LinuxQuestions.org
Latest LQ Deal: Linux Power User Bundle
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices


Reply
  Search this Thread
Old 12-07-2017, 03:48 PM   #1
mazerunner
Member
 
Registered: Nov 2017
Posts: 52

Rep: Reputation: Disabled
Question Any advice on how to secure my system?


Hi,
I recently moved from Windows 10 to Linux Mint 18.3 "Sylvia" - Cinnamon (64-bit).

The first thing I always did with Windows, after a clean installation, was to install an antivirus program and a firewall.

I understand that Linux is way less vulnerable to malware and other threats, but nothing, of course, is impenetrable.

I would like, therefore, to ask for your advice. Should I install some antivirus? Should I set up the Linux firewall some specific way? Are there other steps I should take in order to maximize security? What is your approach when it comes to security?

thanks
 
Old 12-07-2017, 04:22 PM   #2
_roman_
Member
 
Registered: Dec 2017
Location: _Austro_Bavaria_
Distribution: SLACKWARE 96, SUSE 6.2, REDHAT, Gentoo, ARCH-Linux, PC-LINUXOS, Linux-Mint, OpenSuse, REDFLAG, TURBO
Posts: 41

Rep: Reputation: Disabled
Focus on the user in question. Even Windows XP is safe when the user is not stupid.

Focus on your webbrowser.

I put certain hosts in a blacklist. I use certain browser plugins

Firewall up to you.

I had some windows noobs giving me some external drive with virus on it, as it is a windows binary it will not run. Except you may use with dosbox or wine layer. I did not even recognize it, that it was there.

Most of the scams, badware, usually happens because the user does something stupid. Opening adachments, entering passwords on fishy sites and such.

I think I disabled most of the stuff guys could do from the outside. /etc config files are a lot, do not install stuff you do not need, disable functionality. There is the benefit with gentoo, as the user has to setup anything, and not premade stuff like the binary distro do.

even my provider asked me once to give him access via teamviewer. I refused and asked him if he is stupid. who will give someone else access to his box. Recently there was a security issue with teamviewer. Admins are too stupid to explain to a techguy what they want to do, they believe they know always better as the user. never ever trust someone who says, he needs teamviewer to do something!

as said focus on the user in question, what he does.

--

security even starts at the drive level.

I have software encrypted drive. When i sell the drive, I have just to wipe some small headers and all is gone. Also a bonus when the drive goes bad, your data is "kinda" fake protected, as any encryption has usually nsa backdoors, even the linux ones.

a NOT Encrypted box is very bad, as anyone could temper with it, when you are away.

Last edited by _roman_; 12-07-2017 at 04:25 PM.
 
1 members found this post helpful.
Old 12-07-2017, 07:53 PM   #3
jefro
Moderator
 
Registered: Mar 2008
Posts: 17,178

Rep: Reputation: 2562Reputation: 2562Reputation: 2562Reputation: 2562Reputation: 2562Reputation: 2562Reputation: 2562Reputation: 2562Reputation: 2562Reputation: 2562Reputation: 2562
Security is a collection of best practices. The more you learn and use the more secure your system will be.

Areas of issue are linux settings like running as least privilege. Using the least running of software, using trusted sources. Enable https://en.wikipedia.org/wiki/Linux_Security_Modules. Keep system up to date. Some folks can run a form of AV too.

Firewall as much as you can. Consider an upstream UTM distro or use a vm of some distro on a working system.

There are many good web pages and each one has some good ideas.

They also make secure distro's.

There is no perfect solution. Just steps to get close to it.
 
1 members found this post helpful.
Old 12-08-2017, 08:37 AM   #4
sundialsvcs
LQ Guru
 
Registered: Feb 2004
Location: SE Tennessee, USA
Distribution: Gentoo, LFS
Posts: 8,691
Blog Entries: 4

Rep: Reputation: 3026Reputation: 3026Reputation: 3026Reputation: 3026Reputation: 3026Reputation: 3026Reputation: 3026Reputation: 3026Reputation: 3026Reputation: 3026Reputation: 3026
I suggest that you promptly remove the "anti-virus" software from every machine and never install such a thing again.
 
