LinuxQuestions.org

LinuxQuestions.org (/questions/)
-   Linux - Newbie (https://www.linuxquestions.org/questions/linux-newbie-8/)
-   -   Needle in the haystack (https://www.linuxquestions.org/questions/linux-newbie-8/needle-in-the-haystack-4175591159/)

linux4evr5581 10-10-2016 06:39 PM

Needle in the haystack
 
Would it make sense to use a small Linux distro to increase security, not by just decreasing the attack vecktors of uneeded software, but also by minimalizing the amount logs in the system. As I read before on a website that when looking for suspicious logs it like like looking for a needle in a haystack, so instead it better to only check the "hot areas". But by only only checking hot areas could you not be missing something somewhere's else in less oversighted logs? And as I also read on this forum where someone sugguested that once an attacker gets passed your IDS, it's too late. So because of this I was wondering that if I used a small distro would it still be too late, as I can more easily (I presume) to search for malitious activity in the system..

Emerson 10-10-2016 06:46 PM

Never saw a system with too many logs. Security-wise there are logs you want to look at, and there is no "needle in haystack" situation.

linux4evr5581 10-10-2016 06:55 PM

If theres not a needle in the haystack situation then why have I heard/read from various sources on the inter-webs, that once an intruder infects your machine. Then from that point to be 100% sure, it's best to just not use that machine... I know you can clean out a machine with antivirus, but antivirus cant un-infect an already infected machine.

Emerson 10-10-2016 07:17 PM

You do not "clean out the machine", in case your box is compromised you disconnect it from internet and do a fresh install. Before you do that, you investigate how they got in - and yes, you look at multiple logs while investigating. Still no "needle in haystack" situation.

jefro 10-10-2016 07:25 PM

I recommend making a distro as lean as possible if you want security. Still today many of the attacks happen not so much on the kernel level but from programs and services running that are not secure.

As always learn and use as many best practices as you can. Small doesn't mean secure. Secure is a wide array of steps. Many boil down to reduce exposure. Reduce the ability of the unknown to access your system.

linux4evr5581 10-10-2016 07:37 PM

Quote:

Originally Posted by jefro (Post 5616294)
I recommend making a distro as lean as possible if you want security. Still today many of the attacks happen not so much on the kernel level but from programs and services running that are not secure.

As always learn and use as many best practices as you can. Small doesn't mean secure. Secure is a wide array of steps. Many boil down to reduce exposure. Reduce the ability of the unknown to access your system.

Thanks and im aware of this but I also think it's the implementation of default permissions and setups in many distros. Like iptables not on by default, sudo starting off too open, unessesary read/write access on some files. Im still learning the basics tho so I wont be using anything like LFS or Gentoo for awhile.

John VV 10-10-2016 08:24 PM

also keep in mind
Just WHO are you securing it from!!!
script kiddies ?
Hacker group ?
random drive by install ?
or
the NSA/CIA/....

linux4evr5581 10-10-2016 09:50 PM

Quote:

Originally Posted by Emerson (Post 5616291)
You do not "clean out the machine", in case your box is compromised you disconnect it from internet and do a fresh install. Before you do that, you investigate how they got in - and yes, you look at multiple logs while investigating. Still no "needle in haystack" situation.

Understood but what if they infect the MBR with a root kit? Anyways like you said you look at multiple logs, and no i'm no expert so I could be totally wrong (which is why im asking) but if you had fewer subsystems and what not using a minimal distrobution would you not have fewer logs since those programs/subsystems are not present. I understand what you said about no such things about not having too few logs. But wouldnt that be irrelivent in this case since those logs are just not needed due to the absence of the parts of the system that they would normaly log?

linux4evr5581 10-10-2016 10:01 PM

Quote:

Originally Posted by John VV (Post 5616312)
also keep in mind
Just WHO are you securing it from!!!
script kiddies ?
Hacker group ?
random drive by install ?
or
the NSA/CIA/....

Mainly crackers and script kiddies

c0wb0y 10-11-2016 03:01 AM

I think it's extremely hard to secure a system these days. There's just too many vectors (web drive-by, hardware firmwares, 0days,bugs, dirty packets). All we can do, I guess, is to employ best practices and hope for the best.

Habitual 10-11-2016 07:31 AM

Quote:

Originally Posted by linux4evr5581 (Post 5616280)
but also by minimalizing the amount logs in the system.

Whatever that means. fewe{r,st} installed packages = fewer 'attack vectors' = fewer logs? I suppose there's an argument in there somewhere.

Quote:

Originally Posted by linux4evr5581 (Post 5616280)
As I read before on a website that when looking for suspicious logs it like like looking for a needle in a haystack

so...Without quoting 'what' you 'read' on "a website", we can only guess.
And I hate guessing. Linux doesn't guess.

Link please. Many eyes makes all bugs shallow.

Reference:
http://web.mit.edu/tweilu/www/eff-ss...reatmodel.html

dave@burn-it.co.uk 10-11-2016 07:39 AM

Most nasties nowadays infect the Browser and that is going to happen whatever the OS behind it.
An unprotected Linux system is more dangerous than a protected Windows system and most people do not run any protection at all under Linux.

It doesn't matter who you are, you will be open to disease if you perform unprotected sex.

JeremyBoden 10-11-2016 07:57 AM

So how do you protect the average Linux desktop other than by not running a browser?

kilgoretrout 10-11-2016 08:18 AM

Quote:

So how do you protect the average Linux desktop other than by not running a browser?
Depends how paranoid you want to get. I know some people that install a separate VM on their system just for web surfing, i.e. they never use a browser except in an isolated VM.

dave@burn-it.co.uk 10-11-2016 08:40 AM

See https://www.av-comparatives.org/wp-c...ux_2015_en.pdf


All times are GMT -5. The time now is 02:40 AM.