LinuxQuestions.org
Latest LQ Deal: Latest LQ Deals
Home Forums Tutorials Articles Register
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
Reload this Page Best way for security of my linux PC (xubuntu 14.04)?
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices


Reply
  Search this Thread
Old 02-18-2015, 08:14 AM   #1
james.brown
Member
 
Registered: Feb 2015
Posts: 40

Rep: Reputation: Disabled
Best way for security of my linux PC (xubuntu 14.04)?

1)Disable sudo
2)Set-up password for grub
3)Set-up password for root
4)Set-up passphrase for all operation system for encrypt home directory and all disk.
5)Set-up iptables, for block all incoming traffic, and all outgoig traffic, except 80,443 ports and skype,icq ports.

What else needs to be done in my xubuntu system?
 
Old 02-18-2015, 09:49 AM   #2
TenTenths
Senior Member
 
Registered: Aug 2011
Location: Dublin
Distribution: Centos 5 / 6 / 7
Posts: 3,475

Rep: Reputation: 1553Reputation: 1553Reputation: 1553Reputation: 1553Reputation: 1553Reputation: 1553Reputation: 1553Reputation: 1553Reputation: 1553Reputation: 1553Reputation: 1553
Install clamav and rkhunter and run them on a regular (daily?) basis.
 
Old 02-18-2015, 09:53 AM   #3
cepheus11
Member
 
Registered: Nov 2010
Location: Germany
Distribution: Gentoo
Posts: 286

Rep: Reputation: 91
Disable boot from removable devices.
Set-up password for BIOS changes.
 
Old 02-18-2015, 10:22 AM   #4
james.brown
Member
 
Registered: Feb 2015
Posts: 40

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by cepheus11 View Post
Disable boot from removable devices.
Set-up password for BIOS changes.
i was do it.

What else needs to be done?
 
Old 02-18-2015, 11:26 AM   #5
Habitual
LQ Veteran
 
Registered: Jan 2011
Location: Abingdon, VA
Distribution: Catalina
Posts: 9,374
Blog Entries: 37

Rep: Reputation: Disabled
Quote:
Originally Posted by james.brown View Post
i was do it.

What else needs to be done?
It's a good start, but it should be noted "There is no Security without Physical Security.".
Anyone that has physical access to the storage media can bypass any such protections.
Keep updates current.

Short of a Pit Bull with a nasty caffeine withdrawal, I'd say 'check and double check', except
Quote:
Originally Posted by james.brown
5)Set-up iptables
Turn on ufw and/or install gufw
Last edited by Habitual; 02-18-2015 at 11:27 AM.
 
Old 02-18-2015, 12:37 PM   #6
james.brown
Member
 
Registered: Feb 2015
Posts: 40

Original Poster
Rep: Reputation: Disabled
Habitual, iptables scrippt for security local PC.
Quote:
#!/bin/sh

# iptables dir
IPT="/sbin/iptables"

# interface
INET_IFACE="eth0"

# ports
UNPRIPORTS="1024:65535"

start_fw()
{
# forward traffic with kernel
echo 0 > /proc/sys/net/ipv4/ip_forward

# reset rules
$IPT -F
$IPT -X

# defaults
$IPT -P INPUT DROP
$IPT -P FORWARD DROP
$IPT -P OUTPUT DROP

# allow all traffic with localhost
$IPT -A INPUT -i lo -j ACCEPT
$IPT -A OUTPUT -o lo -j ACCEPT

# if non-localhost traffic, then block him
$IPT -A INPUT -s 127.0.0.1/255.0.0.0 ! -i lo -j DROP

# block non-identified packets
$IPT -A INPUT -m state --state INVALID -j DROP
$IPT -A FORWARD -m state --state INVALID -j DROP

#
$IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

#
#$IPT -t nat -I PREROUTING -i $INET_IFACE -s 10.0.0.1/32 -j ACCEPT

#
# SYN
$IPT -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
$IPT -A OUTPUT -p tcp ! --syn -m state --state NEW -j DROP

# UDP
$IPT -A INPUT -p UDP -s 0/0 --destination-port 138 -j DROP
$IPT -A INPUT -p UDP -s 0/0 --destination-port 113 -j REJECT
$IPT -A INPUT -p UDP -s 0/0 --source-port 67 --destination-port 68 -j ACCEPT
$IPT -A INPUT -p UDP -j RETURN
$IPT -A OUTPUT -p UDP -s 0/0 -j ACCEPT

