There seems to be a new important security patch out for Linux every month, lots of “do not use this program” warnings, too many articles and books with too little useful information, high-priced consultants, and plenty of talk about compromised systems. It is almost enough to send someone back to Windows. Can the average Linux user or system administrator keep his or her system secure and still have time to do other things? Bob Toxen is happy to say yes and here is how to do it.
This is an informative, howto article for securing a linux box.
However, the article BEGS the question, “Is this article ready for the average user?”
Many of the instructions Mr. Toxen gives require a CLI. Ergo, my mother (forget my grandmother) won’t be able to secure her linux box with these techniques.
The article is referring to the average Linux user, not the average computer user.
That said, if the level of the Average User has fallen so low that they can’t read and follow simple English instructions, then they shouldn’t be allowed to touch an administrative account in the first place.
funny thing that about cli, as i recall reading on arstechnica or something that people find cli easier to understand than gui after they get some basic pointers on how the flow of things works.
you have an inherent feedback system in that you get a blinking pointer the moment the command is done.
and it’s also much simpler to do something from reading a book as you just have to type in what the text says, rather than looking at a series of large images with drawn-on numbered arrows pointing out the sequence of clicks.
you can even verify that the command is typed correctly before giving it the ok.
only thing coming close in a gui is a wizard and we all know how fun it is to do those over and over. last thing i want to do is access a wizard to change an ip address when a simple command can do the same. or having to click down 3-4 layers of gui to do so…
hey, isn’t thinkgeek selling a mouse mat that has the most common unix commands printed on it? even color coded to show commands that can potentially trash your system if you’re not careful?
the thing is that the commandline has a task history, a feedback system and task management all rolled into one.
want to perform an automated task in the background while doing something else? put & after the command and forget about it.
waiting for a command that takes its time to complete? ctrl+z should suspend the command (although not all like that, but that’s mostly those that need input from something) and then type bg and the command should continue its work in the background while you can do other stuff.
and all this time you can scroll up and check what you have done before. so if you forget some output it will most likely be up there. to do the same in a gui you will have to leave the output window (most likely some message or the programs main window) open while you work on the other stuff.
and most shells allow for creation of shell scripts. at their most basic they are just a series of commands that you want to have performed one after another. how do you do that in a gui? record mouse movements and clicks? and what if you have to add a task in the middle of that? record multiple independent mouse actions and then string them together with another, higher level, mouse recording?
never underestimate the cli
yes it may look complicated at first, but trust me, so is the gui for the total newbie.
only thing these days is that there is no such thing as the total newbie, unless you’re a 60-something farmer in the middle of nowhere.
There doesn’t appear to be anything in that article that I would need to think about as a Ubuntu (and likely any other distro) user. And I’m fairly sure that a Linux From Scratch user or similar would have a pretty good idea of how to configure for security anyway.
Agreed. After looking at the article, I can’t argue about the points made, but “…ready for the average user” is somewhat misleading. Really, Linux distros “out of the box” do have too many things turned on by default, etc…but it’s still usually “good enough” for the HOME user, especially if behind a router that’s configured properly.
Most of these pointers are useful for an administrator on a network that has public (or corporate) access. I think that the pointers are also helpful for an “average” user who brings his/her laptop on the road and is in the habit of plugging into networks and also using the wireless in public places (as I’m doing now).
But compared to WHAT? Windows? Is he making a comparison here? AT LEAST Linux (out of the box) HAS permissions and also usually a user/root dichotomy so that the user isn’t running as root. MOST Windows people ARE root, and the “average” user doesn’t even know it.
So, good article, bad title…I agree…
One more comment. Linux security IS an issue. I think too many people are a little too complacent just because they think that Linux is very secure. It has problems like any other operating system, of course…
Sorry, but I don’t think desktop users need to worry too much about local user privilege escalation; which is usually the nasty linux security issues: If your local users are trusted, they won’t privy escalate and if you are the only local user you are trusted.
But yes, keeping up to date is moderately important. More important is probably the last part about not running unneeded network services and not running them in stupid ways…
“There seems to be a new important security patch out for Linux every month, lots of “do not use this program” warnings, too many articles and books with too little useful information, high-priced consultants, and plenty of talk about compromised systems. It is almost enough to send someone back to Windows. Can the average Linux user or system administrator keep his or her system secure and still have time to do other things?”
Are you for real????? I have Windows using customers bringing compromised Windows boxes in all the time, yet none of my Linux using customers have had a single problem. Please don’t allow intros like the one above to bias the reader, intentionally or not, prior to even seeing the article. Just keep it simple…… Please!
I agree with you. I haven’t had issues with “too many program warnings”, “high priced consultants”, etc. For one thing developers such as Novell charge less than Microsoft for support as well as include more support out of the box than MS does for Windows users. As for down time well I haven’t experienced it since the system updates without requiring reboot like most Windows distributions. Since my friends, family and others I know have switched to Linux they are less stressed probably due to lack of viruses, spyware, etc.
The author also seems to skim over distributions such as SuSE Linux, Mandriva Linux (note to author it’s no longer called Mandrake), etc. For example he mentions that SuSE Linux has YaST and stops there. YaST during the installation of the OS and software will prompt the user to choose between automatic updates done in the background or let the user manually install updates. It’s a one click option, no confusion and no complicated command script knowledge is required. Actually most of the methods in SuSE Linux and Mandriva Linux can be accomplished in their user friendly GUI control center, which coming from years of being a former Windows user found very easy to understand.
The average Windows user and the average Linux user are very different animals. Likewise, the number of Windows deployments is much greater than the number of Linux deployments. Please don’t allow your skewed perceptive to overanalyze comments directed to a wide audience.
The article is decent, the article introduction is pure flame bait. It is nice to see that Thom continues the fine tradition of trolling initiated by his mentor, Master troller Eugenia.
Before you censor this, ask yourself whether this statement is anywhere more accurate than your own introduction. It’s intended to get your blood boiling, just like your very own page-hits let’s-start-a-flamefest inducement of an introduction.
Sonny, if you would get your eyes out of your butt, then you’d know that I only copied/pasted the introduction. I didn’t write it myself.
And no, I’m not voting your comment down, I’d like all the readers to see the stupidity that is your comment.
tooo DAMN funny…..
open mouth, insert foot….
thom i am liking you more and more as time goes on….
I found this article very informative, but I kept on asking myself ‘surely they’re referring to system administrators rather than the average user?!’ I’m talking in terms of both the level of security required of a system and the level of expertise needed to make sense of the article.
Quite often of late a lot of articles on OSNews.com are misrepresented by their titles and blurbs. I understand that there’s revenue to be gained from click-throughs and advertising, but that’s at the cost of editorial credibility. Would OS News like to comment?
> Would OS News like to comment?
The original author had an intention with the introduction, who am I to change that because some people have toes the size of Manhattan?
Nothing will change on OSNews, so expect more teasers to be not to everyone’s liking.
Shoot, my bad. I made the wrong assumption that the title was provided by OS News. Please mod down this and my previous comment.
Yeah, except that the original author provided a context for his headline in the rest of the article and thus provided enough nuance. Additionally, taking cover in the fact that others provide equally misleading headlines is just as disappointing.
If you are an editor, as you claim to be, your job is to edit for clarity and thoroughness. But you are no such thing. You are a young kid with a big ego as revealed by your attempt to elevate yourself by using language such as “sonny”.
If one day you want a job a bit more consequential than “OSNEWS editor”, you would do well to work towards fairness and objectivity. In doing so, taking the comments of your readers to heart would be a welcomed first step.
If you are an average desktop user with no knowledge of security, then you are using Fedora or Ubuntu (not sure about those other distros like Linspire/Xandros et al). When you see the little icon that says “updates are available”, click it.
That merits an OSNews article?
It does not? Does this article merit your arrogance?
>require a CLI. Ergo, my mother (forget my grandmother) won’t be able to
I think it has more to do with the ability to make the material engaging, than the basic intellect of the audience.
If people speak, they’re doing an awful lot more processing than the relatively simple CLI.
Bad Article Titles – Are They Ready for the Average Flamewar?
This guy is saying, “don’t trust your distribution to have good security settings, audit the system yourself.” The suggestions this guy makes are either obvious or pointless. Those find commands will merely create large text files full of files that should be world-readable. If he wants to write a really good article, he should write a script that does what he says (including the “check for anything that…” stuff) and post it.
The worst thing to do in the security/quality business is to overwhelm the user with false positives. The user will be trained to ignore the real problems. Ergo the compulsive “Next” clicking in Windows wizards.
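An added example, not part of the article or of any comment here: one way to keep a set-UID/set-GID audit from drowning the reader in expected entries is to review the list once, save it as a baseline, and report only differences afterwards. Function names and the baseline path are hypothetical, and it uses `-xdev -type f` rather than the article's `! -fstype proc ! -type l`.

```shell
#!/bin/sh
# Added example: report only CHANGES in the set of set-UID/set-GID files,
# relative to a baseline that was reviewed once by hand.
# Function names and file arguments are hypothetical.

# Print every set-UID or set-GID regular file under directory $1, sorted.
# -xdev stays on one filesystem, so /proc is skipped; separately mounted
# filesystems (/home, /usr, ...) need their own call.
list_privileged() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null |
        LC_ALL=C sort
}

# Record the current list in file $2 (review it before trusting it).
save_baseline() {
    list_privileged "$1" > "$2"
}

# Compare directory $1 against baseline file $2.
# Prints "+ path" for newly privileged files and "- path" for entries that
# vanished or lost the bit. Returns 0 when nothing changed, 1 otherwise.
audit_changes() {
    current=$(mktemp) || return 2
    list_privileged "$1" > "$current"
    added=$(LC_ALL=C comm -13 "$2" "$current")
    removed=$(LC_ALL=C comm -23 "$2" "$current")
    rm -f "$current"
    if [ -n "$added" ]; then printf '%s\n' "$added" | sed 's/^/+ /'; fi
    if [ -n "$removed" ]; then printf '%s\n' "$removed" | sed 's/^/- /'; fi
    [ -z "$added$removed" ]
}

# Typical use as root (the baseline path is a placeholder):
#   save_baseline / /var/lib/suid.baseline     # once, then review the file
#   audit_changes / /var/lib/suid.baseline     # from cron; output = changes
```

An empty report with exit status 0 means the privileged-file set is unchanged, so anything printed is worth a look.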
…a year ago on osnews, anyone who pointed out that Linux may not be quite ready for the “average” user would have been verbally abused.
At least now, when some tech-head writes a Linux article (purportedly targeted at the “average” user), everyone is quick to point out how user-un-friendly this all is.
Agreed there Paul! I’ve been getting the feeling the attitude towards *nix in general finally shifting to something a bit more realistic…
Perhaps finally people are realizing that the “Average” user is going to respond with a whole bunch of four letter words when you feed them commands like:
find / ! -fstype proc -perm -4000 ! -type l -ls > find_uid.log
find / ! -fstype proc -perm -2000 ! -type l -ls > find_gid.log
ANYONE who thinks that is “Ready for the average user” deserves a good *WHAP* upside the head, even if it is something the user “Only has to do once”
There used to be an old saying about the Mac, that “The first week you own it you’ll be amazed by what it can do, for the rest of your life you’ll be amazed by what it can’t do…”
I think linux has assumed that mantle with a minor modification: “The first week you own it you’ll be amazed by what it can do, for the rest of your life you’ll be amazed by what it can’t do without endless hordes of cryptic entries from the command line.”
Re: “I think linux has assumed that mantle with a minor modification: “The first week you own it you’ll be amazed by what it can do, for the rest of your life you’ll be amazed by what it can’t do without endless hordes of cryptic entries from the command line.”
Not all distributions require use of the command line otherwise called Bash or the Terminal. Several distributions are just as easy to use as Windows XP is. The reality is that Linux is just the kernel and not all Linux distribution developers have “ease of use” at the top of their list when packaging the distribution with their own tools. Though claiming that using Linux (as in general to all distributions) requires cryptic commands is a clear indication you either have no idea of what you’re commenting on or are severely misinformed.
> Though claiming that using Linux (as in general to all distributions) requires cryptic commands is a clear indication you either have no idea of what you’re commenting on or are severely misinformed.
You did READ the article in question, right? Ok Mr. Smart guy, how many distros let you view the set-UID and set-GID status of programs in one list without going to the command line?
The article is full of examples on how NOT to tell an ‘average user’ how to do things, much less go into things the average user really has no business DOING IN THE FIRST PLACE… Don’t tell them CHMOD from the command line, show them how to do it from Konqueror, Galeon, or whatever flavor GUI file manager they are using. He talks about securing Apache, something I would not even expect the “average user” to even be RUNNING in the first {censored} place… The average user should never have to even THINK about doing something like “/etc/rc.d/rc3.d/*sendmail* restart” or dealing with the postfix vs sendmail thing, and yet since most every damned mail client relies on one of the two instead of handling it ITSELF you need to dig in to configure the thing to “secure it”…
The article aside, the first time the ‘average’ user tries to get a driver working they’ll curse you out like a sailor, say “{censored} this” and go back to XP or go buy a Mac. The FGLRX or NV drivers for example (which it seems 90% of the distros don’t even come with by default), yes both have added a GUI panel once you get them running… But when you have a package manager that ‘installs’ the package then the user has to go in and do “lsmod -grep nvidia” then switch to root, do “init 3” to switch the runlevel, then rmmod nvidia just in case a kernel module is present… etc, etc, etc, you get the idea…
Cracks me up on here, if this article was another about flaws in Windows, so many would be saying great piece, blah blah.
But dare to suggest any weakness in Linux, people bitch saying bad article and should be pulled etc etc.
No OS is safe and they all have good and bad points and as always if a user knows his system, you can prevent against most of it, even with windows dare I say it.
Chill out…
Well, duh. It’s quite a known fact this website has an anti-Linux_desktop agenda as well as a pro-Apple agenda. Basically Apple can’t do bad here. Kinda like Slashdot is on Apple and Google.
It seems a good article for the most part, but he sure dismisses PHP quickly. The impression I get is more that he has a personal problem with it than any real justifiable reason to declare that it should never ever be used no matter what. I mean, that’s a pretty damn strong thing to say.
why ? is your mother retarded ?
does she not know how to read the fucking manual ?
take her pc off her, she is too fucking dim to own one
Regardless of the OS it’s running, a PC will generally be a lot safer if you have a firewall of some kind between you and the internet. That can be a little hardware box (a fairly good choice for nontechnical home users) or a dedicated machine — it really doesn’t matter.
It’s a lot harder for a thief to break into an individual house if they can’t get past the community gate…
This headline is…
1) intentionally misleading and false
2) designed to attract readers not tell the truth
3) drama and FUD
This is what I and many others have come to expect from OSnews as of late.
Linux security is a nonissue for the average user, but it becomes an issue if that user also administers their own machine.
In a business context, assuming the presence of a competent admin staff, most “users” won’t be impacted by security issues at all.
Let’s try to keep the terminology straight.