LinuxQuestions.org
Support LQ: Use code LQ3 and save $3 on Domain Registration
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Newbie
User Name
Password
Linux - Newbie This Linux forum is for members that are new to Linux.
Just starting out and have a question? If it is not in the man pages or the how-to's this is the place!

Notices


Reply
  Search this Thread
Old 11-25-2005, 11:37 AM   #1
sundialsvcs
LQ Guru
 
Registered: Feb 2004
Location: SE Tennessee, USA
Distribution: Gentoo, LFS
Posts: 7,506

Rep: Reputation: 2388Reputation: 2388Reputation: 2388Reputation: 2388Reputation: 2388Reputation: 2388Reputation: 2388Reputation: 2388Reputation: 2388Reputation: 2388Reputation: 2388
How to keep your system secure ...


Microsoft Windows gets a lot of bad-rap for (lack of) security ... a reputation it really does not quite deserve, because Windows does have a good security model. The only trouble is, it's usually turned off!

Fortunately, Linux systems by-default do have security turned-on. Here's how you can use Linux's built-in security to quickly strengthen your system against most "virus" or "worm" attacks: (P.S: Most of these maxims apply equally well to Windows!)

Set up a non-privileged, ordinary user-id for yourself: Even though you, as the owner of the computer, have the authority to do anything you wish with "your" computer, you do not want "any program you might happen to run" to have the same authority! So, for most uses of your machine, you should set up a perfectly ordinary non-privileged account for yourself. This is your daily role, which is simply that of an ordinary user. When your friends want to use your machine, set up a separate (per-person) account for them.

Set up a separate "system maintenance" account, apart from root: When you are maintaining applications, or the system itself, you should have a separate user-id for that role. This user might have more expansive access to system files, and in any case it will be the "owner" of the application files and directories. This account is separate from root, which is used only for the tasks which require it.

Disable, or remove, all un-necessary logins: Some user-names and group-names exist just for ownership of system files, and never "log in." Make sure that these accounts, like [b]news, mail,[b] and so-on, are disabled for login. (Set the "shell" to /bin/false or somesuch.)

Stop all unnecessary services (daemons): Many distributions install lots of stuff that you don't actually use. If you don't actually use a service, stop it. Even ssh... if you don't use it, stop it.

Use a firewall: The first thing "downstream" of your cable-modem or DSL box should be a router... with a built-in firewall that is turned on.

Don't use passwords out of a dictionary: Scripts can try thousands of words from a dictionary. Simple concatenations of words, or the first letters of a phrase, will never be found in such a search. Use these.

If you "wear many hats," have several user-ids: Aside from the system-maintenance role mentioned above, if you serve several roles in your (maybe one-man) business, have a separate user-id for each one. This will keep the files logically and easily separated from one another.
 
Old 11-25-2005, 11:44 AM   #2
jailbait
LQ Guru
 
Registered: Feb 2003
Location: Blue Ridge Mountain
Distribution: Debian Jessie, Linux Mint 17
Posts: 7,793

Rep: Reputation: 292Reputation: 292Reputation: 292
"Microsoft Windows gets a lot of bad-rap for (lack of) security ... a reputation it really does not quite deserve, because Windows does have a good security model. The only trouble is, it's usually turned off!"

Then how was Sony able to routinely install root kits on Windows systems simply by having the user play a CD.

------------------------------
Steve Stites
 
Old 11-25-2005, 12:18 PM   #3
Lleb_KCir
Senior Member
 
Registered: Nov 2003
Location: Orlando FL
Distribution: Debian
Posts: 1,765

Rep: Reputation: 45
Quote:
Originally posted by jailbait
"Microsoft Windows gets a lot of bad-rap for (lack of) security ... a reputation it really does not quite deserve, because Windows does have a good security model. The only trouble is, it's usually turned off!"

Then how was Sony able to routinely install root kits on Windows systems simply by having the user play a CD.

------------------------------
Steve Stites
because as he mentioned the "security" by default it turned off. 99% of MS users run as administrator, the linux equivalent to root. that makes it extremely easy for all types of malware to be installed on a users system because they run with root level access to their systems.

now even running as user or limited user things can still be installed or can work around the "windows security" but it is not as easy.
 
Old 11-25-2005, 12:37 PM   #4
jailbait
LQ Guru
 
Registered: Feb 2003
Location: Blue Ridge Mountain
Distribution: Debian Jessie, Linux Mint 17
Posts: 7,793

Rep: Reputation: 292Reputation: 292Reputation: 292
"now even running as user or limited user things can still be installed or can work around the "windows security" but it is not as easy."

