Saturday, October 31, 2009

Linux frequently asked questions for newbies

Many Linux users pride themselves on being highly technical geeks. And, while that's great for finding people to contribute code patches to projects, it means that a lot of first-time Linux users get branded a "newbie" and are made to feel stupid when they ask fundamental questions about things we take for granted.

To be blunt, that situation sucks. If people have honest questions about Linux, we need to be helping them find answers, and we need to do so without sarcastic comments, without "RTFM" and without telling people "just use Google."

Here at TuxRadar, and in the magazine behind the website, Linux Format, we get a lot of really basic questions from new users.

We've taken the most common questions and printed them verbatim below, providing Plain English answers along the way, trying to simplify technical information as much as we can.

We didn't write the questions, so more experienced users might look at them and think "wow, that's a stupid question," but if you're a newbie asking Linux questions or if you have friends asking you questions that you don't have time to answer, we hope this information will prove useful.

For people with a little more time on their hands, we've put together a big collection of links to further articles that explain more about all sorts of Linux topics - click here to jump straight to the recommended reading section.

Over time we'll be adding more content here - you're welcome to submit questions below and we'll try to help! The permanent URL for this page is:

General questions

What is Linux?

The name "Linux" is usually used to mean a complete operating system, like Microsoft's Windows or Apple's Mac OS X.

But really, deep down, "Linux" is just the bit that looks after your computer: it runs programs, it stores information in your RAM and on your hard disk, and it also provides support for things like connecting to a network.

Linux by itself, known as "the kernel" because it's the true core of any desktop system, isn't very interesting.

It doesn't have a graphical user interface. It doesn't let you chat to your friends online. And it certainly won't open any Microsoft Office documents!

Instead, all these services are provided by applications that are designed to run on top of Linux.

Because just giving someone the Linux kernel is pretty much useless, a lot of people have taken the time to put it together with lots of other programs, utilities, tools and documentation to produce something that is useful.

Each of these combinations of software is called a Linux distribution (usually shortened to "distro"), and, because people choose different kinds of software or target different kinds of users, there are lots of different distros around.

We have an article online that can teach you more about how the Linux kernel works - check it out!

Who created Linux?
Linux was created in 1991 as the personal project of a Finnish student called Linus Torvalds, and since then it has grown quickly as other people (and, later, companies) joined in its development.

Linux was originally written to work only on Intel CPUs, but since then has been made to work on dozens of different computer architectures - many phones run Linux, for example. 

Why is Linux free?

Nearly all the Linux distributions in the world are free, meaning that they cost $0 to install and use on your computer.

The reason for this is that all Linux distros take their software from the same pool - if one distro has a really awesome program, chances are 50 other distros also have exactly the same feature, so if a company tried to sell their version of Linux people would just go elsewhere.

The big upside to all this is that if you ever decide you don't like the direction one distro is taking, you can jump ship and try a different one - you'll find all the same software there ready for you. 

What's the difference between free software and open source?

The term Free Software was coined to mean software that came with freedoms that you otherwise would not have had.

For example, if a program is Free Software it means you can download its source code, modify it, sell it and all sorts of other good things.

But, a Free Software application doesn't necessarily have to have zero cost. This is where a lot of people get confused, so the most common explanation is "free as in speech, not as in beer."

If you're completely lost now, let us explain. You have free speech in this world. That doesn't mean you pay $0 for the right to talk; instead, it means that you have the freedom to say what you want.

Conversely, if I give you a free can of beer, that beer does have zero cost - the beer doesn't have any freedoms to express its opinion!

So when people say Free Software they mean "free" as in "freedom", not "free" as in "cost". Yes, most Free Software does cost nothing, but it's not required.

Because of this mixup between free speech and free beer, another group of people came up with the term "open source".

This was originally meant to have the same meaning - that someone could download the source code to a program and do what they want with it - but a lot of people have since misinterpreted that too!

For most people, Free Software and Open Source mean exactly the same thing. Open source has slightly looser restrictions in its definition, which means that a Free Software program is also open source, but an open source program is not necessarily Free Software.

Why is Linux open source?
One of Linux's many advantages is that it is developed by thousands of programmers around the world. Intel, IBM, Oracle, Google, HP, AMD, Nvidia, Dell, Cisco, Nokia, Motorola and more all help contribute to Linux precisely because it is open. Intel wants its CPUs, its graphics chips and its network cards to work perfectly on Linux, so it writes the programming code itself and gives it away as part of Linux. As a result, you can be sure you're getting the fastest and most stable experience around!

The other advantage to Linux being open is that no one vendor can control it - no one can pull it in one direction, because everyone works together.

Why is Linux popular?
There are lots of reasons for Linux's popularity, but the main one is that it gives you a huge amount of software to work with completely free of charge.

If you want to render 3D models, Linux has a program for it.

If you want to mix music or edit a podcast, Linux has a program for it. If you want to edit Microsoft Office documents, organise family photos, chat to your friends, burn CDs and DVDs, watch movies, edit images or do just about anything, Linux has a program for it. And it's almost certainly free!

Linux is also very popular among people who need rock-solid stability no matter what. Linux is secure by default, which means it's very, very hard for someone else to damage your computer remotely.

Most Linux users don't run virus checkers, because Linux is almost immune to these sorts of common problems.

One area where Linux's stability is very highly valued is on servers, because these usually run for years at a time without being restarted.

Finally, Linux is also extremely popular with computer programmers, because it comes with a huge range of tools for making your own programs. Most people don't need to worry about this, though!

What is the GPL?
GPL stands for "General Public License", and is a software licence that lets people download, modify and distribute the source code to a program.

The GPL is the most common licence used on Linux, which is why you get all the software at no cost and also why you can install it on as many machines as you want.

There are lots of other licences in use, but the GPL is by far the most popular.

How does Linux make money?
This is a very, very common question, but let us start by clarifying something: Linux is just some software - it won't make money all by itself.

What the question really asks is "how do people who work on Linux and other Free Software programs make any money?"

There are two answers to that question. First, many companies pay developers to work on Free Software programs, and they do that because they make money from selling support to end users.

So, while you get all the software for free, if you ever have a problem and want to pick up the phone and talk to someone, you can pay a company to provide that support to you.

As you can imagine, this is most common in big companies that need 24x7x365 technical support and will pay whatever it takes to ensure their computers work properly.

The other answer to the question is that a lot of Free Software developers don't make any money at all, at least not from their Free Software work.

But that's OK, because nearly all of them do it for fun - often they work as computer programmers in their day job, and when they get back home they want to work on something they really enjoy.

When these people get together, some really awesome software comes out!

Why is Linux different?
One of the big advantages to Linux is its openness. If you choose one distro and find it doesn't suit you in the future, you're not stuck with it.

Or if the developers behind it try to make changes that no one else likes, the users can go somewhere else to get their software - it's all shared!

This is very different to the traditional software model used by both Microsoft and Apple where they (and only they!) can provide upgrades to their operating system, and if you find the latest version of Windows runs slowly there's not much you can do!

Why is Linux a penguin?
Who is Tux?
That penguin, called Tux, is the official mascot of Linux; Linus Torvalds became fond of penguins after being bitten by one at a zoo.

The name is quite fitting given the tuxedo-like appearance of the penguin's colours, but it also (retroactively) stands for Torvalds' UniX.

Why is Linux so hard?
Why is Linux so complicated?
Lots of newcomers to Linux find it very hard at first, but that's OK - it's OK to be a newbie, because everyone was there once and we're here to help you get up to speed.

Linux certainly can't be described as "easy", but really it's only a little bit harder than Windows.

The reason it seems so complicated is that most people have learned how to use Windows previously, and Linux does many things differently from Windows, which means you need to learn some of the basics again.

The main problem people have when switching to Linux is learning how to install software.

On Windows, people are very used to double-clicking setup.exe files for programs they downloaded from the web.

On Linux, this doesn't happen very often because most people install software using their package manager.

The reason for this is simple: when you install a program through your package manager, it will automatically keep you up to date with fixes and security updates as they are issued.

It's quite like Windows Update, except it works for every program on your computer rather than just the operating system!

Is Linux worth it?
If you're asking, "is Linux really worth all the time it takes to learn?" the answer is "definitely, yes!" Put simply, Linux is completely free (and is always going to be), very secure and very fast. If you want to run Linux on a brand-new, high-speed gaming system, it'll do that just fine.

If you want to run it on a really old Pentium with 32MB of RAM, it'll do that too. Thanks to having more developers than any other operating system in the world, Linux has the power to do just about anything you need.

Everything you learn about Linux will be useful for years to come, and we think you'll feel very welcome in the Linux community!

The nice thing about free software is that it doesn't hold you back from doing anything. If you want to learn something new, just look in your package manager and you'll find some world-class software in there ready for you to use and enjoy.

The only thing holding you back from trying anything with your computer is your time!

How can I make my own programs for Linux?
We have written lots of tutorials to help people learn how to program in Linux, and there's something for all levels. Try one (or all!) of these:
  • If you're a complete beginner, this tutorial teaches you coding from scratch by making a game.


Why is Linux better than Windows?

There are lots of reasons that Linux is better than Windows. Here are a few:
  • Linux is free! It costs you $0 to install it on as many machines as you want. There's no Linux Home, Linux Premium and Linux Ultimate - it's all there for you to have.
  • Linux is secure! It comes configured for maximum security out of the box, which means you don't need to buy separate software such as firewalls, virus checkers and anti-malware programs.
  • Linux is fast! Whereas Windows Vista needs at least 2GB of RAM to run comfortably, Linux runs just fine on computers from five years ago. As a result, if you install Linux on a new computer, it runs blazingly fast, and won't get slower over time.
  • Linux is stable! That means it's very, very hard to crash. Ordinary users can't damage the system - in fact, they can't change anything that doesn't belong to them unless they enter the system administrator's password.
  • Linux loves your hardware! Because Linux comes with thousands of drivers pre-installed, a huge amount of hardware - even the very newest stuff - works as soon as you plug it in.
  • Linux gives you choice! If you don't like your web browser, change it. If you don't like your office suite, change it. In fact, Linux offers you alternatives for just about everything, so you can choose what works best for you.
Don't underestimate the importance of cost. It's only when people add up the cost of Windows + Microsoft Office + Security software + Games + Any other applications they buy that they realise how much running Windows really costs.

Why is Linux more secure than Windows?
The main reason that Linux is more secure than Windows is that it was designed that way. You see, Linux inherited a lot of its design from an earlier system called Unix, which was designed to handle lots of users connected to the same computer all at once.

This was back before the idea of everyone having their own computer became a reality. With lots of people logged in at the same time, Unix was developed to make sure no one user could affect what other people were doing, which meant that it had to balance the computer's resources fairly and also ensure that users couldn't hack into each other's accounts.

So, way before the internet took off, Unix was designed for security. Linux, because it inherits Unix's design, was secure from the very beginning, and its paranoid nature makes it perfect for use on the internet - Linux trusts nobody, which means hackers stand a very small chance of damaging your computer.

Another reason why Linux is more secure is that it is built around the idea that a normal user shouldn't be able to break the computer.

This means that if you want to do anything that might potentially damage things - such as deleting important Linux files - you need to enter the password for the system administrator.

Even if someone managed to gain access to your account, they wouldn't be able to destroy your system because Linux wouldn't let them.

You could let a five-year-old loose on Linux for hours, and the worst they could do would be to change your desktop background!

Is Linux faster than Windows?
Yes! Linux has been tuned to run on a huge variety of computers, down to the very smallest devices - IBM once made a wristwatch that ran Linux!

Because of the need to run on so many different kinds of computers, Linux is very highly optimised - any computer with at least 512MB of RAM should run Linux perfectly, with 256MB being the minimum for general desktop use.

If you have an older computer, there are Linux distros that use extra-light versions of programs so that they can get by just fine on 32MB.

In comparison, Windows Vista needs at least 1GB of RAM to be comfortable, with many users reporting that at least 2GB of RAM is needed to make Vista run at any speed.

This is probably why you don't see any netbooks with Windows Vista installed!

If you're already using Linux and want some tips on how to make Linux faster, read our article!

How does Linux compare to Windows?
How does Linux compare to Windows Vista?
How does Linux compare to Windows 7?
These are very wide questions, so let us try to narrow them down a little bit: you probably want to know, "how is Linux different from Windows?" And the answer is that there are lots of differences:
  • Linux is completely free, along with the applications that run on it. You don't need to pay protection money to Symantec. You don't need to pay for upgrades. You don't even have to pay for technical support if you don't want to, because there's such a huge community of people willing to help for free!
  • Linux is designed to be scalable, which means that some of the world's most powerful supercomputers run Linux, and if it's good enough for them it's definitely good enough for your desktop!
  • Linux can run for weeks - even years - without being rebooted. It's designed so that programs don't get slower over time, which makes it a great choice for home users who want things to Just Work.
  • Linux comes in all sorts of varieties, so you can choose the flavour that's just right for you.
Comparing Linux against Windows 7 is a bit different, because when people ask this question they usually mean "what features does Windows 7 have that Linux doesn't?", and the answer is "hardly any."

Because anyone can create an open source project to do whatever they want, nearly all of Windows 7's "new features" have existed on Linux for a long time. Touchscreen support? Done. Multi-core optimisation? Done.

Faster booting? Done. Gadgets? Done. SSD support? Done. And these features aren't just half-baked hacks - Intel works on the code to make Intel CPUs work better, and no one knows CPUs better than they do.

We have an article online that provides a comparison between Windows 7 and Linux - you should read that to learn more.

What can Linux do that Windows can't?
This is a tricky one to answer, because, in the spirit of openness, many Linux programs have been made to work on Windows.

Firefox and, for example, are the primary web browser and office suite on Linux, but both have Windows versions.

That said, there are lots of programs that come as standard on Linux that will be completely new to Windows users - here are some examples:
  • Tomboy is a note-taking application with a difference: it links your notes together just like Wikipedia.
  • Compiz is a super-shiny graphics engine that can put your desktop on a cube, make windows float and wobble, and more.
  • Gnome Do is a learning program launcher that lets you control your computer just by typing.
  • Tasque is a to-do list manager that automatically syncs your jobs with a web server.
But ultimately the only limit to what Linux can do is you! You don't need to pay for a separate CD and DVD burner, because Linux comes with one.

You don't need a separate program like Photoshop for creating images, because Linux comes with one. The magic is that Linux comes with all these things out of the box - you don't need to buy software to make your computer do what you need, because it's the default under Linux.

Will Linux beat Windows?
We think it's only a matter of time. Several years ago, Microsoft made a big mistake: it said that no one would choose over Microsoft Office 2003, because was only as good as Office 95.

Now, clearly Microsoft wanted to understate how powerful is, and also it has moved in the years since that comment, but the real problem for Microsoft is that even if were only as good as Office 95, that's more than enough for most users.

Most people just want to write some letters and maybe manage their home expenses, and has done that just fine for years. Why would anyone want to pay for Microsoft Office?

You see, Linux users who want all the very latest and greatest features can have them - there's no shortage of innovation on our platform.

But most people just want computers that work, and Linux already does that, for free, and it's more secure and faster.

We believe it's only a matter of time before people get off the Microsoft treadmill for good.

Where's my C:\ drive?!
Does Linux store its files like Windows does?
Linux stores its files a little differently from Windows. In older days, Windows used "C:\" to represent the first hard disk.

The first floppy disk, on the other hand, was "A:\" - that doesn't exist any more, but the old "C: drive" name still remains.

In Linux, everything falls under one tree-like hierarchy, starting with the root directory: /. User files are kept in "/home/username", making directories like /home/paul and /home/andrew.

Any USB flash drives you plug in will appear in /media.

Similarly to Windows, Linux has the idea of a desktop where you can drop files that you use frequently.

It also has a Documents folder where you can store your files if you want to, but many people just end up putting things in their home directory.

When you install software, Linux will ensure the files get to the right places - you don't need to worry about the Linux equivalent of the Program Files directory, because it's all handled by your package manager.

We have an article online dedicated to teaching people how the Linux filesystem works - check it out!


Is Linux compatible with Windows?

Can Linux run Windows programs?

Will Linux run Microsoft Office?

Can Linux run Windows games?

Does Linux support iTunes?

Can Linux play World of Warcraft?

By default, Linux runs only programs that were made specifically for Linux. Fortunately, there are tens of thousands of these, so it's not usually a problem! But if there's a Windows program or game you really want to run, you need to use a special compatibility layer called Wine: this is designed to enable many common Windows programs, such as Microsoft Word, Spotify or Half-Life 2, to run on Linux.

Many apps work out of the box with Wine, often faster than they do on Windows. Others work less well, and still others don't work at all - you need to try it and see. Work is always taking place to improve Wine and make it compatible with more Windows apps, so each time you get a new distro you should try your old apps again to see if they have started working.

More specifically, yes, Wine can run Microsoft Office and World of Warcraft, but iTunes is a bit unstable. If you're looking for a good equivalent to iTunes on Linux, try Banshee, Rhythmbox, Amarok or Songbird.

Generally speaking, games on Linux won't look quite as good as they do on Windows - some graphical effects in World of Warcraft, for example, don't work on Linux yet. That said, work is taking place to make Linux every bit as good at gaming as Windows is.

Take a look at our article showing you how to run Windows software on Linux.

Will Linux run on a Mac?
Yes, Linux runs just fine on a Mac. The Ubuntu distribution has a great tutorial online about how to switch to Ubuntu from a Mac - you can read it here.

Will Linux run on a netbook?
Believe it or not, the first netbooks created ran nothing but Linux, so, yes, Linux absolutely works well with netbooks!

Intel itself puts a lot of effort into developing Linux for netbooks, so you'll find that Linux runs absolutely fine on all netbook models around. There are even some distros specially designed for netbook use, such as Ubuntu Netbook Remix.

Does Linux support NTFS?
Can Linux read FAT32?
Yes, out of the box.

What can Linux do on a PlayStation 3?
The original PlayStation 3 allows users to install another operating system, which basically means Linux. This option was removed in the Slim version of the PS3, but continues to work fine for the original models.

If you install Linux on your PS3, it becomes a full desktop computer - you just need to plug in a keyboard and a mouse and you're done!

How do Linux drivers work?
Linux supports more hardware than any other operating system in the world. Yes, that includes Windows.

Better yet, it does this by including support for these devices as standard, which means if you plug a new network card into your PC and start Linux, it should be automatically detected and configured - you don't need to download any drivers.

If some very new hardware is released, the Linux developers try to get support for it into the next release, so you may need to upgrade to a newer distro.

Will Linux work with my ISP?
Some ISPs may tell you that they don't support Linux, but what that means is that if you call their technical support line they can't help you.

However, nearly all ISPs work just fine with Linux because Linux is designed to support just about everything out there.

Generally, we tell people who want to be absolutely sure they'll be able to get their connection working that the best bet is to use an ISP that gives you a wireless router.

This is very common with DSL providers, and it means that any device - Linux or otherwise - can connect to the internet just fine.


Why does Linux not get viruses?

Why is Linux virus-free?

Does Linux need antivirus software?

There are several reasons why Linux is safe from viruses. For example:
  • As mentioned already, Linux doesn't let users damage the system by modifying important files. This is how viruses work: when they run, they copy themselves deep into the system so they can wreak havoc on your work. With Linux, this can't happen - a virus can't infect your system because it can't modify the files without your permission.
  • Unlike Windows, Linux doesn't let you double-click on files you downloaded from the web to run them. This is the source of many Windows problems - someone creates a virus-infected executable file called hello.txt.exe, and when users see it they think it's just called hello.txt because Windows hides the .exe extension. When they try to open the "text" file, they actually run the program. With Linux, you would see a warning message saying, "this file is executable. Do you want to display its contents or run it?"
  • Because Linux has so many different choices for programs, it's much harder for hackers to exploit particular situations. For example, even if it's possible that an Ubuntu user running Firefox could be infected with a virus somehow, that same virus might fail for users running Fedora and Konqueror, or OpenSUSE and Epiphany. As a result, the number of people that can be targeted with a Linux virus is smaller, so many hackers just don't bother.
There are many virus scanners available for Linux, but most of them are there to scan for Windows viruses.

The reason for this is that even though your Linux box is immune to nearly every virus in existence, it's possible that a Windows user could give you an infected file which you then pass on to someone else - it won't hurt you at all, but if you can clean the virus it helps protect those poor Windows users a bit more!
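The two checks described in the list above, a program hiding behind a document-style name such as hello.txt.exe and the separate executable permission that Linux asks about before running a file, can be applied to a downloads folder. This script is an added example, not part of the original article; the extension lists and function names are assumptions.

```shell
#!/bin/sh
# Added example (not from the article): audit a downloads folder for
#   1. names that dress a program up as a document, e.g. hello.txt.exe
#   2. files that carry an executable permission bit
# The extension lists and function names are assumptions made for this example.

DOC_EXTS="txt pdf doc docx rtf jpg jpeg png gif mp3"
EXEC_EXTS="exe scr bat cmd com pif vbs js sh run bin"

# in_list WORD "a b c": succeeds if WORD is one of the space-separated items.
in_list() {
    for il_item in $2; do
        [ "$il_item" = "$1" ] && return 0
    done
    return 1
}

# has_disguised_extension NAME: succeeds if NAME ends in <document>.<program>.
has_disguised_extension() {
    # Work on the lower-cased basename with whitespace removed, so padding
    # such as "report.pdf      .exe" cannot push the real extension aside.
    hde_name=$(printf '%s' "${1##*/}" | tr '[:upper:]' '[:lower:]' | tr -d '[:space:]')
    hde_last=${hde_name##*.}
    hde_rest=${hde_name%.*}
    [ "$hde_rest" = "$hde_name" ] && return 1   # no dot: no extension at all
    hde_prev=${hde_rest##*.}
    [ "$hde_prev" = "$hde_rest" ] && return 1   # only one extension
    in_list "$hde_last" "$EXEC_EXTS" && in_list "$hde_prev" "$DOC_EXTS"
}

# has_exec_bit FILE: succeeds if owner, group or other may execute FILE.
# Reads the permission bits directly, so the answer does not depend on
# who runs the audit or on how the filesystem is mounted.
has_exec_bit() {
    [ -n "$(find "$1" -prune -type f \( -perm -100 -o -perm -010 -o -perm -001 \) -print)" ]
}

# audit_dir DIR: prints "<reason><TAB><path>" for every flagged file in DIR.
audit_dir() {
    for ad_file in "$1"/* "$1"/.[!.]*; do
        [ -f "$ad_file" ] || continue
        if has_disguised_extension "$ad_file"; then
            printf 'disguised-extension\t%s\n' "$ad_file"
        fi
        if has_exec_bit "$ad_file"; then
            printf 'executable-bit\t%s\n' "$ad_file"
        fi
    done
    return 0
}

# demo: builds a constructed sample folder, audits it, then cleans up.
demo() {
    demo_dir=$(mktemp -d) || return 1
    : > "$demo_dir/hello.txt.exe"                     # disguised name, not executable
    : > "$demo_dir/holiday.jpg"                       # ordinary document
    printf '#!/bin/sh\necho hi\n' > "$demo_dir/installer.run"
    chmod +x "$demo_dir/installer.run"                # honest name, executable bit set
    audit_dir "$demo_dir"
    rm -rf "$demo_dir"
}

# Audit the directory given on the command line, or the constructed demo.
if [ "$#" -gt 0 ]; then audit_dir "$1"; else demo; fi
```

A freshly downloaded hello.txt.exe is flagged for its name but not for the executable bit, because a file saved from the web does not normally have that permission until someone sets it.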

Does Linux need a firewall?
It doesn't need a firewall, but it's always smart to have extra protection. However, if you're thinking, "great, I should go out and buy Symantec Ultra Firewall Plus Premium Pack 2010", please don't: your distro probably already comes with a firewall, it just doesn't need to shout about it with splash screens and such.

How can I reset my password?
If you have forgotten your user password, then there are two ways of resetting it. First, if you created a root user password, then just log in with the username "root" and your root password.

Then you should be able to amend the password for your normal user account to something that you can remember.

Alternatively, if you have no root password set, you need to reboot your PC and use the boot loader to make the change.

So, when Linux asks you what you want to boot up, press "e", choose the line starting with the word "kernel", then press "e" again, put the word "single" at the end of the line and press Enter to make it boot up.

When it's finished, run the command "passwd" to change the root password.


What is a distro?

A Linux distribution - usually just called "distro" - is a collection of software that aims to solve the needs of one or more kinds of computer user.

Many distros are for general desktop users, and come with a friendly user interface, office software, games and more.

Some are targeted just at system administrators, and so are optimised for use as web servers or database systems. Still others are for power users, and offer lots of control over system configuration.

Generally it's best to start with something very general, such as Fedora or Ubuntu, and go from there.

What is the difference between Linux distros?
All Linux distros take their software from a shared pool, then apply any customisations they want before passing the results off to users. The most noticeable differences are:
  • The choice of desktop: KDE and Gnome are the most popular, but Xfce and Enlightenment are also well used.
  • Many distros want at least 512MB of RAM, but some distros are able to work on much less powerful computers - some even run very nicely on just 32MB of RAM!
  • Some distros include support for proprietary codecs by default, such as playing MP3s and DVDs. This is against the law in some countries, so many distros don't do it as standard. Instead, users are given the option to download the extras.
  • Most distros have a distinct look and feel, often changing the default desktop theme and wallpaper or adding sound effects.
  • The most important thing is the choice of applications, because there are so many to choose from and most users really just want to get busy with their computer. So, distro makers choose what they think is the right blend for you.
If you'd like more information, you should read our article on how to choose the best Linux distro for you.

What is Ubuntu?
Ubuntu is one of the most popular distros at the time of writing. It's famous for its brown colour scheme, which might sound a bit dull but actually it's one of the slickest-looking distros around - a huge amount of work has been put into making everything work out of the box.

Ubuntu also has the largest user community of any distro, and has lots of websites devoted to providing news, support, documentation and friendly chat.

New releases come out every six months, and have a version number in the form Year.Month. So version 8.10 was released in October 2008 and 9.04 was released in April 2009.

Every two years, a Long-Term Support (LTS) Ubuntu is released, which is supported for at least three years - that means the Ubuntu developers will provide security patches for it.

Ubuntu comes on a single CD, which means it doesn't come with a lot of software by default. But that's OK, because it has over 18,000 packages available for download over the internet.

It also only comes with the Gnome desktop - if you want to use KDE or Xfce, you need to use special Ubuntu respins called Kubuntu and Xubuntu respectively.

There's even a special Ubuntu version just for netbooks, called Ubuntu Netbook Remix.

What is Fedora?
Fedora is a well-known Linux distribution that's really targeted at power users. It usually has features before any other Linux distro, which makes it popular among people who want the absolute cutting edge software - many of the more well-known Linux geeks, even Linus Torvalds himself, have said they prefer Fedora.

It is released twice a year, although smaller releases are made throughout the year for more specialist needs (known as "custom spins").

Fedora is best known as the distro behind Red Hat Enterprise Linux, which is the largest enterprise-ready Linux distribution around, and means that Fedora benefits from all the work that goes into making RHEL as good as possible.

What is OpenSUSE?
OpenSUSE is a popular Linux distribution that aims at a wide variety of Linux users. It is released every 8 to 10 months, and is one of the most heavily customised Linux distributions.

This is largely because the company behind OpenSUSE, Novell, employs developers that work across several key free software projects, and they usually work extra hard to get new features into OpenSUSE when new versions of the distro come along.

One of the big advantages to using OpenSUSE is that it has a central system administration tool called YaST that handles everything from setting up your mouse to running a web server.

But one of the big disadvantages to OpenSUSE is that it has so many customisations that people sometimes feel they need to learn it all from scratch!

What Linux is best?
Which Linux should I use?
Which Linux distro is right for me?
Every user is different, but fortunately all the distros are free to use so you can try all the popular ones and see which one suits you best!

To help you get started, we put together a guide to choosing the best Linux distro for you - we suggest you start reading there.


What are packages?

Linux software is nearly always distributed as packages, which are like setup.exe files on Windows or disk images (DMGs) on Mac OS X.

The difference is that a software package on Linux can contain a program, but might just contain software libraries that don't do anything by themselves - they just provide functionality that other programs can use.

The nice thing is that if one package needs five others to work, your distro knows that and will automatically install everything required to make the software work.

These extra packages are known as "dependencies" because the software is dependent on those packages to work.

To make the job of finding and installing software packages easier, nearly all Linux distributions come with special software called a package manager.

These let you search for software then install the bits that interest you. So, if there's something you want to install, just look in your package manager!

Where does Linux install programs?
Linux software installation is a bit different to that on Windows and Mac OS X. Rather than putting all of a program's files in one place, the files get placed in several locations depending on their usage.

For example, the executable files, libraries, help files and shared data files are all likely to go in different places.

Fortunately, this isn't a problem: it's the job of your package manager to remember where it put those files, so when you remove some software all those extra files will go.

How do I install new software?
Where can I find new software?
The answer to both these questions is "in your package manager." A package manager is basically a huge repository of programs that you can install on your Linux PC.

You can search by name or category (and often by popularity as well) to find the apps you want. The nice thing about installing software through your package manager is that it will also help you install updates when they become available.

How do I know which Linux programs are best?
Well, a good place to start is with our group tests:

What is Compiz?
Compiz is an advanced graphics system for Linux that adds 3D to your computer desktop and so enables all sorts of clever effects.

From wobbly windows through desktop cubes to windows burning up when minimising, Compiz has all sorts of neat effects that make Linux look incredible.

There are some helpful reasons for it, too, but mostly it's about making your desktop look slick! If you want to make your desktop look even better, try decorating it with one of our free Linux desktop wallpapers!

What is Gnome?
Gnome is one of the two most popular desktops for Linux. It tries to remain uncluttered with options, it has very strict user interface guidelines to ensure that programs are easy to use, and it places a strong emphasis on keeping out of your way so you can get stuff done.

Gnome comes with a huge number of programs and games, but is most commonly used with Firefox and

What is KDE?
KDE is the other of the two most popular desktops for Linux. It has been designed for maximum flexibility: if you take the desktops of two veteran KDE users, you'll probably find they are completely different!

But that means you get your computer, your way - just as you want it. KDE comes with many, many programs for doing just about everything, and you should definitely try its KOffice office suite.

If you're a KDE user, you should read our guide to making KDE 4 faster and better - it's full of helpful tips!

Can Linux open Word documents?
What is is the most popular office suite on Linux, and reads Microsoft Word, Excel and PowerPoint files perfectly.

Can Linux run Firefox?
Yes! In fact, most distros ship with Firefox as standard, ready to run. It looks and works just like Firefox for Windows, and all the same extensions work just fine on Linux.

Does Linux have games?
Many distros come with a small number of games to get you started, but there are thousands more you can play. If you have a particular hankering for a Windows game, you may find it works fine under Wine.

Does Linux have a registry?
Linux doesn't have a registry like the one you're used to with Windows. Instead, most applications store their configuration files somewhere in your home directory. If you use Gnome, you may find the gconf-editor program comes close to approximating the Windows registry.

Do Linux users need to defrag the hard disk?
We get asked this question all the time, and the answer is simple: no. Linux is smart enough to automatically defragment your hard disk as it goes, which means it never really gets fragmented in the first place!

You don't have to do anything: just use your computer normally and Linux will take care of the rest. Sometimes - particularly if your PC shuts down unexpectedly (ie, if you lose power suddenly!) - Linux may need to run a filesystem check, which is usually shortened to "fsck". This will only take a few minutes on the very latest distros and ensures that your system is restored back to the most stable state.

Recommended reading material

We've published lots of articles designed to help people get more from Linux, so have a read through these and see which ones interest you the most:

10 reasons why Windows 7 could fail

October 22nd is the big day for the official release of the latest iteration of the Windows operating system. Many have dubbed it the savior that will bring the glory days back to Redmond.

Many have said that it will pretty much wipe clean the foul stench left behind by Windows Vista. I, and a few others, think that Windows 7 will not be the success most pundits are proclaiming. How can I say that? I will give you 10 reasons why Windows 7 could easily fail.

1: It’s too much like Vista

I have yet to run into a PC user who actually likes Vista. Oh, there may be a few scattered fanboys out there who have decided that Aero is the prettiest of all interfaces and that the User Access Control is the be-all-end-all of security.

The truth of the matter is, Vista is a horrible operating system. And what’s going to surprise the public is that Windows 7 is a lot like Vista.

Oh sure, Microsoft has made a lot of changes under the hood. But average users won’t know that. They will see the Aero interface and the UAC and turn their noses up at the latest offering. And why not? Microsoft should have made a complete 180 from Vista.

Instead of improving on Vista, it should have picked up XP (the best of the Microsoft OSes) and given it a boost to hardware recognition and maybe added a prettier interface.

Unfortunately, Windows 7 is going to suffer simply because it looks and acts too much like Vista.

2: It will cost too much
People are going to be turned off by the cost of the operating system itself, as well as the cost of the minimum hardware requirements.

Yes, if your hardware can run Vista, it can run 7. But most people are still running XP, and that hardware won’t cut it with Windows 7.

Last I checked, we’re still in an economy that has people cutting back. Having to drop extra scratch on both an operating system and a new machine is going to be at the bottom of the list for most people. And most businesses are still clinging to XP.

3: XP is still too popular
Picking up where #2 left off… Windows XP is still the king of Microsoft operating systems. According to a survey done in February 2009, more than 71% of all business machines are still running XP.

A Forrester survey had suggested that Windows Vista would overthrow XP as the business operating system of choice.

That never happened. And the only way Microsoft will pull XP off of business machines around the world is when it reaches its end of life for support.

But did that actually stop users from using Windows 2000 altogether?

No. In fact, some people are still clinging to that version of Windows. But overall, XP is still the keeper of the crown for Windows operating systems.

4: The editions are too confusing
Which version of Windows 7 do you want? Oh, you thought Professional sounded like the best, only to find it doesn’t have features you need… so maybe it’s on to Ultimate.

And Starter sounds like it would be a good version to start with — as in “new to Windows” or “cheapest version.” But no, Starter is for netbooks. So you have to look at it like this:
  • Starter is for netbooks.
  • Premium is for those who want next to nothing.
  • Professional is for those who need to work from home and office.
  • Ultimate is what Windows should sell and nothing less.
I remember when Vista came out. Trying to get the version that included my name nearly required the creation of a matrix or a spreadsheet, and still many people came out with the wrong version.

5: No upgrades are available for XP (and Europe)
Hello XP users, you can’t upgrade. Only a clean install for you. Which, of course, is smart anyway — but that means you have to pay full price.

And guess what, European countries: Because you won a suit against Microsoft that prevents it from shipping Internet Explorer with Windows, you get no upgrade version for Windows 7.

Yes, Microsoft is going to offer the EU the full version for the upgrade price, but that price will still wind up being close to the full version price, if history repeats itself.

6: It’s no good for netbooks
The Starter version of Windows 7 is a joke. Yes, Microsoft did remove the “three apps at a time” restriction. But there are other limitations (beyond the hefty hardware requirements) that make it a poor candidate for netbooks:
  • No streaming media
  • No desktop customizations
  • No legacy app support
The first point is the real killer. Because most users don’t want to clog up their limited drive space with multimedia, not being able to stream media means they won’t be enjoying their tunes while they work. Too bad, Windows 7 users!

7: Single sign-on apps will fail
As it stands now, applications using biometric, smart card authentication and/or VPN authentication will fail unless they’re upgraded.

This could be a bad problem if the applications were created in house, or if they aren’t upgradeable.

The real problem is that many of the companies that create applications that use (or depend upon) single sign-on have not made the leap to Windows 7 support.

So if a business depends upon single sign-on, Windows 7 is going to be a big problem.

8: There are better alternatives
You knew this was coming. Both OS X and Linux have made strong headway in the market. With modern releases of Linux getting better and ever-more user friendly, the race is on to see what’s going to happen.

And every time Microsoft makes a misstep, it’s another gain for the competition. Windows Vista was a huge misstep, and it’s going to take more than a rework of that disaster to keep the competition at bay.

As more and more people become disillusioned with Windows, they’re going to look for alternatives. I have good news for you disillusioned Windows users: Ubuntu 9.04 is one of the most user-friendly Linux releases to date.

And with OS X Snow Leopard’s addition of Exchange support, Microsoft should really be concerned.

9: XP Mode may not help you
If you want to run applications that ran on Windows XP but not on Vista, you will have one solution — virtualization.

Here’s the problem: If you want to do this, you need a machine with at least 2 Gigs of RAM and a processor that supports on-chip virtualization. XP Mode consists of two pieces: virtualization software and a fully licensed version of Windows XP. Windows XP does not ship with Windows 7.

You will be able to download it for free if you have a licensed version of Windows 7 Professional, Ultimate, or Enterprise.

The big issue is the on-chip virtualization. Scott Woodgate, director of Windows enterprise and virtualization strategy, said this about which chips include virtualization support: “Some PCs have it and some don’t… It’s not as clear as it should be relative to which PCs have support and which don’t.”

10: You’ll have to contend with DRM
Yes, DRM is the bane of users’ existence, and Windows 7 includes it. One little bit of DRM is a piece of code whose purpose is to ensure that no “prohibited device” is connected to the machine.

By “prohibited device,” I mean a device that could be used to record the output. Digital outputs are polled every 30ms, and analog outputs are polled every 150ms.

Other “features” also use or require DRM, and most of these are in place in case Hollywood needs them. In other words, Microsoft is giving the recording industry a bit of leverage against the user, should they need it.

This will not sit well with the user base, should it show its ugly head.

Your turn
Read enough to make you think twice about migrating to Windows 7?

Perhaps not. But with the Windows 7 pitfalls, one of these issues might bite you — making you wonder why you bothered to “upgrade.”

What’s your take on Windows 7? Join the discussion and share your thoughts.

Setting up your own DNS part 1: Getting started

For a caching-only setup then DNSMasq is better than this whole setup but I just wanted to view other alternatives too.
I have been playing with Linux for the last 15 years, but lately I have taken it to a whole new level. On my laptop I have set up a dual boot with Windows XP and Kubuntu, and after almost half a year of running this combination, I am amazed at how few times I have actually booted into Windows XP.

Had it not been for the video editing, the second part with Windows XP would not have existed. There are a few other programs I am using under Windows XP, but they are happy to run in VirtualBox without any need for rebooting.

I have had a server in the house on and off over the years, but after moving to Brazil, it became a real need.

The server is used for developing websites, testing different installations, caching updates for the workstations in the house, sharing files and sharing our laser printer as well as a number of other small things. It is also a way for me to learn more about networking, Linux servers etc.

Learning is also one of the reasons why I would like to set up a small caching DNS that also resolves the stuff I have on my local network. This task has been a challenge, but with the help of a lot of different online documentation, friends that have given me tips about this and that, I have managed to get it to a point where I can truly say it is working.

So I thought I would try to gather the information here, both to help others and for me to remember what I actually have done.

One thing has to be said loud and clear: This server is not exposed on the internet. It sits behind a firewall and is only used by us locally. No ports have been opened up for access from the outside and there is no need to update the rest of the world with the stuff running on our local network.

Before I started, I had to make a few decisions. One of them was that I wanted to use a real domain for this, so I chose to use a subdomain off my domain –

This way, if I ever need to set up a lan at another site, I can simply name it and avoid any conflicts.

But for the examples, I have substituted this with so that nobody by accident uses my domain.

Other things I decided on either at the installation of Ubuntu server or before the configuration of the DNS:

Name of server: argoz
IP of server:
IP of gateway:
DNS1: (OpenDNS)
DNS2: (OpenDNS)

There are a few DNS packages to choose from, but I chose to go for bind9 as this seems to be the most common one and it can do everything from small stuff to really big stuff.

Installing it is as easy as typing
# sudo apt-get update
# sudo apt-get install bind9

on the command line. Follow the prompts, and you have the basic install with a standard configuration. Note that the install has to be done with sudo/root privileges. Either use sudo or become root temporarily.

Editing configuration files in Linux can be a daunting task for a person that is new to the whole concept. I do it when I have to and have done it a lot over the years.

But unlike some people that almost fall in love with the command line interface (CLI), I like it less and less as the time passes.

I prefer to use my time on other things than administrating and configuring the server. Once it is done, it should just work. And this makes CLI very difficult because I never remember the commands when I need them.

So I have to search the internet every time.

When I have to do it, my editor of choice is nano. So to edit a file, I type
# sudo nano filename.txt

The reason for the sudo is that most of the files that need to be edited will be outside of the home directory and, because of this, cannot be edited with normal user privileges.

Adding sudo and giving your password takes care of that.

Checking basic server configuration
First of all, it is a good idea to check that the standard stuff of the server has been configured correctly after bind9 has been installed.

The first file to check would be the basic networking configuration on your server:
# sudo nano /etc/network/interfaces

Mine looks like this:
# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).

# The loopback network interface
auto lo
iface lo inet loopback

# The primary network interface
auto eth0
iface eth0 inet static

Yours might differ, but this one should get you what you need.

Your server needs to know a DNS in order to look up requests. Of course, as you will have a DNS running locally, you just have to point it to itself.
# sudo nano /etc/resolv.conf
My server only has two lines here. One for the DNS, the other for the domain.

The hosts file could do the job as a simple “DNS”, but as we are setting up a complete DNS, it is better to keep it clean:
# sudo nano /etc/hosts

Something similar to this is ok, nothing else should be needed:       localhost

# The following lines are desirable for IPv6 capable hosts
::1     localhost ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
ff02::3 ip6-allhosts

The place for bind9 configuration files can differ a little between Linux distributions. On Ubuntu servers they are located in /etc/bind with the zonefiles placed under /etc/bind/zones .

The standard install of bind9 on Ubuntu server is to act as a caching DNS. But for this to work, you need to tell it where to look for an address that it cannot resolve locally.

So you need to edit a file called named.conf.options .
# sudo nano /etc/bind/named.conf.options

Here you have to add at least two DNS’es. I added the two from OpenDNS first, and then the two from my ISP just to be sure:
options {
        directory "/var/cache/bind";

        // If there is a firewall between you and nameservers you want
        // to talk to, you may need to fix the firewall to allow multiple
        // ports to talk.  See

        // If your ISP provided one or more IP addresses for stable
        // nameservers, you probably want to use them as forwarders.
        // Uncomment the following block, and insert the addresses replacing
        // the all-0's placeholder.

        forwarders {

        auth-nxdomain no;    # conform to RFC1035
        listen-on-v6 { any; };

The zone files
Before we can start editing the zonefiles, we need to let bind9 know where they are. This is as easy as editing a file called named.conf.local .
# sudo nano /etc/bind/named.conf.local

Here you need to add the names for the zone definitions of your forward and reverse DNS lookups. The first one will be the name of your domain plus .db.

The other will be rev. plus the IP address of your server in reverse minus the last number plus .

It is not as difficult as it sounds, but maybe easier to show you how mine looks:
// Do any local configuration here

// Consider adding the 1918 zones here, if they are not used in your
// organization
//include "/etc/bind/zones.rfc1918";

# This is the zone definition. replace with your domain name
zone "" {
        type master;
        file "/etc/bind/zones/";

# This is the zone definition for reverse DNS. replace 0.168.192 with your network address in $
zone "" {
     type master;
     file "/etc/bind/zones/";

As the domain I wanted to use for my network is, the zonefile will be called

And as my IP address for the server is, the reverse zone name will be

Creating these two files is as easy as editing them in the usual way:
# sudo nano /etc/bind/zones/

Mine looks like this – I’ll do the explanation later:
$TTL 1h      IN      SOA (

 )      IN      NS

www             IN      CNAME

localhost       IN      A

argoz           IN      A
aslan           IN      A
phoenix         IN      A
alambil         IN      A

As I am not an expert in DNS, I will stick to explaining the things you need to change to make it work. The rest, you can copy as it is here. is the domain. Take extra care not to forget the last period! is the full name of the server. is the mail address to the administrator with a period instead of the @ sign on a different server.

2009072804 is a serial number that should change every time you change this zonefile. A very common way to do this number is to use the date in reverse order and a two digit number at the end.

In most cases, you will not need more than 99 changes during a 24 hour period.

I added a few special names to the list and I also added some of the other PC’s in the house just to be able to address them by name, not only by IP.

Also note – I do not have an in-house mail server (yet) so there is no MX record.

The last thing you need to do is to set up the reverse zone file:
# sudo nano /etc/bind/zones/

Again, here is what this looks like on my server:
$TTL 1h
@ IN SOA (

                IN      NS
100              IN      PTR
30              IN      PTR
40              IN      PTR
50              IN      PTR

After setting up the previous file, this one becomes a bit more clear. As with the other file, remember the trailing periods. And also remember to change the serial number if you open and change this file again later.
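The serial convention described above (date plus a two-digit counter, raised on every change to either zone file) is easy to get wrong by hand, so here is an added example, not from the original post, of a shell helper that computes the next serial and rewrites it in a zone file. The function names, the choice of 01 for the first change of a day, and the example.lan names in the sample zone are assumptions; the sample zone is constructed.

```shell
#!/bin/sh
# Added example: bump a BIND zone serial that follows the YYYYMMDDNN convention.

# next_serial CURRENT [TODAY]
#   CURRENT: serial now in the SOA record (10 digits)
#   TODAY:   date as YYYYMMDD, defaults to the system date
next_serial() {
    current=$1
    today=${2:-$(date +%Y%m%d)}
    case $current in
        [0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]) ;;
        *) echo "serial '$current' is not in YYYYMMDDNN form" >&2; return 1 ;;
    esac
    cur_date=${current%??}        # first eight digits
    cur_rev=${current#????????}   # last two digits
    if [ "$cur_date" -lt "$today" ]; then
        # First change today (assumption: the counter starts at 01).
        echo "${today}01"
        return 0
    fi
    # Same day, or a serial dated in the future: keep its date and raise
    # the counter, because the serial must never go down.
    rev=${cur_rev#0}              # drop a leading zero so 08/09 are not read as octal
    rev=$((rev + 1))
    if [ "$rev" -gt 99 ]; then
        echo "counter exhausted for $cur_date" >&2
        return 1
    fi
    printf '%s%02d\n' "$cur_date" "$rev"
}

# bump_zone_serial ZONEFILE [TODAY]
#   Finds the first 10-digit field in the zone file, replaces it with the
#   next serial and prints the new value.
bump_zone_serial() {
    zone=$1
    old=$(awk '{ for (i = 1; i <= NF; i++)
                   if ($i ~ /^[0-9]+$/ && length($i) == 10) { print $i; exit } }' "$zone")
    [ -n "$old" ] || { echo "no YYYYMMDDNN serial found in $zone" >&2; return 1; }
    new=$(next_serial "$old" "$2") || return 1
    sed "s/$old/$new/" "$zone" > "$zone.new" && mv "$zone.new" "$zone"
    echo "$new"
}

# Constructed sample zone (names are placeholders, not the author's).
write_sample_zone() {
    cat > "$1" <<'EOF'
$TTL 1h
@   IN  SOA ns.example.lan. admin.example.lan. (
        2009072804 ; serial
        1h         ; refresh
        15m        ; retry
        1w         ; expire
        1h )       ; negative cache TTL
    IN  NS  ns.example.lan.
EOF
}

demo_zone=$(mktemp)
write_sample_zone "$demo_zone"
echo "new serial: $(bump_zone_serial "$demo_zone" 20090728)"
rm -f "$demo_zone"
```

Run it against a copy of the zone file first, then restart bind9 as described below so the new serial is loaded.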

The last thing you need to do is to restart bind9 to get the whole thing to work:
# sudo /etc/init.d/bind9 restart

And then you can test your DNS with this command (substitute the domainname with your own):
# dig

I am sure there are still errors in this setup, but it is working for me. I can do a dig and get a response that seems to be ok.

Was this helpful? Any tips on how to improve things?

20 Linux Server Hardening Security Tips

Securing your Linux server is important to protect your data, intellectual property, and time, from the hands of crackers (hackers).

The system administrator is responsible for the security of the Linux box. In this first part of a Linux server security series, I will provide 20 hardening tips for a default installation of a Linux system.

#1: Encrypt Data Communication
All data transmitted over a network is open to monitoring. Encrypt transmitted data whenever possible with a password or using keys / certificates.
  1. Use scp / ssh (rsync) / sftp for file transfer. You can also mount a remote server file system or your own home directory using the special sshfs and fuse tools.
  2. GnuPG lets you encrypt and sign your data and communication, and features a versatile key management system as well as access modules for all kinds of public key directories.
  3. Fugu is a graphical frontend to the commandline Secure File Transfer application (SFTP). SFTP is similar to FTP, but unlike FTP, the entire session is encrypted, meaning no passwords are sent in cleartext form, and is thus much less vulnerable to third-party interception. Another option is FileZilla - a cross-platform client that supports FTP, FTP over SSL/TLS (FTPS), and SSH File Transfer Protocol (SFTP).
  4. OpenVPN is a cost-effective, lightweight SSL VPN.
  5. Lighttpd SSL (Secure Server Layer) Https Configuration And Installation

#1.1: Avoid Using FTP, Telnet, And Rlogin / Rsh
Under most network configurations, user names, passwords, FTP / telnet / rsh commands and transferred files can be captured by anyone on the same network using a packet sniffer.

The common solution to this problem is to use either OpenSSH, SFTP, or FTPS (FTP over SSL), which adds SSL or TLS encryption to FTP. Type the following command to delete NIS, rsh and other outdated services:

# yum erase inetd xinetd ypserv tftp-server telnet-server rsh-server

#2: Minimize Software to Minimize Vulnerability
Do you really need all sorts of web services installed? Avoid installing unnecessary software to avoid vulnerabilities in software.

Use a package manager such as yum (for RPM packages) or apt-get and/or dpkg to review all the software packages installed on a system. Delete all unwanted packages.

# yum list installed
# yum list packageName
# yum remove packageName


# dpkg --list
# dpkg --info packageName
# apt-get remove packageName

#3: One Network Service Per System or VM Instance
Run different network services on separate servers or VM instances. This limits the number of other services that can be compromised.

For example, if an attacker is able to successfully exploit a flaw in software such as Apache, he / she will get access to the entire server, including other services such as MySQL, the e-mail server and so on.

See how to install Virtualization software:

#4: Keep Linux Kernel and Software Up to Date
Applying security patches is an important part of maintaining a Linux server. Linux provides all the necessary tools to keep your system updated, and also allows for easy upgrades between versions.

All security updates should be reviewed and applied as soon as possible. Again, use a package manager such as yum and/or apt-get and/or dpkg to apply all security updates.

# yum update


# apt-get update && apt-get upgrade

You can configure Red Hat / CentOS / Fedora Linux to send yum package update notifications via email.

Another option is to apply all security updates via a cron job. Under Debian / Ubuntu Linux you can use apticron to send security notifications.

#5: Use Linux Security Extensions
Linux comes with various security patches which can be used to guard against misconfigured or compromised programs.

If possible use SELinux and other Linux security extensions to enforce limitations on network and other programs.

For example, SELinux provides a variety of security policies for the Linux kernel.

#5.1: SELinux
I strongly recommend using SELinux which provides a flexible Mandatory Access Control (MAC). Under standard Linux Discretionary Access Control (DAC), an application or process running as a user (UID or SUID) has the user's permissions to objects such as files, sockets, and other processes.

Running a MAC kernel protects the system from malicious or flawed applications that can damage or destroy the system. See the official Red Hat documentation which explains SELinux configuration.

#6: User Accounts and Strong Password Policy
Use the useradd / usermod commands to create and maintain user accounts. Make sure you have a good and strong password policy.

For example, a good password is at least 8 characters long and includes a mixture of letters (upper and lower case), numbers and special characters. Most importantly, pick a password you can remember.

Use tools such as "John the Ripper" to find weak user passwords on your server. Configure to enforce the password policy.

#6.1: Password Aging
The chage command changes the number of days between password changes and the date of the last password change.

This information is used by the system to determine when a user must change his/her password. The /etc/login.defs file defines the site-specific configuration for the shadow password suite including password aging configuration.

To disable password aging, enter:

# chage -M 99999 userName

To get password expiration information, enter:

# chage -l userName

Finally, you can also edit the /etc/shadow file in the following fields:

  1. Minimum_days: The minimum number of days required between password changes i.e. the number of days left before the user is allowed to change his/her password.
  2. Maximum_days: The maximum number of days the password is valid (after that user is forced to change his/her password).
  3. Warn : The number of days before password is to expire that user is warned that his/her password must be changed.
  4. Expire : Days since Jan 1, 1970 that account is disabled i.e. an absolute date specifying when the login may no longer be used.

I recommend using the chage command instead of editing /etc/shadow by hand:

# chage -M 60 -m 7 -W 7 userName

#6.2: Restricting Use of Previous Passwords
You can prevent all users from reusing their old passwords under Linux. The pam_unix module parameter remember can be used to configure the number of previous passwords that cannot be reused.

#6.3: Locking User Accounts After Login Failures
Under Linux you can use the faillog command to display faillog records or to set login failure limits. faillog formats the contents of the failure log from the /var/log/faillog database / log file.

It can also be used to maintain failure counters and limits. To see failed login attempts, enter:

# faillog

To unlock an account after login failures, run:

# faillog -r -u userName

Note you can use passwd command to lock and unlock accounts:

# lock account
passwd -l userName

# unlock account
passwd -u userName

#6.4: How Do I Verify No Accounts Have Empty Passwords?
Type the following command

# awk -F: '($2 == "") {print}' /etc/shadow

Lock all empty password accounts:

# passwd -l accountName

#6.5: Make Sure No Non-Root Accounts Have UID Set To 0
Only the root account should have UID 0, which gives full permissions to access the system. Type the following command to display all accounts with UID set to 0:

# awk -F: '($3 == "0") {print}' /etc/passwd

You should only see one line as follows:

If you see other lines, delete them or make sure other accounts are authorized by you to use UID 0.
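The checks from #6.1, #6.4 and #6.5 can be combined into one repeatable audit. The following is an added example, not code from the original article: it wraps the two awk one-liners above, adds a maximum-age check on the shadow file, and runs on constructed sample files so nothing on the live system is touched. Function names, the 90-day threshold and the sample accounts are assumptions.

```shell
#!/bin/sh
# Added example: audit passwd/shadow-format files for empty passwords,
# extra UID 0 accounts and weak password aging. Paths are parameters so
# the audit can run on copies; the sample data below is constructed.

# Accounts whose shadow password field is empty (#6.4).
empty_password_accounts() {
    awk -F: '($2 == "") {print $1}' "$1"
}

# Accounts other than root that have UID 0 (#6.5).
extra_uid0_accounts() {
    awk -F: '($3 == "0" && $1 != "root") {print $1}' "$1"
}

# Accounts with a usable password hash whose maximum password age
# (shadow field 5, what chage -M sets) is unset or above $2 days (#6.1).
# Locked entries (password field starting with ! or *) are skipped.
weak_aging_accounts() {
    awk -F: -v max="$2" '
        $2 != "" && $2 !~ /^[!*]/ && ($5 == "" || $5 + 0 > max + 0) {print $1}
    ' "$1"
}

# audit_accounts PASSWD SHADOW MAXDAYS
#   Prints one line per finding; returns non-zero if anything was found.
audit_accounts() {
    findings=0
    for u in $(empty_password_accounts "$2"); do
        echo "EMPTY PASSWORD: $u (lock with: passwd -l $u)"
        findings=$((findings + 1))
    done
    for u in $(extra_uid0_accounts "$1"); do
        echo "UID 0 BUT NOT root: $u"
        findings=$((findings + 1))
    done
    for u in $(weak_aging_accounts "$2" "$3"); do
        echo "PASSWORD AGE OVER $3 DAYS: $u (fix with: chage -M $3 $u)"
        findings=$((findings + 1))
    done
    [ "$findings" -eq 0 ]
}

# Constructed sample files: toor is a second UID 0 account, guest has an
# empty password, alice never has to change her password.
write_sample_files() {
    cat > "$1/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
toor:x:0:0:backup admin:/root:/bin/bash
guest:x:1001:1001:Guest:/home/guest:/bin/bash
EOF
    cat > "$1/shadow" <<'EOF'
root:$6$constructed$hash:14548:7:60:7:::
daemon:*:14548:0:99999:7:::
alice:$6$constructed$hash:14548:0:99999:7:::
toor:$6$constructed$hash:14548:7:60:7:::
guest::14548:0:99999:7:::
EOF
}

demo_dir=$(mktemp -d)
write_sample_files "$demo_dir"
audit_accounts "$demo_dir/passwd" "$demo_dir/shadow" 90 ||
    echo "$findings finding(s) need review"
rm -rf "$demo_dir"
```

On a real server, run audit_accounts as root against /etc/passwd and /etc/shadow; the non-zero exit status makes it usable from cron or a monitoring check.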

#7: Disable root Login
Never ever log in as the root user. You should use sudo to execute root level commands as and when required. sudo greatly enhances the security of the system without sharing the root password with other users and admins. sudo provides simple auditing and tracking features too.

#8: Physical Server Security
You must protect physical console access to your Linux servers. Configure the BIOS and disable booting from external devices such as DVDs / CDs / USB pens.

Set BIOS and grub boot loader password to protect these settings.

All production boxes must be locked in IDCs (Internet Data Centers) and all persons must pass some sort of security check before accessing your server.

#9: Disable Unwanted Services
Disable all unnecessary services and daemons (services that run in the background). You need to remove all unwanted services from the system start-up.

Type the following command to list all services which are started at boot time in run level 3:

# chkconfig --list | grep '3:on'

To disable a service, enter:

# service serviceName stop
# chkconfig serviceName off

#9.1: Find Listening Network Ports
Use the following command to list all open ports and associated programs:

# netstat -tulpn

Or use nmap:

# nmap -sT -O localhost
# nmap -sT -O

Use iptables to close open ports or stop all unwanted network services using above service and chkconfig commands.

#10: Delete X Windows
X Windows is not required on a server. There is no reason to run X Windows on your dedicated mail and Apache web server.

You can disable and remove X Windows to improve server security and performance. Edit /etc/inittab and set the run level to 3. Finally, to remove the X Window System, enter:

# yum groupremove "X Window System"

#11: Configure Iptables and TCPWrappers
Iptables is a user space application program that allows you to configure the firewall (Netfilter) provided by the Linux kernel.

Use a firewall to filter out traffic and allow only necessary traffic. Also use TCPWrappers, a host-based networking ACL system, to filter network access to the Internet.

You can prevent many denial of service attacks with the help of Iptables:

#12: Linux Kernel /etc/sysctl.conf Hardening
/etc/sysctl.conf file is used to configure kernel parameters at runtime. Linux reads and applies settings from /etc/sysctl.conf at boot time. Sample /etc/sysctl.conf:
# Turn on execshield
# Enable IP spoofing protection
# Disable IP source routing
# Ignoring broadcasts request
# Make sure spoofed packets get logged
net.ipv4.conf.all.log_martians = 1
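One way to check an existing sysctl.conf against the settings the sample's comments describe (added example, not from the original article). Only net.ipv4.conf.all.log_martians appears in the sample; the other keys and values in the baseline are assumed to be the ones the comments refer to, and kernel.exec-shield exists only on Red Hat-style kernels.

```shell
#!/bin/sh
# Added example. Baseline of "key value" pairs: only log_martians is on the
# page; the other keys are assumed to be what the sample comments refer to.
SYSCTL_BASELINE='kernel.exec-shield 1
net.ipv4.conf.all.rp_filter 1
net.ipv4.conf.all.accept_source_route 0
net.ipv4.icmp_echo_ignore_broadcasts 1
net.ipv4.conf.all.log_martians 1'

# check_sysctl_conf FILE: report baseline keys that FILE omits or sets
# differently. Exit status is 1 when anything is reported.
check_sysctl_conf() {
    printf '%s\n' "$SYSCTL_BASELINE" | awk -v conf="$1" '
        BEGIN {
            # Read the config first: skip comments and blanks, last value wins.
            while ((getline line < conf) > 0) {
                if (line ~ /^[ \t]*([#;]|$)/) continue
                n = index(line, "=")
                if (n == 0) continue
                key = substr(line, 1, n - 1)
                val = substr(line, n + 1)
                gsub(/^[ \t]+|[ \t]+$/, "", key)
                gsub(/^[ \t]+|[ \t]+$/, "", val)
                have[key] = val
            }
        }
        !($1 in have)  { print "MISSING " $1 " want=" $2; bad = 1; next }
        have[$1] != $2 { print "MISMATCH " $1 " have=" have[$1] " want=" $2; bad = 1 }
        END { exit bad + 0 }
    '
}

# Constructed sample config with one weak value and one missing key.
demo_sysctl() {
    conf=$(mktemp) || return 1
    cat > "$conf" <<'EOF'
# constructed sample config
kernel.exec-shield = 1
net.ipv4.conf.all.rp_filter=0
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.all.log_martians = 1
EOF
    check_sysctl_conf "$conf" && rc=0 || rc=$?
    rm -f "$conf"
    return "$rc"
}

demo_sysctl || true
```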
#13: Separate Disk Partitions
Separating the operating system files from user files may result in a better and more secure system. Make sure the following filesystems are mounted on separate partitions:
  • /usr
  • /home
  • /var and /var/tmp
  • /tmp
Create separate partitions for Apache and FTP server roots. Edit the /etc/fstab file and make sure you add the following configuration options:
  1. noexec - Do not set execution of any binaries on this partition (prevents execution of binaries but allows scripts).
  2. nodev - Do not allow character or special devices on this partition (prevents use of device files such as zero, sda etc).
  3. nosuid - Do not set SUID/SGID access on this partition (prevent the setuid bit).
Sample /etc/fstab entry to limit user access on /dev/sda5 (ftp server root directory):
/dev/sda5  /ftpdata          ext3    defaults,nosuid,nodev,noexec 1 2
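An added example (not from the original article) that checks an fstab file for the two points in this section: each listed filesystem has its own entry, and a restricted mount point carries nosuid, nodev and noexec. The function name, output labels and sample fstab are constructed; /ftpdata is taken from the sample entry.

```shell
#!/bin/sh
# Added example. Mount points are the ones named in #13; adjust as needed.
SEPARATE_MOUNTS="/usr /home /var /var/tmp /tmp"  # should each have an entry
RESTRICTED_MOUNTS="/ftpdata"                     # must have all three options

# check_fstab FILE: print findings, exit status 1 if there are any.
check_fstab() {
    awk -v separate="$SEPARATE_MOUNTS" -v restricted="$RESTRICTED_MOUNTS" '
        /^[ \t]*(#|$)/ { next }               # comments and blank lines
        { opts[$2] = "," $4 "," }             # mount point -> ",opt,opt,"
        END {
            n = split(separate, s, " ")
            for (i = 1; i <= n; i++)
                if (!(s[i] in opts)) { print "NOT_SEPARATE " s[i]; bad = 1 }
            m = split(restricted, r, " ")
            k = split("nosuid nodev noexec", want, " ")
            for (i = 1; i <= m; i++) {
                if (!(r[i] in opts)) { print "NOT_SEPARATE " r[i]; bad = 1; continue }
                for (j = 1; j <= k; j++)
                    if (index(opts[r[i]], "," want[j] ",") == 0) {
                        print "MISSING_OPTION " r[i] " " want[j]; bad = 1
                    }
            }
            exit bad + 0
        }
    ' "$1"
}

# Constructed sample fstab: no /usr or /var/tmp entry, /ftpdata lacks noexec.
demo_fstab() {
    tab=$(mktemp) || return 1
    cat > "$tab" <<'EOF'
# constructed sample fstab
/dev/sda1  /boot     ext3  defaults               1 2
/dev/sda3  /         ext3  defaults               1 1
/dev/sda2  /home     ext3  defaults               1 2
/dev/sda6  /tmp      ext3  defaults,nosuid,nodev  1 2
/dev/sda7  /var      ext3  defaults               1 2
/dev/sda5  /ftpdata  ext3  defaults,nosuid,nodev  1 2
EOF
    check_fstab "$tab" && rc=0 || rc=$?
    rm -f "$tab"
    return "$rc"
}

demo_fstab || true
```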
#13.1: Disk Quotas
Make sure disk quota is enabled for all users. To implement disk quotas, use the following steps:
  1. Enable quotas per file system by modifying the /etc/fstab file.
  2. Remount the file system(s).
  3. Create the quota database files and generate the disk usage table.
  4. Assign quota policies.
  5. See implementing disk quotas tutorial for further details.

#14: Turn Off IPv6
Internet Protocol version 6 (IPv6) provides a new Internet layer of the TCP/IP protocol suite that replaces Internet Protocol version 4 (IPv4) and provides many benefits.

Currently there are no good tools available that can check a system over the network for IPv6 security issues.

Most Linux distros have begun enabling the IPv6 protocol by default. Crackers can send bad traffic via IPv6 as most admins are not monitoring it. Unless the network configuration requires it, disable IPv6 or configure the Linux IPv6 firewall:
#15: Disable Unwanted SUID and SGID Binaries
Any file with the SUID/SGID bit enabled can be misused when the SUID/SGID executable has a security problem or bug.

Any local or remote user can use such a file. It is a good idea to find all such files. Use the find command as follows:

# See all set user id files
# (newer GNU find no longer accepts -perm +mode; use -perm -mode or -perm /mode)
# find / -perm -4000

# See all group id files
# find / -perm -2000

# Or combine both in a single command
# find / \( -perm -4000 -o -perm -2000 \) -print
# find / -type f -perm /6000 -ls

You need to investigate each reported file. See the reported file's man page for further details.
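
Investigating each file is easier once you keep a reviewed list and only look at what is new. The script below is an added example, not from the original article: it lists SUID/SGID files and prints those missing from an approved baseline file. The function names, baseline file name and sample files are constructed.

```shell
#!/bin/sh
# Added example (not from the original article).
# list_setid DIR: regular files under DIR with the SUID or SGID bit set.
# -perm -4000 and -perm -2000 are the POSIX forms and work with any find.
list_setid() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null | sort
}

# unapproved_setid DIR BASELINE: set-id files that are not listed, one exact
# path per line, in the reviewed BASELINE file.
unapproved_setid() {
    list_setid "$1" | grep -Fxv -f "$2" || true
}

# Constructed sample tree: two SUID files, one SGID file, one plain file.
# Only approved_tool is in the baseline. Runs in a subshell so cd stays local.
demo_setid() (
    dir=$(mktemp -d) || exit 1
    cd "$dir" || exit 1
    touch approved_tool newhelper groupwrite plain
    chmod 4755 approved_tool newhelper
    chmod 2755 groupwrite
    chmod 0755 plain
    echo "./approved_tool" > baseline.txt
    unapproved_setid . baseline.txt
    cd / && rm -rf "$dir"
)

demo_setid
```

On a real system the baseline would be the output of list_setid / saved after review, and the comparison run from cron.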

#15.1: World-Writable Files
Anyone can modify a world-writable file, resulting in a security issue. Use the following command to find all world-writable directories that do not have the sticky bit set:

# find /dir -xdev -type d \( -perm -0002 -a ! -perm -1000 \) -print

You need to investigate each reported file and either set correct user and group permission or remove it.

#15.2: Noowner Files

Files not owned by any user or group can pose a security problem. Use the following command to find files that do not belong to a valid user and a valid group:

# find /dir -xdev \( -nouser -o -nogroup \) -print

You need to investigate each reported file and either assign it to an appropriate user and group or remove it.

#16: Use A Centralized Authentication Service
Without a centralized authentication system, user auth data becomes inconsistent, which may lead to out-of-date credentials and forgotten accounts which should have been deleted in the first place.

A centralized authentication service allows you to maintain central control over Linux / UNIX account and authentication data.

You can keep auth data synchronized between servers. Do not use the NIS service for centralized authentication. Use OpenLDAP for clients and servers.

#16.1: Kerberos
Kerberos performs authentication as a trusted third party authentication service by using a cryptographic shared secret, under the assumption that packets traveling along the insecure network can be read, modified, and inserted.

Kerberos builds on symmetric-key cryptography and requires a key distribution center. You can make remote login, remote copy, secure inter-system file copying and other high-risk tasks safer and more controllable using Kerberos.

So, when users authenticate to network services using Kerberos, unauthorized users attempting to gather passwords by monitoring network traffic are effectively thwarted. See how to setup and use Kerberos.

#17: Logging and Auditing
You need to configure logging and auditing to collect all hacking and cracking attempts. By default syslog stores data in /var/log/ directory.

This is also useful for finding software misconfigurations which may open your system to various attacks. See the following logging related articles:
  1. Linux log file locations.
  2. How to send logs to a remote loghost.
  3. How do I rotate log files?.
  4. man pages syslogd, syslog.conf and logrotate.

#17.1: Monitor Suspicious Log Messages With Logwatch / Logcheck
Read your logs using logwatch or logcheck. These tools make your log reading life easier. You get detailed reporting on unusual items in syslog via email. A sample syslog report:

################### Logwatch 7.3 (03/24/06) ####################
        Processing Initiated: Fri Oct 30 04:02:03 2009
        Date Range Processed: yesterday
                              ( 2009-Oct-29 )
                              Period is day.
      Detail Level of Output: 0
              Type of Output: unformatted
           Logfiles for Host:

 --------------------- Named Begin ------------------------ 

 **Unmatched Entries**
    general: info: zone Transfer started.: 3 Time(s)
    general: info: zone refresh: retry limit for master ttttttttttttttttttt#53 exceeded (source ::#0): 3 Time(s)
    general: info: zone Transfer started.: 4 Time(s)
    general: info: zone refresh: retry limit for master ttttttttttttttttttt#53 exceeded (source ::#0): 4 Time(s)

 ---------------------- Named End ------------------------- 

  --------------------- iptables firewall Begin ------------------------ 

 Logged 87 packets on interface eth0
   From - 1 packet to tcp(8080)
   From 59.www.zzz.yyy - 1 packet to tcp(22)
   From 60.32.nnn.yyy - 2 packets to tcp(45633)
   From - 5 packets to tcp(8000,8080,8800) 

 ---------------------- iptables firewall End ------------------------- 

 --------------------- SSHD Begin ------------------------ 

 Users logging in through sshd:
    root: 6 times

 ---------------------- SSHD End ------------------------- 

 --------------------- Disk Space Begin ------------------------ 

 Filesystem            Size  Used Avail Use% Mounted on
 /dev/sda3             450G  185G  241G  44% /
 /dev/sda1              99M   35M   60M  37% /boot

 ---------------------- Disk Space End ------------------------- 

 ###################### Logwatch End #########################
(Note output is truncated)

#17.2: System Accounting with auditd
auditd is provided for system auditing. It is responsible for writing audit records to the disk. During startup, the rules in /etc/audit.rules are read by this daemon.

You can open the /etc/audit.rules file and make changes such as setting the audit log file location and other options. With auditd you can answer the following questions:
  1. System startup and shutdown events (reboot / halt).
  2. Date and time of the event.
  3. User responsible for the event (such as trying to access /path/to/topsecret.dat file).
  4. Type of event (edit, access, delete, write, update file & commands).
  5. Success or failure of the event.
  6. Record events that modify date and time.
  7. Find out who made changes to modify the system's network settings.
  8. Record events that modify user/group information.
  9. See who made changes to a file etc.
See our quick tutorial which explains enabling and using the auditd service.

#18: Secure OpenSSH Server
The SSH protocol is recommended for remote login and remote file transfer. However, ssh is open to many attacks.

See how to secure OpenSSH server:

#19: Install And Use Intrusion Detection System
A network intrusion detection system (NIDS) is an intrusion detection system that tries to detect malicious activity such as denial of service attacks, port scans or even attempts to crack into computers by monitoring network traffic.

It is good practice to deploy integrity checking software before the system goes online in a production environment.

If possible, install AIDE before the system is connected to any network. AIDE is a host-based intrusion detection system (HIDS) that can monitor and analyse the internals of a computing system.

Snort is software for intrusion detection which is capable of performing packet logging and real-time traffic analysis on IP networks.

#20: Protecting Files, Directories and Email
Linux offers excellent protections against unauthorized data access. File permissions and MAC prevent unauthorized users from accessing data.

However, permissions set by Linux are irrelevant if an attacker has physical access to a computer and can simply move the computer's hard drive to another system to copy and analyze the sensitive data. You can easily protect files and partitions under Linux using the following tools:

#20.1: Securing Email Servers
You can use SSL certificates and gpg keys to secure email communication on both server and client computers:

Recommended reading:

  1. Red Hat Enterprise Linux - Security Guide.
  2. Linux security cookbook - A good collection of security recipes for new Linux admins.
  3. Snort 2.1 Intrusion Detection, Second Edition - Good introduction to Snort and Intrusion detection under Linux.
  4. Hardening Linux - Hardening Linux identifies many of the risks of running Linux hosts and applications and provides practical examples and methods to minimize those risks.
  5. Linux Security HOWTO.
In the next part of this series I will discuss how to secure specific applications (such as Proxy, Mail, LAMP, Database) and a few other security tools. Did I miss something? Please add your favorite system security tool or tip in the comments.