Good security practices for your GNU/Linux distro


If you are concerned about the security of your operating system, here are some good practices and tips that you can adopt in your favorite GNU/Linux distro to be a little more secure. You already know that *nix systems are more secure than Microsoft Windows by default, but they are not foolproof: nothing is 100% safe. Still, with that extra security and with the help of these recommendations, you can be a little calmer about possible attacks.

Moreover, these are very simple tips that most users will have no trouble with, but which many neglect out of laziness or carelessness. You already know that spending a while properly configuring your system and your other programs can save you from scares. If you want to know what you could do to protect your system, here are our recommendations...

The 10 commandments of security:

  1. Always download software from trusted sources. That also applies to the image of your distro, the drivers and the apps. For example, if you download applications, use your distro's software center or official repositories, or failing that, the project's official website, but never third-party websites. That doesn't guarantee anything, since the official server could have been attacked and the binary or the sources replaced, but at least that is more complicated. If you need drivers, you can get them from GitHub if they are open source, or from the hardware vendor's official website if they are proprietary. The same goes for video games, for example from Valve's Steam. This will keep you from downloading software that carries malicious code. Remember that if you use Wine, the vulnerabilities of those Windows programs could also affect you...
  2. Disable the root user when possible. Always use sudo.
  3. Never run X Windows or browsers as root. Nor any other program that you do not fully trust.
  4. Use a strong password, meaning at least 8 characters. It should not be made up of known words, birth dates, etc. Ideally, use a combination of lowercase letters, uppercase letters, numbers, and symbols. For example: aWrT-z_M44d0$
  5. Do not use that same password for everything, that is, avoid master passwords, because if they find it out, they have access to everything. If instead you compartmentalize, they can get into one system, but not into all your services.
  6. Uninstall all the software that you are not going to use. Do the same with services: deactivate every service that you do not consider necessary in your case. Close the ports you don't use.
  7. If you think you have been the victim of an attack or that someone has your password, change your passwords. If two-step verification is available on your systems, go for it.
  8. Keep the system always up to date. New patches cover known vulnerabilities, which prevents them from being exploited.
  9. Don't give excessive details when you sign up for online services. It is better to use false dates or names if it is not strictly necessary to use the real ones. Also, do not post technical or system details in public forums.
  10. If you receive email messages with unusual attachments, with extensions like .pdf.iso, etc., don't download anything. Also avoid browsing strange websites or downloading programs that appear on them. And ignore SMS or other messages asking you to reactivate a service or to give the password for a service; they could be phishing attempts.
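Rule 4 can be turned into a check. The following is an added example, not code from the original article: a POSIX shell function that enforces the rule's requirements (at least 8 characters; lowercase, uppercase, digits and symbols; no known words or years) and says which requirement a candidate fails. The word list is a small constructed sample standing in for a real dictionary, and the candidates tried at the bottom, apart from the article's own example, are made up.

```shell
#!/bin/sh
# Added example: a check for the password rule in point 4 of the article
# (at least 8 characters; lower and upper case, digits and symbols; no known
# words or birth dates). The word list is a small constructed sample standing
# in for a real dictionary; a real deployment would use a large list
# (or a tool such as cracklib) instead.

COMMON_WORDS="password qwerty letmein welcome admin linux"

# check_password PASSWORD
# Prints why the password fails (or "ok") and returns 0 if it meets the policy,
# 1 otherwise. The value is handed to the tools with printf '%s' so that no
# echo quirks or trailing newline take part in the matching.
check_password() {
    pw=$1
    if [ "${#pw}" -lt 8 ]; then
        echo "too short: fewer than 8 characters"
        return 1
    fi
    # Known words: case-insensitive substring match against the sample list.
    lower=$(printf '%s' "$pw" | tr '[:upper:]' '[:lower:]')
    for w in $COMMON_WORDS; do
        case "$lower" in
            *"$w"*) echo "contains a common word: $w"; return 1 ;;
        esac
    done
    # Dates: a four-digit year (19xx or 20xx) is the usual tell of a birth date.
    if printf '%s' "$pw" | grep -Eq '(19|20)[0-9]{2}'; then
        echo "looks like it contains a year"
        return 1
    fi
    # Character classes: one test per class, so the message says what is missing.
    printf '%s' "$pw" | grep -q '[[:lower:]]'  || { echo "missing a lowercase letter"; return 1; }
    printf '%s' "$pw" | grep -q '[[:upper:]]'  || { echo "missing an uppercase letter"; return 1; }
    printf '%s' "$pw" | grep -q '[[:digit:]]'  || { echo "missing a digit"; return 1; }
    printf '%s' "$pw" | grep -q '[^[:alnum:]]' || { echo "missing a symbol"; return 1; }
    echo "ok"
    return 0
}

# Demo on a few constructed candidates, including the article's own example.
for candidate in 'aWrT-z_M44d0$' 'password' 'Juan1990!' 'Short1!' 'CorrectHorse42'; do
    printf '%-16s -> ' "$candidate"
    check_password "$candidate" || true
done
```

The checks are ordered so that the most informative reason is reported first: a dictionary word is rejected as such even when it would also fail the character-class tests.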

Beyond that, I also advise the following, depending on whether you run a desktop or a server:

| Policy | For a normal user | For a server |
| --- | --- | --- |
| Disable the SSH protocol | Yes, if you are not going to use it. In any case, disable root access, set a strong password, and change the default port. | No, it will generally be required for remote administration. But you can secure it with a good configuration. |
| Configure iptables | You should have at least some basic rules defined. | It is essential to have a complex set of rules to protect the server. |
| IDS | Not necessary. | Yes, you should have auxiliary protection systems such as an IDS. |
| Physical / boot security | Not essential, but it would not hurt to set a password on your BIOS/UEFI and your GRUB. | It is essential to restrict access through physical protection. |
| Data encryption | Not essential, but it is highly recommended to encrypt your disk. | It depends on each case. In some it should be done, in others not, or perhaps only on some partitions. It depends on the type of server. |
| VPN | It would be advisable to use a VPN configured on your router, so that all the devices you connect are secured. Or at least on the one you use the most. | No; due to the nature of the server, it should not be behind a VPN. |
| Enable SELinux or AppArmor | Yes, you should configure it. | Yes, it is essential. |
| Monitor permissions and attributes, and have a good administration policy | Recommended. | Essential. |
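The SSH row of the table names three settings (no root access, strong authentication, non-default port). As an added example, not from the original article, the shell script below audits an sshd_config for those three settings and reports each one; the two configurations it checks are constructed samples written to temporary files, and the port 2222 in the hardened sample is just an example. The authentication check goes one step beyond the table's "strong password": it expects key-based login with PasswordAuthentication turned off, which is the stricter form of the same advice.

```shell
#!/bin/sh
# Added example: audit an sshd_config against the SSH row of the table
# (no root login, strong authentication, non-default port). The two config
# files are constructed samples written to temporary files; point audit_sshd
# at /etc/ssh/sshd_config to check a real host.

# ssh_setting FILE KEYWORD DEFAULT
# Effective value of KEYWORD: sshd honours the first occurrence of a keyword and
# ignores comment lines, so the first uncommented match wins; DEFAULT is
# OpenSSH's own default for when the keyword is absent.
ssh_setting() {
    v=$(grep -i "^[[:space:]]*$2[[:space:]]" "$1" | head -n 1 | awk '{print $2}')
    printf '%s' "${v:-$3}"
}

# audit_sshd FILE
# Prints one line per setting and returns 0 only when all three are in order.
audit_sshd() {
    f=$1
    bad=0
    root=$(ssh_setting "$f" PermitRootLogin prohibit-password)
    pass=$(ssh_setting "$f" PasswordAuthentication yes)
    port=$(ssh_setting "$f" Port 22)
    if [ "$root" = no ]; then
        echo "ok:   PermitRootLogin no"
    else
        echo "weak: PermitRootLogin $root (set it to no; log in as a user and use sudo)"
        bad=1
    fi
    if [ "$pass" = no ]; then
        echo "ok:   PasswordAuthentication no (key-based login)"
    else
        echo "weak: PasswordAuthentication $pass (a guessable password is the only barrier)"
        bad=1
    fi
    if [ "$port" = 22 ]; then
        echo "weak: Port 22 (the default; moving it cuts down automated scanning noise)"
        bad=1
    else
        echo "ok:   Port $port"
    fi
    return $bad
}

# Two constructed sample configurations, removed again when the script exits.
weak_cfg=$(mktemp)
hard_cfg=$(mktemp)
trap 'rm -f "$weak_cfg" "$hard_cfg"' EXIT
cat > "$weak_cfg" <<'EOF'
# constructed sample: untouched defaults plus root login switched on
#Port 22
PermitRootLogin yes
PasswordAuthentication yes
EOF
cat > "$hard_cfg" <<'EOF'
# constructed sample: the table's recommendations applied
Port 2222
PermitRootLogin no
PasswordAuthentication no
EOF

echo "== weak sample =="
audit_sshd "$weak_cfg" || echo "-> needs attention"
echo "== hardened sample =="
audit_sshd "$hard_cfg" && echo "-> all good"
```

On a real host, `sshd -T` (run as root) prints the effective configuration with every include and default resolved, and is the authoritative input for a check like this; reading the file directly, as above, is fine for a quick look but misses Include directives and Match blocks.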
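The iptables row asks for "some basic rules" on a desktop and a fuller set on a server. The script below is an added example, not from the original article, that writes both profiles in iptables-restore format so they can be read and counted as text before being loaded; the port numbers in the demo (SSH on 2222, web on 80 and 443) are examples chosen here, and the rate limits are reasonable starting values rather than anything the article prescribes.

```shell
#!/bin/sh
# Added example: iptables rulesets for the two profiles in the table, written in
# iptables-restore format so they can be reviewed as text before being loaded
# (for example `desktop_rules | sudo iptables-restore`, then persisted with your
# distro's iptables-persistent package or iptables.service). The port numbers
# used in the demo at the bottom are examples, not from the article.

# Shared head of both rulesets: drop inbound and forwarded traffic by default,
# allow loopback and replies to connections we opened, drop malformed packets.
common_header() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
EOF
}

# desktop_rules: the table's "some basic rules" for a normal user. Nothing is
# exposed; only rate-limited ping is answered in addition to the header.
desktop_rules() {
    common_header
    cat <<'EOF'
-A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/s -j ACCEPT
COMMIT
EOF
}

# server_rules SSH_PORT [SERVICE_PORT ...]: the table's server profile. SSH is
# accepted only on the non-default port chosen in sshd_config, and a source
# opening more than three new SSH connections per minute is dropped (a brake on
# password guessing); each extra argument opens one TCP service port; anything
# else is logged (rate-limited) and then falls through to the DROP policy.
server_rules() {
    ssh_port=$1
    shift
    common_header
    printf '%s\n' "-A INPUT -p tcp --dport $ssh_port -m conntrack --ctstate NEW -m recent --set --name SSH"
    printf '%s\n' "-A INPUT -p tcp --dport $ssh_port -m conntrack --ctstate NEW -m recent --update --seconds 60 --hitcount 4 --name SSH -j DROP"
    printf '%s\n' "-A INPUT -p tcp --dport $ssh_port -j ACCEPT"
    for p in "$@"; do
        printf '%s\n' "-A INPUT -p tcp --dport $p -j ACCEPT"
    done
    cat <<'EOF'
-A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/s -j ACCEPT
-A INPUT -m limit --limit 3/min -j LOG --log-prefix "iptables-drop: "
COMMIT
EOF
}

# count_open_tcp_ports: reads a ruleset on stdin and counts the TCP ports that
# reach ACCEPT; a quick review figure to compare with what you intended to open.
count_open_tcp_ports() {
    grep -c -- '--dport [0-9][0-9]* -j ACCEPT' || true
}

echo "== desktop profile =="
desktop_rules
echo "== server profile (SSH on 2222, web on 80/443) =="
server_rules 2222 80 443
echo "open TCP ports in the server profile: $(server_rules 2222 80 443 | count_open_tcp_ports)"
```

Because the default INPUT policy is DROP, anything not explicitly accepted is closed, which is how "close the ports you don't use" from rule 6 becomes enforced rather than merely intended; the LOG rule on the server makes those drops visible in the kernel log for the IDS or for manual review.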


  1.   mlpbcn said

    The article is very good, but now you have to make one clearly explaining how all the advice you give is done, because for example I don't know how many of them are done, even though I have been using Linux for about 10 years. And I consider that what this article exposes is extremely important and that you should not only say what to do, but also explain how it is done.

  2.   Daniel said

    Very good article, a demo video would be very good and would help all GNU/Linux users, both novice and advanced. Greetings.

  3.   Aradnix said

    The advice is good in general, but there was a recent vulnerability with sudo, which, in addition to the criticisms, is a detail that should not go unnoticed because many distros have not corrected it yet; the patch for sudo is not everywhere.

    The other thing is that there are several tips that contradict what was said in the second paragraph, because they are not trivial or simple. For example, what are the minimum rules that a mortal, ordinary user should configure? Or what is an IDS, does it come by default, how is it disabled? For those who are interested, how is physical security enabled at startup? How do you configure a VPN for the router, and what VPN service is recommended that doesn't collect my data and really respects my privacy? That is not an easy question to answer.

    SELinux in Fedora years ago was a pain in the balls and configuring it was not easy; again, you have to explain how to do it, and the same with AppArmor. Finally, how do you have a good administration policy? Taking into account that many users are far from a sysadmin profile that may have a clearer idea of this issue.

    I hope that this article is the tip of the iceberg of several others on security where it delves into these recommendations that although they are correct, they are neither clear nor simple for a large number of users.

  4.   Fernando said

    Hello, I agree with the others, a little explanation on some of the topics discussed would not hurt. But maybe we'd be spoiling the surprise hahaha. Greetings and good article.