Linux vs Windows on Security
Windows had a bad reputation back in the day. Viruses like Slammer and MyDoom really fucked with Windows' reputation. These were Windows 2000 and Windows XP vulnerabilities, in code that still sits at the core of the Windows operating system used today. These days Windows has a firewall, User Access Control (UAC) to stop people running as root all the time, and a little bit of sandboxing. It also has reporting tools with benefits equivalent to Linux's log files. With Windows 8 we're going to see an AppStore: a trusted location for downloading and installing software, which means you won't have to "trust" random websites and their credibility when it comes to trying new things out. All of these, combined with the fact that we're all hiding behind in-house routers these days, will have a huge impact on stamping out virus infections on Windows.
So can we all admit that Windows is now as secure as Linux?
I can't. Windows is slowly starting to implement the best practices that Linux adopted first, but there are still some holes remaining and some technologies not yet implemented, which means Linux has closed off some attack vectors that Windows hasn't. I'm going to talk about just one.
SELinux, or "Security Enhanced Linux", is a feature of the Linux kernel that effectively allows it to act like a firewall for kernel syscalls. During normal operation, programs say to the operating system "read this file" or "listen on this network port". SELinux allows applications to have a security policy associated with them, telling the OS which system calls they are allowed or expected to make and which ones they can't. A buffer overflow in a piece of software can allow arbitrary execution of commands: someone connects to your webserver, exploits the bug and uses it to make Apache read the password file and send it out remotely. SELinux can say "hey man, this is not what I expected from you. Denied!". It's a pretty cool technology and it can really make the difference to the security of your public services. Until Windows gets it, Linux is still a step ahead in the underlying security technologies. It's still got fundamentally better security than Windows at a technical level.
If you'd like to learn more about SELinux the RedHat documentation is available here or here.
A Simple Security Checklist
Finally, moving away from the Microsoft grilling, here are some basic things to consider when looking at the security of your Linux machine:
- turn off services you don't use
- if you use ssh consider moving to keys rather than passwords
- learn iptables and write aggressive firewall rules
- install fail2ban alongside ssh to block brute force attacks
- look for portknocking software that prevents your server broadcasting private services
- ensure services are running as the correct users and not root
- turn on SELinux so that compromised services still can't make unexpected syscalls or requests to read files they typically wouldn't in normal operation.
- keep an eye on your log files, especially the auth log.
- for laptops use full disk encryption such as LUKS
- use decent passwords
- disable root login if possible
- use VPNs on public networks if possible
- update regularly to ensure protection against the newest attacks
- password protect your BIOS and set the boot order to hard disk first
- only install software from trusted sites, and use caution when copying commands from tutorials you don't understand
- audit your system regularly to look for unusual behaviour
Some of these, such as the BIOS protection, aren't guaranteed to prevent certain attacks but help mitigate some casual ones. If someone has physical access to the device it can be pretty hard to prevent them abusing it; that kind of attack is very hard to stop.
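As an added example (not from the original post), here is a small Python parser for the AVC denial records SELinux writes to the audit log. It ties the Apache-reads-the-password-file scenario above to the "keep an eye on your log files" item: it separates denials SELinux actually blocked from ones it only logged in permissive mode. The log lines are constructed samples, not real captures, and a missing permissive field is assumed to mean enforcing mode.

```python
import re
from collections import Counter

# AVC denial records as SELinux writes them to /var/log/audit/audit.log when it
# blocks (or, in permissive mode, merely logs) an action that policy does not allow.
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return a dict for one AVC denial line, or None if the line is not an AVC denial."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    rec = {"perms": m.group("perms").split()}
    for key, val in FIELD_RE.findall(m.group("fields")):
        rec[key] = val.strip('"')
    # A context is user:role:type[:level]; the type (httpd_t, shadow_t, ...) is what policy keys on.
    for ctx, out in (("scontext", "source_type"), ("tcontext", "target_type")):
        parts = rec.get(ctx, "").split(":")
        rec[out] = parts[2] if len(parts) > 2 else ""
    return rec

def summarize(lines):
    """Count denials per (source type, target type, object class, permissions).
    permissive=0 means SELinux blocked the action; permissive=1 means it only logged it.
    Lines without a permissive field (older kernels) are assumed to come from enforcing mode."""
    blocked, logged_only = Counter(), Counter()
    for line in lines:
        rec = parse_avc(line)
        if rec is None:
            continue
        key = (rec["source_type"], rec["target_type"], rec.get("tclass", ""), " ".join(rec["perms"]))
        if rec.get("permissive") == "1":
            logged_only[key] += 1
        else:
            blocked[key] += 1
    return blocked, logged_only

# Constructed sample: a compromised httpd worker trying to read /etc/shadow twice (blocked),
# one outbound connection attempt logged under permissive mode, and an unrelated auth record.
SAMPLE_LOG = [
    'type=AVC msg=audit(1350000000.101:45): avc:  denied  { read } for  pid=2101 comm="httpd" name="shadow" dev="sda1" ino=131175 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=0',
    'type=AVC msg=audit(1350000000.102:46): avc:  denied  { read } for  pid=2101 comm="httpd" name="shadow" dev="sda1" ino=131175 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=0',
    'type=AVC msg=audit(1350000000.103:47): avc:  denied  { name_connect } for  pid=2101 comm="httpd" dest=3306 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket permissive=1',
    'type=USER_AUTH msg=audit(1350000000.200:48): pid=2250 uid=0 auid=1000 ses=3 exe="/usr/sbin/sshd" acct="alice" res=success',
]

if __name__ == "__main__":
    blocked, logged_only = summarize(SAMPLE_LOG)
    for label, counts in (("BLOCKED", blocked), ("LOGGED ONLY (permissive)", logged_only)):
        for (src, tgt, cls, perms), n in counts.items():
            print(f"{label}: {src} -> {tgt} ({cls}: {perms}) x{n}")
```

Run it against your own audit log with `summarize(open("/var/log/audit/audit.log"))` to get a per-domain picture of what SELinux is refusing; a sudden burst of denials from a web-facing domain is exactly the signal the SELinux paragraph describes.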