Some of my Linux security tips

Linux is such a great operating system with literally hundreds of distros (distributions) and desktops for your needs. However, it’s not secure by default, so don’t neglect that essential aspect.

What is this guy saying about Linux??!

Please don’t get me wrong with this post. Linux IS quite safe and has many secure configurations by default!

It’s undeniable. Whether it’s memory access and management, privileges, or kernel updates, Linux has everything to be the most robust system. However, you need to be a power user to leverage the benefits of the most advanced tweaks.

In a nutshell, depending on the distro you choose, you won’t get the same security features, and you’d better know what you’re doing. Otherwise, you might put yourself at risk with processes you don’t fully understand.

N.B.: Please go to this page if you want to download and test some variants of Ubuntu and other major versions, because I won’t list them here.

Disable unused services and ports

The most generic distros might be handy for beginners because you don’t have to install everything manually, but it might also activate many services you don’t need by default.

For example, on Ubuntu, whether it’s for a server or a desktop, you may run the following:

sudo apt-get purge --auto-remove telnetd ftp vsftpd samba nfs-kernel-server nfs-common

Of course, if you need one or several of these services, don’t include them in the command line. In any cases, such services will be enumerated by most attackers if they try to hack their way in.

N.B.: the syntax may vary significantly for distros that are not based on Debian.

Regarding ports, you can use nmap to enumerate them. When a service is listening for some connections, it uses an open port.

Using a firewall on Linux is strongly recommended. Even if it’s not bullet proof, it’s a great way to filter what goes in and out. Deinstalling stuff is not enough. You have to block ports too. For example, configure your firewall to block port 21 if you don’t need any FTP access.

Don’t have a CTF-like machine/server

The machines you get in CTFs are particularly flawed. Pretty much everything is opened without monitoring. If you manage to get a shell, privilege escalation can often be achieved by simply running known scripts such as linpeas.

After that, it’s only a matter of time before you can run the right exploit kit to get the targeted root access.

It’s pretty fun, but in real life, being able to download stuff on internet or from another machine on the network, or the possibility to run netcat commands with unprivileged accounts without any restrictions is a huge security hole.

That’s the point with CTFs: attacking vulnerabilities and practicing even if the scenario is a bit less realistic. For example, CTF’s authors may have to configure very specific settings to allow the exploit, which would not happen in real life even if the admin is particularly sloppy.

Don’t get me wrong. Many scenarios are based on real situations, but CTFs’ machines are often open boxes with almost inexistent protection, and when there are some defense mechanisms, the CTF will likely be marked as intermediate or hard.

Again, in real life, you probably want to keep your system up-to-date, change default port 22 for SSH, disable root login, disallow empty passwords and enforce password complexity, fine tune sudo configurations, and audit your system on a regular basis.

Learn Linux security

It’s hard, perhaps impossible, to get an exhaustive list, but the above links are great resources for Linux security, IMHO.

See Also