LinuxQuestions.org
Old 04-16-2014, 11:26 PM   #1
HusseinMoussa
Member
 
Registered: Apr 2014
Location: Cairo, Egypt
Distribution: Mint, Ubuntu, Lubuntu, Xubuntu, Kubuntu, OpenSUSE, Debian, Fedora, TailsOS, Whonix, Liberte, dsl
Posts: 71

Rep: Reputation: 0
Question What is security for average joe?


Hi,
My question revolves around what is security like for an average user like me and other people around the world

Let me introduce myself (my background with the OSs generally) since we don't know one another just to save time

I've been a windows user since 1995, I used to run most of my games from DOS so I'm familiar with boring black and white screens with many lines! Haha

I also used to play around with files of Windows and stuff like that; for example, I tracked down every single file of a program called System File Checker on Win ME, copied them all into one folder, ran the program on Win98 and made it scan the system with results on my friend’s computer. (BTW, I’m not saying that I’m a genius or anything, I’m just saying that I was a young kid who didn’t settle for clicking and right-clicking!) Anyway, he was an engineer, he liked what I did and told me about this thing called Linux. “Something like Windows,” he said. (Of course he just wanted to simplify things for me then.) I said OK, let me see. I ran it with the QEMU emulator and so on...


I liked it. So I searched, and found Ubuntu. But I didn’t stop there. I had more free time on my hands, so I tried Xubuntu, Kubuntu, Lubuntu (much earlier, before it became a relatively stable distro), and recently I just ran Mint. But I’m not an expert with the shell and the terminal commands and such (yet!)

And finally I have downloaded, like, almost literally a dozen .ISOs and files of many distros of Linux and BSDs to check out and settle on a specific one to take for a looong journey (haven’t installed the BSDs yet, but that’s a different issue from my questions).

I also understand that BSD is somehow different from Linux, with the tools of the repositories and such.

Quote from wiki:

“FreeBSD is a complete operating system. The kernel, device drivers, and all of the userland utilities, such as the shell, are held in the same source code revision tracking tree. (This is in contrast to Linux distributions, for which the kernel, userland utilities, and applications are developed separately, and then packaged together in various ways by others.) Third-party application software may be installed using various software installation systems, the two most common being source installation and package installation, both of which use the FreeBSD Ports system.”

I understand the concept of the same source, but have no actual/technical knowledge about it. All I’m saying is (and please don’t be offended by the direct approach, English is not my native tongue) I have a small idea about this “stuff”. I’m no techie here. But I plan to be.

So, now for the discussion I’m hoping I have:


Even after all this long introduction, I’m still an average joe. So I just want to understand what the famous OpenBSD (and Linux of course) “security” will do to me as an average user (well, maybe if I liked/understood it, I might be not only an average user but an average user who’s willing to be a programmer someday).

You know, I read a lot about privacy and security and programming languages, but, I still can’t put my finger on what is this “security” everyone is talking about.


Let’s talk practically here (giving practical examples that I need explanation/guidance for):

For example: (and sorry if I sounded so rookie to you guys, but people like me do exist! )

What about Firefox addons:



I actually use:

Noscript – Disconnect – Disconnect facebook – Disconnect Twitter – Disconnect google – DoNotTrack me – Adblock Plus – HTTPS Everywhere from the eff.org guys – and even: Google Analytics Opt-out Browser Add-on 0.9.6 (after some average-joe persistent search on the subject!)

I read things on prism-break.org

And I read somewhere on the internet that Addons reveal your ID or something other than that...(Maybe on a TOR-related article)


So,


1- Are these things what we’re talking about here? Just some Pre-set safety gadgets/features in OpenBSD/Linux?


Or


2- Is this “security” thingy related to the coding/programming programmy stuff that pros do on the system itself? (if it is, then it will be of course a whole different thing now)


(Again and again, I apologize if my imagination sounds childish or trivial to you guys. Well, I have two reasons for that: the first is that I’m doing this on purpose, because I really want to spread the message of the freedom of software and the tools which people can use to better their lives. I’m a total believer and want to learn, even if I sounded brashly annoying (sorry!).
I could be the missing link between the pros and the amateurs here.
I really wanna preach on with the whole thing with the open-source software programming and the security/privacy thing. Think of me as that annoying/curious student who really wants to learn; So encourage me, don’t scold me. I’m well-intentioned and I like this programming world! I hope I can be part of it someday.
And the second reason why I sound childish and brash, is my vocabulary of English. It’s not much. So I tend to use simpler words.