So did the people who ran as user block Sony's rootkit?

--------------------------
Steve Stites
 
Old 11-25-2005, 02:35 PM   #5
zeventh zenze
LQ Newbie
 
Registered: Nov 2005
Posts: 7

Rep: Reputation: 0
Re: How to keep your system secure ...

Quote:
Originally posted by sundialsvcs
[B]Microsoft Windows gets a lot of bad-rap for (lack of) security ... a reputation it really does not quite deserve, because Windows does have a good security model. The only trouble is, it's usually turned off!

Fortunately, Linux systems by-default do have security turned-on. Here's how you can use Linux's built-in security to quickly strengthen your system against most "virus" or "worm" attacks: (P.S: Most of these maxims apply equally well to Windows!)

Set up a non-privileged, ordinary user-id for yourself: Even though you, as the owner of the computer, have the authority to do anything you wish with "your" computer, you do not want "any program you might happen to run" to have the same authority! So, for most uses of your machine, you should set up a perfectly ordinary non-privileged account for yourself. This is your daily role, which is simply that of an ordinary user. When your friends want to use your machine, set up a separate (per-person) account for them.

Set up a separate "system maintenance" account, apart from root: When you are maintaining applications, or the system itself, you should have a separate user-id for that role. This user might have more expansive access to system files, and in any case it will be the "owner" of the application files and directories. This account is separate from root, which is used only for the tasks which require it.

Disable, or remove, all un-necessary logins: Some user-names and group-names exist just for ownership of system files, and never "log in." Make sure that these accounts, like [b]news, mail, and so-on, are disabled for login. (Set the "shell" to /bin/false or somesuch.)

Stop all unnecessary services (daemons): Many distributions install lots of stuff that you don't actually use. If you don't actually use a service, stop it. Even ssh... if you don't use it, stop it.

Use a firewall: The first thing "downstream" of your cable-modem or DSL box should be a router... with a built-in firewall that is turned on.

Don't use passwords out of a dictionary: Scripts can try thousands of words from a dictionary. Simple concatenations of words, or the first letters of a phrase, will never be found in such a search. Use these.

If you "wear many hats," have several user-ids: Aside from the system-maintenance role mentioned above, if you serve several roles in your (maybe one-man) business, have a separate user-id for each one. This will keep the files logically and easily separated from one another.
Interesting
 
Old 11-26-2005, 04:11 PM   #6
Lleb_KCir
Senior Member
 
Registered: Nov 2003
Location: Orlando FL
Distribution: Debian
Posts: 1,765

Rep: Reputation: 45
Quote:
Originally posted by jailbait
"now even running as user or limited user things can still be installed or can work around the "windows security" but it is not as easy."

So did the people who ran as user block Sony's rootkit?

--------------------------
Steve Stites
simple as stated above 99% of windows users run as administrator. that allows for the rootkit to be installed without question by the system. no different if a linux user were stupid enough to install something as ROOT on their system that contained a hidden rootkit.
 
Old 11-26-2005, 04:33 PM   #7
ethics
Senior Member
 
Registered: Apr 2005
Location: London
Distribution: Arch - Latest
Posts: 1,522

Rep: Reputation: 45
Whilst it's true you shouldn't run windows as admin.

Some poorly designed/implemented software (especially games with anti-cheat areas) fail unless run via an admin account.
 
Old 11-26-2005, 04:33 PM   #8
spooon
Senior Member
 
Registered: Aug 2005
Posts: 1,755

Rep: Reputation: 49
Re: How to keep your system secure ...

Quote:
Originally posted by sundialsvcs
Set up a separate "system maintenance" account, apart from root: When you are maintaining applications, or the system itself, you should have a separate user-id for that role. This user might have more expansive access to system files, and in any case it will be the "owner" of the application files and directories. This account is separate from root, which is used only for the tasks which require it.
I agree with the system maintenance account, but I don't think you should give it access to many files; instead you should give this account sudo privileges, so you never run as root. This way, you can have an account that can do anything root can do; but you don't have to worry about walking away when it's logged in since you need to enter the password of this account (which random people wouldn't know) to use sudo, and otherwise if the account gets trashed it should do no damage.

Quote:
Even ssh... if you don't use it, stop it.
And if you do use SSH (like most people), you should make sure root login is disabled: look at /etc/ssh/sshd_config and make sure the line with "PermitRootLogin" is uncommented and says "PermitRootLogin no".
 
