Linux - Security
This forum is for all security-related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
I tried to search for answers but no luck so far. So I finally decided to ask here.
1º- If I block ALL incoming connections, will I be protected against port scanners and DDoS? If not, how? Iptables rules?
2º- I want to install Kubuntu minimal using Ubuntu minimal. Is there any risk in using Ubuntu minimal? Any security/privacy problem downloading all packages?
3º- Is it safe to use "chmod 700 $HOME"?
4º- Is it possible to ONLY allow Firefox to use the internet?
Blocking all incoming connections is a good start, but a good rule of thumb when configuring firewalls is to first deny everything, then open up only what you need. Then restrict incoming connections to trusted sources only, and block all incoming new connection attempts. Traffic that enters the system goes through the input chain, and it's this one you need to make as tight as possible! Block ICMP/SNMP protocols, and log traffic that you explicitly specified not to allow... Use only IP addresses in the script and not hostnames, to ensure that the firewall still works in case of a DNS failure, and also to prevent DNS spoofing... After your firewall is set up you should verify it's working as intended by scanning yourself, checking logs to make sure what you wanted blocked is getting blocked, and seeing how iptables interpreted your script...
-- Some DDoS mitigation tools that may aid you are fail2ban, pf's rate limit feature, log monitor scripts + dynamic tables, mod_security and mod_evasive.
-- To mitigate port scanning, uninstall all unnecessary services, especially ones that are listening for outside connections (use netstat -tap | grep LISTEN to see such services). The idea here is that if you delete/disable such services then an intruder can't break into a port that's not open, because no server is listening on it. So the goal is to turn off as many services as possible so only the minimal number of ports NECESSARY are open... Then allow only 1 special port with key-only ssh, as well as having a restrictive /etc/hosts.xfile(s) (I'm not sure, but if you do this you may need to do stuff like load balancing and advanced routing techniques). Also look into stealthing this port, and hosting your services in a VM so the ports open for those services are not accessible/visible on your physical machine...
-- You can use chroot jails to stop programs from accessing the internet (also useful for making logs easier to read), but know that nothing stops an app from removing itself from a chroot jail. A jail is easily broken because the jail just edits something in the memory of an app's process, and nothing is stopping that process from editing its own memory, then changing back to the root directory, and therefore escaping the chroot jail.
Last edited by linux4evr5581; 12-18-2016 at 07:46 PM.
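The default-deny approach in the reply above (drop everything inbound, allow one service from a trusted source given as an IP address, log the rest), as an added example that is not part of the original post. The address 192.0.2.10 and port 22 are constructed sample values, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: emit a default-deny INPUT ruleset in iptables-restore format.
# 192.0.2.10 and port 22 are constructed sample values, not from the thread.

# Succeed only for a dotted-quad IPv4 literal, optionally with a /prefix.
# Hostnames are rejected so the ruleset never depends on DNS at load time.
is_ipv4() {
    printf '%s\n' "$1" | awk -F'[./]' '
        !/^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+(\/[0-9]+)?$/ { exit 1 }
        { for (i = 1; i <= 4; i++) if ($i > 255) exit 1
          if (NF == 5 && $5 > 32) exit 1 }'
}

# gen_ruleset <trusted_source_ip> <tcp_port>
gen_ruleset() {
    src=$1 port=$2
    is_ipv4 "$src" || { echo "refusing non-IP source: $src" >&2; return 1; }
    case $port in ''|*[!0-9]*) echo "bad port: $port" >&2; return 1 ;; esac
    if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
        echo "bad port: $port" >&2; return 1
    fi
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -s $src -p tcp --dport $port -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "INPUT-DROP: "
COMMIT
EOF
}

# Print the sample ruleset. To use it for real, as root:
#   gen_ruleset 192.0.2.10 22 > rules.v4
#   iptables-restore --test < rules.v4   # parse only, nothing is committed
#   iptables-restore < rules.v4 && iptables -S   # load, then review the result
gen_ruleset 192.0.2.10 22
```

Anything that reaches the end of the INPUT chain is logged (rate limited) and then dropped by the chain policy.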
Welcome to LQ!
If you have a router?
A firewall program shouldn't be necessary, if you do.
Have a look at Security References here at LQ?
/home on different OSs is set differently
I use Mint17 (based on Ubuntu14) so my /home is 755
Why do you want to change it?
Firefox will only use the internet if firefox is being used.
Erm... If you don't know the answer then just use Linux, browse with Firefox, with NoScript if you like, and forget about it.
By the way, no OS allows incoming connections (Windows once did) because it's silly and, anyway, they won't make it past your MODEM/Brouter.
If you really care about security then read the multiple sites and don't just post on a Linux help site.
linux4evr5581 & Habitual
Thank you! Great answers!
Habitual
I want to change it to prevent my brother from accessing my files in my account using his account. It works, but I don't know if it can break some config files. Everything is fine so far.
273
Asking here was my last option, in the hope of getting answers to my 4 questions.
Question nº2 is really important for me too; if someone has an opinion/answer, please help.
1º- If I block ALL incoming connections, will I be protected against port scanners and DDoS? If not, how? Iptables rules?
2º- I want to install Kubuntu minimal using Ubuntu minimal. Is there any risk in using Ubuntu minimal? Any security/privacy problem downloading all packages?
3º- Is it safe to use "chmod 700 $HOME"?
4º- Is it possible to ONLY allow Firefox to use the internet?
Thank you in advance.
(1) Ordinarily the router which connects you to the Internet contains a firewall which is the first line of defense in limiting inbound connections to only the port-numbers you wish to expose. You should also use a software firewall on your machines. You can't realistically prevent someone from scanning for open ports, but you can ensure that only the ports you wish to expose are available.
(2) I suggest that you should consider which packages you want to use on your machine, given that you can install more at any time. I once, on a whim, "installed everything" ... ... and it was "unbelievably too-much."
(3) That's what I do. Other users don't need to be looking at anything in my home directory.
(4) So far as I am aware, "no."
Thank you sundialsvcs !!
(2) Yes, but if I install Kubuntu minimal I will need to download more than 1000 packages. There's no problem downloading all those packages? Because in a normal installation those packages already come inside an ISO file.
I tried to search for answers but no luck so far. So I finally decided to ask here.
As good of a place to ask as any other
Quote:
1º- If I block ALL incoming connections, will I be protected against port scanners and DDoS? If not, how? Iptables rules?
If you are blocking all ports then you are protected against port scanners, as they should not be able to detect anything.
DDoS, on the other hand, you really aren't protected against. If someone knows you are out there and they start a DDoS then there is really nothing you can do about it on your end. The only way to block DDoS is at your provider's level. People that use this form of attack are not looking to get in but to stop your communications.
Quote:
2º- I want to install Kubuntu minimal using Ubuntu minimal. Is there any risk in using Ubuntu minimal? Any security/privacy problem downloading all packages?
Not sure I understand here what you are trying to do. Why can you not just simply install kubuntu minimal and be done?
Quote:
3º- Is it safe to use "chmod 700 $HOME"?
YES. I do it here on all my machines.
Quote:
4º- Is it possible to ONLY allow Firefox to use the internet?
Yeah, just install the option that seems most appropriate for you: there are choices such as "LAMP Server" as well as "Minimal."
Yes, they install a lot of packages. Don't sweat it.
You can always add (or remove) packages later.
Then, you should port-scan your own system, and review the list of running daemons, to be sure that you're running precisely what you intend to run: no more, and no less.
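One way to do the "review what is listening" step from the replies above, as an added example that is not part of the original posts. It assumes the `ss` tool from iproute2 (`ss -tlnH`) in place of the `netstat` command quoted earlier; the sample output and the allowlist of port 22 are constructed, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: flag TCP listeners reachable from other hosts that are not on
# an allowlist of ports you intend to expose. Reads `ss -tlnH` output on stdin.

# Print "port address" for every listener that is not bound to loopback only.
exposed_listeners() {
    awk '$1 == "LISTEN" {
        addr = $4; port = $4
        sub(/.*:/, "", port)       # text after the last colon is the port
        sub(/:[^:]*$/, "", addr)   # what precedes it is the bind address
        if (addr ~ /^127\./ || addr == "[::1]") next   # loopback only
        print port, addr
    }' | LC_ALL=C sort -k1,1n -k2,2 -u
}

# Print exposed listeners whose port is not in the allowlist ($1, space
# separated). Exit status is 1 when at least one such listener is found.
unexpected_listeners() {
    exposed_listeners | awk -v allow="$1" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        !($1 in ok) { print; bad = 1 }
        END { exit bad + 0 }'
}

# Constructed sample of `ss -tlnH` output (not taken from the thread).
SAMPLE='LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 5 127.0.0.1:631 0.0.0.0:*
LISTEN 0 4096 127.0.0.53%lo:53 0.0.0.0:*
LISTEN 0 128 [::]:22 [::]:*
LISTEN 0 5 [::1]:631 [::]:*
LISTEN 0 511 *:80 *:*'

# Only SSH (22) is meant to be exposed in this sample, so port 80 is reported.
printf '%s\n' "$SAMPLE" | unexpected_listeners "22" || true
# On a live system: ss -tlnH | unexpected_listeners "22"
```

Listeners bound to 127.0.0.0/8 or ::1 are skipped because other hosts cannot reach them; everything else is compared against the ports you meant to open.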
2º- I want to install Kubuntu minimal using Ubuntu minimal. Is there any risk in using Ubuntu minimal? Any security/privacy problem downloading all packages?
Are you aware that Kubuntu is Ubuntu with the kubuntu-desktop package installed? For all intents and purposes, the two use the same repositories and are the same OS save for the desktop environment being used. If by minimal you mean without a GUI, then they're the same.
If you want to know what you are showing to the world go here: https://www.grc.com/x/ne.dll?bh0bkyd2
Been using this site for years to check my machines, you can scan a range of ports, common ports, look up what ports do what etc, etc.
4º- Is it possible to ONLY allow Firefox to use the internet?
Even if that were technically feasible, I would recommend not trying to implement this right away. There are various tools used by the system itself that require access to the Internet: NTP (for clock synchronization), DNS (for name resolution), the "tool-provided-by-your-distro" to apply updates, and probably others.
In the long run, hardening your system to allow only some specific application to access the Internet is possible, but you will need to review and audit your system for an extended period of time (a couple of weeks, maybe a month) to make sure that you haven't forgotten anything.