Linux - Security (LinuxQuestions.org forum)
This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
I use Linux Mint 18. I would like to learn more about OS hardening and security-oriented system administration. I'm not a skilled user, but I think the most important concepts of OS and network security should be understandable, accessible and usable by every user, skilled or newbie. I would like the following information:
A) Does a security-oriented OS appropriate for non-specialist use exist? I have only ever found very specialized OSes... For example Kali or BlackArch for pentesting, CAINE for forensics, Tails for anonymity... I haven't yet found anything appropriate for general use.
B) Do hardening-oriented metapackages or scripts exist? I've heard about Bastille or harden-foo, but they are now obsolete.
C) If the previous questions have a negative answer, could you help me build a hardened, security-oriented system? Consider that:
C1) I would get software only from official Debian-based repositories; I wouldn't experiment with untrusted repos, unstable packages or raw source code. I don't want to compromise the very system I want to protect;
C2) I would implement defensive technologies like PAM, SELinux, AppArmor, grsecurity and others too (all together, if that is possible for a stable system);
C3) I would like a graphical front-end for managing nftables/iptables rules that is actively maintained and fully supported by the latest kernel/OS/library versions; I would also like some automation services like fail2ban or PSAD which could help me manage and update firewall rules;
C4) I would like an IDS/IPS service combined with some accessory services like a HIPS, a file integrity checker, a correlator and a log analyzer. I would like these services not to be too intricate or intrusive for my moderate skills and my basic OS and network usage... I would like a good security level, but without excessive paranoia. I use a simple desktop OS; I don't use it as a web server or to manage a complex LAN.
C5) I would like a system monitor and an admin panel with a simple but powerful GUI;
C6) I would like some tools for data forensic analysis and for anti-forensic use; I would simply like to protect my data from hardware/software faults (with the possibility of carving lost files) and my sensitive data from privacy vulnerabilities;
C7) I would like tools to passively protect my OS from various offensive techniques like ARP poisoning, port scanning, port knocking, sniffing, DNS faking etc.;
C8) I would like some utilities for vulnerability auditing of every security-administration area;
C9) I would like other utilities which could be useful for me (process and runtime analyzers, clients or tunnellers for encrypting/anonymizing network traffic, etc.).
Thanks a lot for your attention, and excuse me if I wrote too much. Excuse me also for possible English grammar mistakes.
P.S. I have read many hardening walkthroughs, but I'm confused because sometimes they recommend different (sometimes conflicting) approaches, obsolete or overly complex solutions, or software absent from trusted repositories.
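The "official repositories only" rule in C1 is something you can check mechanically rather than by eye. The script below is an added example, not code from the thread: it audits one-line-format APT entries for two things that undercut that rule, options that disable signature verification for an entry (trusted=yes, allow-insecure=yes, allow-downgrade-to-insecure=yes) and repository hosts outside an allowlist of official mirrors. The OFFICIAL_HOSTS list and the sample entries are constructed for the example; adjust the allowlist to the distribution actually in use (Linux Mint pulls from both Mint and Ubuntu hosts). DEB822-style .sources files are not handled.

```shell
#!/bin/sh
# Added example (not from the thread): audit one-line-format APT sources for
# entries that undercut an "official, signed repositories only" policy.
# Two classes of finding:
#   1. options that switch off signature verification for that entry
#      (trusted=yes, allow-insecure=yes, allow-downgrade-to-insecure=yes);
#   2. a repository host outside an allowlist of official mirrors.
# OFFICIAL_HOSTS is an assumption for the example: adjust it to the
# distribution in use. DEB822-style .sources files are not handled here.

OFFICIAL_HOSTS="deb.debian.org security.debian.org archive.ubuntu.com security.ubuntu.com packages.linuxmint.com"

# Constructed sample input; the third entry is deliberately bad on both counts.
SAMPLE_SOURCES='deb http://deb.debian.org/debian bookworm main contrib
deb-src http://deb.debian.org/debian bookworm main
deb [arch=amd64 trusted=yes] http://mirror.example.net/debian bookworm main
# deb http://ppa.example.org/foo bookworm main
deb [signed-by=/usr/share/keyrings/mint.gpg] https://packages.linuxmint.com victoria main'

# Return 0 when $1 is an allowlisted host, 1 otherwise.
is_official_host() {
    for h in $OFFICIAL_HOSTS; do
        [ "$h" = "$1" ] && return 0
    done
    return 1
}

# Read sources.list text on stdin, print one line per finding, and return the
# number of findings (so the exit status is 0 only for a clean list).
audit_sources() {
    findings=0
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            deb*) ;;        # deb or deb-src entries only
            *) continue ;;  # blank lines, comments, anything else
        esac
        # Option block "[k=v ...]" directly after the type keyword, if any.
        opts=$(printf '%s\n' "$line" | sed -n 's/^deb[-a-z]* *\[\([^]]*\)\].*/\1/p')
        # The URI is the first field after the type keyword and option block.
        rest=$(printf '%s\n' "$line" | sed 's/^deb[-a-z]* *\(\[[^]]*\] *\)*//')
        uri=${rest%% *}
        case "$uri" in
            *://*) host=${uri#*://}; host=${host%%/*} ;;
            *)     host=$uri ;;   # cdrom:, file: and similar schemes
        esac
        case "$opts" in
            *trusted=yes*|*allow-insecure=yes*|*allow-downgrade-to-insecure=yes*)
                printf 'signature check disabled: %s\n' "$line"
                findings=$((findings + 1))
                ;;
        esac
        if ! is_official_host "$host"; then
            printf 'non-official host %s: %s\n' "$host" "$line"
            findings=$((findings + 1))
        fi
    done
    return $findings
}

# Audit the real files when run directly as apt_audit.sh; sourcing the file
# only defines the functions. Exit status is the finding count.
case "$0" in
    *apt_audit.sh) cat /etc/apt/sources.list /etc/apt/sources.list.d/*.list 2>/dev/null | audit_sources ;;
esac
```

Running `sh apt_audit.sh` on a real system prints one line per problem and exits non-zero if anything was found, so it can sit in a cron job or a pre-upgrade hook. On the constructed sample only the mirror.example.net entry is reported, once for the disabled signature check and once for the unknown host.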
Linux, by default, is generally secure. A clearer answer would depend on your distro and the package versions that are in its repositories. RHEL-based distros offer SELinux out of the box (you have an option to configure this in the installer) and Ubuntu comes with AppArmor out of the box. You cannot use both AppArmor and SELinux at the same time, as this would create conflicts with file permissions. You should be fine using SELinux or AppArmor.
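Since only one of SELinux or AppArmor can be the active MAC module, the first practical step is to find out which one the running kernel actually enabled, rather than assuming from the distro name. The script below is an added example, not code from the thread or from either project: it parses the comma-separated list the kernel publishes in /sys/kernel/security/lsm and then reports the enforcement state through the interface each module provides (getenforce from the SELinux userspace tools, the AppArmor "enabled" module parameter). The parser takes the list as an argument so it can be exercised on constructed input where securityfs is not mounted; the file name lsm_check.sh used in the run guard is an assumption.

```shell
#!/bin/sh
# Added example (not from the thread): find out which of the two mutually
# exclusive MAC modules, SELinux or AppArmor, the running kernel enabled.
# Modern kernels publish the active LSM list as a comma-separated line in
# /sys/kernel/security/lsm; the parser takes that line as an argument so it
# can be exercised on constructed input where securityfs is not mounted.

# Print "selinux", "apparmor", "none", or "both" for a comma-separated LSM list.
major_lsm() {
    list=$1
    have_selinux=0
    have_apparmor=0
    for name in $(printf '%s' "$list" | tr ',' ' '); do
        case "$name" in
            selinux)  have_selinux=1 ;;
            apparmor) have_apparmor=1 ;;
        esac
    done
    if [ "$have_selinux" -eq 1 ] && [ "$have_apparmor" -eq 1 ]; then
        printf 'both\n'        # not expected on a mainline kernel
    elif [ "$have_selinux" -eq 1 ]; then
        printf 'selinux\n'
    elif [ "$have_apparmor" -eq 1 ]; then
        printf 'apparmor\n'
    else
        printf 'none\n'
    fi
}

# Report the live system: active module plus its enforcement state.
# getenforce comes from the SELinux userspace tools; the AppArmor "enabled"
# module parameter reads Y when the module initialised and N when it was
# built in but disabled at boot.
report_live() {
    if [ ! -r /sys/kernel/security/lsm ]; then
        printf 'securityfs not readable; cannot determine active LSM\n' >&2
        return 1
    fi
    active=$(major_lsm "$(cat /sys/kernel/security/lsm)")
    printf 'active MAC LSM: %s\n' "$active"
    case "$active" in
        selinux)
            if command -v getenforce >/dev/null 2>&1; then
                printf 'SELinux mode: %s\n' "$(getenforce)"
            fi
            ;;
        apparmor)
            if [ -r /sys/module/apparmor/parameters/enabled ]; then
                printf 'AppArmor enabled: %s\n' "$(cat /sys/module/apparmor/parameters/enabled)"
            fi
            ;;
        none)
            printf 'no MAC module active: only DAC permissions are enforced\n'
            ;;
    esac
}

# Run the live report only when executed directly as lsm_check.sh
# (sourcing the file just defines the functions).
case "$0" in
    *lsm_check.sh) report_live ;;
esac
```

A result of "none" is worth noticing: a kernel can have a module built in but not selected at boot (for example via the lsm= or apparmor= kernel parameters), in which case nothing beyond ordinary file permissions is confining processes even though the packages are installed.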
Unfortunately you selected a distro that has been made to be widely usable by almost anyone.
To me, this brings in security issues. Less is more to begin with. I'd start with a minimal hardened system. You might even go to SUSE Studio and get SUSE Enterprise Linux, or configure CentOS to be hardened. There are of course some distros that claim to be hardened out of the box.
Security is as many best practices as you can learn and use.
I have already read that topic, but I see that many links are dead and some software is now obsolete. This is a very common problem I have found in various guides. I have read many, many topics and guides, and now I'm confused. I would like some clarification.
About the other replies: I would like to remain on the Debian-based side, because this is the environment in which I feel most comfortable and most able to manage. I could also gain some new experience and do some experiments, but first of all I would like to limit recklessness, because I could compromise my system's security instead of hardening it through a misconfiguration or through the use of untrusted repositories or unstable software.
I also read something about Qubes OS, but it has a very complex architecture and I don't know whether I would be able to manage it well. I also think that the Xen hypervisor could have trouble with full HW/SW support. The project is very interesting overall, but for now I think it isn't the most suitable OS for me.
I'm a fan of Common Sense Security.
Up-to-date System patches from vetted software channels.
And definitely scan the nut behind the keyboard.
Basic and decent Security can be had using a Router.
You being "new" and all, I will not take the time for "security-oriented system administration".
I don't Yak Shave, sorry.
It's going to take a long time to learn all that to be able to make good use of it.
Better off picking one way of hardening and learning all that it takes first!
Thank you very much for your reply. Your words are granite truth. Maybe, however, you misunderstood me about something, because I said that I'm confused about some points and would like to hear some fresh, direct opinions, but I didn't say that I wanted a substitute to carry out the task for me, or somebody at my disposal. Also, about packages, I already understand that security is not a package, because I never thought that an installation is enough to let you sleep quietly and safely (nobody can sleep quietly... never). I'm new, but I'm not so stupid.
I'm totally available to lose myself among a thousand guides or to wear out my keyboard and my fingers. I'm new, but I have plenty of willingness to engage with the task. I'm already doing this, to be honest. For example, I'm trying openSUSE and CentOS and I'm deciding to abandon the Debian-based environment because I notice this could be a good idea.
Being a free universe, I think the opposite. But to each person, to cramp their finger, to trip their own trigger.
I was an openSUSE and Mandriva user while Zenwalking in a past life. Rawhide should have been just a show I watched, not a sources.list I should have enabled.
Why? Your opinion would interest me a lot... Some RHEL-based OSes are well known for their great maturity and stability, and maybe the only thing I could regret is the departure from the immense Debian repositories (without underestimating the stability of the mainstream Debian OS). I have also been trying various distros these days, but when I play with SUSE or CentOS in a VM, I have the strange feeling (maybe irrational) that they could represent a better starting point for me and for my purpose.
Lack of online support. My inexperience. Back then, broken rpm distro threads on this forum were legion in number. It might be better now. I don't know, as I settled into my ways until I got comfy cozy with what I learned.
Back then, gear was lower powered and a VM was not an option. It is a more varied universe now.
I am an antiX user, like most Slackware users on this forum are. A freaking die-hard fanatic fanboy.
It is what trips my trigger.
The lack of online support could be a problem, maybe. Also, in reality, the lesser wealth of rpm repositories compared to the Debian repos scares me a bit... above all because I would use only trusted sources, and if I don't find everything I could need in them, I'll be forced to break this rule, and if I break it, I won't be doing hardening the right way, IMHO.