The trouble with security is knowing where to start. Security involves the entire operating system and can require an intimidating amount of expertise. So how can you secure your machine without making security a lifetime study?
Most people know enough to install some sort of antivirus tool like ClamAV [1] and anti-spam filters such as SpamAssassin [2] and Bogofilter [3]. However, antivirus protection is low priority on Linux, unless a system exchanges files regularly with Windows machines. Moreover, both antivirus and anti-spam tools are reactive security, useful only after you already have a problem. Your security is almost always much tighter if you focus your attention on architectural security – that is, settings designed to prevent intrusions in the first place.
Fortunately, not only are architectural security fixes common, but a few are easy enough for even new users to apply. Of course, that doesn't mean that they won't take time to apply. Sometimes ease of use is only relative to similar tools, and a tool may still have a long and difficult learning curve.
Within these limitations, the nine solutions listed here are among the easiest to apply. Between them, they cover most of the major areas of concern in security, and if you apply all of them, you can be reasonably sure that your system is protected.
Lynis
Like the once-popular Bastille Linux, Lynis [4] does a security audit of your system. In less than 10 minutes, it conducts over 220 tests, including some designed for major distributions, and provides a list of suggestions for improving a system's security (Figure 1). Each suggestion links to a detailed online description of why the suggestion matters and possible options. The tests can be run from the root account for an overall architectural audit or from an ordinary account for penetration testing.
Figure 1: Lynis produces a list of ways to tighten the security on your computer.
Depending on the state of your system, Lynis can keep you busy for hours as you harden your system. But it directs your efforts and teaches you more about the inner workings of Linux than anything else available. Run it as soon as possible after installation, then as part of your regular maintenance, comparing the results of the two most recent audits to see what has changed and checking each difference.
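One way to compare two audits is sketched below as an added example (not part of the original article or of Lynis itself). It assumes you keep a copy of the Lynis report file after each run and that findings appear in it as warning[]= and suggestion[]= lines; the function names and the sample reports are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the article. Assumes Lynis report files that hold
# findings as "warning[]=ID|text|..." and "suggestion[]=ID|text|..." lines.

# Print the sorted, unique finding IDs in one report file.
finding_ids() {
    grep -E '^(warning|suggestion)\[\]=' "$1" |
        sed 's/^[a-z]*\[\]=//' | cut -d'|' -f1 | sort -u
}

# Compare two reports. MODE "new" prints IDs found only in the later report;
# MODE "fixed" prints IDs found only in the earlier one.
compare_audits() {
    mode=$1 before=$(mktemp) after=$(mktemp)
    finding_ids "$2" > "$before"
    finding_ids "$3" > "$after"
    case $mode in
        new)   comm -13 "$before" "$after" ;;
        fixed) comm -23 "$before" "$after" ;;
    esac
    rm -f "$before" "$after"
}

# Constructed sample reports (IDs and text are illustrative only).
write_samples() {
    cat > "$1/before.dat" <<'EOF'
# constructed sample, earlier audit
warning[]=FIRE-0001|No active firewall found|-|-|
suggestion[]=AUTH-0002|Set a stricter default umask|-|-|
suggestion[]=SSH-0003|Disable root login over SSH|-|-|
EOF
    cat > "$1/after.dat" <<'EOF'
# constructed sample, later audit
suggestion[]=SSH-0003|Disable root login over SSH|-|-|
suggestion[]=KRNL-0004|Review kernel sysctl values|-|-|
EOF
}

dir=$(mktemp -d)
write_samples "$dir"
echo "New findings:";   compare_audits new   "$dir/before.dat" "$dir/after.dat"
echo "Fixed findings:"; compare_audits fixed "$dir/before.dat" "$dir/after.dat"
rm -rf "$dir"
```

A finding that shows up under "new" on a system you have not deliberately changed is the one to look at first.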
Firejail
Sandboxes – isolated environments – have become a standard security feature in the last few years. Usually, that means running containers, which can be difficult to install. Firejail [5] is an easier alternative, installing lightweight sandboxes and running primarily on standard kernel modules (Figure 2). Using it is as easy as adding Firejail at the start of a command. Create a panel or desktop launcher, and launching an application in a sandbox is reduced to a single click.
Figure 2: Firejail sandboxes common desktop apps through a series of predefined profiles.
Firejail installs with over 60 profiles for common applications like Firefox, XChat, and Wine, and a default profile for other applications. This basic security can be supplemented by compiling Firejail for AppArmor support, a whitelist or blacklist, and a range of other options, including an array of permissions.
Like any form of sandboxing, Firejail should not be your only line of defense. However, it remains a valuable addition to your security toolbox.
Signal
Developed by the non-profit Open Whisper Systems, Signal [6] encrypts voice and text messaging on Android and iOS phones (Figure 3). Signal Desktop, a Chrome app, is currently in beta, allowing users to take advantage of a laptop or workstation's larger screen and full-sized keyboard when using a linked phone.
Figure 3: Signal encrypts voice and text conversations through its centralized servers.
The phone apps are drop-in replacements for the default apps, installing seamlessly despite the warning issued by the phones. Conversations are carried by Open Whisper's servers, with the exchange of encryption keys done invisibly for the users. All participants in a conversation must have Signal installed for encryption to be possible, but if they do not, then Signal still works unencrypted.
Signal itself should be protected by a passphrase. You also have the option of setting an expiry date for each conversation and adding graphic and audio attachments to messages.
However, Signal's use of centralized servers could be a potential security risk. There are also some proprietary components on the backend. You might prefer similar but decentralized solutions such as Ring [7].
umask
umask [8] is the standard command in Linux for setting the default permissions for a new directory or file. It sets the permissions for the owner, the owner's group, and other users, setting whether each can read, write, or execute a file.
By default, most distributions set umask laxly, giving users all these permissions, while the owner's group and others can read the file. By denying the group and others read permissions, you substantially limit an intruder's navigational abilities within your system. Read the man page for chmod to refresh your memory about other ways to use permissions.
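The difference between a lax and a strict setting is easy to see in a shell. The following is an added example, not from the original article; the function names are illustrative, 022 and 077 are used as typical lax and strict values, and GNU stat and find are assumed.

```shell
#!/bin/sh
# Added example, not from the article: what a lax umask (022) and a strict
# one (077) do to newly created files, and how to find older files that a
# umask change leaves untouched. Assumes GNU stat and find, as on Linux.

# Print the octal mode a new file or directory receives under a umask.
# Usage: mode_under_umask UMASK file|dir
mode_under_umask() {
    (   # subshell, so the caller's own umask is not changed
        umask "$1"
        tmp=$(mktemp -d) || exit 1
        if [ "$2" = dir ]; then mkdir "$tmp/new"; else : > "$tmp/new"; fi
        stat -c %a "$tmp/new"
        rm -rf "$tmp"
    )
}

# umask only affects files created afterwards. List regular files under a
# directory that group or others can still read, as candidates for chmod.
readable_by_others() {
    find "$1" -xdev -type f -perm /044 -print
}

for m in 022 077; do
    printf 'umask %s -> file %s, directory %s\n' "$m" \
        "$(mode_under_umask "$m" file)" "$(mode_under_umask "$m" dir)"
done
```

To keep the strict setting across logins, the umask 077 line goes in a shell startup file; which file is read depends on the distribution and shell.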
BleachBit
BleachBit [9] is a multipurpose utility (Figure 4). Its original purpose was to identify files that could be safely deleted, such as web caches, HTTP and Flash Cookies, unused localizations, and temporary log files that have outlived their usefulness.
Figure 4: Despite its reputation as a conspirator's tool, BleachBit has several legitimate uses.
For those who like to optimize their systems, this functionality remains important. Today, however, BleachBit is known primarily for its ability to shred files and wipe unallocated disk space. In fact, these uses have become so notorious that poorly informed people often assume that anyone who uses BleachBit must be a conspirator. However, if you deal with sensitive information or are a privacy advocate, these are completely legitimate functions, and you should not be discouraged from using BleachBit.
FireStarter
Firewalls are a time-honored form of security. The problem is, even graphical interfaces for setting up firewalls can be difficult to use unless you are well-versed in their structure.
FireStarter's [10] wizard is among the best interfaces available for setting up a firewall (Figure 5). Better yet, detailed instructions for specific distributions, including Linux Mint [11] and Ubuntu [12], are available online.
Figure 5: FireStarter is one of the easiest ways to set up a firewall when you lack expertise.
KeePassX
Everyone knows strong passwords are a basic security feature. Yet many users avoid them because they are difficult to apply – or, worse still, keep them on a Post-it note taped beneath their keyboards.
Password banks like KeePassX [13] are a reasonable solution, storing passwords in a secure environment and helping you generate strong passwords and avoid the temptation of easy-to-remember weak ones (Figure 6). KeePass, a command-line version, is also available.
Figure 6: KeePassX not only makes strong passwords practical, but helps you to generate them as well.
Enigmail
Most modern email readers support encryption. However, too many give no indication of how to encrypt. Fortunately, the Free Software Foundation has released a page called "Email Self-Defense" [14] that explains how to encrypt in Thunderbird with Enigmail [15] using PGP (Pretty Good Privacy).
Besides explaining where to find and install Thunderbird and Enigmail, "Email Self-Defense" explains how encryption keys work, how to generate them, and how to test the result. Each section contains a link for troubleshooting, and the last lines give general tips, such as the fact that the subject line is not encrypted and should therefore not contain any sensitive information. Provided you have the patience to follow instructions, you should have the ability to encrypt email within half an hour.
Looking for More
If you configure all these tools, the end result should be a reasonably secure system. However, a basic axiom of security is defense in depth – meaning you can never have enough tools to keep your computers safe.
The next time you install, consider encrypting your home directory. (You can do it later, but that immensely complicates the procedure.) If you are really serious, consider learning SELinux [16] or AppArmor [17] and writing your own security rules. Or, as fond as you may be of Ubuntu, you might consider switching to Qubes OS [18], which builds different levels of security into the operating system and is available as a Debian derivative.
However, such extreme tactics are more than many users are willing to try. Stick with the suggestions here, and your system should be vulnerable to little except human engineering, the exploitation of user gullibility – and against that, nothing can protect you except common sense.