Before getting into specifics, let's try to briefly answer some questions
about why we need to be concerned about security in the first place.
It is easy to see why an e-commerce site, an on-line bank, or a government
agency with sensitive documents would be concerned about security. But what
about the average user? Why should even a Linux home Desktop user worry about
security?
Anyone connected to the Internet is a target, plain and simple. It
makes little difference whether you have a part-time dialup connection, or a
full-time connection, though full-time connections make for bigger targets.
Larger sites make for bigger targets too, but this does not let small users
off the hook since the "small user" may be less skilled and thus
an easier victim.
There are those out there that are scanning just for easy
victims all the time. If you start logging unwanted connection attempts,
you will see this soon enough. There is little doubt that many of these
attempts are maliciously motivated and the attacker, in some cases, is
looking for Linux boxes to crack. Does someone on the other side of the globe
really want to borrow my printer?
What do they want? Often, they just may want your computer, your IP
address, and your bandwidth. Then they use you to either attack others, or
possibly commit crimes or mischief and are hiding their true identity behind
you. This is an all too common scenario. Commercial and high-profile sites
are targeted more directly and have bigger worries, but we all face this type
of common threat.
With a few reasonable precautions, Linux can be very
secure, and with all the available tools, makes for a fantastically fun and
powerful Internet connection or server. Most successful break-ins are the
result of ignorance or carelessness.
The bottom line is:
These are all real possibilities, unless we take the appropriate
precautions.
![Warning](../images/warning.gif) | If you are reading this because you have already been broken into, or
suspect that you have, you cannot trust any of your system utilities to
provide reliable information. And the suggestions made in the next several
sections will not help you recover your system. Please jump straight to the
Have I been Hacked? section, and read that
first.
|
Ideally, we would want one computer as a dedicated firewall and router. This
would be a bare bones installation, with no servers
running, and only the required services and components installed. The rest of
our systems would connect via this dedicated router/firewall system. If we
wanted publicly accessible servers (web, mail, etc), these would be in a
"DMZ" (De-militarized Zone). The router/firewall allows
connections from outside to whatever services are running in the DMZ by
"forwarding" these requests, but it is segregated from the rest
of the internal network (aka LAN) otherwise. This leaves the rest of the
internal network in fairly secure isolation, and relative safety. The
"danger zone" is confined to the DMZ.
But not everyone has the hardware to dedicate to this kind of installation.
This would require a minimum of two computers. Or three, if you would be
running any publicly available servers (not a good idea initially). Or maybe
you are just new to Linux, and don't know your way around well enough yet. So
if we can't do the ideal installation, we will do the next best thing.
Before we get to the actual configuration sections, a couple of notes.
First, one of the interesting aspects of Linux, is the different
distributions like Caldera, Red Hat, SuSE, and Debian. While these are all
"Linux", and may share certain features, there is surely some
differences as to what utilities they may install as defaults. Most Linux
distributions will write their own system configuration tools as well. And with
Linux, there is always more than one way to skin a cat. But for the purposes
of our discussion, we will have to use as generic set of tools as we can.
Unfortunately, GUI tools don't lend themselves to this type of documentation.
We will be using text based, command line tools for the most part. If you
are familiar with your distribution's utilities, feel free to substitute
those in appropriate places. And if not, you should learn them or suitable
alternatives.
The next several sections have been written such that you can perform the
recommended procedures as you read along. This is the
"Quick Start" in the document title!
To get ready, what you will need for the configuration sections below:
A text editor. There are many available. If you use a file manager
application , it probably has a built in editor.
This will be fine. pico and mcedit
are two relatively easy to use editors if you don't already have a
favorite. There is a quick guide to Text
editors in the Appendix that might help you get started. It is
always a good idea to make a back up copy, before editing system
configuration files.
For non-GUI editors and some of the commands, you will also need a
terminal window opened. xterm,
rxvt, and gnome-terminal all will
work, as well as others.
You should also be familiar with your distribution's method of stopping
services from running on each boot. Also, how they install (and uninstall)
packages (rpm, deb, etc). And where
to find the updates for your release. This information is available in
your release's documentation, or on your vendor's web site.
We'll be using a hypothetical system here for examples with the hostname
"bigcat". Bigcat is a Linux desktop with a fresh install of the
latest/greatest Linux distro running. Bigcat has a full-time, direct Internet connection. Even if your
installation is not so "fresh", don't be deterred. Better late
than never.