One of the most attractive things about Linux is the number of installation options one is presented with and how tempting it is to customize. But for a newbie, in terms of Web security and PC hygiene, that's also the worst thing about it. The fact is, Windows is easier than Linux for a casual user to make fairly secure, whereas Linux is easier than Windows for a power user to make very secure.
For most home PC users, fairly secure is perfectly adequate, and that's what we'll be concentrating on below. In a week or two I'll get into details for power users, but for now I'm going to concentrate on a particular presumed reader: a home user who's fairly new to the Linux desktop, who's using a packaged distro, and who's not intimately familiar with PC security -- a 'recovering Windows user', let's say.
Fortunately, Linux is a wise investment; you already have, or can easily find for free, virtually everything you need to make it secure. There's no need to buy hundreds of dollars' worth of security utilities and services, though you do need to learn how to use what you've got. But before we get to the Internet security matters promised in the headline, we have some housecleaning to do.
Options up the butt
For those just getting started with Linux, it's easy to end up with a number of unnecessary services and daemons running, some (not all) of which may make your box less secure. You've got IRC servers, telnet servers, print servers, font servers, mail servers, remote admin servers, Web servers, FTP servers, you name it. The installation options can be overwhelming; and if you're new to all this, it's a safe bet that you've got a few things going that you're not even aware of.
The first thing I'd recommend is running a security scanner like SAINT or Nessus, which are typically packaged free with many distros, against localhost. This can reveal a number of things you never imagined you had available on your machine. Most distros also have some sort of GUI control interface which will make it reasonably easy to turn off what you don't need. With SuSE, the distro I prefer, this is called the 'runlevel editor', available via the YaST2 control center. It likely has the same or a similar name in the distro you're using. Alternatively you can have a look at /etc/init.d and peruse a list of what's being loaded (just make sure you know exactly what these scripts do before you start editing or deleting). Shutting off unnecessary services is the most basic first step in tightening up your machine, so take a good look at what you've got, and get rid of the extraneous nonsense. If you don't know what something is, Google on it and get hip.
Users are safer
One simple thing you can do to avoid remote compromises is to stay off the Net when you're in the root account. Running IM and IRC clients as root is positively self destructive. Ditto for opening mail attachments and HTML mail as root. By choosing Linux you've already made yourself a lot less likely to get infected by a worm or virus or a malicious script than a Windows user, so be sure to maximize that advantage. Do all your on-line business from a user account, and save the root account for off-line tweaking and tinkering.
Of course this discipline means little if your file permissions are sloppy. There are lots of commands you can issue from the shell which are relevant here, but since we're assuming a relative newbie, we'll try to avoid too much of that. For those interested in what's possible from the command line, I recommend the book "Linux in a Nutshell" (pun apparently intended) from O'Reilly Publishing. It's an excellent desk reference of shell commands. Of course, just by typing a command followed by --help you'll get the same information, but it is nice to have it all compiled in a handy hardcopy form.
There are a couple of ways you can set permissions with the GUI and save yourself a lot of repetitive typing. One is to use Krusader or Nautilus and simply right-click on a directory, and go to 'properties'. If you're root, you can make sure that user a can't access user b's files. But don't go wild here: there are numerous directories, config files, executables, etc., that users need access to for Linux to run properly. If you're at a loss to select which directories and files need strict permissions and which don't, then your distro probably has some sort of interface with a menu of pre-set rules which you can choose from and apply globally as root. This will usually be called something like 'security settings', and the options will usually be named something like 'easy, secure and paranoid'. 'Secure' is probably as far as you need to go. Chances are this will forbid root logins except via the command line, so it's best to get all your tinkering done beforehand in the root GUI account, where things are more familiar to recovering Windoze users. After that, you'll have to open a shell or supply the root password to the distro's 'control center' from your user account. This is definitely the right way to run a Linux machine so long as you're basically satisfied with how it's set up.
In many households, several people may have user accounts on the same box. Consider carefully whether these people are friends, or mere flatmates and acquaintances. If you're using a machine you don't own, then you have to ask yourself whether or not you trust the owner. If you don't trust root personally, then don't use his kit for anything you wouldn't document and publish freely. Root knows everything you do on his machine. Worse, and far more likely, he may be a well-meaning idiot who maintains a totally insecure machine connected 24/7 to the Net.
Conversely, if you are root and the box is shared, make sure you trust the people using it. Giving a user account to someone you're sketchy about is a security risk, much like leaving them in your office or bedroom unsupervised. They may know more than you about how to compromise a machine from within, which is a lot easier than compromising it from without.