Old 12-08-2017, 10:45 AM   #5
jsbjsb001
Member
 
Registered: Mar 2009
Location: hopefully somewhere on earth? ;)
Distribution: Whatever Linux distro that suits my needs!
Posts: 752

Rep: Reputation: 414Reputation: 414Reputation: 414Reputation: 414Reputation: 414
First I would have to echo post #3.

To be able to properly answer your question, you would have to consider the environment and the risks assocated with such an environment.

You should always be (as post #3 says) operating on the principal of least privilege.

As an example of my situation:

I always operate under the principal of least privilege, I have both a normal user account (unprivileged account) and the root user account that I only ever use if, I actually need to do something that requires administrative privileges.

You have to remember that short of something like privilege escalation, the "virus" is still a program the same as any other program is a program and more to the point still has the same privileges as the user account it is being run under.

I do sometimes use Windows machines and have some files that have been modified in some way from Windows. Therefore I do have some antivirus software installed on my machine.

All of that said, a LOT comes down to the person sitting behind the keyboard. As in: the OS vendor (any system) can put in all of the security measures in the world, but they CAN'T:
  • Make you actually use the available security.
  • Stop you from going the dodgy websites.
  • Stop you from committing risky acts.
  • Puppy-walk you though why you should take whatever relevant security measures are relevant to your situation.
  • In a nutshell... save you from yourself!

You need to take security matters into your own hands and consider what risks apply to your particular situation.

Wish you all the best...
 
Old 12-09-2017, 08:11 AM   #6
luizlmarins
LQ Newbie
 
Registered: Nov 2012
Location: São Paulo
Distribution: Devuan
Posts: 2

Rep: Reputation: Disabled
Use only "main" repository because "contrib" and "non-free" haven't security verification, according Debian (FAQ).
The same it is valid to others distributions.
 
Old 12-09-2017, 02:59 PM   #7
mazerunner
Member
 
Registered: Nov 2017
Posts: 52

Original Poster
Rep: Reputation: Disabled
I agree that above all, security is based on knowledge and good practices. It's funny how most people will install anything by just pressing Next > Next > Next, officially allowing spyware to be installed on their machines.

I think I should study more to see the best way to set up a good firewall. And I might use a second under-privileged account for everyday use. If I remember correctly, I checked the box for an encrypted /home, during installation.

As for the rest, what happens when you want to visit aggressive websites like ones that offer torrents, porn etc?
 
Old 12-09-2017, 05:10 PM   #8
geppy
LQ Newbie
 
Registered: Dec 2017
Posts: 2

Rep: Reputation: Disabled
!! LINUX IS NOT SETUP BY DEFAULT TO BE SAFER THAN WINDOWS !!

I heard long time ago that ubuntu based kernels are compiled in a such ways that these kernels are waiting to be hacked. Can't comment on that.

Do not download any files that you can't verify thru PGP. Such as firefox addons or BIOS updates or device drivers from manufacture website because they never have any verification.
Use DVD-R to burn ISO images that you download. Attacker after modifying your BIOS or under different circumstances wont be able to re-write it, unlike USB or CD-RW or DVD-RW (I went thru this and everything in this post).

Simply because Fedora(and only it) uses Wayland GUI(server) by default - you need to switch to Fedora. XOrg (GUI=server) allows attaker to modify any files that you have access to. If you can read/write thru FileBrowser - attacker thru Firefox can do the same. XOrg is something that was/still-is before Wayland.
If you continue with ubuntu and linux mint then is is mandatory to run XPRA and SSH together. Best on another TTY for each gui app - its a very long learing curve.

When you want to make updates to your system - your need to switch to another tty. GUI such as XOrg never provide isolation that prevent attacker to capture any text you type (such as root password).
To switch to another tty you generaly press Ctl-Alt-F4 F3 F2 F5. Your type root username && passwd && "apt-get dist-upgrade" or "dnf upgrade" and you are DONE. Easy.

All mainstream web browsers use XOrg - in wayland its called XWayland. Meaning the attacker can still mess with files that firefox has access to. But the attacker cannot mess with the files that you can access thru any local FileBrowser (which doesn't use XWayland component) - thats what Wayland devs claim.

