ITS Safe Computing

Secure and Manage Your Computer (Linux/Unix)

If you are permitted to access or maintain sensitive institutional data using your personally owned computer or self-managed university-owned computer, please meet the minimum expectations below.

See Your Responsibilities for Protecting University Data When Using Your Own Devices for a complete list of your responsibilities when using your own devices to work with sensitive U-M data.

By meeting the minimum expectations below, you also protect your personal data.

Minimum Expectations for a Secure Computer

Require a password for access to your computer. Follow these guidelines for a strong password.
Set your screensaver to activate after 15 or fewer minutes of inactivity, and require your password to unlock it. This helps prevent unauthorized access to your computer when you step away from it.
Turn on your local firewall. It is normally turned on by default. Current versions of Linux filter packets with the kernel's netfilter framework, managed with iptables or nftables and often through a front end such as ufw or firewalld. Standard firewall practice is to deny everything by default and then allow only the services you require. Consult the documentation for your system to learn how to adjust the firewall rules so that only the services you require are reachable; on a workstation that is usually no inbound services at all.
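A default-deny ruleset of the kind described above, as an added example that is not part of the ITS page. It generates iptables rules in iptables-restore format; gen_rules only prints them, and apply_rules (which needs root) loads them. The allowed-service list is an assumption (only ssh on 22/tcp); set ALLOWED_TCP to an empty string for a machine that should accept no inbound connections.

```shell
#!/bin/sh
# Added example (not from the ITS page): build a default-deny iptables ruleset
# in iptables-restore format. gen_rules only prints the rules; apply_rules
# loads them and needs root. ALLOWED_TCP lists the inbound services this
# workstation must accept (assumption: only ssh on 22/tcp; set it to an empty
# string for a machine that should accept no inbound connections at all).
ALLOWED_TCP="${ALLOWED_TCP-22}"

gen_rules() {
    printf '%s\n' '*filter'
    # Default policies: drop inbound and forwarded packets, allow outbound.
    printf '%s\n' ':INPUT DROP [0:0]' ':FORWARD DROP [0:0]' ':OUTPUT ACCEPT [0:0]'
    # Loopback and replies to connections this host started are always needed.
    printf '%s\n' '-A INPUT -i lo -j ACCEPT'
    printf '%s\n' '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    # Packets that claim to belong to a connection the kernel does not know about.
    printf '%s\n' '-A INPUT -m conntrack --ctstate INVALID -j DROP'
    # Rate-limited ping so diagnostics keep working without allowing floods.
    printf '%s\n' '-A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/s -j ACCEPT'
    # Explicitly allowed inbound TCP services, and nothing else.
    for port in $ALLOWED_TCP; do
        printf '%s\n' "-A INPUT -p tcp --dport $port -m conntrack --ctstate NEW -j ACCEPT"
    done
    # Log (rate-limited) what the DROP policy is about to discard.
    printf '%s\n' '-A INPUT -m limit --limit 3/min -j LOG --log-prefix "fw-drop: "'
    printf '%s\n' 'COMMIT'
}

# Load the ruleset atomically (root required). iptables-restore replaces the
# whole filter table in one step, so a typo cannot leave you half-configured.
apply_rules() {
    gen_rules | iptables-restore
}

# Returns 0 if the generated ruleset opens a TCP port to new connections.
port_allowed() {
    gen_rules | grep -q -- "--dport $1 "
}

gen_rules
```

Review the printed rules before running apply_rules; if you manage the machine over ssh, keep 22 in ALLOWED_TCP or you will lock yourself out.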
Disable root login / su - and implement sudo. sudo grants privileged access as required, logs each privileged command, and ties every action to a specific individual. It also avoids shared root accounts, which make it harder to deprovision one person's access or to contain an incident involving compromised credentials. Many Linux distributions already lock the root account and force the use of sudo. If the distribution you are using does not, install the sudo package, configure it appropriately, and lock the root password (passwd -l root) so that "su -" can no longer be used to become root. When granting sudo for individual commands, remember that bash, vi, less and other programs that can shell out give the user a root shell; prefer sudoedit for editing files and the NOEXEC tag for commands that must not spawn child processes.
Disable / remove guest and default accounts. Best practice is to not allow guest, default, or shared accounts access to the workstation. Verify that there are no suspicious accounts in the /etc/passwd file, in particular no second account with UID 0. Older Ubuntu releases that use the LightDM display manager enable a guest session by default; to turn it off, edit the /etc/lightdm/lightdm.conf file and add the following line under the [SeatDefaults] heading (typically the end of the file):
allow-guest=false
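An account audit covering the two items above (root/sudo and guest/default accounts), as an added example that is not part of the ITS page. The passwd, shadow and sudoers files it reads are constructed for the demonstration; run the same functions against /etc/passwd, /etc/shadow and /etc/sudoers (as root) to audit a real host. The list of "guest-like" account names and of programs with shell escapes is a heuristic of my own, not an exhaustive one.

```shell
#!/bin/sh
# Added example (not from the ITS page): audit the local account database for
# extra UID-0 logins, guest/default accounts, an unlocked root password,
# passwordless accounts, and sudoers rules that hand out programs with shell
# escapes. The passwd, shadow and sudoers files below are constructed for the
# demo; point the functions at the real files (as root) on a live system.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

cat > "$WORK/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
guest:x:1001:1001:Guest session:/home/guest:/bin/bash
toor:x:0:0:second root:/root:/bin/sh
EOF
cat > "$WORK/shadow" <<'EOF'
root:$6$saltsalt$notarealhash:19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
alice:$6$saltsalt$notarealhash:19000:0:99999:7:::
guest::19000:0:99999:7:::
toor:!:19000:0:99999:7:::
EOF
cat > "$WORK/sudoers" <<'EOF'
# Weak: inside vi, ":!/bin/sh" gives alice an interactive root shell.
alice ALL=(root) /usr/bin/vi /etc/hosts
# Hardened: sudoedit copies the file and runs the editor as alice, not root.
alice ALL=(root) sudoedit /etc/hosts
# Hardened: NOEXEC stops less from spawning child processes (no "!sh").
alice ALL=(root) NOEXEC: /usr/bin/less /var/log/syslog
EOF

# Any UID-0 account besides root is a second root login (prints its name).
extra_uid0() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# Accounts with a login shell and a name typical of guest/demo accounts.
guest_accounts() {
    awk -F: '$7 !~ /(nologin|false)$/ && $1 ~ /^(guest|test|demo|user)$/ { print $1 }' "$1"
}

# An empty password field in shadow means login with no password at all.
passwordless() {
    awk -F: '$2 == "" { print $1 }' "$1"
}

# "Disable root login" means the root entry in shadow is locked ("!" or "*").
# Returns 0 when root is locked, 1 when "su -" with a password still works.
root_locked() {
    awk -F: '$1 == "root" { found = 1; locked = ($2 ~ /^[!*]/) }
             END { exit (found && locked) ? 0 : 1 }' "$1"
}

# Heuristic: rules that run an editor, pager, shell or interpreter as root
# without the NOEXEC tag (sudoedit is not a path, so it is not matched).
sudo_shell_escapes() {
    grep -v '^[[:space:]]*#' "$1" |
        grep -E '/(vi|vim|nano|less|more|sh|bash|find|awk|perl|python[0-9.]*)( |$)' |
        grep -v 'NOEXEC:'
}

report() {
    echo "UID-0 accounts besides root: $(extra_uid0 "$1/passwd")"
    echo "Guest/default accounts:      $(guest_accounts "$1/passwd")"
    echo "Passwordless accounts:       $(passwordless "$1/shadow")"
    root_locked "$1/shadow" && echo "root: locked" || echo "root: NOT locked (run: passwd -l root)"
    echo "sudoers rules with shell escapes:"
    sudo_shell_escapes "$1/sudoers"
}

report "$WORK"
```

On the sample data the report flags toor (a second UID 0), guest (login shell, empty password), an unlocked root, and the vi rule; the sudoedit and NOEXEC rules pass. Fix findings with userdel, passwd -l, and visudo rather than editing the files by hand.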
Install U-M VPN (Virtual Private Network) software if you expect to use untrusted networks (such as guest wireless in a hotel or coffee shop). Members of the U-M community can download and install the U-M VPN or the one appropriate for their campus. See Use a Secure Internet Connection.
Use full disk encryption for laptops. Full disk encryption prevents unauthorized access to the sensitive data stored on the laptop should it be lost or stolen. Install a version of Linux/Unix that supports full disk encryption (most installers offer LUKS-based encryption as an option), and choose a strong passphrase for it. Note that encryption only protects a machine that is powered off or locked; combine it with the screen lock above.

Use a secure internet connection. Secure networks include wired connections and MWireless.
Turn on the U-M VPN if using untrusted wireless networks (such as guest wireless in a hotel or coffee shop). UMHS faculty and staff should use the UMHS VPN (see above).
Turn off optional network connections (WiFi, Bluetooth) when you are not using them. This prevents unauthorized access to your computer through those connections.

Turn on automatic updating to keep your Linux/Unix operating system updated. Most Linux and Unix distributions provide a way to update the operating system automatically via the Internet (for example unattended-upgrades on Debian/Ubuntu or dnf-automatic on Fedora/RHEL). Consult the documentation for your system to learn how to enable it, and reboot when a kernel update requires it. This provides you with security updates and other improvements.
Keep your applications updated to take advantage of security updates and other improvements. Use automatic updating where available.
Configure system logging (syslog) to help you reconstruct a timeline of events or system activity. This information is important for responding to security incidents or resolving system errors. Logging rules (which facilities and priorities are written where) are specified in /etc/syslog.conf or, on most current distributions, in /etc/rsyslog.conf and /etc/rsyslog.d/; systemd-based systems also keep a binary journal readable with journalctl. Typically, the system stores sequential logs in files located in the /var/log directory; make sure log rotation keeps enough history to cover an investigation.
Configure NTP time synchronization. Many Internet services rely on the computer's clock being accurate, and accurate time/date stamps in logged activity aid forensic analysis and system troubleshooting. Install the ntp package (or chrony, or enable systemd-timesyncd on newer systems) and configure it to use the university's time servers at ntp.itd.umich.edu. Older guides suggest a cron job that runs rdate every four hours; a proper NTP daemon is preferable because it disciplines the clock continuously instead of stepping it.
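A hardened ntp.conf for the classic ntpd, as an added example that is not part of the ITS page. It points at the university time server named above (an assumption that this host name is still correct for your campus; set NTP_SERVER otherwise) and restricts the daemon so the workstation serves time to nobody and cannot be queried or reconfigured from the network.

```shell
#!/bin/sh
# Added example (not from the ITS page): generate a hardened ntp.conf for
# ntpd. Run `gen_ntp_conf > /etc/ntp.conf` as root, restart the ntp service,
# and check synchronization with `ntpq -p`. NTP_SERVER defaults to the
# campus server named on the page (assumption: still the right host).
NTP_SERVER="${NTP_SERVER:-ntp.itd.umich.edu}"

gen_ntp_conf() {
    cat <<EOF
driftfile /var/lib/ntp/ntp.drift
# Poll the campus server; iburst speeds up the first sync after boot.
server $NTP_SERVER iburst
# Default for everyone else: accept time from our configured servers but refuse
# peering, status queries and remote reconfiguration (kod rate-limits abusers).
restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery
# Localhost may still query the daemon, so ntpq -p keeps working.
restrict 127.0.0.1
restrict ::1
EOF
}

# Returns 0 if a config file refuses remote queries (no amplification or recon).
refuses_queries() {
    grep -q '^restrict default .*noquery' "$1"
}

gen_ntp_conf
```

The restrict lines matter: an ntpd that answers status queries from anyone can be used in amplification attacks and leaks information about your host.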
Only install trusted applications. Only install applications from reputable software providers; prefer your distribution's signed package repositories, and verify the checksum or signature of anything you download directly.
Be aware that certain types of sensitive data (such as Export Control, HIPAA, and FISMA) cannot be accessed or maintained outside the U.S. See the Sensitive Data Guide for details.
Before you sell or give away your computer, erase the hard drive securely. See Remove Data from a Hard Drive.
Report security incidents. If you use your computer to maintain or access sensitive institutional data and it is lost or stolen, notify the ITS Service Center.

Instructions for security settings and tips for protecting your Linux/Unix computer are available from various vendors:


Additional Best Practices

Consider these additional options for enhanced security for your computer and the data maintained on or accessed from it.

  • Back up your data. Always keep a backup copy of files you do not wish to lose. Hard drives wear out and fail. Devices can be lost or stolen. The university offers several file storage options you can use. Check the Sensitive Data Guide to see which services are appropriate for certain types of sensitive institutional data.
  • Choose web browser security settings that protect your privacy and enhance security.
  • Protect yourself online. Learn about strong passwords, how to protect your identity, how to avoid phishing scams, and more.
  • Put a sticker on your computer with your name and contact information. This low-tech, practical step enables somebody to contact you if they find your lost computer.
  • Register your devices. The U-M Police Department offers a free laptop and personal electronics registration program to members of the U-M community to deter theft and assist in the recovery of stolen property.
  • Traveling with technology. Take precautions when you are away from home to protect your privacy and the university's sensitive data.
  • Use brute-force detection by installing DenyHosts or Fail2ban. These tools monitor your logs for repeated failed remote login attempts and temporarily block the offending addresses, blunting password-guessing attacks. They complement the firewall rules above rather than replace them.
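The log analysis behind the two points above (reconstructing a timeline from syslog, and spotting the repeated failures that Fail2ban bans), as an added example that is not part of the ITS page. The log lines are constructed for the demonstration in OpenSSH's and sudo's standard message format; on a real system read /var/log/auth.log (Debian/Ubuntu), /var/log/secure (Fedora/RHEL) or journalctl -u ssh. The five-failure threshold is an assumption that mirrors Fail2ban's default maxretry.

```shell
#!/bin/sh
# Added example (not from the ITS page): reconstruct a login timeline from
# syslog-style auth messages and flag the repeated failures a Fail2ban sshd
# jail would ban. The log lines are constructed for the demo; on a real host
# read /var/log/auth.log, /var/log/secure or `journalctl -u ssh`. THRESHOLD
# mirrors Fail2ban's default maxretry (assumption).
LOG=$(mktemp)
trap 'rm -f "$LOG"' EXIT
cat > "$LOG" <<'EOF'
Mar  3 09:14:01 ws1 sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 50122 ssh2
Mar  3 09:14:03 ws1 sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 50122 ssh2
Mar  3 09:14:06 ws1 sshd[1203]: Failed password for root from 203.0.113.7 port 50130 ssh2
Mar  3 09:14:09 ws1 sshd[1205]: Failed password for root from 203.0.113.7 port 50131 ssh2
Mar  3 09:14:12 ws1 sshd[1207]: Failed password for alice from 203.0.113.7 port 50133 ssh2
Mar  3 09:14:15 ws1 sshd[1209]: Failed password for alice from 203.0.113.7 port 50134 ssh2
Mar  3 09:20:44 ws1 sshd[1250]: Accepted publickey for alice from 192.0.2.10 port 41022 ssh2: ED25519 SHA256:abc
Mar  3 09:21:02 ws1 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/apt update
Mar  3 09:30:17 ws1 sshd[1302]: Failed password for alice from 192.0.2.10 port 41030 ssh2
EOF
THRESHOLD=5

# Count failed SSH logins per source address, highest first ("count ip").
failed_by_ip() {
    grep 'sshd\[' "$1" | grep 'Failed password' |
        awk '{ for (i = 1; i <= NF; i++) if ($i == "from") print $(i + 1) }' |
        sort | uniq -c | sort -rn
}

# Addresses at or above the threshold: what a Fail2ban sshd jail would ban.
ban_candidates() {
    failed_by_ip "$1" | awk -v t="$THRESHOLD" '$1 + 0 >= t + 0 { print $2 }'
}

# Chronological list of authentication events: timestamp | message, covering
# ssh logins (accepted or failed) and every sudo invocation.
timeline() {
    awk '/sshd\[.*(Accepted|Failed)/ || /sudo:/ {
        ts = $1 " " $2 " " $3
        sub(/^[^ ]+ +[^ ]+ [^ ]+ [^ ]+ /, "")
        print ts " | " $0
    }' "$1"
}

echo "== timeline =="
timeline "$LOG"
echo "== failed logins by source =="
failed_by_ip "$LOG"
echo "== would be banned =="
ban_candidates "$LOG"
```

In the sample, 203.0.113.7 fails six times in fifteen seconds against three different usernames (the classic spray pattern) and is the only ban candidate; alice's single typo from 192.0.2.10 stays below the threshold, which is why the threshold exists. Reading the timeline also shows that the successful login and the sudo command came from a different address than the attack, a distinction an investigator needs before concluding the account was compromised.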