And I ask you (please) to use simpler language (without cultural metaphors and stuff). Not baby language but just a simple/clear one.

I mean the best answer for me would be:

“Yes, “security” is what you said in number 2” or “Yes, It’s closer to number 1”

Peace out, people!

(Note: Please ignore the BSD bit. This post was intended to be on a BSD forum. The registration process takes a longer time than usual, but I couldn't wait to share my thoughts! So I registered here, and I hope to find interaction/guidance.)
 
Old 04-17-2014, 12:02 AM   #2
sag47
Senior Member
 
Registered: Sep 2009
Location: Raleigh, NC
Distribution: Ubuntu, PopOS, Raspbian
Posts: 1,899
Blog Entries: 36

Rep: Reputation: 477
Welcome to LQ!

Security is more than just "set it and forget it" OS settings and the like. Security has a field of its own as a profession where there's things called intrusion detection systems and intrusion prevention systems. There's mailing lists where CVE security bulletins come out to let you participate in discussions of known vulnerabilities. There's sites such as the national vulnerability database etc. I presume that you're more interested in your personal system security so I'll start there.

First, like I said security is a living breathing thing and not set it and forget it. Take for example your noscript addon. When you regularly browse websites you review which sites are attempting to execute JavaScript and then you make an active decision on whether or not to allow certain sites to execute JavaScript. That act of review and allow (or continue to block) is an example of security. Many people don't practice that.

Keeping your system up to date with the latest security patches is another form of security. You want to ensure that your system doesn't get too far out of date because if your software gets too old things that were once zero day vulnerabilities become well known vulnerabilities and often end up in script kiddie toolkits.

You should familiarize yourself with the logs of your system and regularly review your logs. For example, I use KDE and have logs streaming on my desktop background using KDE widgets. One day I forgot to close my personal firewall (I use iptables but if you go the BSD route you'll likely encounter ipfw). I noticed that my SSH was being brute forced from several IPs (Amazon AWS, and a few from China). From there, I re-enabled my firewall to block further attack and then I proceeded to gather my log information and research the IP addresses. I found out one of them was from Amazon AWS so I reported the abuse to Amazon (there's not much I could do about the China IP). So there's an example where regular log review protected me from my system being hacked and I mitigated it by tightening up my firewall.

Since we're on the topic of firewalls I guess I'll mention that next. Run a firewall. Many distros (for example Ubuntu) come pre-installed with a firewall however the firewall is disabled (i.e. allows all connections). You must learn how to configure the firewall for the system you're using. Ubuntu uses ufw (uncomplicated firewall) which is simply a wrapper script for iptables. Fedora uses firewalld which is also a wrapper for netfilter iptables. As I mentioned earlier FreeBSD uses ipfw. No matter what distro you're using you should familiarize yourself with the Firewall on your system and how to enable it, add, and modify rules.

There is no "end all" security solution. Security is layers. Security is also user behavior. Resisting the urge to click the image of the giant python snake attacking a crane because it looks cool but instead leads to a malware install is all part of it. Security minded users must not only be vigilant on the web but also disciplined in how they interact with the Internet and resisting the urges of curiosity (unless at least taking into account the risks first or doing it in a way the risks are mitigated).

The next topic is data security. How would you feel if someone posted the entire contents of your hard drive on the Internet right now? Are you comfortable with that thought? If you aren't then you need to rethink how you secure your personal information. Using tools such as TrueCrypt or GPG to encrypt your files should be regular practice. You should encrypt your disk drives as well, which will protect you from people running a live CD and accessing your data when they have physical access to your machine (e.g. it was stolen). A quick note on encryption: be SURE to follow local laws. I'm a citizen of the United States so I understand that in my locale it is legal to use encryption and best data practices to secure my data (and the 5th Amendment protects me from having to give up my encryption keys). However, some countries heavily restrict how encryption is allowed to be used and in some cases it is outlawed completely and illegal. I implore you to talk to local law enforcement or a lawyer on laws which may affect how you're allowed to use encryption in your country.

So a flat answer for you is: Security is real. Security is necessary. It's also an active effort most of the time. I'll leave you with that as a brief introduction and feel free to ask follow up questions.

