LinuxQuestions.org


edbarx 04-08-2012 05:24 AM

Hardening Debian (Wheezy) on the desktop with KDE.
 
I would like to ask how Debian should be hardened on the desktop. By hardened, I am referring to security on the network including the Internet.

Is it possible for an attacker to read files stored on a remote Debian system? How secure is Web-browsing? Is it possible for a malicious web-page to change settings in /etc and replace executables?


Thanks.

craigevil 04-08-2012 11:07 AM

Quote:

Is it possible for an attacker to read files stored on a remote Debian system?
Only if you leave all your ports open. If you are running a server make sure ssh is passphrase protected and you close unused ports. Use a firewall.

Quote:

How secure is Web-browsing?
As secure as you make it. Don't run as root. If you use Iceweasel/Firefox use NoScript and AdblockPlus to block crap.

Quote:

Is it possible for a malicious web-page to change settings in /etc and replace executables?
Only if you are running a web browser as root. Which no one in their right mind would do. Or run an irc client as root. Basically do not run any app as root that connects to the net other than the few security apps like nessus, nmap, and similar apps.

If you are using a router, make sure it has a firewall and it is set up properly; if not, use something like UFW to set up iptables.

1) disable any services you do not need
2) keep your system updated, especially the kernel and web browsers
3) never run web apps as root
4) use a firewall of some type
5) do not use telnet or other protocols that send info as plain text
6) be paranoid

Even though it is a bit dated, the harden-doc and harden packages are still worth using.

harden-doc - Useful documentation to secure a Debian system
bastille - Security hardening tool
harden - Makes your system hardened
harden-clients - Avoid clients that are known to be insecure
harden-environment - Hardened system environment
harden-nids - Harden a system by using a network intrusion detection system
harden-remoteaudit - Audit your remote systems from this host
harden-servers - Avoid servers that are known to be insecure
harden-surveillance - Check services and/or servers automatically
harden-tools - Tools to enhance or analyze the security of the local system


You may want to take a look at:
Security and Privacy on the Internet - https://www.linuxquestions.org/quest...internet-3080/

Grokking Debian GNU/Linux - https://www.linuxquestions.org/quest...nu-linux-3073/

edbarx 04-08-2012 12:52 PM

Quote:

disable any services you do not need
I never succeeded in doing that properly. In fact, when Lavene (a former forums.debian.net admin) was still using the mentioned forums, I tried to disable services and the result was a damaged system. Unfortunately, the only solution was to reinstall.

craigevil 04-08-2012 01:42 PM

First, know what you are disabling; Google a process if you aren't sure what it is.

You can use sysv-rc-conf to disable them.

It used to be back in the day with Sarge and KDE I could get it down to around 45-50 running processes, now on sid with kde4 the best I can do is around 120+.
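
As an added example that is not part of the original thread: one way to see which services actually accept connections from the network before deciding what to disable. It filters `ss -tulnp` output down to sockets not bound to loopback; the function names and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): show which listening sockets are
# reachable from the network, reading `ss -tulnp` output on stdin.

exposed_listeners() {
    awk '
    $2 == "LISTEN" || $2 == "UNCONN" {
        laddr = $5
        # Split addr:port at the last colon (IPv6 addresses contain colons).
        n = match(laddr, /:[^:]*$/)
        addr = substr(laddr, 1, n - 1)
        port = substr(laddr, n + 1)
        sub(/%.*/, "", addr)      # drop an interface scope such as %lo
        sub(/^\[/, "", addr)      # drop IPv6 brackets
        sub(/\]$/, "", addr)
        if (addr ~ /^127\./ || addr == "::1") next   # loopback only
        # Owning process: first quoted name in the users:((...)) column,
        # which ss only fills in when run as root.
        proc = "unknown"
        if (match($0, /users:\(\("[^"]+"/))
            proc = substr($0, RSTART + 9, RLENGTH - 10)
        print $1, port, proc
    }' | LC_ALL=C sort -u
}

# Constructed sample input, not captured from a real host.
sample_ss_output() {
    cat <<'EOF'
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
tcp   LISTEN 0      128    0.0.0.0:22         0.0.0.0:*  users:(("sshd",pid=612,fd=3))
tcp   LISTEN 0      128    127.0.0.1:631      0.0.0.0:*  users:(("cupsd",pid=701,fd=7))
tcp   LISTEN 0      20     [::1]:25           [::]:*     users:(("exim4",pid=900,fd=4))
tcp   LISTEN 0      128    [::]:111           [::]:*     users:(("rpcbind",pid=480,fd=8))
tcp   LISTEN 0      64     0.0.0.0:2049       0.0.0.0:*
udp   UNCONN 0      0      127.0.0.53%lo:53   0.0.0.0:*  users:(("systemd-resolve",pid=300,fd=12))
udp   UNCONN 0      0      0.0.0.0:5353       0.0.0.0:*  users:(("avahi-daemon",pid=540,fd=12))
EOF
}

sample_ss_output | exposed_listeners
```

On a real system, run `ss -tulnp | exposed_listeners` as root so the process column is populated.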

craigevil 04-08-2012 06:49 PM

One of the first things I do on a new install is install and configure Bastille and a firewall.
UFW is reasonably simple to use.

The ufw kde module is nice since it gives you a gui in SystemSettings.
UFW KControl Module KDE-Apps.org - http://kde-apps.org/content/show.php?content=137789

Next, set up tripwire and tiger; put the tripwire data on a USB drive.

If you run Stable it wouldn't hurt to install unattended-upgrades and/or use debsecan with a script to download/install security updates.

But then again I am paranoid. :P

edbarx 04-09-2012 12:52 AM

I installed arno-iptables-firewall because I used it in the past.


All times are GMT -5.