Old 03-29-2009, 10:25 PM   #1
formol
LQ Newbie
 
Registered: Oct 2006
Distribution: Ubuntu
Posts: 5

Rep: Reputation: 0
Security for newbies


Hi,

I've a problem to solve and I hope some of you may help me.

A friend of mine, who is basically ignorant about computers, has high security concerns about his computer. I convinced him to quit Windows and go to Linux.

The perfect distro for him is Ubuntu, but Ubuntu doesn't have a security level like OpenBSD, and I'm not a fully skilled computer security technician myself.

So, I'm trying to figure out what would be the most secure computer/network configuration simply available.

My idea is:

A modem connected to a router, connected to a computer with a secure distro like OpenBSD, with a bridged network connection to another computer with Ubuntu on it.

Would it be a good idea? Would the bridge connection stop any potential intruder, because they would be stopped by OpenBSD, or should I learn how to make a firewall with a computer?

thank you
 
Old 03-29-2009, 11:20 PM   #2
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 380
Your point of view seems to be based on the premise that security is a product. It's not. It's a process, and it's one that never ends. So the first thing you need to do if you really want to help your friend is get rid of the idea that he will be secure because you installed a certain operating system.

What would probably benefit your friend the most is some good instruction on your part on how to go about his Internet activities in a safe manner. You don't need to turn his computer into a digital fortress, a few basic steps can go a long way. Yet you haven't mentioned what threats you are trying to protect your friend from. Without that information, it's not possible for anyone to give you good recommendations about what measures you can take.

Last edited by win32sux; 03-29-2009 at 11:26 PM.
 
Old 03-30-2009, 12:07 AM   #3
formol
LQ Newbie
 
Registered: Oct 2006
Distribution: Ubuntu
Posts: 5

Original Poster
Rep: Reputation: 0
hi win32sux

thank you for replying.

Quote:
Originally Posted by win32sux View Post
Your point of view seems to be based on the premise that security is a product. It's not. It's a process, and it's one that never ends.
I know, I read some text on the internet before posting this and this is what I understand, that it is a process that never ends. The problem is that I cannot be his security administrator. I'm not good enough, and I tell myself that if I do so, I will have to leave a port open for remote control and that is a possible security breach.

Quote:
Originally Posted by win32sux View Post
You don't need to turn his computer into a digital fortress, a few basic steps can go a long way. Yet you haven't mentioned what threats you are trying to protect your friend from.
I know, I didn't mention it. Let's say he is a political activist. And I don't have a clear and direct confirmation of who or what is attacking his computer. But he got a number of hard disk crashes and many unusual viruses, like a dead skull flashing on his monitor.

To make it short, I want to protect his computer against sabotage. I don't really know who is attacking, even if I suspect it, but that's why I feel I should turn his computer into a digital fortress.

Last edited by formol; 03-30-2009 at 03:54 AM. Reason: i remove some useless information
 
Old 03-30-2009, 12:35 AM   #4
reptiler
Member
 
Registered: Mar 2009
Location: Hong Kong
Distribution: Fedora
Posts: 184

Rep: Reputation: 42
OpenBSD may have the reputation of being pretty secure, but I wouldn't say that it's a system for everybody.

I think that as long as your friend gets away from Windows he already has improved a lot. After all, viruses are usually targeted at Windows, thus won't work if he uses Linux or a BSD.

Maybe you could use Fedora. In addition to the security any Linux-system gives you it also has SELinux integrated and enabled by default.

As for the flashing skull: I believe this must be something he has been sent through email, as it is unlikely that somebody would find out his IP and would inject something into his computer that way.

Also, simply adding a router will increase security a bit, as it's an additional step an outside intruder would have to go through.
But anyway, I think his problem is viruses, probably received through email.
This shows a clear lack of education on how to use a computer in a secure way, which includes not to open any file that is labelled "hot chicks dancing naked"...
 
Old 04-04-2009, 10:25 AM   #5
jschiwal
LQ Guru
 
Registered: Aug 2001
Location: Fargo, ND
Distribution: SuSE AMD64
Posts: 15,733

Rep: Reputation: 682
If your friend has a high speed connection, I would recommend getting a NAT router, even for a single computer. It will prevent new connections from being made to non-forwarded ports.

I'm not sure what you mean by security level. I did see a ranking that is used in government, but one would really have to study the details on what it means. For example, IIRC one grade seems to deal mainly with the ease of installation installing certain services using a GUI. IMHO, this is worthless because you shouldn't have those services running on the same machine & a server shouldn't be run graphically. Another level would be met if roles & classification levels were enforced.

One Linux distro that met this grade used hacked vmware running selinux clients. The purpose was to allow having only one computer on the desk instead of several. No communication is allowed between the different clients.

----

Nothing about security is easy. Ease of use and security tend to be inversely proportional.
You do need to secure some services such as ssh & mysql. The manual for mysql has a chapter on this.

Rather than scanning for viruses (an obsolete term anyway), you should run rkhunter & chkrootkit.

By not running as root, you have a big advantage over many Windows users. Another is the lack of ActiveX controls & other COM units which launch binary programs inside of HTML pages or documents.

The reliance on a distro's open source packages will protect you because the code is vetted. Many Windows users will locate freeware & shareware and install it, relying on blind faith. Many problems that Windows users solve this way can be solved in Linux with a few lines of bash code instead. (I've seen admins installing a server download and use a program to bulk rename files.)

---

Good Luck!
 
Old 04-04-2009, 11:35 PM   #6
formol
LQ Newbie
 
Registered: Oct 2006
Distribution: Ubuntu
Posts: 5

Original Poster
Rep: Reputation: 0
Thank you to all the people who replied. I will study those possible solutions (Google search!) before asking new questions.

But, for now, I read about SELinux and installed it on my laptop (Ubuntu 9.04). Did that give me superior security? Because as a "desktop user", I saw no change, but I have no way to verify.


"rkhunter & chkrootkit" wow, great, thank you Jschiwal
By the way Jschiwal, I appreciate your explanation, but the first part of your post is still unclear to me, even though I read it 4-5 times. Don't be surprised if I answer about it when I have understood it.
 
Old 04-05-2009, 02:11 AM   #7
reptiler
Member
 
Registered: Mar 2009
Location: Hong Kong
Distribution: Fedora
Posts: 184

Rep: Reputation: 42
As a regular user you shouldn't notice any difference when your system has SELinux. Ideally SELinux comes with a policy which is fine-tuned so that all tasks can be handled as usual, but stuff that's not supposed to happen is not allowed.

"not allowed" in the context means control beyond the capabilities that Linux itself offers you.
By labeling more or less everything in your system (files, users, ports, network-packets, processes, ...) you can get permissions beyond the regular octal permissions. Although ACLs already extend this quite a bit SELinux can still offer more.

For example it can prevent programs from opening sockets. If a program is not supposed to open a socket, but suddenly tries to, it's a policy-violation and thus will be prevented.
This measure is, as said, beyond what Linux itself can do for you, as Linux-permissions mostly are reflected by the regular file-permissions. Once a program is running it inherits all permissions of the user, and in case of root that is the full package.
With SELinux the program has a "domain" it runs in, and this domain has a certain set of allowed actions, the actions needed to fulfill the task of the program.

I hope this helps a bit to confuse you even more about the whole subject.

Edit: You do have a way to verify if SELinux is active.
Open a console-window and type sestatus
You should see something similar to this:
Quote:
Originally Posted by sestatus
SELinux status: enabled
SELinuxfs mount: /selinux
Current mode: enforcing
Mode from config file: enforcing
Policy version: 23
Policy from config file: targeted

Last edited by reptiler; 04-05-2009 at 02:13 AM.
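
Added example, not part of reptiler's post: a shell function that reads `sestatus` output and reports whether the policy is actually being enforced, since SELinux can be installed and "enabled" while only logging violations. The function name, verdict words and the permissive sample are assumptions made for this example; the first sample is the output quoted in the post.

```shell
#!/bin/sh
# Added example: classify SELinux state from `sestatus` output on stdin.
# Verdicts (names chosen for this example):
#   disabled               - SELinux is not active at all
#   not-enforcing          - loaded, but violations are only logged
#   enforcing-until-reboot - enforcing now, config file says otherwise
#   enforcing              - enforcing now and after reboot
selinux_verdict() {
    awk -F':[ \t]*' '
        { sub(/[ \t]+$/, "", $2) }            # drop trailing whitespace
        $1 == "SELinux status"        { status = $2 }
        $1 == "Current mode"          { cur = $2 }
        $1 == "Mode from config file" { cfg = $2 }
        END {
            if (status != "enabled")      print "disabled"
            else if (cur != "enforcing")  print "not-enforcing"
            else if (cfg != "enforcing")  print "enforcing-until-reboot"
            else                          print "enforcing"
        }'
}

# The sestatus output quoted in the post above.
sample_enforcing() {
    cat <<'EOF'
SELinux status: enabled
SELinuxfs mount: /selinux
Current mode: enforcing
Mode from config file: enforcing
Policy version: 23
Policy from config file: targeted
EOF
}

# Constructed sample: SELinux loaded, but in permissive mode.
sample_permissive() {
    cat <<'EOF'
SELinux status: enabled
SELinuxfs mount: /selinux
Current mode: permissive
Mode from config file: enforcing
Policy version: 23
Policy from config file: targeted
EOF
}

printf 'post sample:       %s\n' "$(sample_enforcing | selinux_verdict)"
printf 'permissive sample: %s\n' "$(sample_permissive | selinux_verdict)"
```

On a real system, run `sestatus | selinux_verdict`; anything other than `enforcing` means the policy described in the post is not (or will not stay) in force.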
 
  

