Linux Security - Is it Ready For The Average User?
by Bob Toxen - Originally published in issue 1 of (IN)SECURE Magazine - Monday, 1 August 2005.
There seems to be a new important security patch out for Linux every month, lots of "do not use this program" warnings, too many articles and books with too little useful information, high-priced consultants, and plenty of talk about compromised systems. It is almost enough to send someone back to Windows. Can the average Linux user or system administrator keep his or her system secure and still have time to do other things? I am happy to say yes and here is how to do it.

The Five Keys To Locking Your Linux System Down

Really, there are only five things needed to keeping a Linux system secure. This goes for both servers and client systems -- desktops and laptops. The first is to keep up-to-date with patches. This is easy to do yet is critical. First, pick a distribution that provides timely security patches, which is most Linux distributions. Mandrake, SuSE, Slackware, Gentoo, and Red Hat all do this as do most other Distros. If your Distro and version of it does not provide prompt security patches (within 48 hours) upgrade or switch Distros.

Some vendors refuse to provide patches for any given release after a short time, forcing you to upgrade to new versions more frequently, sometimes at great cost but always at an inconvenience. Also, Red Hat now charges for security patches on a per-system basis. Factor this into your selection of vendors.

The only alternative if patches for your system are not available in a timely manner from the Distro is to download the sources yourself, e.g., from,, etc. and build and install yourself. Red Hat's Enterprise series does not always release timely patches. By the way, if you are not running the or 2.4.30 kernels, it is time to upgrade (unless your vendor has back-patched a previous kernel that you are running).

Red Hat was the first to come out with a program that you can run to automatically check for new patches and install them, the up2date program. It works well so simply enable it if you use Red Hat. If you run a different Distro that has an equivalent program, use it. SuSE has yast2. Fedora has yum. Gentoo has emerge. The web site has great documentation to help beginners get started with emerge.

An alternative, used by some Distros such as Slackware is to invite you to subscribe to a mailing list alerting you to new patches. You then can decide which ones affect you and then download and install applicable patches. You can subscribe to Slackware's by hitting:

Deciding which to install usually is obvious. If you do not use it and it does not run set-UID then it is not a risk. I generally will remove the program or set its permissions to 0 if I am not going to patch it to prevent a problem if someone "accidentally" tries to use it later.

You Call That A Password?

Pick good passwords. A password should be at least 10 characters long and should not consist solely of one or two words in any dictionary. It should not consist solely of lower-case letters or solely of digits. Do not get around the one- or two-word prohibition via the trivial changing of the letter 'o' to the digit '0' or the letter 'l' to the digit '1', etc. Hackers know that trick too.

Do not use obvious numbers such as 3.1416 or 42, words like secret, root, or wheel, a word repeated, names from science fiction, or names or other data from your current personal life, such as your girlfriend's or pet's names, automobile tag, or phone number. Use two or three unrelated words or names interspersed with two or three non-alphanumerics or something equally hard to guess or brute-force crack.

Don't Blame Sendmail


101,000 US taxpayers affected by automated attack on IRS app

The IRS has revealed more details about an attack it suffered last month, mounted by unknown individuals with the aim to file fraudulent tax returns and funnel the returned money to their own bank accounts.

Weekly newsletter

Reading our newsletter every Monday will keep you up-to-date with security news.

Daily digest

Receive a daily digest of the latest security news.

Wed, Feb 10th