Protect Your Computer - Linux Security

This material is based on a presentation given by Brian Edmonds of UBC's Computer Science Department, who has graciously allowed us to use it here.

Disable Unused Services

Most Linux distributions come with more daemons enabled than most people need. Edit /etc/inetd.conf and comment out those services you don't need - imapd, talkd, popd, rusersd, shell, login, netstat, systat should all be disabled. You should also disable ftpd and telnetd and replace them with secure services such as sshd and scp if you need to provide remote access services. When you have edited inetd.conf, save the file and use kill -HUP <pid> (where <pid> is inetd's process id) to have inetd reread the configuration.

Next, use 'ps aux' to find daemons such as sendmail, named or nfsd which normally run outside of inetd. Unless you absolutely need to provide SMTP, DNS or NFS services, it is a good idea to disable these daemons. As root, use kill <pid> to kill these daemons and edit your system's rc/init scripts to prevent them from being restarted when your computer next reboots.

Also check whether you are running any unnecessary RPC services - the command rpcinfo -p will give you a list of what RPC services are running. In general, if you don't know what a service does or if you don't need it, disable it. If the only RPC service running is portmapper, disable the portmap daemon.

Finally, run 'netstat -a | fgrep LISTEN' and look for unusual ports. Unless you're very familiar with Unix, you may have trouble figuring out which daemon is using which port. The tool lsof may be handy if this is the case.
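The inetd.conf editing and the listener check described above, as an added example that is not part of the original page: it comments out a list of services in an inetd.conf-style file and reports any TCP listener (from saved 'netstat -a' output) that is not on an expected list. Both functions run on constructed sample files, so nothing here touches the real /etc/inetd.conf.

```shell
#!/bin/sh
# Added example (not from the original page); runs on constructed samples, never the real /etc/inetd.conf.
set -eu
# disable_inetd_services <file> <service>...: print <file> with each listed service's
# line commented out. Blank lines and existing comments pass through, so it is idempotent.
disable_inetd_services() {
    conf=$1; shift
    awk -v list="$*" '
        BEGIN { n = split(list, a, " "); for (i = 1; i <= n; i++) off[a[i]] = 1 }
        /^[[:space:]]*#/ || NF == 0 { print; next }   # comment or blank line
        ($1 in off)                 { print "#" $0; next }   # disable this service
                                    { print }
    ' "$conf"
}
# unexpected_listeners <saved "netstat -a" output> <allowed-service>...: print the port or
# service name of every TCP listener not on the allowed list (candidates to check with lsof).
unexpected_listeners() {
    out=$1; shift
    awk -v list="$*" '
        BEGIN { n = split(list, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $1 ~ /^tcp/ && $6 == "LISTEN" { sub(/.*[:.]/, "", $4); if (!($4 in ok)) print $4 }
    ' "$out" | sort -u
}
# Constructed sample inputs (not real system output).
tmp=$(mktemp -d); trap 'rm -rf "$tmp"' EXIT
SAMPLE_CONF=$tmp/inetd.conf; SAMPLE_NETSTAT=$tmp/netstat.txt
cat >"$SAMPLE_CONF" <<'EOF'
# sample inetd.conf
ftp     stream  tcp     nowait  root    /usr/sbin/tcpd  in.ftpd -l -a
telnet  stream  tcp     nowait  root    /usr/sbin/tcpd  in.telnetd
#shell  stream  tcp     nowait  root    /usr/sbin/tcpd  in.rshd
login   stream  tcp     nowait  root    /usr/sbin/tcpd  in.rlogind
pop-3   stream  tcp     nowait  root    /usr/sbin/tcpd  ipop3d
EOF
cat >"$SAMPLE_NETSTAT" <<'EOF'
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 *:ssh                   *:*                     LISTEN
tcp        0      0 *:telnet                *:*                     LISTEN
tcp        0      0 localhost:smtp          *:*                     LISTEN
tcp        0      0 *:sunrpc                *:*                     LISTEN
tcp        0    120 host.example:ssh        client.example:1027     ESTABLISHED
EOF
echo "== inetd.conf with telnet, login, pop-3 and shell disabled =="
disable_inetd_services "$SAMPLE_CONF" telnet login pop-3 shell
echo "== TCP listeners other than ssh and smtp =="
unexpected_listeners "$SAMPLE_NETSTAT" ssh smtp
```

On a real system, redirect the first function's output to a new file, review it, then copy it over /etc/inetd.conf and send inetd the HUP signal as described above.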

If you do plan on running HTTP/FTP/telnet services, make sure you keep the daemons updated. Learn how your vendor provides software updates! Many packages have security problems which are only discovered after release, and Linux vendors will release new versions to fix these.

Use Secure Authentication

Most authentication protocols in use today (telnet, ftp, POP, rlogin, etc.) transmit usernames and passwords across the network over clear, unencrypted channels. This means that an attacker could obtain your username and password by "sniffing" the network. On ResNet, this concern is somewhat lessened because the ResNet network is (theoretically) immune to sniffing, but there is a risk that if you connect to a compromised computer, your password for that computer could be captured. So, in general, it is a good idea to use secure authentication wherever possible.

The Netinfo and Interchange hosts support SSH, which is used for secure, encrypted logins. Other departments may also use SSH, though you may have to contact the departmental system administrator to find out for sure.

There are currently two versions of the SSH protocol available - SSH1 and SSH2. The original SSH protocol (SSH1) is more widely supported, especially on-campus, though you may need to download both versions.

Once you have downloaded the source, unpack, compile and install it using the following commands:

tar -xzf ssh-x.x.xx.tar.gz (where x.x.xx is the version you are using)
cd ssh-x.x.xx
sh configure
make
make install (as root)

You may also wish to install SSH version 2 after version 1.

Check the ssh man page (man ssh) for more information on using SSH.

The scp command allows you to copy files like rcp. You should use this instead of FTP, where your username and password can be intercepted.

SSH can also be used to set up a secure POP tunnel for checking mail. Normally, POP (the protocol used when checking mail) transmits username and password information in cleartext - SSH allows you to redirect your POP connection through a secure, encrypted tunnel.

Packet Filtering

Packet filtering allows you to control what packets reach your machine from the network, thus ensuring remote users can use only those services you intend to offer. It can also help prevent attackers from determining what services are running on your machine via portscans, etc.

Note that packet filtering requires a solid understanding of TCP/IP and Unix services.

For Linux 2.0.x, packet filtering is configured using the ipfwadm tool. For Linux 2.2.x, use ipchains. For more information see X/OS IP Firewall Administration.

Page last updated on April 7, 2025