Security/Firewall/Anit-virus HOWTO for newbies?

Guest urbanotter

Hi,

 

As a new linux user (and very much enjoying it I must say) coming from windows I am acutely aware of the existence of security problems. What I have not been able to find easily (and I have looked, although I have not read everything -- there's a lot of it out there) is a guide/HOWTO for newbies about the security concerns that face them as they migrate to linux. I'm really looking for a non-technical approach here. As I learn more I'll want to get into the nitty-gritty, but until I'm up to speed I want to have some assurance that I'm reasonably protected.

 

What I have heard is that in general linux is very secure right out of the box. However, it seems that someone is worried about security as there are firewall and anti-virus software out there for the downloading. I think some information on what is there, how good it is, how important it is would be very helpful to the typical windows convert just working on their home machine or maybe a small home network. I realize that this would take a great deal of someone's time, but I also think there would be many out there that would really appreciate it (well at least one -- me!)

 

What kinds of things should newbies be worried about? Some questions that newbies might have:

 

If I'm running as root and connected to the internet am I at risk?

 

If I'm running as a regular user and have a terminal open where I'm logged in as root am I at risk?

 

Do I need a firewall? Newbies are going to be intimidated by talk of ipchains and machines that are dedicated to being firewalls (besides not everyone has an extra machine lying around). Most of the stuff I have read on this subject has been at a depth that is over the head of newbies, and probably beyond what the average user is willing to learn in any case. Will any old firewall do? Shorewall comes with ML 9, but seems to be limited on easy configuration features. How does it compare with Guard Dog and FireStarter? What is stealth mode and should I care?

 

Do I need anti-virus software? From what I have read, I might not need it, but coming from windows I feel insecure without it. I have not really gotten into this subject much, but what I have seen is vague or overly technical.

 

I have searched in this forum, and found partial answers to some of these questions, and have read a great deal of info in howtos etc., but little of it has made me feel comfortable with what I should do next. I am not and am not likely to become a system administrator on the level that most info is written. I just want to know about easily used programs (and their relative necessity) that newbies should be concerned with.

 

Thanks for any and all advice. I know I'm asking a lot here, but I'm hoping that the answers will help not only me, but new converts in general.

 

urbanotter

1) You should never be running as root except when you need to make system changes that require root status. You should definitely never be running as root when connected to the Internet. Root access is like distributing copies of your house or car keys to everyone who walks by.

 

2) You should never be logged on as a regular user with root access in a terminal connected anywhere without ssh for the same reason as 1).

 

3) Whether you need a firewall or not depends on how you use your machine. In Mandrake 9.0, there is a security system called msec, which is behind the security level you select on the install. To see what is permitted and not permitted with msec, visit http://www.mandrakesecure.net . If you are running any kind of a server, then you need a firewall. If you have a highspeed connection, it is a good idea to have a firewall if your system is on 24/7 and/or you have a fixed IP. Shorewall is provided as a front end to make the configuration of iptables, the real firewall with 2.4.xx kernels, a little less intimidating. Other front ends that are easier than Shorewall to use are Firestarter and Guarddog. Which one you choose is a matter of personal preference. Even with a high speed connection, many people do not see the need to run any kind of firewall. I do not but then I am on dialup and do not run a server and do not connect to the Internet 24/7 and I am on the 'net intermittently at different times.

 

Much is made of stealth mode, which means that all ports are invisible to the Internet. Ports being closed and visible to the net is quite sufficient. It confirms that there is a computer at that port, but the door is locked. Firewalls are intended to ensure all vulnerable ports are at least locked. You cannot lock all ports, otherwise you can't use your machine on the Internet. A variety of internet sites offer port scans to check the status of your ports. The most popular of these is Shields Up at http://www.grc.com . Most of these are geared to Windows users but can provide useful information for you and may influence your decision whether or not to run a firewall.

 

4) There is a continuing debate on whether or not you need antivirus software. These discussions get into the minutiae of what a virus is and whether Linux is vulnerable. As a general conclusion, I would say that you do not need an antivirus program.

 

The vulnerability that most Linux Internet users need to be concerned with is a root kit, which gives the person installing the root kit root status on your machine, permitting them to do anything that you can do as root. Root kits are not blocked by available antivirus software as far as I know. There is a separate program called chkrootkit to verify that you have or have not had a root kit installed. This is an after-the-fact test, not protection. This is one vulnerability that would justify the installation of a firewall.

 

In general terms Linux is much safer than Windows because the source is open and vulnerabilities are quickly caught and patched, but that does not mean you can ignore securing your machine completely. You should find a Linux security site or a Linux news site which gives up-to-date information on vulnerabilities and the availability of updated programs that eliminate the problem. Check the Mandrake Forum at http://www.mandrakeforum.com , and Mandrakesecure at the URL above. A security site that is useful is http://www.linuxsecurity.com and a general news site that gives security warnings is Linux Today at http://www.linuxtoday.com . Make it a common practice to check MandrakeUpdate on a regular basis, where security and other fixes can be downloaded and installed. Read back in the postings in this section. There is much useful information posted here that you will find useful.

 

Do not regard what I have written as anything close to the last word on your questions. Others may have different points-of-view that will enhance your understanding of Linux security.

 

Counterspy.
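As an added example that is not part of Counterspy's post: the difference between a "closed" port and a "stealth" (filtered) port described above can be seen from the answer a connection attempt gets. A closed port answers "no service here" at once; a port a firewall drops never answers. The small checker below classifies ports on your own machine the way an outside checker such as Shields Up reports them; the built-in self test opens a throw-away listener on localhost, so it runs without any network access.

```python
import socket
from contextlib import closing

# Added example, not code from the thread. Classifies one TCP port:
#   "open"     - something accepted the connection (a service is listening)
#   "closed"   - the host replied "connection refused": reachable, door locked
#   "filtered" - no reply before the timeout: dropped by a firewall ("stealth")
def probe_port(host="127.0.0.1", port=22, timeout=1.0):
    with closing(socket.socket(socket.AF_INET, socket.SOCK_STREAM)) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            return "open"
        except ConnectionRefusedError:
            return "closed"
        except (socket.timeout, TimeoutError):
            return "filtered"
        except OSError as exc:          # e.g. host unreachable
            return f"error: {exc.strerror}"

def check_ports(ports, host="127.0.0.1"):
    """Report the state of each listed port on your own machine."""
    return {p: probe_port(host, p) for p in ports}

def self_test():
    """Constructed demo: listen on an ephemeral localhost port, probe it,
    close it, probe again. Returns (state while listening, state after closing)."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    port = listener.getsockname()[1]
    while_listening = probe_port("127.0.0.1", port)
    listener.close()
    after_closing = probe_port("127.0.0.1", port)
    return while_listening, after_closing

if __name__ == "__main__":
    print(self_test())                       # ('open', 'closed')
    # a few ports a home machine commonly has services on
    for port, state in check_ports([22, 25, 80, 111, 139]).items():
        print(f"port {port}: {state}")
```

A port reported "filtered" from outside but "closed" from localhost is exactly what a host firewall produces; either state keeps the door locked, which is the point Counterspy makes.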

Guest urbanotter

Counterspy,

 

Thanks for your in-depth response. Very helpful. I look forward to other points of view.

 

I have one follow-up and an additional question:

 

Follow-up: I understand that running as root opens my machine up in many ways (most of which I'm sure I don't know about). From your response, I gather that I should unplug my cable modem anytime that I am logged in as root or have a root terminal open. (I know that I should not be so silly as to surf the web as root or check my email). How vulnerable am I when running utilities that require root permissions that must use the net such as rpmdrake or drakconnect?

 

Additional question: What are PGP signatures, and how concerned should I be when they don't check out? For example, some files that I downloaded from PLF recently didn't check out (although I think that I didn't properly add the PLF PGP keys to my key ring -- still not really sure what that means either), and a HOWTO file didn't have a PGP signature at all. Are PLF, texstar, and the cooker sites that I can reasonably trust, or should I be vigilant with even big name sites like these?

 

Thanks again for all of your help,

 

urbanotter

1) You do not need to unplug your modem when doing routine tasks as root. You should not have a terminal program open to the world as root. There is the possibility of confusion here over the use of the word "terminal". Many times people will refer to terminal when they mean console, or running without a graphic interface. In KDE, when you click the blackboard icon you are in effect running without KDE in the opened blackboard. You can operate only in the window at the prompts until you close the Window. You can also use full screen consoles with ctrl/alt/f1 to ctrl/alt/f6 with ctrl/alt/f7 returning you to graphic mode, uninterrupted from where you were when you switched. These options will be better described in the manuals referred to below.

 

There is minimal risk with rpmdrake and drakconnect. Look up the Mandrake doc files in your main menu and read the Starter Guide, the Everyday Applications Manual and the Command Line Manual which will explain this much better than I have.

 

2) I am going to defer to a complete discussion of PGP to this site: http://www.mandrakesecure.net/en/docs/gpg.php . Vincent Danen has written a very thorough description of PGP and how it works. As far as the signatures of various sites and programs, I have never bothered with them and have not had any bad experiences as a result in a number of years of computing. The one important signature, if it can be called that, is the md5sum of downloaded material which verifies a correct download or if the md5sums don't match, an incorrect download.

 

Counterspy
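As an added example that is not part of Counterspy's post: the md5sum check he describes is normally run as `md5sum -c MD5SUMS` against the checksum list a download site publishes. The function below does the same job step by step, reading lines in the `hexdigest  filename` format md5sum writes and reporting each file as OK, FAILED (contents differ) or MISSING. The file names and contents in `demo()` are constructed for the example.

```python
import hashlib
import os
import tempfile

# Added example, not code from the thread: a small equivalent of `md5sum -c`.

def file_md5(path, chunk=64 * 1024):
    """Hash a file in chunks so large downloads are not read into memory at once."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def check_md5sums(md5_list_path):
    """Parse 'hexdigest  filename' lines; return {filename: 'OK'|'FAILED'|'MISSING'}."""
    base = os.path.dirname(md5_list_path)
    results = {}
    with open(md5_list_path) as f:
        for line in f:
            line = line.strip()
            if not line or line.startswith("#"):
                continue
            expected, _, name = line.partition(" ")
            name = name.lstrip(" *")   # md5sum writes "  name" (text) or " *name" (binary)
            path = os.path.join(base, name)
            if not os.path.exists(path):
                results[name] = "MISSING"
            elif file_md5(path).lower() == expected.lower():
                results[name] = "OK"
            else:
                results[name] = "FAILED"
    return results

def demo():
    """Constructed data: one intact download, one corrupted one, one not downloaded."""
    d = tempfile.mkdtemp()
    with open(os.path.join(d, "foo-1.0.rpm"), "wb") as f:
        f.write(b"rpm payload")
    with open(os.path.join(d, "bar-2.0.rpm"), "wb") as f:
        f.write(b"rpm payloaD")          # one byte differs from what was listed
    listing = os.path.join(d, "MD5SUMS")
    with open(listing, "w") as f:
        f.write(f"{hashlib.md5(b'rpm payload').hexdigest()}  foo-1.0.rpm\n")
        f.write(f"{hashlib.md5(b'rpm payload').hexdigest()}  bar-2.0.rpm\n")
        f.write(f"{'0' * 32}  baz-3.0.rpm\n")
    return check_md5sums(listing)

if __name__ == "__main__":
    for name, state in demo().items():
        print(f"{name}: {state}")
```

A matching md5sum shows the file arrived as the site listed it; it says nothing about who published the listing, which is the job of the PGP/GPG signature Vincent Danen's document covers.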

On the point of virus scanners, it depends on what you are doing. If your Mandrake box is acting as a firewall/proxy that fronts windows machines behind it, then running a virus scanner on mail or HTTP traffic handled by your Mandrake server may be a requirement. On this note you may want to look at http://www.openantivirus.org/
