LinuxQuestions.org
Latest LQ Deal: Linux Power User Bundle
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Newbie
User Name
Password
Linux - Newbie This Linux forum is for members that are new to Linux.
Just starting out and have a question? If it is not in the man pages or the how-to's this is the place!

Notices


Reply
  Search this Thread
Old 01-23-2014, 02:10 PM   #1
Amanda_L
LQ Newbie
 
Registered: Oct 2013
Posts: 21

Rep: Reputation: Disabled
How to lock my Linux box?


I was thinking what is the best way to secure my Arch install, but many tutorials devirge from the others, which makes decision making a hard thing.
Right now I don't have a firewall configured, but I intend to do so. I visit a lot of websites that might want to harm my install, and I have a "nerdy" friend who claims all he needs to invade my install is my IP adress, which I hardly doubt he can.

I intend to use ufw with DENY to all incoming. I tested it and everything I have (Steam, for instance) worked just fine. But I read ufw is not that good and that I need more tweaking in order to be completely protected.

So, what do I do? What programs to use? How to properly lock down my install to the point where only Linus or a very acknowledged programmer might be able to invade Linux installs just by getting your IP when you visit their pages?
 
Old 01-23-2014, 05:49 PM   #2
ukiuki
Senior Member
 
Registered: May 2010
Location: Planet Earth
Distribution: Debian
Posts: 1,030

Rep: Reputation: 380Reputation: 380Reputation: 380Reputation: 380
By lock you mean not letting anybody use your computer? That can be achieve by a screensaver+password feature for example, or to put a password to access the BIOS and or computer.
Now when it comes to security we do block the remote access to it by installing a firewall, it is a good thing that everyone should have to have a minimum protection, here in this link you can find valuable information about all that.

Regards
 
1 members found this post helpful.
Old 01-23-2014, 06:44 PM   #3
haertig
Senior Member
 
Registered: Nov 2004
Distribution: Debian, Ubuntu, LinuxMint, Slackware, SysrescueCD
Posts: 2,114

Rep: Reputation: 330Reputation: 330Reputation: 330Reputation: 330
With physical access to your computer, there's no way you can lock things down. The best you can do is encrypt your data so that crooks short of the NSA won't be able to read it even if they can access it.

Ignoring the physical access method to breech all your security, about the only way to be truly secure is to disconnect from any and all networks. But that is impractical for 99.99% of computer users. You will be more secure with an external, dedicated, hardware, physical firewall device than you will be with firewall software running on the box you are trying to protect. That's expensive and overkill for 99.99% of computer users.

So to be somewhat practical (for home users), I would say put yourself behind a good quality NAT router (helps a little, but not for the really bad guys), shutdown all services on your box except SSH, keep SSH updated and configured securely, and configure it to only allow pubkey authentication (no password authentication allowed). Configure it to only allow one user - YOU - to have access. Only allow a bare minimum number of userids on your system, and make them "no password" so you can't login to them. For the ones that have to be logged in to, enforce very strong passwords. If you must run network services, run them only on the localhost interface and access them from the outside by tunnelling in over SSH. Encrypt all your user data. Be diligent about backups - do them frequently, automated (with verification), and store the backups (encrypted) off-site. Have multiple layers of backups so you never have to depend on the most recent one as your only one.
 
2 members found this post helpful.
Old 01-23-2014, 08:44 PM   #4
Nbiser
Member
 
Registered: Oct 2012
Location: Maryland
Distribution: Fedora, Slackware, Debian, Ubuntu, Knoppix, Helix,
Posts: 302
Blog Entries: 7

Rep: Reputation: 44
It depends on whether you are talking about physical or internet security. Physical security is quite easy: all that you have to do is encrypt your hard drive and give your cmos a password, and also use a cmos password for access to your computer.

As far as security on the internet goes, a good firewall is just about the best you can do, as the other posters have said.

Cheers,
Nbiser
 
1 members found this post helpful.
Old 01-23-2014, 11:04 PM   #5
Amanda_L
LQ Newbie
 
Registered: Oct 2013
Posts: 21

Original Poster
Rep: Reputation: Disabled
ukiuki, I was talking about online security with Linux
Thanks for the link. I'll give it a read.

haertig, thanks. I already encrypt my drive with twofish-xts-plain64 and 64-bit (random characters) password. I also keep backups of my MBR and /boot partition.

Could you point me to how to do what you said?

Nbiser, what are good firewalls and how to configure them properly? (Don't need to explain the whole thing, just point me to the right directions). I use ufw with 'deny all incoming'. How better than that can I get?
 
1 members found this post helpful.
Old 01-23-2014, 11:17 PM   #6
jamison20000e
Senior Member
 
Registered: Nov 2005
Location: ...uncanny valley... infinity\1975; (randomly born:) Milwaukee, WI, US, Earth, end border$! ◣◢┌∩┐ Fe26-E,e...
Distribution: any GPL that works well on my cheapest, has been KDE or CLI but open... http://goo.gl/NqgqJx &c ;-)
Posts: 3,094
Blog Entries: 2

Rep: Reputation: 840Reputation: 840Reputation: 840Reputation: 840Reputation: 840Reputation: 840Reputation: 840
I've been using and liking Firewalled and Gufw, hope it's OK to run more than one or two...
http://www.thegeekstuff.com/2010/02/...nux-firewalls/
 
1 members found this post helpful.
Old 01-23-2014, 11:33 PM   #7
Amanda_L
LQ Newbie
 
Registered: Oct 2013
Posts: 21

Original Poster
Rep: Reputation: Disabled
I'm not sure if using two firewalls would increase security, so personally I wouldn't. Unless I studied how both behaved and did some penetration tests so see if any breach is present.

I'm starting to consider using iptables, with no GUI. But if 'ufw + deny all' is enough then I'm going with that.
 
1 members found this post helpful.
Old 01-24-2014, 02:36 AM   #8
mariose
Member
 
Registered: May 2013
Location: South Africa
Distribution: Debian
Posts: 176
Blog Entries: 1

Rep: Reputation: 7
Hi,

You may want to look into DansGaurdian or Squid which should be available in your package repositories.

There is also an OpenDNS alternative www.opendns.com

Regards
Marios

Last edited by mariose; 01-24-2014 at 02:36 AM. Reason: URL mistake
 
1 members found this post helpful.
Old 01-24-2014, 02:37 AM   #9
mariose
Member
 
Registered: May 2013
Location: South Africa
Distribution: Debian
Posts: 176
Blog Entries: 1

Rep: Reputation: 7
This will help you http://www.opendns.com/home-internet.../opendns-home/
 
1 members found this post helpful.
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
deian yum lock [ ERR] Reading state information E: Could not get lock /var/lock/aptit jayakumar01 Linux - Server 1 12-05-2011 12:26 PM
Num lock OFF and Caps & Screen Lock ON at Linux startup. Reversing? peteyperson Linux - Newbie 2 02-28-2009 12:44 PM
Accessing WevDav directory on linux box A from linux box B using Ant script. panayoti Linux - Newbie 0 10-08-2006 12:44 AM
ERR Can't get lock mail box in use ukrainet Linux - Newbie 1 11-29-2004 08:34 AM
Screen Lock for Black Box Chijtska Linux - General 3 02-10-2002 12:01 AM


All times are GMT -5. The time now is 10:49 AM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration