Security Tip # 4 – Software updates

This post is part of a series on the top 10 things I look for when securing my home Linux installations. You can find the other posts here.

Before we begin: The commands below are based on Fedora Workstation, releases 34 & 35. That is because Fedora, RHEL and variants are my personal Linux comfort zone. I have a working knowledge of Ubuntu and its variants too, so feel free to pop a question into the comments below if you want some pointers in the Ubuntu space.

Apply software updates automatically or often

Applying software updates (a.k.a patching) is necessary to get fixes for the software packages on our home Linux systems. This keeps systems up to date with security fixes, and makes new functionality available as developers and vendors roll these out.

DNF is Fedora’s default package manager, replacing YUM several releases ago. Apt is Ubuntu’s default package manager.

To check for available patches and software updates on a Fedora system:

sudo dnf check-update

You can patch your Fedora system by running:

sudo dnf update

To automate some of DNF’s functions, install dnf-automatic and configure it to your needs. This will be the subject of a future blog post. Be aware of internet data costs if you have a metered connection!

I run GNOME (Fedora’s default desktop manager), therefore much of my system’s software management happens through GNOME Software. Updates can be set to apply automatically through Preferences in the GNOME Software interface. Again be aware of internet data costs.

To keep costs down on metered connection, you can label your network connection as metered under GNOME’s Wi-Fi settings, and then configure GNOME Software to only automatically download on unmetered connections. See below.

Find out more

A final word on Tip # 4: Do the same on all devices in your home network.

Recap of my top 10 things to look for when security Linux @home

  1. Enable and use an OS-level firewall
  2. Enable SELinux or another Mandatory Access Control mechanism
  3. Use sudo
  4. Apply software updates automatically or often
  5. Use encryption
  6. Use multi-factor authentication
  7. Enable threat-detection
  8. Browse securely
  9. Limit running services
  10. Backup securely

That’s it! ‘Like’ or comment to let me know what you think of these tips so far. And check back in on Monday for Tip # 5. Until then, have a great weekend!

A glossary of terms is available here.

Once again, ensure you’re familiar with the disclaimer here!

Sources

The post references documentation and articles on fedoraproject.org. Sources are linked to within the post’s content above.

Wave image from Pexels.com by DLKR

Security Tip # 3 – sudo

This post is part of a series on my top 10 tips for securing Linux home installations. You can find the other posts here.

Use sudo

Sudo allows a user account on a Linux machine to run commands and perform tasks as another user. Typically, as an administrator or root user. Most modern Linux distros will prompt for sudo access to root to be configured during installation. Direct login as user ‘root’ is usually disabled by default, though it can be enabled by setting a password for the root user.

My recommendation is to leave direct root logins disabled, and continue using sudo for privileged access as needed. Here’s why:

  • The root user on a Linux machine has god-like powers. A human error can easily trash a Linux system when the user is logged on as root, or a process is running as the root user.
  • Performing your day-to-day tasks as a non-privileged user provides a measure of sandboxing. Your Linux apps won’t be running as root with unnecessary power over your machine.
  • Finally all sudo access gets logged, providing an audit trail which helps track unusual activity on your system.

So how do you run sudo? Simply run the command you want to run as another user, preceded by the word ‘sudo’.

sudo <command>

You will be prompted to enter your own password. This is to prove that you are you, before proceeding. Sudo will then check if your user account has the privileges necessary before running the command.

For example, to view the sudoers file which is only readable by user root:

sudo cat /etc/sudoers

Another example, to update all packages on a Fedora system:

sudo dnf update

You can use sudo to take on the identity of another user. This is most often used to take on root’s identity:

sudo su - root

This should take you to the ‘#’ prompt, indicating you have now become root. I recommend limiting the commands run in this mode for the reasons listed above.

Configuring and customizing sudo

Sudo can be configured by editing the sudoers file using visudo or by creating sudo ‘modules’ in /etc/sudoers.d/. Stay tuned for a future deep-dive into sudo.

Also, sudo’s behaviour can be customized – for instance, the password prompt timeout (how often sudo prompts a user for a password) can be changed. Sudo can also be configured to not prompt for a password (not recommended for general usage, it defeats the purpose of using sudo).

Find out more

That’s it! Stay tuned for Tip # 4 tomorrow. Meanwhile, let me know what you thought of this article by leaving a comment below.

A glossary of terms is available here.

Once again, ensure you’re familiar with the disclaimer here!

Sources

The post references documentation and articles on github.com, and fedoraproject.org. Sources are linked to within the post’s content above.

Featured image by Pixabay on Pexels.com.

