Old 05-31-2016, 12:28 AM   #1
Slakerlife
Member
 
Registered: May 2016
Location: somewhere in the world!
Distribution: slackware
Posts: 66

Rep: Reputation: Disabled
Securing a laptop pc


Hello

I've been looking at the following guide on some basic Slackware securing
http://docs.slackware.com/howtos:security:start
http://docs.slackware.com/howtos:sec...basic_security
Doing the once a week slack pack upgrade

But I was wondering what else can be done to secure a laptop that will only be used for word processing, spreadsheets, bills, Netflix, internet surfing, Kodi. The laptop will not be used to download or upload torrents, nor will it require remote ssh login or anything remote related. As well the laptop will be used at public wifi spots. I know there is a 3-4 page forum post on security but it seems to cover server and some other items, I could be wrong, it's just for a newbie it's hard to differentiate what is applicable and what is not.

Last edited by Slakerlife; 05-31-2016 at 12:32 AM.
 
Old 05-31-2016, 02:38 AM   #2
ReaperX7
LQ Guru
 
Registered: Jul 2011
Location: California
Distribution: Slackware64-15.0 Multilib
Posts: 6,558
Blog Entries: 15

Rep: Reputation: 2097
Firewall script, rkhunter run daily by cronjob, and clamav with clamtk set with safebrowsing definitions.

The antivirus may seem counterproductive, but far from it. The safebrowsing definitions can actually help target drive-by payloaders that could run regardless of operating system. Plus, these can target malware that might latch onto execution processes and eliminate it. Rkhunter will seek out rootkits and if any might pop up, they'll be removed. The firewall script is just common sense.

You may want to grab Firefox's AdBlockPlus add-on. The NoScript plugin might be useful as well, but take care as it requires a huge extra amount of legwork to customize effectively. I personally just use AdBlockPlus only.

If you want multimedia in browser, build and install FreshPlayerPlugin as well as all required and maybe optional dependencies to use Flash media. Chrome or Chromium + Pepper will be required.

Make sure you program both your wlan0 and eth0 ports into the firewall scripts also.

Also, consider using effective permissions as well for your user account. When out and on the go in public, locking down superuser through sudo might be recommended.

If needed, also secure your BIOS with a password, and if possible, lockout optical drives using this feature as well. Having a VNC client installed and useable from a remote workstation might be useful in case something goes missing.
 
2 members found this post helpful.
Old 05-31-2016, 03:12 AM   #3
fotoguy
Senior Member
 
Registered: Mar 2003
Location: Brisbane Queensland Australia
Distribution: Custom Debian Live ISO's
Posts: 1,291

Rep: Reputation: 62
For Web browsing I like to use Privoxy, easy to install and good for getting rid of most annoying ads, also like an IDS like snort, for increased security.
 
Old 05-31-2016, 04:16 AM   #4
ReaperX7
LQ Guru
 
Registered: Jul 2011
Location: California
Distribution: Slackware64-15.0 Multilib
Posts: 6,558
Blog Entries: 15

Rep: Reputation: 2097
Just a suggestion, non-software related, but get an anti-peeping screen shield to keep your work private. These devices, their real name eludes me at the moment, attach to your laptop screen, like an anti-fingerprint and scratch guard on a phone, and prevent anyone from seeing your screen unless looking directly at it.

Another suggestion, don't rely on Wi-Fi hotspots. If needed, get a portable hotspot from your cellular service that can be secured with WPA2-AES encryption for your internet needs, or even use your phone if needed, but check your data plan and adjust it if needed to compensate for more data usage. Open Wi-Fi hotspots are sometimes safe, but not always, so when in doubt, roll your own. Unless the Wi-Fi hotspot uses encryption (no less than WPA2-AES) and you have to get a passkey from the shop clerk, just avoid it.

Last edited by ReaperX7; 05-31-2016 at 04:17 AM.
 
Old 05-31-2016, 07:31 AM   #5
OldHolborn
Member
 
Registered: Jul 2012
Posts: 229

Rep: Reputation: 190
A laptop is far more vulnerable to being lost or stolen than a desktop pc or server so disk encryption is a must.

Not just for confidential documents but also passwords, wireless and ssh keys.

Encrypt the whole lot, it hurts performance a lot less than you'd expect, even in my case an Atom N450 netbook which is hardly a stormer to start with.

Make backups, not the manual kind that you forget about but automated for while you are at home or work, think rsync and cron.

Do both and now, if the worst happens, you still have your data and your data is yours only. The only thing you have to deal with now is the loss of the hardware.
 
3 members found this post helpful.
Old 05-31-2016, 01:13 PM   #6
Slakerlife
Member
 
Registered: May 2016
Location: somewhere in the world!
Distribution: slackware
Posts: 66

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by ReaperX7
Open Wi-Fi hotspots are sometimes safe, but not always, so when in doubt, roll your own. Unless the Wi-Fi hotspot uses encryption (no less than WPA2-AES) and you have to get a passkey from the shop clerk, just avoid it.
Thanks reaper for all the advice, I'll try to find the screen.

So you wouldn't even use a WiFi hotspot even with a vpn?
 
Old 05-31-2016, 04:18 PM   #7
Richard Cranium
Senior Member
 
Registered: Apr 2009
Location: McKinney, Texas
Distribution: Slackware64 15.0
Posts: 3,858

Rep: Reputation: 2225
Quote:
Originally Posted by Slakerlife
Thanks reaper for all the advice, I'll try to find the screen.

So you wouldn't even use a WiFi hotspot even with a vpn?
Only if you don't ever store anything on your laptop.

The vpn would prevent anyone from sniffing that traffic. The unsecured wireless connection provides someone potential access to your computer, which could allow them to access what came out of the tunnel after it has been received and decrypted. (That access should be relatively difficult to pull off but that depends what you have running and listening on ports.)
 
Old 05-31-2016, 08:34 PM   #8
jefro
Moderator
 
Registered: Mar 2008
Posts: 21,997

Rep: Reputation: 3628
Guess you could use a hotspot type distro on a cd when on the town. LPS linux or other might be worth looking at.

Some laptops do have a way to secure the system pretty well by OEM design too.

Kind of hard to encrypt after you built it but can be done. Easier to install with encrypted home or full encryption.

If you had a fast computer you could run a firewall distro on a vm and run all access across it even.

I can't say that a VPN type service is more secure or not. Never sure who is at the end of it. Opera was bought out I was told and the next day they offered a free vpn add on to their browser.
 
Old 05-31-2016, 10:54 PM   #9
ReaperX7
LQ Guru
 
Registered: Jul 2011
Location: California
Distribution: Slackware64-15.0 Multilib
Posts: 6,558
Blog Entries: 15

Rep: Reputation: 2097
I would read up on using LUKS in readme_crypt.txt on the disk. You will need to do a separate /boot partition, but if you do separate boot with encrypted /(root), make sure /boot is not automounted in fstab, and you keep an effective permission on the mount binary to allow only root access when you perform updates.
 
Old 06-01-2016, 12:56 PM   #10
Slakerlife
Member
 
Registered: May 2016
Location: somewhere in the world!
Distribution: slackware
Posts: 66

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by ReaperX7
I would read up on using LUKS in readme_crypt.txt on the disk. You will need to do a separate /boot partition, but if you do separate boot with encrypted /(root), make sure /boot is not automounted in fstab, and you keep an effective permission on the mount binary to allow only root access when you perform updates.
I will for sure look at the disk encryption, hopefully the readme crypt file has some good instructions, I will for sure get this laptop working this week.

I was also wondering, for the firewall script suggestion you gave, you are referring to the one from Alien Bob's website, right? Or was there another one?
 
Old 06-01-2016, 05:53 PM   #11
ReaperX7
LQ Guru
 
Registered: Jul 2011
Location: California
Distribution: Slackware64-15.0 Multilib
Posts: 6,558
Blog Entries: 15

Rep: Reputation: 2097
Yup, AlienBob's Firewall Generator. Make sure though you edit the connection to include both wlan0 and eth0. I think the correct syntax is eth0,wlan0.
 
Old 06-04-2016, 01:53 PM   #12
bamunds
Member
 
Registered: Sep 2013
Location: Mounds View MN
Distribution: Slackware64-14.2-Multilib XDM/FVWM3
Posts: 780

Rep: Reputation: 260
1) Encryption - If your installation is new(er) and you have no personal information on the harddrive I'd consider a re-install with LUKS, also suggested earlier. You can use a USB Key for LUKS key for the passphrase, but please don't leave it in the computer, remove it from the USB and keep it on your key ring after you start the laptop. COMMON SENSE will never replace all the security systems in the world. Heck, even if you have some personal data, back it up and re-install with LUKS for all your systems.
2) User NOT ROOT logins. Please don't use your laptop as Root, create a very limited user account that only is a member of the security groups that you need when in the public spaces, and another for when at home, and another for when you want sudo access to make system wide updates or changes. Don't use ROOT login in any public wifi or open wifi setting. If you must use system wide changes, then do them with sudo. You'll need to setup a sudoer's configuration but there are plenty of examples in the Slackdoc wiki of how to do it.
3) Antivirus - In addition to RKHunter weekly consider ESET 4 Linux. I used ClamAV for a long time, but it failed me with a Ransom-Ware attack on a Windows machine, so I went looking for something better and found ESET 4 Linux outperformed detections of malware/virus according to ShadowServer.org. Purchased a two-year ESET license and "feel" much safer, it starts at bootup and is always on! ESET always comes out as the top zero-day detector for Linux, ClamAV not so good (and adding SaneSecurity patches to ClamAV are complicated while not sure they improve ClamAV detections as high as ESET). Additionally, ESET rates higher over longer testing periods for both Linux and Windows virus/malware detection, you need both if you plan to run any Windows applications under WINE. ESET is easy to install/setup, integrates with KDE's menuing and is always monitoring without any slowing of my Intel Pentium D. It also uses 1/4 the memory of ClamAV, only 104M. ESET is running in the background and updating three times a day and it refreshes the database after every sleep to be sure it is current.
4) Firewall - As already suggested make sure to setup a firewall. If AlienBob's tool is confusing (doubtful), you can use Slackbuilds to install the Firewall Builder package and do object oriented firewalling.
5) Shutdown any services you aren't using following the Slackdoc wiki suggestions. Actually with Linux many of the suggestions you read about that seem oriented toward a server are just as applicable to a desktop, because Slackware can be either server or desktop and both are present in every installation.
 
Old 06-04-2016, 07:03 PM   #13
ReaperX7
LQ Guru
 
Registered: Jul 2011
Location: California
Distribution: Slackware64-15.0 Multilib
Posts: 6,558
Blog Entries: 15

Rep: Reputation: 2097
One service you might want to disable by default during the final parts of the installation is Secure Shell Daemon (sshd). Unless you are logging into your machine remotely, leave it disabled.

Granted things like printing (cups), audio (alsa and pulse), and such ease of use daemons (services) should be enabled, unless you know you'll need it, don't enable it.

Another reputable and free antivirus/antimalware is Sophos:

https://www.sophos.com/en-us/product...for-linux.aspx

There is also:

Comodo: https://www.comodo.com/home/download...irus-for-linux

Just to bust a myth, many people will say you don't need AV for Linux, and in general you might not, but many malware programs are starting to target a wide variety of systems and operate in new ways that aren't specific just to Windows OS. Many operate as "drive by downloads" using Java, Flash media, ads, pop-ups, and even in-browser extensions. Not all of them are .exe, .com, and such Windows only extensions for runtimes and executables.

Mac-OSX is probably one of the best known use-cases where malware targeted low-level functions of the system and was very devastating. Mac-OSX at the time, claimed to be virus/malware-proof.

Many viruses and malware can also look for the existence of the package WiNE which is a Windows Compatibility Execution Layer for UNIX and UNIX-like operating systems. Or unknowingly, you might open an email, and forward a virus along, or worse, a worm.

Last edited by ReaperX7; 06-04-2016 at 07:21 PM.
 
Old 08-08-2016, 11:57 AM   #14
Slakerlife
Member
 
Registered: May 2016
Location: somewhere in the world!
Distribution: slackware
Posts: 66

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by ReaperX7
Yup, AlienBob's Firewall Generator. Make sure though you edit the connection to include both wlan0 and eth0. I think the correct syntax is eth0,wlan0.
So I did install the firewall but I have a question, how can I find out if the firewall is working? As well after I chroot the file do I need to start it manually?
 
Old 08-09-2016, 11:35 AM   #15
RadicalDreamer
Senior Member
 
Registered: Jul 2016
Location: USA
Distribution: Slackware64-Current
Posts: 1,816

Rep: Reputation: 982
Did you put the rc.firewall script into /etc/rc.d? Did you chmod +x rc.firewall as root?

Type ls -l
-rwxr-xr-x 1 root root 2403 Feb 2 2016 rc.firewall

Anything in rc.d that starts with -rwx at the beginning is going to start when you boot up your laptop. If you chmod -x rc.firewall that would prevent the firewall from booting up with the laptop if it was set to execute (x).

As root type: nmap -sT -O 192.168.1.2
It checks 1000 ports and tells you if you have any open.
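
The executable-bit checks discussed in posts #13 and #15, as an added example that is not part of any post in this thread: it reports whether rc.firewall and rc.sshd would start at boot and reads the INPUT default policy from `iptables -S` output. The function names are hypothetical, the demo directory is constructed sample data, and it assumes the generated firewall script is iptables-based.

```shell
#!/bin/sh
# Added example (not from the thread): audit a Slackware-style rc.d directory.
# Assumption: Slackware's boot scripts run rc.firewall and rc.sshd only when
# their executable bit is set.

# Print the names of executable rc.* scripts in directory $1.
enabled_rc_scripts() {
    for f in "$1"/rc.*; do
        if [ -f "$f" ] && [ -x "$f" ]; then basename "$f"; fi
    done
}

# Succeed if script $2 (e.g. rc.sshd) is enabled in directory $1.
is_enabled() {
    enabled_rc_scripts "$1" | grep -qxF "$2"
}

# Read `iptables -S` output on stdin and print the INPUT chain's default policy.
# Assumption: a default-deny firewall script leaves this policy at DROP.
input_policy() {
    awk '$1 == "-P" && $2 == "INPUT" { print $3 }'
}

# Report the two points raised in the thread; exit status = number of warnings.
audit_rc_dir() {
    warnings=0
    if ! is_enabled "$1" rc.firewall; then
        echo "WARN: rc.firewall is missing or not executable; it will not start at boot"
        warnings=$((warnings + 1))
    fi
    if is_enabled "$1" rc.sshd; then
        echo "WARN: rc.sshd is executable; sshd will start at boot"
        warnings=$((warnings + 1))
    fi
    echo "enabled at boot: $(enabled_rc_scripts "$1" | tr '\n' ' ')"
    return "$warnings"
}

# Demo on a constructed directory (sample data, not a real system).
demo=$(mktemp -d)
touch "$demo/rc.firewall" "$demo/rc.sshd" "$demo/rc.cups"
chmod 644 "$demo/rc.firewall"; chmod 755 "$demo/rc.sshd" "$demo/rc.cups"
audit_rc_dir "$demo" || echo "warnings: $?"
printf '%s\n' '-P INPUT DROP' '-P FORWARD DROP' '-P OUTPUT ACCEPT' | input_policy
rm -rf "$demo"
```

On a real system, call `audit_rc_dir /etc/rc.d` and pipe `iptables -S` (run as root) into `input_policy`.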
 
  

