GNU/Linux
While GNU/Linux distributions vary widely and providing a single set of instructions is mostly impractical, you can use the following general guidelines to ensure that your GNU/Linux desktop or laptop distribution is secured correctly.
Please bear in mind that some of these settings, if adjusted inappropriately, might impact the system's functionality. You should always consult your system administrator or IT support before applying them.
GNU/Linux Configuration Tasks
- Use Secure Settings when Creating Login Accounts
  - Always set a strong account password. Most distributions' setup and user management tools include a password strength "meter" that appears when setting or updating passwords. Max it out!
- Enable the Application Firewall
  - Most GNU/Linux client distributions include a firewall by default. It may be managed directly through iptables, through a variant of firewalld, or through some other tool. Check your distribution's documentation to make sure that it's enabled.
- Disable Automatic Login
  - While automatic login is convenient, it can also allow an attacker with physical access to your computer to access all of your files.
- Verify that Your Screen is Locked after Inactivity
  - This is another item that is configured by default on most distributions, but it never hurts to check.
- Automatically Lock the Login Keychain
  - Each graphical desktop environment (such as GNOME, KDE, Xfce, LXDE, Unity, Cinnamon, MATE, etc.) has its own keychain management system, and many of them support automatically unlocking a default keychain when you log into a graphical environment.
  - Check your distribution's documentation to see if this functionality is supported and, if so, how to secure it.
- Install Software Only from the Distribution's Official Repositories
  - New GNU/Linux users coming from Windows often want to pull up a web browser to install new software. Resist this urge! Virtually all GNU/Linux distributions include a built-in software management system, similar to an app store, with a selection of peer-reviewed and securely signed software.
  - If you do decide to install software using web browser downloads or with a third-party repository, make sure that the software vendor is a known and reputable source, and that all software packages are signed with valid signatures published by the vendor.
- Consider Encrypting your Home and Swap Partitions
  - Many distributions support doing this quickly and easily during setup, though doing so after installation can be a technically challenging operation.
  - In most cases, this requires you to enter an extra password during boot (there are ways to avoid this, and some distributions implement them automatically for you). Encrypting these partitions will prevent any unauthorized persons from accessing your data, even if they manage to steal your machine.
  - Don't hesitate to get help from a friend or your tech support (or both) if you feel uncomfortable with tackling this yourself.
  - If you encrypt your home partition after setup, make sure to have a current backup of your data first.
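
For the "Disable Automatic Login" item, the following shell script is an added example (not part of the original article) that reports whether GDM, LightDM or SDDM is configured to log a user in automatically. The function names are hypothetical and the config file paths are assumptions about common distribution layouts.

```shell
#!/bin/sh
# Added example, not from the original article. Key names are the documented
# ones for GDM, LightDM and SDDM; the file paths scanned below are assumptions.

# ini_get FILE SECTION_REGEX KEY: print the last uncommented value of KEY
# inside a section whose name matches SECTION_REGEX (empty if not set).
ini_get() {
    awk -v sec="$2" -v key="$3" '
        /^[ \t]*[#;]/ { next }                      # comment line
        /^[ \t]*\[/ {                               # section header
            s = $0; gsub(/^[ \t]*\[|\][ \t\r]*$/, "", s)
            insec = (s ~ sec); next
        }
        insec && (eq = index($0, "=")) {
            k = substr($0, 1, eq - 1); v = substr($0, eq + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t\r]+$/, "", v)
            if (k == key) val = v
        }
        END { print val }
    ' "$1"
}

# autologin_status FILE KIND: print "enabled:<user>" or "disabled".
# KIND is gdm, lightdm or sddm.
autologin_status() {
    [ -r "$1" ] || { echo "unreadable"; return 2; }
    case $2 in
        gdm)  # needs the enable flag (compared case-insensitively) and a user
            on=$(ini_get "$1" '^daemon$' AutomaticLoginEnable | tr 'A-Z' 'a-z')
            user=$(ini_get "$1" '^daemon$' AutomaticLogin)
            case $on in true|1) ;; *) user= ;; esac ;;
        lightdm) user=$(ini_get "$1" '^(Seat:.*|SeatDefaults)$' autologin-user) ;;
        sddm)    user=$(ini_get "$1" '^Autologin$' User) ;;
        *) echo "unknown display manager: $2" >&2; return 2 ;;
    esac
    if [ -n "$user" ]; then echo "enabled:$user"; else echo "disabled"; fi
}

# Scan common locations; unmatched globs and missing files are skipped.
for f in /etc/gdm3/custom.conf /etc/gdm/custom.conf \
         /etc/lightdm/lightdm.conf /etc/lightdm/lightdm.conf.d/*.conf \
         /etc/sddm.conf /etc/sddm.conf.d/*.conf; do
    [ -r "$f" ] || continue
    case $f in */gdm*) k=gdm ;; */lightdm*) k=lightdm ;; *) k=sddm ;; esac
    echo "$f: $(autologin_status "$f" "$k")"
done
```

Any line reporting `enabled:<user>` names the file to edit; desktop settings tools may write the same keys to other locations, so confirm the result against your distribution's documentation.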
This article was updated: 04/8/2020