usr/bin/passwd utility uses the special permission known as SUID. Thanks to this special provision, the user running the passwd command temporarily becomes root while the command is running and can then write to the /etc/shadow file. Similarly, the /etc/group file that contains all the groups on the system should have the same file permissions as the /etc/passwd file. In the same vein, the group password file /etc/gshadow should have the same permissions as /etc/shadow.
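A small audit script, added here as an example and not part of the original article, that checks the four account files against the ownership and modes described above and lists SUID executables such as /usr/bin/passwd. It uses GNU stat with a BSD fallback; the expected modes follow the article, and the Debian-style 640 for shadow/gshadow is noted as an assumption to adjust.

```shell
#!/bin/sh
# Added example, not from the article: audit the ownership and mode of the
# account database files discussed above and list SUID executables (the
# mechanism that lets /usr/bin/passwd write /etc/shadow). The baseline is the
# article's: passwd/group 644 root:root, shadow/gshadow 000 root:shadow.
# Debian-based systems ship shadow/gshadow as 640 instead; adjust if needed.

# file_meta PATH -> "mode owner group" (GNU stat, with a BSD stat fallback).
file_meta() {
    stat -c '%a %U %G' "$1" 2>/dev/null || stat -f '%Lp %Su %Sg' "$1" 2>/dev/null
}

# pad_mode MODE -> MODE zero-padded to at least three octal digits ("0" -> "000").
pad_mode() {
    case $1 in ?) echo "00$1" ;; ??) echo "0$1" ;; *) echo "$1" ;; esac
}

# check_file PATH MODE OWNER GROUP -> 0 if all three match, 1 otherwise.
check_file() {
    path=$1 want_mode=$(pad_mode "$2") want_owner=$3 want_group=$4
    meta=$(file_meta "$path") || { echo "MISSING  $path"; return 1; }
    mode=$(pad_mode "${meta%% *}")
    rest=${meta#* }; owner=${rest%% *}; group=${rest#* }
    if [ "$mode" = "$want_mode" ] && [ "$owner" = "$want_owner" ] \
       && [ "$group" = "$want_group" ]; then
        echo "OK       $path ($mode $owner:$group)"
        return 0
    fi
    echo "MISMATCH $path: have $mode $owner:$group, want $want_mode $want_owner:$want_group"
    return 1
}

# find_suid DIR -> paths of regular files below DIR with the SUID bit set.
find_suid() {
    find "$1" -xdev -type f -perm -4000 2>/dev/null
}

# audit_account_files -> 0 if all four files match the baseline, 1 otherwise.
audit_account_files() {
    rc=0
    check_file /etc/passwd  644 root root   || rc=1
    check_file /etc/group   644 root root   || rc=1
    check_file /etc/shadow  000 root shadow || rc=1
    check_file /etc/gshadow 000 root shadow || rc=1
    return "$rc"
}

audit_account_files || echo "one or more account files deviate from the baseline"
echo "SUID executables under /usr/bin (first 20):"
find_suid /usr/bin | head -n 20
```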

MANAGE PASSWORDS WITH PAM

The pluggable authentication modules (PAM) mechanism was originally implemented in the Solaris operating system, but has been a Linux mainstay for quite a while now. PAM simplifies the authentication management process and provides a flexible mechanism for authenticating users and apps.

In order to reap the benefits of PAM, individual applications have to be written with support for the PAM library. The command

ldd /{,usr/}{bin,sbin}/* | grep -B 5 libpam | grep '^/'

will display a list of all the programs on your system that are PAM-aware in some way or other. From the list you’ll notice that many of the common Linux utilities make use of PAM.

You can also use PAM to force users to select a complex password. PAM stores its configuration files under the /etc/pam.d directory. Here you’ll find a configuration file for virtually all the programs that request PAM authentication. When you look inside these configuration files, you’ll notice that they all begin with calls to include other configuration files with the common- prefix. For example, the /etc/pam.d/passwd file includes the common-password file. These common- prefixed files are general configuration files whose rules should be applied in most situations.

The common-password file controls password complexity. The command

cat /etc/pam.d/common-password | grep password

will list the relevant lines that define the basic rules for passwords, such as:

password [success=1 default=ignore] pam_unix.so obscure sha512
password requisite pam_deny.so
password required pam_permit.so
password optional pam_gnome_keyring.so

We’re interested in the first line, which defines the rules for passwords. Some rules are already defined, such as asking for passwords to be hashed with the SHA512 algorithm. The obscure parameter enforces complexity based on various factors such as previous passwords, the number of different types of characters and more.

For more password-checking capabilities, let’s install an additional PAM module with sudo apt install libpam-cracklib. Installing this module will automatically change the /etc/pam.d/common-password file, which then lists the following additional line:

password requisite pam_cracklib.so retry=3 minlen=8 difok=3

This line enables the pam_cracklib module and gives users three chances to pick a good password. It also sets the minimum number of characters in the password to eight. The difok=3 option sets the minimum number of characters that must be different from the previous password.

You can append remember=5 to this line to prevent users from reusing any of their five most recently used passwords. You can also use the dcredit, ucredit, lcredit and ocredit options to force the password to include digits, upper-case characters, lower-case characters and special characters. For example, you can use the following line to force the user to choose a password that’s not the same as the username and contains a minimum of 10 characters with at least four digits, one upper-case character and one special character:

password requisite pam_cracklib.so dcredit=-4 ucredit=-1 ocredit=-1 lcredit=0 minlen=10 reject_username
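The credit options are easy to misread, so here is a shell pre-check, added as an example and not part of the article, that applies the same rules as the pam_cracklib line above to a candidate password before the user burns through the retry=3 attempts. The credit semantics it mirrors are pam_cracklib’s (a negative credit is a hard minimum, a non-negative one is a length bonus); ASCII passwords and a non-empty username are assumed.

```shell
#!/bin/sh
# Added example, not from the article: pre-check a candidate password against
# the pam_cracklib line above (minlen=10 dcredit=-4 ucredit=-1 ocredit=-1
# lcredit=0 reject_username). A negative credit is a hard minimum for that
# character class; a credit of zero or more is a length bonus of up to that
# many points; length plus bonuses must reach minlen. ASCII is assumed.

# count_class STRING CLASS -> number of characters of STRING in the tr CLASS.
count_class() {
    printf '%s' "$1" | tr -cd "$2" | wc -c | tr -d ' '
}

# credit COUNT CREDIT -> length bonus: min(COUNT, CREDIT) if CREDIT >= 0, else 0.
credit() {
    if [ "$2" -lt 0 ]; then echo 0
    elif [ "$1" -lt "$2" ]; then echo "$1"
    else echo "$2"; fi
}

# check_password PASSWORD USERNAME -> 0 if acceptable, 1 (with a reason) if not.
check_password() {
    pw=$1 user=$2
    minlen=10 dcredit=-4 ucredit=-1 ocredit=-1 lcredit=0
    d=$(count_class "$pw" '[:digit:]')
    u=$(count_class "$pw" '[:upper:]')
    l=$(count_class "$pw" '[:lower:]')
    o=$(( ${#pw} - d - u - l ))        # anything else counts as "other"
    # reject_username: the login name must not appear in the password
    # (pam_cracklib also checks the reversed name; omitted here for brevity).
    case "$pw" in *"$user"*) echo "contains the username"; return 1 ;; esac
    # Negative credits are minimum counts for that class.
    [ "$d" -ge $(( -dcredit )) ] || { echo "needs at least $(( -dcredit )) digits"; return 1; }
    [ "$u" -ge $(( -ucredit )) ] || { echo "needs at least $(( -ucredit )) upper-case letter(s)"; return 1; }
    [ "$o" -ge $(( -ocredit )) ] || { echo "needs at least $(( -ocredit )) special character(s)"; return 1; }
    [ "$l" -ge $(( -lcredit )) ] || { echo "needs at least $(( -lcredit )) lower-case letter(s)"; return 1; }
    # Effective length = real length + bonuses from non-negative credits.
    bonus=$(( $(credit "$d" "$dcredit") + $(credit "$u" "$ucredit") ))
    bonus=$(( bonus + $(credit "$o" "$ocredit") + $(credit "$l" "$lcredit") ))
    score=$(( ${#pw} + bonus ))
    [ "$score" -ge "$minlen" ] || { echo "too short: effective length $score < $minlen"; return 1; }
    return 0
}

check_password 'Tr0ub4d0r-42x' alice && echo "accepted"
```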

OBFUSCATE YOUR STUFF

One of the best ways to keep your personal data to yourself is to encrypt it, so others can’t read the files. To this end, the installers of some leading distributions make it possible for you to encrypt your entire disk during the initial setup of the distro.

If you wish to encrypt individual files, however, you can use the zuluCrypt application. It provides block device encryption, which means that it encrypts everything written to a particular block device. The block device can be a whole disk, a partition or even a file mounted as a loopback device. With block device encryption, the user creates the filesystem on the block device, and the encryption layer transparently encrypts the data before writing it to the actual lower block device.

Using zuluCrypt, you can create an encrypted disk within a file or within a non-system partition or USB disk. It can also encrypt individual files with GPG. ZuluCrypt has an intuitive user interface; you can use it to create random keyfiles and use these to encrypt the containers. The program also includes the zuluMount tool that can mount all encrypted volumes supported by zuluCrypt.

To install zuluCrypt, head to http://mhogomchungu.github.io/zuluCrypt/ and scroll down the page to the binary packages section. The program is available as installable .deb package files for Debian and Ubuntu. Download the package for your distro and extract it with tar xf zuluCrypt*.tar.xz. Inside the extracted folder, switch to the folder corresponding to your architecture (i386 for older 32-bit machines and amd64 for newer 64-bit ones). Both folders contain four binary packages that you can install in one go with the sudo dpkg -i *.deb command. On other distributions you’ll have to build zuluCrypt manually: download the app’s tarball and follow the detailed steps in the included BUILDINSTRUCTIONS file to fetch the dependencies from your distro’s repos.

PUT UP A FIREWALL

Linux distributions come with the venerable netfilter/iptables framework. This is a set of kernel modules that can be used to create packet filtering rules at the kernel level. Ubuntu ships with the Uncomplicated Firewall (UFW), a userspace application that can be used to create iptables rules.

There’s also a GUI for UFW called Gufw, which takes the pain out of managing iptables. The program can easily allow or block services as well as user-specified ports. You configure your policy based on pre-installed profiles for Home, Public and Office and set the policies for incoming and outgoing traffic. The default configuration should satisfy most users, although you can set individual rules if you want a more advanced configuration.

Begin by enabling the firewall. Once enabled, you can set the Incoming and Outgoing policies by selecting one of the three options in the drop-down menus. The Allow option will permit traffic without asking any questions. The Deny option will silently discard all incoming or outgoing packets. The Reject option differs in that it sends an error packet back to the sender of the incoming packets.

After you’ve set the policy for both Incoming and Outgoing traffic you can define specific rules for individual programs and services. To create a rule, click the Add button after expanding the Rules section. This opens a window that offers three tabs that enable the creation of rules in different ways. The Preconfigured option enables you to select ready-made rules for specific programs or services, while the other two enable you to define rules for specific ports.

We’d suggest that most users should stick to the Preconfigured tab. All you need to do is select the program you wish to control traffic for from the dropdown menu and Gufw will automatically define the most effective rules. As mentioned earlier: for a secure system, you should drop all incoming and outgoing traffic and then selectively add rules for the programs and services that you use, such as the web browser, instant messaging and BitTorrent.

Prevent browser-based breaches with the NoScript and BetterPrivacy extensions that stop your web browser from running malicious scripts.

Eiciel adds an Access Control List tab in the file manager’s file properties dialog window that’s accessed by right-clicking over a file.
