Secure your GNU/Linux desktop
Back in 2008 I wrote an article on securing your GNU/Linux box. But after recent revelations about horrific processor exploits I was left wondering if the same advice still applies in 2018.
I should note before we start that in the past 10 years I've gone from being a sixth form college student to a Computer Science degree graduate with 5 years' full-time experience in the tech industry, so it's probably fair to say my views have changed a bit along the way...
Without further ado, let's go through my previous advice!
Password protect every workstation
This is still a good idea, but I'd go one further and say you should encrypt every workstation too. As we've been hearing in recent years it really does work.
If you're using Ubuntu the option is included at the install stage, or you can run sudo apt install ecryptfs-utils and create an encrypted folder to store sensitive files. You can also use VeraCrypt to fully encrypt your hard drive on existing installations.
When you're not using a machine, shut it down. This ensures data is only decrypted when you actually need it and no one can boot your computer without providing a password. For safety, you should store your recovery disks in a safe place.
Contrary to my previous advice, your machine's login password doesn't need to be particularly complex. So long as you don't log in automatically, the password isn't obvious to guess, and you don't reuse it for any online services, you're probably fine.
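As an added example (not part of the original article), here is a small POSIX shell script that checks the two points above on an Ubuntu-style desktop: whether a dm-crypt/LUKS volume or an eCryptfs folder is actually mounted, and whether the display manager has automatic login switched on. The parsing functions take their input as an argument, so they can be exercised on sample text; the config paths are the usual LightDM/GDM locations and are assumptions.

```shell
#!/bin/sh
# Added example (not from the article): checks for the advice above. The parsing
# functions take their input as an argument so they can be exercised on sample text.

# Return 0 if a dm-crypt/LUKS mapped device appears in `lsblk -rno TYPE,MOUNTPOINT` output ($1).
has_crypt_device() {
    printf '%s\n' "$1" | awk '$1 == "crypt" { found = 1 } END { exit found ? 0 : 1 }'
}

# Return 0 if an eCryptfs filesystem is mounted, judged from /proc/mounts content ($1).
has_ecryptfs_mount() {
    printf '%s\n' "$1" | awk '$3 == "ecryptfs" { found = 1 } END { exit found ? 0 : 1 }'
}

# Return 0 if a display-manager config ($1) turns automatic login on:
# LightDM uses "autologin-user=NAME", GDM uses "AutomaticLoginEnable=true".
# Leading whitespace is tolerated; commented-out lines do not count.
autologin_enabled() {
    printf '%s\n' "$1" | grep -Eiq \
        '^[[:space:]]*(autologin-user[[:space:]]*=[[:space:]]*[^[:space:]]+|AutomaticLoginEnable[[:space:]]*=[[:space:]]*true)'
}

# Run the checks against the live system and print a short report.
audit_desktop() {
    if has_crypt_device "$(lsblk -rno TYPE,MOUNTPOINT 2>/dev/null)"; then
        echo "OK:   a dm-crypt/LUKS volume is mapped"
    elif has_ecryptfs_mount "$(cat /proc/mounts 2>/dev/null)"; then
        echo "OK:   an eCryptfs folder is mounted (only that folder is encrypted)"
    else
        echo "WARN: no encrypted volume or folder detected"
    fi
    # Assumed config locations; an unmatched glob simply fails the -r test below.
    for f in /etc/lightdm/lightdm.conf /etc/lightdm/lightdm.conf.d/*.conf \
             /etc/gdm3/custom.conf /etc/gdm/custom.conf; do
        [ -r "$f" ] || continue
        if autologin_enabled "$(cat "$f")"; then
            echo "WARN: automatic login is enabled in $f"
        fi
    done
}

# Only touch the live system when invoked as: sh audit.sh --run
case "${1:-}" in --run) audit_desktop ;; esac
```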
Enable all security settings on your router
Erm... well, "yes" and "no" on that one.
First things first, change the router admin password. The defaults for WiFi routers that are handed out to customers for free by ISPs are usually published online for everyone to see. You should keep a note of it in case you ever have problems with your broadband line and need to contact tech support to fix it.
Next, disable WPS. It is horribly insecure and you're probably not using it anyway. Also disable any "guest networks" your ISP might have enabled unless you expect to make use of them.
You could also disable SSID broadcast, but as this doesn't really improve security and makes your life tougher it's probably not worth it. Similarly you could turn on MAC address filtering, but as this can be easily fooled it's not something I usually bother with.
You should also ensure you are using the latest version of WPA that your router supports. However, given even WPA2 has now been cracked your best bet is to install a browser add-on like HTTPS Everywhere so it is harder for people to snoop on your browsing habits.
Finally, if you can connect most machines over Ethernet instead of WiFi then not only will you achieve more reliable connection speeds, it will make man-in-the-middle attacks on your local network a bit tougher. (I use powerline network adapters to avoid ripping up the carpet or floorboards to do this.)
These basic steps will probably keep out the neighbour kids angling for free WiFi, but a determined malicious hacker won't have any problems breaking into your home network. This is why you should secure each machine individually, install the latest security updates and only turn a computer on when you actually need it.
I leave it up to you how you treat smartphones. Generally leaving them on and connected to WiFi saves on data costs and ensures app updates and OS upgrades are performed automatically, so it seems better than the alternative in my view.
Install a decent Firewall/Anti-virus/Anti-rootkit
I'll be honest, on a modern GNU/Linux desktop this is largely an optional step for home users.
So long as you regularly install the latest security updates then you shouldn't encounter any problems. I'd also recommend installing browser add-ons like HTTPS Everywhere and an ad-blocker such as uBlock Origin or SpyBlock. Disabling third-party cookies by default is also a sensible idea.
If you're using a laptop that regularly connects to public WiFi then you should take the extra precaution of using an encrypted VPN or (if you know how to use it properly) installing the Tor browser. I would also suggest you avoid visiting any particularly sensitive sites or storing files you'd like to keep secure on that particular machine.
UYSS "Update your software, stupid!"
Yes, that's just as true today as it's ever been. It should be the first and last task you perform every time you log in on any computer you use. Not only do you benefit from cool new features, but you will also ensure your system is patched against most zero-day exploits.
I definitely agree with backing up your files, although you may want to encrypt the drive you are storing your backups on.
If you've got a spare Raspberry Pi knocking around you could try installing Nextcloud on it. This enables you to sync copies of files and folders across multiple machines just like Dropbox, but without the fear of your files being directly exposed to the internet or the target of surveillance.
As a final note, you should ensure you use a different password with every online website you use and enable two-factor authentication wherever possible. I used to recommend online password managers, but these have proved to be unreliable. A sensible compromise might be to use KeePass/KeePassXC and simply copy your password file between multiple machines.
Myself? For a time I kept a CSV file on an encrypted USB drive I carry around with me and a paper copy of my credentials locked away somewhere safe. The benefit of this is that it works on any machine I want to use without needing extra software, and if I get run over by a truck someone can take care of my digital life. I don't typically recommend that approach though because I don't think it would work for everybody! Today I have a hybrid approach of using the CSV file as the definitive record of credentials and Firefox Sync for convenience, remembering to set a master password with each new install to ensure they are locally encrypted.
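If you keep a credentials CSV like the one described, the one check worth running on it is the "different password for every site" rule above. This added example (not the author's code) assumes a three-column layout of site,user,password with a header row and no commas inside fields, and reports only the site names that share a password, never the password itself.

```shell
#!/bin/sh
# Added example (not from the article): given a credentials CSV in the assumed
# layout "site,user,password" with a header row, report sites that share a
# password. Passwords are never printed, only the site names that share one.
# Assumes no field contains a comma.

# $1: CSV text. Prints one "reused by: site1 site2 ..." line per shared password.
# Returns 0 if any reuse was found, 1 otherwise.
reused_passwords() {
    printf '%s\n' "$1" | awk -F, '
        NR == 1 { next }                                   # header row
        NF >= 3 { sites[$3] = sites[$3] " " $1; count[$3]++ }
        END {
            for (p in count)
                if (count[p] > 1) { print "reused by:" sites[p]; found = 1 }
            exit found ? 0 : 1
        }'
}

# Usage on the real file, e.g. after mounting the encrypted USB stick
# (the path is a placeholder):
#   reused_passwords "$(cat /media/usb/credentials.csv)"
```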
I should stress that not all of my recommendations would be endorsed by seasoned security professionals, particularly in enterprise settings. They're pitched primarily at GNU/Linux enthusiasts and their home machines, but if you have a more complex home network setup then your requirements may differ.
As an individual you need to think about your own threat model and how much value you place on the things you intend to protect.
But most importantly, don't just trust me because I occasionally write articles for Linux Format magazine. Check out what several knowledgeable sources think on DuckDuckGo and then make the security decisions that feel right for you.