I recommend Google Chromium (still uses XOrg = XWayland in Fedora):
1) it uses advanced linux specific protections.
2) you can disable javascript from gui without addons
3) you can set /proc/sys/net/netfilter/nf_conntrack_tcp_timeout_established=5
3a) you can set /proc/sys/net/ipv4/tcp_keepalive_time=5
3b) you can set /proc/sys/net/ipv4/tcp_keepalive_probes=0
3c) you can set net.netfilter.nf_conntrack_tcp_loose=0
3d) and your WEB will still works smoothly.
4) you don't need to download addons to disable JavaScript. Addons always use weaker security checks than installing web browser from hard coded repository.

Some time ago Linux introduced "namespaces" - you can have one separate firewall for firefox, one for email programm, one for updates and one for the rest of the system. These namespaces is the only way now to get reasonable WEB performance without beeing easily hacked.

You must start using raw and mangle tables.

Your first iptables (firewall) rules MUST BE:
iptables -F
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP

That is, your are DONE with the Filter table! - because there are Raw and Mangle tables.
iptables rules above are shortcut to these:

iptables -t filter -F
iptables -t filter -P INPUT ACCEPT
iptables -t filter -P OUTPUT ACCEPT
iptables -t filter -P FORWARD DROP


I might type another post later
 
Old 12-09-2017, 07:41 PM   #9
sundialsvcs
LQ Guru
 
Registered: Feb 2004
Location: SE Tennessee, USA
Distribution: Gentoo, LFS
Posts: 8,691
Blog Entries: 4

Rep: Reputation: 3026Reputation: 3026Reputation: 3026Reputation: 3026Reputation: 3026Reputation: 3026Reputation: 3026Reputation: 3026Reputation: 3026Reputation: 3026Reputation: 3026
The single most-important security principle, to me, is the Principle of Least Privilege."

In other words, only one user on your system should be capable of walking into a phone-booth and walking out again in blue tights!

Oddly enough, in Windows and in OS/X and in Linux, this is not the default. The very first user that is set up on your machine should be an "administrator" (by any other name ...), and every other user should be "just an ordinary Joe or Jane," able to manipulate "their own" files, in "their own" home directory, and no one else's.

And then, go ahead and set up multiple such accounts. For example, if you run a small business and therefore have to do accounting, set up an "accounting" user-id, put all the accounting files in that user's home, and secure (chown) those files and directories so that no other user can see or touch them. And so on.

Finally, backups. Your computer should be backing itself up all the time, all day long, to an external disk drive that is secured so that only the backup-daemon can use it. ("Once a day" backups are not nearly good enough.)

A fairly-recent article on backup software ...

Last edited by sundialsvcs; 12-09-2017 at 07:42 PM.
 
Old 12-10-2017, 03:44 AM   #10
geppy
LQ Newbie
 
Registered: Dec 2017
Posts: 2

Rep: Reputation: Disabled
How to enable corresponing linux Net Namespace that allows u to use different firewall for each app - add repository that contains Firejail sandbox
and install Firejail. (ubuntu,linuxmint,debian have firejail in their default repositories)

Code:
firejail --force --net=enp3s0 --ip=192.168.1.60 --dns=192.168.1.70 --netfilter=/etc/ip.rules --name=nado --noprofile chromium-browser
in this firejail example we disable all additional protection that firejail offers and use iptable rules defined in /etc/ip.rules
Chromium will be using 192.168.1.60 ip addr while the rest of the system maybe using 192.168.1.4 for eaxample or anything else.


