LinuxQuestions.org
Old 04-08-2012, 05:24 AM   #1
edbarx
Member
 
Registered: Sep 2010
Distribution: Used Debian since Sarge. (~2005)
Posts: 336

Rep: Reputation: 18
Hardening Debian (Wheezy) on the desktop with KDE.


I would like to ask how Debian should be hardened on the desktop. By hardened, I am referring to security on the network, including the Internet.

Is it possible for an attacker to read files stored on a remote Debian system? How secure is Web-browsing? Is it possible for a malicious web-page to change settings in /etc and replace executables?


Thanks.

Last edited by edbarx; 04-08-2012 at 05:46 AM.
 
Old 04-08-2012, 11:07 AM   #2
craigevil
Senior Member
 
Registered: Apr 2005
Location: OZ
Distribution: Debian Sid
Posts: 4,732
Blog Entries: 12

Rep: Reputation: 456
Quote:
Is it possible for an attacker to read files stored on a remote Debian system?
Only if you leave all your ports open. If you are running a server make sure ssh is passphrase protected and you close unused ports. Use a firewall.

Quote:
How secure is Web-browsing?
As secure as you make it. Don't run as root. If you use Iceweasel/Firefox use NoScript and AdblockPlus to block crap.

Quote:
Is it possible for a malicious web-page to change settings in /etc and replace executables?
Only if you are running a web browser as root. Which no one in their right mind would do. Or run an IRC client as root. Basically, do not run any app as root that connects to the net other than the few security apps like nessus, nmap, and similar apps.

If you are using a router, make sure it has a firewall and it is set up properly; if not, use something like UFW to set up iptables.

1) disable any services you do not need
2) keep your system updated, especially the kernel and web browsers
3) never run web apps as root
4) use a firewall of some type
5) do not use telnet or other protocols that send info as plain text
6) be paranoid

Even though it is a bit dated, the harden-doc and harden packages are still worth using.

harden-doc - Useful documentation to secure a Debian system
bastille - Security hardening tool
harden - Makes your system hardened
harden-clients - Avoid clients that are known to be insecure
harden-environment - Hardened system environment
harden-nids - Harden a system by using a network intrusion detection system
harden-remoteaudit - Audit your remote systems from this host
harden-servers - Avoid servers that are known to be insecure
harden-surveillance - Check services and/or servers automatically
harden-tools - Tools to enhance or analyze the security of the local system


You may want to take a look at:
Security and Privacy on the Internet - https://www.linuxquestions.org/quest...internet-3080/

Grokking Debian GNU/Linux - https://www.linuxquestions.org/quest...nu-linux-3073/
 
Old 04-08-2012, 12:52 PM   #3
edbarx
Member
 
Registered: Sep 2010
Distribution: Used Debian since Sarge. (~2005)
Posts: 336

Original Poster
Rep: Reputation: 18
Quote:
disable any services you do not need
I never succeeded in doing that properly. In fact, when Lavene (a former forums.debian.net admin) was still using the mentioned forums, I tried to disable services and the result was a damaged system. Unfortunately, the only solution was to reinstall.
 
Old 04-08-2012, 01:42 PM   #4
craigevil
Senior Member
 
Registered: Apr 2005
Location: OZ
Distribution: Debian Sid
Posts: 4,732
Blog Entries: 12

Rep: Reputation: 456
First, know what you are disabling; Google a process if you aren't sure what it is.

You can use sysv-rc-conf to disable them.

It used to be back in the day with Sarge and KDE I could get it down to around 45-50 running processes, now on sid with kde4 the best I can do is around 120+.
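
An added example (not part of the original posts) of checking what is actually listening before disabling a service or closing a port, as the replies above advise: it reads `ss -tulnp` output and prints protocol/port, bind address and owning process for every socket not bound to loopback. The function names and the sample data are constructed for illustration.

```shell
#!/bin/sh
# Added example: list listening sockets that are reachable from the network,
# so you know which service owns a port before disabling or firewalling it.
# Input: lines in the format printed by `ss -tulnp` (Netid column present).

exposed_listeners() {
    awk '
    $1 == "Netid" || NF < 5 { next }        # skip the header and short lines
    {
        port = $5; sub(/.*:/, "", port)      # text after the last colon
        addr = $5; sub(/:[^:]*$/, "", addr)  # everything before it
        # Loopback-only listeners cannot be reached from other hosts.
        if (addr ~ /^127\./ || addr == "[::1]" || addr == "::1") next
        proc = "unknown"                     # ss omits names without -p/root
        if (match($0, /users:\(\("[^"]+"/))
            proc = substr($0, RSTART + 9, RLENGTH - 10)
        print $1 "/" port, addr, proc
    }' | sort -u
}

# Constructed sample of `ss -tulnp` output (not captured from a real host).
sample_ss_output() {
    cat <<'EOF'
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
udp   UNCONN 0      0      0.0.0.0:68         0.0.0.0:*         users:(("dhclient",pid=501,fd=6))
tcp   LISTEN 0      128    127.0.0.1:631      0.0.0.0:*         users:(("cupsd",pid=702,fd=7))
tcp   LISTEN 0      128    0.0.0.0:22         0.0.0.0:*         users:(("sshd",pid=612,fd=3))
tcp   LISTEN 0      128    [::1]:631          [::]:*            users:(("cupsd",pid=702,fd=6))
tcp   LISTEN 0      128    [::]:22            [::]:*            users:(("sshd",pid=612,fd=4))
EOF
}

# Offline demonstration; on a real system run: ss -tulnp | exposed_listeners
sample_ss_output | exposed_listeners
```

Each line of output is a service to either keep and firewall deliberately, rebind to loopback, or disable; cupsd does not appear in the sample result because it listens on loopback only.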
 
Old 04-08-2012, 06:49 PM   #5
craigevil
Senior Member
 
Registered: Apr 2005
Location: OZ
Distribution: Debian Sid
Posts: 4,732
Blog Entries: 12

Rep: Reputation: 456
One of the first things I do on a new install is install and configure Bastille and a firewall.
UFW is reasonably simple to use.

The ufw kde module is nice since it gives you a GUI in SystemSettings.
UFW KControl Module KDE-Apps.org - http://kde-apps.org/content/show.php?content=137789

Next, set up tripwire and tiger; put the tripwire data on a USB drive.

If you run Stable it wouldn't hurt to install unattended-upgrades and/or use debsecan with a script to download/install security updates.

But then again I am paranoid. :P
 
Old 04-09-2012, 12:52 AM   #6
edbarx
Member
 
Registered: Sep 2010
Distribution: Used Debian since Sarge. (~2005)
Posts: 336

Original Poster
Rep: Reputation: 18
I installed arno-iptables-firewall because I used it in the past.
 
  


All times are GMT -5. The time now is 06:31 AM.

Main Menu
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration