Security on your Linux machine

Out of the box, your Linux system is set for very high security, so even though you may want to make services available to other machines from your Linux machine, no other machine can connect to it. The machine is set up for the most hazardous environment, that of a casual user connected to the Internet.

Getting (controlled) access

We'll address two scenarios. In the first we will look at the most common, the machine exposed to the Internet without the benefit of a firewall. In the second, we will consider a machine on a network protected by a firewall.

Exposed to the Internet

Your machine has its own firewall installed, and it's set to nearly the highest level of security. The purpose is to keep crackers (the media calls them "hackers") out of your machine. There are known exploits of some services that can allow the intruder to become "root", and then he can install software that can break into other machines, sniff your passwords and credit card numbers, and do other nefarious deeds. Forget about allowing telnet into your machine, and think carefully about allowing ftp. Telnet is a major security hole primarily because passwords are sent in the clear, and anyone sniffing your network can read them. If you want a capability similar to telnet, then install and enable Secure SHell (SSH). It is found in the openssh RPMs, and may already be installed. To start it up, run (as root)

    service sshd start

To have it come up automatically at boot time, run

    chkconfig sshd on

Now, you still have your firewall to deal with. Run lokkit or gnome-lokkit, and select "custom". Then mark SSH as a service to let through.
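Once sshd is running, it is worth checking that the daemon's configuration and the telnet service actually match the intent of this section (SSH allowed, telnet off). The script below is an added example, not from the original page; it assumes the Red Hat layout of the era (/etc/ssh/sshd_config and an xinetd service file at /etc/xinetd.d/telnet) and runs against constructed sample files, so it can be tried anywhere.

```shell
#!/bin/sh
# Added example, not from the original page: audit an sshd_config and an
# xinetd telnet service file for the page's advice (SSH on, telnet off).
# Paths and sample file contents below are constructed for illustration.

# Effective value of an sshd_config keyword.  sshd honours the FIRST
# occurrence of a keyword (outside Match blocks) and matches keyword
# names case-insensitively, so this does the same.  Prints nothing if absent.
sshd_opt() {
    awk -v key="$2" '
        /^[[:space:]]*(#|$)/        { next }
        tolower($1) == tolower(key) { print $2; exit }
    ' "$1"
}

# Returns 0 only if every check passes; prints one WARN line per failure.
# A missing keyword fails the check: PermitRootLogin defaulted to "yes"
# in sshd of this era, so a silent config is not a safe one.
audit_sshd() {
    cfg=$1; rc=0
    [ "$(sshd_opt "$cfg" Protocol)" = "2" ] \
        || { echo "WARN: Protocol should be 2 (SSH-1 has known weaknesses)"; rc=1; }
    [ "$(sshd_opt "$cfg" PermitRootLogin)" = "no" ] \
        || { echo "WARN: PermitRootLogin should be no (log in as a user, then su)"; rc=1; }
    [ "$(sshd_opt "$cfg" PermitEmptyPasswords)" = "no" ] \
        || { echo "WARN: PermitEmptyPasswords should be no"; rc=1; }
    return $rc
}

# xinetd service file: "disable = yes" means the service is switched off.
telnet_disabled() {
    grep -Eiq '^[[:space:]]*disable[[:space:]]*=[[:space:]]*yes' "$1"
}

# Constructed samples standing in for /etc/ssh/sshd_config and
# /etc/xinetd.d/telnet, written to a scratch directory.
TMP=$(mktemp -d); trap 'rm -rf "$TMP"' EXIT
printf 'Protocol 2,1\n#PermitRootLogin no\nPermitEmptyPasswords yes\n' \
    > "$TMP/sshd_config.bad"
printf '# hardened\nProtocol 2\nPermitRootLogin no\nPermitEmptyPasswords no\n' \
    > "$TMP/sshd_config.good"
printf 'service telnet\n{\n\tdisable\t= yes\n\tserver = /usr/sbin/in.telnetd\n}\n' \
    > "$TMP/telnet.off"
printf 'service telnet\n{\n\tdisable\t= no\n}\n' > "$TMP/telnet.on"

audit_sshd "$TMP/sshd_config.bad"  || echo "sshd_config.bad: FAIL"
audit_sshd "$TMP/sshd_config.good" && echo "sshd_config.good: OK"
telnet_disabled "$TMP/telnet.off"  && echo "telnet.off: telnet disabled"
```

Point the functions at the real files once you are satisfied with how they behave on the samples; the commented-out PermitRootLogin line in the "bad" sample shows why absence of a keyword is treated as a failure.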

You will want a Secure SHell client for your Windoze boxes. There are several software packages available; many are freeware or shareware. I recommend PuTTY.

As far as ftp is concerned, you may not need it. SSH includes scp (secure copy) and sftp (secure ftp). If you must have ftp, consider replacing the provided wu-ftpd with proftpd, which is considered to be more robust than wu-ftpd.

Isolated from the Internet

If your network is behind a good firewall, then you can open up whatever services you want, if you trust the others on the network. First you will want to turn off the firewall. Use lokkit to set things to "no firewall". Then use ntsysv to enable whatever services you want.

That said, I wasn't kidding about trusting others on your network. I still recommend using SSH to connect to your machine because it is secure and just as easy as telnet, in fact easier if you set things up right. Read up on "ssh-agent".


Bob McClure <robertmcclure@earthlink.net>
Last modified: Wed Nov 6 16:53:07 2002