LinuxQuestions.org

LinuxQuestions.org (/questions/)
-   Linux - Security (https://www.linuxquestions.org/questions/linux-security-4/)
-   -   Best way for security of my linux PC (xubuntu 14.04)? (https://www.linuxquestions.org/questions/linux-security-4/best-way-for-security-of-my-linux-pc-xubuntu-14-04-a-4175534408/)

james.brown 02-18-2015 08:14 AM
Best way for security of my linux PC (xubuntu 14.04)?
 
1)Disable sudo
2)Set-up password for grub
3)Set-up password for root
4)Set-up passphrase for all operation system for encrypt home directory and all disk.
5)Set-up iptables, for block all incoming traffic, and all outgoig traffic, except 80,443 ports and skype,icq ports.

What else needs to be done in my xubuntu system?

TenTenths 02-18-2015 09:49 AM
Install clamav and rkhunter and run them on a regular (daily?) basis.

cepheus11 02-18-2015 09:53 AM
Disable boot from removable devices.
Set-up password for BIOS changes.

james.brown 02-18-2015 10:22 AM
Quote:
Originally Posted by cepheus11 (Post 5319467)
Disable boot from removable devices.
Set-up password for BIOS changes.
i was do it.

What else needs to be done?

Habitual 02-18-2015 11:26 AM
Quote:
Originally Posted by james.brown (Post 5319484)
i was do it.

What else needs to be done?
It's a good start, but it should be noted "There is no Security without Physical Security.".
Anyone that has physical access to the storage media can bypass any such protections.
Keep updates current.

Short of a Pit Bull with a nasty caffeine withdrawal, I'd say 'check and double check', except
Quote:
Originally Posted by james.brown
5)Set-up iptables
Turn on ufw and/or install gufw

james.brown 02-18-2015 12:37 PM
Habitual, iptables scrippt for security local PC.
Quote:
#!/bin/sh

# iptables dir
IPT="/sbin/iptables"

# interface
INET_IFACE="eth0"

# ports
UNPRIPORTS="1024:65535"

start_fw()
{
# forward traffic with kernel
echo 0 > /proc/sys/net/ipv4/ip_forward

# reset rules
$IPT -F
$IPT -X

# defaults
$IPT -P INPUT DROP
$IPT -P FORWARD DROP
$IPT -P OUTPUT DROP

# allow all traffic with localhost
$IPT -A INPUT -i lo -j ACCEPT
$IPT -A OUTPUT -o lo -j ACCEPT

# if non-localhost traffic, then block him
$IPT -A INPUT -s 127.0.0.1/255.0.0.0 ! -i lo -j DROP

# block non-identified packets
$IPT -A INPUT -m state --state INVALID -j DROP
$IPT -A FORWARD -m state --state INVALID -j DROP

#
$IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

#
#$IPT -t nat -I PREROUTING -i $INET_IFACE -s 10.0.0.1/32 -j ACCEPT

#
# SYN
$IPT -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
$IPT -A OUTPUT -p tcp ! --syn -m state --state NEW -j DROP

# UDP
$IPT -A INPUT -p UDP -s 0/0 --destination-port 138 -j DROP
$IPT -A INPUT -p UDP -s 0/0 --destination-port 113 -j REJECT
$IPT -A INPUT -p UDP -s 0/0 --source-port 67 --destination-port 68 -j ACCEPT
$IPT -A INPUT -p UDP -j RETURN
$IPT -A OUTPUT -p UDP -s 0/0 -j ACCEPT

# ICMP
$IPT -A INPUT --fragment -p ICMP -j DROP
$IPT -A OUTPUT --fragment -p ICMP -j DROP

#
$IPT -A INPUT -p icmp -m icmp -i $INET_IFACE --icmp-type source-quench -j ACCEPT
$IPT -A OUTPUT -p icmp -m icmp -o $INET_IFACE --icmp-type source-quench -j ACCEPT

# allow ping
$IPT -A INPUT -p icmp -m icmp -i $INET_IFACE --icmp-type echo-reply -j ACCEPT
$IPT -A OUTPUT -p icmp -m icmp -o $INET_IFACE --icmp-type echo-request -j ACCEPT

