While Microsoft Windows remains the dominant operating system on the market, Linux is growing in popularity. If you encounter Linux in a business context, it is almost always in the form of a server providing network services to endpoint devices. However, Linux is a perfectly usable OS for employee workstations and can even save your business quite a bit of money on technology costs. If you have any Linux systems, whether servers or endpoints, make sure to implement common best practices for security.
NOTE: this guide is meant for Debian-based Linux distros like Ubuntu, Mint, and Zorin, because I recommend Debian-based distros for business environments and first-time users due to their simpler nature and wide support base. The commands below use apt and will not apply unchanged to Fedora, RHEL or SUSE.
Strong Authentication: as with any other operating system, Linux accounts should have strong passwords that follow your organizational password policy. If your Linux systems function as servers, it is best practice to go a step further and use SSH key-based authentication instead of passwords. This entails generating an SSH key pair on the administrator's machine and appending the public key to the ~/.ssh/authorized_keys file of the target account on the server. Once every administrator can log in with a key, password-based authentication can be disabled in the SSH server configuration (/etc/ssh/sshd_config on Debian-based distros). From then on, authentication to the server is done with the private key rather than a password, which takes password guessing and credential stuffing against SSH off the table. Protect the private key with a passphrase, keep it off shared systems, and leave an existing session open while you test the change so a mistake does not lock you out.
Regular Updates and Upgrades: Linux should always be kept updated to address the latest security and functionality fixes. On a Debian-based system this is a two-step process: first refresh the package index, then install the newer versions. The commands are:
- sudo apt-get update
- sudo apt-get upgrade -y
- sudo apt-get dist-upgrade -y
The first command only downloads the package lists, the second installs newer versions of the packages you already have without adding or removing any, and the third also handles upgrades whose dependencies changed, which is what picks up kernel and library transitions. You can put these commands into a script and have cron run it on a schedule, but a run with nobody at the keyboard must be non-interactive, should log what it changed, and should tell you when a reboot is pending. Debian and Ubuntu also ship the unattended-upgrades package, which does exactly that for security updates and is the simplest option for most hosts.
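As an added example (my code, not a script from this guide), here is that update sequence wrapped so that cron can run it unattended. The log path, the Sunday 03:00 schedule and the install path /usr/local/sbin/apt-auto-update.sh are my assumptions; /var/run/reboot-required is the flag that Debian/Ubuntu's update-notifier-common writes when a package needs a reboot.

```sh
#!/bin/sh
# Added example, not code from the original guide: the three apt-get steps
# above, wrapped as a script that cron can run with nobody at the keyboard.
# Assumed: the log path, the schedule in cron_line, and the install path
# /usr/local/sbin/apt-auto-update.sh.

LOG=${LOG:-/var/log/apt-auto-update.log}

# Run update, upgrade and dist-upgrade in order, fully non-interactive:
# DEBIAN_FRONTEND suppresses debconf prompts; the two Dpkg options keep the
# admin's edited config files when a package ships a new default (confold)
# and take the default answer for everything else (confdef).
run_updates() {
    command -v apt-get >/dev/null 2>&1 || { echo "apt-get not found" >&2; return 2; }
    [ "$(id -u)" -eq 0 ] || { echo "must run as root" >&2; return 2; }
    export DEBIAN_FRONTEND=noninteractive
    for step in update upgrade dist-upgrade; do
        echo "$(date '+%F %T') apt-get $step" >>"$LOG"
        apt-get -y -q -o Dpkg::Options::=--force-confdef \
                      -o Dpkg::Options::=--force-confold "$step" >>"$LOG" 2>&1 \
            || { echo "apt-get $step failed, see $LOG" >&2; return 1; }
    done
    apt-get -y -q autoremove >>"$LOG" 2>&1      # drop orphaned dependencies
    if reboot_required; then
        echo "$(date '+%F %T') reboot required" >>"$LOG"
    fi
}

# True when the system needs a reboot to finish an update (kernel, libc, ...).
# Takes an alternative flag path so it can be exercised without a real upgrade.
reboot_required() {
    [ -f "${1:-/var/run/reboot-required}" ]
}

# One /etc/cron.d line: weekly, Sunday 03:00, run as root. Files in /etc/cron.d
# carry a user field, unlike a personal crontab edited with crontab -e.
cron_line() {
    printf '%s\n' "0 3 * * 0 root $1"
}

# Entry point for cron; with no arguments nothing is executed.
if [ "${1:-}" = "--run" ]; then
    run_updates
elif [ "${1:-}" = "--install-cron" ]; then
    cron_line /usr/local/sbin/apt-auto-update.sh >/etc/cron.d/apt-auto-update
fi
```

Install it with mode 0700 owned by root, run it once by hand with --run on a test host, and check the log before trusting the schedule; an unattended upgrade can still break a service, so the log and the reboot flag are what you review on Monday morning. If you would rather not maintain this yourself, install the unattended-upgrades package and configure it with dpkg-reconfigure unattended-upgrades.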
Disable Remote Root Login: the Linux root account is the closest equivalent of the built-in Administrator account on Windows. It should only be used for configuration and maintenance, normally through sudo from a named account so that every privileged action is attributable to a person, and it should never be reachable remotely. Make sure the SSH server configuration forbids root logins (the PermitRootLogin directive in /etc/ssh/sshd_config), validate the file and restart the SSH service after changing it.
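The two SSH settings above (no password logins, no remote root) are easy to get wrong because sshd honours the first occurrence of a directive, ignores later duplicates, and treats anything after a Match line as conditional. As an added example (my code, not from this guide), this audit reads a config the way sshd does; the two config files in it are constructed samples, and the directive defaults are those of current OpenSSH.

```sh
#!/bin/sh
# Added example, not code from the original guide: check an sshd_config for
# the two settings discussed above (no password logins, no remote root) and
# for the PAM keyboard-interactive path, which can still accept a password
# when PasswordAuthentication is off. The two config files below are
# constructed samples; point sshd_audit at /etc/ssh/sshd_config for real use.

# Effective value of a global directive, or the default in $3 when it is unset.
# sshd keeps the FIRST occurrence of a keyword and ignores later duplicates,
# and directives after a "Match" line are conditional, so read top-down and
# stop at the first Match block. Keyword comparison is case-insensitive.
sshd_effective() {
    _cf=$1; _k=$(printf '%s' "$2" | tr 'A-Z' 'a-z'); _def=$3
    _v=$(awk -v key="$_k" '
        /^[[:space:]]*#/       { next }            # comment lines
        NF == 0                { next }            # blank lines
        tolower($1) == "match" { exit }            # stop before Match blocks
        tolower($1) == key     { print $2; exit }  # first occurrence wins
    ' "$_cf")
    printf '%s\n' "${_v:-$_def}"
}

# Compare one directive with the value we want; print ok/FAIL, return 1 on FAIL.
check_directive() {
    _file=$1; _key=$2; _want=$3; _default=$4
    _got=$(sshd_effective "$_file" "$_key" "$_default")
    if [ "$(printf '%s' "$_got" | tr 'A-Z' 'a-z')" = "$_want" ]; then
        echo "ok   $_key = $_got"
        return 0
    fi
    echo "FAIL $_key = $_got (want $_want)"
    return 1
}

# Audit one file; the return value is the number of failing directives.
# The fourth column is the OpenSSH default used when the directive is absent.
sshd_audit() {
    _fails=0
    check_directive "$1" PasswordAuthentication       no  yes               || _fails=$((_fails + 1))
    check_directive "$1" KbdInteractiveAuthentication no  yes               || _fails=$((_fails + 1))
    check_directive "$1" PermitRootLogin              no  prohibit-password || _fails=$((_fails + 1))
    check_directive "$1" PubkeyAuthentication         yes yes               || _fails=$((_fails + 1))
    return "$_fails"
}

# Constructed sample 1: roughly what a stock install leaves you with. Note the
# Match block at the end: a naive grep for "PasswordAuthentication no" would
# pass this file, but that line only applies to the user "backup".
WEAK=$(mktemp)
cat >"$WEAK" <<'EOF'
Include /etc/ssh/sshd_config.d/*.conf
#PermitRootLogin prohibit-password
#PasswordAuthentication yes
KbdInteractiveAuthentication no
UsePAM yes
Match User backup
    PasswordAuthentication no
EOF

# Constructed sample 2: hardened; the duplicate last line is ignored by sshd.
HARDENED=$(mktemp)
cat >"$HARDENED" <<'EOF'
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no
PermitRootLogin no
PasswordAuthentication yes
EOF

echo "--- weak sample";     sshd_audit "$WEAK"     || echo "$? problem(s)"
echo "--- hardened sample"; sshd_audit "$HARDENED" || echo "$? problem(s)"
```

The script does not follow Include lines, and on recent Ubuntu cloud images a drop-in under /etc/ssh/sshd_config.d/ frequently re-enables password logins, so the authoritative check is sshd -T, which prints the effective configuration after all includes. The key setup itself is ssh-keygen -t ed25519 on your machine followed by ssh-copy-id user@host; after editing sshd_config run sshd -t to validate it and sudo systemctl restart ssh (the unit is called ssh on Debian-based distros), keeping your current session open until a fresh login with the key succeeds.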
Uninstall Unnecessary/Legacy Packages: Linux software is installed in the form of packages, and even a minimal system carries hundreds of them for system-related functionality. Among them may be old or unnecessary packages that add attack surface or speak cleartext protocols; Telnet and TFTP, whether the server or the client side, are the classic examples. Note that apt-cache pkgnames lists every package the configured repositories offer, not what is installed, so it is the wrong tool for this review. List the installed packages with dpkg-query or apt list --installed, go through them carefully, and remove the ones you do not need. Before removing a package, check what depends on it so you do not take a required service down with it.
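As an added example (my code, not from this guide), this script lists what is actually installed and flags legacy packages from a watchlist. The watchlist is my starting point built around the Telnet and TFTP packages named above and is not an exhaustive standard; the package list at the bottom is a constructed sample so the script runs on any system.

```sh
#!/bin/sh
# Added example, not code from the original guide: list installed packages and
# flag legacy cleartext services. The watchlist is my starting point around the
# Telnet and TFTP packages the text names; extend it for your environment.

LEGACY_PKGS="telnet telnetd inetutils-telnetd tftp tftp-hpa tftpd-hpa atftpd \
rsh-client rsh-server talk talkd nis"

# Installed package names, one per line. dpkg-query also knows packages that
# were removed but left their config files behind (status "config-files"),
# so keep only those whose status is "installed". apt-cache pkgnames, by
# contrast, lists every package the repositories offer, installed or not.
installed_packages() {
    dpkg-query -W -f='${Package} ${Status}\n' | awk '$NF == "installed" { print $1 }'
}

# Read package names on stdin, print each one on the watchlist, return 1 if any.
flag_legacy() {
    _hits=0
    while IFS= read -r _pkg; do
        for _bad in $LEGACY_PKGS; do
            if [ "$_pkg" = "$_bad" ]; then
                echo "LEGACY: $_pkg"
                _hits=$((_hits + 1))
                break
            fi
        done
    done
    [ "$_hits" -eq 0 ]
}

# Constructed sample of an installed-package list with two offenders.
SAMPLE_PKGS="bash
coreutils
openssh-server
telnetd
tftpd-hpa
ufw"

printf '%s\n' "$SAMPLE_PKGS" | flag_legacy || echo "review the packages above"

# On a real Debian-based host (dpkg-query present), scan the live package list.
if command -v dpkg-query >/dev/null 2>&1; then
    installed_packages | flag_legacy || echo "review the packages above"
fi
```

For each hit, run apt-cache rdepends --installed on the package to see what else needs it, then sudo apt-get purge the package and sudo apt-get autoremove afterwards. A package review only catches what came from a package: also look at what is actually listening with ss -tlnp, which exposes legacy services however they were installed.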
Configure a Host Firewall: as on Windows, a host-based firewall is a necessity for keeping individual hosts secure. For a basic Linux firewall setup I recommend UFW, the Uncomplicated Firewall, a front end to the kernel's netfilter that can be installed and configured with just a few commands. UFW's default policy denies incoming and allows outgoing traffic, so only the ports you explicitly allow are reachable. Add your allow rules before you enable the firewall on a remote machine, the SSH port first, or you will cut off your own session. For example, if your Linux system is hosting a web service, you would allow SSH for administration plus the two web ports:
sudo ufw allow 22/tcp
sudo ufw allow 80/tcp
sudo ufw allow 443/tcp
Then turn the firewall on and confirm that the rules are active:
sudo ufw enable = this will enable UFW
sudo ufw status verbose = show the active rules and default policies
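As an added example (my code, not from this guide), here is the same UFW setup as a plan-then-apply script that keeps the commands in an order which cannot lock you out of a remote host. The SSH port and the web ports are assumptions that match the text; without --apply the script only prints what it would do.

```sh
#!/bin/sh
# Added example, not code from the original guide: the UFW setup from the text
# in an order that cannot lock you out of a remote host. Without --apply it
# only prints the plan; --apply runs it (assumes root and the ufw package).
# SSH_PORT and the web-service ports are my assumptions, matching the text.

SSH_PORT=${SSH_PORT:-22}

# The commands, one per line, in dependency order: default policy first, the
# SSH port before anything else (ufw limit allows the port but blocks an
# address that opens 6 or more connections within 30 seconds, which blunts
# brute forcing), then the service ports, and enable last. --force skips the
# "may disrupt existing SSH connections" confirmation prompt.
ufw_plan() {
    echo "ufw default deny incoming"
    echo "ufw default allow outgoing"
    echo "ufw limit ${SSH_PORT}/tcp"
    for _svc in "$@"; do
        echo "ufw allow $_svc"
    done
    echo "ufw --force enable"
    echo "ufw status verbose"
}

# Feed the plan to a shell that stops at the first failing command (-e) and
# echoes each one (-x), so a typo never leaves a half-applied rule set.
ufw_apply() {
    [ "$(id -u)" -eq 0 ] || { echo "must run as root" >&2; return 2; }
    ufw_plan "$@" | sh -e -x
}

# Web server example from the text: SSH for administration plus HTTP and HTTPS.
if [ "${1:-}" = "--apply" ]; then
    shift
    ufw_apply "$@"
elif [ $# -eq 0 ]; then
    ufw_plan 80/tcp 443/tcp
else
    ufw_plan "$@"
fi
```

Run it once without --apply and read the plan, then sudo sh ufw-setup.sh --apply 80/tcp 443/tcp (file name assumed). If you moved SSH off port 22, set SSH_PORT in the environment first; allowing the wrong port and then enabling is exactly the lock-out the ordering is meant to prevent.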
Configure AppArmor/SELinux: AppArmor is a Linux Security Module that enforces mandatory access control through per-program profiles. Profiles are written in terms of file paths: a profile states which paths a program may read, write or execute and what network access it gets, and anything not listed is denied once the profile is in enforce mode. SELinux enforces mandatory access control with a more in-depth model, in which every process and object carries a security label and a policy language defines which labels may interact. Either one confines a compromised service to what it legitimately needs, which limits what an exploit can do after it lands. On Debian-based distros AppArmor is the natural choice: it is the module these distros ship and support (Debian 10 and later and Ubuntu enable it by default), it is easier to configure, and it is less intrusive on usability. Run a new profile in complain mode first, review the denials it logs, and switch it to enforce only once the log is quiet.
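As an added example (my profile, not from this guide), this is the shape of a minimal AppArmor profile for a hypothetical service binary /usr/local/bin/reportd; the binary, its directories and the file name /etc/apparmor.d/usr.local.bin.reportd are assumptions, and every path rule would be adjusted to the real service.

```apparmor
# Added example profile for the hypothetical service /usr/local/bin/reportd.
# Save as /etc/apparmor.d/usr.local.bin.reportd (assumed name), then:
#   sudo apparmor_parser -r /etc/apparmor.d/usr.local.bin.reportd
#   sudo aa-complain /usr/local/bin/reportd   # log denials, do not block yet
#   sudo aa-enforce  /usr/local/bin/reportd   # once the log is quiet
#include <tunables/global>

/usr/local/bin/reportd {
  #include <abstractions/base>
  #include <abstractions/nameservice>

  # the binary itself (m: map executable) and what it legitimately reads
  /usr/local/bin/reportd mr,
  /etc/reportd/** r,

  # its own state and log are the only writable locations
  owner /var/lib/reportd/** rw,
  /var/log/reportd/*.log w,

  # outbound TCP only: no UDP, no raw sockets
  network inet stream,

  # already implied by the whitelist; explicit deny rules make the boundary
  # visible and log an attempt to cross it
  deny /home/** rw,
  deny /etc/shadow r,
}
```

Check the result with sudo aa-status, which lists the loaded profiles and the mode each one is in, and watch the kernel audit log for "apparmor=DENIED" entries while the service is exercised in complain mode.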