Basic general iptables rules for your linux pc:
Code:
iptables -t raw -F
iptables -t raw -P PREROUTING DROP
iptables -t raw -P OUTPUT DROP
But this implies that you need completely different rules for firefox/chrome (feeded using firejail)
Current example doesn't allow any DNS - you'll have to put some hostnames and IPs into /etc/hosts
You don't need to warry about any additionals port scans - because current example handles them all.
Code:
iptables -t raw -A PREROUTING -s YOUR_WAN_IP -j DROP
iptables -t raw -A PREROUTING -s 192.168.0.0/16 -j DROP
iptables -t raw -A PREROUTING -s 224.0.0.0/3 -j DROP
iptables -t raw -A PREROUTING -s 127.0.0.0/8 -j DROP
iptables -t raw -A PREROUTING -s 169.254.0.0/16 -j DROP
iptables -t raw -A PREROUTING -s 10.0.0.0/8 -j DROP
iptables -t raw -A PREROUTING -s 0.0.0.0/8 -j DROP
iptables -t raw -A PREROUTING -s 240.0.0.0/5 -j DROP
iptables -t raw -A PREROUTING ! -d YOUR_LOCAL_IP -j DROP  #like 192.168.1.60
iptables -t raw -A PREROUTING -p igmp -j DROP
iptables -t raw -A PREROUTING -i lo -j DROP
iptables -t raw -A PREROUTING ! -p tcp -j DROP
iptables -t raw -A PREROUTING  -p tcp -m multiport --sports 80,465,993,443 --tcp-flags FIN,SYN,RST,PSH,ACK,URG SYN,ACK -j ACCEPT
iptables -t raw -A PREROUTING  -p tcp -m multiport --sports 80,465,993,443 --tcp-flags FIN,SYN,RST,PSH,ACK,URG PSH,ACK -j ACCEPT
iptables -t raw -A PREROUTING  -p tcp -m multiport --sports 80,465,993,443 --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,ACK -j ACCEPT
iptables -t raw -A PREROUTING  -p tcp -m multiport --sports 80,465,993,443 --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,ACK -j ACCEPT
iptables -t raw -A PREROUTING  -p tcp -m multiport --sports 80,465,993,443 --tcp-flags FIN,SYN,RST,PSH,ACK,URG ACK -j ACCEPT
iptables -t raw -A PREROUTING -j DROP

iptables -t raw -A OUTPUT -d YOUR_WAN_IP -j DROP
iptables -t raw -A OUTPUT -m owner ! --uid-owner 1000 -j DROP	# your default user id
iptables -t raw -A OUTPUT -d 192.168.0.0/16 -j DROP
iptables -t raw -A OUTPUT -d 224.0.0.0/3 -j DROP
iptables -t raw -A OUTPUT -d 127.0.0.0/8 -j DROP
iptables -t raw -A OUTPUT -d 169.254.0.0/16 -j DROP
iptables -t raw -A OUTPUT -d 10.0.0.0/8 -j DROP
iptables -t raw -A OUTPUT -d 0.0.0.0/8 -j DROP
iptables -t raw -A OUTPUT -d 240.0.0.0/5 -j DROP
iptables -t raw -A OUTPUT -o lo -j DROP
iptables -t raw -A OUTPUT ! -p tcp -j DROP
iptables -t raw -A OUTPUT -p tcp -m owner --uid-owner 1000 -m multiport --dports 80,465,993,443 -j MARK --set-xmark 0x30
iptables -t raw -A OUTPUT -p tcp -m mark --mark 0x30 --tcp-flags FIN,SYN,RST,PSH,ACK,URG SYN -j ACCEPT
iptables -t raw -A OUTPUT -p tcp -m mark --mark 0x30 --tcp-flags FIN,SYN,RST,PSH,ACK,URG ACK -j ACCEPT
iptables -t raw -A OUTPUT -p tcp -m mark --mark 0x30 --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,ACK -j ACCEPT
iptables -t raw -A OUTPUT -p tcp -m mark --mark 0x30 --tcp-flags FIN,SYN,RST,PSH,ACK,URG PSH,ACK -j ACCEPT
iptables -t raw -A OUTPUT -p tcp -m mark --mark 0x30 --tcp-flags FIN,SYN,RST,PSH,ACK,URG PSH,ACK,FIN -j ACCEPT
iptables -t raw -A OUTPUT -m mark --mark 0x30 -j DROP
iptables -t raw -A OUTPUT -j DROP
There is also mangle table to deal with, its very easy actually, this is where -m conntrack --ctstate ESTABLISHED comes in.

Last edited by geppy; 12-10-2017 at 05:10 AM.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
Advice about setting up a relatively secure network gateway j.smith1981 Linux - Networking 11 12-28-2010 11:36 AM
Need Advice For: Secure and Automated Backups LinuxLearn Linux - Security 10 03-17-2010 06:44 AM
Advice: Secure remote desktop access matiasar Linux - Networking 2 02-08-2010 07:17 AM
LXer: University of Michigan Selects SSH Tectia for Secure System Administration and Secure File Transfers LXer Syndicated Linux News 0 04-25-2006 01:54 AM
advice about secure remote login kermit Linux - General 3 08-04-2002 02:02 PM

LinuxQuestions.org > Forums > Linux Forums > Linux - Security

All times are GMT -5. The time now is 05:59 AM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration