I agree that Linux is less vulnerable than Windows, but that doesn’t make it immune to attackers. It’s not always about security flaws, buffer overflows or denial of service attacks. Most intruders exploit incorrect system configurations or access permissions which are often caused by user ignorance.
I came up with a list of 10 basic rules that should reduce the security risk.
- Download the ISO for your preferred distro from trusted sources. It’s recommended to visit the official web page and select a download method from there. If you are downloading from unofficial torrent sites for higher speed rates, make sure they’re using the same tracker. Upon downloading always check the SHA1/MD5 sum.
- Don’t perform a full install. Select only packages that you need, why waste the disk space? Fewer packages means less bugs.
- After the installation, disable any unwanted services. A running service means an open port to the outside. If you don’t need that service, it’s better to disable it. Run netstat -ntlp | grep LISTEN as root to find out which services are running. Also, if you don’t use IPv6, you can safely deactivate IPv6 support in your network card configuration.
- Run a firewall. Either you use a distro specific GUI or configure it yourself, the firewall is a must-have security measure if you have an active network connection, as it drops unnecessary traffic and blocks a possible intruder.
- Configure tcp_wrappers. It’s really easy to do it and it gives you an extra layer of security. You can control access to all services (e.g. SSH) that are linked against libwrap or run by a super daemon (e.g. xinetd).
- Avoid using the root account. Configure sudo access for your user, it’s safer.
- Update your system on a regular basis. Don’t mind the daily updates, they’re meant to resolve bugs and keep your machine more secure.
- Use trusted software sources. Try not to install packages from unknown websites and stick to the official repositories. Avoid compiling from sources and use your distro’s package management system instead.
- If you access FAT/NTFS or Samba shares, install an Antivirus software (e.g. Clamav). You may not be vulnerable to Windows malware, but you can infect other users on the network.
- Use an Intrusion Detection System like aide or tripwire. In addition, use rkhunter to scan for backdoors and rootkits and logwatch to monitor your system.
- Set an email alias for root. Most cron jobs send emails to the root user with their findings. Read them!
- Have an active backup solution to synchronize your data to some other location. It’s better to be safe than sorry.