Linux - Security: This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
I'm looking for a distribution which is hardened, attack resistant & currently being maintained. I have built & used HLFS & Kevux Turtle, although neither seems to be currently in development. Gentoo Hardened I am very unclear about - is it in current development?
I'm using Slackware atm and am not a sitting duck online 24/7 running servers, so I have been surviving ok using some console & some X apps. I did have to use a power button once this year because something got hijacked, and I'm due an upgrade. What's current & good?
I think it was already explained (even here), several times: there is no good or bad distro, there is no secure or unsafe distro, it always depends on the admin.
In general you should switch off all the services you do not need at all, use a firewall and block everything. The next step would be to allow/start/install/use/configure everything you want/need, but nothing more.
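The advice above ("switch off everything you do not need") is easiest to act on when you can see what is actually listening. The following is an added example, not code from the thread or from any poster: it takes the output of `ss -H -tlnp`, skips loopback-only sockets (they are not reachable from other hosts), and reports every other listener whose port is not on an allowlist you chose. The `ss` sample lines and the allowlist of port 22 are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the thread): report listening TCP sockets that are
# reachable from other hosts and not on an allowlist. Input format is the
# output of `ss -H -tlnp` (header suppressed).

# Constructed sample of `ss -H -tlnp` output; not taken from the original post.
SAMPLE_SS='LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=812,fd=3))
LISTEN 0 128 127.0.0.1:631 0.0.0.0:* users:(("cupsd",pid=640,fd=7))
LISTEN 0 50 0.0.0.0:111 0.0.0.0:* users:(("rpcbind",pid=410,fd=4))
LISTEN 0 4096 0.0.0.0:80 0.0.0.0:* users:(("httpd",pid=905,fd=6))'

# Ports you decided you need (assumption: only ssh). Space-separated list.
ALLOWED_PORTS="22"

# Read ss lines on stdin; print "<port> <address> <process>" for each listener
# that is exposed beyond loopback and whose port is not in the allowlist.
# Usage: ss -H -tlnp | unexpected_listeners "22 443"
unexpected_listeners() {
    allowed="$1"
    while read -r state recvq sendq local peer proc; do
        [ -n "$local" ] || continue
        port="${local##*:}"          # text after the last ':' is the port
        addr="${local%:*}"           # everything before it is the address
        case "$addr" in
            127.*|\[::1\]) continue ;;   # loopback only: not exposed, skip
        esac
        allowed_hit=0
        for p in $allowed; do
            [ "$p" = "$port" ] && allowed_hit=1
        done
        if [ "$allowed_hit" -eq 0 ]; then
            # pull the process name out of users:(("name",pid=...,fd=...))
            name=$(printf '%s' "$proc" | sed 's/.*(("\([^"]*\)".*/\1/')
            printf '%s %s %s\n' "$port" "$addr" "${name:-unknown}"
        fi
    done
}

# Number of exposed-but-unlisted listeners in the sample. Anything non-zero
# is a service to stop, bind to loopback, or block at the firewall.
count_unexpected() {
    printf '%s\n' "$SAMPLE_SS" | unexpected_listeners "$ALLOWED_PORTS" | wc -l | tr -d ' '
}

printf '%s\n' "$SAMPLE_SS" | unexpected_listeners "$ALLOWED_PORTS"
```

On the sample, cupsd on 127.0.0.1:631 is ignored, sshd on 22 is allowed, and rpcbind (111) and httpd (80) are reported. Run it live with `ss -H -tlnp | unexpected_listeners "$ALLOWED_PORTS"` as root so the process column is filled in.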
A man walks into a hardware store and says, "I want to buy a lock that will perfectly secure my house, when I install it on a wooden door beside an open window."
All mainstream distros (and commercial companies like Apple and Microsoft and IBM and so-forth ...) are always following CERT Advisories and other sources of reputable information about vulnerabilities, and promptly issuing fixes to them in the form of updates. You should very-regularly look for and apply (especially) these "security updates."
If "something got hijacked" ... if "something ever got hijacked" ... and especially if you can only refer to it as "something" ... then, yes, your situation is quite vulnerable. But there's no "distro" that will help you, because the basic vulnerability here is ... you.
(And by that I mean no offense whatsoever.)
In the real world of "The Internet," most attacks originate from routine scans of tens of thousands of IP Addresses, looking for a fairly small handful of known "fairly-stupid things that happen a lot." For instance, our servers get probed for phpinfo.php, and so do yours. There are probes looking for evidence of Plesk and other system-management tools, used by people who don't know how to use the command-line, which are known to be a very serious source of vulnerability because they are powerful and they make that power too-accessible to "any web user."
If you directly expose ssh, your machine will be attacked maybe hundreds of times per second, "throwing the entire dictionary at it" if the probe sees the dreaded word, login:
And so on.
Whereas, if you simply take the time to know what is really going on with your systems, and if you take readily-available steps such as I describe in this blog post to close the door (and utterly conceal it ...) from these automated interlopers, it is very probable that attacks and even probes from the outside world will ... "simply stop."
Sometimes, a company faces a deliberate, calculated attack by a knowledgeable enemy who wants to break in and steal the top-secret plans to the Death Star. But, most of the time, the attackers are no more discriminate than a cloud of mosquitoes.
But, the bottom line: it's your system, and you have to do it.
Last edited by sundialsvcs; 11-02-2016 at 09:18 AM.
I don't check for security updates often enough, but was fairly sharp about the vulnerabilities in bash, openssl, & flash. ssh isn't open to the net. I made that mistake, found the logs, and sorted it. I don't run a php server, apache, portmap, or anything else that I can avoid running. All services I try to limit to network, not web. I use web mail, and have the minimum of servers running. I'm not running inetd, samba, nfsd, sendmail, net-snmp, mysqld, saslauthd, NIS, http servers of any variety, or bind. There is consequently less to hack. I accept that I'm the issue, and take no offense, but I'm currently recovering from a stroke, and life isn't how I would have planned it.
The 'something' that got hijacked was one of Pale Moon, Java, Flash (major suspect) or their children on a dodgy website. I can't really stop the flash plugin from being a source of continual grief. Does your general confidence in distros extend to Slackware?
The wifi router runs a dhcp server and is certainly more vulnerable, but I haven't grappled with that yet.
Quote:
The 'something' that got hijacked was one of Pale Moon, Java, Flash (major suspect) or their children on a dodgy website. I can't really stop the flash plugin from being a source of continual grief.
Here's wishes for a speedy recovery!
As for "Java, Flash, and so on," these are all user-land programs. They can't possibly affect the operating system unless your regular login-user is a member of the wheel group. (Enter the groups command on the command-line to find out.)
Membership in wheel makes the user effectively an administrator: able to use the sudo command without restriction. Therefore, "the root password" becomes "your password," and it's usually pretty easy to persuade someone to enter it.
As a blanket statement: always remember that a computer is really-bad at saying "yes," but really-good at saying "no." You should practice religiously the "principle of least privilege." Your everyday user account should be "strictly Billy Bozo," not "Billy Batson": you do not have the ability to say, "Shazam!"
Therefore, it is also impossible for any "rogue software," running under the auspices of your user-id, to take control of your machine, because you have voluntarily imposed upon yourself the restriction that "you can't." And, from the user-ids that can do such things, which you use only for system-maintenance purposes, you never visit web-sites.
Probably the easiest servers to maintain hardening on are RHEL/CentOS, Debian, Ubuntu, and SUSE.
The commercial distros will produce and/or distribute (if the patch comes from upstream) security patches through automated channels.
Slackware doesn't have an automated distribution channel; slackpkg is probably the tool that comes closest, but opinions vary on that question. The Slackware team produces the same patches, rebuilds the software with the patch and updates their repository and the repository's Changelog.txt. What happens next is up to you ('cause it's Slackware, what happens next is always up to you).
A quick read through this thread will give you a better idea of how all that works.
One of the nice things about CentOS (and the rest of the Red Hat family) is the use of Security-Enhanced Linux. Obviously it's available for any Linux, since it's in the kernel, but I suspect that setting it up could get a little messy!
Um, yes, I'm sure I can decrease the privileges of my user, and am probably in too many groups for various reasons.
I will look up that thread, although building from source code isn't scary once you have done LFS
Last edited by business_kid; 11-03-2016 at 03:49 PM.
Although we do have full-blown SELinux, there are also other readily-available technologies such as AppArmor that use the same underlying technologies but which offer a considerably simpler interface.
Quote:
Um, yes, I'm sure I can decrease the privileges of my user, and am probably in too many groups for various reasons.
I will look up that thread, although building from source code isn't scary once you have done LFS
One simple trick is: "your userS!"
On my machines, I have one user for "system maintenance," another for "application maintenance other-than-system," a third for "farting around on LQ," yet another when I have to be (or, to satisfy ...) "the accountant," and others (one-or-more each ...) for various client projects. (Some of these own VirtualBox virtual-machines, and all of the files relating to them.)
You get the idea: "many hats."
So, the operating system's principal job is to keep each of these various identities separate. Only one of them has "elevated system privileges." (The "application maintenance" user is special only in that it belongs to groups that no one else does.) The permissions of my various "home" directories do not allow other users to peer inside at all.
"So you wear many different hats, and each 'hat' has its own private office." And the door to each one is ordinarily locked, even though I of course possess all of the keys. (Nope: every password is different, and nonsensical, and still gets changed regularly.)
Yes, during the course of any workday, I switch between user-ids (and have multiple sessions open) quite routinely. In this way, the computer helps to protect each persona, not only from deliberate malice, but also from (well ...) my own occasional stupidity "oopsie!"
The "principle of least privilege" is further extended to a "principle of least access." When I am doing work for Client-X, it is of course critical that the environment should "see only what Client-X's computers would see," and that the affairs of no other Client should be at-all visible, let alone touchable. This is quite-easily done.
(After all, these systems started out ... in principle, at least ... in University timesharing systems peopled by "very bright students.")
Last edited by sundialsvcs; 11-03-2016 at 09:22 PM.
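The "many hats, each with its own locked office" arrangement above only holds if each persona's home directory really is closed to the others. The script below is an added example, not sundialsvcs's own tooling: it walks a directory of home directories, parses `ls -ld` output (so it needs no GNU-specific `stat` flags), and reports every home whose group or other permission bits are not all cleared. The three sample directories and their modes are constructed in a temporary tree for the demonstration.

```shell
#!/bin/sh
# Added example (not from the thread): report home directories that let group
# members or other users look inside. A per-persona user stays isolated only
# if its home is 0700 (0750 at most, for a trusted group).

# Print "<mode> <path>" for each directory under $1 whose group/other bits are
# not all '-'. Parses `ls -ld` so it works on any Unix-like system.
# Usage: find_open_homes /home
find_open_homes() {
    base="$1"
    for d in "$base"/*/; do
        d="${d%/}"
        [ -d "$d" ] || continue
        mode=$(ls -ld "$d" | cut -c1-10)              # e.g. drwxr-xr-x
        groupother=$(printf '%s' "$mode" | cut -c5-10) # chars 5-10: group+other
        case "$groupother" in
            ------) ;;                                # only the owner gets in
            *) printf '%s %s\n' "$mode" "$d" ;;
        esac
    done
}

# Build a constructed sample tree (not a real /home), run the check, and
# return the number of offenders so the logic can be exercised offline.
demo_open_homes() {
    tmp=$(mktemp -d)
    mkdir "$tmp/sysadmin" "$tmp/client-x" "$tmp/lq-browsing"
    chmod 700 "$tmp/sysadmin"        # private office, door locked: fine
    chmod 750 "$tmp/client-x"        # group can read: flagged
    chmod 755 "$tmp/lq-browsing"     # everyone can read: flagged
    n=$(find_open_homes "$tmp" | wc -l | tr -d ' ')
    rm -rf "$tmp"
    printf '%s\n' "$n"
}

# The fix for each flagged directory is one command: chmod 700 /home/<user>
demo_open_homes
```

The sample reports two of the three homes; on a live system, run `find_open_homes /home` and tighten each result with `chmod 700`.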
Marking this solved because I have enough advice to keep me busy for the foreseeable.
Many thanks to all wishing me a speedy recovery. My stroke was, I believe, a direct consequence of diet (red meat, cheese & other fats/oils) and 50 years on pretty poisonous epilepsy medication. The medication allowed me to feed a family; these are the choices you make.
Here's output from the machine in question:
Code:
bash-4.3$ groups
users root bin lp floppy audio video cdrom plugdev power scanner
I'm not sure I need to be in root's group - I forget what that was for. But I'm not in wheel. I hardly need scanner either - there isn't one! I'm in bin to humour some old utility I installed, which I forget now.
I take the point about userS. Some kind soul rejigged Slackware to be (different) user-per-application and posted a link on this site, but those things never stay up to date. The trouble with users is that if you have more than one thing interacting you complicate life immensely under X. Fine, indeed nearly compulsory, for run level 3 based server stuff, but awkward when you want an X based browser, printer, LibreOffice, Adobe Acrobat, gimp, & usb storage to interact with each other.
OTOH, what the hardened distros offer(ed) was PaX, grsecurity, & SELinux. PaX & grsecurity were not always up to date and protect the kernel; SELinux I always viewed as access control = tie your hands behind your back in case you are tempted to play with yourself :-).
The attack vector coming at me is unwelcome internet traffic which can target Pale Moon (updated today) and one or two other programs. PaX & grsecurity are attempts to stop a program whose security is breached from giving mastery of the system to the hacker. Worthy endeavours, one would think, but no distribution bothers. My user can write to ~/, and external storage, but not anything system related. Nothing goes online as root.
I will inform myself some more, stay with Slackware for the moment, and take advice from this thread to improve housekeeping. I will post afresh if I run into major issues.
Last edited by business_kid; 11-04-2016 at 04:09 PM.
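sundialsvcs's point about the wheel group, and the `groups` output posted above, both come down to the same check: which of an everyday account's memberships grant privilege rather than hardware access. The script below is an added example, not code from either poster: it takes a `groups` line and prints each membership worth a second look with a reason. The privileged-group list and the reasons are my assumptions for a typical Linux box, not a statement about Slackware's defaults, and the input line is a constructed copy of the one in the post.

```shell
#!/bin/sh
# Added example (not from the thread): sort the memberships printed by
# `groups` into those that confer privilege and those that merely grant
# device access. Which groups matter is distro-dependent; the table below is
# an assumption, so confirm against your own /etc/group and sudoers.

# Constructed copy of the groups line posted in the thread.
POSTED_GROUPS="users root bin lp floppy audio video cdrom plugdev power scanner"

# Return 0 and print a reason if $1 is a group worth reviewing, else return 1.
# Reasons are hypothetical, typical-Linux descriptions, not Slackware facts.
reason_for() {
    case "$1" in
        wheel|sudo)          echo "usually grants sudo: effectively an administrator" ;;
        root)                echo "can write any file that is group-root and group-writable" ;;
        disk)                echo "raw access to block devices, bypassing file permissions" ;;
        bin)                 echo "owns system binaries on some systems; rarely needed by a person" ;;
        docker|lxd)          echo "can start containers as root on the host" ;;
        adm|systemd-journal) echo "reads system logs: not admin, but leaks information" ;;
        *)                   return 1 ;;
    esac
}

# Print "group: reason" for each privileged membership in the given list.
# Usage: review_groups "$(groups)"
review_groups() {
    for g in $1; do
        r=$(reason_for "$g") && printf '%s: %s\n' "$g" "$r"
    done
}

# Number of privileged memberships: the figure to drive toward zero for the
# account you browse the web with.
count_privileged() {
    review_groups "$1" | wc -l | tr -d ' '
}

review_groups "$POSTED_GROUPS"
# Removing a membership (as root) is, for example: gpasswd -d <user> root
```

On the posted line the script reports `root` and `bin` and says nothing about `audio`, `video`, `cdrom` and the rest; the audio/video/device groups are about hardware, not administration, and are fine for an everyday account.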