The best thing to do with a shared machine is to encrypt files you want to keep private. So get familiar with GnuPG. Just remember that root has access to your private and public keys, and can run a keystroke logger on the box and get your crypto passphrase. So as I said, if you don't trust root, don't use his machine for anything private. Period. Is he a mere acquaintance? Is he a loyal little soldier of your employer? Then screw him. Crypto is useless in that situation. Ditto for all computer equipment you use at work, in public libraries, or Internet cafes.
On the other hand, if you're the machine's owner and you trust your users, or you're a user and you trust the owner, then you should encrypt, though you must be careful to choose a strong passphrase: a nice, long one combining upper and lower-case letters, numbers and special characters. Use a phrase that's easy to remember but extremely difficult to guess or bruteforce. I recommend using a short, grammatically-valid sentence that makes no sense, like 'sleazy bricks applaud sideways'. Now misspell some of the words and substitute characters in a way that's easy to remember, so it looks something like this: 'sl33Z1E bR1@k$ apPL4ud s!d3w^yz'. Note that we've substituted numbers and special characters that, at least vaguely, resemble the letters they're standing in for to make it easier to memorize.
You should also make a backup of your GPG keys and revocation certs, and store that on removable media in a safe place. It's also a good idea to submit your public key and, if ever necessary, your revocation cert, to a keyserver. If you don't know what I'm talking about, then follow that GnuPG link above and start reading. This is a good thing, and it's free. Use it.
Your account passwords, especially the root password, should be long and hard, and you should use MD5 encryption for them and set a time of ten or fifteen seconds between unsuccessul logins to prevent brute force and dictionary attacks (you'll find these options in the 'security settings' interface). Don't use a root password of fewer than ten characters, and always combine upper and lower-case letters, numbers and special characters.
But since there are a number of ways into any machine, the most important thing of all is your crypto passphrase. Put the time and effort into devising and memorizing one which, like our example, is very troublesome to crack. And make sure you have strict file permissions on the .gnupg directories. Only root and the specific relevant users should have access.
Every computer collects files the way a kitchen drawer collects junk. Over time, many of these become irrelevant, yet they may contain information one would like to keep private. A good rule of thumb is, never encrypt when you can wipe. The last thing you need is a directory full of useless, irrelevant files. This only makes it more time-consuming to manage sensibly the ones you do need. Go through your personal files regularly and use a proper wipe utility to erase the ones you no longer need. Understand that deleting is nothing; to get rid of a file you have to wipe it. Those files you wish to archive should be encrypted and copied to a separate directory or removable media, and their originals wiped. The easiest way to do a proper wipe is using Krusader or Nautilus and selecting 'shred' instead of 'delete'.
Another notorious junk collector is the Linux swap partition, a holdover from the days when RAM was expensive and difficult to buy in fat chunks. It's possible to encrypt it, but probably a bit over the top for a primer like this and certainly a performance damper. A simpler approach is to do away with it. I'm running a 2.4.18 kernel with 512MB of RAM and no swap partition, and I can't detect any performance hit. Indeed, if anything the system runs better than it did. If you can afford it, and nowadays it's easy, I recommend strapping on extra RAM and just not swapping memory to disk. You never know what's going to end up there, or how long it's going to remain. Crypto programs are supposed to protect memory blocks used and not swap them out. So what? Are you absolutely certain there's no way the designers the program you're using could have made some obscure mistake which in turn could leave traces of crucial data in the swap file?
I didn't think so.
The IP battle zone
Now you've purged your Linux box of unnecessary daemons, you've set your file permissions sensibly, you're working happily from a user account, and you've got encryption protecting your digital sanctum sanctorum. It's time to protect yourself from worms and rootkits and malicious sites and evil scripts and the on-line pestilence of kiddiots trying to break into your box and Web merchants who couldn't secure a bowling ball much less your personal data on their lame II$ machine and nosey Feds and incompetent ISPs and so-called 'Trust Authorities' who have idiotically sold digital certs to hackers.
Maybe you should buy a hardware firewall, or an Intrusion Detection System (IDS), or an e-mail virus scanner, or an anonymous proxy service?
Or maybe you should just use your head and stop worrying. Here's how:
There are two things you need to have, and two things you need to do. The first thing you need to have is a packet filter, otherwise known as a firewall. Well, you've got one: in the 2.2.x kernel it's called ipchains and in the 2.4.x kernel iptables. The frontends are called Bastille on Mandrake (which adjusts other security options as well) and SuSE Firewall-2 on, what else, SuSE. (Most everyone can use Bastille, by the way.) I don't play with Dead Rat, so you guys will have to figure out what yours is called. Now configure it and shut off everything unless you're running a server (and if you're a newbie you really shouldn't be doing that just yet).