#
$IPT -A INPUT -p icmp -m icmp -i $INET_IFACE --icmp-type parameter-problem -j ACCEPT
$IPT -A OUTPUT -p icmp -m icmp -o $INET_IFACE --icmp-type parameter-problem -j ACCEPT

#
$IPT -A INPUT -p tcp -m tcp -i $INET_IFACE --dport 6000:6063 -j DROP --syn

# $IPT -A INPUT -p tcp -m tcp -m multiport -i $INET_IFACE -j DROP --dports #порта
$IPT -A INPUT -p tcp -m tcp -m multiport -i $INET_IFACE -j DROP --dports 783
$IPT -A INPUT -p tcp -m tcp -m multiport -i $INET_IFACE -j DROP --dports 3310
$IPT -A INPUT -p tcp -m tcp -m multiport -i $INET_IFACE -j DROP --dports 10000

# DNS
$IPT -A OUTPUT -p udp -m udp -o $INET_IFACE --dport 53 --sport $UNPRIPORTS -j ACCEPT
$IPT -A OUTPUT -p tcp -m tcp -o $INET_IFACE --dport 53 --sport $UNPRIPORTS -j ACCEPT
$IPT -A INPUT -p udp -m udp -i $INET_IFACE --dport $UNPRIPORTS --sport 53 -j ACCEPT
$IPT -A INPUT -p tcp -m tcp -i $INET_IFACE --dport 1024:65353 --sport 53 -j ACCEPT

#
$IPT -A OUTPUT -p tcp -m tcp -o $INET_IFACE --dport 113 --sport $UNPRIPORTS -j ACCEPT
$IPT -A INPUT -p tcp -m tcp -i $INET_IFACE --dport $UNPRIPORTS --sport 113 -j ACCEPT ! --syn
$IPT -A INPUT -p tcp -m tcp -i $INET_IFACE --dport 113 -j DROP

# SMTP client (25)
$IPT -A OUTPUT -p tcp -m tcp -o $INET_IFACE --dport 25 --sport $UNPRIPORTS -j ACCEPT
$IPT -A INPUT -p tcp -m tcp -i $INET_IFACE --dport $UNPRIPORTS --sport 25 -j ACCEPT ! --syn

# POP3 client (110)
$IPT -A OUTPUT -p tcp -m tcp -o $INET_IFACE --dport 110 --sport $UNPRIPORTS -j ACCEPT
$IPT -A INPUT -p tcp -m tcp -i $INET_IFACE --dport $UNPRIPORTS --sport 110 -j ACCEPT ! --syn

# IMAP4 client (143)
$IPT -A OUTPUT -p tcp -m tcp -o $INET_IFACE --dport 143 --sport $UNPRIPORTS -j ACCEPT
$IPT -A INPUT -p tcp -m tcp -i $INET_IFACE --dport $UNPRIPORTS --sport 143 -j ACCEPT ! --syn

# SSH client (22)
$IPT -A OUTPUT -p tcp -m tcp -o $INET_IFACE --dport 22 --sport $UNPRIPORTS -j ACCEPT
$IPT -A INPUT -p tcp -m tcp -i $INET_IFACE --dport $UNPRIPORTS --sport 22 -j ACCEPT ! --syn
$IPT -A OUTPUT -p tcp -m tcp -o $INET_IFACE --dport 22 --sport 1020:1023 -j ACCEPT
$IPT -A INPUT -p tcp -m tcp -i $INET_IFACE --dport 1020:1023 --sport 22 -j ACCEPT ! --syn

# FPT client (21)
$IPT -A OUTPUT -p tcp -m tcp -o $INET_IFACE --dport 21 --sport $UNPRIPORTS -j ACCEPT
$IPT -A INPUT -p tcp -m tcp -i $INET_IFACE --dport $UNPRIPORTS --sport 21 -j ACCEPT ! --syn

# VNC client (21)
$IPT -A OUTPUT -p tcp -m tcp -o $INET_IFACE --dport 5901 --sport $UNPRIPORTS -j ACCEPT
$IPT -A INPUT -p tcp -m tcp -i $INET_IFACE --dport $UNPRIPORTS --sport 5901 -j ACCEPT ! --syn

