LinuxQuestions.org
Old 03-21-2017, 10:04 PM   #1
jcromano
LQ Newbie
 
Registered: Mar 2017
Posts: 5

Rep: Reputation: Disabled
setting up a single-use machine


Hello,

I'm a Linux newbie, so please take it easy on me with your answers.

I'm considering putting Linux on an old laptop and setting it up so that the laptop does little or nothing else other than browse secure (https) web pages. Security is a high priority, and I'd rather turn off (preferably uninstall completely) any programs, services or features that aren't strictly necessary for that purpose.

Here are some features that I will need:

networking--I'll connect to a router via an ethernet cable; I'd prefer to neither see nor be seen by other devices connected to that router

logins for multiple users

package installer/manager--to hopefully keep things simple for me

whatever it takes to make the browser communications secure

possibly antivirus and/or a firewall

And here are features that I won't need:

wifi--I'll connect to a router via ethernet cable; I'd like wifi completely disabled

LibreOffice or other office software--perhaps the administrator's account (my account) might need an editor to edit configuration files, but the regular users won't need to do any editing of documents or spreadsheets or presentations

anything to do with entertainment (movies or other videos, music, games, social networking...)

This morning, I put Ubuntu Desktop 16.04.02 LTS onto the machine. I liked the idea of "long term support." But when I saw how much stuff it loaded onto the machine by default, I thought that there must be a better option. Rather than installing everything under the sun and then trying to figure out what I can remove afterwards, I think it'd be easier to do a minimal installation to start with and just add the little that I actually need.

I'd like recommendations for which distribution (and which version of the distribution) to start from in order to build the system I want, and any other advice you might have for me. Please recall that I'm a newbie. Simpler is better.

The computer will function in my place of work, if home vs business makes a difference in any way.

Jim
 
Old 03-22-2017, 07:17 AM   #2
yancek
LQ Guru
 
Registered: Apr 2008
Distribution: PCLinux, Slackware
Posts: 9,425

Rep: Reputation: 2090
Since you are already familiar with Ubuntu, take a look at the page below which explains downloading and installing its 'minimal iso'.

https://help.ubuntu.com/community/In...tion/MinimalCD

Most major Linux distributions should have something similar available on their download pages.
 
Old 03-22-2017, 07:37 AM   #3
sundialsvcs
LQ Guru
 
Registered: Feb 2004
Location: SE Tennessee, USA
Distribution: Gentoo, LFS
Posts: 9,232
Blog Entries: 4

Rep: Reputation: 3260
You might consider using a second machine to set up the software on the machine-of-interest, so that the primary machine has only what it needs. You would securely ssh into the machine (using digital certificates, of course, with passwords disabled) and perhaps use rsync to copy the material from the master. Meanwhile, "from the front door," the machine is single-purpose and has no public-facing exit.

Then, you might get some ideas from these pages:

Last edited by sundialsvcs; 03-22-2017 at 07:38 AM.
 
Old 03-22-2017, 07:55 AM   #4
rtmistler
Moderator
 
Registered: Mar 2011
Location: USA
Distribution: MINT Debian, Angstrom, SUSE, Ubuntu, Debian
Posts: 9,354
Blog Entries: 13

Rep: Reputation: 4411
There's Linux from Scratch, or homebuild your own distribution by downloading the kernel and creating a custom kernel as well as a root file system.

Given that you are entirely new, I'd recommend trying something which guides you first, and also taking it slow while realizing that you will have some setbacks. Therefore keep an excellent record of how you've proceeded, note what works and what doesn't so when you go back and re-make it from the ground up you don't have leftover stuff that you tried, but rejected on there.

I second the recommendation to have more than one system.

Perhaps consider a Raspberry Pi first and do all your explorations on the Pi until you get it as right as you want.
 
Old 03-22-2017, 08:08 AM   #5
taylorkh
Senior Member
 
Registered: Jul 2006
Location: North Carolina
Distribution: CentOS 6, CentOS 7 (with Mate), Ubuntu 16.04 Mate
Posts: 2,075

Rep: Reputation: 165
Hello Jim,

That is an interesting situation you pose. I guess the real question is "who are you attempting to secure from what?" or perhaps "what are you attempting to secure from whom?" The extra software installed by default by Ubuntu is probably a low order threat. Accessing the Internet is inherently dangerous. The various threats can be mitigated in different ways.

For example... If you are using a VPN to obscure your location/identity you need to access a site such as doileak.com. It will point out various leaks from your PC/browser. Adobe Flash, WebGL and WebRTC are quite common and easily fixed.

It might be worthwhile to install the HTTPS Everywhere add-on to Firefox. This program forces secure connections to web sites wherever possible.

Windows viruses and malware are not an issue in Linux. Just don't copy them to one of your Windoze machines.

If you are concerned about privacy (browsing history etc.) there are settings in Firefox to deal with a lot of that and some addons to block ads, scripts, tracking etc. If you are concerned about the various users getting into each other's "stuff" you could set up encrypted home directories for each user.

If you are "really" paranoid you could run Linux from a non-writable media (CD or DVD) using a live distro or if you are "REALLY" paranoid consider the Tails OS which also forces all connections through Tor. It all depends on what you are trying to achieve.

Ken
 
Old 03-22-2017, 08:11 AM   #6
syg00
LQ Veteran
 
Registered: Aug 2003
Location: Australia
Distribution: Lots ...
Posts: 19,777

Rep: Reputation: 3572
Quote:
Perhaps consider a Raspberry Pi first and do all your explorations on the Pi until you get it as right as you want.
I disagree - there are enough differences in ARM for that (pi) to have significant potential to add to the confusion.
Using a prebuilt system is much different to creating it in a new (to the OP) architecture.

Stick to x86 (Intel/AMD) initially would be my recommendation. However locking it down to that extent with no prior hardening experience will be an interesting learning curve.

Last edited by syg00; 03-22-2017 at 08:13 AM. Reason: added quote for clarity
 
Old 03-22-2017, 08:54 AM   #7
Rickkkk
Senior Member
 
Registered: Dec 2014
Location: Montreal, Quebec and Dartmouth, Nova Scotia CANADA
Distribution: Arch
Posts: 1,253

Rep: Reputation: 467
Hey Jim - the distribution I currently use, Arch, installs a bare system with a basic command-line only interface to start with. You add what you need or want afterwards - including a desktop environment (GUI). So this definitely meets your need for a lean system.

However: Arch also requires more "homework" on the part of the user. Documentation is excellent - but you will be expected to read up. So in that respect, it doesn't necessarily meet your requirement for something "simple".

So it's a bit of a balancing act. Perhaps something in between Ubuntu and Arch in terms of simplicity is a better option for you - Someone suggested the "basic install" variant of Ubuntu or other popular distros - this might be the best approach.

Cheers and let us know how it goes :-)
 
Old 03-22-2017, 08:59 AM   #8
rtmistler
Moderator
 
Registered: Mar 2011
Location: USA
Distribution: MINT Debian, Angstrom, SUSE, Ubuntu, Debian
Posts: 9,354
Blog Entries: 13

Rep: Reputation: 4411
Quote:
Originally Posted by Rickkkk
Perhaps something in between Ubuntu and Arch in terms of simplicity is a better option for you
I personally call that Mint Debian Edition. Yes, I realize that this is really a more fully up system, and do agree with your Arch suggestion. I do feel that the OP may need to experience and tweak Linux a bit to learn before they embark on building their ideal system form, which will always be an evolution until they reach a point of tiredness on the subject.
 
1 members found this post helpful.
Old 03-22-2017, 09:58 AM   #9
jcromano
LQ Newbie
 
Registered: Mar 2017
Posts: 5

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by taylorkh

I guess the real question is "who are you attempting to secure from what?" or perhaps "what are you attempting to secure from whom?"
In order to pass a security questionnaire related to credit card procedures, I have to be able to affirm numerous over-the-top statements. One of them is, verbatim, "All unnecessary functionality has been removed from all systems."

Disabling wifi completely will make some other statements easier to get past.

Running some kind of anti-virus will make some other statements easier to get past.

Configuring a firewall so that the browser can *only* go to https sites would also help. I'll cross that bridge when I get there.
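
One way to express the HTTPS-only firewall mentioned in this post, as an added example that is not from the thread: a shell function that emits an nftables ruleset dropping everything except loopback, DHCP, DNS to one resolver, and outbound TCP 443. The table name `single_use`, the interface `eth0` and the resolver `192.0.2.53` are assumptions to replace with local values.

```shell
#!/bin/sh
# Added example: generate an nftables ruleset for an HTTPS-only workstation.
# Check it without applying:  https_only_ruleset eth0 192.0.2.53 | nft -c -f -
# Apply it (as root):         https_only_ruleset eth0 192.0.2.53 | nft -f -

https_only_ruleset() {
    iface=$1      # wired interface name (assumed: eth0)
    resolver=$2   # IPv4 address of the DNS server in use (assumed value)

    # Accept only a plain interface name and a digits-and-dots address,
    # so nothing unexpected is spliced into the ruleset text.
    case $iface in
        ''|*[!A-Za-z0-9_.-]*) echo "bad interface: $iface" >&2; return 1 ;;
    esac
    case $resolver in
        ''|*[!0-9.]*) echo "bad resolver: $resolver" >&2; return 1 ;;
    esac

    cat <<EOF
# Create-then-delete makes reloading idempotent.
table inet single_use
delete table inet single_use
table inet single_use {
    chain input {
        # Unsolicited traffic from other devices on the router is dropped.
        type filter hook input priority 0; policy drop;
        iifname "lo" accept
        ct state established,related accept
        icmpv6 type { nd-neighbor-solicit, nd-neighbor-advert, nd-router-advert } accept
        udp sport 67 udp dport 68 accept
    }
    chain output {
        type filter hook output priority 0; policy drop;
        oifname "lo" accept
        ct state established,related accept
        icmpv6 type { nd-neighbor-solicit, nd-neighbor-advert, nd-router-solicit } accept
        # DHCP lease, DNS to the one named resolver, then HTTPS only.
        oifname "$iface" udp sport 68 udp dport 67 accept
        oifname "$iface" ip daddr $resolver udp dport 53 accept
        oifname "$iface" ip daddr $resolver tcp dport 53 accept
        oifname "$iface" tcp dport 443 accept
        # Everything else (including plain HTTP on port 80) is counted and logged.
        counter log prefix "egress-drop: "
    }
}
EOF
}
```

A destination-port rule limits where connections go, not which protocol runs over them, so the browser still has to enforce HTTPS itself.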
 
Old 03-22-2017, 10:01 AM   #10
Rickkkk
Senior Member
 
Registered: Dec 2014
Location: Montreal, Quebec and Dartmouth, Nova Scotia CANADA
Distribution: Arch
Posts: 1,253

Rep: Reputation: 467
Quote:
Originally Posted by rtmistler
I personally call that Mint Debian Edition ... I do feel that the OP may need to experience and tweak Linux a bit to learn before they embark on building their ideal system form, which will always be an evolution until they reach a point of tiredness on the subject.
... Agreed - thanks for the Mint Debian Edition suggestion - I am unfamiliar with Mint, but realize it is a very popular current alternative. Sounds like a good starting point for the OP ... ;-) ...

( ... That's you, Jim .. ;-) ... )
 
Old 03-22-2017, 10:20 AM   #11
rtmistler
Moderator
 
Registered: Mar 2011
Location: USA
Distribution: MINT Debian, Angstrom, SUSE, Ubuntu, Debian
Posts: 9,354
Blog Entries: 13

Rep: Reputation: 4411
Quote:
Originally Posted by Rickkkk
... Agreed - thanks for the Mint Debian Edition suggestion - I am unfamiliar with Mint, but realize it is a very popular current alternative. Sounds like a good starting point for the OP ... ;-) ...

( ... That's you, Jim .. ;-) ... )
Emphasis on Debian because normal Mint is based off of Ubuntu.
Quote:
Originally Posted by jcromano
In order to pass a security questionnaire related to credit card procedures, I have to be able to affirm numerous over-the-top statements. One of them is, verbatim, "All unnecessary functionality has been removed from all systems."

Disabling wifi completely will make some other statements easier to get past.

Running some kind of anti-virus will make some other statements easier to get past.

Configuring a firewall so that the browser can *only* go to https sites would also help. I'll cross that bridge when I get there.
Given that you are new to Linux in general you may wish to stage this for some good length of time and test it well before deploying to a merchant or business situation where these concerns arise from. This also is one of the reasons why there is commercial software for point of sale processing. Back in the 70s and 80s in the US all banking and point of sale networks had their forms of personal covenants from accepting changes to their equipment after a certain point, like Halloween or Thanksgiving in preparation for the holiday season. Either case, my point there is that you wish to get it right, well tested, then deploy and not change it much until you've staged your next set of changes. Hence it may be helpful to set up the basics first, by way of having the computer in place, not allowing access types you wish to block, and doing nothing but recording the data, then adding in the capabilities to conduct transactions. Just some thoughts on that.

And I know you didn't say point of sale, you instead said security questionnaire. To me, this still involves access to information related to financial accounts for businesses or people. Same deal, you wish to introduce your new capabilities using caution, whether it be related to investment accounts, credit card accounts, point of sale processing, medical database information, and so forth.
 
Old 03-22-2017, 12:42 PM   #12
jcromano
LQ Newbie
 
Registered: Mar 2017
Posts: 5

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by rtmistler
Either case, my point there is that you wish to get it right, well tested, then deploy and not change it much until you've staged your next set of changes.
Yes. Caution is the watchword. I do not expect this to be a quick fix. I'm not even sure I'll even become confident enough to even deploy it in our office. But it seems worth investigating, at least. Our office never stores sensitive information electronically, on paper, or in any other way. We communicate it to a secure web site, and they handle everything else. If we can just keep that communication secure, we should be good. And doing so should be possible, I'd think.

Thank you for your thoughts.
 
Old 03-22-2017, 12:53 PM   #13
jcromano
LQ Newbie
 
Registered: Mar 2017
Posts: 5

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by yancek
Since you are already familiar with Ubuntu, take a look at the page below which explains downloading and installing its 'minimal iso'.

https://help.ubuntu.com/community/In...tion/MinimalCD
I'm starting down this path.

I'm at the point where I can select software to install. I notice that "standard system utilities" comes pre-checked. (It is the only item that is checked by default.) I Googled what that set of utilities contains, and I see that telnet is one of those utilities. Having my computer telnet to anything else or having anything else telnet to my computer both sound risky. I think I'll opt out of the standard system utilities. Thoughts?

I notice that openSSH is not checked by default. Does SSH only provide protection for SSH remote logins, or does it somehow protect other types of remote logins (such as telnet)? That is, would not installing SSH make the system more secure (by disallowing one type of remote login) or less secure (by making other types of remote login less safe)?
 
Old 03-22-2017, 01:08 PM   #14
Rickkkk
Senior Member
 
Registered: Dec 2014
Location: Montreal, Quebec and Dartmouth, Nova Scotia CANADA
Distribution: Arch
Posts: 1,253

Rep: Reputation: 467
Quote:
Originally Posted by jcromano
I'm starting down this path.

I notice that openSSH is not checked by default. Does SSH only provide protection for SSH remote logins, or does it somehow protect other types of remote logins (such as telnet)? That is, would not installing SSH make the system more secure (by disallowing one type of remote login) or less secure (by making other types of remote login less safe)?
Installing OpenSSH won't automatically make your system either less, or more, secure. That will depend on if, and how, you deploy and configure it. SSH provides a secure method of handling remote access, if properly configured and managed. Best to read up on it (man page, your distro's wiki ... ).

Cheers,
 
Old 03-22-2017, 02:51 PM   #15
jefro
Moderator
 
Registered: Mar 2008
Posts: 20,973

Rep: Reputation: 3403
Other than setting up a kiosk, I'd think that you could also consider SuseStudio.com to make a one of a kind distro.

I used to like webconverger but I think they have strayed a bit.
 
All times are GMT -5.