The next thing you need to have is a proxy. Quite simply, a proxy is a remote machine through which you connect to the Net, which forwards your IP traffic, and which you then appear to be originating from. When you contact a Web site via an anonymous proxy, it's the proxy's IP which shows in their logs. There are huge lists of free public proxies you can use, but most will be dead by the time you find them. Just Google on 'free proxy list' and you'll find them easily, for what that's worth.
I like a Socks proxy when I can get one because they're non-caching and a lot of IP clients support them. But they're very hard to find and they never last long. Once they start getting popular the admins always figure out why their bandwidth use is going through the roof and pass-protect them. Bastards.
On the other hand, HTTP Proxies can be chained for additional Web anonymity. This is accomplished by constructing a URL thus and copying it into your browser's address field:
There are no spaces in the above configuration. This can be done in addition to any proxy you've loaded in your browser normally with its setup options.
Take a look at this older article, related to Windows, in which finding and using proxies is elaborated. The information is fairly general, and may well be of value to a Linux user.
Because public proxies are uncertain, this is one area where spending a bit of money may be worthwhile. Anonymizer.com has a proxy service which uses SSH tunneling, which, unlike most security services, is IMHO worth the investment.
Here's how it works: you use SSH (Secure Shell) to log in to Anonymizer's proxy server. This means that your ISP can't sniff your traffic to the proxy effectively because it will be encrypted. Once you're on the proxy, everything you send and receive from it will be anonymous. Only Anonymizer.com will be able to associate you with the data you've sent and fetched. That's not perfect, but it's not bad. They have a serious financial interest in protecting your anonymity. I would assume that they'd only respond to a court order signed by a judge. If they blow that, and it gets out, they'll be out of business in a haeartbeat.
Unfortunately, they have little in the way of Linux support available, but through trial and error I've managed to use this service successfully. You can forward ports to the Anonymizer proxy and use SSH tunneling for your HTTP, FTP, POP and SMTP clients.
The way to log in is by busting out a root shell, logging in as root, and typing [ssh -2 -L 80:cyberpass.net:80 -L 25:smtp.yourmail.com:25 -L 110:pop.yourmail.com:110 cyberpass.net -l yourpass] where yourpass is your pw on the Anonymizer proxy at cyberpass.net.
Now you need to set up your e-mail client and browser to use these forwarded ports. For the browser, in proxy settings, enter a proxy of localhost and a port of 80 for HTTP and FTP. In your FTP client, do the same. In your mail client, in 'network', enter localhost and port 25 for SMTP and localhost and port 110 for POP. Now you should be cool.
Ah, but as for your IRC client, pray. You can select an HTTP proxy, but it probably will fail. My favorite Linux IRC client is Xchat, but it returns the error, 'proxy traversal failed' when i use it in conjunction with the Anonymizer HTTP proxy. I e-mailed the x-chat guy email@example.com and/or firstname.lastname@example.org asking for insight, but he or she neglected to reply. Perhaps you should email them too and ask what's up.
On the other hand, ICQ seems to have no problem with this, if you're using Gaim, for example. IRC will fail, but ICQ will accept the proxy. That's a good thing -- not a perfect thing, but a good thing.
Once you've got this proxy set up and running with SSH and port forwarding, you can use your browser with the Anonymizer Web proxy and their anonymous e-mail for an extra layer of distance from the Net. I've been using the service for several days now, and I like it. That's all I'm saying. Whether you should too is not my call.
Nevertheless, I like it. I just don't trust it completely, and neither should you.
The second thing you need to do is shut off your modem when your box is not in active Internet service. There are reasons why you might want to leave the machine running 24/7, all right; but there's no reason to leave it connected to the Net when you go away on holiday. We satirized the PathLock Internet timer; but that doesn't mean there's no reason to disconnect from the WibblyWobbly when it's of no use to you. Make it a habit.
Paranoia without anxiety
It's healthy to be paranoid, but grossly unhealthy and quite unnecessary to be riddled with anxiety. By using common sense and layers of protection, you can make yourself an unattractive target. By being paranoid in a healthy way, I mean quite simply that you must never trust anything.
I definitely don't mean 'be afraid'. There's a whole anti-virus and computer-security indu$try devoted to frightening you with constant reference to imminent threats to your on-line privacy and integrity. It's very much in their financial interest that you be frightened at all times and that new threats surface regularly to revive that profitable public-anxiety as older threats fade into memory. Who gives a shit about Melissa? Phear nimda...
