Linux - NewbieThis Linux forum is for members that are new to Linux.
Just starting out and have a question?
If it is not in the man pages or the how-to's this is the place!
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
Would it make sense to use a small Linux distro to increase security, not by just decreasing the attack vecktors of uneeded software, but also by minimalizing the amount logs in the system. As I read before on a website that when looking for suspicious logs it like like looking for a needle in a haystack, so instead it better to only check the "hot areas". But by only only checking hot areas could you not be missing something somewhere's else in less oversighted logs? And as I also read on this forum where someone sugguested that once an attacker gets passed your IDS, it's too late. So because of this I was wondering that if I used a small distro would it still be too late, as I can more easily (I presume) to search for malitious activity in the system..
Last edited by linux4evr5581; 10-10-2016 at 07:10 PM.
If theres not a needle in the haystack situation then why have I heard/read from various sources on the inter-webs, that once an intruder infects your machine. Then from that point to be 100% sure, it's best to just not use that machine... I know you can clean out a machine with antivirus, but antivirus cant un-infect an already infected machine.
Last edited by linux4evr5581; 10-10-2016 at 06:58 PM.
You do not "clean out the machine", in case your box is compromised you disconnect it from internet and do a fresh install. Before you do that, you investigate how they got in - and yes, you look at multiple logs while investigating. Still no "needle in haystack" situation.
I recommend making a distro as lean as possible if you want security. Still today many of the attacks happen not so much on the kernel level but from programs and services running that are not secure.
As always learn and use as many best practices as you can. Small doesn't mean secure. Secure is a wide array of steps. Many boil down to reduce exposure. Reduce the ability of the unknown to access your system.
I recommend making a distro as lean as possible if you want security. Still today many of the attacks happen not so much on the kernel level but from programs and services running that are not secure.
As always learn and use as many best practices as you can. Small doesn't mean secure. Secure is a wide array of steps. Many boil down to reduce exposure. Reduce the ability of the unknown to access your system.
Thanks and im aware of this but I also think it's the implementation of default permissions and setups in many distros. Like iptables not on by default, sudo starting off too open, unessesary read/write access on some files. Im still learning the basics tho so I wont be using anything like LFS or Gentoo for awhile.
Last edited by linux4evr5581; 10-10-2016 at 07:44 PM.
You do not "clean out the machine", in case your box is compromised you disconnect it from internet and do a fresh install. Before you do that, you investigate how they got in - and yes, you look at multiple logs while investigating. Still no "needle in haystack" situation.
Understood but what if they infect the MBR with a root kit? Anyways like you said you look at multiple logs, and no i'm no expert so I could be totally wrong (which is why im asking) but if you had fewer subsystems and what not using a minimal distrobution would you not have fewer logs since those programs/subsystems are not present. I understand what you said about no such things about not having too few logs. But wouldnt that be irrelivent in this case since those logs are just not needed due to the absence of the parts of the system that they would normaly log?
Last edited by linux4evr5581; 10-10-2016 at 09:59 PM.
I think it's extremely hard to secure a system these days. There's just too many vectors (web drive-by, hardware firmwares, 0days,bugs, dirty packets). All we can do, I guess, is to employ best practices and hope for the best.
Most nasties nowadays infect the Browser and that is going to happen whatever the OS behind it.
An unprotected Linux system is more dangerous than a protected Windows system and most people do not run any protection at all under Linux.
It doesn't matter who you are, you will be open to disease if you perform unprotected sex.
So how do you protect the average Linux desktop other than by not running a browser?
Depends how paranoid you want to get. I know some people that install a separate VM on their system just for web surfing, i.e. they never use a browser except in an isolated VM.
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.
