Old 12-18-2016, 04:10 PM   #1
richarddere
LQ Newbie
 
Registered: Dec 2016
Posts: 9

Rep: Reputation: Disabled
4 Important Security Questions ?!?!


Hi!

I tried to search for answers but no luck so far. So I finally decided to ask here.

1- If I block ALL incoming connections, will I be protected against port scanners and DDoS? If not, how? Iptables rules?

2- I want to install Kubuntu minimal using Ubuntu minimal. Is there any risk using Ubuntu minimal? Any security/privacy problem downloading all packages?

3- Is it safe to use "chmod 700 $HOME"?

4- Is it possible to ONLY allow Firefox to use the internet?

Thank you in advance.
 
Old 12-18-2016, 07:11 PM   #2
linux4evr5581
Member
 
Registered: Sep 2016
Location: USA
Posts: 275

Rep: Reputation: Disabled
Blocking all incoming connections is a good start, but a good rule of thumb when configuring firewalls is to first deny everything, then open up only what you need. Then restrict incoming connections to trusted sources only, and block all incoming new connection attempts. Traffic that enters the system goes through the input chain, and it's this one you need to make as tight as possible! Block ICMP/SNMP protocols, and log traffic that you explicitly specified not to allow... Use only IP addresses in the script and not hostnames, to ensure that the firewall still works in case of a DNS failure, and also to prevent DNS spoofing... After your firewall is set up you should verify it's working as intended by scanning yourself, checking logs to make sure what you wanted blocked is getting blocked, and seeing how iptables interpreted your script...
-- Some DDoS mitigation tools that may aid you are fail2ban, pf's rate limit feature, log monitor scripts + dynamic tables, mod_security and mod_evasive..
-- To mitigate port scanning, uninstall all unnecessary services, especially ones that are listening for outside connections (use netstat -tap | grep LISTEN to see such services). The idea here is that if you delete/disable such services then an intruder can't break into a port that's not open, because no server is listening on it.. So the goal is to turn off as many services as possible so only the minimal amount of ports NECESSARY are open... Then allow only 1 special port with key-only ssh, as well as having a restrictive /etc/hosts.xfile(s) (I'm not sure, but if you do this you may need to do stuff like load balancing and advanced routing techniques). Also look into stealthing this port, and hosting your services in a VM so the ports open for those services are not accessible/visible on your physical machine...
-- You can use chroot jails to stop programs from accessing the internet (also useful for making logs easier to read), but know that nothing stops an app from removing itself from a chroot jail. A jail is easily broken because the jail just edits something in the memory of an app's process, and nothing is stopping that process from editing its own memory, then changing back to the root directory, and therefore escaping the chroot jail.

Last edited by linux4evr5581; 12-18-2016 at 07:46 PM.
 
1 members found this post helpful.
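
The default-deny INPUT policy described in post #2, as an added example that is not part of the original post: the function prints an iptables-restore ruleset that accepts new SSH connections only from numeric source addresses and logs whatever is about to hit the DROP policy. Port 22 and the 192.0.2.10 / 198.51.100.0/24 sources are constructed sample values, and the rules cover IPv4 only.

```shell
#!/bin/sh
# Added example, not from the thread. Prints rules; it does not load them.
# Port and source addresses passed at the bottom are constructed sample values.

gen_input_rules() {
    ssh_port=$1
    shift
    # Policy DROP: anything not accepted below is blocked, which covers
    # ICMP, SNMP and every unsolicited new connection attempt.
    printf '%s\n' '*filter' ':INPUT DROP [0:0]' ':FORWARD DROP [0:0]' ':OUTPUT ACCEPT [0:0]'
    printf '%s\n' '-A INPUT -i lo -j ACCEPT'
    # Replies to connections this host opened itself.
    printf '%s\n' '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    for src in "$@"; do
        case $src in
            ''|*[!0-9./]*)
                # Hostnames are refused so the rules never depend on DNS.
                echo "refusing non-numeric source: $src" >&2
                continue ;;
        esac
        printf '%s\n' "-A INPUT -s $src -p tcp --dport $ssh_port -m conntrack --ctstate NEW -j ACCEPT"
    done
    # Rate-limited log of packets that fall through to the DROP policy.
    printf '%s\n' '-A INPUT -m limit --limit 5/min -j LOG --log-prefix "INPUT-DROP: "'
    printf '%s\n' 'COMMIT'
}

# The third argument is a hostname and is skipped with a warning on stderr.
gen_input_rules 22 192.0.2.10 198.51.100.0/24 admin.example.org
```

Pipe the output into `iptables-restore --test` to have it parsed without being committed; after loading it, `iptables -S INPUT` shows how the rules were interpreted.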
Old 12-19-2016, 05:46 AM   #3
Habitual
LQ Veteran
 
Registered: Jan 2011
Location: Abingdon, VA
Distribution: Catalina
Posts: 9,374
Blog Entries: 37

Rep: Reputation: Disabled
Welcome to LQ!
If you have a router?
A firewall program shouldn't be necessary, if you do.
Have a look at Security References here at LQ?

/home on different OSs is set differently
I use Mint17 (based on Ubuntu14) so my /home is 755
Why do you want to change it?
Firefox will only use the internet if firefox is being used.
 
1 members found this post helpful.
Old 12-19-2016, 07:12 AM   #4
273
LQ Addict
 
Registered: Dec 2011
Location: UK
Distribution: Debian Sid AMD64, Raspbian Wheezy, various VMs
Posts: 7,585

Rep: Reputation: 2351
Erm... If you don't know the answer then just use Linux, browse with Firefox, with NoScript if you like, and forget about it.
By the way, no OS allows incoming connections (Windows once did) because it's silly and, anyway, they won't make it past your MODEM/Brouter.
If you really care about security then read the multiple sites and don't just post on a Linux help site.
 
Old 12-19-2016, 08:42 AM   #5
richarddere
LQ Newbie
 
Registered: Dec 2016
Posts: 9

Original Poster
Rep: Reputation: Disabled
linux4evr5581 & Habitual
Thank you! Great answers!

Habitual
I want to change it to prevent my brother from accessing my files in my account using his account. It works, but idk if it can break some config files. Everything is fine so far.

273
Asking here was my last option, in the hope of getting answers to my 4 questions.


Question no. 2 is really important for me too; if someone has an opinion/answer, please help.
 
Old 12-19-2016, 10:20 AM   #6
sundialsvcs
LQ Guru
 
Registered: Feb 2004
Location: SE Tennessee, USA
Distribution: Gentoo, LFS
Posts: 9,078
Blog Entries: 4

Rep: Reputation: 3187
Quote:
Originally Posted by richarddere
1- If I block ALL incoming connections, will I be protected against port scanners and DDoS? If not, how? Iptables rules?

2- I want to install Kubuntu minimal using Ubuntu minimal. Is there any risk using Ubuntu minimal? Any security/privacy problem downloading all packages?

3- Is it safe to use "chmod 700 $HOME"?

4- Is it possible to ONLY allow Firefox to use the internet?

Thank you in advance.
(1) Ordinarily the router which connects you to the Internet contains a firewall which is the first line of defense in limiting inbound connections to only the port-numbers you wish to expose. You should also use a software firewall on your machines. You can't realistically prevent someone from scanning for open ports, but you can ensure that only the ports you wish to expose are available.

(2) I suggest that you should consider which packages you want to use on your machine, given that you can install more at any time. I once, on a whim, "installed everything" ... ... and it was "unbelievably too-much."

(3) That's what I do. Other users don't need to be looking at anything in my home directory.

(4) So far as I am aware, "no."
 
1 members found this post helpful.
Old 12-19-2016, 11:13 AM   #7
richarddere
LQ Newbie
 
Registered: Dec 2016
Posts: 9

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by sundialsvcs
(1) Ordinarily the router which connects you to the Internet contains a firewall which is the first line of defense in limiting inbound connections to only the port-numbers you wish to expose. You should also use a software firewall on your machines. You can't realistically prevent someone from scanning for open ports, but you can ensure that only the ports you wish to expose are available.

(2) I suggest that you should consider which packages you want to use on your machine, given that you can install more at any time. I once, on a whim, "installed everything" ... ... and it was "unbelievably too-much."

(3) That's what I do. Other users don't need to be looking at anything in my home directory.

(4) So far as I am aware, "no."

Thank you sundialsvcs !!

(2) Yes, but if I install Kubuntu minimal I will need to download more than 1000 packages. There's no problem downloading all those packages? Because in a normal installation those packages already come inside an ISO file.

(3) Exactly!
 
Old 12-19-2016, 12:25 PM   #8
lazydog
Senior Member
 
Registered: Dec 2003
Location: The Key Stone State
Distribution: CentOS Sabayon and now Gentoo
Posts: 1,249
Blog Entries: 3

Rep: Reputation: 194
Quote:
Originally Posted by richarddere
Hi!

I tried to search for answers but no luck so far. So I finally decided to ask here.
As good of a place to ask as any other

Quote:
1- If I block ALL incoming connections, will I be protected against port scanners and DDoS? If not, how? Iptables rules?
If you are blocking all ports then you are protected against portscanners as they should not be able to detect anything.

DDoS, on the other hand, you really aren't protected against. If someone knows you are out there and they start a DDoS, then there is really nothing you can do about it on your end. The only way to block DDoS is at your provider's level. People that use this form of attack are not looking to get in but to stop your communications.

Quote:
2- I want to install Kubuntu minimal using Ubuntu minimal. Is there any risk using Ubuntu minimal? Any security/privacy problem downloading all packages?
Not sure I understand here what you are trying to do. Why can you not just simply install kubuntu minimal and be done?

Quote:
3- Is it safe to use "chmod 700 $HOME"?
YES. I do it here on all my machines.

Quote:
4- Is it possible to ONLY allow Firefox to use the internet?
Yes, with a bit of work. Something like THIS
 
1 members found this post helpful.
Old 12-19-2016, 01:07 PM   #9
sundialsvcs
LQ Guru
 
Registered: Feb 2004
Location: SE Tennessee, USA
Distribution: Gentoo, LFS
Posts: 9,078
Blog Entries: 4

Rep: Reputation: 3187
Yeah, just install the option that seems most appropriate for you: there are choices such as "LAMP Server" as well as "Minimal."

Yes, they install a lot of packages. Don't sweat it.

You can always add (or remove) packages later.

Then, you should port-scan your own system, and review the list of running daemons, to be sure that you're running precisely what you intend to run: no more, and no less.
 
1 members found this post helpful.
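
A way to check "no more, and no less" against the listening sockets, as an added example that is not part of the original posts: it reads `netstat -tlnp` output, ignores loopback-only listeners, and compares the rest with the list of TCP ports you intend to expose. The netstat lines and the intended ports 22 and 443 are constructed sample data.

```shell
#!/bin/sh
# Added example, not from the thread.

# Constructed sample of `netstat -tlnp` output.
sample_netstat() {
    cat <<'EOF'
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address     Foreign Address   State    PID/Program name
tcp        0      0 127.0.0.1:631     0.0.0.0:*         LISTEN   812/cupsd
tcp        0      0 0.0.0.0:22        0.0.0.0:*         LISTEN   640/sshd
tcp        0      0 0.0.0.0:3306      0.0.0.0:*         LISTEN   733/mysqld
tcp6       0      0 :::80             :::*              LISTEN   901/apache2
tcp6       0      0 ::1:631           :::*              LISTEN   812/cupsd
EOF
}

# $1: space-separated TCP ports that are meant to be reachable from outside.
# Reads netstat output on stdin; prints UNEXPECTED and MISSING findings.
audit_listeners() {
    awk -v want="$1" '
    BEGIN { n = split(want, w, " "); for (i = 1; i <= n; i++) intended[w[i]] = 1 }
    $6 == "LISTEN" {
        # The port follows the last colon, which also works for IPv6 (:::80).
        m = split($4, part, ":"); port = part[m]
        host = substr($4, 1, length($4) - length(port) - 1)
        if (host ~ /^127\./ || host == "::1") next   # loopback only, not exposed
        seen[port] = 1
        if (!(port in intended)) print "UNEXPECTED", port, host, $7
    }
    END { for (p in intended) if (!(p in seen)) print "MISSING", p }
    ' | sort
}

sample_netstat | audit_listeners "22 443"
```

On a live system, run `netstat -tlnp | audit_listeners "22"` as root so the PID/Program column is filled in for every socket.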
Old 12-20-2016, 06:22 AM   #10
sag47
Senior Member
 
Registered: Sep 2009
Location: Raleigh, NC
Distribution: Kubuntu x64, Raspbian, CentOS
Posts: 1,861
Blog Entries: 36

Rep: Reputation: 459
Quote:
Originally Posted by richarddere
2- I want to install Kubuntu minimal using Ubuntu minimal. Is there any risk using Ubuntu minimal? Any security/privacy problem downloading all packages?
Are you aware that Kubuntu is Ubuntu with the kubuntu-desktop package installed? For all intents and purposes, the two use the same repositories and are the same OS save for the desktop environment being used. If by minimal you mean without a GUI, then they're the same.
 
Old 12-20-2016, 06:42 AM   #11
Keith Hedger
Senior Member
 
Registered: Jun 2010
Location: Wiltshire, UK
Distribution: Linux From Scratch, Slackware64, Partedmagic
Posts: 2,920

Rep: Reputation: 769
If you want to know what you are showing to the world go here:
https://www.grc.com/x/ne.dll?bh0bkyd2
Been using this site for years to check my machines, you can scan a range of ports, common ports, look up what ports do what etc, etc.
 
1 members found this post helpful.
Old 12-20-2016, 11:33 AM   #12
Ellendhel
Member
 
Registered: Aug 2015
Location: Arlington, VA
Distribution: Slackware
Posts: 64

Rep: Reputation: 51
Quote:
Originally Posted by richarddere
4- Is it possible to ONLY allow Firefox to use the internet?
Even if that would be technically feasible, I would recommend not trying to implement this right away. There are various tools used by the system itself that require access to the Internet: NTP (for clock synchronization), DNS (for name resolution), the "tool-provided-by-your-distro" to apply updates and probably others.

In the long run, hardening your system to allow only some specific application to access the Internet is possible, but you will need to review and audit your system for an extended period of time (couple of weeks, maybe a month) to make sure that you haven't forgotten anything.
 
1 members found this post helpful.
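
One way to approach question 4 while keeping the system services named in post #12 working, as an added example that is not from the thread (the link behind "THIS" in post #8 is not preserved on this page): the function prints an iptables-restore OUTPUT ruleset that lets only processes running under one group open new outbound connections, plus DNS and NTP for the rest of the system. The group name `netapps` and the resolver address 192.0.2.53 are hypothetical values, and the browser is assumed to be started with that group as its effective group, for example `sg netapps -c firefox`.

```shell
#!/bin/sh
# Added example, not from the thread. Prints rules; it does not load them.
# "netapps" and 192.0.2.53 are hypothetical/constructed values.

gen_egress_rules() {
    group=$1      # group the allowed application runs under
    resolver=$2   # numeric IP of the DNS resolver (no hostnames)
    printf '%s\n' '*filter' ':OUTPUT DROP [0:0]'
    printf '%s\n' '-A OUTPUT -o lo -j ACCEPT'
    printf '%s\n' '-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    # New connections only from sockets owned by the given group. The owner
    # match checks the process's effective group, not supplementary groups.
    printf '%s\n' "-A OUTPUT -m owner --gid-owner $group -m conntrack --ctstate NEW -j ACCEPT"
    # System-wide services: name resolution and clock synchronization.
    printf '%s\n' "-A OUTPUT -d $resolver -p udp --dport 53 -j ACCEPT"
    printf '%s\n' "-A OUTPUT -d $resolver -p tcp --dport 53 -j ACCEPT"
    printf '%s\n' '-A OUTPUT -p udp --dport 123 -j ACCEPT'
    # Log blocked traffic with the sending UID: during the audit period this
    # shows which other tools (e.g. the updater) still need a rule of their own.
    printf '%s\n' '-A OUTPUT -m limit --limit 5/min -j LOG --log-prefix "OUTPUT-DROP: " --log-uid'
    printf '%s\n' 'COMMIT'
}

gen_egress_rules netapps 192.0.2.53
```

Loading the output with `iptables-restore --noflush` adds it to the rules already in the filter table instead of replacing them.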
Old 12-21-2016, 11:22 AM   #13
richarddere
LQ Newbie
 
Registered: Dec 2016
Posts: 9

Original Poster
Rep: Reputation: Disabled
Thank you everyone for taking the time to address my concerns.
 
  