Old 11-26-2005, 04:37 PM   #9
ethics
Senior Member
 
Registered: Apr 2005
Location: London
Distribution: Arch - Latest
Posts: 1,522

Rep: Reputation: 45
Re: Re: How to keep your system secure ...

Quote:
And if you do use SSH (like most people), you should make sure root login is disabled: look at /etc/ssh/sshd_config and make sure the line with "PermitRootLogin" is uncommented and says "PermitRootLogin no".
Learn somethign useful everyday
 
Old 11-26-2005, 05:58 PM   #10
jailbait
LQ Guru
 
Registered: Feb 2003
Location: Blue Ridge Mountain
Distribution: Debian Jessie, Linux Mint 17
Posts: 7,793

Rep: Reputation: 292Reputation: 292Reputation: 292
"Learn somethign useful everyday"

So did the Microsoft users who followed all of these rules block the Sony rootkit?

Or are they going to have to switch to BSD, Linux, OS X, or Solaris to have a secure system?

---------------------------
Steve Stites
 
Old 11-26-2005, 06:05 PM   #11
MasterC
LQ Guru
 
Registered: Mar 2002
Location: Salt Lake City, UT - USA
Distribution: Gentoo ; LFS ; Kubuntu
Posts: 12,612

Rep: Reputation: 64
Are you baiting people

This is not a thread about Linux vs Windows, let's please keep it that way. Discussing keeping your System secure in Linux is just fine though.

Just want to make sure everyone knows, we've got quite the amazing threads over in the Linux - Security forum if you are at all concerned about Security (which you ALL should be) that's a great place to spend an afternoon.

Cool
 
Old 11-26-2005, 06:52 PM   #12
Lleb_KCir
Senior Member
 
Registered: Nov 2003
Location: Orlando FL
Distribution: Debian
Posts: 1,765

Rep: Reputation: 45
Quote:
Originally posted by ethics
Whilst it's true you shouldn't run windows as admin.

Some poorly designed/implemented software (especially games with anti-cheat areas) fail unless run via an admin account.
this is true. you can still run as "user" and use the run as function via shift right click, there are also much more complicated ways of manipulating the registry to allow for the program to be installed, then run as user, just depends on how bad a hack job the game/program was coded in the first place.

that does not protect you from installing things like the sony rootkit, but does make it a choice to install something rather then none at all as is the case if you are running as administrator or root.

then it works slightly more like linux with user modes and if you want to do something that is potentially dangerous to your system it will tell you that you need root/administrative permissions to do so.

*big side note* in the case of the sony rootkit what makes it so bad is that Sony lied to its customers and told them they were installing a media player ONLY, it said nothing about installing software that spy's on the user, that reports listening habits, and that infects their computer with the rootkit.

in the case of a major corp. doing something as underhanded and illegal as what Sony has done there is little the average EU can do about it until the information has come out like it has with the Sony rootkit. Now there are legal actions being taken by CA and Tx with NY to fallow, and who knows how many other states will come too. Top that off with Italy and potentialy the UK and maybe even the EU getting involved with this situation, Sony has really screwed the pooch so to speak.
 
Old 11-26-2005, 07:02 PM   #13
jailbait
LQ Guru
 
Registered: Feb 2003
Location: Blue Ridge Mountain
Distribution: Debian Jessie, Linux Mint 17
Posts: 7,793

Rep: Reputation: 292Reputation: 292Reputation: 292
"Are you baiting people"

Yes. This thread starts off with:

"Microsoft Windows gets a lot of bad-rap for (lack of) security ... a reputation it really does not quite deserve, because Windows does have a good security model. The only trouble is, it's usually turned off! "

Then it gives a list of rules whereby people can make Windows secure. The people who created this thread are trying to create the impression that Windows is secure, it is just the dummies who use it that are the problem. So I am baiting them into proving how a Windows user could have secured himself against the Sony rootkit. My thesis is that Windows is inherently insecure.

-----------------------------
Steve Stites
 
Old 11-27-2005, 12:47 PM   #14
sundialsvcs
LQ Guru
 
Registered: Feb 2004
Location: SE Tennessee, USA
Distribution: Gentoo, LFS
Posts: 7,506

Original Poster
Rep: Reputation: 2388Reputation: 2388Reputation: 2388Reputation: 2388Reputation: 2388Reputation: 2388Reputation: 2388Reputation: 2388Reputation: 2388Reputation: 2388Reputation: 2388
No, no, no... c'mon people! Obviously, no one is "baiting" anyone.