Security Tip # 2 – SELinux or other mandatory access control

This post is part of a series on my top 10 tips for securing Linux home installations. You can find the other posts here.

Enable Mandatory Access Control (MAC)

Traditionally, Linux and Unix operating systems have implemented simplistic access controls (a Discretionary Access Control (DAC) approach). These are relatively easy to exploit, and have limited flexibility in securing access to files, processes and resources. A MAC framework offers finer-grained control over users and processes on a system.

On Fedora, MAC is implemented via SELinux. It is enabled by default and set to enforcing mode on a standard Fedora system install. For most purposes you won’t need to tweak the default settings.

If you are running a Ubuntu variant, the MAC implementation would probably be AppArmor, though SELinux and AppArmor aren’t exactly equivalent.

What exactly is SELinux?

It’s a mechanism to control access within a Linux system to files, processes, applications, and ports. Access to these entities can be enforced or denied by SELinux security policies.

Check if SELinux is enabled and in enforcing mode

On Fedora you can check if SELinux is enabled using one of the following:

sestatus
getenforce

To modify the SELinux mode to enforcing, you can run either:

sudo setenforce Enforcing

or:

sudo setenforce 1

To modify the SELinux mode to permissive you can run either:

sudo setenforce Permissive

or:

sudo setenforce 0
Find out more

A Soapbox Moment

I wish I had a dollar for every time I’ve seen a system with SELinux permanently disabled or permanently placed in permissive mode. This defeats its purpose and robs the system of SELinux’s power! This article from TechRepublic explains why running SELinux in enforcing mode is important.

Note that placing SELinux in permissive mode temporarily is useful when trying to determine if a problem is SELinux-related.

Stay tuned for a future post on SELinux, including how to monitor audit logs, create custom policies and configure booleans.

Recap of my top 10 tips for securing Linux@home

  1. Enable and use an OS-level firewall
  2. Enable SELinux or another Mandatory Access Control mechanism
  3. Use sudo
  4. Apply software updates automatically or often
  5. Use encryption
  6. Use multi-factor authentication
  7. Enable threat-detection
  8. Browse securely
  9. Limit running services
  10. Backup securely

That’s it! I’ll have a bit more to say tomorrow on Tip # 3 – use sudo. Meanwhile, let me know what you think of this tip by leaving a comment below.

A glossary of terms is available here.

Once again, ensure you’re familiar with the disclaimer here!

Sources

The post references documentation and articles on kernel.org, fedoraproject.org, redhat.com, ubuntu.com, and techrepublic.com. Sources are linked to within the post’s content above.

Featured image from Pexels.com by Ann H. Wave image from Pexels.com by DLKR

Security Tip # 1 – OS-level Firewall

In my previous post I listed my personal top 10 tips on securing a home Linux installation. Here are further thoughts on Tip 1.

Enable OS-level firewall and disable unnecessary ports and services

Firewalls block unnecessary traffic from getting to (inbound) or leaving from (outbound) your system. Correctly configured firewalls minimise the attack surface you present on the internet. Pro tip: create a cyber honeypot and monitor network traffic to it. You’ll be amazed at the amount of unsolicited requests and exploit attempts that start hitting your honeypot system.

You can use firewalld on Fedora or ufw on Ubuntu. Essentially these are front-end configuration tools for the Linux kernel’s netfilter subsystem.

Check if your system firewall is enabled

On Fedora, to check if firewalld is already running:

sudo systemctl status firewalld
sudo firewall-cmd --state

To identify the active firewalld zone and what ports and services are enabled:

sudo firewall-cmd --list-all-zones
Find out more

A final word on Tip # 1: Don’t forget to check that firewalls are enabled on all devices in your home network – routers, switches, any network-attached storage and IoT devices.

General notes:

  • Any commands above are based on Fedora Workstation, releases 34 & 35. That is because Fedora, RHEL and variants are my personal Linux comfort zone. I have a working knowledge of Ubuntu and its variants too, so feel free to pop a question into the comments below if you want some pointers in the Ubuntu space.
  • I will usually give command-line instructions through this blog. Partly because the CLI is what I am most familiar with. The CLI can also provide finer configuration control, with better opportunities to understand how systems work under the hood.
  • Finally, I have given the commands but not expected outputs. Those will have to wait for future deep-dives into specific topics.

That’s it! Stay tuned for Tip #2 of my top 10 tips for securing Linux @home. Let me know what you think of this one by leaving a comment below.

A glossary of terms is available here.

Once again, ensure you’re familiar with the disclaimer here!

