Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here. |
06-03-2006, 11:00 PM
|
#1
|
LQ Newbie
Registered: Jun 2006
Distribution: Debian 8.0 "Jessie"
Posts: 22
Rep:
|
desktop security settings?
Hi, I'm new here, just wondering, from everyone's experience: what kind of security do you use for a regular daily-use desktop Linux box, and how do you set it up? What packages, software or libraries are needed (including the base packages)?
thanks in advance
|
|
|
06-04-2006, 07:28 AM
|
#2
|
Senior Member
Registered: Jul 2003
Location: Mississippi USA
Distribution: Gentoo
Posts: 2,058
Rep:
|
|
|
|
06-04-2006, 07:40 AM
|
#3
|
Member
Registered: Oct 2005
Location: Australia
Distribution: slackware 12.1
Posts: 753
Rep:
|
Network-wise it's basically all that dalek talked about. Optimally configured iptables lets you sleep nicely at night. Set strong passwords for all logins. Try boot locking with passwords for added physical security. A nice screensaver (that asks for a password when disturbed) for temporary security and prying eyes. If you want to get a bit more paranoid, install 'chkrootkit' for any kind of rootkit infection you may want to detect, and an anti-virus (f-prot or clamav) if you plan to use samba to share files with other Windows machines in your network. I think that pretty much sums it up.
|
|
|
06-04-2006, 02:49 PM
|
#4
|
LQ Newbie
Registered: Jun 2006
Distribution: Debian 8.0 "Jessie"
Posts: 22
Original Poster
Rep:
|
Thanks guys, that's good enough. Any clue on setting a standard iptables for daily desktop usage?
Found something called "watchdog" or "guarddog". Is it good? Also SELinux, is it too much for daily desktop usage?
thanks in advance
|
|
|
06-04-2006, 06:06 PM
|
#5
|
Moderator
Registered: May 2001
Posts: 29,415
|
Quote:
Originally Posted by stubbe
Thanks guys, that's good enough.
|
Sorry to bump in, but how do you really know this is all there is and if this is "good enough"?
(short answer: no, this ain't covering all of the basics)
|
|
|
06-04-2006, 08:36 PM
|
#6
|
HCL Maintainer
Registered: Jan 2006
Distribution: (H)LFS, Gentoo
Posts: 2,450
Rep:
|
Quote:
Originally Posted by dalek
Shorewall is a program, I think ipchains is kernel based and I'm not real sure but I think you have to enable iptables in the kernel and install some software for iptables. Someone will come along and correct me if I am wrong about any of this.
|
Shorewall, iptables, and ipchains are all programs. Shorewall is just a user-friendly front-end for iptables. ipchains was used long ago with 2.2.x kernels. Nowadays, we use iptables as a userspace tool, which can hook into the `netfilter' code in kernelspace.
So DON'T use ipchains. If you are a newbie, consider shorewall or any of the other front-ends that let you modify your kernel's filtering rules.
|
|
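A baseline of the kind asked about in post #4, as an added example that is not from any poster in this thread: a stateful iptables ruleset for a desktop that offers no services to the network. The `IPT` variable and the `desktop_firewall` function name are this example's own assumptions.

```shell
#!/bin/sh
# Added example: inbound-deny baseline for a desktop that serves nothing.
# IPT is this example's own knob: IPT="echo iptables" prints the commands
# instead of applying them (applying needs root).
IPT="${IPT:-iptables}"

desktop_firewall() {
    # Known starting point: flush all rules, delete user-defined chains.
    # Commands are chained with && so a failure stops before a half-built
    # ruleset is left in place.
    $IPT -F &&
    $IPT -X &&
    # Policies: drop unsolicited inbound and forwarded packets, allow
    # everything the desktop itself originates.
    $IPT -P INPUT DROP &&
    $IPT -P FORWARD DROP &&
    $IPT -P OUTPUT ACCEPT &&
    # Loopback stays open; local daemons (CUPS, privoxy) talk over it.
    $IPT -A INPUT -i lo -j ACCEPT &&
    # Replies to connections this machine opened, plus related ICMP errors.
    $IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT &&
    # Packets that netfilter's connection tracker cannot place.
    $IPT -A INPUT -m conntrack --ctstate INVALID -j DROP &&
    # Rate-limited log of whatever is about to fall through to the policy.
    $IPT -A INPUT -m limit --limit 5/minute -j LOG --log-prefix "INPUT drop: "
}
```

Run `IPT="echo iptables"` followed by `desktop_firewall` to review the commands before applying them as root. IPv6 traffic is filtered separately by ip6tables and is not covered here.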
|
06-04-2006, 09:24 PM
|
#7
|
HCL Maintainer
Registered: Jan 2006
Distribution: (H)LFS, Gentoo
Posts: 2,450
Rep:
|
Quote:
Originally Posted by stubbe
Found something called "watchdog" or "guarddog". Is it good? Also SELinux, is it too much for daily desktop usage?
|
Watchdog can mean many things. In many processors, there is a built-in timer that makes sure the system is running correctly. A daemon, often called watchdog, is supposed to periodically probe this. If a certain amount of time elapses without any probing from the daemon, the hardware assumes the computer has crashed, and reboots itself. This is mainly for servers and automated systems that can't afford any downtime. There are also certain daemons for certain network drivers that are supposed to protect your system from malicious stuff.
Is SELinux too much? I don't think there is anything that's too much (I personally much prefer PaX/Grsecurity to SELinux). It depends on how vulnerable you make yourself. If you are directly connected to the internet, plain old Linux with smart iptables would be fine for some, but not for me (call me paranoid). Also, a machine that handles lots of untrusted data might be a good candidate (i.e., to detect rootkits, etc.).
|
|
|
06-04-2006, 11:42 PM
|
#8
|
Member
Registered: Oct 2005
Location: Australia
Distribution: slackware 12.1
Posts: 753
Rep:
|
Quote:
Originally Posted by unSpawn
Thanks guys, that's good enough.
Sorry to bump in, but how do you really know this is all there is and if this is "good enough"?
(short answer: no, this ain't covering all of the basics)
|
SECURITY is a process, NOT a STATE.
|
|
|
06-05-2006, 01:08 AM
|
#9
|
Senior Member
Registered: Apr 2005
Location: OZ
Distribution: Debian Sid/RPIOS
Posts: 4,909
|
Steps I take on my Debian desktop:
I use Guarddog to set up iptables.
Then install Bastille, samhain, tripwire, checksecurity, and rkhunter. Yep, call me paranoid.
BIOS has a password, LILO has a password, screensaver has a password. Any personal data is in an encrypted partition.
Checking netstat -a only shows 5 processes listening: ipp, bootpc, Firefox, privoxy and gaim. It is a good idea to check to see what is connecting every once in a while.
Always login as user and never as root. Do not share your root password with anyone that doesn't absolutely have to have it. Even my wife doesn't know mine.
That about covers my desktop. My laptop is even worse. I have the entire disk encrypted and boot it using a USB key that has the "key". Good luck to someone reading the data if it ever gets stolen.
|
|
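The periodic listener check described in post #9, as an added example that is not part of the original post: a filter that compares listening sockets against an allowlist and prints anything unexpected. It assumes input in the format of `netstat -tulnp`; the function names, the allowlist format and the sample output are constructed for this example.

```shell
#!/bin/sh
# Added example. Input format assumed: output of `netstat -tulnp`.

# Constructed sample (not captured from a real host).
sample_netstat() {
    cat <<'EOF'
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN      1234/cupsd
tcp        0      0 127.0.0.1:8118          0.0.0.0:*               LISTEN      2210/privoxy
tcp        0      0 0.0.0.0:8000            0.0.0.0:*               LISTEN      4021/python3
tcp6       0      0 :::22                   :::*                    LISTEN      812/sshd
udp        0      0 0.0.0.0:68              0.0.0.0:*                           1890/dhclient
udp        0      0 0.0.0.0:5353            0.0.0.0:*                           655/avahi-daemon: r
EOF
}

# audit_listeners "proto/port ..." : print every listening socket on stdin
# that is not in the allowlist, as "proto/port program scope".
audit_listeners() {
    awk -v allow="$1" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $1 !~ /^(tcp|udp)6?$/ { next }           # banner and header lines
        $1 ~ /^tcp/ && $6 != "LISTEN" { next }   # TCP: listening sockets only
        {
            proto = $1; sub(/6$/, "", proto)     # fold tcp6/udp6 into tcp/udp
            port = $4; sub(/.*:/, "", port)      # text after the last colon
            addr = $4; sub(/:[^:]*$/, "", addr)  # text before the last colon
            # UDP rows have an empty State column, so the program field
            # starts one column earlier; program names may contain spaces.
            start = (proto == "tcp") ? 7 : 6
            prog = $start
            for (i = start + 1; i <= NF; i++) prog = prog " " $i
            sub(/^[0-9]+\//, "", prog)           # strip the "PID/" prefix
            if (prog == "") prog = "-"
            scope = (addr ~ /^(127\.|::1$)/) ? "loopback" : "network"
            key = proto "/" port
            if (!(key in ok)) print key, prog, scope
        }'
}

# Allowlist built from listeners named in the post: ipp (tcp/631),
# privoxy (tcp/8118, its default port) and bootpc (udp/68).
sample_netstat | audit_listeners "tcp/631 tcp/8118 udp/68"
```

On a live machine, pipe `netstat -tulnp` (run as root so the program column is filled in) into `audit_listeners` with your own allowlist; a line marked `network` is reachable from other hosts unless the firewall blocks it.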
|
06-05-2006, 05:39 AM
|
#10
|
LQ Newbie
Registered: Jun 2006
Distribution: Debian 8.0 "Jessie"
Posts: 22
Original Poster
Rep:
|
Woah, more info, thanks guys, it's helpful. Yep, it's guarddog, not watchdog.
Quote:
Bastille, samhain, tripwire, checksecurity, and rkhunter.
|
What are these for?
Quote:
Originally Posted by unSpawn
Thanks guys, that's good enough.
Sorry to bump in, but how do you really know this is all there is and if this is "good enough"?
(short answer: no, this ain't covering all of the basics)
|
I don't, that's why I ask. I know iptables but have never used it, let alone set up a firewall using iptables. And sometimes I don't know what it's for. I don't want overblown security settings either, just a safe desktop to do my daily work.
|
|
|
06-05-2006, 05:45 AM
|
#11
|
Member
Registered: Oct 2005
Location: Australia
Distribution: slackware 12.1
Posts: 753
Rep:
|
If you are not connected to any network (and internet), a strong password is good enough. If you are, you can google for the terms (above) you can't understand and develop a better understanding of them.
|
|
|
06-05-2006, 11:22 AM
|
#12
|
LQ Newbie
Registered: Jun 2006
Distribution: Debian 8.0 "Jessie"
Posts: 22
Original Poster
Rep:
|
I'm a googling type of person. Waiting for replies often took too long for me. But who knows, somebody would go to the trouble. And an explanation from an experienced user is often more descriptive than reading formal official descriptions.
Anyway, thanks everybody.
|
|
|
06-05-2006, 05:29 PM
|
#13
|
Moderator
Registered: May 2001
Posts: 29,415
|
Quote:
Originally Posted by stubbe
I don't, that's why I ask.
|
I was asking that because you wrote "that's good enough", which seemed to me you thought you had everything you needed. The short answer is what I see as missing is (luckily shortened due to recent useful posts) auditing (Tiger?) and (log)reporting software (Logwatch, swatch etc, etc) and an IDS (Snort, Prelude).
I could give a methodical answer detailing steps to take but it would be more beneficial to invest time and start reading the LQ FAQ: Security references about hardening and securing your box.
|
|
|