And all the while, the word these parasites throw around most often is 'trust'. I'll pay fifty dollars US (no shit) to the first Reg reader who forwards me an unedited press release from a security vendor in which the word 'trust' is absent. But here's the truth -- the kernel of the security industry's filthy little secret: the only reason you're vulnerable is because you trust.
So for God's sake stop doing it. Don't trust your firewall; don't trust your proxy; don't trust crypto; don't trust SSL or SSH; don't trust your software vendor; don't trust files you get from anywhere, including your friends and 'official' download sites; don't trust patches; don't trust your file-wipe utility. Hell, don't trust me. Trust only what you're absolutely certain of.
In the past month or two we've seen a back-doored version of SSH; we've seen that SSL, universally trusted for secure Web transactions, is vulnerable; we've seen a PGP plugin for Outlook that coughs up your passphrase, not due to a flaw in the algorithm or cryptosystem, but because the application is susceptible to a buffer overflow. We've also seen a man-in-the-middle attack against PGP and GPG. You've got three layers there, algorithm, cryptosystem and application, any one of which might be broken in any number of ways. Do you know how to spot a flaw in a complex piece of software like that?
I didn't think so.
And then of course there are key loggers, packet sniffers, Trojans, rootkits, and the 0-day remote exploits which only a handful of people know about and for which there are no patches, and for which there may never be any patches.
Stop the insanity
By all means use security utilities, but never trust them fully. Layer them, apply common sense, and always assume that no matter what you do, there will always be several ways to compromise your privacy and security. The whole game is to leave the smallest footprint possible on the Web, never to trust other people's equipment, and to make your box a pain in the neck to crack so that ninety-five per cent of attackers will simply move on to one of the millions of easier targets hooked up out there. But be assured that nothing will make a compromise impossible except keeping your computer in a locked, heavy-duty vault with no Internet access, which of course is no fun at all.
But to compute and to surf the Web without anxiety, there's an easy answer: simply refuse to trust your machine, any network whether local or remote, any security device or service, any crypto scheme, any Draconian laws against hacking, any ridiculous claims of 'Trustworthy Computing', any shiny digital certificate, any 'Trust Authority', any local client, or any remote host with any scrap of data you simply can't afford to lose control of.
Now you're paranoid in a healthy way, and blissfully free from anxiety. Your computer, his network server, their shopping cart -- these things aren't the digital equivalent of bank vaults. So don't listen to the marketing-department drivel about how 'secure' these things can be made. Never -- absolutely never -- treat these things as if they were the digital equivalent of bank vaults, and move on and enjoy your life. You'll find that the air smells fresher, that food tastes better, and that you wake every day with more energy and confidence than you've had in years.
If you're sensible and cautious, applying the common-sense suggestions we've just considered, the odds against getting compromised will be very much in your favor. But just remember that, regardless of the odds, it's mad to wager something you can't afford to lose. Your credit-card number is no big deal: your total liability is fifty bucks and you can get a new one in a week or so. Your credit card number, Social Security number, name, date of birth and address packaged all together is a far greater worry, so never give out more information than absolutely necessary to complete a transaction. Never allow merchant sites to store such information. If they insist on it, do business elsewhere. Don't let your browser save form-data, or passwords to important Web sites like your bank. Use a packet-filter and a proxy. Wipe your browser history, URL history, page cache and cookies regularly. If your browser doesn't make all of those steps easy for you, use a different one. You've got the power of the Penguin behind you; you've got alternatives. Shop around for a good browser. Personally, I like Mozilla. That doesn't mean you have to.
On a laptop, don't save any logins or passwords, not even to your ISP or POP or SMTP accounts. Enter them all manually. Don't bother with encryption; there's no need for it because you should assume that the box is going to be lost or stolen at some point. Never put anything on it which you can't afford to lose or permit someone else to see. Think of it as a Manila folder worth a couple of thousand dollars. That's about how secure it is, about how universally useful it is, and about how tempting it is to thieves; so for God's sake, don't treat it like a portable safe. It's nothing of the sort. Here again, the security indu$try is likely to do you far more harm than good if you trust in their laptop 'phone home' schemes and data scrambling technology. When the box finally grows legs, the company has got your money, and some repulsive little sneak-thief has got your machine.
Guess what that makes you?
That diary of your years as a junkie; that map to the 'rainy-day' cash you buried in the back yard; those early, fumbling moments of sexual exploration with your first cousin -- keep that sort of thing in your head, or on hard-copy in a bank's deposit safe, but never on any digital medium or device. Unless, of course, you wish to share it with the world.
Trust nothing, fear nothing.
Now tighten up that machine, get on-line, and relax and enjoy the ride. ®