# ICMP
$IPT -A INPUT --fragment -p ICMP -j DROP
$IPT -A OUTPUT --fragment -p ICMP -j DROP

#
$IPT -A INPUT -p icmp -m icmp -i $INET_IFACE --icmp-type source-quench -j ACCEPT
$IPT -A OUTPUT -p icmp -m icmp -o $INET_IFACE --icmp-type source-quench -j ACCEPT

# allow ping
$IPT -A INPUT -p icmp -m icmp -i $INET_IFACE --icmp-type echo-reply -j ACCEPT
$IPT -A OUTPUT -p icmp -m icmp -o $INET_IFACE --icmp-type echo-request -j ACCEPT

#
$IPT -A INPUT -p icmp -m icmp -i $INET_IFACE --icmp-type parameter-problem -j ACCEPT
$IPT -A OUTPUT -p icmp -m icmp -o $INET_IFACE --icmp-type parameter-problem -j ACCEPT

#
$IPT -A INPUT -p tcp -m tcp -i $INET_IFACE --dport 6000:6063 -j DROP --syn

# $IPT -A INPUT -p tcp -m tcp -m multiport -i $INET_IFACE -j DROP --dports #порта
$IPT -A INPUT -p tcp -m tcp -m multiport -i $INET_IFACE -j DROP --dports 783
$IPT -A INPUT -p tcp -m tcp -m multiport -i $INET_IFACE -j DROP --dports 3310
$IPT -A INPUT -p tcp -m tcp -m multiport -i $INET_IFACE -j DROP --dports 10000

# DNS
$IPT -A OUTPUT -p udp -m udp -o $INET_IFACE --dport 53 --sport $UNPRIPORTS -j ACCEPT
$IPT -A OUTPUT -p tcp -m tcp -o $INET_IFACE --dport 53 --sport $UNPRIPORTS -j ACCEPT
$IPT -A INPUT -p udp -m udp -i $INET_IFACE --dport $UNPRIPORTS --sport 53 -j ACCEPT
$IPT -A INPUT -p tcp -m tcp -i $INET_IFACE --dport 1024:65353 --sport 53 -j ACCEPT

#
$IPT -A OUTPUT -p tcp -m tcp -o $INET_IFACE --dport 113 --sport $UNPRIPORTS -j ACCEPT
$IPT -A INPUT -p tcp -m tcp -i $INET_IFACE --dport $UNPRIPORTS --sport 113 -j ACCEPT ! --syn
$IPT -A INPUT -p tcp -m tcp -i $INET_IFACE --dport 113 -j DROP

# SMTP client (25)
$IPT -A OUTPUT -p tcp -m tcp -o $INET_IFACE --dport 25 --sport $UNPRIPORTS -j ACCEPT
$IPT -A INPUT -p tcp -m tcp -i $INET_IFACE --dport $UNPRIPORTS --sport 25 -j ACCEPT ! --syn

# POP3 client (110)
$IPT -A OUTPUT -p tcp -m tcp -o $INET_IFACE --dport 110 --sport $UNPRIPORTS -j ACCEPT
$IPT -A INPUT -p tcp -m tcp -i $INET_IFACE --dport $UNPRIPORTS --sport 110 -j ACCEPT ! --syn

# IMAP4 client (143)
$IPT -A OUTPUT -p tcp -m tcp -o $INET_IFACE --dport 143 --sport $UNPRIPORTS -j ACCEPT
$IPT -A INPUT -p tcp -m tcp -i $INET_IFACE --dport $UNPRIPORTS --sport 143 -j ACCEPT ! --syn

# SSH client (22)
$IPT -A OUTPUT -p tcp -m tcp -o $INET_IFACE --dport 22 --sport $UNPRIPORTS -j ACCEPT
$IPT -A INPUT -p tcp -m tcp -i $INET_IFACE --dport $UNPRIPORTS --sport 22 -j ACCEPT ! --syn
$IPT -A OUTPUT -p tcp -m tcp -o $INET_IFACE --dport 22 --sport 1020:1023 -j ACCEPT
$IPT -A INPUT -p tcp -m tcp -i $INET_IFACE --dport 1020:1023 --sport 22 -j ACCEPT ! --syn

# FPT client (21)
$IPT -A OUTPUT -p tcp -m tcp -o $INET_IFACE --dport 21 --sport $UNPRIPORTS -j ACCEPT
$IPT -A INPUT -p tcp -m tcp -i $INET_IFACE --dport $UNPRIPORTS --sport 21 -j ACCEPT ! --syn

# VNC client (21)
$IPT -A OUTPUT -p tcp -m tcp -o $INET_IFACE --dport 5901 --sport $UNPRIPORTS -j ACCEPT
$IPT -A INPUT -p tcp -m tcp -i $INET_IFACE --dport $UNPRIPORTS --sport 5901 -j ACCEPT ! --syn

