General computer security recommendations, primarily for Linux
Reviewed by John Sopko 4/27/2012
Whether we like it or not, we need to worry about the security of our computing environment. There are people who would take advantage of our computer systems if they had any, or more complete, access to them. This could range from the use of computer resources they have no right to access to the willful destruction and/or appropriation of the information we all have online. In order to maintain the necessary level of security in our computing environment, there are some things we all have to take responsibility for. Even though you may not feel like you personally have much to lose if someone had access to your account or files, you have to realize that as soon as someone gains ANY access to our system, it’s much easier for them to gain access to ALL of it. So when you are lax with your own account, you are endangering the work and research of everyone else working here.
Below are some general security guidelines. Please see the UNC campus security site for extensive information and help with computer security including references to University Policies and guidelines on computer security.
Your password is the fundamental element of security not only for your personal account, but for the whole UNIX system that we share. Without an account and password a person has NO access to our system. If someone discovers (or you tell someone) your password, not only will they have access to your personal files, but they will have a much better chance to launch attacks against the security of the entire system. Accordingly, password security should be a concern of every user. It is important that your password is *yours and yours alone*. Never tell anyone your password. If someone needs access to some of your files, you can change the permissions and/or set up a new group to control access see AFS file security information. To keep people from discovering your password, don’t choose one that is easily guessed. The ‘passwd’ command will not allow you to choose passwords which are too simple, but it cannot prevent you from choosing a password someone might guess from knowing you (or finding out about you), such as your birth date, spouse’s name, your street name, license plate, etc. Don’t use passwords derived from any personal information about yourself. See the password security help page for more information.
Probably the most common danger to anyone’s account is simply leaving the workstation while still logged-in, either to go grab something to eat, or because you thought you had logged out. It only takes a few minutes at an unattended terminal in order for someone to be able to gain access to your account whenever they want. So if you’re going to be leaving your terminal, log out, or at least lock the screen. And when you do log out, take an extra second to be sure that you really are logged out. Don’t walk away until you see the login prompt screen, because the logout may hang for some reason and and leave your system accessible.
File and Directory Protection
Even without your password, it’s possible for other users to gain access to your files and directories (and even your account) if your permissions aren’t set correctly. If you mistakenly allow other users write permissions for critical files, they can easily break in to your account. Specifically, it is very important to keep files such as .cshrc, .profile, and .login protected. Also, any other files that these source or call need to be protected as well. Giving other users write permissions on any files or programs that you execute invites their replacement by ‘trojan horse’ programs, which could cause damage to your files, or even try to get your password from you and pass it along to an intruder. Periodically do an ‘ls -alc’ command in your home directory and make sure your initialization files have appropriate permissions and modification times that make sense. Besides write access, the other issue to think about is whether you want other users to be able to read and/or execute your files. See how to secure your directory for more information.
Setting your Path
Users also need to be careful about which directories they have in their default path, because of the possibility of executing trojan horse programs, as mentioned above. If you have in your path any directory which is publically writeable, or even writeable by anybody other than yourself, you may fall into this trap. If you have one of these directories in your path before some directory(s) of system commands, a potential intruder could place a trojan horse program of the same name as a system command in that directory. Then when you try to execute the system command, you get the trojan horse version. The program then has the same access to your files as you do: It could delete your home directory, change permissions on sensitive files, or maybe even trick you into entering your password, which it would send on to the intruder. To guard against this, avoid putting any publicly writeable directory in your path, or if you really have to, make sure that all of the system directories and your own directories appear before any that are writeable by anyone else. You should also put the current directory (the “.” entry) at the very end of your path to avoid the possibility of executing a trojan horse from the current directory. In addition, you should beware of unexpectedly being asked for your password, as there are very few programs that require this.
Detecting Unauthorized Access of your Account
There are basically two ways to tell if someone has used your password. The individual may alter, remove, or add files and in some cases sub-directories in your directory. You should be aware of what is in your directory, and notice when files appear or disappear. In particular, be on the lookout for files and directories with names chosen to keep them obscure. For example, do an ls -la and look for entries that begin with a dot and be sure there are no unusual items. Intruders will often name a directory ‘…’ (dot-dot-dot) which to the untrained eye is easily overlooked when you do an ls. Only an ls with the -a option will show these dot files. Also do an ls -lat which will sort your files by modification date, and look to see if any files have changed at times you can’t recall modifying them. Second, you can tell if a user logs in as you. When you log in, Linux will print the time of your last login. Please check that each time you log in, and notify the facilities staff if the time reflects an unauthorized access. You can also check your last logins by means of the ‘last’ command. See the man page for details.