
The Big Ol' Ubuntu Security Resource

If you've recently switched from Windows to the Linux distribution Ubuntu, you've probably experienced a decrease in spyware -- and malware in general -- on your system. But although Ubuntu is billed as the ultra-secure solution, you should know that Ubuntu's default install has its flaws, like every other operating system. To combat these weaknesses, IT Security has prepared a guide to help you close your system's backdoors and protect you from some of the common Ubuntu exploits. Look at this big ol' Ubuntu security resource as an introductory guide to securing Ubuntu, along with a list of the software you'll need to stay protected.

Getting Started

Surprisingly, many new Ubuntu users fail to take the most basic steps toward securing their install, even when they know better. Thankfully, the list of critical changes isn't long. Making modifications may not excite you as much as, say, adding a whole new security program, but these simple changes will go a long way to closing up Ubuntu's security weaknesses.

Modifying Default Settings

The first set of basic critical changes requires you to modify three insecure default system settings:

Reconfiguring shared memory

Load your favorite text editor, open the file "/etc/fstab" and add the following line:

    tmpfs /dev/shm tmpfs defaults,ro 0 0

Disabling SSH root login

Load your favorite text editor, open the file "/etc/ssh/sshd_config" and change the following line:

    PermitRootLogin yes

to

    PermitRootLogin no

Limiting access to the "su" program

Open the terminal by clicking "Applications", selecting "Accessories" and choosing "Terminal." From there enter the commands:

    sudo chown root:admin /bin/su
    sudo chmod 04750 /bin/su
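A read-only way to confirm that the three changes above are in place, given here as an added example that is not part of the original guide. The function names and the optional root-prefix argument are assumptions made for illustration; the script only reads /etc/fstab, /proc/mounts, /etc/ssh/sshd_config and /bin/su and changes nothing.

```shell
#!/bin/sh
# Added example: audit of the three default-setting changes described above.
# Nothing is modified. All function names are illustrative.

# Print the mount options of the /dev/shm entry in an fstab-format file.
# /proc/mounts uses the same column layout, so it works there as well.
shm_options() {
    [ -r "$1" ] || { echo "missing"; return 0; }
    awk '$1 !~ /^#/ && $2 == "/dev/shm" { print $4; found = 1; exit }
         END { if (!found) print "unset" }' "$1"
}

# Succeed if the comma-separated option list $1 contains the option $2.
has_option() {
    case ",$1," in
        *",$2,"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Print the global PermitRootLogin value from an sshd_config file.
# sshd keeps the first value it reads for a keyword, keywords are
# case-insensitive, and anything after a Match line is conditional,
# so the scan stops there. Include directives are not followed.
permit_root_login() {
    [ -r "$1" ] || { echo "missing"; return 0; }
    awk '
        { sub(/^[ \t]+/, "") }
        /^#/ || /^$/ { next }
        { sub(/[ \t]*=[ \t]*/, " ") }   # accept the "Keyword=value" form
        tolower($1) == "match" { exit }
        tolower($1) == "permitrootlogin" { print tolower($2); found = 1; exit }
        END { if (!found) print "unset" }
    ' "$1"
}

# Succeed if the file is setuid and grants nothing to "other", i.e. a
# mode such as 4750. Uses GNU stat, as shipped on Ubuntu. Owner and
# group are printed by audit() for manual comparison with root:admin.
su_restricted() {
    mode=$(stat -c %a "$1" 2>/dev/null) || return 2
    case "$mode" in
        [4567]??0) return 0 ;;
        *) return 1 ;;
    esac
}

# Print one line per setting. $1 is an optional root prefix (empty for
# the live system) so the checks can be pointed at a copy of the files.
audit() {
    root=${1:-}

    opts=$(shm_options "$root/etc/fstab")
    if has_option "$opts" ro; then s=OK; else s=CHECK; fi
    printf '%-6s /dev/shm options in fstab: %s\n' "$s" "$opts"
    printf '%-6s /dev/shm options currently mounted: %s\n' INFO \
        "$(shm_options "$root/proc/mounts")"

    prl=$(permit_root_login "$root/etc/ssh/sshd_config")
    if [ "$prl" = no ]; then s=OK; else s=CHECK; fi
    printf '%-6s PermitRootLogin: %s\n' "$s" "$prl"

    if su_restricted "$root/bin/su"; then s=OK; else s=CHECK; fi
    printf '%-6s /bin/su mode and owner: %s\n' "$s" \
        "$(stat -c '%a %U:%G' "$root/bin/su" 2>/dev/null || echo missing)"
    return 0
}

audit "${1:-}"
```

Run it with no argument to inspect the live system. The mounted options are printed separately because an fstab entry only takes effect after a remount or reboot.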

Enabling Automatic Security Updates

Having made the three most critical default system settings changes, you have better ensured that your Ubuntu install will start out relatively secure. But keeping it that way means being vigilant about updating your system. Because so many of us forget to update regularly, enabling automatic security updates is one surefire way to make sure it gets done.

To enable automatic security updates, click on "System", select "Administration" and choose the "Software Sources" menu. From there select the "Internet Updates" tab and enable
Securing Ubuntu Linux Page 1 of 24

"Check for updates automatically" (specify "Daily"). Now every time Ubuntu issues a new security release you will be notified via the "Update Manager" icon in the system tray. From there it's up to you to click the icon and allow the Update Manager to download and install the files.

Securing the Home directory

The final critical change we recommend is that you protect your personal documents by securing your home directory. The easiest way to do this is by clicking "Applications", selecting "Accessories" and choosing "Terminal." From there enter the command:

    chmod 0700 /home/username

(replace username with the name you use to log in to your computer).

Now that you've successfully made these basic system setting modifications, you're ready to move on and start installing software that protects your system from being compromised.

Essential Security Installs

Unlike the Windows operating system, the Ubuntu Linux distribution is not ultra vulnerable to widespread virus and spyware infections, therefore the style of security used to protect one's machine is slightly different than that of a typical Windows machine. Instead of spending hundreds of dollars on sophisticated firewalls, spyware blockers and intrusion detection and prevention systems, Ubuntu users simply have to install several free programs that protect the kernel from exploits, prevent the execution of malicious code and keep programs and users from accessing areas of the computer outside of their designated access level.

Important Software

To keep your computer secure, install the following software:

grsecurity - A complete security suite for protecting Linux's kernel.
PaX - The most critical piece of grsecurity, prevents memory exploits. (Comes standard with grsecurity, you only need to install this if you have no intention of installing grsecurity.)
Pro Police - IBM's solution for protecting against stack smash attacks.
DigSig - Verifies the integrity of executables via user-defined digital signatures before running them. If a program is modified without your consent the digital signature changes and DigSig denies the program the ability to run.

Bootup Security

An often overlooked yet highly vulnerable area of computing is protection for machines while they're booting up. While simply keeping unauthorized users from having access to your computer is the best policy, sometimes that isn't possible. Thus this guide, over at the UbuntuForums, gives detailed instructions for protecting your computer while it's booting up. The steps involved in this security measure are a bit more complex than the skillset of the average user, and it requires a small amount of scripting, so we recommend that you only


attempt to perform this security measure if you're really comfortable with Ubuntu, and Linux in general.

Second Level Security Software Installs

Congratulations, by this point you have completed the mandatory steps for a baseline securing of your Ubuntu install. You can now feel reasonably comfortable in the security of your install, but there are certainly still some lingering vulnerabilities. At this point it's up to you whether you want to take your system's security to the next level by integrating a few more applications of your choice.

Rootkit Protection

Ahh yes, rootkit, the ultimate swear word to a Linux user. Although this guide is designed to prevent attackers from installing rootkits and backdoors onto your machine in the first place, breakdowns can occasionally happen. Thus it's a good idea to regularly scan for rootkits using the following software to make sure that your computer hasn't been compromised.

chkrootkit - Scans your computer for rootkits, worms and LKM trojans.
Rootkit Hunter - Excellent tool for detecting rootkits.

Antivirus

I know what you're thinking, antivirus?...This is Linux! However true that may be, it is still important to provide protection for all inbound and outbound files you might be transmitting in order to protect the less than fortunate Windows computers you might come in contact with.

Clam AntiVirus - One of the most popular UNIX based antivirus solutions. Works well with email gateways.
AVG Anti-Virus - Free version of a popular commercial virus scanner.
BitDefender - On demand command line/shell script scanner.
Panda Antivirus - Uses sophisticated software to remove viruses from workstations connected to a Linux server.

Firewall

Installing and configuring an efficient firewall is a great way to keep attackers out. The stricter your rule-set and security policies are, the less likely it is that an attacker will find a way to exploit your system.

Firestarter - Versatile user friendly firewall.
SmoothWall - Highly configurable and extremely powerful network firewall solution.
HardWall Firewall - Iptables based packet filterer.
Firewall Builder - Generates rule sets for popular firewalls including iptables, ipfilter and pf.
BullDog - Very restrictive iptables based firewall. Recommended for advanced users only.


Network Tools

These tools are essential for monitoring and securing your network.

Nagios - Complete network monitoring suite.
Network Mapper - Uses IP packets to scan the network and determine various security information on the available hosts and network nodes.
Wireshark - Comprehensive tool for monitoring and analyzing network protocols.
Nessus - The definitive solution for scanning networks for vulnerabilities.
EtherApe - Graphical network monitoring suite.
tcpdump - Simple yet powerful tool for network monitoring.
tcptrace - Analyzes tcpdump output.

Miscellaneous

In addition to the above resources, here are a few other programs we recommend for getting the most out of your computing experience.

Snort - The leading open source solution for intrusion prevention and detection.
OpenSSH - Allows you to securely transfer data to remote hosts.
OpenVPN - Secure virtual private network.
strongSwan - IPsec based virtual private network.
Kismet - Wireless network detector, sniffer and intrusion detection system.
GNU Privacy Guard - A superb command line encryption and digital signature tool.
TrueCrypt - Allows you to create virtual encrypted disks.
Thunderbird - Mozilla's secure email client.

One Last Note

Remember your computer (and network for that matter) can only be as secure as the users allow it to be. Failing to use strong passwords, falling victim to social engineering scams, installing software without first verifying its integrity and overusing the root account are all common ways to have your network compromised. To have a truly safe system, you must be committed to having a secure mindset and you must lay out strict guidelines for the people using your computer and/or network. Otherwise one of them might misplace a password one day, and your entire client database or purchasing records will be stolen the next.

Sources

For more information on securing Ubuntu, check out the sources we used when writing this article.
Security Guides Proactive Security Installing Security Tools Security on Ubuntu Locking Down Ubuntu Security Analysis Tools


Security on Ubuntu
Disclaimer

I am not a security expert at all. This is written strictly from the standpoint of an end-user who has had spyware and adware in Windows and who has read other users' advice (those users may or may not be security experts) about security practices in general. This is not intended to be a comprehensive guide to what will absolutely provide you the best security or what theoretical ways your security can be breached. The point of this document is to explain some basic, practical measures you can take to be relatively secure. This is targeted at home desktop users. I know very little about that, but I know nothing about securing servers. Many of these principles can be applied to other Linux distributions as well, but the content is focused mainly on Ubuntu.

What are some security best practices?

I would suggest these at the very least (there are some measures you can take to go beyond this, but this is a good start):

Don't change any default settings with regard to networking unless you know what you're doing. If you decide to allow remote logins, for example, expect that people (people with malicious intent) will try to log in remotely and take control of your computer.

Use strong passwords for all users. Strong passwords tend to be longer than six characters and a mix of numbers, letters (both upper- and lower-case), and symbols. Strong passwords do not contain birthdates, addresses, or words in the dictionary.

Don't install software from untrusted sources. Don't just download any .deb you come across through an internet search, unless you know it can be trusted. Generally, it's a good idea to stick to software you can install through Ubuntu's online repositories. If you want to know how to install software, read this guide. It used to be the case just a couple of years ago that a malicious .deb was unheard of. They still are not common, but they definitely exist. So install software only from trusted sources. Use your common sense. Ask other Ubuntu users if you have any questions about the reputation of a source. Wait for multiple confirmations.

Use the NoScript extension in Firefox. Of course, if you don't have Firefox, you may be able to achieve a similar functionality in your preferred browser, but the general idea is the same -- a way to block JavaScript, Java, and Flash on all websites except those you explicitly approve. Most of Firefox's exploits are JavaScript-based. They tend to get patched pretty quickly, but why wait even the one day to a week it takes for a patch to come out?

Back up regularly. This goes for your important personal files and your system files (you can make an image of your entire installation if you want).

Don't be dumb. That's right. You can have your firewall all set up and encryption, etc., but if you're dumb, the battle is lost. A lot of security breaches come through social engineering. Don't give your password away.
Don't click on links in emails. Don't open attachments from people you don't know. Don't be dumb.

So, do I need a firewall, anti-virus, anti-spyware tools?

By default, Ubuntu ships with no open ports on public interfaces. In other words, a "port scan" would show all closed ports, nothing open. As a result, putting up a firewall would provide no more security than not putting one up. Remember that open ports provide services that hackers can connect to, and only if they can connect to these services can they be potentially abused and exploited. A firewall, however, adds the benefit of peace-of-mind from accidentally installing a server program that opens up a port by default. Also, it satisfies curiosity by logging potential "hits."

Linux comes with a very strong, secure, and powerful firewall called iptables, but it is relatively difficult to use from a new user's standpoint. As a result, there are many graphical tools that give you a simple user interface for configuring iptables, such as Firestarter for GNOME or Guarddog for KDE. There are many more in the repository, too. Remember these all use iptables in the background, so find your favorite interface -- they all offer the same great protection.

[These last two paragraphs contributed by jdong from the Ubuntu Forums. Thanks, jdong!]

Conventional wisdom in the Linux community says that there are either no or very few Linux viruses out in "the wild," and that most are just proof-of-concept theoretical viruses. Some people recommend installing a virus scanner like ClamAV in order to protect your Windows-using friends from Windows viruses you might accidentally send them. I don't really see how that's an issue, though. If you have an attachment you created in Linux, why would it have a Windows virus in it? If your computer has been compromised in such a way that you don't have control over what you send other people, then you have a lot more to worry about than spreading viruses to your Windows-using friends! I've never heard of any self-propagating viruses in Linux... ever.
Still, if you're superparanoid, stick to software in the repositories. And if you don't trust even the software in the repositories, why are you installing Ubuntu at all? The operating system and the software are packaged by the same people.

Some real dangers out there are rootkits and cracking. It doesn't happen often that a Ubuntu user gets a rootkit installed or has her computer cracked, but both have happened, and I've seen threads about them in the Ubuntu Forums. There are rootkit detectors in the repositories -- rkhunter and chkrootkit, for example. I'm not sure what to do about cracking except some of the advice I gave before -- stick with the default network settings unless you know what you're doing, and use strong passwords.

Is Ubuntu's security model stronger than Windows'?

Right now, as of Windows XP (and in Windows Vista and 7, though it has UAC, which is a little better, though many Windows users disable the UAC prompts), Windows defaults to the first user being the computer administrator, so the user is able to accidentally (or, God forbid, through accidental approval/installation of a malicious program) modify systemwide settings.


Windows XP allows you to make it more secure by creating limited user accounts and using the Run As... option to run only particular tasks or programs as administrator (similar to the su feature in most Linux distributions). Run As... is crippled in its implementation, though. If you use Run As... to install Windows Updates, the updates do not install properly. Also, you have to find the particular launcher files (extension of *.cpl) for Control Panel applications in order to use the Run As... option on them. The way to run Explorer (the file browser) as administrator from within a limited user account isn't simple.

Unfortunately, in addition to Run As... being crippled, many third-party (not Microsoft) software companies design their applications to be run as administrator (since that is the Windows default, which is Microsoft's fault). Here is the Hall of Shame for programs that need to be run as administrator in Windows in order to function properly.

This has improved greatly in Windows 7. Even though it is not the default setup in Windows, you can use a limited user account as your main account, and you will automatically be prompted for an administrator account password authentication if you try to install software or do any other action that requires modifying system folders. Contrary to what some Linux advocates keep repeating, it is not that difficult to secure Windows. I've outlined here the steps to do that.

Ubuntu's default user operates as a limited user most of the time but has the ability (since she belongs to the admin group) to temporarily assume administrator (also known as root) privileges for particular tasks, and this setup is not only the default setup, but it is also fully functional.

So running as a limited user takes care of everything?

Not exactly. This is a common argument made by Linux users, that if you run as administrator, your whole system can be borked, but if you run as a limited user, only your personal files can be damaged.
While that's somewhat true, personal files are usually more important to a user than system files. After all, I can reinstall Ubuntu in half an hour and have it running again the way I want it to within two hours. If I lost all my personal files, it would take me months to recreate a lot of them, and some I would not be able to recreate at all. This is why it's really important to back up whatever files are important to you.

Isn't using sudo essentially the same as running as root?

This is a common misconception about sudo among Linux-using non-Ubuntu users. When you run as root, anything you do has system-wide privileges. You can do anything. You have free rein over your entire system. This would be akin to walking around with everything you own, including all your money in cash on your person.

When you run as an admin in Ubuntu, you're almost always a limited user. If you preface a terminal command with the word sudo or preface a graphical command with gksudo or

kdesu, you allow yourself (and only with password authentication) to temporarily assume root privileges for that one task. This would be like having your belongings in a safe with a combination lock or keeping all your money in a bank, where you can access your account through an ATM card and PIN code.

There is a fifteen-minute "timeout" for sudo. If you launch one command with sudo, you'll be prompted for a password, and within the same shell, you won't be prompted again for other sudo commands for the next fifteen minutes. If you want, you can change the sudo timeout to something lower so that you'll always be prompted for a password on every sudo command.

So anybody can assume root privileges with a password?

No. Only users in the admin group. The first user created during the Ubuntu installation will belong to the admin group. Any other users would have to be added to that group manually by the first user or another user in the admin group.

This whole sudo business makes no sense and isn't user-friendly

You're entitled to your opinion, of course, but many people consider Mac OS X to be one of the most user-friendly operating systems around, and it uses sudo.

Where can I read more about sudo?

http://help.ubuntu.com/community/RootSudo

Recovery mode makes me root user. Isn't that a security risk?

Well, if you have several people using your computer, you can put small obstacles in their way by setting a root password, setting a Grub password, or setting a BIOS password. Still, anyone who has physical access to your computer and a little know-how practically has root access anyway. She can boot a live CD and mount your partition or even just physically remove the hard drive from your computer and put it in another computer. There's a certain amount of trust you automatically give anyone by allowing her to sit at your computer.

Is there any way to be 100% sure my computer will never be cracked into?
If you follow the instructions at the top of this page, you probably will not have your computer cracked. When you're connected to the internet, though, you are always vulnerable to security breaches of some kind. The only thing you can do is try to reduce your vulnerability. And I've read from a few security experts on the Ubuntu Forums that if someone is really determined to crack into your computer and capable, she pretty much will eventually -- it's just a matter of time. The more obstacles you can put in the way of that happening, the more time it will take. Of course, disallowing remote logins is a big help.

What's the most important part of OS security?

The user. It's always the user. I'd rather have a smart user running as administrator on a Windows computer with no firewall, no anti-virus, and no anti-spyware than a dumb user running as limited user on a Ubuntu computer with a firewall, anti-virus, and a rootkit

detector. Dumb users click on anything, somehow manage to install untrustworthy software even without administrative privileges, and use easy-to-guess passwords.

As an illustration, take a look at this excerpt from the Seinfeld episode "The Robbery," in which Jerry buys a secure "operating system," and Kramer plays the "dumb user."

ELAINE: [from the bathroom] JERRY! [enters the living-room] Jerry, oh, hi, welcome back. How were the shows?
JERRY: Great, I had fun, where's the TV, where's the VCR. [Elaine looks guilty] What?
ELAINE: They were stolen.
JERRY: Stolen? When?
ELAINE: A couple a hours ago, the police are coming right over.
JERRY: Stolen?
ELAINE: [Kramer enters the apartment] Someone left the door open. [it's clear that she means Kramer; she walks to the bathroom]
JERRY: [to Kramer] You left the door open?!
KRAMER: Uh, Jer, well ya know, I was cookin' and I, I uh, I came in to get this spatula...and I left the door open, 'cause I was gonna bring the spatula right back!
JERRY: Wait, you left the lock open or the door open?
KRAMER: [bobs his head guiltily] The door.
JERRY: The door? You left the door open?
KRAMER: Yeah, well, I was gonna bring the spatula right back.
JERRY: Yeah, and?
KRAMER: Well, I got caught up... watching a soap opera...[with a broken voice] The Bold and the Beautiful
JERRY: So the door was wide open?
KRAMER: Wide open!
JERRY: [Elaine enters the living-room] And where were you?
ELAINE: I was at Bloomingdale's...waiting for the shower to heat up.


KRAMER: Look, Jerry, I'm sorry, I'm uh, you have insurance, right buddy?
JERRY: No.
KRAMER: [looks shocked] How can you not have insurance?
JERRY: Because...I spent my money on the Clapgo D. 29, it's the most impenetrable lock on the market today...it has only one design flaw: the door...[shuts the door] must be CLOSED.

Text transcription from SeinfeldScripts.com


The 6 Best Ways to Secure Windows


July 29th, 2009

Introduction
Step 1. Install Windows updates automatically
Step 2. Make your primary account a limited user account
Step 3. Use Firefox with the NoScript extension
Step 4. Read up on social engineering and how to avoid being the victim of it
Step 5. Do not pirate software, music, or movies
Step 6. Avoid all antivirus or security suite software

Introduction

Out of the top three consumer-oriented software platforms (Windows, Mac OS X, various Linux distributions), Windows is my least favorite operating system, but I'm no Windows hater. A lot of times I hear Mac and Linux users saying they switched because they were tired of viruses and malware in Windows. While it's true that Mac OS X and most Linux distros make it easy to keep your operating system secure with their default settings, you can make Windows just as secure, and that's what this six-step guide is for. If you follow these instructions carefully, you should pretty much never get malware (spyware, adware, viruses, trojans, rogue viruses, worms) in Windows.

The screenshots use Windows 7, but the same principles apply to Windows Vista and Windows XP as well. The steps may just be slightly different (especially for Windows XP). If you're still using Windows 98, pay for an upgrade to Windows 7; or if you're too cheap for that, just switch to Linux. There's almost nothing Windows 98 can do that Linux can't, and Windows 98 no longer receives security updates (it also has no limited user accounts). You can click on the screenshot thumbnails if you want to see larger versions.

Step 1. Install Windows updates automatically

In early 2009, there was a lot of paranoia about the Conficker worm, which was supposedly going to do scary things and which had already infected 10 million computers. Which users had to worry about Conficker? The Windows users who did not install Windows updates. A full month before that iteration of Conficker became active, Microsoft had already released a patch for the flaw Conficker exploited.

Windows Updates can be just annoying prompts to install a new version of Windows Genuine Advantage. More often than not, though, they are actual security updates that patch flaws and security holes in the Windows operating system. It is a good idea to set these updates to install regularly.

Go to the Start Menu > Control Panel > System and Security

Then under Windows Update, select Turn automatic updating on or off

Make sure updates are set to install automatically. Then click OK.


Step 2. Make your primary account a limited user account

Have you ever had your Windows installation infected so thoroughly (registry, dlls, startup programs, other system files) that it was apparent it would take less time to reinstall Windows than it would to try to clean out all the malware that destroyed Windows? Are you kicking yourself because the infection came through one or two clicks of the mouse? Well, that's because Windows, by default, makes the primary user a full system administrator. In newer versions (Windows Vista and Windows 7), there is something called User Account Control. It's that annoying "Are you sure? Are you sure?" prompt you get that you end up conditioning yourself to always click Yes to.

By using primarily a limited user account, you can feel free to click on what you want and not worry about infecting system files. When you want to finally install software, you can do so by temporarily authenticating as the administrator account. First, we're going to create a new administrator account.

Under System and Security in the Control Panel, select User Accounts and Family Safety and then Add or remove user accounts

This is that annoying User Account Control prompt I was talking about before. Click Yes.


Click Create a new account and then make sure the new account is going to be an Administrator account and click Create Account. With the soon-to-be-regular account called Susan, I'm going to be naming the new administrator account SuperSusan so I know it's a special account I shouldn't be using on a regular basis. And, by the way, even Microsoft recommends you use a standard (or limited) user account. You can click on "Why is a standard account recommended?" for more details about that.

Now click on the newly-created administrator account name and then select Create password

Make sure your password for this new account is significantly complicated. It should contain no dictionary words or personally identifiable information (birthdays, social security

numbers). It should have numbers, lowercase letters, uppercase letters, and punctuation in it, though. So you don't forget your password, go ahead and write it down on a sticky note somewhere near your computer. The greatest threat to your security is an online threat, not another family member. Besides, anyone with physical access to your computer and a little know-how can easily reset your password, anyway. When you're done, click Create password

Log out of your normal user account and log in as the new administrator account. It is not enough to switch users in this case. Make sure you properly log off.

Go to Start Menu > Control Panel > User Accounts and Family Safety > User Accounts


Click on Manage another account

Click Yes and then select your normal user account

Click Change the account type, select Standard user (also known as a limited user), and then click Change Account Type.


Log out of the administrator account and log back into your normal (now standard or limited) user account. You should never have to log in as the administrator directly again.

Step 3. Use Firefox with the NoScript extension

I see a lot of confused Windows users wondering which web browser is the safest. Is it Opera? Is it Chrome? Is it Firefox? Internet Explorer? Safari? The truth is that if you use any modern web browser with its default settings, they're all about the same in terms of safety. They all have pop-up blockers that block 95% of pop-ups. They all have warnings about potential spoofing websites. They all get regular security updates when flaws are discovered, and every browser has flaws. There is no perpetually invincible web browser.

If you use Firefox in combination with the NoScript extension, that's about as secure as you're going to get, though, since NoScript by default blocks JavaScript, Flash, and just about everything else interactive on websites unless you explicitly whitelist specific sites. Think of your computer as an exclusive nightclub. Do you think it's easier to secure your party by having a bouncer outside the club who screens all incoming guests, or by allowing anyone inside the club and then having bouncers inside trying to drag people out? Well, NoScript is your bouncer outside. It'll block everything, and then it's up to you to let trusted websites in on a case-by-case basis.


To install NoScript, in Firefox, go to Tools > Add-ons and then click on Get Add-ons and then Browse All Add-ons

You'll be taken to the Mozilla add-ons website. Search for noscript.


Once you've found it, click on Add to Firefox and then Install Now (after a three-second delay, the button will appear as clickable).

You'll be prompted to restart Firefox to activate the NoScript extension. Go ahead and restart Firefox.


Now your web browser is as secure as possible. Of course, this may seem annoying at first. Convenience and security are always at odds. It may be convenient to have thousands of dollars of cash on you at all times, because it's always easily accessible, but if you get mugged or pickpocketed then all of your money is gone. It's slightly less convenient to keep most of your money in a bank, but it's a lot safer in the bank (and also insured up to a certain amount, in case the bank gets robbed). For the first two weeks you use NoScript, it may seem pointless. It may seem as if you're just whitelisting every single site you visit. Don't give up. After a while, you'll realize you've whitelisted just about every site you do visit regularly, and then you can spend a lot less time whitelisting (or keeping blacklisted) potentially shady websites you stumble upon on a less regular basis.

Step 4. Read up on social engineering and how to avoid being the victim of it

Have you ever heard the term "trojan virus", gotten scared, and thought "I hope I never get one of those"? Well, the good news is that you don't ever have to get a trojan. Trojans don't just happen. You choose to install them yourself. Trojans are increasingly becoming the most popular kind of malware, and they can thrive on any operating system (Windows, Mac, Linux), because they exploit a security flaw the operating systems cannot patch: the user. That's you. You are potentially the biggest security hole for your computing experience.

Trojans and phishing scams rely on something called social engineering, which is just a fancy term for tricking someone into lowering their guard. It can be someone calling up and pretending to be your IT support department in order to get your password. It can be someone pretending to be your bank to get your private personal information. It can be a pop-up window pretending to be an antivirus scanner that's found malware on your computer (and if you pay the scammers $50, they'll remove the non-existent malware for you or actually install real malware now that you've been tricked into installing it).


You wouldn't hand your car keys over to a fake valet. Don't hand over the keys to your computer to a fake anything (fake pirated commercial program, fake warning about malware, fake credit card company request for information verification).

Do yourself a favor. The absolute most important step to take in securing your computer is making yourself an educated user. Google the term "social engineering" and read the first ten results of that search thoroughly.

Step 5. Do not pirate software, music, or movies

I'm not saying that if you pirate software, music, and movies you will definitely contract malware, but by not pirating all that stuff, you significantly lower your chances of installing a trojan or some other kind of malware. If you're hard up for cash, the best way to look for trustworthy free stuff is to look for open source stuff. The website Open Source Windows has lots of great free (and malware-free) software. No pop-ups. No trial periods. No scams. No activation keys. No exorbitant costs. You can also find some more-obscure open source projects at SourceForge.


Here's an example of installing an open source instant messaging client.

Note that for the script that automatically starts downloading the file (without manually clicking the download link), you'll have to whitelist the site from the NoScript icon. You'll also have to do this the first time you watch a video at YouTube or Hulu or the first time you try to book airline tickets on a site like Expedia or Priceline.


Once you've saved the file to your downloads folder, in order to install it, now that you're a standard (or limited) user, you'll have to right-click the file and select Run as administrator.

You'll then be prompted for the super-user or administrator's password you set earlier. Enter that and you can continue.

In addition to open source software, there are also writings, pictures, and music released under freer-than-traditional-copyright licenses. You can find more information about this at Creative Commons.


There's also free (and legal) music at Jamendo. Really, though, if you need commercial music, Amazon's MP3 store has reasonable prices, and even several hundred free sample tracks.

Step 6. Avoid all antivirus or security suite software

Although this doesn't directly make your Windows installation more secure, it is a good idea for several reasons:

If you already have solid security in place, pretend security (Norton, McAfee, AVG, Avast, MalwareBytes, Kaspersky, etc.) just takes up extra hard drive space and sometimes extra system resources. This means you have less storage space for your actual files (music, movies, documents, pictures). It can also mean your computer doesn't run as fast as it would otherwise.

So-called antivirus and antispyware programs encourage complacency. Rather than being proactive about security by locking down the system and educating the user on how to avoid social engineering-based attacks, these placebos make people think they're protected while wasting space, resources, and possibly money. If you constantly rely on these security suites to protect you, you're more likely to fall for rogue viruses pretending to be antivirus scans.

There are two ways antimalware tries to protect you: by keeping a list of known offenders and comparing files to that known list, and by trying to guess what might be an offending file or application. The list of known offenders can never keep up with actual new offenders. And guesses lead to a lot of false positives, making users unnecessarily paranoid (about tracking cookies, for example).

Of course there are always folks who will say "But I want to just run it just in case." In this case, there is no "just in case." If you follow all five of the previous steps carefully, antivirus will do nothing to protect you. And if you refuse to follow all five of the previous steps carefully, antivirus will also do nothing to protect you. It would be like a soldier suiting up with heavy armor and kevlar and then adding a razor-thin layer of tissue to the top as "just in case" protection against bullets. If you have armor and kevlar, that's the best protection you have against bullets. The tissue won't be offering additional protection. And if you don't have the armor and kevlar, again the tissue won't offer additional protection. The armor and kevlar in this analogy are the first five steps in this tutorial. The tissue is antivirus software, security suites, and all that other garbage that offers you no protection.

Hopefully you've found this tutorial helpful. As you can see, security woes are no reason to switch away from Windows. If you have a genuine interest in exploring Mac OS X or Linux, though, I think you'll find them both rewarding computing experiences in their own respective ways.