# HTTP/HTTPS client (80, 443)
$IPT -A OUTPUT -p tcp -m tcp -m multiport -o $INET_IFACE --sport $UNPRIPORTS -j ACCEPT --dports 80,443
$IPT -A INPUT -p tcp -m tcp -m multiport -i $INET_IFACE --dport $UNPRIPORTS -j ACCEPT --sports 80,443

# finger, whois, gorper, wais. Traceroute
$IPT -A INPUT -p tcp -m tcp -i $INET_IFACE --dport $UNPRIPORTS --sport 20 -j ACCEPT
$IPT -A OUTPUT -p tcp -m tcp -o $INET_IFACE --dport 20 --sport $UNPRIPORTS -j ACCEPT ! --syn
$IPT -A OUTPUT -p tcp -m tcp -o $INET_IFACE --dport $UNPRIPORTS --sport $UNPRIPORTS -j ACCEPT
$IPT -A INPUT -p tcp -m tcp -i $INET_IFACE --dport $UNPRIPORTS --sport $UNPRIPORTS -j ACCEPT ! --syn
$IPT -A OUTPUT -p tcp -m tcp -o $INET_IFACE --dport 23 --sport $UNPRIPORTS -j ACCEPT
$IPT -A INPUT -p tcp -m tcp -i $INET_IFACE --dport $UNPRIPORTS --sport 23 -j ACCEPT ! --syn
$IPT -A OUTPUT -p tcp -m tcp -o $INET_IFACE --dport 79 --sport $UNPRIPORTS -j ACCEPT
$IPT -A INPUT -p tcp -m tcp -i $INET_IFACE --dport $UNPRIPORTS --sport 79 -j ACCEPT ! --syn
$IPT -A OUTPUT -p tcp -m tcp -o $INET_IFACE --dport 43 --sport $UNPRIPORTS -j ACCEPT
$IPT -A INPUT -p tcp -m tcp -i $INET_IFACE --dport $UNPRIPORTS --sport 43 -j ACCEPT ! --syn
$IPT -A OUTPUT -p tcp -m tcp -o $INET_IFACE --dport 70 --sport $UNPRIPORTS -j ACCEPT
$IPT -A INPUT -p tcp -m tcp -i $INET_IFACE --dport $UNPRIPORTS --sport 70 -j ACCEPT ! --syn
$IPT -A OUTPUT -p tcp -m tcp -o $INET_IFACE --dport 210 --sport $UNPRIPORTS -j ACCEPT
$IPT -A INPUT -p tcp -m tcp -i $INET_IFACE --dport $UNPRIPORTS --sport 210 -j ACCEPT ! --syn
$IPT -A OUTPUT -p udp -m udp -o $INET_IFACE --dport 33434:33523 --sport 32769:65535 -j ACCEPT

# DHCP over iptables.
$IPT -A OUTPUT -p udp -m udp -o $INET_IFACE --dport 67 --sport 68 -j ACCEPT
$IPT -A INPUT -p udp -m udp -i $INET_IFACE --dport 68 --sport 67 -j ACCEPT

# network
$IPT -A INPUT -i vboxnet0 -j ACCEPT
$IPT -A OUTPUT -o vboxnet0 -j ACCEPT


}

case "$1" in
start) echo -n "Starting firewall: iptables"
start_fw
echo "."
;;
stop) echo -n "Stopping firewall: iptables"
iptables -F
iptables -X
echo "."
;;
save) echo -n "Saving firewall: iptables"
iptables-save > /etc/rules-save
echo "."
;;
restart) echo -n "Restarting firewall: iptables"
iptables -F
iptables -X
cat /etc/rules-save | iptables-restore
echo "."
;;
reload|force-reload) echo -n "Reloading configuration files for firewall: iptables"
echo "."
;;
*) echo "Usage: /etc/init.d/rc.iptables start|stop|restart|reload|force-reload"
exit 1
;;
esac
exit 0
 
  


Reply



Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts
BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
Installing Xubuntu and then Linux Mint. Now my Xubuntu is gone! antonius0809 Linux - Laptop and Netbook 5 04-11-2013 04:10 AM
My wireless networking is disabled after Upgrade from Xubuntu 11.10 to Xubuntu 12.04 vutar Linux - Laptop and Netbook 8 10-22-2012 02:42 AM

LinuxQuestions.org > Forums > Linux Forums > Linux - Security

All times are GMT -5. The time now is 07:07 PM.

Contact Us - Advertising Info - Rules - Privacy - LQ Merchandise - Donations - Contributing Member - LQ Sitemap -
Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Open Source Consulting | Domain Registration