Linux Security Basics

Written by:  dwlsn233 • Edited by: Michael Dougherty
Published Jul 5, 2010

Contrary to popular belief, Linux is no more or less secure than other operating systems. Ensure the security of your Linux PC by applying these security measures.

Keep Linux patched and up to date

Security updates are essential to ensuring that a Linux system is not vulnerable to attack. Apply updates regularly by configuring Linux to install updates automatically when they become available, or to notify you that updates are available so that you can decide whether to apply them. Update settings and procedures differ between Linux distributions and between versions of a distribution. To configure updates on Ubuntu systems, select System, then Administration, then Software Sources, select the Internet Updates tab, and in the Automatic Updates section check the 'Check for Updates' box to enable automatic updates.

The Fedora Linux distribution provides a similar mechanism; however, it automatically downloads updates but does not install them until the user triggers installation. To enable automatic download of updates, depending upon the version of Fedora, click System, then Preferences, then Startup Applications, where you can enable or disable the update application at boot. To enable the update process itself, click System, then Preferences, then Personal, then Sessions and check the 'Packagekit Update Applet' checkbox, or click System, Preferences, System, Software Updates and enable the automatic update feature.

Disable Unnecessary Services

Services are programs that run in the background. Typically they listen on the network for connection requests using an assigned 'port' number, which is essentially an ID number that the operating system uses to identify the service to which network traffic is forwarded. To determine which services are running on a Linux PC and listening for network connections, open a command line terminal and type:

netstat -anp

and press Enter. The output lists services by name and includes the port number if they are listening for network requests.

Services that should be disabled and are most likely not in use include NFS, the 'r' services (rsh, rlogin, rexec, rcp), telnet server, ftp server, BIND, and the email services sendmail, exim, postfix and qmail.

If services are listed that should not be running, they should be disabled so that they do not run on startup. To disable a service, first stop the service by typing:

service service-name stop

replacing 'service-name' with the name of the service you wish to stop. Then once the service has stopped, identify the exact name of the startup script for the service by typing:

ls -l /etc/rc.d/rc3.d/S*

and press Enter and then type:

ls -l /etc/rc.d/rc5.d/S*

and press Enter. The output of both commands will show services that start at run levels 3 and 5 (run level 5 being graphical mode services). Then use the chkconfig utility to prevent the service startup script from starting at boot by typing the following:

chkconfig --level 2345 script-name off

replacing 'script-name' with the name of the script to be disabled. Note that these command line operations require superuser permissions and assume that the command line shell configuration includes the path to the binaries for the commands specified. For some distributions, such as Ubuntu, it is necessary to start each command with 'sudo' and then type the root or superuser password in order to execute the command. It may also be necessary to provide the full path to the utility binary in order to issue the command, for example:

/sbin/chkconfig

rather than simply typing the command in order for the command to run.

Note that the Xinetd service is special: it listens for requests on specified ports, and when a connection request is received on one of those ports it starts the service associated with that port to handle the request. To disable a service controlled by Xinetd, navigate to the /etc/xinetd.d directory, find the file with the same name as that service, open it, and change the 'disable = no' attribute to 'disable = yes'. Save the change, then reboot the Linux PC or type the following on the command line:

service xinetd restart

in order for the changes to take effect.

Also, depending upon the distribution of Linux that is installed, it may be easier to access the graphical version of these same utilities. Look under the System or Administration section of the menus for the Services utility then open it and deselect services that should not run at startup and then save the setting.
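
To re-check the listening services after working through the steps above, the following added example (not part of the original article) filters 'netstat -anp' output for listening sockets on the well-known ports of the services named in this section. It matches on port rather than program name because a service started through Xinetd appears under xinetd in the output; the function names and the sample output are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample of `netstat -anp` output (not captured from a real host).
sample_netstat() {
cat <<'EOF'
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      812/sshd
tcp        0      0 0.0.0.0:23              0.0.0.0:*               LISTEN      640/xinetd
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      901/sendmail: accep
tcp6       0      0 :::21                   :::*                    LISTEN      955/vsftpd
tcp        0      0 192.168.1.10:22         192.168.1.50:51234      ESTABLISHED 1200/sshd: user
udp        0      0 0.0.0.0:53              0.0.0.0:*                           733/named
udp        0      0 0.0.0.0:514             0.0.0.0:*                           588/rsyslogd
EOF
}

# Read `netstat -anp` output on stdin; print one line per listening socket on a
# port used by the services listed above, as: proto/port service owner scope
flag_listeners() {
    awk '
    BEGIN {
        # Well-known ports; the r-services are TCP only (udp/514 is syslog).
        s["tcp/21"]="ftp";     s["tcp/23"]="telnet";  s["tcp/25"]="smtp"
        s["tcp/512"]="rexec";  s["tcp/513"]="rlogin"; s["tcp/514"]="rsh"
        s["tcp/53"]="dns";     s["udp/53"]="dns"
        s["tcp/2049"]="nfs";   s["udp/2049"]="nfs"
    }
    $1 !~ /^(tcp|udp)6?$/ { next }                  # skip headers and unix sockets
    {
        proto = $1; sub(/6$/, "", proto)
        if (proto == "tcp" && $6 != "LISTEN") next  # established, TIME_WAIT, ...
        if (proto == "udp" && $5 !~ /:\*$/) next    # connected UDP socket
        n = split($4, a, ":"); key = proto "/" a[n]
        if (!(key in s)) next
        # UDP rows have an empty State column, so the owner is one field earlier.
        owner = (proto == "tcp") ? $7 : $6
        sub(/^[0-9]+\//, "", owner); sub(/:$/, "", owner)
        if (owner == "" || owner == "-") owner = "unknown"   # -p needs root
        scope = ($4 ~ /^(127\.|::1:)/) ? "loopback" : "network"
        print key, s[key], owner, scope
    }'
}

# On a live system: netstat -anp | flag_listeners
sample_netstat | flag_listeners
```

A 'loopback' result means the service only accepts connections from the local machine, while 'network' means it is reachable from other hosts.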
