Beginner Linux administrators and users should know that even though the operating system is generally regarded as secure, there are many pitfalls and details to consider. Linux ships with sound security defaults, but individual distributions may enable "user-friendly" features and programs that can expose a machine to risk.
This is why questions keep arising about the real state of a system's security. Our Q&A showcases some of the most common scenarios in which Linux security issues are resolved.
Top 15 Linux Security Questions Answered
1. How to Reset Your Password in Linux?
A password reset is needed when a user receives a computer without any known account credentials or has forgotten them. The easiest way is to boot into recovery mode; depending on the distribution, the boot menu may offer such an option. If Linux is the only operating system on the computer, hold down the Shift key during boot to bring up the GRUB menu.
On Debian and Ubuntu based distributions the recovery menu displays a list of options. Select the "root" option to obtain a shell as the administrator account. At this point the root filesystem is mounted read-only, so changing a password takes a few commands:
- Remount the filesystem read-write by typing mount -o rw,remount /
- Optional: typing ls /home lists the home directories, which normally correspond to the regular user accounts (the root account's home is /root).
- Change the password of a user by typing passwd username. Replace "username" with the account in question; passwd with no argument changes the root password.
Type exit to leave the shell and then choose the "resume" option to continue booting the operating system.
Linux Security Tip: anyone with physical access can do exactly the same, so protect the machine with a BIOS/UEFI password, a GRUB password that prevents editing boot entries, and full-disk encryption, which keeps the data unreadable even when the boot process is bypassed.
2. What Are the File Permissions and How to Change Them?
Changing permissions on a file can be tricky as there are several different types of permissions according to the group ownership. To determine the set permissions the command ls -n can be used. Every file lists its descriptions in a set format. An example file showcases the following:
-rw-r–r– 1 1000 1000 129024 Jul 28 10:21 metadata.db
The first section shows the “Type” value. In this case this is blank, meaning that the object is a plain file. Other cases include the following types and their abbreviations: d (directory), c (character device), l (symlink), p (named pipe), s (socket), b (block device), D (door) . The second line represents the user rights, the third group rights and the next “others” rights. There are three primary permissions: read (r), write (w) and execute (x).
Permissions can be changed with the chmod command by following the predefined model: chmod who=permissions filename.
For example we can give full user permissions to a file called “example”file by typing in:
chmod u=xwr example.file
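The following shell functions are an added example, not code from the original article. They convert the permission string shown by ls -l into the octal form chmod also accepts, show what a symbolic chmod spec really produces, and run the check a practitioner wants after reading about permissions: finding world-writable files, which are a classic privilege-escalation path. They assume GNU coreutils and findutils (stat -c, find -perm), as found on any Linux distribution.

```sh
#!/bin/sh
# Added example: working with permission strings and spotting dangerous
# modes. Assumes GNU stat and find (Linux).

# sym_to_octal "rwxr-x---" -> 750
# Converts the nine permission characters shown by ls -l into the octal
# form accepted by chmod. The setuid/setgid/sticky letters s and t count
# as execute here; the high-order bits themselves are ignored.
sym_to_octal() {
    perm=$1
    result=""
    for start in 1 4 7; do
        triple=$(printf '%s' "$perm" | cut -c"$start"-$((start + 2)))
        n=0
        case $triple in r??) n=$((n + 4)) ;; esac
        case $triple in ?w?) n=$((n + 2)) ;; esac
        case $triple in ??[xst]) n=$((n + 1)) ;; esac
        result="$result$n"
    done
    printf '%s\n' "$result"
}

# mode_after "u=rwx,g=r,o=" -> 740
# Applies a chmod spec (symbolic or octal) to a throw-away file and prints
# the resulting octal mode, so you can check what a spec really does.
mode_after() {
    tmp=$(mktemp) || return 1
    chmod "$1" "$tmp" || { rm -f "$tmp"; return 1; }
    stat -c '%a' "$tmp"
    rm -f "$tmp"
}

# find_world_writable DIR
# Lists files and directories under DIR that anyone may write to, skipping
# sticky directories such as /tmp. A world-writable script that root runs
# from cron is all an attacker needs to become root.
find_world_writable() {
    find "$1" -xdev \( -type f -o -type d \) -perm -0002 ! -perm -1000 -print
}

# Typical use on a real system (run as root to read everything):
#   find_world_writable /etc
#   find_world_writable /usr/local
```

The octal form is what most scripts and configuration management use: chmod 740 example.file is the same as chmod u=rwx,g=r,o= example.file.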
3. How to Terminate (Kill) Running Processes?
Linux administrators can kill a non-responsive or unwanted process with the kill command, which sends a signal to the process. The operating system defines many signals; three are the most widely used when dealing with processes:
- SIGHUP (1) ‒ Traditionally sent to daemons to make them reload their configuration files and reopen their log files. An ordinary program that does not handle it simply terminates.
- SIGKILL (9) ‒ Kills the process immediately. It cannot be caught or ignored, so the process gets no chance to save or clean up its data.
- SIGTERM (15) ‒ The default and safest way to end a process: it asks the program to shut down cleanly. A program may catch or ignore it, so it is not guaranteed to work.
Every running process has a process identification number (PID). To find the PID of a process by name use the pidof command (or pgrep, which also accepts patterns), for example pidof firefox.
To kill it, pass the PID that was printed to the kill command, for example kill <PID>:
By default this sends SIGTERM to the Firefox process. Note that only root can kill processes started by other users or by the system. The killall command (from the psmisc package) kills processes by name without a PID lookup; be careful, because on some other Unix systems, such as Solaris, a command of the same name kills every process. To send SIGTERM to all firefox processes type:
killall -15 firefox
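Because SIGTERM can be ignored and SIGKILL loses unsaved state, the usual practice is to try the polite signal first and escalate only if the process does not exit. The function below is an added example, not code from the original article; it assumes Linux, because it reads /proc to tell a live process from a zombie that has already exited but has not been reaped yet, which a plain kill -0 cannot do.

```sh
#!/bin/sh
# Added example: terminate a process the safe way, escalating from SIGTERM
# to SIGKILL only when the program does not exit on its own.
# Assumes Linux (/proc/PID/stat).

# is_alive PID: true while the process exists and is not a zombie.
is_alive() {
    [ -r "/proc/$1/stat" ] || return 1
    # The state field follows the ")" that closes the command name,
    # which may itself contain spaces.
    state=$(sed 's/^.*) //' "/proc/$1/stat" 2>/dev/null | cut -d' ' -f1)
    [ "$state" != Z ]
}

# graceful_kill PID [TIMEOUT]
# Sends SIGTERM, polls for up to TIMEOUT seconds (default 5), then sends
# SIGKILL. Prints TERM or KILL depending on which signal ended the process,
# or NONE (with a non-zero status) if PID was not running at all.
graceful_kill() {
    pid=$1
    timeout=${2:-5}
    is_alive "$pid" || { echo NONE; return 1; }
    kill -TERM "$pid" 2>/dev/null || true
    ticks=$((timeout * 10))
    while [ "$ticks" -gt 0 ]; do
        is_alive "$pid" || { echo TERM; return 0; }
        sleep 0.1
        ticks=$((ticks - 1))
    done
    # Still running: the program caught or ignored SIGTERM. Fall back to
    # the uncatchable signal; any unsaved state is lost at this point.
    kill -KILL "$pid" 2>/dev/null || true
    echo KILL
}

# Typical use, one call per PID because pidof may print several:
#   for p in $(pidof firefox); do graceful_kill "$p" 10; done
```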
4. How to Remote Login with SSH?
There are several ways of accessing a remote computer and a variety of protocols to do it, but the industry standard is SSH (Secure Shell). It uses public-key cryptography to authenticate the server and to set up an encrypted channel between the hosts; the user then authenticates with a password or, preferably, with a key pair. When configured correctly, and provided the server's host key fingerprint has been verified on the first connection, it protects the session against man-in-the-middle attacks and DNS spoofing. SSH also offers data compression, port forwarding and the forwarding of graphical applications via X11.
To connect to a remote host (192.168.100.1 for example) type the ssh command with the server as its single argument: ssh 192.168.100.1. To specify an explicit username (martin in this example) type: ssh martin@192.168.100.1. On the server side, once key-based logins work, disable password authentication and direct root logins in /etc/ssh/sshd_config; both are the first things an automated brute-force attack tries.
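The following shell functions are an added example, not code from the original article or from the OpenSSH project. They read an sshd_config the way sshd does (keywords are case-insensitive and the first occurrence of a keyword wins, which is the classic reason a "PasswordAuthentication no" added at the end of the file has no effect) and flag the settings a hardened server should not have. The sample configuration is constructed for the demo; lines inside a Match block are conditional and are deliberately not evaluated.

```sh
#!/bin/sh
# Added example: audit an sshd_config for weak settings.
# Assumes OpenSSH semantics: first occurrence of a keyword wins, keywords
# are case-insensitive, and a Match block starts a conditional section.

# sshd_value FILE KEYWORD: the value sshd would use for KEYWORD,
# or "default" if the file never sets it.
sshd_value() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ { next }                 # comment
        /^[[:space:]]*$/ { next }                 # blank line
        tolower($1) == "match" { exit }           # conditional block: stop
        tolower($1) == key { print $2; found = 1; exit }
        END { if (!found) print "default" }
    ' "$1"
}

# audit_sshd_config FILE: print one WARN line per weak setting.
# PermitRootLogin defaults to prohibit-password, which is acceptable; the
# PasswordAuthentication default is yes, so "default" is flagged too.
audit_sshd_config() {
    f=$1
    v=$(sshd_value "$f" PermitRootLogin)
    case $v in
        no|prohibit-password|without-password|default) ;;
        *) echo "WARN PermitRootLogin=$v (want no)" ;;
    esac
    v=$(sshd_value "$f" PasswordAuthentication)
    case $v in
        no) ;;
        *) echo "WARN PasswordAuthentication=$v (want no, use keys)" ;;
    esac
    v=$(sshd_value "$f" PubkeyAuthentication)
    case $v in
        yes|default) ;;
        *) echo "WARN PubkeyAuthentication=$v (want yes)" ;;
    esac
    v=$(sshd_value "$f" PermitEmptyPasswords)
    case $v in
        no|default) ;;
        *) echo "WARN PermitEmptyPasswords=$v (want no)" ;;
    esac
}

# write_sample_config FILE: constructed config with two common mistakes
# (root login allowed, and the "no" for passwords placed after a "yes").
write_sample_config() {
    cat > "$1" <<'EOF'
# constructed sample, not a real server's file
Port 22
PermitRootLogin yes
PasswordAuthentication yes
PasswordAuthentication no
PubkeyAuthentication yes
Match User backup
    PasswordAuthentication yes
EOF
}

# On a live server: audit_sshd_config /etc/ssh/sshd_config
```

On a running server, sshd -T prints the effective configuration including defaults and Match evaluation, which is the authoritative check; the functions here work on a file offline, for example in a configuration-management test. To give users something to verify on first connection, publish the output of ssh-keygen -lf /etc/ssh/ssh_host_ed25519_key.pub.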
5. How to Block Ports on Linux with IPtables?
Linux administrators can block access to applications and services by disallowing traffic to their ports. Port numbers are a fundamental networking concept: every hosted service listens on a specific port to offer its resources. One of the main ways of doing so is iptables, the user-space tool for the kernel's netfilter packet-filtering framework (recent distributions ship nftables instead, where the iptables command is usually a compatibility layer). Note that this requires root privileges.
An example command to block TCP port 80, which is typically used by web servers, is the following:
iptables -A INPUT -p tcp --dport 80 -j DROP
Two caveats. First, -A appends the rule to the end of the INPUT chain, so an earlier rule that accepts the traffic still wins; check the order with iptables -L INPUT -n --line-numbers. Second, rules added this way live only in kernel memory and are gone after a reboot. To keep them, dump them with iptables-save and load them at boot with whatever your distribution provides (the iptables-persistent package on Debian and Ubuntu, iptables-services on CentOS and Red Hat). Blocking a port is also only a stop-gap: if a service should not be reachable at all, stop and disable it as well.
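Dropping individual ports is a blocklist, and a blocklist misses the next service someone installs. The function below is an added example, not from the original article; it generates the opposite, a default-deny INPUT ruleset in iptables-restore format that allows only the TCP ports given as arguments, and prints it rather than applying it. The rule syntax assumed is that of iptables with the conntrack match, as shipped by Linux distributions; the path in the usage comment is the one iptables-persistent reads on Debian and Ubuntu.

```sh
#!/bin/sh
# Added example: generate a default-deny INPUT ruleset instead of dropping
# ports one at a time. Assumes iptables/iptables-restore; output is printed.

# gen_input_rules PORT...: print a complete *filter table ruleset that
# accepts only the listed TCP ports (plus loopback, replies and ICMP).
gen_input_rules() {
    echo '*filter'
    echo ':INPUT DROP [0:0]'          # default policy: deny what is not listed
    echo ':FORWARD DROP [0:0]'
    echo ':OUTPUT ACCEPT [0:0]'
    echo '-A INPUT -i lo -j ACCEPT'                                        # loopback
    echo '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'  # replies
    echo '-A INPUT -m conntrack --ctstate INVALID -j DROP'
    echo '-A INPUT -p icmp -j ACCEPT'                                      # ping, PMTU
    for port in "$@"; do
        case $port in
            ''|*[!0-9]*) echo "gen_input_rules: bad port '$port'" >&2; return 1 ;;
        esac
        echo "-A INPUT -p tcp --dport $port -m conntrack --ctstate NEW -j ACCEPT"
    done
    # Log a sample of what gets dropped so that port scans show up in the
    # kernel log; the default policy then drops the packet.
    echo '-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables-drop: "'
    echo 'COMMIT'
}

# allowed_ports RULESET: the TCP ports a generated ruleset opens, one per line.
allowed_ports() {
    printf '%s\n' "$1" | sed -n 's/.*-p tcp --dport \([0-9]*\) .*-j ACCEPT$/\1/p'
}

# Apply on a real host as root, keeping the SSH port you are connected on,
# and make it persistent (iptables-persistent reads this path at boot):
#   gen_input_rules 22 443 > /etc/iptables/rules.v4
#   iptables-restore < /etc/iptables/rules.v4
```

Always include the port of your current SSH session in the list, and test new rules from a console or with a second session open; a default-deny policy applied without port 22 locks you out.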
6. How To Check The Running Network Services?
One of the important security principles is to allow only the minimum number of services needed for the task at hand. Minimizing the services that listen on the network directly reduces the attack surface. The netstat command (from the net-tools package, now deprecated in favour of ss from iproute2) lists the listening sockets and the programs behind them; run it as root so that the process name is shown for every socket. Pay particular attention to the local address column: a service bound to 0.0.0.0 or :: accepts connections from every interface, whereas one bound to 127.0.0.1 is reachable only from the machine itself.
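The filter below is an added example, not from the original article. It takes the output of ss -lntu (the iproute2 equivalent of netstat -lntu) and prints only the sockets that listen on all interfaces, which are the ones exposed to the network. The column layout assumed is that of ss on current Linux distributions, and the sample output is constructed.

```sh
#!/bin/sh
# Added example: find network-exposed listeners in ss -lntu output.
# Assumes the ss column layout (Netid State Recv-Q Send-Q Local:Port ...).

# exposed_listeners: read ss -lntu output on stdin and print "PROTO PORT"
# for every socket bound to all interfaces (0.0.0.0, *, :: or [::]).
# Sockets bound to loopback addresses are ignored.
exposed_listeners() {
    awk 'NR > 1 {
        proto = $1; local = $5
        # The port is everything after the last ":", the address the rest.
        n = split(local, parts, ":")
        port = parts[n]
        addr = substr(local, 1, length(local) - length(port) - 1)
        if (addr == "0.0.0.0" || addr == "*" || addr == "::" || addr == "[::]")
            print proto, port
    }' | sort -u
}

# sample_ss_output: constructed ss -lntu output for the demo.
sample_ss_output() {
    cat <<'EOF'
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
udp   UNCONN 0      0      127.0.0.53%lo:53  0.0.0.0:*
udp   UNCONN 0      0      0.0.0.0:111       0.0.0.0:*
tcp   LISTEN 0      128    0.0.0.0:22        0.0.0.0:*
tcp   LISTEN 0      128    127.0.0.1:3306    0.0.0.0:*
tcp   LISTEN 0      511    *:80              *:*
tcp   LISTEN 0      128    [::]:22           [::]:*
EOF
}

# On a live system, as root so that -p can show the owning process:
#   ss -lntup | exposed_listeners
```

In the constructed sample the database on 3306 and the stub resolver on 53 are correctly bound to loopback, while SSH, HTTP and the portmapper on UDP 111 are reachable from the network; the last one is rarely needed and should be stopped or firewalled.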
7. What Are the Different Security Extensions Available for Linux?
Linux allows several security modules that extend the kernel with stricter control over processes and data. This is done through the Linux Security Modules (LSM) framework, a set of hooks in the kernel against which several implementations can be built. The modules accepted into the mainline kernel include the following:
- SELinux ‒ Probably the most famous and most widely used security module. SELinux stands for "Security-Enhanced Linux"; it was originally developed by the US National Security Agency and is designed to meet the requirements of the United States Department of Defense. It enforces mandatory access control (MAC) and consists of a kernel part plus user-space tools. One of its core concepts is the separation of policy enforcement from the policy itself, which keeps the amount of software that must be trusted to make security decisions small.
- AppArmor ‒ One of the best-known security modules for Linux. AppArmor is short for "Application Armor", and it lets administrators confine installed applications with per-program profiles. A profile grants permissions such as network access, raw socket access and read/write/execute rights on files matching given paths. AppArmor also has a learning (complain) mode in which violations are logged but not prevented; from the gathered information a full profile can be built around the program's normal behaviour.
- Smack ‒ The full name is "Simplified Mandatory Access Control Kernel" and it protects data and processes from unauthorized manipulation with mandatory access control (MAC) rules that are designed to be simple to implement. Smack consists of three components: a kernel module, a startup script and a set of patches to the GNU Core Utilities that make them aware of the extended file attributes it uses as labels.
- TOMOYO Linux ‒ A mandatory access control (MAC) implementation that adds further protection to Linux systems. The first version was released in March 2003 and the project was sponsored by NTT Data Corporation until March 2012. Its main features include system-wide analysis, MAC enforcement, tools that help generate policy, a simple syntax, few dependencies and an easy-to-use configuration file. Existing binaries do not need to be modified. When TOMOYO Linux is activated it records the resources used and the behaviour of every running process, which serves both as the basis for policy and as a way to detect and counter incidents.
- Yama ‒ A small LSM that collects system-wide discretionary access control (DAC) protections not handled by the core kernel. Its best-known feature is restricting which processes may attach to others with ptrace, controlled by the kernel.yama.ptrace_scope sysctl; it is enabled by default on many distributions and is a common hardening setting, since an unrestricted ptrace lets any process of the same user read another's memory, including passwords and keys.
The modules are installed and configured in different ways depending on which one is chosen. Distribution-specific instructions are usually available on the respective module's official web page. Note that only one of the major MAC modules (SELinux, AppArmor, Smack or TOMOYO) can be active at a time, while small modules such as Yama stack on top of it.
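The script below is an added example, not from the original article. It reports which security modules the running kernel has enabled and in what mode, reading the interfaces the kernel and the modules expose: /sys/kernel/security/lsm (the kernel's own list, on securityfs), /sys/fs/selinux/enforce, the AppArmor profile list and the Yama sysctl. Each is reported as absent when the kernel or distribution does not provide it, so it runs anywhere.

```sh
#!/bin/sh
# Added example: report the enabled LSMs and their modes on this machine.
# Assumes the Linux interfaces named in the comments; absent ones are
# reported as such instead of failing.

# has_lsm LIST NAME: true if NAME is one of the comma-separated LSM names
# in LIST (whole-token match, so "capability" does not match "cap").
has_lsm() {
    printf '%s\n' "$1" | tr ',' '\n' | grep -qx "$2"
}

# active_lsms: the kernel's list of enabled modules, in hook order.
active_lsms() {
    cat /sys/kernel/security/lsm 2>/dev/null || echo absent
}

# ptrace_scope_meaning N: what the Yama setting permits.
ptrace_scope_meaning() {
    case $1 in
        0) echo "(classic: any process may trace a same-UID process)" ;;
        1) echo "(restricted: only descendants, or via PR_SET_PTRACER)" ;;
        2) echo "(admin-only: CAP_SYS_PTRACE required)" ;;
        3) echo "(no attaching at all; cannot be lowered without a reboot)" ;;
        *) echo "(Yama not available)" ;;
    esac
}

# lsm_report: human-readable summary for the local machine.
lsm_report() {
    lsms=$(active_lsms)
    echo "enabled LSMs: $lsms"
    if has_lsm "$lsms" selinux; then
        mode=$(cat /sys/fs/selinux/enforce 2>/dev/null || echo absent)
        case $mode in
            1) echo "SELinux: enforcing" ;;
            0) echo "SELinux: permissive (violations only logged)" ;;
            *) echo "SELinux: $mode" ;;
        esac
    fi
    if has_lsm "$lsms" apparmor; then
        n=$(grep -c '(enforce)' /sys/kernel/security/apparmor/profiles 2>/dev/null || true)
        echo "AppArmor: ${n:-0} profiles in enforce mode"
    fi
    scope=$(cat /proc/sys/kernel/yama/ptrace_scope 2>/dev/null || echo absent)
    echo "Yama ptrace_scope: $scope $(ptrace_scope_meaning "$scope")"
}

# Usage: lsm_report
```

If the report shows a major MAC module enabled but in permissive or complain mode, the policy is not actually protecting anything yet; that is the normal state right after installation and the point at which profiles or policy should be tuned and then switched to enforcing.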
8. How to Setup Password Aging?
System administrators can enforce password aging with the chage command, which sets the number of days between mandatory password changes for an individual account. The system-wide defaults are kept in the /etc/login.defs file. By editing that file the following parameters can be set:
- PASS_MAX_DAYS ‒ Maximum number of days a password may be used.
- PASS_MIN_DAYS ‒ Minimum number of days allowed between password changes.
- PASS_WARN_AGE ‒ Number of days warning given before a password expires.
Important: the values in /etc/login.defs apply only to accounts created after the change. For existing accounts use chage, which updates the aging fields in /etc/shadow directly without any hand-editing of system files; chage -l username shows the current settings of an account. Aging only helps when combined with a strength policy (via PAM), otherwise users rotate through trivial variations.
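The functions below are an added example, not from the original article. They read the aging policy out of a login.defs-style file, warn about values that defeat the purpose, and build the chage command that applies the same policy to an account that already exists. The defaults used for missing keys are those of shadow-utils (PASS_MAX_DAYS 99999, PASS_MIN_DAYS 0, PASS_WARN_AGE 7), and the sample file is constructed.

```sh
#!/bin/sh
# Added example: turn a login.defs aging policy into checks and a chage
# command for existing accounts. Assumes shadow-utils defaults.

# defs_value FILE KEY [DEFAULT]: value of KEY in a login.defs-style file
# (last occurrence wins, as with login.defs itself).
defs_value() {
    v=$(awk -v key="$2" '$1 == key { print $2 }' "$1" | tail -n 1)
    printf '%s\n' "${v:-$3}"
}

# aging_policy FILE: the effective policy as "MAX MIN WARN".
aging_policy() {
    max=$(defs_value "$1" PASS_MAX_DAYS 99999)
    min=$(defs_value "$1" PASS_MIN_DAYS 0)
    warn=$(defs_value "$1" PASS_WARN_AGE 7)
    echo "$max $min $warn"
}

# check_aging_policy FILE: one WARN line per value that defeats aging.
check_aging_policy() {
    set -- $(aging_policy "$1")
    [ "$1" -ge 99999 ] && echo "WARN PASS_MAX_DAYS=$1: passwords never expire"
    [ "$2" -eq 0 ] && echo "WARN PASS_MIN_DAYS=0: a user can change back to the old password immediately"
    [ "$3" -lt 7 ] && echo "WARN PASS_WARN_AGE=$3: less than a week of warning"
    return 0
}

# chage_command FILE USER: the chage invocation that applies FILE's policy
# to an existing USER (run the printed command as root).
chage_command() {
    set -- $(aging_policy "$1") "$2"
    echo "chage -M $1 -m $2 -W $3 $4"
}

# write_sample_defs FILE: constructed login.defs excerpt with weak defaults.
write_sample_defs() {
    cat > "$1" <<'EOF'
# constructed sample
PASS_MAX_DAYS   99999
PASS_MIN_DAYS   0
PASS_WARN_AGE   14
EOF
}

# Typical use on a real host, after fixing the policy in the file:
#   check_aging_policy /etc/login.defs
#   chage_command /etc/login.defs martin    # then run the printed command
```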
9. How to Use a Centralized Authentication Service?
A centralized authentication service lets users access network services after presenting credentials that are stored in one central database rather than on every machine. Depending on the configuration it may be a username and password or another type of credential. Proper Linux security in a network of hosts calls for such a solution, because accounts are then created, locked and removed in a single place. To use one, an adequate service has to be chosen. Popular implementations include Active Directory, Apache Directory Server, Red Hat Directory Server (389 Directory Server) and others. There are major differences between them; the choice and configuration reflect the experience and requirements of the company network.
All of them speak a common protocol, LDAP (Lightweight Directory Access Protocol), which is derived from the X.500 directory-information services; Active Directory additionally relies on Kerberos for authentication. Whichever server is chosen, the Linux clients must be configured to use TLS (LDAPS or StartTLS) so that credentials never cross the network in clear text, and should cache credentials (for example with SSSD) so that logins keep working when the directory is unreachable.
10. What Are the Linux System Logs?
Depending on the distribution and installation options, the logging daemon may record only essential data or detailed information about all important system events. The paths below are those used by Debian and Ubuntu; Red Hat based systems put most of the same information into /var/log/messages and /var/log/secure, and systems running systemd additionally keep a binary journal that is read with journalctl. There are several different kinds of logs:
- System Logs ‒ Information about the functioning of the operating system itself, including system daemons, general messages and other critical components (/var/log/syslog on Debian and Ubuntu).
- Authorization Log ‒ Tracks the use of the authorization systems: the Pluggable Authentication Modules (PAM) framework, the sudo command, remote login attempts to the sshd service and others. It can be read in /var/log/auth.log and is the first place to look for brute-force login attempts.
- Daemon Log ‒ System services (daemons) run in the background and usually require no human intervention; they log to /var/log/daemon.log. It contains detailed information about the running services and application daemons.
- Debug Log ‒ /var/log/debug receives debug-level messages.
- Kernel Log ‒ The Linux kernel logs its own messages in /var/log/kern.log (also readable with dmesg). They are useful when troubleshooting hardware or driver problems, and they also carry security-relevant events such as firewall LOG rules and out-of-memory kills.
- Application Logs ‒ Many applications and services create their own log files in /var/log. Examples include the HTTP web server, the CUPS print service, the Samba SMB server and others.
- Miscellaneous Logs ‒ Other services and applications create log files as well. Some are binary rather than human-readable text, such as the login records in /var/log/wtmp, /var/log/btmp and /var/log/lastlog, which are read with the last, lastb and lastlog commands.
Most distributions use a syslog daemon as the main logging service. The classic syslogd is configured in /etc/syslog.conf; the rsyslog used by most current distributions reads /etc/rsyslog.conf and /etc/rsyslog.d/. Administrators should also install a log rotation application; the most widely used one is logrotate, which compresses logs, removes them after a set number of rotations or mails them to a specific account. Its configuration is in /etc/logrotate.conf and /etc/logrotate.d/. Because an intruder's first move is often to clean the local logs, forward them to a separate log server as well.
An easier approach to reading the logs is to use utilities such as logwatch or logcheck, which produce summaries and reports of unusual events. Event monitoring is an essential Linux security task that can be automated with such applications.
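The following is an added example, not from the original article: the check behind tools such as logwatch and fail2ban, applied to an auth.log. It counts failed SSH logins per source address and reports the addresses above a threshold. The message formats assumed are the ones OpenSSH writes for password failures and unknown users, and the log lines are constructed. An attempt with a non-existent username produces both an "Invalid user" and a "Failed password for invalid user" line, so such attempts count twice; set the threshold with that in mind.

```sh
#!/bin/sh
# Added example: failed SSH logins per source address from auth.log lines.
# Assumes OpenSSH's "Failed password for ..." and "Invalid user ..." formats.

# failed_ssh_logins [FILE...]: print "COUNT IP" lines, busiest first.
# Reads standard input when no file is given, so journalctl output works too.
failed_ssh_logins() {
    grep -h 'sshd\[[0-9]*\]:' "$@" |
        grep -E 'Failed password for|Invalid user' |
        sed -n 's/.* from \([0-9a-fA-F.:]*\).*/\1/p' |
        sort | uniq -c | sort -rn |
        awk '{ print $1, $2 }'
}

# brute_force_sources THRESHOLD [FILE...]: only the addresses with at least
# THRESHOLD failures, the ones worth blocking or reporting.
brute_force_sources() {
    t=$1; shift
    failed_ssh_logins "$@" | awk -v t="$t" '$1 >= t { print $2 }'
}

# write_sample_authlog FILE: constructed lines in the Debian/Ubuntu
# auth.log format: one attacker, one typo by a legitimate user, one
# unrelated cron line that must be ignored.
write_sample_authlog() {
    cat > "$1" <<'EOF'
Jul 28 10:21:01 web1 sshd[2210]: Failed password for root from 203.0.113.7 port 50222 ssh2
Jul 28 10:21:03 web1 sshd[2212]: Failed password for root from 203.0.113.7 port 50224 ssh2
Jul 28 10:21:05 web1 sshd[2214]: Invalid user admin from 203.0.113.7 port 50226
Jul 28 10:21:06 web1 sshd[2214]: Failed password for invalid user admin from 203.0.113.7 port 50226 ssh2
Jul 28 10:25:41 web1 sshd[2301]: Failed password for martin from 192.0.2.10 port 41000 ssh2
Jul 28 10:25:50 web1 sshd[2301]: Accepted publickey for martin from 192.0.2.10 port 41000 ssh2
Jul 28 10:26:00 web1 CRON[2310]: pam_unix(cron:session): session opened for user root by (uid=0)
EOF
}

# On a live system (as root):
#   brute_force_sources 10 /var/log/auth.log
#   journalctl -u ssh --no-pager | brute_force_sources 10
```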
11. How to Set up Automatic Updates on Linux?
It is wise to set up automatic security updates on every server and workstation. Once done, no user or administrator intervention is required to install the most important updates. The procedure depends on the distribution's package management system.
CentOS users, and others who use the YUM package manager, can install yum-cron, which automates the operation. It is not part of the default installation, so the administrator needs to install it first:
yum install -y yum-cron
Then edit the configuration file with a text editor (gedit in this example):
env EDITOR='gedit -w' sudoedit /etc/yum/yum-cron.conf
Enter your password at the prompt, change the apply_updates = no field to apply_updates = yes and save the file. Setting update_cmd = security in the same file limits the job to security updates. Finally enable and start the service with systemctl enable --now yum-cron, otherwise the configuration is never used.
Fedora uses dnf-automatic, which runs the package manager according to several predefined modes of operation. Install it with the dnf command:
dnf install dnf-automatic
The root user can then modify the configuration file:
env EDITOR='gedit -w' sudoedit /etc/dnf/automatic.conf
There are three important fields to set, plus apply_updates, which has to be changed from no to yes or the updates are only downloaded and never installed:
- upgrade_type ‒ Controls which updates are applied automatically. Choose security (only security-related ones) or default (all).
- download_updates ‒ Whether updates should be downloaded to the local package cache.
- emit_via ‒ How the results are reported. The default (stdio) ends up in the systemd journal when the job runs from the timer; the administrator can switch to email or a custom command.
Once all settings are complete, enable the timer that runs the job on a schedule:
systemctl enable dnf-automatic.timer && systemctl start dnf-automatic.timer
Debian and Ubuntu systems use the unattended-upgrades package. Install it with sudo apt install unattended-upgrades on Ubuntu, or with apt-get install unattended-upgrades as root on Debian.
The main configuration file /etc/apt/apt.conf.d/50unattended-upgrades can be edited with a text editor of choice, either through sudo or as root:
(sudo) gedit /etc/apt/apt.conf.d/50unattended-upgrades
To enable security updates, make sure the Unattended-Upgrade::Allowed-Origins list in that file contains the distribution's security origin; the entry is present in the package's default file, so usually nothing needs to be changed there.
To enable the periodic run, edit /etc/apt/apt.conf.d/20auto-upgrades:
(sudo) gedit /etc/apt/apt.conf.d/20auto-upgrades
and set both APT::Periodic::Update-Package-Lists and APT::Periodic::Unattended-Upgrade to "1" (dpkg-reconfigure -plow unattended-upgrades writes this file for you).
The results are logged under /var/log/unattended-upgrades/ (unattended-upgrades.log). Linux security treats software updates very seriously because new versions usually fix known vulnerabilities, and applying the patches promptly closes the holes an intruder would try first. Keep in mind that kernel and C library updates take effect only after a reboot, so either schedule reboots or enable the Unattended-Upgrade::Automatic-Reboot option.
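The functions below are an added example, not from the original article or the unattended-upgrades project. They write the two APT configuration files that switch on unattended upgrades on Debian and Ubuntu and read them back to confirm the switches are set. They assume the apt.conf.d layout, in which files are read in lexical order and later ones override earlier ones; for that reason local policy goes into a separate override file instead of editing the package's own 50unattended-upgrades, which a package upgrade would otherwise ask about. DIR defaults to /etc/apt/apt.conf.d; pass a scratch directory to try it out.

```sh
#!/bin/sh
# Added example: enable unattended upgrades via apt.conf.d and verify.
# Assumes apt.conf.d semantics (lexical order, later files override).

# enable_unattended_upgrades [DIR]
enable_unattended_upgrades() {
    dir=${1:-/etc/apt/apt.conf.d}
    # Periodic run: refresh package lists and run unattended-upgrade daily.
    cat > "$dir/20auto-upgrades" <<'EOF'
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Unattended-Upgrade "1";
EOF
    # Local policy on top of the package defaults: keep the package's own
    # Allowed-Origins (which already include the security origin), remove
    # old kernels, and reboot at night when an update requires it.
    cat > "$dir/52local-unattended-upgrades" <<'EOF'
Unattended-Upgrade::Remove-Unused-Kernel-Packages "true";
Unattended-Upgrade::Automatic-Reboot "true";
Unattended-Upgrade::Automatic-Reboot-Time "03:30";
EOF
}

# apt_option DIR NAME: the value of NAME across DIR's files (last file wins).
apt_option() {
    grep -h "^$2 " "$1"/* 2>/dev/null | tail -n 1 | sed 's/.*"\(.*\)";/\1/'
}

# unattended_upgrades_enabled DIR: true when both periodic switches are "1".
unattended_upgrades_enabled() {
    [ "$(apt_option "$1" APT::Periodic::Update-Package-Lists)" = 1 ] &&
    [ "$(apt_option "$1" APT::Periodic::Unattended-Upgrade)" = 1 ]
}

# After applying on a real host, preview what would be installed:
#   unattended-upgrade --dry-run --debug
```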
12. How to Add a Limited User Account?
Day-to-day work and access to a computer's services should be done from a dedicated, unprivileged user account rather than as root. Many services and programs can likewise run under limited accounts of their own, so that a compromise of one does not hand over the whole machine. Good Linux security rests on well-managed accounts. The commands differ slightly between distributions.
On Red Hat based systems (CentOS, Fedora and others) use the useradd command as follows:
useradd example_user && passwd example_user
Replace example_user with the desired username and choose a strong password at the passwd prompt.
If the account should be able to use sudo to gain administrative privileges or switch to the root user, add it to the wheel group:
usermod -aG wheel example_user
Debian and Ubuntu based distributions can use adduser, which interactively asks for the password and account details:
adduser example_user
If the user should be able to use sudo, add the account to the relevant group:
adduser example_user sudo
NOTE: By default the Debian distribution does not install sudo; it has to be installed and set up manually. Accounts for services, as opposed to people, should get no password and a non-login shell so that nobody can log in as them.
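An account audit is the natural follow-up to creating limited accounts. The functions below are an added example, not from the original article; they run over the /etc/passwd, /etc/shadow and /etc/group formats and flag what undermines the "limited" idea: a second UID-0 account (a classic backdoor), an account with an empty password field (login with no password at all), system accounts that still have an interactive shell, and the full list of who can sudo. The sample files are constructed; on a real host pass the files under /etc (reading /etc/shadow needs root).

```sh
#!/bin/sh
# Added example: audit passwd/shadow/group for accounts that are more
# privileged than intended. Assumes the standard colon-separated formats.

# extra_root_accounts PASSWD_FILE: any account other than root with UID 0.
extra_root_accounts() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# empty_password_accounts SHADOW_FILE: accounts whose password field is
# empty, meaning login without any password ("!" and "*" are locked).
empty_password_accounts() {
    awk -F: '$2 == "" { print $1 }' "$1"
}

# shell_enabled_system_accounts PASSWD_FILE: system accounts (UID below
# 1000, not root) that still have an interactive shell.
shell_enabled_system_accounts() {
    awk -F: '$3 > 0 && $3 < 1000 && $7 !~ /(nologin|false)$/ { print $1 }' "$1"
}

# admin_group_members GROUP_FILE: users in the sudo or wheel group.
admin_group_members() {
    awk -F: '($1 == "sudo" || $1 == "wheel") && $4 != "" { print $4 }' "$1" |
        tr ',' '\n' | sort -u
}

# write_sample_account_files DIR: constructed passwd, shadow and group
# files; the hashes are placeholders, not real password hashes.
write_sample_account_files() {
    cat > "$1/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/bin/sh
toor:x:0:0:second root:/root:/bin/bash
martin:x:1000:1000:Martin:/home/martin:/bin/bash
EOF
    cat > "$1/shadow" <<'EOF'
root:$6$placeholder$hash:19000:0:99999:7:::
martin:$6$placeholder$hash:19000:0:99999:7:::
guest::19000:0:99999:7:::
www-data:*:19000:0:99999:7:::
EOF
    cat > "$1/group" <<'EOF'
root:x:0:
wheel:x:10:
sudo:x:27:martin,backup
EOF
}

# On a real host (as root):
#   extra_root_accounts /etc/passwd; empty_password_accounts /etc/shadow
#   shell_enabled_system_accounts /etc/passwd; admin_group_members /etc/group
```

In the constructed data the audit finds toor as a second root, guest with no password, the backup service account with a real shell, and that the backup account is also a sudoer: exactly the combination a limited-account policy is meant to prevent.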
13. How to Encrypt Files with GPG?
Users can use GnuPG (GNU Privacy Guard) to secure files with hybrid encryption: the file is encrypted with a random symmetric session key, which is in turn encrypted with the recipient's public key. GPG (short for GnuPG) is the most widely used implementation of the OpenPGP standard and is integrated into email clients, browser extensions, instant messaging apps and more. It is widely regarded as an important component of every Linux security set-up plan. To begin, generate your own public/private key pair.
Run gpg --gen-key and follow the prompts. Once this is complete the --encrypt and --decrypt options can be used on the desired files. Encryption needs a recipient (-r) whose public key is in your keyring; if -r is omitted, gpg asks for one interactively. To encrypt a file to yourself, give your own user ID:
gpg -r <your-user-id> --encrypt example.file
This creates a new file with the .gpg extension (example.file.gpg). To decrypt it use the --decrypt option, which writes the plaintext to standard output unless --output names a file:
gpg --decrypt example.file.gpg
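The function below is an added example, not from the original article, showing the complete round trip in a throw-away keyring so that nothing touches your real ~/.gnupg. It assumes gpg 2.x (the --quick-generate-key and --pinentry-mode options); the user ID and file contents are made up, and the demo key is deliberately unprotected, which a real key must never be. The function prints ok on success and skipped if gpg is not installed.

```sh
#!/bin/sh
# Added example: GnuPG encrypt/decrypt round trip in a temporary keyring.
# Assumes gpg 2.x. Prints "ok", "mismatch", or "skipped" (no gpg found).

gpg_roundtrip() {
    command -v gpg >/dev/null 2>&1 || { echo skipped; return 0; }
    # Private keyring directory so the demo never touches ~/.gnupg.
    export GNUPGHOME
    GNUPGHOME=$(mktemp -d) || return 1
    chmod 700 "$GNUPGHOME"
    uid="Example User <example@example.invalid>"
    # Passphrase-less key for the demo only; real keys need a passphrase.
    gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-generate-key "$uid" default default never 2>/dev/null || {
        echo "key generation failed"; return 1; }
    printf 'constructed secret content\n' > "$GNUPGHOME/example.file"
    # Encrypt to the recipient's public key. --trust-model always skips the
    # web-of-trust prompt, acceptable here because we made the key ourselves.
    gpg --batch --quiet --trust-model always -r "$uid" \
        --encrypt "$GNUPGHOME/example.file" || return 1
    # Decrypt with --output so the plaintext goes to a file, not the screen.
    gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --output "$GNUPGHOME/example.out" \
        --decrypt "$GNUPGHOME/example.file.gpg" || return 1
    if cmp -s "$GNUPGHOME/example.file" "$GNUPGHOME/example.out"; then
        result=ok
    else
        result=mismatch
    fi
    gpgconf --kill gpg-agent 2>/dev/null || true
    rm -rf "$GNUPGHOME"
    unset GNUPGHOME
    echo "$result"
}

# Usage: gpg_roundtrip
```

Two things the round trip makes visible: encryption needs only the recipient's public key, so anyone can encrypt to you, while decryption needs the private key (and its passphrase), so the private key and any backups of it are what must be protected. Add --sign when encrypting if the recipient needs proof of who produced the file; encryption alone does not provide that.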
14. How to Check for Rootkit Infections?
Rootkits are an advanced type of malware that hides its presence by subverting the operating system itself, so some samples are not detected by general-purpose anti-virus scanners; dedicated rootkit detectors are used instead. For Linux one of the most popular is rkhunter, which can be installed from the software repository following your distribution's package management instructions.
Ubuntu and Debian users can use the (sudo) apt-get install rkhunter command, while Red Hat based distributions can use either yum or dnf (the package comes from the EPEL repository).
Once installed it should be run as root so that it can read every file. Before the first check, update its data files and record a baseline of file properties (the --update and --propupd options). The baseline is only meaningful if it is taken on a system known to be clean, ideally right after installation.
From there, rkhunter --check triggers the analysis of the local system. Rerun it regularly (the package normally installs a daily cron job) and refresh the --propupd baseline after legitimate package updates, otherwise the changed binaries are reported as warnings and real changes drown in the noise. Proper Linux security rests on regular checks for all kinds of intrusions.
15. How to Install the ClamAV Anti-Virus and Use It?
ClamAV first has to be installed on the target computer. On Debian and Ubuntu systems this is done with the (sudo) apt-get install clamav command. On other systems use the equivalent package manager (usually yum or dnf). ClamAV can also run as a background service (clamd), which keeps the signatures loaded in memory; the exact commands depend on your distribution and init system.
CentOS users need to enable the Extra Packages for Enterprise Linux (EPEL) repository before installing the application:
yum install -y epel-release
yum install -y clamav
Fedora users install the scanner together with the signature-update package using dnf:
dnf install -y clamav clamav-update
Before the first scan, update the signature database with freshclam (the clamav-freshclam service does this periodically on Debian and Ubuntu); without it the scanner has nothing to detect with. To scan all files recursively in the background, skipping the virtual filesystems, logging the result and displaying only infected files, type:
clamsc
an -r -i --exclude-dir='^/(proc|sys|dev|run)' -l /var/log/clamscan.log / &
Security-wise it is essential to have at least one anti-virus solution on servers that store or relay files for other clients, such as file shares and mail servers. While Windows viruses may not affect the Linux host itself, the host can pass them on to other users. Using ClamAV or another product prevents such incidents.
These Linux security tips and guides showcase only a small fraction of the adjustments needed to make a machine secure. Even though they do not protect against every possible risk, they provide a good base on which to further develop your security measures.
As always feel free to comment and ask questions, we will be glad to help!