# HTTP/HTTPS client (80, 443)
$IPT -A OUTPUT -p tcp -m tcp -m multiport -o $INET_IFACE --sport $UNPRIPORTS -j ACCEPT --dports 80,443
$IPT -A INPUT -p tcp -m tcp -m multiport -i $INET_IFACE --dport $UNPRIPORTS -j ACCEPT --sports 80,443

# finger, whois, gorper, wais. Traceroute
$IPT -A INPUT -p tcp -m tcp -i $INET_IFACE --dport $UNPRIPORTS --sport 20 -j ACCEPT
$IPT -A OUTPUT -p tcp -m tcp -o $INET_IFACE --dport 20 --sport $UNPRIPORTS -j ACCEPT ! --syn
$IPT -A OUTPUT -p tcp -m tcp -o $INET_IFACE --dport $UNPRIPORTS --sport $UNPRIPORTS -j ACCEPT
$IPT -A INPUT -p tcp -m tcp -i $INET_IFACE --dport $UNPRIPORTS --sport $UNPRIPORTS -j ACCEPT ! --syn
$IPT -A OUTPUT -p tcp -m tcp -o $INET_IFACE --dport 23 --sport $UNPRIPORTS -j ACCEPT
$IPT -A INPUT -p tcp -m tcp -i $INET_IFACE --dport $UNPRIPORTS --sport 23 -j ACCEPT ! --syn
$IPT -A OUTPUT -p tcp -m tcp -o $INET_IFACE --dport 79 --sport $UNPRIPORTS -j ACCEPT
$IPT -A INPUT -p tcp -m tcp -i $INET_IFACE --dport $UNPRIPORTS --sport 79 -j ACCEPT ! --syn
$IPT -A OUTPUT -p tcp -m tcp -o $INET_IFACE --dport 43 --sport $UNPRIPORTS -j ACCEPT
$IPT -A INPUT -p tcp -m tcp -i $INET_IFACE --dport $UNPRIPORTS --sport 43 -j ACCEPT ! --syn
$IPT -A OUTPUT -p tcp -m tcp -o $INET_IFACE --dport 70 --sport $UNPRIPORTS -j ACCEPT
$IPT -A INPUT -p tcp -m tcp -i $INET_IFACE --dport $UNPRIPORTS --sport 70 -j ACCEPT ! --syn
$IPT -A OUTPUT -p tcp -m tcp -o $INET_IFACE --dport 210 --sport $UNPRIPORTS -j ACCEPT
$IPT -A INPUT -p tcp -m tcp -i $INET_IFACE --dport $UNPRIPORTS --sport 210 -j ACCEPT ! --syn
$IPT -A OUTPUT -p udp -m udp -o $INET_IFACE --dport 33434:33523 --sport 32769:65535 -j ACCEPT

# DHCP over iptables.
$IPT -A OUTPUT -p udp -m udp -o $INET_IFACE --dport 67 --sport 68 -j ACCEPT
$IPT -A INPUT -p udp -m udp -i $INET_IFACE --dport 68 --sport 67 -j ACCEPT

# network
$IPT -A INPUT -i vboxnet0 -j ACCEPT
$IPT -A OUTPUT -o vboxnet0 -j ACCEPT


}

case "$1" in
start) echo -n "Starting firewall: iptables"
start_fw
echo "."
;;
stop) echo -n "Stopping firewall: iptables"
iptables -F
iptables -X
echo "."
;;
save) echo -n "Saving firewall: iptables"
iptables-save > /etc/rules-save
echo "."
;;
restart) echo -n "Restarting firewall: iptables"
iptables -F
iptables -X
cat /etc/rules-save | iptables-restore
echo "."
;;
reload|force-reload) echo -n "Reloading configuration files for firewall: iptables"
echo "."
;;
*) echo "Usage: /etc/init.d/rc.iptables start|stop|restart|reload|force-reload"
exit 1
;;
esac
exit 0


All times are GMT -5. The time now is 03:44 AM.