Sources

This post references documentation and articles on netfilter.org, fedoraproject.org, redhat.com, ubuntu.com and kaspersky.com. Sources are linked to within the post’s content above.

Featured image from Pexels.com by Mayur Rawte.

My Top 10 Tips for Securing Linux @home

In my previous post I shared how I learned that IT security is like physical security: we have to know our context, understand the threats in it and secure accordingly. Each person’s security needs are different. No-one can give a complete one-size-fits-all guide to securing everybody’s Linux environments at home.

However some general concepts apply. Here are the 10 things I look for when securing my own home Linux installations.

Major edit alert!

I’ve realised there is a lot more material here than would fit into the original two posts I had. So I’ve given each tip a post of its own.

And the tips are…

  1. Enable and use an OS-level firewall
  2. Enable SELinux or another Mandatory Access Control mechanism
  3. Use sudo
  4. Apply software updates automatically or often
  5. Use encryption
  6. Use multi-factor authentication
  7. Enable threat-detection
  8. Browse securely
  9. Limit running services
  10. Backup securely

That’s it! More on each of my top 10 tips shortly. Meanwhile, what do you think of these tips? Please let me know in the comments below.

A glossary of terms is available here.

Once again, ensure you’re familiar with the disclaimer here!

Featured image from Pexels.com by Ann H. Wave image from Pexels.com by DLKR

Securing a home Linux installation

# systemctl is-active firewalld
active
# 

You’ve just installed a Linux variant on your laptop and you’re ready to play. But wait! Have you thought about security?

What you will find below are my general opinions on security as a Linux end user. This post is intended for educational and interest purposes only. I am not a Cybersecurity expert. Ensure you’re familiar with the disclaimer here!

There are two extremes at either end of the scale when it comes to end user security. Users at one extreme live their digital life as if it were an open book on the internet. Those at the second extreme go the opposite way. Users who fall into either extreme category regard those at the other end with derision (words like ‘paranoid’ or ‘cowboy’ get thrown around, and not in sympathy or admiration). Of course, most of us are positioned somewhere in the middle, though I must admit I find myself easily swaying between both extremes.

This post is about protecting Linux home computers from threats and attacks. This falls primarily into the realm of Cybersecurity, though there is some overlap with the field of Information Security. You can read a summary of the differences between Information Security (InfoSec) and Cybersecurity here at Cloud Academy.

Three facts inform my approach to personal ICT security:

1. Threats really do exist

https://threatmap.checkpoint.com/ has a great live map that puts some of this in perspective. The majority of exploits today are automated and therefore operate on a far larger scale and reach than ever before in history. No end user is too insignificant to be targeted by the machine.

2. Security measures are only effective if they are used

This was dinned into me by many wiser heads than I. If a security measure is too hard to use, people just won’t use it. That’s as bad as the security measure not being there in the first place! Sounds bleeding obvious right? However it’s surprisingly common for ICT security to be kiboshed by well-meaning users who bypass or ignore security measures simply to make their lives easier.

3. At this point in time no-one can give a single globally-applicable catch-all guide to securing your tech

I learned from a recent IT Security course I attended that, as an end user you have to know your context, understand the threats in it, and secure accordingly. This will almost certainly mean employing more than one – if not multiple – security measures to protect your home kit.

It can get pretty overwhelming fast. ICT Security in many ways seems like playing catch up, trying to keep pace with ever-evolving threats. However, we can cover some basics. Every bit counts. Join me over the next few weeks for my take on essential considerations for a home Linux setup.

Do you have key takeaways on end user security from a Linux perspective? Please feel free to leave a comment below.

Welcome to geek girl, linux land

$ whoami

Sometimes you have to leave something to realise how much you love it.

Earlier this year, I switched careers to chase a dream with my partner which involves working in a non-tech role overseas. Up until then I had identified as a systems engineer working in the Unix and Linux space. If one includes my time in university, I’ve spent close to 30 years immersed in the information technology industry.

For most of those years I felt like a reluctant sysadmin, struggled with imposter syndrome, and felt inadequate. Once I stepped away from it, I realised both how much I loved it, and what a privileged life I’ve led, working in tech for over two decades.

This blog is part of my staying sane and connected to the industry while I get myself established in my new career. There will most probably be some soap-box moments, perhaps some reminiscing, and quite likely some how-to docs in the vague hope that someone somewhere in the big ether world will find something in here useful.

Please read the about me page to find out more.

Please read the disclaimer before you implement any advice or recommendation here. TL;DR: you are responsible for any actions you take on yours or others’ systems. Not me.