Security Help for Linux System Administrators
by Martin Houston
There are now two mailing lists on the net for discussing the security
of Linux systems: preventing abuse by a system's own users and by outside
hackers. The linux-security list (moderated by Olaf Kirch and Jeff Uphoff)
is for general discussion of Linux-specific security problems, for example
security holes in the Linux NFS implementation. The moderators have asked that security
issues that are generally applicable to Unix systems as a whole not be
discussed as there are more general Usenet conferences that are
The linux-alert mailing list is for the broadcast of alerts about serious
security flaws that have been discovered and need prompt action from
system administrators. You will be relieved to know that traffic on this
list is very light. I would recommend that anyone in charge of a Linux system
to which a large number of users, or the general public over the net, has
access at least subscribes to the linux-alert list and scans the archives of
the busier linux-security list.
How to join the lists
Send mail to Majordomo@linux.nrao.edu with a body of:
subscribe linux-alert (your full email address here)
subscribe linux-security (your full email address here)
To stop receiving mail from the list just repeat the process but say
"unsubscribe" instead of "subscribe".
Availability of list archives
The archives of the Linux-security mailing lists:
are now available via anonymous FTP under:
Also linux-security and linux-alert archives are now available at sonic.net.
A few points to ponder
The availability of all source means that, with a vigilant and
professional system administrator, Linux can be used for very secure systems.
Having source means that security fixes can be circulated and applied
quickly to plug any holes that could allow people to break into systems.
Common sense rules apply if you are looking after a Linux system used by others:
Use good passwords that are easy to remember but hard to guess. One way
is a mnemonic of a phrase with some numbers and special characters. For
example "A very hard to guess password" would be "avh2gpw!".
Look after physical security of the central machine. All your fancy
measures will come to nothing if somebody walks up with a Linux boot disk
and is able to mount your hard disk from it as root.
Never try software of dubious origin as root on a critical system. Linux
and Linux-capable computers are so cheap that you should have a test system
to try new software out on first. A safe(ish) rule is to stick to programs
off a distribution CD rather than from the net but apply any patches that
are known about from the security archives.
Be careful about whom you trust, in the sense of which machines you permit
to have user equivalence with you. This is important as your security
arrangements are only as good as the weakest of the other systems that
you trust. There is a new security tool called SATAN that, among other things,
warns where trust relationships may be dangerous.
Don't be too paranoid. So far the Linux world is remarkably free from the
mindless vandalism of viruses and destructive hacking. Maybe this is a
natural consequence of the sharing nature. Sharing equals trust, That trust