LinuxQuestions.org
Old 03-10-2011, 02:37 PM   #1
Donny Bahama
Member
 
Registered: Aug 2009
Location: Margaritaville (a state of mind west of Las Vegas), NV
Distribution: Linux Mint
Posts: 61

Rep: Reputation: 1
Suggestions for "locked down Linux"?


I want to build a Linux desktop machine for my Mom. Her needs are fairly simple - email (including the safe viewing of attachments), web browsing, word processing and occasionally a little spreadsheet work. She'll probably also want to view/manage her digital photos and music.

On her current Windows box, I'm constantly cleaning up malware messes for her. I've tried setting up a good firewall, but it's always popping up "Do you want to allow..." messages that she doesn't understand so she simply allows everything. (Which makes the firewall nothing more than an annoyance for her.)

My thinking is that if I build her a Linux box, I can configure all her permissions such that she essentially has just a limited number of whitelisted apps - and none of them can do anything harmful. I'd also like to insure that none of her personal data (passwords, documents, etc.) can be compromised.

The whole thing needs to be dead simple to use (she's a senior citizen and not terribly computer-savvy), reliable, and ideally, require little or no administration/maintenance from me.

I'm somewhat of a Linux novice and have no experience trying to set something like this up. I'd appreciate any and all comments and suggestions for creating a "locked-down Linux" workstation.

Last edited by Donny Bahama; 03-10-2011 at 03:32 PM.
 
Old 03-10-2011, 03:00 PM   #2
Peufelon
Member
 
Registered: Jul 2005
Posts: 164
Blog Entries: 1

Rep: Reputation: Disabled
Suggestions

In brief:
  • install Debian stable
  • give her user a fairly strong password,
  • use a tool such as guarddog to set up a reasonably strong firewall,
  • have her use Iceweasel browser (works just like Firefox) and install and configure NoScript to work with her multimedia browsing habits,
  • if possible, set up her email to use webmail via SSL with a reasonably competent ISP,
  • if possible, once a month or so, use a tool like kpackage to install any patches for installed software,
  • (optional) set up Tripwire on her machine so that it emails weekly reports to you.
Many variations are possible.

Last edited by Peufelon; 03-10-2011 at 03:04 PM.
 
2 members found this post helpful.
Old 03-10-2011, 03:00 PM   #3
Noway2
Senior Member
 
Registered: Jul 2007
Distribution: Gentoo
Posts: 2,125

Rep: Reputation: 781
Back in December, I set my nearly 70-year-old mother up with Linux Mint. She has had no problems using it at all and even likes that it runs a lot faster. I performed the initial setup of Firefox, Thunderbird, printers, showed her how to connect her digital camera, etc. Afterwards, it was no more difficult to use than Windows. I set her up with a dyn-dns domain name and enabled the firewall to allow connections for SSH from my LAN only via key authentication (no passwords). This way, I can remotely administer the machine, if needed, almost as well as if I were sitting in front of it.
 
1 members found this post helpful.
Old 03-10-2011, 03:06 PM   #4
Peufelon
Member
 
Registered: Jul 2005
Posts: 164
Blog Entries: 1

Rep: Reputation: Disabled
I've used Linux Mint and will second the recommendation as an easy-to-use, easy-to-like experience. The only really crucial thing (IMO) which Noway2 left out is installing and configuring NoScript (whether in Firefox under Mint, or Iceweasel under Debian).
 
Old 03-10-2011, 03:08 PM   #5
anomie
Senior Member
 
Registered: Nov 2004
Location: Texas
Distribution: RHEL, Scientific Linux, Debian, Fedora
Posts: 3,935
Blog Entries: 5

Rep: Reputation: Disabled
Quote:
Originally Posted by Donny Bahama
I want to build a Linux desktop machine for my Mom. Her needs are fairly simple - email, web browsing, word processing and occasionally a little spreadsheet work. She'll probably also want to view/manage her digital photos and music.
Same situation for me mum. I set her up with Ubuntu, and the email / web / word and spreadsheet problem is licked. It prompts her to run security updates when needed.

Digital photos and music are a whole other problem. I've trained her a half dozen times on how to get photos off her camera. Still hasn't taken...
 
Old 03-10-2011, 03:10 PM   #6
anomie
Senior Member
 
Registered: Nov 2004
Location: Texas
Distribution: RHEL, Scientific Linux, Debian, Fedora
Posts: 3,935
Blog Entries: 5

Rep: Reputation: Disabled
Quote:
Originally Posted by Donny Bahama
... I'd also like to insure that none of her personal data (passwords, documents, etc.) can be compromised.

I'd appreciate any and all comments and suggestions for creating a "locked-down Linux" workstation.
Running GNU/Linux - period - is an improvement over what you're doing now. I would think twice before "locking it down" too substantially. If she can't use it at all, it may be secure, but it's also worthless.
 
Old 03-10-2011, 03:18 PM   #7
Peufelon
Member
 
Registered: Jul 2005
Posts: 164
Blog Entries: 1

Rep: Reputation: Disabled
Quote:
Originally Posted by anomie
I would think twice before "locking it down" too substantially. If she can't use it at all, it may be secure, but it's also worthless.
That is an important and valid point. So you could
  • set it up, as I suggested above (or similar)
  • make sure she knows how to bookmark
  • ask her to browse, use multimedia for a day and bookmark any sites where she had a problem
  • come back next day and change what you need to change

Last edited by Peufelon; 03-10-2011 at 03:19 PM.
 
Old 03-10-2011, 03:35 PM   #8
Donny Bahama
Member
 
Registered: Aug 2009
Location: Margaritaville (a state of mind west of Las Vegas), NV
Distribution: Linux Mint
Posts: 61

Original Poster
Rep: Reputation: 1
Thanks for the suggestions so far, everyone. I was leaning toward Mint and thinking of installing and configuring AppArmor to whitelist OpenOffice, Firefox, Thunderbird and photo/media apps.

Guarddog is a great suggestion (though I have MUCH to learn about iptables.)

I'm really hoping for a better alternative to NoScript. Blacklisting all scripts and then whitelisting on a site-by-site basis is exactly the sort of ongoing headache that Mom will fuss about. I was hoping for a configure-it-once-then-never-worry solution. Ideally, let all scripts run, but block certain script commands that have the potential for harm. (Perhaps that's an idealistic request?)

As for locking it down too tightly, as long as she can do the things I outlined in my initial post, it should be plenty usable for her.

Last edited by Donny Bahama; 03-10-2011 at 03:37 PM.
 
Old 03-10-2011, 03:39 PM   #9
luisrod
LQ Newbie
 
Registered: Nov 2010
Posts: 2

Rep: Reputation: 0
(Excuse the English.)
I used "brute force", using a virtual PC:

1) Install alacarte and remastersys
2) Remove a lot of programs with these:
– Applications – Add/Remove
– Synaptic Manager
– Ubuntu Software Center

3) Arrange the menu with alacarte.

4) Create *.iso with remastersys
 
Old 03-10-2011, 03:46 PM   #10
John VV
LQ Muse
 
Registered: Aug 2005
Location: A2 area Mi.
Posts: 17,624

Rep: Reputation: 2651
Quote:
I'm really hoping for a better alternative to NoScript
There really is not one.

There are ways to do SOME of the things without installing NoScript and Adblock Plus.
One is to use the system hosts file.
-- yes, the same way you would on Windows --
Redirect everything "bad" back to 127.0.0.1.
You can use Spybot S&D's hosts file.
 
1 members found this post helpful.
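
An added example, not part of the thread: one way to vet a downloaded hosts blocklist before merging it, so that only names pointed at 127.0.0.1 or 0.0.0.0 survive and a tampered list cannot repoint a real site to another address. The function names, the sample list and its domains are constructed for illustration.

```bash
# Added example: vet a third-party hosts blocklist before merging it into
# /etc/hosts. filter_blocklist and the sample data are constructed.

# Reads hosts-format text on stdin and prints only safe entries.
# Kept: names mapped to 127.0.0.1 or 0.0.0.0 with valid DNS syntax.
# Dropped: any other address (it would send that name to a machine chosen
# by whoever wrote the list), malformed names, and overrides of localhost.
filter_blocklist() {
    tr -d '\r' | awk '
        { sub("#.*", "") }                      # strip comments
        NF < 2 { next }                         # blank or incomplete line
        $1 != "127.0.0.1" && $1 != "0.0.0.0" {
            print "rejected: " $0 > "/dev/stderr"; next
        }
        {
            for (i = 2; i <= NF; i++) {
                h = tolower($i)
                if (h == "localhost" || h ~ /^localhost\./) continue
                if (h !~ /^[a-z0-9]([a-z0-9-]*[a-z0-9])?(\.[a-z0-9]([a-z0-9-]*[a-z0-9])?)+$/) {
                    print "rejected: " $i > "/dev/stderr"; continue
                }
                if (!seen[h]++) print "127.0.0.1 " h   # normalise, dedupe
            }
        }'
}

# Constructed sample with Windows (CRLF) line endings.
sample_list() {
    printf '%s\r\n' \
        '# constructed blocklist' \
        '127.0.0.1 localhost' \
        '127.0.0.1 ads.example.com tracker.example.net' \
        '0.0.0.0 ADS.example.com' \
        '203.0.113.7 bank.example.org' \
        '127.0.0.1 bad_host!.example.com'
}

sample_list | filter_blocklist
# Real use (file name is a placeholder):
#   filter_blocklist < downloaded-hosts.txt | sudo tee -a /etc/hosts
```

Rejected lines are reported on stderr, so the list can be reviewed before anything is appended to /etc/hosts.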
Old 03-10-2011, 03:53 PM   #11
Donny Bahama
Member
 
Registered: Aug 2009
Location: Margaritaville (a state of mind west of Las Vegas), NV
Distribution: Linux Mint
Posts: 61

Original Poster
Rep: Reputation: 1
I don't just want to hide things from her. I'm not trying to lock everything down because I'm concerned about her messing things up. But to the extent that her user account doesn't have permission to do harm, then malicious scripts and email attachments won't be able to wreak havoc, either. Beyond her user account, I also have concerns about someone hacking in via an account with higher (even root) permissions.
 
Old 03-10-2011, 03:56 PM   #12
repo
LQ 5k Club
 
Registered: May 2001
Location: Belgium
Distribution: Arch
Posts: 8,529

Rep: Reputation: 899
A good firewall, and a strong root password will do the trick.
You can eventually install an antivirus.

Kind regards
 
Old 03-10-2011, 03:57 PM   #13
Donny Bahama
Member
 
Registered: Aug 2009
Location: Margaritaville (a state of mind west of Las Vegas), NV
Distribution: Linux Mint
Posts: 61

Original Poster
Rep: Reputation: 1
Quote:
Originally Posted by John VV
you can use Spybot S&D's hosts file
Cool idea! Exactly the kind of suggestion I'm looking for.
 
Old 03-10-2011, 04:03 PM   #14
Donny Bahama
Member
 
Registered: Aug 2009
Location: Margaritaville (a state of mind west of Las Vegas), NV
Distribution: Linux Mint
Posts: 61

Original Poster
Rep: Reputation: 1
Quote:
Originally Posted by repo
A good firewall, and a strong root password will do the trick.
You can eventually install an antivirus.
I was hoping to preemptively lock things down such that antivirus was unnecessary. Zero-day attacks aside, it's just one more thing to pop up and perplex/alarm my atechnical Mom. (There's those pesky false positives to worry about, too.) As long as nothing could be written (by her user account) that has executable permission, wouldn't that eliminate such issues?
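
An added example, not part of the thread: the usual mechanism for "nothing her account writes can be executed" is the noexec mount option, and this sketch lists user-writable directories whose filesystem lacks it. The function names, the /home/mom path and the sample mount table are constructed for illustration.

```bash
# Added example: list user-writable directories where a dropped file could
# still be executed directly. exec_writable_dirs, /home/mom and the sample
# mount table are constructed.

# Reads /proc/mounts-format text on stdin. For each directory argument,
# finds the filesystem that contains it (longest matching mount point, the
# most recent mount winning ties) and prints the directory if that
# filesystem is mounted read-write without the noexec option.
exec_writable_dirs() {
    awk -v dirs="$*" '
        BEGIN { n = split(dirs, want, " ") }
        { mp[NR] = $2; opts[NR] = "," $4 ","; cnt = NR }
        END {
            for (i = 1; i <= n; i++) {
                best = 0; len = -1
                for (m = 1; m <= cnt; m++) {
                    p = mp[m]
                    # mount point is "/", the directory itself, or a parent
                    hit = (p == "/" || want[i] == p || index(want[i], p "/") == 1)
                    if (hit && length(p) >= len) { len = length(p); best = m }
                }
                if (best && opts[best] ~ /,rw,/ && opts[best] !~ /,noexec,/)
                    print want[i]
            }
        }'
}

sample_mounts() {
    cat <<'EOF'
/dev/sda1 / ext4 rw,relatime 0 0
tmpfs /dev/shm tmpfs rw,nosuid,nodev 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,noexec 0 0
/dev/sda2 /home ext4 rw,nosuid,nodev,noexec,relatime 0 0
EOF
}

sample_mounts | exec_writable_dirs /home/mom /tmp /var/tmp /dev/shm
# On a live system: exec_writable_dirs /home/mom /tmp < /proc/mounts
```

A noexec mount only blocks running a file directly from that filesystem; a script saved there can still be run by handing it to an interpreter such as sh or python, and JavaScript inside the browser is unaffected.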
 
Old 03-10-2011, 04:15 PM   #15
repo
LQ 5k Club
 
Registered: May 2001
Location: Belgium
Distribution: Arch
Posts: 8,529

Rep: Reputation: 899
Quote:
I was hoping to preemptively lock things down such that antivirus was unnecessary.
Then there will be no mail?
Quote:
I can configure all her permissions such that she essentially has just a limited number of whitelisted apps - and none of them can do anything harmful
Mail and browser are potentially dangerous.

Quote:
it's just one more thing to pop up and perplex/alarm my atechnical Mom.
Install fetchmail, spamassassin and procmail with antivirus protection; no popups will be shown.

Viruses and malware for Linux are not that widespread.
Aren't you a bit too paranoid?

Kind regards
 
  

