Setting up a New Unix Workstation
Situation: Being Your Own System Administrator
If you've just inherited a Unix machine or built your first Linux workstation for your own personal use, there's a good chance you're feeling a little overwhelmed trying to cover all the bases of operating system security.
Every operating system has some inherent security flaws in the shipped version, and Unix is no exception. Unfortunately, there are so many Unix and Linux variants that it is nearly impossible to give a step-by-step guide to setting up your new workstation without knowing the specifics of your computer. Nonetheless, there are some basic steps that will point you in the right direction.
Basic Unix/Linux Security
- Before You Connect to the Network:
- Pick a good root password. Only the system administrator should know the root password.
- Shut down any services you don't need. This gives attackers fewer ways to attack your workstation.
- Grant sudo access to trusted users. Sudo allows you to give limited superuser (root) access to trusted individuals. Not only is the level of access customizable, but sudo leaves a trail in the logs, making it easier to see who's doing what to the machine.
- After You Connect to the Network:
- Patch your operating system. This is always the first thing you should do when you connect to the network.
- Install log monitoring software and configure it to email reports to your system administrator. Your log files are your best line of defense in tracking down problems, and are almost always changed during a break-in. Emailing your logs to another computer ensures that you always have an unedited copy, no matter what happens on your computer.
  Most Unix and Unix-like operating systems allow you to specify an email address to receive system log information on a separate machine. This can usually be found in the syslog.conf file or something similar. Many system administrators choose to install third-party log monitoring software for a more robust feature set. These software packages typically allow you to receive log reports at a separate email address as well.
- Install TCP Wrappers. Most Linux distributions come with this package, while most vendor Unixes do not. TCP Wrappers act as a sort of guest list for your services, keeping track of which IP addresses have connected to your machine and allowing "friendly" machines in while rejecting unknowns.
- Use Secure Shell (SSH) and Secure Copy (SCP) instead of telnet, rcp, rlogin, and the like. SSH and SCP encrypt all packet transfers, helping to keep your data, including your passwords, safe.
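The sudo and log monitoring items above both depend on actually reading the trail the logs leave. The following is an added example, not part of the original page: a small report that counts sudo use per user and failed SSH logins per source address. The function names, sample lines, log path and mail address are all assumptions made for illustration.

```shell
#!/bin/sh
# Constructed sample lines in common syslog format (not from a real host).
sample_log() {
cat <<'EOF'
Mar  3 09:14:02 ws1 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/apt update
Mar  3 09:20:11 ws1 sshd[2211]: Failed password for invalid user admin from 192.0.2.10 port 50122 ssh2
Mar  3 09:20:15 ws1 sshd[2211]: Failed password for root from 192.0.2.10 port 50124 ssh2
Mar  3 10:01:44 ws1 sudo:      bob : TTY=pts/1 ; PWD=/tmp ; USER=root ; COMMAND=/bin/cat /etc/shadow
Mar  3 10:05:00 ws1 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/systemctl restart sshd
Mar  3 10:30:09 ws1 sshd[2290]: Failed password for root from 198.51.100.7 port 40022 ssh2
Mar  3 10:31:00 ws1 sudo:  mallory : user NOT in sudoers ; TTY=pts/2 ; PWD=/home/mallory ; USER=root ; COMMAND=/bin/su
EOF
}

# Read syslog lines on stdin; print "<kind> <who> <count>" per line, sorted.
log_report() {
    awk '
    / sudo: / && /COMMAND=/ {
        # The invoking user is the field right after the first "sudo:" tag.
        for (i = 1; i < NF; i++) if ($i == "sudo:") { user = $(i + 1); break }
        if ($0 ~ /NOT in sudoers/) denied[user]++; else ok[user]++
        next
    }
    /sshd\[[0-9]+\]: Failed password/ {
        # Search from the end: the user name is attacker-chosen and may
        # itself contain the word "from".
        for (i = NF - 1; i > 0; i--) if ($i == "from") { src[$(i + 1)]++; break }
    }
    END {
        for (u in ok)     print "sudo_ok", u, ok[u]
        for (u in denied) print "sudo_denied", u, denied[u]
        for (s in src)    print "ssh_fail", s, src[s]
    }' | LC_ALL=C sort
}

# Assumptions: a mail(1) client is installed, the log path varies by system,
# and the address is a placeholder for a mailbox on another machine.
# log_report < /var/log/auth.log | mail -s "daily log report" admin@example.org
sample_log | log_report
```

Run from cron on the workstation, the commented-out line sends the summary off the machine, which is the point of the advice above about keeping an unedited copy elsewhere.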
Where to get help
The CITES Help Desk does not support Unix or Linux, but they can point you in the right direction. Depending on your University affiliation (faculty/staff or student) and who owns your workstation (you or the university), they will probably send you to CITES Systems Management Group or Departmental Services. Both groups offer hands-on help for an hourly fee.
CITES SMG also maintains short security primers for most varieties of Unix.


