LinuxQuestions.org

jcromano 03-21-2017 10:04 PM

setting up a single-use machine
 
Hello,

I'm a Linux newbie, so please take it easy on me with your answers.

I'm considering putting Linux on an old laptop and setting it up so that the laptop does little or nothing else other than browse secure (https) web pages. Security is a high priority, and I'd rather turn off (preferably uninstall completely) any programs, services or features that aren't strictly necessary for that purpose.

Here are some features that I will need:

networking--I'll connect to a router via an ethernet cable; I'd prefer to neither see nor be seen by other devices connected to that router

logins for multiple users

package installer/manager--to hopefully keep things simple for me

whatever it takes to make the browser communications secure

possibly antivirus and/or a firewall

And here are features that I won't need:

wifi--I'll connect to a router via ethernet cable; I'd like wifi completely disabled

LibreOffice or other office software--perhaps the administrator's account (my account) might need an editor to edit configuration files, but the regular users won't need to do any editing of documents or spreadsheets or presentations

anything to do with entertainment (movies or other videos, music, games, social networking...)

This morning, I put Ubuntu Desktop 16.04.02 LTS onto the machine. I liked the idea of "long term support." But when I saw how much stuff it loaded onto the machine by default, I thought that there must be a better option. Rather than installing everything under the sun and then trying to figure out what I can remove afterwards, I think it'd be easier to do a minimal installation to start with and just add the little that I actually need.

I'd like recommendations for which distribution (and which version of the distribution) to start from in order to build the system I want, and any other advice you might have for me. Please recall that I'm a newbie. Simpler is better.

The computer will function in my place of work, if home vs business makes a difference in any way.

Jim

yancek 03-22-2017 07:17 AM

Since you are already familiar with Ubuntu, take a look at the page below which explains downloading and installing its 'minimal iso'.

https://help.ubuntu.com/community/In...tion/MinimalCD

Most major Linux distributions should have something similar available on their download pages.

sundialsvcs 03-22-2017 07:37 AM

You might consider using a second machine to set up the software on the machine-of-interest, so that the primary machine has only what it needs. You would securely ssh into the machine (using digital certificates, of course, with passwords disabled) and perhaps use rsync to copy the material from the master. Meanwhile, "from the front door," the machine is single-purpose and has no public-facing exit.

Then, you might get some ideas from these pages:

rtmistler 03-22-2017 07:55 AM

There's Linux from Scratch, or homebuild your own distribution by downloading the kernel and creating a custom kernel as well as root file system.

Given that you are entirely new, I'd recommend trying something which guides you first, and also taking it slow while realizing that you will have some setbacks. Therefore keep an excellent record of how you've proceeded, note what works and what doesn't so when you go back and re-make it from the ground up you don't have leftover stuff that you tried, but rejected on there.

I second the recommendation to have more than one system.

Perhaps consider a Raspberry Pi first and do all your explorations on the Pi until you get it as right as you want.

taylorkh 03-22-2017 08:08 AM

Hello Jim,

That is an interesting situation you pose. I guess the real question is "who are you attempting to secure from what?" or perhaps "what are you attempting to secure from whom?" The extra software installed by default by Ubuntu is probably a low order threat. Accessing the Internet is inherently dangerous. The various threats can be mitigated in different ways.

For example... If you are using a VPN to obscure your location/identity you need to access a site such as doileak.com. It will point out various leaks from your PC/browser. Adobe Flash, WebGL and WebRTC are quite common and easily fixed.

It might be worthwhile to install the HTTPS Everywhere add-on to Firefox. This program forces secure connections to web sites wherever possible.

Windows viruses and malware are not an issue in Linux. Just don't copy them to one of your Windoze machines :)

If you are concerned about privacy (browsing history etc.) there are settings in Firefox to deal with a lot of that and some addons to block ads, scripts, tracking etc. If you are concerned about the various users getting into each other's "stuff" you could set up encrypted home directories for each user.

If you are "really" paranoid you could run Linux from a non-writable media (CD or DVD) using a live distro or if you are "REALLY" paranoid consider the Tails OS which also forces all connections through Tor. It all depends on what you are trying to achieve.

Ken

syg00 03-22-2017 08:11 AM

Quote:

Perhaps consider a Raspberry Pi first and do all your explorations on the Pi until you get it as right as you want.

I disagree - there are enough differences in ARM for that (pi) to have significant potential to add to the confusion.
Using a prebuilt system is much different to creating it in a new (to the OP) architecture.

Stick to x86 (Intel/AMD) initially would be my recommendation. However locking it down to that extent with no prior hardening experience will be an interesting learning curve.

Rickkkk 03-22-2017 08:54 AM

Hey Jim - the distribution I currently use, Arch, installs a bare system with a basic command-line only interface to start with. You add what you need or want afterwards - including a desktop environment (GUI). So this definitely meets your need for a lean system.

However : Arch also requires more "homework" on the part of the user. Documentation is excellent - but you will be expected to read up. So in that respect, it doesn't necessarily meet your requirement for something "simple".

So it's a bit of a balancing act. Perhaps something in between Ubuntu and Arch in terms of simplicity is a better option for you - Someone suggested the "basic install" variant of Ubuntu or other popular distros - this might be the best approach.

Cheers and let us know how it goes :-)

rtmistler 03-22-2017 08:59 AM

Quote:

Originally Posted by Rickkkk (Post 5686767)
Perhaps something in between Ubuntu and Arch in terms of simplicity is a better option for you

I personally call that Mint Debian Edition :) Yes I realize that this is really a more fully up system, and do agree with your Arch suggestion. I do feel that the OP may need to experience and tweak Linux a bit to learn before they embark on building their ideal system form, which will always be an evolution until they reach a point of tiredness on the subject.

jcromano 03-22-2017 09:58 AM

Quote:

Originally Posted by taylorkh (Post 5686745)

I guess the real question is "who are you attempting to secure from what?" or perhaps "what are you attempting to secure from whom?"

In order to pass a security questionnaire related to credit card procedures, I have to be able to affirm numerous over-the-top statements. One of them is, verbatim, "All unnecessary functionality has been removed from all systems."

Disabling wifi completely will make some other statements easier to get past.

Running some kind of anti-virus will make some other statements easier to get past.

Configuring a firewall so that the browser can *only* go to https sites would also help. I'll cross that bridge when I get there.
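
The egress restriction described in the post above, sketched as an nftables ruleset. This is an added example, not part of the original thread; it assumes nftables is available, the wired interface gets its address by DHCP, and name resolution uses port 53. A port filter only limits destinations to TCP 443; it cannot confirm that the traffic on that port is actually TLS.

```nftables
#!/usr/sbin/nft -f
# Constructed example: default-deny in both directions, outbound HTTPS only.
# The table name "single_use" is made up for this illustration.
flush ruleset

table inet single_use {
    chain input {
        type filter hook input priority 0; policy drop;
        iif "lo" accept
        ct state invalid drop
        ct state established,related accept    # replies to connections we opened
        udp sport 67 udp dport 68 accept       # DHCP replies (assumes DHCP)
        icmpv6 type { nd-neighbor-solicit, nd-neighbor-advert, nd-router-advert } accept
        # Nothing else is accepted: no inbound SSH, telnet, ping or discovery,
        # so other devices on the router get no answer from this machine.
    }

    chain forward {
        type filter hook forward priority 0; policy drop;
    }

    chain output {
        type filter hook output priority 0; policy drop;
        oif "lo" accept
        ct state established,related accept
        udp sport 68 udp dport 67 accept       # DHCP requests
        udp dport 53 accept                    # DNS lookups
        tcp dport 53 accept
        icmpv6 type { nd-neighbor-solicit, nd-neighbor-advert, nd-router-solicit } accept
        tcp dport 443 accept                   # the HTTPS port, nothing else
        log prefix "egress-drop: " counter     # record what the policy refused
    }
}
```

Package updates fetched over plain HTTP (port 80) are refused by this policy, so the package mirror has to be reachable over HTTPS or given its own rule. The `egress-drop:` log lines show what else on the machine tried to reach the network.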

Rickkkk 03-22-2017 10:01 AM

Quote:

Originally Posted by rtmistler (Post 5686769)
I personally call that Mint Debian Edition :) ... I do feel that the OP may need to experience and tweak Linux a bit to learn before they embark on building their ideal system form, which will always be an evolution until they reach a point of tiredness on the subject.

... Agreed - thanks for the Mint Debian Edition suggestion - I am unfamiliar with Mint, but realize it is a very popular current alternative. Sounds like a good starting point for the OP ... ;-) ...

( ... That's you, Jim .. ;-) ... )

rtmistler 03-22-2017 10:20 AM

Quote:

Originally Posted by Rickkkk (Post 5686802)
... Agreed - thanks for the Mint Debian Edition suggestion - I am unfamiliar with Mint, but realize it is a very popular current alternative. Sounds like a good starting point for the OP ... ;-) ...

( ... That's you, Jim .. ;-) ... )

Emphasis on Debian because normal Mint is based off of Ubuntu.

Quote:

Originally Posted by jcromano (Post 5686798)
In order to pass a security questionnaire related to credit card procedures, I have to be able to affirm numerous over-the-top statements. One of them is, verbatim, "All unnecessary functionality has been removed from all systems."

Disabling wifi completely will make some other statements easier to get past.

Running some kind of anti-virus will make some other statements easier to get past.

Configuring a firewall so that the browser can *only* go to https sites would also help. I'll cross that bridge when I get there.

Given that you are new to Linux in general you may wish to stage this for some good length of time and test it well before deploying to a merchant or business situation where these concerns arise from. This also is one of the reasons why there is commercial software for point of sale processing. Back in the 70s and 80s in the US all banking and point of sale networks had their forms of personal covenants from accepting changes to their equipment after a certain point, like Halloween or Thanksgiving in preparation for the holiday season. Either case, my point there is that you wish to get it right, well tested, then deploy and not change it much until you've staged your next set of changes. Hence it may be helpful to set up the basics first, by way of having the computer in place, not allowing access types you wish to block, and doing nothing but recording the data, then adding in the capabilities to conduct transactions. Just some thoughts on that.

And I know you didn't say point of sale, you instead said security questionnaire. To me, this still involves access to information related to financial accounts for businesses or people. Same deal, you wish to introduce your new capabilities using caution, whether it be related to investment accounts, credit card accounts, point of sale processing, medical data base information, and so forth.

jcromano 03-22-2017 12:42 PM

Quote:

Originally Posted by rtmistler (Post 5686811)
Either case, my point there is that you wish to get it right, well tested, then deploy and not change it much until you've staged your next set of changes.

Yes. Caution is the watchword. I do not expect this to be a quick fix. I'm not even sure I'll even become confident enough to even deploy it in our office. But it seems worth investigating, at least. Our office never stores sensitive information electronically, on paper, or in any other way. We communicate it to a secure web site, and they handle everything else. If we can just keep that communication secure, we should be good. And doing so should be possible, I'd think.

Thank you for your thoughts.

jcromano 03-22-2017 12:53 PM

Quote:

Originally Posted by yancek (Post 5686728)
Since you are already familiar with Ubuntu, take a look at the page below which explains downloading and installing its 'minimal iso'.

https://help.ubuntu.com/community/In...tion/MinimalCD

I'm starting down this path.

I'm at the point where I can select software to install. I notice that "standard system utilities" comes pre-checked. (It is the only item that is checked by default.) I Googled what that set of utilities contains, and I see that telnet is one of those utilities. Having my computer telnet to anything else or having anything else telnet to my computer both sound risky. I think I'll opt out of the standard system utilities. Thoughts?

I notice that openSSH is not checked by default. Does SSH only provide protection for SSH remote logins, or does it somehow protect other types of remote logins (such as telnet)? That is, would not installing SSH make the system more secure (by disallowing one type of remote login) or less secure (by making other types of remote login less safe)?

Rickkkk 03-22-2017 01:08 PM

Quote:

Originally Posted by jcromano (Post 5686875)
I'm starting down this path.

I notice that openSSH is not checked by default. Does SSH only provide protection for SSH remote logins, or does it somehow protect other types of remote logins (such as telnet)? That is, would not installing SSH make the system more secure (by disallowing one type of remote login) or less secure (by making other types of remote login less safe)?

Installing OpenSSH won't automatically make your system either less, or more, secure. That will depend on if, and how, you deploy and configure it. SSH provides a secure method of handling remote access, if properly configured and managed. Best to read up on it (man page, your distro's wiki ... ).

Cheers,

jefro 03-22-2017 02:51 PM

Other than setting up a kiosk, I'd think that you could also consider SuseStudio.com to make a one of a kind distro.

I used to like webconverger but I think they have strayed a bit.


All times are GMT -5.