How do you make your GNU/Linux system very secure?
I think you should look at it from a different POV. Don't set these organizations as your adversaries, because you are likely to just fall into the traps they place. Instead, focus on hardening your system to a reasonable and maintainable level, and making good decisions. There are plenty of threads on here and the internet about hardening your system.
Here's a list of basic things that everyone should have: see: http://docs.slackware.com/howtos:sec...basic_security
1) Firewall, configured properly. There are plenty of GUI programs to configure them.
2) Trim down the number of services you have running with open external ports. Every one of them could have a bug and could lead to system compromise.
3) Run rkhunter and maybe clamav regularly to detect malware.
4) Choose strong passwords for important things like your system and online credit card access.
5) Stay up-to-date with security fixes for your distro, and sometimes take action yourself by updating programs that the distro maintainer refuses to.
As for others spying on you, I would recommend the following:
1) Get a router that can run dd-wrt or openwrt. Many routers have backdoors and can lead to local network compromise, where monitoring is extremely easy. You could also just use an older computer as a router, but you probably need some more ethernet cards.
2) Make sure that your browser controls javascript very strictly (NoScript). It is very easy to track you with javascript enabled and new methods appear all the time. Enable javascript ONLY for sites that absolutely require it and only just enough to let the site function. This can be tedious, but with time you will be able to configure NoScript properly.
3) Make sure you disable ads in your browser (Adblock, I recommend Edge over Plus). Many ad sites do track you by simply loading the ads (and so they can give you targeted ads), and I hate ads, so both of these should be enough to make you want to remove them. If you know of safe ad sites, you can add them to the whitelist.
Some hints:
1) Don't believe things just because they're in the news. Research them first, and understand them. Just because a project exists with a certain declared purpose doesn't mean that this is its actual purpose or that it will help you in any way rather than harm you. (Ok, yes, I'm talking about Tor here)
2) Act as if you are being watched all the time, but know that you are probably not. They just don't have the resources. Take a look into NSA history and you'll see their computers tend to be overloaded. They're not gonna waste time going after you if you don't arouse suspicion (using Tor will definitely arouse suspicion).
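For item 2 of the list above, an added example (not from the thread) that reads the output of `ss -ltn` and reports only the TCP listeners an outside host could reach, i.e. anything not bound to a loopback address; the sample socket table is constructed for the demo.

```shell
#!/bin/sh
# Added example: find TCP listeners reachable from the network.
# Input is the output of `ss -ltn`, header included (the header's first
# field is "State", so the awk filter skips it automatically).

# Print "port host" for every LISTEN socket not bound to loopback.
exposed_listeners() {
    awk '
    $1 == "LISTEN" {
        addr = $4                                # Local Address:Port column
        n = split(addr, parts, ":")
        port = parts[n]                          # text after the last colon
        host = substr(addr, 1, length(addr) - length(port) - 1)
        # 127.x.x.x and ::1 are loopback only; everything else (0.0.0.0,
        # *, [::], or a specific LAN address) is exposed.
        if (host ~ /^127\./ || host == "[::1]" || host == "::1") next
        print port, host
    }'
}

# Same, reduced to the distinct port numbers an external scan would find.
exposed_ports() {
    exposed_listeners | awk '{ print $1 }' | sort -n | uniq
}

# Constructed sample: sshd on all interfaces (v4 and v6), CUPS and MySQL on
# loopback only, a web server on "*", a mail daemon on [::1].
SAMPLE='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*
LISTEN 0      128    127.0.0.1:631      0.0.0.0:*
LISTEN 0      80     127.0.0.1:3306     0.0.0.0:*
LISTEN 0      511    *:80               *:*
LISTEN 0      128    [::]:22            [::]:*
LISTEN 0      50     [::1]:25           [::]:*'

printf '%s\n' "$SAMPLE" | exposed_listeners
# On a live system: ss -ltn | exposed_ports
```

Each port the script prints is a service that needs either a firewall rule, a bind to 127.0.0.1, or to be switched off.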
I'd agree with everything except the bit about "strong passwords."
Seriously: if you need to provide ssh, or VPN, then you should not be relying on (or permitting ...) "passwords" at all. (In VPN-land, they call these "PSK = Pre-Shared Keys," and they are just as evil.)
No, you should be issuing a unique badge to everyone, in the form of a digital certificate, issued by your own organizational certificate-authority as need be, this unique certificate then being password-protected (enciphered ...) using a strong password.
Verdict: you cannot get in without possession of a valid key. (A "badge.") After all, every time I went into Apple's front door, I had to "swipe my badge." No one ever looked at me sternly and demanded that I "say the magic word." In some very-secure areas you have to swipe your badge and enter a numeric sequence on a keypad ... a sequence that, like your badge, is unique to you, and is known only to you, and only works when your badge is swiped. Then, when I'm not working with Apple, I know that my badge (even though I still possess it) won't let me in anywhere.
(And yet, next time, they don't have to issue me a new one.)
(Key gets lost or stolen? Quick phone call, and presto ... it, alone is stone-dead.)
That's "security-management 101," and that's what you must (also) do.
Note that when I say, "organizational certificate-authority," I am speaking of a group within your organization (it could of course be "you") which issued (and then, profoundly protects) a "self-signed" root certificate and then uses it to sign other certificates ... and which has arranged for various other computers to trust, or to trust only, certificates having this signature. In this context, you do not (and should not ...) engage the services of any "signatories for-hire." This CA is, simply, "your company security-department." The one that issues the only badges that will ever work at your company.
Last edited by sundialsvcs; 08-06-2014 at 09:03 PM.
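An added example, not sundialsvcs's code, that carries the badge model through with OpenSSH's own certificate mechanism (an org-internal CA key signs one user certificate per person, servers trust only that CA, and a lost badge is killed by revoking its serial) rather than X.509; the sshd_config directives, scratch directory, user names and demo passphrase are assumptions.

```shell
#!/bin/sh
# Added example: the "badge" model with OpenSSH certificates.
# Assumed server-side sshd_config (servers trust the CA, not individual keys):
#   TrustedUserCAKeys /etc/ssh/ca_key.pub
#   RevokedKeys       /etc/ssh/revoked_keys
# Runs entirely in a scratch directory; ssh-keygen must be installed.
set -e
WORK=$(mktemp -d)
KRL="$WORK/revoked_keys"
trap 'rm -rf "$WORK"' EXIT

# One-time: create the organizational CA key pair (guard the private half).
make_ca() {
    ssh-keygen -q -t ed25519 -N '' -C 'org internal CA' -f "$WORK/ca_key"
}

# issue_badge <user> <serial> <validity>: a passphrase-protected key pair for
# the user plus a CA-signed certificate naming them as the only principal.
# Prints the certificate path. (Fixed passphrase is for the demo only.)
issue_badge() {
    ssh-keygen -q -t ed25519 -N 'demo-passphrase' -C "$1" -f "$WORK/$1"
    ssh-keygen -q -s "$WORK/ca_key" -I "$1-badge" -n "$1" -z "$2" -V "$3" "$WORK/$1.pub"
    printf '%s\n' "$WORK/$1-cert.pub"
}

# revoke_badge <cert>: put the certificate's serial on the revocation list.
revoke_badge() {
    if [ -f "$KRL" ]; then ssh-keygen -q -k -u -f "$KRL" "$1"
    else ssh-keygen -q -k -f "$KRL" "$1"; fi
}

# badge_status <cert>: "ok" or "revoked", the same check sshd makes.
badge_status() {
    if [ -f "$KRL" ] && ssh-keygen -Q -f "$KRL" "$1" | grep -qi revoked; then
        echo revoked
    else
        echo ok
    fi
}

if command -v ssh-keygen >/dev/null 2>&1; then
    make_ca
    CERT=$(issue_badge bob 100 +52w)
    ssh-keygen -L -f "$CERT"            # principal, serial and validity window
    badge_status "$CERT"                # ok
    revoke_badge "$CERT"                # "quick phone call": the badge is dead
    badge_status "$CERT"                # revoked
fi
```

The CA key never leaves the issuing host; the servers only ever see `ca_key.pub` and the revocation list.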
you mention the NSA
so use RHEL or CentOS and keep SE set to ENFORCING and targeted
use FULL disk encryption
use tor ( ?????? read the recent security news from conferences )
or BUILD the source for freenet ( yes a source build -read the "frost" message board on WHY!!!!)
then well ......
follow the "best practices" of security experts
however doing just the NORMAL everyday things is your best option
Dunno ... if NSA and those guys actually cared about what was on your drive, they could hold a gun to your head and I'll bet that those passwords would be theirs in a matter of seconds.
Anyway, they're not the real problem here. (WE'RE WATCHING YOU.) A lot of what you've got to do is simply to make your system a non-trivial "opportunity." Not the easiest house on the block to hit. (For example, the windows are shut and the door is actually locked. The porch light blinks on as you walk up the drive.) Most intrusions are crimes of opportunity. So, the first and perhaps the single most-important factor is to eliminate easy opportunity. If a thief has a million IP-addresses to troll through, looking for sitting-ducks, and he or his script discovers that your duck is awake and even snapping back at him, he's going to move on to the next house. ("Why bother?")
I routinely set up my systems with a tiny little clever-proxy on the SSH port. (I rolled my own.) This proxy always answers a request to offer a password with an invitation to do so, then throws it away. Only traffic that meets, ahem, "certain other requirements," is passed on to the real SSH server. If you actually want to get inside, you have to have your certificate, but this little proxy is there in the DMZ just to attract more flies. I've seen scripts throw hundreds-of-thousands of attempts at this proxy, because they are convinced, based on the responses that they see, that eventually there will be some password that will work. (Call it my own version of "shooting (back) at sitting ducks.") I've probably got a download of the entire words.txt library by now.
Last edited by sundialsvcs; 08-07-2014 at 08:37 AM.
Don't connect to the Internet. Be prepared to explain why.
Well... not connecting to the internet means not giving and doing what the NSA can get anyway, so not connecting to the internet is obviously the safest.
Quote:
Originally Posted by metaschima
I think you should look at it from a different POV. Don't set these organizations as your adversaries, because you are likely to just fall into the traps they place. Instead, focus on hardening your system to a reasonable and maintainable level, and making good decisions. There are plenty of threads on here and the internet about hardening your system.
Here's a list of basic things that everyone should have: see: http://docs.slackware.com/howtos:sec...basic_security
1) Firewall, configured properly. There are plenty of GUI programs to configure them.
2) Trim down the number of services you have running with open external ports. Every one of them could have a bug and could lead to system compromise.
3) Run rkhunter and maybe clamav regularly to detect malware.
4) Choose strong passwords for important things like your system and online credit card access.
5) Stay up-to-date with security fixes for your distro, and sometimes take action yourself by updating programs that the distro maintainer refuses to.
Well, I did follow the instruction on the link about the firewall, downloaded rkhunter and updated my system. While it is NOT Slackware and it IS Debian, it is still a GNU/Linux system so it should work anyway and help a lot of users as well.
Quote:
Originally Posted by metaschima
As for others spying on you, I would recommend the following:
1) Get a router that can run dd-wrt or openwrt. Many routers have backdoors and can lead to local network compromise, where monitoring is extremely easy. You could also just use an older computer as a router, but you probably need some more ethernet cards.
What router can run dd-wrt or openwrt? I use the BT Hub 3 router where I live, in the UK; I don't think it can run dd-wrt or openwrt anyway.
Using an older computer as a router seems like a good idea; I've heard of it but don't really know how it works. Does it go side by side with the other router or what?
Quote:
Originally Posted by metaschima
2) Make sure that your browser controls javascript very strictly (NoScript). It is very easy to track you with javascript enabled and new methods appear all the time. Enable javascript ONLY for sites that absolutely require it and only just enough to let the site function. This can be tedious, but with time you will be able to configure NoScript properly.
3) Make sure you disable ads in your browser (Adblock, I recommend Edge over Plus). Many ad sites do track you by simply loading the ads (and so they can give you targeted ads), and I hate ads, so both of these should be enough to make you want to remove them. If you know of safe ad sites, you can add them to the whitelist.
I got Adblock (Plus) and NoScript on my Iceweasel browser.
Quote:
Originally Posted by metaschima
Some hints:
1) Don't believe things just because they're in the news. Research them first, and understand them. Just because a project exists with a certain declared purpose doesn't mean that this is its actual purpose or that it will help you in any way rather than harm you. (Ok, yes, I'm talking about Tor here)
2) Act as if you are being watched all the time, but know that you are probably not. They just don't have the resources. Take a look into NSA history and you'll see their computers tend to be overloaded. They're not gonna waste time going after you if you don't arouse suspicion (using Tor will definitely arouse suspicion).
Using an older computer as a router seems like a good idea; I've heard of it but don't really know how it works. Does it go side by side with the other router or what?
Most routers are modem-routers, and this means you can just use them as a modem. You can set up bridging on the router the ISP provides you with, connect it to your own router (an old computer or dd-wrt/openwrt router) and it should work. Some routers also support adding routers under a router, both in router mode. Some routers have a WAN port, which should bypass the router function as well. Also note that the router must be on for any computer under it to have internet.
It's difficult to do, I admit, even for me, so you can just ignore that one if it is not possible. At least keep your router firmware up-to-date and hope they didn't put a backdoor in it.