There is a widespread notion that Linux is more secure than Windows when it comes to ransomware and other types of malware. But “safer by default” doesn’t mean safe out of the box. You still have to harden the Linux attack surface and take the proper security measures, much as you do with Windows.
In fact, whether it’s a Linux box or a Windows machine, the security principles and processes for both share a lot of commonalities. Here are four measures you should take to protect Linux from ransomware that will probably sound very familiar to Windows admins.
Just like a Windows server that has a default administrator account, Linux has a default root user. Because ransomware targets high-privilege accounts to spread its mayhem, the Linux root user is a prime target.
One approach is to rename the account, but this still requires server admins to type in the root password. Rather than logging on as root, you should use the sudo command to run individual programs with elevated rights. In this way, server admins can run administrative commands without ever holding an interactive root session. Once sudo is in place, you can disable direct root login so that nobody can use it. Sudo is used to enforce the principle of least privilege, which states that users should have the minimum level of access they need to complete their assigned tasks—and nothing more.
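The following is an added example, not code from the original article, that checks the two settings discussed above on constructed sample files: whether sshd still permits root login, and whether a sudoers rule hands out a blanket `ALL` instead of the specific commands a role needs. The file contents, the account name `deploy` and the nginx commands are all made up for the illustration.

```shell
#!/bin/sh
# Added example: audit constructed sshd_config and sudoers fragments for
# root-login and least-privilege settings. Nothing here touches the real host.

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed sshd_config fragments (weak default vs. hardened).
cat > "$WORK/sshd_config.weak" <<'EOF'
# Common on fresh installs: root may log in over SSH with a password
PermitRootLogin yes
PasswordAuthentication yes
EOF

cat > "$WORK/sshd_config.hardened" <<'EOF'
PermitRootLogin no
PasswordAuthentication no
EOF

# Constructed sudoers fragments, as they might appear under /etc/sudoers.d/.
cat > "$WORK/sudoers.broad" <<'EOF'
# A full root shell for one account: no better than sharing the root password
deploy ALL=(ALL) NOPASSWD: ALL
EOF

cat > "$WORK/sudoers.scoped" <<'EOF'
# Least privilege: only the commands this role needs, run as root
deploy ALL=(root) /usr/bin/systemctl restart nginx, /usr/bin/systemctl status nginx
EOF

# Returns 0 only when the first effective PermitRootLogin directive is "no".
# sshd honours the first match, so later duplicates are ignored here as well.
# A missing directive falls back to sshd's compiled-in default (prohibit-password
# in modern OpenSSH), which is not the same as "no", so it is reported as not disabled.
root_login_disabled() {
  val=$(grep -iE '^[[:space:]]*PermitRootLogin[[:space:]]+' "$1" | head -n 1 | awk '{print tolower($2)}')
  [ "$val" = "no" ]
}

# Prints the number of user-spec lines whose command list is the bare word ALL.
# Comment lines and Defaults lines are skipped; "|| true" keeps the count at 0
# rather than a grep failure when nothing matches.
count_broad_sudo_rules() {
  grep -vE '^[[:space:]]*(#|Defaults)' "$1" | grep -cE '[[:space:]]ALL[[:space:]]*$' || true
}

# Usage: run both checks over the sample files.
for f in "$WORK/sshd_config.weak" "$WORK/sshd_config.hardened"; do
  if root_login_disabled "$f"; then
    echo "$(basename "$f"): root SSH login disabled"
  else
    echo "$(basename "$f"): root SSH login still permitted"
  fi
done
for f in "$WORK/sudoers.broad" "$WORK/sudoers.scoped"; do
  echo "$(basename "$f"): $(count_broad_sudo_rules "$f") rule(s) granting unrestricted ALL"
done
```

Pointing `root_login_disabled` at the real `/etc/ssh/sshd_config` and `count_broad_sudo_rules` at each file in `/etc/sudoers.d/` turns this into a quick baseline check; the sudoers heuristic is deliberately simple and only catches the blanket `ALL` form, so treat a zero count as "nothing obvious" rather than proof of least privilege.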
The security mantra of keeping your operating systems and applications patched and up to date doesn’t just apply to the Windows world. One of the primary ways that ransomware infects a Linux server is through unpatched system vulnerabilities. Linux uses the RPM Package Manager as its package management system, which automatically verifies the integrity of the patches. You should have an update policy in place that spells out the patching frequency along with testing and rollback procedures.
The best line of defense against ransomware is a well-designed backup strategy. Many organizations have managed to come back from the ransomware abyss by restoring their backups. The traditional 3-2-1 backup strategy, which keeps three copies of your data on two different storage media with one copy offsite, is a good place to start.
Of course, ransomware gangs are aware of this too, which is why they attempt to encrypt the backups first and take them out of commission. It’s important to have ample documentation to accompany the backups as well.
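Because attackers go after the backups first, a copy should be verified against a checksum manifest before anyone trusts it for a restore. The script below is an added example, not part of the original article: it builds a manifest for a constructed "production" directory, then checks two constructed copies, one intact and one that has had a file overwritten and another deleted after the backup was taken. Directory names and file contents are invented for the illustration.

```shell
#!/bin/sh
# Added example: SHA-256 manifest for a backup set, so a copy that was silently
# overwritten, encrypted or pruned is caught before it is used for a restore.
# Everything below is created in a temporary directory from constructed data.

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed "production" data and two of the three 3-2-1 copies.
mkdir -p "$WORK/prod" "$WORK/copy1" "$WORK/copy2"
printf 'customer records v1\n' > "$WORK/prod/customers.db"
printf 'server=db01\n' > "$WORK/prod/app.conf"
cp "$WORK/prod"/* "$WORK/copy1"/
cp "$WORK/prod"/* "$WORK/copy2"/

# Portable SHA-256: sha256sum on Linux, shasum on macOS.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1" | awk '{print $1}'
  else shasum -a 256 "$1" | awk '{print $1}'; fi
}

# Write "<hash> <relative path>" for every regular file under $1 into $2.
# Store the manifest with the offline/offsite copy, never only on the host
# being backed up, or the same intruder can rewrite both.
write_manifest() {
  dir=$1; out=$2; : > "$out"
  ( cd "$dir" && find . -type f | sort ) | while read -r rel; do
    printf '%s %s\n' "$(sha256_of "$dir/$rel")" "$rel" >> "$out"
  done
}

# Compare the copy in $1 against manifest $2. Prints the number of files that
# are missing or whose hash differs, and returns non-zero when that is not 0.
verify_manifest() {
  dir=$1; manifest=$2; bad=0
  while read -r expected rel; do
    if [ ! -f "$dir/$rel" ] || [ "$(sha256_of "$dir/$rel")" != "$expected" ]; then
      bad=$((bad + 1))
    fi
  done < "$manifest"
  echo "$bad"
  [ "$bad" -eq 0 ]
}

write_manifest "$WORK/prod" "$WORK/manifest.sha256"

# Simulate a copy that was tampered with after it was taken: one file is
# overwritten with unrelated bytes, one is deleted.
printf 'garbage\n' > "$WORK/copy2/customers.db"
rm "$WORK/copy2/app.conf"

# Usage: copy1 reports 0 problems; copy2 reports 2 and fails.
verify_manifest "$WORK/copy1" "$WORK/manifest.sha256"
verify_manifest "$WORK/copy2" "$WORK/manifest.sha256" \
  || echo "copy2 failed verification; do not restore from it"
```

The manifest only proves that a copy still matches what was backed up; it says nothing about whether that data was already compromised when the backup ran, which is why the restore documentation mentioned above should also record when each copy was taken and verified.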
Linux servers are usually deployed for a specific purpose, such as web services or database management. Unlike a Windows domain controller or a DNS or DHCP server, a Linux server doesn’t have to be reachable by everyone.
The more exposure your Linux server has to the network at large, the greater the chance it will be infected. That’s why you should segment your Linux servers and control the traffic flow to these critical systems. Placing them on their own VLAN is a good start. You should then zone off the Linux VLAN behind a next-generation firewall that scrubs malicious content and enforces security policy on incoming traffic.
While some may argue that Linux servers don’t require as much attention as Windows servers, they are not exempt from basic security measures. Protecting Linux from ransomware isn’t too much different from securing a Windows server. Following the basic principles of cybersecurity will go a long way in securing your Linux servers from the ransomware menace.