Linux servers are at greater risk than ever. While only a few years ago Linux users could count themselves as the “lucky few” who didn’t have to worry about malware and computer viruses, this era has unfortunately come to an end. Attackers now view Linux servers as a viable target that often provides a valuable return on investment. In March of 2018, 15,762 new Linux malware variants were developed - a significant increase from the 4,706 new variants developed in March of 2017.
Regardless of this discouraging trend, Linux still offers notable security and privacy advantages over proprietary operating systems like Windows or MacOS. Because its source code is openly available and undergoes constant, thorough review by a vibrant worldwide community of developers and security experts, vulnerabilities are found and fixed more quickly and reliably than in the closed-source code of proprietary OSes. However, despite the notable security benefits that Linux offers due to the transparency of its source code, the OS is still vulnerable to compromise as a result of frequent misconfigurations and poorly managed services.
While all Linux distros offer inherent security advantages over Windows or MacOS, pentesters, security researchers and users who are simply looking to maximize their security, privacy and anonymity online can achieve this by choosing a specialized secure Linux distro.
Regardless of the distro you choose, there are certain behaviors and best practices that all system administrators should engage in to secure their system against malware, viruses and other exploits. Here are our top tips for optimizing the security of your Linux system in this modern, ever-evolving threat environment.
Focus On The Fundamentals First
The majority of security issues impacting Linux systems can be attributed to either misconfigurations or poor system administration, such as a failure to keep up with security updates, and are not a reflection of the security of the Linux source code.
The Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) urge system administrators to prioritize patching known security vulnerabilities - especially those being exploited by foreign threat actors. Cyber criminals often begin by focusing their efforts on known vulnerabilities, as exploitation of these flaws requires fewer resources when compared to zero-day exploits (for which no patches are available) or the exploitation of vulnerable applications. LinuxSecurity.com tracks the latest Linux distribution security advisories (and has an RSS feed dedicated specifically to advisories), providing you with an easy and convenient way to stay informed of the latest updates issued by your distro.
When looking to improve the security of your system, begin by ensuring that it is properly configured and up-to-date. Implementing the other tips and tools that we suggest in this article will do very little to keep you safe if these best practices haven’t been addressed.
Control Access to Your System with SELinux
Implementing Security-Enhanced Linux - often referred to as SELinux - is a great way to increase the control you have over access to your system. SELinux is a highly fine-grained and fairly technical mandatory access control (MAC) system that restricts access beyond what traditional discretionary access control (DAC) methods such as file permissions or access control lists (ACLs) can achieve. For example, there is no reason that a web browser should need access to an SSH key, so in SELinux this information would not be provided to the web browser.
Stringent access controls are critical in preventing malicious actors from gaining administrative access to your system and installing rootkits or other types of malware. For this reason, SELinux has been adopted by multiple popular Linux distros including Fedora, Ubuntu and Debian, and is typically enabled by default.
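Because SELinux only restricts anything while it is actually enforcing, the first check an administrator should make is that the persistent setting and the live kernel state agree. The following script is an added example, not part of the original article: it reads the standard Fedora/RHEL locations (/etc/selinux/config for the persistent setting and /sys/fs/selinux/enforce for the runtime state, which are assumptions for other distros) and flags a permissive or disabled system, including the common case where the config says enforcing but someone ran setenforce 0.

```python
"""Check that SELinux is both configured and currently running in enforcing mode."""
import re
from pathlib import Path

# Standard locations on Fedora/RHEL; assumed to be the same on other distros
CONFIG_PATH = Path("/etc/selinux/config")     # persistent SELINUX= setting
ENFORCE_PATH = Path("/sys/fs/selinux/enforce")  # runtime: 1 = enforcing, 0 = permissive


def parse_config_mode(text: str) -> str:
    """Return the SELINUX= value (enforcing/permissive/disabled) or 'missing'.

    Comment lines and other keys such as SELINUXTYPE= are ignored.
    """
    for line in text.splitlines():
        m = re.match(r"\s*SELINUX\s*=\s*(\w+)", line)
        if m:
            return m.group(1).lower()
    return "missing"


def runtime_mode(enforce_text):
    """Map the contents of /sys/fs/selinux/enforce to a mode name.

    The file does not exist when SELinux is disabled or not built in.
    """
    if enforce_text is None:
        return "disabled"
    return "enforcing" if enforce_text.strip() == "1" else "permissive"


def assess(config_text: str, enforce_text):
    """Return (ok, findings); findings are the settings an admin should fix."""
    configured = parse_config_mode(config_text)
    running = runtime_mode(enforce_text)
    findings = []
    if configured != "enforcing":
        findings.append(f"persistent setting is SELINUX={configured}; set it to enforcing")
    if running != "enforcing":
        findings.append(f"kernel is currently {running}; run 'setenforce 1'")
    if configured == "enforcing" and running == "permissive":
        findings.append("runtime differs from config: enforcement was switched off at runtime")
    return not findings, findings


def assess_host():
    """Run the check against the real files on this host."""
    config = CONFIG_PATH.read_text() if CONFIG_PATH.exists() else ""
    enforce = ENFORCE_PATH.read_text() if ENFORCE_PATH.exists() else None
    return assess(config, enforce)


if __name__ == "__main__":
    ok, findings = assess_host()
    print("SELinux: OK (enforcing)" if ok else "\n".join(findings))
```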
Prioritize Network Security
Using a VPN to encrypt data between you and your server is an excellent way to protect your privacy and anonymity online. By masking your internet protocol (IP) address, VPNs ensure that your web browsing history and other online actions are virtually untraceable. VPN use is crucial in staying safe online in this new remote work environment brought on by COVID-19.
However, boosting your online privacy isn’t as simple as implementing any VPN - the VPN that you select is extremely important. When choosing a VPN, users should evaluate a range of characteristics including speed, security, ease of use and the reliability of the encryption technology used, among other factors. WireGuard is our top choice. The free and open-source VPN, which runs as a Linux kernel module (LKM), aims to exceed its competitors (namely OpenVPN) in performance and power saving ability. WireGuard offers the best of both worlds - it is both user-friendly and highly effective. WireGuard’s use of versioning of cryptography packages enables the VPN to focus on ciphers believed to be among the most secure current methods of encryption.
In addition to using a quality VPN like WireGuard, users should check their routers for security bugs. New research from the Fraunhofer Institute for Communication (FKIE) reveals that the firmware present in a large number of popular home routers - many of which have never received a single security firmware update in their lifetime - is vulnerable to a wide range of serious security issues. You may discover that your router is unexpectedly the biggest security hole in your network!
Install Linux Kernel Runtime Guard to Detect Vulnerability Exploits
Linux Kernel Runtime Guard (LKRG) is a kernel module created by Openwall that performs runtime integrity checking of the Linux kernel to detect security vulnerability exploits against the kernel. LKRG attempts to post-detect and rapidly respond to unauthorized kernel modifications or changes to the credentials of running system processes - protecting against exploits that gain unauthorized root access through kernel vulnerabilities, exploits that escape from e.g. Docker containers, LKM rootkits and other serious threats to the security of a Linux system. The module is capable of combating the majority of both pre-existing and hopefully future Linux kernel vulnerability exploits. LKRG provides security through diversity - without the usability drawbacks associated with running an uncommon OS.
LKRG is most useful on systems that realistically won't be promptly rebooted into new kernels, nor live-patched, whenever a new kernel vulnerability is discovered. Openwall founder Alexander Peslyak elaborates: “LKRG offers best-effort protection against kernel vulnerability exploits with little effort on behalf of the user - no need to configure a policy, etc. - making it especially beneficial for systems that are not expected to be consistently kept up-to-date.”
The module is compatible with a wide range of popular distros’ kernels, and can be easily installed in distros including RHEL, CentOS, Debian, Ubuntu and Whonix.
Download the Privacy Badger Extension to Secure Your Browser Against Trackers
Privacy Badger is a free and open-source browser extension created by the Electronic Frontier Foundation (EFF) that prevents advertisers and other third-party trackers from secretly tracking the web pages you visit and your actions online. Privacy Badger takes a balanced approach to Internet privacy between advertisers and consumers by blocking advertisements and tracking cookies that violate the Do Not Track header on outgoing requests - which the extension automatically adds so users conveniently don’t have to configure this setting in their browser. With Privacy Badger installed in your browser, if it appears that an advertiser is tracking you across multiple websites without your permission, the add-on automatically prevents that advertiser from being able to load any further content in your web browser. In the eyes of the advertiser, you’ve suddenly and mysteriously disappeared.
Privacy Badger can be installed on Google Chrome, Mozilla Firefox, Opera and Firefox for Android.
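To make the "tracking you across multiple websites" behaviour described above concrete, here is a simplified model of that learning heuristic, written as an added example in Python (the extension itself is JavaScript and this is not its code). It assumes a third-party domain is considered a tracker once it sets cookies while embedded on three or more distinct first-party sites (the threshold and the request sample are assumptions, constructed for illustration), and it adds the DNT header to every outgoing request the way the article says the extension does.

```python
"""Simplified model of a Privacy Badger-style tracker heuristic plus DNT header."""
from collections import defaultdict

TRACKING_THRESHOLD = 3  # assumed: distinct first-party sites before a domain is blocked


def base_domain(host: str) -> str:
    """Crude eTLD+1 (last two labels); real extensions use the Public Suffix List."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:])


class TrackerHeuristic:
    def __init__(self):
        self.seen_on = defaultdict(set)  # tracker base domain -> first-party base domains
        self.blocked = set()

    def observe(self, page_host: str, request_host: str, sets_cookie: bool) -> None:
        """Record one request made while viewing page_host; learn trackers."""
        page, third_party = base_domain(page_host), base_domain(request_host)
        if page == third_party or not sets_cookie:
            return  # first-party requests and cookie-less CDN fetches are not tracking signals
        self.seen_on[third_party].add(page)
        if len(self.seen_on[third_party]) >= TRACKING_THRESHOLD:
            self.blocked.add(third_party)

    def decide(self, page_host: str, request_host: str, headers: dict):
        """Return (allowed, headers): DNT is added to every request, blocked trackers are dropped."""
        hdrs = dict(headers)
        hdrs.setdefault("DNT", "1")
        third_party = base_domain(request_host) != base_domain(page_host)
        if third_party and base_domain(request_host) in self.blocked:
            return False, hdrs
        return True, hdrs


# Constructed browsing session: (page visited, third-party request host, did it set a cookie?)
SAMPLE_REQUESTS = [
    ("news.example", "cdn.ads-tracker.test", True),
    ("shop.example", "pixel.ads-tracker.test", True),
    ("blog.example", "cdn.ads-tracker.test", True),
    ("blog.example", "static.cdn-only.test", False),
]


def run_session(requests=SAMPLE_REQUESTS) -> TrackerHeuristic:
    """Feed the sample session through the heuristic and return its learned state."""
    heuristic = TrackerHeuristic()
    for page, host, cookie in requests:
        heuristic.observe(page, host, cookie)
    return heuristic
```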
While threats to the security and privacy of Linux systems are at an all-time high, Linux users are still safer online than their Windows- and MacOS-using friends. The increasingly popular open-source OS offers inherent security benefits due to the transparency of its source code and its relatively small user base, and a selection of specialized privacy- and security-focused Linux distros are available for users looking to take their digital security and anonymity one step further.
Regardless of the distro they choose, all Linux users can improve their security posture by engaging in good cyber hygiene and implementing the tips and best practices offered in this article. LinuxSecurity Founder Dave Wreski explains, “With the drastic uptick in attacks targeting Linux systems in recent years and the heightened digital threat environment due to COVID-19, now is definitely not the time to slack when it comes to system security and maintenance. The majority of successful attacks on Linux systems cannot be blamed on the OS as a whole, but rather can be attributed to misconfigured servers and poor system administration.”
Have additional questions about securing your system? Leave a comment below and get answers or ideas from a fellow community member or a member of the LinuxSecurity administrative team.