LinuxQuestions.org
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Newbie
Old 10-10-2016, 06:39 PM   #1
linux4evr5581
Needle in the haystack


Would it make sense to use a small Linux distro to increase security, not just by decreasing the attack vectors of unneeded software, but also by minimizing the amount of logs in the system? As I read before on a website, when looking for suspicious logs it's like looking for a needle in a haystack, so instead it's better to only check the "hot areas". But by only checking hot areas, could you not be missing something somewhere else in less overseen logs? And as I also read on this forum, someone suggested that once an attacker gets past your IDS, it's too late. So because of this I was wondering: if I used a small distro, would it still be too late, as I can more easily (I presume) search for malicious activity in the system?

Old 10-10-2016, 06:46 PM   #2
Emerson
Never saw a system with too many logs. Security-wise there are logs you want to look at, and there is no "needle in haystack" situation.
 
Old 10-10-2016, 06:55 PM   #3
linux4evr5581
If there's not a needle in the haystack situation, then why have I heard/read from various sources on the inter-webs that once an intruder infects your machine, then from that point, to be 100% sure, it's best to just not use that machine? I know you can clean out a machine with antivirus, but antivirus can't un-infect an already infected machine.

Old 10-10-2016, 07:17 PM   #4
Emerson
You do not "clean out the machine"; in case your box is compromised you disconnect it from the internet and do a fresh install. Before you do that, you investigate how they got in - and yes, you look at multiple logs while investigating. Still no "needle in haystack" situation.
 
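As an added illustration of the log review Emerson describes (example code written for this page, not from the thread or any poster), here is a POSIX shell snippet that triages a few constructed sshd/sudo auth-log lines for the entries worth checking first: repeated failed logins, a successful login from an address that had just been failing, and commands run through sudo. The log lines, host name and addresses are constructed samples.

```shell
#!/bin/sh
# Added example: triage constructed auth-log lines for the "hot areas"
# (failed logins, a success after failures, sudo use). Sample data only.
AUTH_SAMPLE='Oct 10 18:39:01 host sshd[1201]: Failed password for invalid user admin from 192.0.2.10 port 51234 ssh2
Oct 10 18:39:03 host sshd[1201]: Failed password for invalid user admin from 192.0.2.10 port 51236 ssh2
Oct 10 18:39:05 host sshd[1205]: Failed password for root from 192.0.2.10 port 51240 ssh2
Oct 10 18:40:12 host sshd[1210]: Accepted password for root from 192.0.2.10 port 51250 ssh2
Oct 10 18:41:00 host sudo:     root : TTY=pts/0 ; PWD=/root ; USER=root ; COMMAND=/usr/bin/apt-get install foo
Oct 10 19:02:11 host sshd[1300]: Accepted publickey for alice from 198.51.100.5 port 40000 ssh2'

# count_failed ADDR -> number of failed password attempts from ADDR
count_failed() {
  printf '%s\n' "$AUTH_SAMPLE" | grep -c "Failed password for .* from $1 " || true
}

# accepted_after_failures -> addresses that failed first and then got an
# "Accepted" line (brute force followed by success: the needle worth finding)
accepted_after_failures() {
  printf '%s\n' "$AUTH_SAMPLE" |
    awk '/Failed password/ { for (i = 1; i <= NF; i++) if ($i == "from") failed[$(i+1)]++ }
         /Accepted/        { for (i = 1; i <= NF; i++)
                               if ($i == "from" && failed[$(i+1)]) { print $(i+1); delete failed[$(i+1)] } }'
}

# sudo_commands -> every command executed through sudo, one per line
sudo_commands() {
  printf '%s\n' "$AUTH_SAMPLE" | sed -n 's/.*COMMAND=//p'
}

# Stand-alone run: print the triage summary for the sample above
echo "failed logins from 192.0.2.10: $(count_failed 192.0.2.10)"
echo "accepted after failures: $(accepted_after_failures)"
echo "sudo commands:"
sudo_commands
```

Pointing AUTH_SAMPLE at the real auth log (for example /var/log/auth.log or /var/log/secure, depending on the distribution) gives the same three views over live data.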
Old 10-10-2016, 07:25 PM   #5
jefro
I recommend making a distro as lean as possible if you want security. Still today many of the attacks happen not so much on the kernel level but from programs and services running that are not secure.

As always learn and use as many best practices as you can. Small doesn't mean secure. Secure is a wide array of steps. Many boil down to reduce exposure. Reduce the ability of the unknown to access your system.

Old 10-10-2016, 07:37 PM   #6
linux4evr5581
Quote:
Originally Posted by jefro:
I recommend making a distro as lean as possible if you want security. Still today many of the attacks happen not so much on the kernel level but from programs and services running that are not secure.

As always learn and use as many best practices as you can. Small doesn't mean secure. Secure is a wide array of steps. Many boil down to reduce exposure. Reduce the ability of the unknown to access your system.
Thanks, and I'm aware of this, but I also think it's the implementation of default permissions and setups in many distros. Like iptables not on by default, sudo starting off too open, unnecessary read/write access on some files. I'm still learning the basics though, so I won't be using anything like LFS or Gentoo for a while.

Old 10-10-2016, 08:24 PM   #7
John VV
also keep in mind
Just WHO are you securing it from!!!
script kiddies ?
Hacker group ?
random drive by install ?
or
the NSA/CIA/....
 
Old 10-10-2016, 09:50 PM   #8
linux4evr5581
Quote:
Originally Posted by Emerson:
You do not "clean out the machine", in case your box is compromised you disconnect it from internet and do a fresh install. Before you do that, you investigate how they got in - and yes, you look at multiple logs while investigating. Still no "needle in haystack" situation.
Understood, but what if they infect the MBR with a rootkit? Anyway, like you said, you look at multiple logs, and no, I'm no expert, so I could be totally wrong (which is why I'm asking), but if you had fewer subsystems and whatnot using a minimal distribution, would you not have fewer logs, since those programs/subsystems are not present? I understand what you said about there being no such thing as too few logs. But wouldn't that be irrelevant in this case, since those logs are just not needed due to the absence of the parts of the system that they would normally log?

Old 10-10-2016, 10:01 PM   #9
linux4evr5581
Quote:
Originally Posted by John VV:
also keep in mind
Just WHO are you securing it from!!!
script kiddies ?
Hacker group ?
random drive by install ?
or
the NSA/CIA/....
Mainly crackers and script kiddies
 
Old 10-11-2016, 03:01 AM   #10
c0wb0y
I think it's extremely hard to secure a system these days. There are just too many vectors (web drive-by, hardware firmwares, 0days, bugs, dirty packets). All we can do, I guess, is to employ best practices and hope for the best.
 
Old 10-11-2016, 07:31 AM   #11
Habitual
Quote:
Originally Posted by linux4evr5581:
but also by minimalizing the amount logs in the system.
Whatever that means. fewe{r,st} installed packages = fewer 'attack vectors' = fewer logs? I suppose there's an argument in there somewhere.

Quote:
Originally Posted by linux4evr5581:
As I read before on a website that when looking for suspicious logs it like like looking for a needle in a haystack
So... without quoting 'what' you 'read' on "a website", we can only guess.
And I hate guessing. Linux doesn't guess.

Link please. Many eyes make all bugs shallow.

Reference:
http://web.mit.edu/tweilu/www/eff-ss...reatmodel.html

Old 10-11-2016, 07:39 AM   #12
dave@burn-it.co.uk
Most nasties nowadays infect the Browser and that is going to happen whatever the OS behind it.
An unprotected Linux system is more dangerous than a protected Windows system and most people do not run any protection at all under Linux.

It doesn't matter who you are, you will be open to disease if you perform unprotected sex.
 
Old 10-11-2016, 07:57 AM   #13
JeremyBoden
So how do you protect the average Linux desktop other than by not running a browser?
 
Old 10-11-2016, 08:18 AM   #14
kilgoretrout
Quote:
So how do you protect the average Linux desktop other than by not running a browser?
Depends how paranoid you want to get. I know some people that install a separate VM on their system just for web surfing, i.e. they never use a browser except in an isolated VM.
 
Old 10-11-2016, 08:40 AM   #15
dave@burn-it.co.uk
See https://www.av-comparatives.org/wp-c...ux_2015_en.pdf
 
  