It is perfectly legitimate to bring Microsoft Windows into the picture, without bashing it if you please, because (like it or not) it is the other operating-system that "we all use to some degree or another." Furthermore, it's probably sharing our networks with our Linux and OS/X machines. Security, and good security practices, therefore must encompass all the OSes we use. 'Nuff said...

The Sony rootkit "worked" because of four grevious errors that are found on literally hundreds of thousands of machines worldwide:
  • Login security is turned off. User-ids and passwords are not required.
  • The user is operating as an administrator, with carte blanche access to the machine. Therefore, the Sony Rootkit also could go where it wished and do what it willed, unchallenged and unmolested. Viruses, malware, worms, you-name-it, can all do the same thing.
  • The computer "auto-runs" any program that is found on any CD/DVD that is inserted.
  • The user operating the machine is completely ignorant of security and has no appreciation of his own vulnerability. Neither Microsoft Corporation nor its many VARs want to "inconvenience" the user by teaching him a more secure procedure.
It is a simple fact that (a current version of) Windows does possess a robust security model that is every bit as strong as Linux's, if not stronger! But it does no good if it's turned off. Plenty of well-intentioned, smart, intelligent people do not know what to do about the problems: they've never been told anything. They're "ignorant" but they don't know they are so, and certainly wouldn't be if given some information and a choice.

If you own a game that must run as Administrator, then I would say... "don't run that game!" But if you do wish to run it, then you can, within Windows-NT, specify that this program should run under some other user's privileges. If you grant yourself the right to execute that program, and make all of the files associated with that application "read only" or "execute only" to its users, and you trust that application, then you can grant it permission to run as Administrator.

That's a very far cry from the default situation, in which every program that you run runs as "Administrator," even a program that you never suspected could exist on a "Music" CD.

The most essential basic tenets of computer security, from a single-system administrator's point of view, are as follows:
  • Classify users, according to their roles: Even if many roles are performed by a single person, each role played by that person has a "private office" and a separate identity.
  • Protect files, and other resources, according to roles: The default status of all files and libraries, other than those owned by the user for his personal use alone, should be read-only or execute-only. In the Windows environment, global system-wide changes to the Registry should be "impossible, period."
  • Disciplined user-id management: There should be no unnecessary login id's; no "guest" accounts; no services (daemons) running that you don't need; no passwords lifted straight out of a dictionary. Do not respond to any prompt asking you for a password, unless you know where it came from. It's much better, and only slightly inconvenient, to briefly but explicitly log on as a supervisory account.
  • Trusted system-updates: All vendors provide trustworthy means to furnish operating-system updates to you, and they use no other source! They never use e-mail!
  • And finally, THINK. "Don't be so damned trusting!"

Last edited by sundialsvcs; 11-27-2005 at 12:49 PM.
 
Old 11-27-2005, 03:14 PM   #15
foo_bar_foo
Senior Member
 
Registered: Jun 2004
Posts: 2,553

Rep: Reputation: 52
i disagree that winblows security is adequate or whatever.
can't leave "run as" enabled good greif
even microsofts own programs like "picture it" can't run as regular user so being regular user is useless. Must be even the M$ programmers that created the policy system can't figure out how to use it. Either that or they didn't want to be botherd with avoiding putting spyware or whatever in their own product. And that is the real issue. If you can't read the Windows code you have NO IDEA what windows is doing at all. It might come with spyware rootkits and syscall hooks already installed for all we know.
But the real problem is buffer overuns and stack corruption everywhere.
a Windows computer is only safe hiding behind a Linux one to protect it.

You also say we don't know how to use windows and this is true but i wonder if anybody does.
It looks like to me like mine is running processes, even server processes, which there is absolutely NO MECHANISM available to the user to controll. Perhaps there is a mechanism and it is just so deeply burried and secret i'm not suposed to know about it because i certainly don't.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
How can I do a simple test to see how secure my system is? M$ISBS Linux - Security 1 07-21-2005 10:56 PM
VSFTPD with secure & non-secure logins Ricci Graham Linux - Software 5 04-07-2005 05:12 PM
secure stable network file system? SocialEngineer Linux - Networking 1 12-19-2004 08:05 AM
PHP: secure login system markus1982 Programming 4 10-16-2003 12:50 PM
how to get the most secure system... complus Linux - Security 7 08-17-2003 11:24 PM


All times are GMT -5. The time now is 12:40 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration