Basic Linux network security, Part 1

By its very nature, Linux offers many possibilities for remote users, when networked. Much of its popularity rests on the very fact that complex networking tasks can be achieved with relative simplicity and expediency. The downside of this, however, is that Linux can be vulnerable to serious remote compromise and penetration. For the beginner and average user, the solution is an understanding of basic Linux security.

If you have just made a fresh install of Linux, or are planning to do so, ensure it is an up-to-date release of Linux and its application base, as distributions lose currency very quickly. Also, though they are current at the time of shipping, default kernels are often out of date. It is possible that the kernel, which your distribution installs by default, has been found to have one or more security vulnerabilities. Therefore, once installation is complete, it should be a priority to determine if your kernel is the current, stable release. If it is not, check the CHANGES file to see what fixes are in the new kernel. If there are security fixes, the kernel should be upgraded (details of how to upgrade a kernel are in the kernel documentation itself). I often find the best place to do this is http://www.linuxhq.com or http://www.kernel.org. It is often beneficial to upgrade kernels when a new release is made, regardless of its security fixes, as other bugs are also solved.

Once a Linux system is up and running, it can date very quickly: the programs central to its running may be updated soon after your recent installation. If you didn't recently install a distribution, but had an existing system, these programs will also be out of date. Upgrades of such utilities can be done by your distribution's package system (if, indeed, it has one). For my money, however, I prefer to do it manually: I regularly check if my system utilities have been updated, and if the update is significant, I download, compile and install it. For the sake of speaking to the widest audience, and to provide the best understanding, I will discuss this method of maintenance.

So, what are the important system utilities about which I am talking? In the matter of the security of your machine on a network, it means anything which is involved in interfacing your machine to that network. These will usually be network daemons, or servers. To see which of these is running, you should consult your initialisation scripts, i.e., boot time setup scripts, which are usually in a directory off /etc, such as /etc/rc. Reading /etc/inittab should give an indication where they are, if you cannot find them.

The script called ‘rc.inet . . .' (where ‘. . .' signifies some arbitrary characters) is responsible for executing the network daemons. Unless you have a working knowledge and understanding, services such as inetd, http, nfs, rpc, lp, DNS, ftp, samba, pop and others should not be run. That is, unless you have more than basic network security knowledge, you should not run services other than the syslog daemon (often ‘syslogd') and an smtp mail daemon (‘sendmail' or an equivalent). In order to run only these services, all others should be commented out using a ‘#'. If other services are running, you should kill them immediately. Alternatively, you could reboot.

It is these necessary services - syslogd and the mail daemon - that must be kept up to date. The documentation that comes with the packages will detail what site you should consult in the future to see if the services have been updated.

Under this model, you are running only two services to which you can connect over the network. In themselves, those two services are quite complex, particularly the mail server. A more detailed explanation of mail security can be found at http://www.sendmail.org.

Perhaps the most important aspect of security under Linux, and any environment, is understanding the programs which are running, and their vulnerabilities. This understanding comes with experience and reading.

Next issue, I will look at running services under the Internet daemon inetd, particularly secure remote shell access, and how to restrict access using basic firewalling systems built into the daemon.

Join the newsletter!

Or

Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.
Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Gavin Sherry

PC World
Show Comments

Cool Tech

Toys for Boys

Family Friendly

Stocking Stuffer

SmartLens - Clip on Phone Camera Lens Set of 3

Learn more >

Christmas Gift Guide

Click for more ›

Brand Post

Bitdefender 2019

This Holiday Season, protect yourself and your loved ones with the best. Buy now for Holiday Savings!

Most Popular Reviews

Latest Articles

Resources

PCW Evaluation Team

Aysha Strobbe

Microsoft Office 365/HP Spectre x360

Microsoft Office continues to make a student’s life that little bit easier by offering reliable, easy to use, time-saving functionality, while continuing to develop new features that further enhance what is already a formidable collection of applications

Michael Hargreaves

Microsoft Office 365/Dell XPS 15 2-in-1

I’d recommend a Dell XPS 15 2-in-1 and the new Windows 10 to anyone who needs to get serious work done (before you kick back on your couch with your favourite Netflix show.)

Maryellen Rose George

Brother PT-P750W

It’s useful for office tasks as well as pragmatic labelling of equipment and storage – just don’t get too excited and label everything in sight!

Cathy Giles

Brother MFC-L8900CDW

The Brother MFC-L8900CDW is an absolute stand out. I struggle to fault it.

Luke Hill

MSI GT75 TITAN

I need power and lots of it. As a Front End Web developer anything less just won’t cut it which is why the MSI GT75 is an outstanding laptop for me. It’s a sleek and futuristic looking, high quality, beast that has a touch of sci-fi flare about it.

Emily Tyson

MSI GE63 Raider

If you’re looking to invest in your next work horse laptop for work or home use, you can’t go wrong with the MSI GE63.

Featured Content

Product Launch Showcase

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?