Location: Margaritaville (a state of mind west of Las Vegas), NV
Distribution: Linux Mint
Posts: 61
Suggestions for "locked down Linux"?
I want to build a Linux desktop machine for my Mom. Her needs are fairly simple - email (including the safe viewing of attachments), web browsing, word processing and occasionally a little spreadsheet work. She'll probably also want to view/manage her digital photos and music.
On her current Windows box, I'm constantly cleaning up malware messes for her. I've tried setting up a good firewall, but it's always popping up "Do you want to allow..." messages that she doesn't understand so she simply allows everything. (Which makes the firewall nothing more than an annoyance for her.)
My thinking is that if I build her a Linux box, I can configure all her permissions such that she essentially has just a limited number of whitelisted apps - and none of them can do anything harmful. I'd also like to insure that none of her personal data (passwords, documents, etc.) can be compromised.
The whole thing needs to be dead simple to use (she's a senior citizen and not terribly computer-savvy), reliable, and ideally, require little or no administration/maintenance from me.
I'm somewhat of a Linux novice and have no experience trying to set something like this up. I'd appreciate any and all comments and suggestions for creating a "locked-down Linux" workstation.
Last edited by Donny Bahama; 03-10-2011 at 03:32 PM.
Back in December, I set my near 70 year old mother up with Linux Mint. She has had no problems using it at all, and even likes that it runs a lot faster. I performed the initial setup of Firefox, Thunderbird, printers, showed her how to connect her digital camera, etc. Afterwards, it was no more difficult to use than Windows. I set her up with a dyn-dns domain name and enabled the firewall to allow connections for SSH from my LAN only via key authentication (no passwords). This way, I can remotely administer the machine, if needed, almost as good as if I were sitting in front of it.
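A check for the "key authentication (no passwords)" part of that setup, as an added example that is not part of the original post. The sample configuration and the function name `audit_sshd` are constructed for illustration; the check relies on sshd using the first value it reads for a keyword in the global section, with `Match` blocks overriding it.

```python
# Constructed sample sshd_config; not the poster's actual file.
SAMPLE_SSHD_CONFIG = """\
# global section
PubkeyAuthentication yes
PasswordAuthentication no
# the next line is ignored: sshd keeps the first value it reads
PasswordAuthentication yes
Match Address 192.168.1.0/24
    PasswordAuthentication yes
"""

# Values that must be set explicitly for logins to be key-only.
REQUIRED = {
    "pubkeyauthentication": "yes",
    "passwordauthentication": "no",
    "kbdinteractiveauthentication": "no",
}


def audit_sshd(text):
    """Return a list of findings; an empty list means key-only holds everywhere."""
    effective = {}   # global section, first value wins
    findings = []
    match = None     # criteria of the current Match block, None while global
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.replace("=", " ", 1).split(None, 1)
        key = parts[0].lower()                      # keywords are case-insensitive
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "challengeresponseauthentication":
            key = "kbdinteractiveauthentication"    # deprecated alias
        if key == "match":
            match = value
        elif match is None:
            effective.setdefault(key, value)
        elif key in REQUIRED and value != REQUIRED[key]:
            findings.append(f"Match {match}: {key} {value}")
    for key, want in REQUIRED.items():
        got = effective.get(key, "(not set)")
        if got != want:
            findings.append(f"global: {key} {got}")
    return findings


if __name__ == "__main__":
    for finding in audit_sshd(SAMPLE_SSHD_CONFIG):
        print(finding)
```

The sample is flagged twice: the `Match` block re-enables passwords for one address range, and keyboard-interactive authentication is never switched off.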
I've used Linux Mint and will second the recommendation as an easy-to-use, easy-to-like experience. The only really crucial thing (IMO) which Noway2 left out is installing and configuring NoScript (whether in Firefox under Mint, or Iceweasel under Debian).
Quote:
I want to build a Linux desktop machine for my Mom. Her needs are fairly simple - email, web browsing, word processing and occasionally a little spreadsheet work. She'll probably also want to view/manage her digital photos and music.
Same situation for me mum. I set her up with Ubuntu, and the email / web / word and spreadsheet problem is licked. It prompts her to run security updates when needed.
Digital photos and music are a whole other problem. I've trained her a half dozen times on how to get photos off her camera. Still hasn't taken...
Quote:
... I'd also like to insure that none of her personal data (passwords, documents, etc.) can be compromised.
I'd appreciate any and all comments and suggestions for creating a "locked-down Linux" workstation.
Running GNU/Linux - period - is an improvement over what you're doing now. I would think twice before "locking it down" too substantially. If she can't use it at all, it may be secure, but it's also worthless.
Original Poster
Thanks for the suggestions so far, everyone. I was leaning toward Mint and thinking of installing and configuring AppArmor to whitelist OpenOffice, Firefox, Thunderbird and photo/media apps.
Guarddog is a great suggestion (though I have MUCH to learn about iptables.)
I'm really hoping for a better alternative to NoScript. Blacklisting all scripts and then whitelisting on a site-by-site basis is exactly the sort of ongoing headache that Mom will fuss about. I was hoping for a configure-it-once-then-never-worry solution. Ideally, let all scripts run, but block certain script commands that have the potential for harm. (Perhaps that's an idealistic request?)
As for locking it down too tightly, as long as she can do the things I outlined in my initial post, it should be plenty usable for her.
Last edited by Donny Bahama; 03-10-2011 at 03:37 PM.
Quote:
I'm really hoping for a better alternative to NoScript
There really is not one.
There are ways to do SOME of the things without installing NoScript and Adblock Plus.
One is to use the system HOST file.
-- yes, the same way you would on Windows --
Redirect everything "bad" back to 127.0.0.1.
You can use "Spybot S&D's" host file.
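The hosts-file approach from the post above, as an added example that is not part of the original thread. The section markers, sample inputs and function names are constructed; the code validates each blocklist entry so an imported list can only add loopback lines, and shows that hosts lookups match exact names only.

```python
import re

BEGIN, END = "# BEGIN blocklist", "# END blocklist"   # hypothetical section markers
LABEL = r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
HOSTNAME = re.compile(rf"{LABEL}(?:\.{LABEL})+")      # at least two labels

# Constructed inputs: an existing hosts file and a raw blocklist with junk in it.
SAMPLE_HOSTS = "127.0.0.1 localhost\n192.168.1.10 printer\n"
SAMPLE_BLOCKLIST = ["ads.example.com", "ADS.example.com.", "tracker.example.net",
                    "localhost.localdomain", "not a hostname",
                    "www.example.org 10.0.0.1"]


def clean(domains):
    """Lower-case, validate and de-duplicate; keep only single bare hostnames."""
    out = []
    for d in domains:
        d = d.strip().lower().rstrip(".")
        if HOSTNAME.fullmatch(d) and d.split(".")[0] != "localhost" and d not in out:
            out.append(d)
    return out


def merge(hosts_text, domains):
    """Replace the marked block in hosts_text; lines outside it are kept as they are."""
    kept, inside = [], False
    for line in hosts_text.splitlines():
        if line == BEGIN:
            inside = True
        elif line == END:
            inside = False
        elif not inside:
            kept.append(line)
    block = [BEGIN] + [f"127.0.0.1 {d}" for d in clean(domains)] + [END]
    return "\n".join(kept + block) + "\n"


def sinkholed(hosts_text, name):
    """True if `name` itself is mapped to 127.0.0.1 (no wildcard or subdomain match)."""
    for line in hosts_text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 2 and fields[0] == "127.0.0.1" and name.lower() in fields[1:]:
            return True
    return False


if __name__ == "__main__":
    print(merge(SAMPLE_HOSTS, SAMPLE_BLOCKLIST), end="")
```

Because matching is by exact name, `cdn.ads.example.com` is not covered by an entry for `ads.example.com`; every hostname to be blocked needs its own line.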
Original Poster
I don't just want to hide things from her. I'm not trying to lock everything down because I'm concerned about her messing things up. But to the extent that her user account doesn't have permission to do harm, then malicious scripts and email attachments won't be able to wreak havoc, either. Beyond her user account, I also have concerns about someone hacking in via an account with higher (even root) permissions.
Original Poster
Quote:
Originally Posted by repo
A good firewall, and a strong root password will do the trick.
You can eventually install an antivirus.
I was hoping to preemptively lock things down such that antivirus was unnecessary. Zero-day attacks aside, it's just one more thing to pop up and perplex/alarm my atechnical Mom. (There's those pesky false positives to worry about, too.) As long as nothing could be written (by her user account) that has executable permission, wouldn't that eliminate such issues?
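One way to check the "nothing her account writes is executable" idea from the post above is to see which user-writable paths sit on a filesystem mounted without `noexec`. This is an added example, not part of the original thread; the mount table, the path list and the user name `mom` are constructed.

```python
import posixpath

# Constructed sample in /proc/mounts format: device mountpoint fstype options dump pass
SAMPLE_MOUNTS = """\
/dev/sda1 / ext4 rw,relatime 0 0
/dev/sda2 /home ext4 rw,nosuid,nodev,noexec,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev 0 0
tmpfs /dev/shm tmpfs rw,nosuid,nodev,noexec 0 0
"""

# Assumed list of places an unprivileged desktop user can write (hypothetical user "mom").
USER_WRITABLE = ["/home/mom", "/tmp", "/var/tmp", "/dev/shm"]


def parse_mounts(text):
    """Return {mountpoint: set(options)}; a later mount on the same point wins."""
    mounts = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        mountpoint = fields[1].replace("\\040", " ")  # /proc/mounts escapes spaces
        mounts[mountpoint] = set(fields[3].split(","))
    return mounts


def covering_mount(path, mounts):
    """Longest mountpoint that is a path prefix of `path` (None if nothing matches)."""
    path = posixpath.normpath(path)
    best = None
    for mp in mounts:
        prefix = mp.rstrip("/") + "/"
        if (path + "/").startswith(prefix) and (best is None or len(mp) > len(best)):
            best = mp
    return best


def exec_allowed(paths, mounts):
    """(path, mountpoint) pairs where a file the user writes can be executed directly."""
    findings = []
    for path in paths:
        mp = covering_mount(path, mounts)
        if mp is not None and "noexec" not in mounts[mp]:
            findings.append((path, mp))
    return findings


if __name__ == "__main__":
    for path, mp in exec_allowed(USER_WRITABLE, parse_mounts(SAMPLE_MOUNTS)):
        print(f"{path}: on {mp}, which is mounted without noexec")
```

On a live system, pass the contents of `/proc/mounts` to `parse_mounts`. `noexec` only stops a file from being run directly; a script handed to an interpreter that is already installed still runs, so the option narrows the problem rather than removing it.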