How to stay secure on Linux?
Encrypt your whole drive, if possible
Full disk encryption is a built-in feature in most modern Linux distributions. It is the most important and basic data-at-rest protection: it prevents anyone from accessing the data on your system even if the machine was stolen and the attacker has unlimited time on their hands.
Short of that best practice, you may opt to encrypt only your home directory. This is not as effective as full encryption, because it can be circumvented by other kinds of attacks. The difference is that with full disk encryption the operating system does not load at all unless you enter the correct password at startup, whereas with home directory encryption the system boots normally and simply waits for the user's password to unlock the account.
Use a strong password and run commands that you trust
Using a strong password is a good and easy way to protect your user account, especially if you are not using full disk encryption. Always use a strong, sufficiently long password to avert remote attacks on your accounts and to stop an intruder tampering with your computer.
As a user, you might find yourself in a situation where you are not that familiar with the subject, a problem keeps occurring, and you end up following a guide you found on the Internet. Bear in mind that the Linux command prompt is powerful, especially with superuser rights. Before you copy and paste a command you read somewhere into the terminal, ask yourself whether you trust the source and whether you understand what the fix is meant to do.
Use a basic account for your daily activity
For everyday computing, log in with a basic or standard user account, that is, a non-root, non-privileged account. This is likely to be the default behavior when creating a new account, but it is worth double-checking your account's status. Some system-wide actions will require you to log in with the administrator account because of restricted permissions, and that is fine for the sake of security.
Also, check whether the account you are using has administrative privileges. If it does, be more careful while performing your daily activities. If you don't want to encounter catastrophes, think twice before entering any command that may affect your Linux system.
Update your system and check for rootkit regularly
On GNU/Linux, all software can be updated with a single updater. You may opt out of minor software updates, but you are encouraged to get at least all the security updates from your distribution's repository at least once a week. With this routine, the only remaining threat to count on is zero-days, to which most systems out there are vulnerable indiscriminately.
Your system must also be checked for rootkits regularly, and rootkit detectors like Chkrootkit are easy to use. Since rootkits have recently become a serious threat to all kinds of systems, regular rootkit checks are a must even on a GNU/Linux system. Chkrootkit is found in your distribution's software repositories and is easily installed. After that, you can run it from the command line in superuser mode. That will usually be enough to stay safe from rootkits.
Be careful while using remote access
It is good practice to use a more secure SSH server configuration on your system if you intend to access it remotely. Edit your SSH config file to remove the option of logging in remotely as root: the “PermitRootLogin no” line should be uncommented.
Also, change the SSH port to any number over 1000, preferably over 10000, as this will make many scanners miss your system on their default settings. Performing vulnerability analysis on your system will also help you see whether there is any gap that could be used for a remote access attack. If a scan finds a vulnerability, take the required mitigation actions immediately.
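As an added example (not part of the original article), the shell function below audits an sshd_config file for the two settings just described. It assumes a POSIX shell with awk and mktemp, and builds two constructed sample configs so it runs stand-alone; note that sshd keeps the first uncommented value of each keyword, so a still-commented “#PermitRootLogin no” has no effect.

```shell
#!/bin/sh
# Audit an sshd_config for: PermitRootLogin no, and a listening port above 1000.
# sshd uses the FIRST uncommented occurrence of a keyword, so that is what we read.
sshd_effective() {
    # $1 = config file, $2 = keyword (sshd matches keywords case-insensitively)
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ { next }          # skip comment lines
        tolower($1) == key { print $2; exit }
    ' "$1"
}

audit_sshd_config() {
    cfg="$1"; rc=0
    root_login=$(sshd_effective "$cfg" PermitRootLogin)
    port=$(sshd_effective "$cfg" Port)
    # A missing directive means sshd's compiled-in default applies (Port 22,
    # and PermitRootLogin prohibit-password on current OpenSSH), not "no".
    if [ "$root_login" != "no" ]; then
        echo "FAIL: PermitRootLogin is '${root_login:-<default>}', expected 'no'"; rc=1
    fi
    case "$port" in
        ''|22) echo "FAIL: Port is '${port:-22}' (the default); move it above 1000"; rc=1 ;;
        *) if [ "$port" -le 1000 ] 2>/dev/null; then
               echo "FAIL: Port $port is not above 1000"; rc=1
           fi ;;
    esac
    [ "$rc" -eq 0 ] && echo "OK: $cfg passes both checks"
    return "$rc"
}

# Constructed sample configs (not taken from any real system).
WEAK_CFG=$(mktemp); HARD_CFG=$(mktemp)
trap 'rm -f "$WEAK_CFG" "$HARD_CFG"' EXIT
# Weak: the PermitRootLogin line is still commented out and the port is the default.
cat >"$WEAK_CFG" <<'EOF'
#PermitRootLogin no
Port 22
PasswordAuthentication yes
EOF
# Hardened: the second PermitRootLogin line is ignored because the first one wins.
cat >"$HARD_CFG" <<'EOF'
Port 22022
PermitRootLogin no
PermitRootLogin yes
EOF
audit_sshd_config "$WEAK_CFG" || echo "weak config needs attention"
audit_sshd_config "$HARD_CFG"
```

Point the function at /etc/ssh/sshd_config to check a real host; it only reads the file and changes nothing.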
Check your installed applications
Keeping the number of installed applications to a minimum is one of the best ways to avoid vulnerabilities. You can review your installed applications manually, and your distribution may also offer tools that make this easier, such as BleachBit. With these you can easily remove unused or unnecessary software from your system.
As mentioned before, periodic vulnerability scans will help you discover potential application-based vulnerabilities. Simply remove unnecessary applications from your system instead of trying to maintain them or keep them up to date.
Use a firewall and close all unused ports
Linux has a powerful firewall built in, driven by iptables. But iptables is hard to manage for ordinary users, and even for some advanced ones, so there are simpler front ends such as UFW. UFW, the Uncomplicated Firewall, can easily shut all ports to the outside world on which you are not expecting connections.
This does not block your own outgoing requests, because by default the responses to your requests are allowed through. If you want remote access to your system, leave the SSH port open (which should already have been changed from the default 22!) but shut the rest down. You will be safer.
- If you are interested in detailed technical tips, you can read the step-by-step article on securing a Linux server on Imunify's blog: What are Steps to Secure a Linux Server?