LinuxQuestions.org


mazerunner 12-07-2017 02:48 PM

Any advice on how to secure my system?
 
Hi,
I recently moved from Windows 10 to Linux Mint 18.3 "Sylvia" - Cinnamon (64-bit).

The first thing I always did with Windows, after a clean installation, was to install an antivirus program and a firewall.

I understand that Linux is way less vulnerable to malware and other threats, but nothing, of course, is impenetrable.

I would like, therefore, to ask for your advice. Should I install some antivirus? Should I set up the Linux firewall some specific way? Are there other steps I should take in order to maximize security? What is your approach when it comes to security?

thanks

_roman_ 12-07-2017 03:22 PM

Focus on the user in question. Even Windows XP is safe when the user is not stupid.

Focus on your web browser.

I put certain hosts in a blacklist. I use certain browser plugins.

Firewall up to you.

I had some Windows noobs give me an external drive with a virus on it; as it is a Windows binary, it will not run, except if you use it with DOSBox or a Wine layer. I did not even notice that it was there.

Most of the scams and badware usually happen because the user does something stupid: opening attachments, entering passwords on fishy sites and such.

I think I disabled most of the stuff guys could do from the outside. There are a lot of /etc config files; do not install stuff you do not need, disable functionality. That is the benefit of Gentoo, as the user has to set up everything, rather than getting premade stuff like the binary distros do.

Even my provider asked me once to give him access via TeamViewer. I refused and asked him if he is stupid. Who would give someone else access to his box? Recently there was a security issue with TeamViewer. Admins are too stupid to explain to a tech guy what they want to do; they believe they always know better than the user. Never ever trust someone who says he needs TeamViewer to do something!

As said, focus on the user in question, what he does.

--

Security even starts at the drive level.

I have a software-encrypted drive. When I sell the drive, I just have to wipe some small headers and all is gone. Also a bonus when the drive goes bad: your data is "kinda" fake protected, as any encryption usually has NSA backdoors, even the Linux ones.

A NOT encrypted box is very bad, as anyone could tamper with it when you are away.

jefro 12-07-2017 06:53 PM

Security is a collection of best practices. The more you learn and use the more secure your system will be.

Areas of concern are Linux settings like running with least privilege, running the least software, and using trusted sources. Enable https://en.wikipedia.org/wiki/Linux_Security_Modules. Keep the system up to date. Some folks can run a form of AV too.

Firewall as much as you can. Consider an upstream UTM distro or use a vm of some distro on a working system.

There are many good web pages and each one has some good ideas.

They also make secure distros.

There is no perfect solution. Just steps to get close to it.

sundialsvcs 12-08-2017 07:37 AM

I suggest that you promptly remove the "anti-virus" software from every machine and never install such a thing again. :tisk:

jsbjsb001 12-08-2017 09:45 AM

First I would have to echo post #3.

To be able to properly answer your question, you would have to consider the environment and the risks associated with such an environment.

You should always be (as post #3 says) operating on the principle of least privilege.

As an example of my situation:

I always operate under the principle of least privilege: I have both a normal user account (unprivileged account) and the root user account, which I only ever use if I actually need to do something that requires administrative privileges.

You have to remember that, short of something like privilege escalation, the "virus" is still a program, the same as any other program, and more to the point still has the same privileges as the user account it is being run under.

I do sometimes use Windows machines and have some files that have been modified in some way from Windows. Therefore I do have some antivirus software installed on my machine.

All of that said, a LOT comes down to the person sitting behind the keyboard. As in: the OS vendor (of any system) can put in all the security measures in the world, but they CAN'T:
  • Make you actually use the available security.
  • Stop you from going to dodgy websites.
  • Stop you from committing risky acts.
  • Puppy-walk you through why you should take whatever security measures are relevant to your situation.
  • In a nutshell... save you from yourself!

You need to take security matters into your own hands and consider what risks apply to your particular situation.

Wish you all the best...

luizlmarins 12-09-2017 07:11 AM

Use only the "main" repository, because "contrib" and "non-free" don't have security verification, according to the Debian FAQ.
The same is valid for other distributions.

mazerunner 12-09-2017 01:59 PM

I agree that above all, security is based on knowledge and good practices. It's funny how most people will install anything by just pressing Next > Next > Next, officially allowing spyware to be installed on their machines.

I think I should study more to see the best way to set up a good firewall. And I might use a second under-privileged account for everyday use. If I remember correctly, I checked the box for an encrypted /home, during installation.

As for the rest, what happens when you want to visit aggressive websites like ones that offer torrents, porn etc?

geppy 12-09-2017 04:10 PM

!! LINUX IS NOT SETUP BY DEFAULT TO BE SAFER THAN WINDOWS !!

I heard a long time ago that Ubuntu-based kernels are compiled in such a way that these kernels are waiting to be hacked. Can't comment on that.

Do not download any files that you can't verify through PGP, such as Firefox add-ons or BIOS updates or device drivers from the manufacturer's website, because they never have any verification.
Use DVD-R to burn ISO images that you download. An attacker, after modifying your BIOS or under different circumstances, won't be able to re-write it, unlike USB or CD-RW or DVD-RW (I went through this and everything in this post).

Simply because Fedora (and only it) uses the Wayland GUI (server) by default, you need to switch to Fedora. XOrg (GUI server) allows an attacker to modify any files that you have access to. If you can read/write through a file browser, an attacker through Firefox can do the same. XOrg is something that was/still is before Wayland.
If you continue with Ubuntu and Linux Mint then it is mandatory to run XPRA and SSH together, best on another TTY for each GUI app; it's a very long learning curve.

When you want to make updates to your system, you need to switch to another TTY. A GUI such as XOrg never provides isolation that prevents an attacker from capturing any text you type (such as the root password).
To switch to another TTY you generally press Ctrl-Alt-F4, F3, F2 or F5. You type the root username && password && "apt-get dist-upgrade" or "dnf upgrade" and you are DONE. Easy.

All mainstream web browsers use XOrg; in Wayland it's called XWayland. Meaning the attacker can still mess with files that Firefox has access to. But the attacker cannot mess with the files that you can access through any local file browser (which doesn't use the XWayland component); that's what the Wayland devs claim.

I recommend Google Chromium (still uses XOrg = XWayland in Fedora):
1) it uses advanced linux specific protections.
2) you can disable javascript from gui without addons
3) you can set /proc/sys/net/netfilter/nf_conntrack_tcp_timeout_established=5
3a) you can set /proc/sys/net/ipv4/tcp_keepalive_time=5
3b) you can set /proc/sys/net/ipv4/tcp_keepalive_probes=0
3c) you can set net.netfilter.nf_conntrack_tcp_loose=0
3d) and your WEB will still work smoothly.
4) you don't need to download add-ons to disable JavaScript. Add-ons always use weaker security checks than installing a web browser from a hard-coded repository.

Some time ago Linux introduced "namespaces": you can have one separate firewall for Firefox, one for the email program, one for updates and one for the rest of the system. These namespaces are the only way now to get reasonable WEB performance without being easily hacked.

You must start using raw and mangle tables.

Your first iptables (firewall) rules MUST BE:
iptables -F
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP

That is, you are DONE with the filter table! - because there are the raw and mangle tables.
The iptables rules above are a shortcut for these:

iptables -t filter -F
iptables -t filter -P INPUT ACCEPT
iptables -t filter -P OUTPUT ACCEPT
iptables -t filter -P FORWARD DROP


I might type another post later

sundialsvcs 12-09-2017 06:41 PM

The single most-important security principle, to me, is the Principle of Least Privilege.

In other words, only one user on your system should be capable of walking into a phone-booth and walking out again in blue tights! :tisk:

Oddly enough, in Windows and in OS/X and in Linux, this is not the default. The very first user that is set up on your machine should be an "administrator" (by any other name ...), and every other user should be "just an ordinary Joe or Jane," able to manipulate "their own" files, in "their own" home directory, and no one else's.

And then, go ahead and set up multiple such accounts. For example, if you run a small business and therefore have to do accounting, set up an "accounting" user-id, put all the accounting files in that user's home, and secure (chown) those files and directories so that no other user can see or touch them. And so on.

Finally, backups. Your computer should be backing itself up all the time, all day long, to an external disk drive that is secured so that only the backup-daemon can use it. ("Once a day" backups are not nearly good enough.)

A fairly-recent article on backup software ...

geppy 12-10-2017 02:44 AM

How to enable the corresponding Linux net namespace that allows you to use a different firewall for each app: add a repository that contains the Firejail sandbox
and install Firejail. (Ubuntu, Linux Mint and Debian have firejail in their default repositories.)

Code:

firejail --force --net=enp3s0 --ip=192.168.1.60 --dns=192.168.1.70 --netfilter=/etc/ip.rules --name=nado --noprofile chromium-browser
In this firejail example we disable all additional protection that firejail offers and use the iptables rules defined in /etc/ip.rules.
Chromium will be using the 192.168.1.60 IP address while the rest of the system may be using 192.168.1.4, for example, or anything else.


Basic general iptables rules for your linux pc:
Code:

iptables -t raw -F
iptables -t raw -P PREROUTING DROP
iptables -t raw -P OUTPUT DROP

But this implies that you need completely different rules for Firefox/Chrome (fed using firejail).
The current example doesn't allow any DNS; you'll have to put some hostnames and IPs into /etc/hosts.
You don't need to worry about any additional port scans, because the current example handles them all.
Code:

iptables -t raw -A PREROUTING -s YOUR_WAN_IP -j DROP
iptables -t raw -A PREROUTING -s 192.168.0.0/16 -j DROP
iptables -t raw -A PREROUTING -s 224.0.0.0/3 -j DROP
iptables -t raw -A PREROUTING -s 127.0.0.0/8 -j DROP
iptables -t raw -A PREROUTING -s 169.254.0.0/16 -j DROP
iptables -t raw -A PREROUTING -s 10.0.0.0/8 -j DROP
iptables -t raw -A PREROUTING -s 0.0.0.0/8 -j DROP
iptables -t raw -A PREROUTING -s 240.0.0.0/5 -j DROP
iptables -t raw -A PREROUTING ! -d YOUR_LOCAL_IP -j DROP  #like 192.168.1.60
iptables -t raw -A PREROUTING -p igmp -j DROP
iptables -t raw -A PREROUTING -i lo -j DROP
iptables -t raw -A PREROUTING ! -p tcp -j DROP
iptables -t raw -A PREROUTING  -p tcp -m multiport --sports 80,465,993,443 --tcp-flags FIN,SYN,RST,PSH,ACK,URG SYN,ACK -j ACCEPT
iptables -t raw -A PREROUTING  -p tcp -m multiport --sports 80,465,993,443 --tcp-flags FIN,SYN,RST,PSH,ACK,URG PSH,ACK -j ACCEPT
iptables -t raw -A PREROUTING  -p tcp -m multiport --sports 80,465,993,443 --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,ACK -j ACCEPT
iptables -t raw -A PREROUTING  -p tcp -m multiport --sports 80,465,993,443 --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,ACK -j ACCEPT
iptables -t raw -A PREROUTING  -p tcp -m multiport --sports 80,465,993,443 --tcp-flags FIN,SYN,RST,PSH,ACK,URG ACK -j ACCEPT
iptables -t raw -A PREROUTING -j DROP

iptables -t raw -A OUTPUT -d YOUR_WAN_IP -j DROP
iptables -t raw -A OUTPUT -m owner ! --uid-owner 1000 -j DROP        # your default user id
iptables -t raw -A OUTPUT -d 192.168.0.0/16 -j DROP
iptables -t raw -A OUTPUT -d 224.0.0.0/3 -j DROP
iptables -t raw -A OUTPUT -d 127.0.0.0/8 -j DROP
iptables -t raw -A OUTPUT -d 169.254.0.0/16 -j DROP
iptables -t raw -A OUTPUT -d 10.0.0.0/8 -j DROP
iptables -t raw -A OUTPUT -d 0.0.0.0/8 -j DROP
iptables -t raw -A OUTPUT -d 240.0.0.0/5 -j DROP
iptables -t raw -A OUTPUT -o lo -j DROP
iptables -t raw -A OUTPUT ! -p tcp -j DROP
iptables -t raw -A OUTPUT -p tcp -m owner --uid-owner 1000 -m multiport --dports 80,465,993,443 -j MARK --set-xmark 0x30
iptables -t raw -A OUTPUT -p tcp -m mark --mark 0x30 --tcp-flags FIN,SYN,RST,PSH,ACK,URG SYN -j ACCEPT
iptables -t raw -A OUTPUT -p tcp -m mark --mark 0x30 --tcp-flags FIN,SYN,RST,PSH,ACK,URG ACK -j ACCEPT
iptables -t raw -A OUTPUT -p tcp -m mark --mark 0x30 --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,ACK -j ACCEPT
iptables -t raw -A OUTPUT -p tcp -m mark --mark 0x30 --tcp-flags FIN,SYN,RST,PSH,ACK,URG PSH,ACK -j ACCEPT
iptables -t raw -A OUTPUT -p tcp -m mark --mark 0x30 --tcp-flags FIN,SYN,RST,PSH,ACK,URG PSH,ACK,FIN -j ACCEPT
iptables -t raw -A OUTPUT -m mark --mark 0x30 -j DROP
iptables -t raw -A OUTPUT -j DROP

There is also the mangle table to deal with; it's very easy actually, this is where -m conntrack --ctstate ESTABLISHED comes in.
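As an added illustration (not geppy's code or part of the post): a small Python model that walks the raw PREROUTING and OUTPUT rule sets above in order and returns the verdict for a constructed packet, which is a cheap way to check what a policy like this really admits before loading it on a live box. The WAN address, the remote hosts and the user id are placeholders, and the model ignores conntrack state since the raw table is evaluated before connection tracking.

```python
import ipaddress

# Constructed model of the raw-table rules in the post. LOCAL_IP is the sandbox
# address from the post; WAN_IP and the remote hosts in the tests are placeholders.
LOCAL_IP = "192.168.1.60"
WAN_IP = "203.0.113.5"            # placeholder for YOUR_WAN_IP
USER_UID = 1000                   # the "default user id" from the post
SERVER_PORTS = {80, 465, 993, 443}
DROP_NETS = [ipaddress.ip_network(n) for n in (
    "192.168.0.0/16", "224.0.0.0/3", "127.0.0.0/8", "169.254.0.0/16",
    "10.0.0.0/8", "0.0.0.0/8", "240.0.0.0/5")]
# --tcp-flags FIN,SYN,RST,PSH,ACK,URG <set> examines the whole mask, so the
# packet's flag set must equal one of these combinations exactly.
IN_FLAGS = {frozenset(f) for f in (("SYN", "ACK"), ("PSH", "ACK"),
            ("FIN", "PSH", "ACK"), ("FIN", "ACK"), ("ACK",))}
OUT_FLAGS = {frozenset(f) for f in (("SYN",), ("ACK",), ("FIN", "ACK"),
             ("PSH", "ACK"), ("PSH", "ACK", "FIN"))}


def _in_drop_nets(ip):
    return any(ipaddress.ip_address(ip) in net for net in DROP_NETS)


def prerouting(src, dst, proto, port=None, flags=(), iface="enp3s0"):
    """Walk raw PREROUTING top to bottom; the first matching rule decides."""
    if src == WAN_IP or _in_drop_nets(src):
        return "DROP"
    if dst != LOCAL_IP or iface == "lo" or proto != "tcp":
        return "DROP"                 # the igmp rule is covered by '! -p tcp'
    if port in SERVER_PORTS and frozenset(flags) in IN_FLAGS:
        return "ACCEPT"               # reply segments from the allowed ports
    return "DROP"                     # final catch-all rule


def output(dst, proto, port=None, flags=(), uid=USER_UID, iface="enp3s0"):
    """Walk raw OUTPUT; the MARK rule only tags a packet, it never accepts it."""
    if dst == WAN_IP or uid != USER_UID or _in_drop_nets(dst):
        return "DROP"
    if iface == "lo" or proto != "tcp":
        return "DROP"
    marked = port in SERVER_PORTS     # -j MARK --set-xmark 0x30
    if marked and frozenset(flags) in OUT_FLAGS:
        return "ACCEPT"
    return "DROP"                     # '-m mark --mark 0x30 -j DROP' or catch-all


if __name__ == "__main__":
    print(prerouting("93.184.216.34", LOCAL_IP, "tcp", 443, ("SYN", "ACK")))
    print(prerouting("198.51.100.7", LOCAL_IP, "tcp", 40000, ("SYN",)))
    print(prerouting("192.168.1.70", LOCAL_IP, "udp", 53))
```

Walking the rules this way makes two consequences visible: inbound RST segments from the allowed server ports are dropped, and no UDP passes in either direction, which is why the post says DNS has to come from /etc/hosts.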

