Linux - Security: This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
I'm a Linux newbie, I've tried Ubuntu, Debian, and Fedora so far. My parents are using the same (Windows) laptop for internet banking, as my little brother does for doing all sorts of dangerous things.
So I thought I'd create a persistent bootable Linux USB stick just for internet banking.
It has to:
- be a stable and secure distribution.
- have a good automatic update manager.
- boot fast enough.
- easy to set up.
Any thoughts on which distro would suit my needs? I'm thinking of Ubuntu.
Should I use Firefox or Chrome, or any other browser?
Should I use AppArmor? How easy is this to set up?
Should I use a firewall like iptables? How easy is this to set up?
Should I disable unneeded services? Or doesn't this make my distro more secure?
Links to simple newbie guides to Linux security are appreciated.
Should I use a firewall like iptables? How easy is this to set up?
If you're installing all of this on a USB stick, it's conceivable (though highly unlikely) that a cracker could modify the files on the stick, so a firewall would be a good thing. Ubuntu 9.10 ships with a firewall (ufw), but that's a command-line interface. A graphical interface is also available: http://linuxbsdos.com/2009/11/07/ins...n-ubuntu-9-10/
Or you could just use the Live CD instead of a USB stick...the live CD media can't be modified, so you don't have to worry about a cracker changing your files, or catching a virus, since everything's in memory only, and it all goes away when you turn the PC off.
Or you could just use the Live CD instead of a USB stick...the live CD media can't be modified, so you don't have to worry about a cracker changing your files, or catching a virus, since everything's in memory only, and it all goes away when you turn the PC off.
I've read about live CDs, but I'm not going to burn a new CD every time there's an update available.
What's worse, using a (most likely) outdated Ubuntu CD, or risk the chance of malware writing to my usb stick?
What's worse, using a (most likely) outdated Ubuntu CD, or risk the chance of malware writing to my usb stick?
That depends on how often you update your Ubuntu. I know that updates come out all the time for various and sundry Linux programs. The security updates are of particular concern, as you want to have your Linux PC secured against these holes. But many (perhaps all?) of these holes are not applicable to a LiveCD, as the media is not writable. Correct me if I'm wrong, but most security holes allow a cracker to take over root control of the PC and change, upload (keyloggers), or download files (password files, etc.). But on a LiveCD, you can't change the files, and the password is only valuable if you happen to be running the LiveCD at the time the cracker tries to log on.
So they can't install a keylogger onto your LiveCD, which means they can't capture your banking or password information by that means. They could still intercept your traffic to the bank, but that should be encrypted anyways (and I believe they try to crack encryption by changing your files to enable a man-in-the-middle attack...and they can't change your files on a LiveCD).
Therefore I don't think it's as imperative to install updates, even security updates, on a LiveCD as it is on a normal Linux PC.
So what's worse: using a (most likely) outdated Ubuntu CD that crackers can't touch, or risk the chance of malware writing to my usb stick?
It has to:
- be a stable and secure distribution.
- have a good automatic update manager.
- boot fast enough.
- easy to set up.
Any thoughts on which distro would suit my needs? I'm thinking of Ubuntu.
Should I use Firefox or Chrome, or any other browser?
Should I use AppArmor? How easy is this to set up?
Should I use a firewall like iptables? How easy is this to set up?
Should I disable unneeded services? Or doesn't this make my distro more secure?
Virtually any Linux live cd/usb distribution that comes with a web browser could fit that bill. But I wouldn't rely on the user (your parents) to run security updates.
A few possible considerations that I'd focus on:
- Have your parents memorized their WPA2 password? If not, you might provide it, in a GnuPG or OpenSSL-encrypted file on the live distro.
- Have your parents memorized their bank password(s)? Same as above.
- Read-only media (CD) would be safer than read-write media (USB drive).
- An iptables ruleset could drop all (new) inbound traffic, and allow only outbound traffic for DNS lookups and http/s.
- You could further control http/s traffic by forcing them through a localhost http proxy, and setting up an ACL that only permits access to their bank's domain.
Sound good? On the other hand, if you're a complete beginner, simply having them use a Linux live cd for banking will be several orders of magnitude safer than their communal Windows laptop. (Even if you only burn an updated Linux live cd every year.)
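The iptables ruleset suggested in the post above, written out as an added example (not part of the original post): a shell function that emits an `iptables-restore` file dropping all new inbound traffic and allowing only outbound DNS and HTTP/S. The optional proxy account name and the script name `banking-fw.sh` are hypothetical; passing an account limits outbound web connections to that user, which is one way to force the browser through a localhost proxy.

```shell
#!/bin/sh
# Added example, not from the thread. Emits an iptables-restore ruleset for a
# single-purpose banking stick: no new inbound traffic, outbound DNS + HTTP/S only.

# gen_rules [proxy_user]
#   proxy_user (hypothetical account name): if given, only processes running
#   as that user may open outbound web connections, so a browser must go
#   through the localhost proxy that runs under it.
gen_rules() {
    proxy_user="${1:-}"
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# Loopback, so the browser can reach a proxy on localhost.
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
# Replies to connections this machine opened. New inbound hits the DROP policy.
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Outbound DNS lookups.
-A OUTPUT -p udp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
-A OUTPUT -p tcp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
EOF
    owner=""
    if [ -n "$proxy_user" ]; then
        owner="-m owner --uid-owner $proxy_user "
    fi
    # Outbound HTTP and HTTPS, optionally limited to the proxy account.
    for port in 80 443; do
        printf '%s\n' "-A OUTPUT -p tcp --dport $port ${owner}-m conntrack --ctstate NEW -j ACCEPT"
    done
    printf 'COMMIT\n'
}

# Print the ruleset when run as: sh banking-fw.sh print [proxy_user]
if [ "${1:-}" = "print" ]; then
    gen_rules "${2:-}"
fi
```

As root, `sh banking-fw.sh print | iptables-restore` loads the rules. They cover IPv4 only, and DHCP lease renewal (UDP 67/68) is not among the allowed traffic.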
If you use an SD card, you can use the read-only switch to disable writing. Also, when booting and running off read-only media, there isn't as much worry about most exploits that pop up because they won't be able to become persistent. Even root can't write to a CD or an SD that has the write mode switched off.
repo: That may not work because if the machine is compromised, the cracker has access to the internet traffic of the host machine which the guest uses.