Linux - Security: This forum is for all security-related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Almost everything I can find about securing Linux is for servers. My take-away from several books and articles on Linux security is that antivirus programs are pointless and firewalls are practically useless. Aside from those two things, security books focus on protecting the desktop from ignorant/malicious users at the keyboard.
What are the attacks and what is effective in protecting data on a Linux personal computer from online compromise (short of an air gap)?
For particular tools (e.g. firewalls), it would be helpful to find a detailed recipe and explanation of why each setting is useful.
what is effective in protecting data on a Linux personal computer from online compromise (short of an air gap)?
Next to what you rely on architecture-wise in terms of separation of privileges and strong authentication for unprivileged users, one of the common access controls is the firewall, so it isn't completely "useless". And the phrase "online compromise" reminds me more of the SONY or last.fm remote type of compromise, but that may be my interpretation (do correct).
This is IMHO a list (not exhaustive) of stuff everyone must do:
- maintain (configure, update, backup) and properly harden (services, accounts, access controls, audit) all networked devices and at all times,
- use whole disk, partition, file, network connection encryption,
- choose applications that provide end-to-end encrypted communication,
- strengthen applications by disabling problematic features and adding ones that add control,
- do not provide information publicly voluntarily that can be misused,
- do not share passwords between any accounts and use strong passwords,
- do not save passwords on devices or in applications without device or application (master) password encryption,
- use two factor authentication wherever possible,
- use common sense (that what looks too good to be true usually is),
- be aware of anything happening out of the ordinary esp. accessing social media accounts, banking, shopping,
- be interested in how common attacks work,
- never leave devices unattended or unlocked,
- avoid public wifi networks.
Not sure if this is a good start for discussing things. And I'd say half of it is OSI level 8 anyway ;-p
Making a home system secure is not unlike making a server secure. You learn and use as many "best practices" as you can.
It would be great if you ran a dedicated firewall at the perimeter of your home like Untangle maybe.
Even if you use all the known best practices you could still be hacked. The problem with attacks is that the users rarely know about them. Long gone are the days of stupid hackers. The current model is automated and advanced and has a huge database behind them to use for clues.
I will agree with all above and emphasize a couple of points on firewalls. Linux, with its iptables, can have a pretty effective firewall if set up properly. Learning how to use iptables is not difficult. A start, if you have an old computer lying around that still runs, is to set it up as a separate firewall with one of the systems freely available (I use IPCop) and then ALSO program a specific firewall on each of your computers, assuming you have more than one. UFW/GUFW is also a good start for a firewall for a single machine. Most firewalls take the approach of blocking everything inbound, allowing everything outbound, and then allowing inbound traffic that is in response to the outbound. From there you get very specific about what you allow in and out.
As far as viruses go, the reason there is little concern is because there are few viruses and other malware in the wild that affect Linux, partially because it is a smaller target and the primary option (Windows) can be so lucrative so easily. There are programs for Linux, however. I believe Comodo produces one and I think AVG has a Linux version of theirs. Even if a Linux system is hit it is difficult to cause any real damage because of the permission structure. Of course that assumes proper and frequent backups. Encryption is also so easy that important parts of a system or the entire system can be protected to military top secret standards as alluded to above, VeraCrypt for example.
So doing any/all of these things will help and is advisable and is almost effortless. The most important thing, and the most probable vehicle for problems, is to avoid bad human practices. Any chain is only as strong as its weakest link and in computers that weakest link is always the user.
So there is little if any difference between securing a server and securing a desktop. Good practices, firewalls, and some checking for malware if desired is really what is needed. By the way, most people in the Linux community seem to feel that malware checkers/removers are run in Linux to protect Windows users who may get files from a Linux machine.
Distribution: Debian Sid AMD64, Raspbian Wheezy, various VMs
Posts: 7,680
I've rkhunter and tiger running and I like that they are set up to email me alerts so tiger emails me now and again to tell me which processes have been listening on which ports. So far I've not had anything suspicious (well, apart from Chrome and Chromium listen) but it's interesting to know and reminds me to remove avahi-daemon if I inadvertently install it.
The most important thing, and the most probable vehicle for problems, is to avoid bad human practices. Any chain is only as strong as its weakest link and in computers that weakest link is always the user.
I'm starting from the assumption of a competent user in a physically secure location.
A major problem with security advice is that there is no prioritizing. Most of what I see amounts to "do everything you can think of," with no evaluation of the relative importance of things.
The literature on firewalls is a good example of unhelpfulness. I've looked at several books and articles on firewalls and specifically iptables. They give detailed listings of the features, but no explanation of WHICH features are important for particular use cases and WHAT settings are most appropriate. More than anything, I'd like a tutorial with that kind of information.
The literature on firewalls is a good example of unhelpfulness. I've looked at several books and articles on firewalls and specifically iptables. They give detailed listings of the features, but no explanation of WHICH features are important for particular use cases and WHAT settings are most appropriate. More than anything, I'd like a tutorial with that kind of information.
The most standard "use case" for a desktop is allow all outgoing, drop all incoming unless part of an outgoing connection.
However, since Linux makes its terminal so accessible, you may wish to at least allow port 22 for SSH access.
This is an iptables script (placed in /etc/init.d/iptables) I made a while ago that does exactly that.
Feel free to examine / use it. To better understand, you should look up man iptables and look at the flags used.
These scripts can get a lot more complicated, allowing for very diverse use cases. But at a simple level, most computers should be using this. Especially if you connect to public wifi.
Code:
#!/bin/bash -
### BEGIN INIT INFO
# Provides:          iptables
# Required-Start:    $network $remote_fs $syslog
# Required-Stop:     $network $remote_fs $syslog
# Should-Start:      $portmap
# Should-Stop:       $portmap
# X-Start-Before:    nis
# X-Stop-After:      nis
# Default-Start:     2
# Default-Stop:      1
# X-Interactive:     false
# Short-Description: Iptable setup
# Description:       Sets iptable rules
### END INIT INFO

ipt=/sbin/iptables
ruleset=/etc/iptables_ruleset

loadrules() {
    # Reuse the saved ruleset if one exists, otherwise build it from scratch
    if [ -e "$ruleset" ]; then
        iptables-restore < "$ruleset" && exit 0
    fi
    $ipt -F
    $ipt -X
    # Policies and chains: drop everything inbound or forwarded, allow outbound
    $ipt -P INPUT DROP
    $ipt -P FORWARD DROP
    $ipt -P OUTPUT ACCEPT
    $ipt -A INPUT -i lo -j ACCEPT # Allow loopback access
    # Allow RELATED and ESTABLISHED connections, i.e. replies to traffic this
    # host started (the states are defined under conntrack in man iptables-extensions)
    $ipt -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    # Allow inbound SSH
    $ipt -A INPUT -p tcp --dport 22 -j ACCEPT
    iptables-save > "$ruleset"
}

removerules() {
    # Open everything again and flush all rules and user chains
    $ipt -P INPUT ACCEPT
    $ipt -P FORWARD ACCEPT
    $ipt -P OUTPUT ACCEPT
    $ipt -F
    $ipt -X
}

restartrules() {
    # Discard the saved ruleset so loadrules rebuilds it
    rm -f "$ruleset"
    loadrules
}

case "$1" in
    start)
        loadrules
        ;;
    stop)
        removerules
        ;;
    restart)
        restartrules
        ;;
    *)
        echo "Usage: $0 start|stop|restart" >&2
        exit 3
        ;;
esac
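As an added example (not the init script from the post above, and not anything shipped with iptables), here is a generator for the same desktop policy written in iptables-restore(8) format, so the rules can be read as a file before they are loaded. It goes beyond the script in two ways: SSH is only accepted from a LAN prefix and is rate-limited, and the OUTPUT chain is also set to DROP, so only the listed services (and one uid) may connect out, with refused packets logged. The LAN prefix and the uid are constructed arguments.

```shell
#!/bin/sh
# Added example, not the init script from the post above. Emits a ruleset in
# iptables-restore(8) format so it can be reviewed before loading it with
#   iptables-restore < desktop.rules
# Arguments (constructed for illustration): LAN prefix allowed to reach sshd,
# and the uid of one account allowed to make arbitrary outbound connections.
desktop_ruleset() {
    lan="$1"
    backup_uid="$2"
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:LOGDROP - [0:0]
# Loopback, replies to connections this host started, malformed packets
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
# SSH only from the LAN, throttled so password guessing is slowed down
-A INPUT -p tcp --dport 22 -s $lan -m conntrack --ctstate NEW -m limit --limit 5/min --limit-burst 10 -j ACCEPT
# Answer pings from the LAN only
-A INPUT -p icmp --icmp-type echo-request -s $lan -j ACCEPT
-A INPUT -j LOGDROP
# Egress is inspected too: DNS, NTP, HTTP(S) and one uid may go out; anything
# else (mail, IM, DHCP, Steam, ...) must be listed here or it is logged and dropped
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -p udp --dport 53 -j ACCEPT
-A OUTPUT -p udp --dport 123 -j ACCEPT
-A OUTPUT -p tcp -m multiport --dports 80,443 -j ACCEPT
-A OUTPUT -m owner --uid-owner $backup_uid -j ACCEPT
-A OUTPUT -j LOGDROP
# Log a rate-limited sample of refused packets (kernel log), then drop them
-A LOGDROP -m limit --limit 3/min -j LOG --log-prefix "fw-drop: " --log-level 4
-A LOGDROP -j DROP
COMMIT
EOF
}

# Policy of one built-in chain in the generated ruleset (used to sanity-check it)
chain_policy() {
    desktop_ruleset "$1" "$2" | awk -v c=":$3" '$1 == c { print $2 }'
}

# Usage: sh desktop_rules.sh 192.168.1.0/24 1001 > /etc/iptables_ruleset
if [ "$#" -eq 2 ]; then
    desktop_ruleset "$1" "$2"
fi
```

With OUTPUT at DROP, the kernel log lines prefixed `fw-drop:` are what tells you which program tried to connect out and was refused, which is the "control and knowledge" side of running a firewall.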
I don't understand why a firewall is needed. If you're not running any servers then there's nothing listening to open a port, surely?
"Server" should be clarified to a process that is listening on a certain port.
The importance of a firewall in this case is in case some service starts listening to the world and you are not aware of it, you need to opt-in to allow access, not opt-out.
This also applies to computers that are exposed to possibly unknown users (public wifi).
An example I just ran into: turns out Steam opens up listening ports upon opening! These are accessible by anyone that can reach the computer.
I believe they're used for connecting steam instances together (streaming, etc)
I have a laptop and I might use Steam while connected to a public wifi. While it's probably possible to turn off the listening services, trust that Steam has 0 exploits, or not use Steam on a public wifi, I'd rather have a simple firewall I can either disable on my decision or make limited openings to ports.
I don't understand why a firewall is needed. If you're not running any servers then there's nothing listening to open a port, surely?
273, do you use email? Do you get notified when mail arrives? Are you on a network, either Windows or Linux or whatever? Do you get weather alerts? Is your computer clock updated periodically to keep it accurate? Do you use a web browser? What about IM? Do you have MySQL or Postgres running on your computer, even if only for your own use? Have you ever checked to see what ports may be open? How long ago? Does your computer respond to pings? There are many, many things that can open ports without you knowing it, even momentarily. A firewall, although considered a matter of security, is also, and perhaps more importantly, a matter of control and knowledge. With a good firewall you can make certain nothing is listening and no ports are open at any time. Without a good firewall, in my opinion you are just whistling in the dark because you don't really know and wouldn't if something did happen. Did you know, for example, that on most Linux distributions you have a firewall running all the time? It is a kernel module and commonly the program iptables or something similar like UFW/GUFW controls it. The firewall is set up with default policies to apply if no other rules are applied. If no rules have been added, i.e. if the user has not 'turned on' the firewall, those policies are to accept any inbound packets and any outbound packets. Whether there is anything 'listening' on a port, i.e. whether the port is open, is another question. Actually if you do nothing to communicate with another computer at any time, knowingly or unknowingly, being certain with iptables (i.e. the kernel module) is simple - just change all the policies to DROP. Then nothing goes in or out. You may be surprised, though, at what doesn't work right on your computer then.
There is a story of a man who kept snapping his fingers. A friend asked him why. To keep away elephants was the reply. But there are no elephants within a thousand miles his friend assured him. See how well it works? Not running a simple but effective firewall because you don't run a server is sort of like the man snapping his fingers.
I'm completely aware that some processes may be installed which listen as I'm notified when they do.
Code:
# Checking listening processes
OLD: --WARN-- [lin003w] The process `vlc' is listening on socket 8080 (TCP on every interface) is run by myuser.
Yes, I could run a firewall instead but, as mentioned, things like Steam streaming would then stop working until I had messed with them. Also, as mentioned, a firewall is stopping listening processes so there could still be a process "phoning home" that a firewall wouldn't stop and I wouldn't see in my Tiger Auditing Report.
I know, defence in depth and all that but I would expect any malicious server for Linux to include a firewall rule anyhow.
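The check Tiger's `lin003w` report performs above can be reproduced from `ss -tulnp` output. The following is an added example (not part of the post, and not Tiger's own code) that lists every socket listening on a non-loopback address whose protocol/port is not on an allowlist, so a new listener such as Steam's or vlc's shows up at once; the `ss` output embedded in it is constructed sample data.

```shell
#!/bin/sh
# Added example, not part of the post or of Tiger. Reports sockets that listen
# on a non-loopback address and are not on an allowlist, from `ss -tulnp` output.
# Real use:  ss -tulnp | unexpected_listeners "tcp/22 udp/5353"
unexpected_listeners() {
    awk -v allow="$1" '
    BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    $2 == "LISTEN" || $2 == "UNCONN" {
        # Local address is column 5, written host:port; split at the last colon
        if (!match($5, /:[0-9]+$/)) next
        port = substr($5, RSTART + 1)
        host = substr($5, 1, RSTART - 1)
        if (host ~ /^127\./ || host == "[::1]") next   # loopback: not reachable remotely
        key = $1 "/" port
        if (key in ok) next                             # expected listener
        proc = "?"
        if (match($0, /users:\(\("[^"]+"/))
            proc = substr($0, RSTART + 9, RLENGTH - 10) # name inside users:(("...",
        print $1, port, host, proc
    }'
}

# Constructed sample of `ss -tulnp` output (not a real capture)
sample_ss_output() {
    cat <<'EOF'
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
udp   UNCONN 0      0      0.0.0.0:5353      0.0.0.0:*         users:(("avahi-daemon",pid=812,fd=12))
tcp   LISTEN 0      128    127.0.0.1:631     0.0.0.0:*         users:(("cupsd",pid=640,fd=7))
tcp   LISTEN 0      128    0.0.0.0:22        0.0.0.0:*         users:(("sshd",pid=701,fd=3))
tcp   LISTEN 0      5      *:8080            *:*               users:(("vlc",pid=2210,fd=21))
tcp   LISTEN 0      4096   [::1]:25          [::]:*            users:(("master",pid=900,fd=13))
EOF
}

# Run the check on the sample with only sshd allowed: cupsd and the mail
# daemon are loopback-only, so avahi-daemon and vlc are the two flagged
audit_sample() {
    sample_ss_output | unexpected_listeners "tcp/22"
}

count_unexpected() {
    audit_sample | awk 'END { print NR }'
}

audit_sample
```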
From your last post I really think you would profit from reading up a bit more on various firewalls as implemented. Iptables is the one I am most familiar with. It has three permanent chains in the filter table: INPUT, OUTPUT and FORWARD. Packets going out ARE inspected if you tell the firewall to do so. You can use any number of things to determine to block a packet on its way out, as well as in, as well as being forwarded. There are other tables in the firewall that examine and process the packet at other stages of the process. So you can, if you wish, have very fine grained control over what goes in, out or through. The purpose of a firewall is to keep things working that should be working and stop anything else so your comment about Steam is not necessarily accurate. Using a firewall is, of course, strictly up to the user for whatever reasons the user chooses, but I do think it would be wise to understand what they do and don't do. Of course, as I said, that is strictly up to you for whatever reasons.
Quote:
Originally Posted by agillator
From your last post I really think you would profit from reading up a bit more on various firewalls as implemented. Iptables is the one I am most familiar with. It has three permanent chains in the filter table: INPUT, OUTPUT and FORWARD. Packets going out ARE inspected if you tell the firewall to do so. You can use any number of things to determine to block a packet on its way out, as well as in, as well as being forwarded. There are other tables in the firewall that examine and process the packet at other stages of the process. So you can, if you wish, have very fine grained control over what goes in, out or through. The purpose of a firewall is to keep things working that should be working and stop anything else so your comment about Steam is not necessarily accurate. Using a firewall is, of course, strictly up to the user for whatever reasons the user chooses, but I do think it would be wise to understand what they do and don't do. Of course, as I said, that is strictly up to you for whatever reasons.
I wouldn't profit from reading about firewalls because my point is that for a normal desktop system spending hours setting rules for everything then, when installing another program, setting more rules seems massive overkill. And that is the only way that a firewall is really going to be of much help. For the most part people will set up some rules to allow listening for things they need then leave it at that -- meaning that outbound connections can still take place by any process at any point. Also, because of the way Linux works, it's likely that any malicious server process would have been installed deliberately by a person with root access because it was disguised as something else -- with that in mind the process could easily disable or bypass the firewall. Then there's the situation that most home users are sitting behind a NAT of some kind, usually with some kind of simple stateful firewall built in -- heck, read some posts here to find out how many people struggle to connect to server processes they want to expose to the internet.
To me, at least, installing a firewall on a desktop system for a "normal user" is likely not particularly meaningful for the kinds of reasons stated above. That doesn't mean I don't think you should configure a firewall, nor does it mean that I think firewalls can't help; I just think for the most part there's not much benefit.
Making a home system secure is not unlike making a server secure. You learn and use as many "best practices" as you can.
It would be great if you ran a dedicated firewall at the perimeter of your home like Untangle maybe.
Even if you use all the known best practices you could still be hacked. The problem with attacks is that the users rarely know about them. Long gone are the days of stupid hackers. The current model is automated and advanced and has a huge database behind them to use for clues.
^ This.
Even by simply visiting sites one can get infected. Exploits are getting too advanced. I think the desktop environment is not even able to cope (think X server).