Safe surfing in Ubuntu. The most secure Linux distributions


There is a common belief that Linux has weak security because it is freely distributed and created by a huge team scattered around the world. Is it really?

Linux is a freely available Unix-like kernel written by Linus Torvalds (1991, Finland) with the help of a large number of volunteers from across the Internet. Linux has all the features of a modern Unix system, including true multitasking, advanced memory management, and networking. Most of the basic system components of Linux were inherited from the GNU project, the goal of which is to create a free microkernel operating system (OS) with a Unix face.

The Linux OS was created by a chaotic team of Unix experts, hackers and the occasional even more suspicious person. Although the system unwittingly reflects this heavy legacy, and although the process of creating Linux looked like a disorganized volunteer effort, the system turned out to be surprisingly powerful, reliable, fast, and also free.

Today there are many different Linux releases and distributions, which can be divided into general-purpose and specialized distributions (for example, Linux Router, a stripped-down Linux release for building a cheap router from an old PC). In this article, the phrase "Linux OS" refers to general-purpose Linux distributions.

Most of the Linux kernel is written in C, making the system quite easily portable to different hardware architectures. Today the official Linux kernel runs on the Intel platform (since the i386), Digital Alpha (64-bit), Motorola 68k, MIPS, PowerPC, Sparc, Sparc64 and StrongARM. The Linux kernel is capable of running on multiprocessor SMP systems, ensuring efficient use of all processors. Linux developers try to comply with the POSIX and Open Group standards, thereby ensuring software portability with other Unix platforms.

The range of applications for Linux is very wide: from creating special effects for James Cameron's film "Titanic" to Intel's creation of Internet terminals based on this particular OS in the near future. Of course, one of the reasons for the enormous popularity of Linux is that it is free, which certainly reduces the cost of the products for which it is used. But that's not all. The main reason for its popularity is that it is a truly powerful and reliable, multi-user and multi-tasking OS.

There is a common belief that Linux has weak security. But this is fundamentally wrong. Linux is the brainchild of the global Internet and that is why security has always been given great attention during its development. It is no coincidence that in matters of security, Linux has always compared favorably with many modern operating systems, including many commercial versions of Unix.

Currently, there are two main approaches used to ensure OS security: either a protective screen (firewall) is "bolted on" to a weakly protected OS to strengthen it, or the firewall, along with dozens of other protection means, is integrated at the system kernel level.

The first approach is used by Microsoft and this is confirmed by analysis of the latest versions of Windows NT. Linux developers chose the second approach (the firewall code is built directly into the Linux kernel, starting with version 2.0). The result is a powerful integrated protection system. This article is devoted to a brief introduction to this system.

When creating a security system for any OS, you need to clearly understand that it is impossible to implement a completely safe computer system in practice. You can only create additional obstacles for an attacker trying to penetrate the system. Moreover, the volume and quality of the protection tools implemented depend on the area in which Linux is used. In addition, it is necessary to take into account that as the number of installed security measures increases, the system becomes more and more hostile to the average user. Therefore, the main task when creating a security system is to find the balance point that is acceptable for the Linux system management policy.

When using the protection system, you must follow simple rules: constantly monitor activity in the system using the system log, and keep the system at the most up-to-date level (install current versions of software that contain patches for the so-called security holes discovered during operation). In many cases, this is more than enough to ensure the proper level of security.

In order to assess the effectiveness of the Linux OS security system, it is necessary to clearly understand what threats can be implemented by attackers at the OS level in a particular situation.

OS level attacks

A large number of hacker attacks occur at the OS level. This can be explained very simply: after all, by hacking the OS security, an attacker can gain access to any network resources (including databases).

Among ignorant people, there is an opinion that the most effective attacks on the operating system are organized using the most sophisticated means that use the latest achievements of science and technology, and that the hacker must be a highly qualified programmer. This is not entirely true. Of course, it's good to be aware of all the new developments in the field of computer technology. And high qualifications are never superfluous. However, the art of a hacker does not consist in destroying any, even the "toughest", computer protection. The burglar just needs to find a weakness in a specific protective system and use it to maximum benefit. At the same time, the simplest attack methods turn out to be no worse than the most sophisticated ones, since a simple algorithm is less likely to generate errors and failures.

The success of implementing a particular hacker attack algorithm in practice largely depends on the architecture and configuration of the specific OS - the target of the attack. Let's look at what mechanisms to counter various attacks are used in the Linux OS.

Traditional security methods used in Linux

Traditional methods of OS protection are mainly related to physical security. Physical security is the first level of security that needs to be provided for any computer system. Moreover, obvious methods of ensuring physical security include locks on doors, cables in boxes, closed desk drawers, video surveillance equipment, etc. To enhance these time-tested measures, you can also use computer locks of various designs, the main purpose of which is as follows:

Preventing the theft of a computer and its components;

Preventing the possibility of unauthorized persons rebooting the computer, as well as the use of their own disk drives or other peripheral equipment;

Interruption of computer operation when opening the case;

Locking the keyboard and mouse.

When installing a Linux system, you must carefully read the BIOS documentation. The BIOS is the closest layer of software to the hardware, and many Linux boot loaders use BIOS features to protect against malicious users rebooting the system or manipulating the Linux system.

Some Linux boot loaders allow you to set a password that is requested when the system boots. Thus, when working with LILO (Linux Loader), you can use the parameters (allows you to set a password for the initial boot) and (allows loading after specifying certain options in response to the LILO request).

From time to time there is a need to leave the computer. In such situations, it is useful to lock the console to prevent anyone from reading your name and work results. To solve this problem, Linux uses the xlock and vlock programs. Using xlock, access to the X display is blocked (to restore access, you must enter the registration password). Unlike xlock, vlock allows you to block the operation of individual (or all) virtual consoles of a Linux machine. When using these useful programs, you need to be clear that they do not protect against reboots or other means of interrupting the system.

Most methods by which an attacker can gain access to resources require rebooting or powering off the machine. In this regard, you need to take very seriously any signs of hacking both on the case and inside the computer, and record and analyze all oddities and inconsistencies in the system log. In doing so, we must proceed from the fact that any burglar always tries to hide traces of his presence. To view the system log, it is usually enough to check the contents of the syslog, messages, faillog and maillog files in the /var/log directory. It is also useful to install a log rotation script or daemon that keeps logs to a specified depth (in recent Red Hat distributions the logrotate package is used for this).

A few words about local security of Linux systems. It is usually associated with two points: protection from local users and protection from the system administrator. It is no secret that gaining access to local user accounts is the first task that an attacker sets himself when trying to penetrate the system. If there are no reliable local protection measures, then, using errors in the OS and/or incorrectly configured services, an attacker can easily escalate his privileges, which is fraught with serious consequences. The general rules that must be followed to improve local security are as follows: provide the minimum required level of privileges; control the registration of all users; withdraw user accounts in a timely manner. You must always remember that uncontrolled accounts are an ideal springboard for penetrating the system.

Rash and incorrect actions by administrators also pose a serious danger to a Linux system. Therefore, the administrator must always remember that working full time under the superuser account (root) is a very dangerous style (as a compromise it is better to use the su or sudo commands). He should use superuser rights only to solve specific tasks; in other cases, it is recommended to use a regular user account. In addition, when executing complex commands, the administrator must use modes that will not lead to data loss. And lastly: the administrator should not forget about the existence of "Trojan horses", since programs of this type, when run with superuser rights, can cause serious violations of the security system. To avoid this, it is necessary to carefully control the installation of programs on the computer (in particular, the RedHat distribution provides for the use of md5 and pgp digital signatures to verify the integrity of rpm files during system installation).

Protecting Linux with Passwords

Analysis of risks at the OS level shows that the greatest danger comes from the actions of attackers related to theft or guessing of passwords. Password protection should therefore occupy a leading place in the security system of any OS.

Password security is an area where Linux differs significantly from many commercial versions of Unix and other operating systems, and for the better.

In most modern Linux implementations, the passwd program prevents the user from entering easily guessable passwords by warning them that the password is potentially dangerous (unfortunately, it does not block password entry). There are many programs to test the resistance of a particular set of passwords to guessing. Moreover, they are used successfully by both system administrators and hackers. The most common representatives of this class of programs are Crack and John the Ripper. It is worth noting that these programs require additional processor time, but this loss is completely justified: replacing weak passwords significantly reduces the likelihood of penetration into the system.

Linux provides password protection using three main mechanisms:

1. Password encryption.

2. The "shadow passwords" mechanism.

3. The mechanism of pluggable authentication modules PAM (Pluggable Authentication Modules).

Let us briefly consider the essence of these mechanisms.

Password encryption.

Linux traditionally uses the DES algorithm to encrypt passwords. The encrypted password is usually placed in the /etc/passwd file. When a user attempts to log into the system, the password they enter is encrypted and then compared with the entry in the password file. If there is a match, the system allows access. The password encryption program uses one-way encryption (achieved by using the password itself as the key to encrypt the password). Unfortunately, the DES algorithm is currently vulnerable to attack by powerful computers (a brute-force search will guess passwords in most cases). Therefore, in addition to encryption, two more powerful security mechanisms were developed for Linux.

The "shadow passwords" mechanism.

The essence of this mechanism is simple: the password file, even encrypted, is accessible only to the system administrator. To do this, it is placed in the /etc/shadow file, which can only be read by superusers. To implement this protection scheme in Linux, the Shadow Suite software set is used. In most Linux distributions, the "shadow passwords" mechanism is not enabled by default (except, perhaps, RedHat). But it is Linux that is distinguished by the presence of a new mechanism with which you can easily organize a powerful security system. It is the pluggable authentication module (PAM) technology.
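The two mechanisms above (where the hash is stored and which algorithm produced it) can be checked together. The following is an added example, not code from the original article: it audits constructed /etc/passwd and /etc/shadow contents, and the sample accounts, placeholder hashes and the choice to treat md5-crypt as legacy are assumptions of this example.

```python
import re

# Constructed sample files (not from a real system). The hash strings are
# shape-correct placeholders, not hashes of real passwords.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bob:x:1002:1002:Bob:/home/bob:/bin/bash
legacy:ab01234567890:1001:1001:Legacy account:/home/legacy:/bin/sh
daemon:*:1:1:daemon:/usr/sbin:/usr/sbin/nologin
"""

SAMPLE_SHADOW = """\
root:$6$constructedsalt$PLACEHOLDERHASH:19000:0:99999:7:::
alice:$1$constructed$PLACEHOLDERHASH:19000:0:99999:7:::
bob::19000:0:99999:7:::
legacy:!:19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
"""

# crypt(3) scheme identifiers found between the first two '$' signs.
SCHEMES = {"1": "md5-crypt", "2a": "bcrypt", "2b": "bcrypt", "2y": "bcrypt",
           "5": "sha256-crypt", "6": "sha512-crypt", "y": "yescrypt"}
DES_RE = re.compile(r"^[./0-9A-Za-z]{13}$")  # traditional DES crypt: 13 chars

# Schemes reported as weak. des-crypt follows the article; md5-crypt is an
# assumption of this example (it is also considered legacy today).
WEAK = frozenset({"des-crypt", "md5-crypt"})


def classify_hash(field):
    """Return a label describing the password field of a passwd/shadow line."""
    if field == "":
        return "empty"            # account has no password at all
    if field == "x":
        return "shadowed"         # real hash lives in /etc/shadow
    if field[0] in "*!":
        return "locked"           # password login disabled
    m = re.match(r"^\$([0-9a-z]+)\$", field)
    if m:
        return SCHEMES.get(m.group(1), "unknown")
    if DES_RE.match(field):
        return "des-crypt"
    return "unknown"


def _fields(text):
    """Yield (user, password_field) for each record line."""
    for line in text.splitlines():
        if line and not line.startswith("#") and ":" in line:
            name, pw = line.split(":")[:2]
            yield name, pw


def audit_password_storage(passwd_text, shadow_text, weak=WEAK):
    """Return (user, file, problem) tuples for risky password storage."""
    findings = []
    for name, pw in _fields(passwd_text):
        kind = classify_hash(pw)
        # Anything but 'x' or a lock marker means the hash (or an empty
        # password) sits in the world-readable /etc/passwd.
        if kind not in ("shadowed", "locked"):
            findings.append((name, "passwd", kind))
    for name, pw in _fields(shadow_text):
        kind = classify_hash(pw)
        if kind == "empty" or kind == "unknown" or kind in weak:
            findings.append((name, "shadow", kind))
    return findings


if __name__ == "__main__":
    for finding in audit_password_storage(SAMPLE_PASSWD, SAMPLE_SHADOW):
        print(finding)
```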

PAM mechanism.

Security modules are a set of open libraries designed to perform a set of functions (entering a password or verifying its authenticity). Any program that uses a security system can use PAM modules and provide any level of security as a result. When using this new mechanism, the programmer concentrates his attention on solving the application problem. He does not need to invent a defense system, and it is also guaranteed that he will not introduce "holes" into this system. PAM technology allows you to implement some new capabilities when creating a security system: security modules can use non-standard encryption procedures (MD5 and the like); restrictions can be set on the use of system resources by users (preventing the initiation of "Denial of Service" attacks); individual users can be allowed to log in only at fixed periods of time and only from certain terminals or nodes.

Additional Linux Security Features

Data protection.

To control the integrity of data, which can be violated as a result of both local and network attacks, Linux uses the Tripwire package. When run, it calculates checksums of all core binary and configuration files, and then compares them with reference values stored in a special database. As a result, the administrator has the ability to control any changes in the system. It is advisable to place Tripwire on a write-protected floppy disk and run it daily.

Of course, to increase confidentiality, it is useful to store data on disks in encrypted form. To provide end-to-end encryption of the entire file system, Linux uses the cryptographic file systems CFS (Cryptographic File System) and TCFS (Transparent Cryptographic File System).

Display protection.

Graphic display protection is an important point in ensuring system security. It is aimed at eliminating the possibility of intercepting a password, reading information displayed on the screen, etc. To organize this protection, Linux provides the following tools:

xhost program (allows you to specify which hosts are allowed to access your display);

Registration using xdm (x display manager) - a 128-bit key (cookie) is generated for each user;

Organization of exchange using a secure shell ssh (secure shell) - the flow of unencrypted data is excluded on the network.

In addition, the GGI (Generic Graphics Interface) project has been developed to organize access control to the computer's video subsystem within Linux. The idea of GGI is to transfer part of the code that serves video adapters to the Linux kernel. With GGI, it is virtually impossible for fake login programs to run on your console.

Network protection. As network technologies develop, security issues when working online are becoming increasingly relevant. Practice shows that network attacks are often the most successful. Therefore, in modern operating systems, network protection is given very serious attention. Linux also uses several effective tools to ensure network security:

Secure ssh shell to prevent attacks that use protocol analyzers to obtain passwords;

tcp_wrapper programs to restrict access to various services on your computer;

Network scanners to detect vulnerabilities of the computer;

tcpd daemon to detect malicious port scanning attempts (in addition to this tool, it is useful to regularly monitor system log files);

Encryption system PGP (Pretty Good Privacy);

stelnet program (a secure version of the well-known telnet program);

qmail program (secure email delivery);

ipfwadm program for configuring firewalls;

Mode for checking input connection passwords for systems that allow connection via external dial-up lines or local network.

It is gratifying to note that many of the tools listed are included in the latest Linux distributions.

Conclusion

Linux is a unique OS built on the Unix OS with a twenty-five-year history. To date, this is perhaps the only example of such a large-scale and fruitful collaboration of specialists from all over the world, united by the Internet. That is why any subsystem of this OS, including the security subsystem, is of great practical interest and contains many features, some of which are not sufficiently reflected in this article.

Despite the frantic propaganda of solutions "from Microsoft", operating systems of the Unix family, which includes Linux, are becoming increasingly widespread and are capturing those areas of microcomputer application for which the reliability of the system as a whole is important, meaning not only failure-free operation for a long time (months and years), but also protection from unauthorized access.

Linux has developed a powerful integrated security system that can ensure the security of systems operating in various environments (from home computers to banking systems). Thanks to the very spirit of Linux development, various security patches appear much faster than in commercial operating systems, making Linux an ideal platform for building reliable computing systems.

OS security experts believe that the future lies with pluggable authentication module (PAM) technology developed in the Linux OS. Once again Linux is ahead and waiting for the whole world to follow.

Of course, we can say that Linux is safer (better protected) than Windows. Security in Linux is built in, and not screwed on somewhere on the side, as is done in Windows. The Linux security system covers the area from the kernel to the desktop, but there are still chances for hackers to damage your home directory (/home).

Your photos, home videos, documents and credit card or wallet data are the most valuable information contained on a computer. Of course, Linux is not susceptible to all kinds of Internet worms and viruses for Windows. But attackers may find a way to access the data in your home directory.

Do you think that formatting your old computer or hard drive before selling it will be enough? There are plenty of modern tools for data recovery. A hacker can easily recover your data from your hard drive, regardless of the OS you were using.

On this topic, I recall the experience of one company that bought up used computers and disks. In the course of their activities, they came to the verdict that 90% of the previous owners of these computers did not properly take care of cleaning their storage media before selling them. And they extracted very sensitive data. It's scary to even imagine that somewhere in the depths of your hard drive there is information for logging into your online bank or online wallet.

Get started with Linux security basics

Let's step through the basics, which will suit almost any Linux distribution.

Let's encrypt the file system in Linux for more complete Linux security

User passwords won't solve the problem if you really want no one to be able to read your home directory (/home) or specific bytes in it. You can set things up in such a way that even a user with the highest root privileges will not be able to poke his nose into it.

Delete sensitive files so that no one else can recover them

If you decide to sell or give away your computer or storage media, don't think that simply formatting it will permanently delete your files. You can install the secure-delete tool on your Linux system, which includes the srm utility, designed for secure file removal.

Also, do not forget about the firewall in the Linux kernel. All Linux distributions include iptables, which is part of the kernel. Iptables allows you to filter network packets. Of course, you can configure this utility in the terminal. But this method is beyond the capabilities of many, including me. So I install and configure it as easily as if I were playing a game.

Like all operating systems, Linux is prone to the accumulation of all sorts of junk when running various applications. And this is not the fault of Linux, since various applications, for example browsers, text editors and even video players, do not operate at the kernel level and accumulate temporary files. You can install the BleachBit utility for universal garbage removal.

Anonymous surfing, hiding your IP - very important for the security of your identity under Linux


In conclusion I want to tell you about anonymous web surfing. Sometimes it happens that it is necessary, as I do when, secretly from my wife, I visit sites with erotic content. Of course I was joking.

It will be difficult for attackers to reach you if they cannot determine your location. We cover our tracks with a simple setup of two utilities working together called privoxy and tor.

In my opinion, following and configuring all these rules will keep you and your computer 90% safe.

P.S. I'm using a cloud service called Dropbox. I store my old and new, not yet published articles in it. It is convenient to have access to your files from anywhere in the world and on any computer. When writing articles for a website in a text editor, I save my text documents with a password and only after that upload them to the Dropbox server. You should never neglect extra security, which will only play into your hands.

At the annual LinuxCon conference in 2015, the creator of the GNU/Linux kernel, Linus Torvalds, shared his views on system security. He emphasized the need to mitigate the effect of certain bugs with competent protection, so that if one component malfunctions, the next layer covers the problem.

In this material we will try to cover this topic from a practical point of view:

7. Install firewalls

Recently there was a new vulnerability that allows DDoS attacks on servers running Linux. A bug in the system core appeared with version 3.6 at the end of 2012. The vulnerability allows hackers to inject viruses into download files, web pages and open Tor connections, and hacking does not require much effort - the IP spoofing method will work.

The maximum harm for encrypted HTTPS or SSH connections is interruption of the connection, but an attacker can place new content, including malware, in unprotected traffic. A firewall is suitable to protect against such attacks.

Block access using Firewall

Firewall is one of the most important tools for blocking unwanted incoming traffic. We recommend allowing only really necessary traffic and completely blocking all others.

For packet filtering, most Linux distributions have the iptables tool. It is usually used by advanced users, and for simplified setup you can use the UFW utility in Debian/Ubuntu or FirewallD in Fedora.

8. Disable unnecessary services

Experts from the University of Virginia recommend disabling all services that you do not use. Some background processes are set to autoload and run until the system shuts down. To configure these programs, you need to check the initialization scripts. Services can be started via inetd or xinetd.

If your system is configured via inetd, then in the /etc/inetd.conf file you can edit the list of background programs ("daemons"). To disable the loading of a service, just put a "#" sign at the beginning of its line, turning it from an active entry into a comment.

If the system uses xinetd, then its configuration will be in the /etc/xinetd.d directory. Each directory file defines a service that can be disabled by specifying disable = yes, as in this example:

service finger
{
    socket_type = stream
    wait        = no
    user        = nobody
    server      = /usr/sbin/in.fingerd
    disable     = yes
}

It's also worth checking for persistent processes that are not managed by inetd or xinetd. You can configure startup scripts in the /etc/init.d directory or the /etc/inittab file. After the changes have been made, run the following command under the root account.

/etc/rc.d/init.d/inet restart
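To confirm which services are still switched on after such edits, both formats can be parsed. This is an added example, not part of the original article: the sample inetd.conf lines and xinetd.d files are constructed, and a service file without a disable line is counted as enabled.

```python
# Constructed /etc/inetd.conf content: commented lines are disabled services.
SAMPLE_INETD = """\
# constructed sample, not from a real host
ftp     stream tcp nowait root   /usr/sbin/tcpd in.ftpd -l -a
#telnet stream tcp nowait root   /usr/sbin/tcpd in.telnetd
#finger stream tcp nowait nobody /usr/sbin/tcpd in.fingerd
"""

# Constructed /etc/xinetd.d files, keyed by file name.
SAMPLE_XINETD = {
    "finger": """\
service finger
{
    socket_type = stream
    wait        = no
    user        = nobody
    server      = /usr/sbin/in.fingerd
    disable     = yes
}
""",
    "time": """\
service time
{
    type        = INTERNAL
    socket_type = stream
    protocol    = tcp
    user        = root
    wait        = no
}
""",
}


def inetd_enabled(text):
    """Service names on active (non-comment) lines of an inetd.conf."""
    names = []
    for line in text.splitlines():
        stripped = line.strip()
        if stripped and not stripped.startswith("#"):
            names.append(stripped.split()[0])
    return names


def xinetd_services(text):
    """Parse 'service NAME { key = value ... }' blocks into a dict."""
    services, name, attrs = {}, None, {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith("service "):
            name, attrs = line.split()[1], {}
        elif line == "}" and name:
            services[name] = attrs
            name = None
        elif "=" in line and name:
            key, value = line.split("=", 1)
            attrs[key.strip()] = value.strip()
    return services


def enabled_services(inetd_text, xinetd_files):
    """Return the services each super-server would still start."""
    xinetd = []
    for content in xinetd_files.values():
        for name, attrs in xinetd_services(content).items():
            # No 'disable' line is treated as enabled, so it gets reviewed.
            if attrs.get("disable", "no").lower() != "yes":
                xinetd.append(name)
    return {"inetd": sorted(inetd_enabled(inetd_text)), "xinetd": sorted(xinetd)}


if __name__ == "__main__":
    print(enabled_services(SAMPLE_INETD, SAMPLE_XINETD))
```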

9. Protect the server physically

It is impossible to completely protect against attacks by an attacker with physical access to the server. Therefore, it is necessary to secure the room where your system is located. Data centers seriously monitor security, limit access to servers, install security cameras and assign permanent security.

To enter the data center, all visitors must go through certain authentication steps. It is also strongly recommended to use motion sensors in all areas of the center.

10. Protect the server from unauthorized access

An intrusion detection system (IDS) collects system configuration and file data and then compares this data with new changes to determine whether they are harmful to the system.

For example, the Tripwire and Aide tools collect a database of system files and protect them using a set of keys. Psad is used to monitor suspicious activity using firewall reports.
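The baseline-and-compare idea behind these tools, including protecting the database with a key, looks like this in miniature. This is an added example, not Tripwire's or AIDE's own code or database format: it uses SHA-256 and an HMAC over a JSON baseline, and the file names and key in demo() are constructed.

```python
import hashlib
import hmac
import json
import os
import stat
import tempfile


def hash_file(path):
    """SHA-256 of a file, read in chunks."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root, key):
    """Record hash and mode of every regular file under root, sealed with an HMAC."""
    entries = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            info = os.lstat(path)
            if not stat.S_ISREG(info.st_mode):
                continue  # skip symlinks, sockets, devices
            entries[os.path.relpath(path, root)] = {
                "sha256": hash_file(path),
                "mode": stat.S_IMODE(info.st_mode),
            }
    body = json.dumps(entries, sort_keys=True)
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return {"body": body, "hmac": tag}


def compare(root, baseline, key):
    """Verify the baseline's HMAC, then report added/removed/modified files."""
    expected = hmac.new(key, baseline["body"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, baseline["hmac"]):
        raise ValueError("baseline database failed its integrity check")
    old = json.loads(baseline["body"])
    new = json.loads(build_baseline(root, key)["body"])
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "modified": sorted(p for p in set(old) & set(new) if old[p] != new[p]),
    }


def demo():
    """Run the check over a constructed directory tree; returns (report, tamper_caught)."""
    key = b"constructed-demo-key"  # in practice kept off the monitored host
    with tempfile.TemporaryDirectory() as root:
        for name, data in (("sshd_config", b"PermitRootLogin no\n"),
                           ("login", b"original binary\n"),
                           ("motd", b"hello\n")):
            with open(os.path.join(root, name), "wb") as handle:
                handle.write(data)
        baseline = build_baseline(root, key)

        # Simulate changes between two scheduled runs.
        with open(os.path.join(root, "login"), "wb") as handle:
            handle.write(b"replaced binary\n")
        os.remove(os.path.join(root, "motd"))
        with open(os.path.join(root, "unexpected"), "wb") as handle:
            handle.write(b"new file\n")
        report = compare(root, baseline, key)

        # An edited database no longer matches its HMAC.
        baseline["body"] = baseline["body"].replace("login", "l0gin")
        try:
            compare(root, baseline, key)
            tamper_caught = False
        except ValueError:
            tamper_caught = True
    return report, tamper_caught


if __name__ == "__main__":
    print(demo())
```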

Bro is designed to monitor the network, track suspicious activity patterns, collect statistics, execute system commands and generate alerts. RKHunter can be used to protect against viruses, most often rootkits. This utility checks your system against a database of known vulnerabilities and can identify unsafe settings in applications.

Conclusion

The tools and settings listed above will help you partially protect the system, but security depends on your behavior and understanding of the situation. Without care, caution and constant self-education, all protective measures may not work.


We continue to get acquainted with the documents published by the British government commission Communications-Electronics Security Group, which recently named the Ubuntu distribution the most secure operating system for the end user.

Although the Ubuntu distribution received very flattering ratings from security experts, there were also plenty of complaints about Ubuntu. Let's look at how we can eliminate some potentially dangerous places in the Ubuntu security system and turn the distribution into an impenetrable fortress for network scoundrels.

Point 8 of the document “End User Devices Security Guidance: Ubuntu 12.04” is called Policy Recommendations and contains specific advice for administrators of computers running Ubuntu.

Disable shells by default

Remove shell access: Configure user add programs (such as useradd) to use /bin/false as the default shell. To do this, you need to make changes to the configuration files /etc/default/useradd and /etc/adduser.conf.

Separate partitions for /tmp and /home with a ban on running files

For the /tmp and /home directories you need to set up separate partitions and, in the configuration file /etc/fstab, prevent these partitions from running any files, allowing only reading and writing. This is done using the options "noexec,nosuid,nodev".
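A quick way to verify this recommendation is to parse /etc/fstab and report which of the three options are missing. This is an added example, not taken from the CESG document: the fstab content is constructed, and options are evaluated left to right so that a later "exec" cancels an earlier "noexec".

```python
# Constructed /etc/fstab content (device names are placeholders).
SAMPLE_FSTAB = """\
# <file system>        <mount point> <type> <options>               <dump> <pass>
UUID=constructed-root  /             ext4   errors=remount-ro       0 1
UUID=constructed-home  /home         ext4   defaults,nosuid,nodev   0 2
UUID=constructed-tmp   /tmp          ext4   rw,noexec,nosuid,nodev  0 2
"""

REQUIRED = ("noexec", "nosuid", "nodev")


def parse_fstab(text):
    """Map each mount point to its ordered list of mount options."""
    mounts = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) >= 4:
            mounts[fields[1]] = fields[3].split(",")
    return mounts


def effective_flags(options):
    """Apply options in order; 'exec', 'suid' and 'dev' undo their 'no' forms."""
    state = dict.fromkeys(REQUIRED, False)
    for opt in options:
        if opt in state:
            state[opt] = True
        elif "no" + opt in state:
            state["no" + opt] = False
    return state


def missing_options(text, mount_points=("/tmp", "/home")):
    """For each mount point: list of missing options, or None if it has no
    fstab entry of its own (that is, it is not a separate partition)."""
    mounts = parse_fstab(text)
    report = {}
    for mount_point in mount_points:
        if mount_point not in mounts:
            report[mount_point] = None
            continue
        state = effective_flags(mounts[mount_point])
        report[mount_point] = [opt for opt in REQUIRED if not state[opt]]
    return report


if __name__ == "__main__":
    print(missing_options(SAMPLE_FSTAB))
```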

Find and close all writable directories outside of /home and /tmp

Sometimes it turns out that the file system has places outside the /home and /tmp directories where an unprivileged user can create and run files. Finding such places is quite easy. Of course, the command must be run as an unprivileged user:

find / -type d -writable

After detecting potentially dangerous directories, change the owner group or access rights to prevent the possibility of writing and execution.

Limit your use of scripting languages

Scripting languages (such as Python, for example) are used by the operating system to provide normal functioning and cannot simply be uninstalled. However, scripts create an additional danger by allowing an attacker to download and execute their own programs. The solution is to configure AppArmor accordingly. It is necessary to allow only system scripts to be launched (from /bin, /usr/bin, etc.), and to prohibit this in all other directories (/home, /tmp, etc.). Using Python as an example:

# File: /etc/apparmor.d/usr.bin.python2.7
/usr/bin/python {
  #include
  /usr/bin/python2.7 mr,
  deny /home/** rw,
  deny /tmp/** rw,
  deny /some/user/writable/directory/** rw,
  /** rw,
}

Proper firewall setup in Ubuntu

The firewall should be configured to block all incoming connections, allowing only those that are explicitly made available to external users. The following example denies all incoming connections via iptables, except access to ssh (port 22):

# allow all outgoing and deny all incoming
/sbin/iptables -F
/sbin/iptables -X
/sbin/iptables -P OUTPUT ACCEPT
/sbin/iptables -P FORWARD DROP
/sbin/iptables -P INPUT DROP
# allow incoming ssh
/sbin/iptables -A INPUT -p tcp --dport 22 -j ACCEPT
# allow stateful return traffic
/sbin/iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# allow any traffic on the lo interface
/sbin/iptables -A INPUT -i lo -j ACCEPT
/sbin/iptables -A OUTPUT -o lo -j ACCEPT

We save the settings in the configuration file /etc/fw-rules and do not forget to block access to it by outsiders:

iptables-save > /etc/fw-rules
chmod 400 /etc/fw-rules

All that remains is to force the system to load the rules every time it is turned on. To do this, create a file /etc/init/netfilter.conf with the following content:

description "netfilter firewall"
start on (starting networking)
pre-start script
    iptables-restore < /etc/fw-rules
end script

Done. Now you can relax.
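Since the saved /etc/fw-rules file is what gets restored at every boot, it is worth checking that it still expresses the default-deny policy. This is an added example, not part of the CESG guidance: both rule dumps are constructed in iptables-save format, and the allowed port set (22 only) mirrors the rules above.

```python
import shlex

# Constructed iptables-save output matching the rules configured above.
GOOD_RULES = """\
# constructed sample, not captured from a real host
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
COMMIT
"""

# Constructed dump of a rule set that has drifted from the policy.
BAD_RULES = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 23 -j ACCEPT
-A INPUT -j ACCEPT
COMMIT
"""


def parse_rules(text):
    """Return (chain policies, tokenized -A rules) of the filter table."""
    policies, rules, table = {}, [], None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("*"):
            table = line[1:]
        elif table != "filter":
            continue
        elif line.startswith(":"):
            chain, policy = line[1:].split()[:2]
            policies[chain] = policy
        elif line.startswith("-A "):
            rules.append(shlex.split(line))
    return policies, rules


def _opt(tokens, flag):
    """Value following a flag in a tokenized rule, or None."""
    return tokens[tokens.index(flag) + 1] if flag in tokens else None


def audit(text, allowed_tcp_ports=frozenset({22})):
    """List deviations from 'deny all incoming except the allowed ports'."""
    policies, rules = parse_rules(text)
    findings = []
    for chain in ("INPUT", "FORWARD"):
        if policies.get(chain) != "DROP":
            findings.append("%s policy is %s, expected DROP" % (chain, policies.get(chain)))
    for tokens in rules:
        if tokens[1] != "INPUT" or _opt(tokens, "-j") != "ACCEPT":
            continue
        if not tokens[2:tokens.index("-j")]:
            findings.append("INPUT rule accepts all traffic unconditionally")
        dport = _opt(tokens, "--dport")
        # A port range ("1000:2000") is reported as well as a single port.
        if dport is not None and (not dport.isdigit() or int(dport) not in allowed_tcp_ports):
            findings.append("INPUT accepts destination port %s, which is not allowed" % dport)
    return findings


if __name__ == "__main__":
    print(audit(GOOD_RULES))
    print(audit(BAD_RULES))
```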



Date published: Thursday, December 18, 2008
Translation: Kovalenko A.M.
Translation date: August 7, 2009

There is a general belief that if one switches to using a Linux distribution, such as Ubuntu on a desktop computer, then security issues will resolve themselves. Unfortunately, this does not happen in reality. Like any operating system today, Ubuntu also has potential targets for exploits. Buffer overflow, stack overflow, dirty code, user errors - and this is an incomplete list of threats that could be continued. To counter these and other possible threats, I'll show you how to follow simple steps that will ensure you're using smart strategies to run Ubuntu safely.

Anti-virus protection?

One of the most common debates is whether or not to use virus protection on Linux computers. My opinion is this: rootkits and viruses that target Linux actually exist. On the one hand, they are a pale shadow of the sheer volume of exploits targeting Microsoft Windows, and the deceptive sense of security that comes from such statistics lulls people's vigilance.
On the other hand, and I want to emphasize this, the idea of scanning the contents of your computer to look for dangerous viruses is a very sound one. Using removable media, disks, email: each of these actions may well lead to Windows users accidentally receiving viruses. Please note that I am not advocating undue suspicion, but I am warning anyone whose home network is entered unannounced of the dangers.
Therefore, I must give you advice that logically follows from the above: use some program (for example, ClamAV) to perform a weekly virus scan. Given that we live surrounded by Windows computers, doing a weekly scan is actually an important operation that everyone should not only remember, but should definitely do.

Protection from malicious software?

A significant threat from malicious software still exists. In light of this, simply refusing to install or launch unknown applications can be of great help. On any platform, it is very unwise to blindly install newly discovered software that you do not know without examining it first, because if the program is closed source, you won't even be able to find out what it actually does to your computer.
A similar threat exists from the web browser. I believe that by simply disabling Java and not blindly installing Firefox extensions without learning about them first, you can pretty much avoid any future threat of installing malicious software from that side as well. By combining both of these recommendations, you can be confident that even if one day malicious software becomes a problem, it will be much easier for you to diagnose how it got onto your computer.

Firewall protection options

As with any Internet-connected operating system these days, using a firewall is a must for Ubuntu. For Ubuntu users this means using IPTables through UFW (Uncomplicated Firewall).
It's sad that the idea of using a firewall, like most ideas invented by engineers, is not considered "simple" by ordinary users, and all because the firewall requires the use of the command line. This apparent gap in usability led to the development of a GUI: Gufw.
Gufw provides very simple options to enable/disable IPTables settings on all modern Ubuntu installations. Gufw also allows you to literally "one-click" port management using pre-configured or advanced port forwarding options.
Using this type of protection will provide an appropriate level of firewall security almost immediately upon first launch. Unfortunately, a firewall itself doesn't do anything about traffic passing through your network or even the Internet. To summarize, a firewall is more of a gatekeeper than a motorcycle cop, catching potential threats to your network.
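Gufw and UFW only manage an iptables ruleset, so the result can be checked directly. The script below is an added example, not part of the original article: it reads iptables-save output (or a saved rules file) and confirms that the INPUT chain drops by default and that the filter table is complete. The function names and the sample ruleset are constructed for illustration, and the check assumes default deny is expressed as the chain policy rather than as a trailing catch-all rule.

```shell
#!/bin/sh
# Added example: sanity-check an iptables-save style ruleset.
# Assumes default deny is set as the INPUT chain policy (as UFW does).

# Print the default policy of chain $1 in the filter table (stdin: ruleset).
chain_policy() {
    awk -v chain="$1" '
        /^\*/ { in_filter = ($1 == "*filter") }
        in_filter && $1 == (":" chain) { print $2; exit }
    '
}

# Succeed only if the filter table on stdin is terminated by COMMIT.
filter_committed() {
    awk '
        /^\*/ { in_filter = ($1 == "*filter") }
        in_filter && $1 == "COMMIT" { ok = 1 }
        END { exit !ok }
    '
}

# Return 0 only if inbound traffic is dropped by default and the table is
# complete; a truncated file would otherwise fail when it is loaded.
check_ruleset() {
    rules=$(cat)
    policy=$(printf '%s\n' "$rules" | chain_policy INPUT)
    if [ "$policy" != "DROP" ]; then
        echo "INPUT policy is '${policy:-missing}', expected DROP" >&2
        return 1
    fi
    if ! printf '%s\n' "$rules" | filter_committed; then
        echo "filter table has no COMMIT line" >&2
        return 1
    fi
}

# Constructed sample in iptables-save format (not taken from the article).
sample_ruleset() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT
EOF
}
sample_ruleset | check_ruleset && echo "sample ruleset: inbound default deny"
```

On a live system, pipe the output of iptables-save (run as root) into check_ruleset, or redirect a saved rules file into it before loading that file at boot.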

OpenVPN and OpenSSH

Despite the fact that most enterprise users need to use OpenVPN to connect to their enterprise network, I've been disappointed that most people don't consider OpenSSH as an alternative for home workers who need to connect to secure non-VPN networks.
Without going into details of the implementation of these two programs, I will say that the idea is that the user can securely connect to a remote computer/server and access remote shares, email, documents, etc. without worrying that the traffic will be compromised by an attacker anywhere along the path (there and back).
As for OpenVPN, this software makes it as simple as it gets for corporate users at home to connect to their company's virtual private network (VPN). From there, they can access their work computers, manage documents, or simply check email. The bottom line is that workers outside the local office can safely use the security protocols that IT staff have established to connect to the enterprise network from outside the corporate network, whether from a home office or any other insecure network.
Setting up an OpenVPN connection is quite simple: you just need to install the network-manager-openvpn package from your Ubuntu repository. After this and installing other dependencies, simply click on the network manager icon (network-manager) and start the VPN setup process. In today's latest release of Ubuntu, 8.10 (translator's note: at the time of translation of the article, the latest stable release of Ubuntu is 9.04), users can use VPN connections immediately after installing the OS, once they have configured them.

Strengthening Remote and Local Security

Now let's go home. Personally, I partially use OpenSSH to connect from home to the wireless network of my own coffee shop. Using OpenSSH allows me to work with Internet applications such as Evolution (email client), Firefox (web browser), etc., which I would not otherwise use in a coffee shop to transfer information.
OpenSSH also provides an excellent ability to share files and folders between computers on your local network. Moreover, by using sharing together with No-IP (translator's note: a service that replaces a computer's dynamically assigned IP address with a permanent name accessible via the Internet), you can share files and folders consistently, no matter where you are at the moment. And no matter where you are, at home or on the other side of the globe, you get the same reliable file sharing.
Let's summarize all of the above. SSH and VPN are virtual secure bridges from computer to server or from computer to computer. But no matter how secure these tools may seem, this does not mean that when browsing the Internet or sending an email, the data remains safe in transit. You may want to implement some additional SSL functionality so you can use HTTPS for web browsing and SSL security for email back and forth.

Securing your Ubuntu computer for local use

By far the single biggest security risk to your computer generally lies between the monitor and the chair. Users, especially on shared computers, cause more security problems than any viruses or malware that accidentally get onto your computer.
Since we cannot control what other users do on a shared computer, I offer a list of some useful tools and techniques that will best prepare you to respond to any reckless behavior committed by other users.
Advice: Keeping updates under control. Failure to keep the Ubuntu system up to date will lead to many problems in the future; it is better to put up with a few errors from performing regular updates. Security updates are paramount.
Advice: Blocking other users. You can get an immediate advantage by hiding a previously working Ubuntu installation from a less experienced family member or friend. The best way to do this is to add a restricted regular user account for everyone besides you who works at the computer. From the Users and Groups Administration menu, under your own superuser account, simply disable any options you want to disable for the newly created limited user account.
Advice: Securing Your Home Directory. More for privacy than security, and without the headache of using encryption, you can easily change the access privileges on your directory, for example by running the command chmod 0700 /home/$USER in the terminal. Assuming you are the only one with superuser/root rights on a given computer, no one else can see the contents of your directory. If encryption is a must, then there are some great HOWTOs, the best of which is . Yes, this is very difficult to do.
Advice: OpenDNS for basic content filtering. One of the best ways to protect users of your Ubuntu system from accessing potentially fraudulent sites or hosts with malicious software is to use OpenDNS. The DNS settings on your network can be changed either on each computer individually or on the gateway acting as a router.
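On a shared computer it is worth checking every home directory, not only your own. The script below is an added example, not part of the original article: it lists the home directories whose mode still lets group members or other users in, and applies the chmod 0700 fix from the home-directory tip to a single directory. The function names are constructed for illustration, and stat -c is the GNU coreutils form found on Ubuntu.

```shell
#!/bin/sh
# Added example: find home directories that other local users can enter.

# Print "MODE PATH" for each directory directly under $1 (default /home)
# whose mode grants any permission to group or others.
audit_homes() {
    base=${1:-/home}
    for dir in "$base"/*/; do
        dir=${dir%/}
        [ -d "$dir" ] || continue        # glob matched nothing
        [ -L "$dir" ] && continue        # skip symlinks, check real directories
        mode=$(stat -c '%a' "$dir")      # GNU stat: octal mode, e.g. 755
        case $mode in
            0|*00) ;;                    # group and other digits are both 0
            *) printf '%s %s\n' "$mode" "$dir" ;;
        esac
    done
}

# Apply the article's fix to one directory and confirm it took effect.
lock_home() {
    chmod 0700 "$1" && [ "$(stat -c '%a' "$1")" = "700" ]
}

# Read-only report for the machine this runs on.
audit_homes "${1:-/home}"
```

Only the owner or root can change a directory's mode, so run lock_home on other users' directories from the superuser account.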

Ubuntu is only as secure as you make it

Using the tips I've given above, you will surely be on your way to using Ubuntu safely. But despite these recommendations, you can always run into trouble.
Since Linux is indeed a very powerful system, anyone with root privileges should be aware that there are commands or shell scripts that can be run in a terminal and cause significant harm when executed. One type of such harm is the loss of data.
And one more thing - instead of rushing around the forums, looking for a solution to a problem that arose on its own, it is better to always consult a trusted source before running code that you are unfamiliar with. This advice alone will do wonders in ensuring that Ubuntu is used safely.
Thanks to Datamation for the article.