Linux - Newbie This Linux forum is for members that are new to Linux.
|
|
|
03-21-2017, 10:04 PM
|
#1
|
LQ Newbie
Registered: Mar 2017
Posts: 5
|
setting up a single-use machine
Hello,
I'm a Linux newbie, so please take it easy on me with your answers.
I'm considering putting Linux on an old laptop and setting it up so that the laptop does little or nothing else other than browse secure (https) web pages. Security is a high priority, and I'd rather turn off (preferably uninstall completely) any programs, services or features that aren't strictly necessary for that purpose.
Here are some features that I will need:
networking--I'll connect to a router via an ethernet cable; I'd prefer to neither see nor be seen by other devices connected to that router
logins for multiple users
package installer/manager--to hopefully keep things simple for me
whatever it takes to make the browser communications secure
possibly antivirus and/or a firewall
And here are features that I won't need:
wifi--I'll connect to a router via ethernet cable; I'd like wifi completely disabled
LibreOffice or other office software--perhaps the administrator's account (my account) might need an editor to edit configuration files, but the regular users won't need to do any editing of documents or spreadsheets or presentations
anything to do with entertainment (movies or other videos, music, games, social networking...)
This morning, I put Ubuntu Desktop 16.04.02 LTS onto the machine. I liked the idea of "long term support." But when I saw how much stuff it loaded onto the machine by default, I thought that there must be a better option. Rather than installing everything under the sun and then trying to figure out what I can remove afterwards, I think it'd be easier to do a minimal installation to start with and just add the little that I actually need.
I'd like recommendations for which distribution (and which version of the distribution) to start from in order to build the system I want, and any other advice you might have for me. Please recall that I'm a newbie. Simpler is better.
The computer will function in my place of work, if home vs business makes a difference in any way.
Jim
|
|
|
03-22-2017, 07:17 AM
|
#2
|
LQ Guru
Registered: Apr 2008
Distribution: Slackware, Ubuntu, PCLinux,
Posts: 10,861
|
Since you are already familiar with Ubuntu, take a look at the page below which explains downloading and installing its 'minimal iso'.
https://help.ubuntu.com/community/In...tion/MinimalCD
Most major Linux distributions should have something similar available on their download pages.
|
|
|
03-22-2017, 07:37 AM
|
#3
|
LQ Guru
Registered: Feb 2004
Location: SE Tennessee, USA
Distribution: Gentoo, LFS
Posts: 10,867
|
You might consider using a second machine to set up the software on the machine-of-interest, so that the primary machine has only what it needs. You would securely ssh into the machine (using digital certificates, of course, with passwords disabled) and perhaps use rsync to copy the material from the master. Meanwhile, "from the front door," the machine is single-purpose and has no public-facing exit.
Then, you might get some ideas from these pages:
Last edited by sundialsvcs; 03-22-2017 at 07:38 AM.
|
|
|
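The key-only SSH setup suggested in the post above depends on what sshd actually resolves from its configuration, so here is a small audit of that (added example, not from the thread). The sample configurations are constructed, and absent keywords are assumed to take the upstream OpenSSH defaults.

```shell
#!/bin/sh
# Added example: does this sshd_config really allow key logins only?
# sshd keeps the FIRST value it reads for a keyword, so a
# "PasswordAuthentication no" appended below an earlier "yes" has no effect.
# Match blocks are not evaluated; parsing stops at the first one.

# Constructed samples, not taken from a real host.
WEAK_CFG='PermitRootLogin prohibit-password
PasswordAuthentication yes
ChallengeResponseAuthentication no
# appended later by the admin
PasswordAuthentication no'
GOOD_CFG='PasswordAuthentication no
KbdInteractiveAuthentication no
PubkeyAuthentication yes'

# effective_value "kw1|kw2" DEFAULT  (lowercase keywords; config on stdin)
effective_value() {
    awk -v want="|$1|" -v def="$2" '
    NF == 0 || $1 ~ /^#/ { next }
    { k = tolower($1) }
    k == "match" { exit }
    !seen && index(want, "|" k "|") { val = tolower($2); seen = 1 }
    END { print (seen ? val : def) }'
}

# audit_sshd: config on stdin; prints one FAIL line per problem, returns 1 if any.
audit_sshd() {
    cfg=$(cat); rc=0
    pw=$(printf '%s\n' "$cfg" | effective_value passwordauthentication yes)
    kbd=$(printf '%s\n' "$cfg" | effective_value \
        'kbdinteractiveauthentication|challengeresponseauthentication' yes)
    pk=$(printf '%s\n' "$cfg" | effective_value pubkeyauthentication yes)
    [ "$pw" = no ]  || { echo "FAIL PasswordAuthentication=$pw"; rc=1; }
    [ "$kbd" = no ] || { echo "FAIL KbdInteractiveAuthentication=$kbd"; rc=1; }
    [ "$pk" = yes ] || { echo "FAIL PubkeyAuthentication=$pk"; rc=1; }
    return $rc
}
```

On a live host, `sshd -T` prints the configuration sshd resolved, including Match handling, and is the authoritative check.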
03-22-2017, 07:55 AM
|
#4
|
Moderator
Registered: Mar 2011
Location: USA
Distribution: MINT Debian, Angstrom, SUSE, Ubuntu, Debian
Posts: 9,894
|
There's Linux from Scratch, or homebuild your own distribution by downloading the kernel and creating a custom kernel as well as root file system.
Given that you are entirely new, I'd recommend trying something which guides you first, and also taking it slow while realizing that you will have some setbacks. Therefore keep an excellent record of how you've proceeded, note what works and what doesn't so when you go back and re-make it from the ground up you don't have leftover stuff that you tried, but rejected on there.
I second the recommendation to have more than one system.
Perhaps consider a Raspberry Pi first and do all your explorations on the Pi until you get it as right as you want.
|
|
|
03-22-2017, 08:08 AM
|
#5
|
Senior Member
Registered: Jul 2006
Location: North Carolina
Distribution: CentOS 6, CentOS 7 (with Mate), Ubuntu 16.04 Mate
Posts: 2,127
|
Hello Jim,
That is an interesting situation you pose. I guess the real question is "who are you attempting to secure from what?" or perhaps "what are you attempting to secure from whom?" The extra software installed by default by Ubuntu is probably a low order threat. Accessing the Internet is inherently dangerous. The various threats can be mitigated in different ways.
For example... If you are using a VPN to obscure your location/identity you need to access a site such as doileak.com. It will point out various leaks from your PC/browser. Adobe Flash, WebGL and WebRTC are quite common and easily fixed.
It might be worthwhile to install the HTTPS Everywhere add-on to Firefox. This program forces secure connections to web sites wherever possible.
Windows viruses and malware are not an issue in Linux. Just don't copy them to one of your Windoze machines.
If you are concerned about privacy (browsing history etc.) there are settings in Firefox to deal with a lot of that and some addons to block ads, scripts, tracking etc. If you are concerned about the various users getting into each other's "stuff" you could set up encrypted home directories for each user.
If you are "really" paranoid you could run Linux from non-writable media (CD or DVD) using a live distro or if you are "REALLY" paranoid consider the Tails OS which also forces all connections through Tor. It all depends on what you are trying to achieve.
Ken
|
|
|
03-22-2017, 08:11 AM
|
#6
|
LQ Veteran
Registered: Aug 2003
Location: Australia
Distribution: Lots ...
Posts: 21,251
|
Quote:
Perhaps consider a Raspberry Pi first and do all your explorations on the Pi until you get it as right as you want.
|
I disagree - there are enough differences in ARM for that (pi) to have significant potential to add to the confusion.
Using a prebuilt system is much different to creating it in a new (to the OP) architecture.
Stick to x86 (Intel/AMD) initially would be my recommendation. However locking it down to that extent with no prior hardening experience will be an interesting learning curve.
Last edited by syg00; 03-22-2017 at 08:13 AM.
Reason: added quote for clarity
|
|
|
03-22-2017, 08:54 AM
|
#7
|
Senior Member
Registered: Dec 2014
Location: Montreal, Quebec and Dartmouth, Nova Scotia CANADA
Distribution: Arch, AntiX, ArtiX
Posts: 1,364
|
Hey Jim - the distribution I currently use, Arch, installs a bare system with a basic command-line only interface to start with. You add what you need or want afterwards - including a desktop environment (GUI). So this definitely meets your need for a lean system.
However : Arch also requires more "homework" on the part of the user. Documentation is excellent - but you will be expected to read up. So in that respect, it doesn't necessarily meet your requirement for something "simple".
So it's a bit of a balancing act. Perhaps something in between Ubuntu and Arch in terms of simplicity is a better option for you - someone suggested the "basic install" variant of Ubuntu or other popular distros - this might be the best approach.
Cheers and let us know how it goes :-)
|
|
|
03-22-2017, 08:59 AM
|
#8
|
Moderator
Registered: Mar 2011
Location: USA
Distribution: MINT Debian, Angstrom, SUSE, Ubuntu, Debian
Posts: 9,894
|
Quote:
Originally Posted by Rickkkk
Perhaps something in between Ubuntu and Arch in terms of simplicity is a better option for you
|
I personally call that Mint Debian Edition. Yes, I realize that this is really a more fully up system, and do agree with your Arch suggestion. I do feel that the OP may need to experience and tweak Linux a bit to learn before they embark on building their ideal system form, which will always be an evolution until they reach a point of tiredness on the subject.
|
|
|
03-22-2017, 09:58 AM
|
#9
|
LQ Newbie
Registered: Mar 2017
Posts: 5
Original Poster
|
Quote:
Originally Posted by taylorkh
I guess the real question is "who are you attempting to secure from what?" or perhaps "what are you attempting to secure from whom?"
|
In order to pass a security questionnaire related to credit card procedures, I have to be able to affirm numerous over-the-top statements. One of them is, verbatim, "All unnecessary functionality has been removed from all systems."
Disabling wifi completely will make some other statements easier to get past.
Running some kind of anti-virus will make some other statements easier to get past.
Configuring a firewall so that the browser can *only* go to https sites would also help. I'll cross that bridge when I get there.
|
|
|
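One way to express the firewall idea from the post above (added example, not from the thread): a shell function that emits an nftables ruleset which drops unsolicited inbound traffic and lets the host originate only DHCP, DNS to a single resolver, and TCP port 443. The table name `kiosk` and the resolver address are assumptions; note that a port filter restricts the destination port, not the protocol spoken on it.

```shell
#!/bin/sh
# Added example: generate an nftables ruleset for a browse-HTTPS-only host.
# Assumptions (not from the thread): table name "kiosk", an IPv4-only LAN,
# one DNS resolver passed as $1 (192.0.2.53 is a documentation address).
# "flush ruleset" replaces whatever rules are already loaded.

gen_ruleset() {
    resolver="$1"
    # Accept only digits and dots so the value cannot add nft statements.
    case "$resolver" in
        ''|*[!0-9.]*) echo "usage: gen_ruleset <resolver-ipv4>" >&2; return 2 ;;
    esac
    cat <<EOF
flush ruleset
table inet kiosk {
    chain input {
        type filter hook input priority 0; policy drop;
        iif "lo" accept
        ct state established,related accept
        # No other accept rule: no LAN host can open a connection to this one.
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
    }
    chain output {
        type filter hook output priority 0; policy drop;
        oif "lo" accept
        ct state established,related accept
        udp sport 68 udp dport 67 accept
        ip daddr $resolver udp dport 53 accept
        ip daddr $resolver tcp dport 53 accept
        tcp dport 443 accept
        # Port 80 is not listed, so plain-HTTP requests never leave the host.
    }
}
EOF
}
```

`gen_ruleset 192.0.2.53 | nft -c -f -` checks the ruleset without loading it; as root, dropping `-c` applies it.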
03-22-2017, 10:01 AM
|
#10
|
Senior Member
Registered: Dec 2014
Location: Montreal, Quebec and Dartmouth, Nova Scotia CANADA
Distribution: Arch, AntiX, ArtiX
Posts: 1,364
|
Quote:
Originally Posted by rtmistler
I personally call that Mint Debian Edition ... I do feel that the OP may need to experience and tweak Linux a bit to learn before they embark on building their ideal system form, which will always be an evolution until they reach a point of tiredness on the subject.
|
... Agreed - thanks for the Mint Debian Edition suggestion - I am unfamiliar with Mint, but realize it is a very popular current alternative. Sounds like a good starting point for the OP ... ;-) ...
( ... That's you, Jim .. ;-) ... )
|
|
|
03-22-2017, 10:20 AM
|
#11
|
Moderator
Registered: Mar 2011
Location: USA
Distribution: MINT Debian, Angstrom, SUSE, Ubuntu, Debian
Posts: 9,894
|
Quote:
Originally Posted by Rickkkk
... Agreed - thanks for the Mint Debian Edition suggestion - I am unfamiliar with Mint, but realize it is a very popular current alternative. Sounds like a good starting point for the OP ... ;-) ...
( ... That's you, Jim .. ;-) ... )
|
Emphasis on Debian because normal Mint is based off of Ubuntu.
Quote:
Originally Posted by jcromano
In order to pass a security questionnaire related to credit card procedures, I have to be able to affirm numerous over-the-top statements. One of them is, verbatim, "All unnecessary functionality has been removed from all systems."
Disabling wifi completely will make some other statements easier to get past.
Running some kind of anti-virus will make some other statements easier to get past.
Configuring a firewall so that the browser can *only* go to https sites would also help. I'll cross that bridge when I get there.
|
Given that you are new to Linux in general you may wish to stage this for some good length of time and test it well before deploying to a merchant or business situation where these concerns arise from. This also is one of the reasons why there is commercial software for point of sale processing. Back in the 70s and 80s in the US all banking and point of sale networks had their forms of personal covenants from accepting changes to their equipment after a certain point, like Halloween or Thanksgiving in preparation for the holiday season. Either case, my point there is that you wish to get it right, well tested, then deploy and not change it much until you've staged your next set of changes. Hence it may be helpful to set up the basics first, by way of having the computer in place, not allowing access types you wish to block, and doing nothing but recording the data, then adding in the capabilities to conduct transactions. Just some thoughts on that.
And I know you didn't say point of sale, you instead said security questionnaire. To me, this still involves access to information related to financial accounts for businesses or people. Same deal, you wish to introduce your new capabilities using caution, whether it be related to investment accounts, credit card accounts, point of sale processing, medical data base information, and so forth.
|
|
|
03-22-2017, 12:42 PM
|
#12
|
LQ Newbie
Registered: Mar 2017
Posts: 5
Original Poster
|
Quote:
Originally Posted by rtmistler
Either case, my point there is that you wish to get it right, well tested, then deploy and not change it much until you've staged your next set of changes.
|
Yes. Caution is the watchword. I do not expect this to be a quick fix. I'm not even sure I'll even become confident enough to even deploy it in our office. But it seems worth investigating, at least. Our office never stores sensitive information electronically, on paper, or in any other way. We communicate it to a secure web site, and they handle everything else. If we can just keep that communication secure, we should be good. And doing so should be possible, I'd think.
Thank you for your thoughts.
|
|
|
03-22-2017, 12:53 PM
|
#13
|
LQ Newbie
Registered: Mar 2017
Posts: 5
Original Poster
|
Quote:
Originally Posted by yancek
|
I'm starting down this path.
I'm at the point where I can select software to install. I notice that "standard system utilities" comes pre-checked. (It is the only item that is checked by default.) I Googled what that set of utilities contains, and I see that telnet is one of those utilities. Having my computer telnet to anything else or having anything else telnet to my computer both sound risky. I think I'll opt out of the standard system utilities. Thoughts?
I notice that openSSH is not checked by default. Does SSH only provide protection for SSH remote logins, or does it somehow protect other types of remote logins (such as telnet)? That is, would not installing SSH make the system more secure (by disallowing one type of remote login) or less secure (by making other types of remote login less safe)?
|
|
|
03-22-2017, 01:08 PM
|
#14
|
Senior Member
Registered: Dec 2014
Location: Montreal, Quebec and Dartmouth, Nova Scotia CANADA
Distribution: Arch, AntiX, ArtiX
Posts: 1,364
|
Quote:
Originally Posted by jcromano
I'm starting down this path.
I notice that openSSH is not checked by default. Does SSH only provide protection for SSH remote logins, or does it somehow protect other types of remote logins (such as telnet)? That is, would not installing SSH make the system more secure (by disallowing one type of remote login) or less secure (by making other types of remote login less safe)?
|
Installing OpenSSH won't automatically make your system either less, or more, secure. That will depend on if, and how, you deploy and configure it. SSH provides a secure method of handling remote access, if properly configured and managed. Best to read up on it (man page, your distro's wiki ... ).
Cheers,
|
|
|
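For the telnet and SSH question in the two posts above, the exposure that counts is which sockets accept traffic on a non-loopback address. This added example (not from the thread) filters `ss -H -tuln` output against an allowlist; the sample output is constructed and the allowlist entry `udp/68` (DHCP client) is an assumption.

```shell
#!/bin/sh
# Added example: list sockets that other hosts on the LAN can reach.
# Input is the output of `ss -H -tuln` (no header, TCP+UDP, listening, numeric).

# Constructed sample, not captured from a real machine.
SAMPLE_SS='udp UNCONN 0 0 0.0.0.0:68 0.0.0.0:*
udp UNCONN 0 0 0.0.0.0:5353 0.0.0.0:*
tcp LISTEN 0 5 127.0.0.1:631 0.0.0.0:*
tcp LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
tcp LISTEN 0 128 [::]:22 [::]:*'

# unexpected_listeners ALLOW...   (each ALLOW is proto/port, e.g. udp/68)
# Prints "proto/port address" for every non-loopback listener not allowed.
unexpected_listeners() {
    awk -v allow="$*" '
    BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    NF >= 5 {
        addr = $5; port = $5
        sub(/:[^:]*$/, "", addr)      # strip ":port" at the last colon, so IPv6 survives
        sub(/.*:/, "", port)          # keep what follows the last colon
        if (addr ~ /^127\./ || addr == "[::1]") next   # loopback only: not reachable
        key = $1 "/" port
        if (!(key in ok)) print key, addr
    }'
}
```

On the machine itself, `ss -H -tuln | unexpected_listeners udp/68` should print nothing once every unneeded service is gone; adding `-p` to `ss` as root names the owning process.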
03-22-2017, 02:51 PM
|
#15
|
Moderator
Registered: Mar 2008
Posts: 22,130
|
Other than setting up a kiosk, I'd think that you could also consider SuseStudio.com to make a one of a kind distro.
I used to like webconverger but I think they have strayed a bit.
|
|
|
All times are GMT -5. The time now is 11:18 PM.