LinuxQuestions.org
Bodhi This forum is for the discussion of Bodhi Linux.

Old 07-07-2020, 01:43 PM   #1
derezion
Member
 
Registered: Aug 2018
Distribution: Bodhi
Posts: 55

Rep: Reputation: Disabled
What should I do on a fresh install of an Ubuntu based OS, especially security wise?


It's a relatively fresh install. I installed Bodhi Linux 5.1 five days ago. So far I've enabled ufw (Uncomplicated Firewall), applied updates, created a standard user, and installed a rootkit scanner.

What is there left to do to secure my system? I'm considering installing ClamAV but that would be a whole other question.

Last edited by derezion; 07-08-2020 at 04:20 PM. Reason: typo
 
Old 07-07-2020, 01:55 PM   #2
Turbocapitalist
Senior Member
 
Registered: Apr 2005
Distribution: Linux Mint, Devuan, OpenBSD
Posts: 4,891
Blog Entries: 3

Rep: Reputation: 2439
I presume you are asking about a desktop and not a server or router? If so, I'd look very closely at using AppArmor and make sure all your main desktop programs have proper profiles, not the lame, virtually non-functional ones that come out of the box.

Packet filtering in that context is rather futile and the AV scanning is rather like closing the barn door after the horse has gotten out.
 
Old 07-07-2020, 02:09 PM   #3
shruggy
Senior Member
 
Registered: Mar 2020
Posts: 1,125

Rep: Reputation: Disabled
Also, see Security in Ubuntu Community Help Wiki.
 
Old 07-07-2020, 03:01 PM   #4
derezion
Member
 
Registered: Aug 2018
Distribution: Bodhi
Posts: 55

Original Poster
Rep: Reputation: Disabled
Yes, I'm talking about the desktop. I used to always see AppArmor messages when I ran mainline Ubuntu (and Lubuntu too, I think.)

That site looks helpful. I don't know if I've ever been to https://help.ubuntu.com/community/Security
 
1 members found this post helpful.
Old 07-07-2020, 04:27 PM   #5
onebuck
Moderator
 
Registered: Jan 2005
Location: Summer Midwest USA, Central Illinois, Winter Central Florida
Distribution: Slackware®
Posts: 13,576
Blog Entries: 34

Rep: Reputation: 2768
Moderator Response

Moved: This thread is more suitable in <Bodhi> and has been moved accordingly to help your thread/question get the exposure it deserves.

Last edited by onebuck; 07-07-2020 at 04:30 PM. Reason: typo
 
1 members found this post helpful.
Old 07-07-2020, 05:09 PM   #6
Kiezel
Member
 
Registered: Jan 2020
Posts: 106

Rep: Reputation: 86
You might find this article interesting, that I've written about security in Linux Mint and other Ubuntu derivatives:
https://easylinuxtipsproject.blogspo.../security.html
 
2 members found this post helpful.
Old 07-07-2020, 06:14 PM   #7
questionsBot
Member
 
Registered: Jun 2020
Posts: 94

Rep: Reputation: Disabled
ExpressVPN has a great Linux app. I use that on my system. I think VPNs are a vital thing anyone with the net should use nowadays. Just make sure there is a zero log VPN like Nord or something. ExpressVPN has some logs to troubleshoot the network but claims they have no IPs or user accounts linked to them. Nord I think is log free.

I also use an app called Cryptomator. It is a Vault/Crypt app that allows you to on the fly encrypt the contents of directories, by mounting the dir as a drive. You work on the drive as normal with your files, and it encrypts it into a vault dir on your hdrive. It seems to work very well; I have been using it for a long time on Windows. It is also very cool as it encrypts per file. This means that it works very well with cloud storage. So if your vault is on your sync dir it will mirror to the cloud but be all encrypted so the files are never pushed when not encrypted.

I used to hate the idea of cloud, but like a lot of people... it is just so darn convenient!!! kek

Last edited by questionsBot; 07-07-2020 at 06:17 PM.
 
Old 07-07-2020, 06:19 PM   #8
questionsBot
Member
 
Registered: Jun 2020
Posts: 94

Rep: Reputation: Disabled
Quote:
Originally Posted by Kiezel View Post
You might find this article interesting, that I've written about security in Linux Mint and other Ubuntu derivatives:
https://easylinuxtipsproject.blogspo.../security.html
this entire article is dope AF... thanks man.
 
1 members found this post helpful.
Old 07-07-2020, 08:18 PM   #9
cordx
Member
 
Registered: Oct 2018
Location: texas
Distribution: bodhi 5.1.0
Posts: 696

Rep: Reputation: 158
following the links in one article leads to Kiezel-articles-inception that can give a body reading for days. lots of stored and shared (and greatly appreciated) linux wisdom to be found there.
 
Old 07-07-2020, 10:40 PM   #10
Turbocapitalist
Senior Member
 
Registered: Apr 2005
Distribution: Linux Mint, Devuan, OpenBSD
Posts: 4,891
Blog Entries: 3

Rep: Reputation: 2439
Quote:
Originally Posted by derezion View Post
Yes, I'm talking about the desktop. I used to always see AppArmor messages when I ran mainline Ubuntu (and Lubuntu too, I think.)
I would look here for AppArmor information and use a combination of the two methods:

https://gitlab.com/apparmor/apparmor...ing_with_tools
https://gitlab.com/apparmor/apparmor...filing_by_hand

It would take a lot of trial and error, but you can quickly figure out the flow and which narrow set of directories each desktop application should be allowed access to. Some applications may have a profile already, but they are usually ridiculously loose.
 
1 members found this post helpful.
Old 07-12-2020, 01:47 PM   #11
derezion
Member
 
Registered: Aug 2018
Distribution: Bodhi
Posts: 55

Original Poster
Rep: Reputation: Disabled
Is gitlab the official site for AppArmor documentation? Sorry, I'm just a little paranoid sometimes. I also don't know the official homepage for AppArmor either. It's AppArmor .net not apparmor .com right?
 
Old 07-12-2020, 06:07 PM   #12
IvoryMale
Member
 
Registered: Apr 2020
Location: Delaware The First State
Distribution: Bodhi Linux
Posts: 56

Rep: Reputation: Disabled
Since I started using Linux all I need is a firewall now...

Last edited by IvoryMale; 07-17-2020 at 07:37 PM.
 
Old 07-30-2020, 01:51 PM   #13
derezion
Member
 
Registered: Aug 2018
Distribution: Bodhi
Posts: 55

Original Poster
Rep: Reputation: Disabled
Hi Turbocapitalist and everyone else. I'm still looking into ClamAV and one plan I have is to just install AppArmor and deal with the apps that AppArmor sends me messages about. I had no idea what I was supposed to do about those messages when I used to run Lubuntu 12.04 and Ubuntu 12.04. I thought I was dealing with bugs in those versions of Ubuntu.
 
Old 07-30-2020, 05:12 PM   #14
cordx
Member
 
Registered: Oct 2018
Location: texas
Distribution: bodhi 5.1.0
Posts: 696

Rep: Reputation: 158
apparmor appears to be installed on my two systems running bodhi 5.1:
Quote:
Jul 30 17:02:02 hostname audit[23860]: AVC apparmor="ALLOWED" operation="file_perm" profile="libreoffice-oopslash" name="/tmp/OSL_PIPE_1000_SingleOfficeIPC_1a9b8cb836ad82b5db8c4f216fde1c5" pid=23860 comm="oosplash" requested_mask="w" denied_mask="w" fsuid=1000 ouid=1000
i have entries like that in both syslog and kern.log after opening libreoffice docs.

Last edited by cordx; 07-30-2020 at 05:13 PM.
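
An added example, not written by any poster in this thread: a small Python parser for AppArmor audit lines like the one quoted in post #14. It groups, per profile and verdict, the paths and access masks each application requested, which is the information needed for the profile tightening discussed in post #10. The first sample line is the one from the thread; the other two lines, the profile name /usr/bin/example-viewer and all function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Matches key="quoted value" or key=bare pairs as they appear in audit records.
PAIR = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_avc(line):
    """Return the key/value fields of one AppArmor audit line, or None."""
    if "apparmor=" not in line:
        return None  # not an AppArmor record (e.g. a ufw log line)
    return {key: (quoted or bare) for key, quoted, bare in PAIR.findall(line)}

def summarize(lines):
    """Map (profile, verdict) -> {path: set of requested access masks}."""
    out = defaultdict(lambda: defaultdict(set))
    for line in lines:
        rec = parse_avc(line)
        if not rec or "name" not in rec:
            continue  # skip non-file events such as capability checks
        key = (rec.get("profile", "?"), rec.get("apparmor", "?"))
        out[key][rec["name"]].add(rec.get("requested_mask", "?"))
    return out

# Line 1 is from the thread; lines 2 and 3 are constructed sample input.
SAMPLE_LOG = [
    'Jul 30 17:02:02 hostname audit[23860]: AVC apparmor="ALLOWED" '
    'operation="file_perm" profile="libreoffice-oopslash" '
    'name="/tmp/OSL_PIPE_1000_SingleOfficeIPC_1a9b8cb836ad82b5db8c4f216fde1c5" '
    'pid=23860 comm="oosplash" requested_mask="w" denied_mask="w" '
    'fsuid=1000 ouid=1000',
    'Jul 30 17:05:10 hostname audit[24011]: AVC apparmor="DENIED" '
    'operation="open" profile="/usr/bin/example-viewer" '
    'name="/home/user/.ssh/id_rsa" pid=24011 comm="example-viewer" '
    'requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000',
    'Jul 30 17:05:11 hostname kernel: [UFW BLOCK] IN=eth0 OUT= PROTO=TCP',
]

if __name__ == "__main__":
    for (profile, verdict), paths in sorted(summarize(SAMPLE_LOG).items()):
        # ALLOWED = profile in complain mode (logged only);
        # DENIED = profile in enforce mode (access blocked).
        print(f"{profile} [{verdict}]")
        for path, masks in sorted(paths.items()):
            print(f"  {''.join(sorted(masks)):3} {path}")
```

An "ALLOWED" verdict, as in the line from post #14, means the profile is in complain mode: the access fell outside the profile but was only logged, not blocked.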
 
Old 07-30-2020, 06:00 PM   #15
IvoryMale
Member
 
Registered: Apr 2020
Location: Delaware The First State
Distribution: Bodhi Linux
Posts: 56

Rep: Reputation: Disabled
Firejail is a Linux security SUID program that drastically reduces the risk of security breaches by sandboxing the running environment of untrusted applications.

sudo apt-get install firejail -y
 
  


All times are GMT -5. The time now is 09:02 AM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Open Source Consulting | Domain Registration