Last edited by sag47; 04-17-2014 at 08:52 AM.
 
3 members found this post helpful.
Old 04-17-2014, 10:50 AM   #3
sundialsvcs
LQ Guru
 
Registered: Feb 2004
Location: SE Tennessee, USA
Distribution: Gentoo, LFS
Posts: 10,659
Blog Entries: 4

Rep: Reputation: 3940
"Security is a process, not a product."

That's true whether you're talking about computer security or the front door of your house. (A remarkable number of houses are built with a window immediately adjacent to the front door. If the door is actually locked, the window probably isn't, etc.)

It's also worth remembering, though, that computer intrusion these days is very much a crime of opportunity. There are millions of accessible computers, and a relatively low percentage of people who are aware of security issues that do apply to them, and a dearth of applicable laws. It really only takes a slight amount of defense, sometimes, to distinguish your systems from the easier-targets who have no protection at all.
 
1 members found this post helpful.
Old 04-17-2014, 02:24 PM   #4
HusseinMoussa
Member
 
Registered: Apr 2014
Location: Cairo, Egypt
Distribution: Mint, Ubuntu, Lubuntu, Xubuntu, Kubuntu, OpenSUSE, Debian, Fedora, TailsOS, Whonix, Liberte, dsl
Posts: 71

Original Poster
Rep: Reputation: 0

Wow, sag47. You don't know how helpful your post is to me.

I might need to tone my eagerness to learn a little bit down haha

But I really want to know more information about the whole thing.

And you're right, right in this moment/phase, I'm concerned about my personal system security. Maybe if I advance in the knowledge and after I learn some programming I might consider knowing more about the security deal.

I do realize this behavior of user thing. I sometimes can realize bad software or sites that try to redirect me to harmful content, and I feel like I'm a little more aware than the average user. And personally, I really enjoy explaining these things and ideas to users who know less about the subject, you know. So, I need more knowledge to explain and to be more able to simplify information better to people.

May I ask you, Where do you think should I start? Is there, like, a free online course that I can join or read?

I feel a little lost between all the websites

Last edited by unSpawn; 04-18-2014 at 09:53 PM. Reason: //dont quote whole posts please.
 
Old 04-18-2014, 09:44 PM   #5
HusseinMoussa
Member
 
Registered: Apr 2014
Location: Cairo, Egypt
Distribution: Mint, Ubuntu, Lubuntu, Xubuntu, Kubuntu, OpenSUSE, Debian, Fedora, TailsOS, Whonix, Liberte, dsl
Posts: 71

Original Poster
Rep: Reputation: 0

Hi sag47 and sundialsvcs

Sorry for my late reply, I don't know if posts are being moderated or what. Anyway, I just wanted to say your posts are a huge help for me, thanks a lot for the info.

You also gave me the idea to read about encryption as well. I'm so beginner at this. I've asked in other forums as well, and found out that I do need to do more reading on the matter. Please, if you know any websites or resources on the internet, please provide me with them (books or videos for beginners maybe).

I think I still wanna know more about the concepts of programming, encryption, and things like that.

Thanks a lot for your introductions and explanations very helpful
 
Old 04-21-2014, 08:09 AM   #6
sag47
Senior Member
 
Registered: Sep 2009
Location: Raleigh, NC
Distribution: Ubuntu, PopOS, Raspbian
Posts: 1,899
Blog Entries: 36

Rep: Reputation: 477
Quote:
Originally Posted by HusseinMoussa
May I ask you, Where do you think should I start? Is there, like, a free online course that I can join or read?
Sure I don't mind.
  • The first website I usually go to for in-depth learning on subjects is The Linux Documentation Project (TLDP) for example the Linux Security HOWTO.
  • As I mentioned in my first post familiarize yourself with your system logs. For example, on Ubuntu I figured out I was being brute force attacked by viewing /var/log/auth.log. If you have Windows systems they have logs too. Learn how to use "tail -f". See the tail man page. Look at logs while you're doing stuff so that you can see what is output. Learn how to configure your logs for more/less verbosity. e.g. sshd you can modify the log verbosity in /etc/ssh/sshd_config (see the sshd_config man page).
  • The netfilter.org documentation is a good resource for learning about Firewalls, filtering, and other security concerns.
  • I also read articles on Wikipedia (see encryption where you'll find links about symmetric and asymmetric encryption).
  • Understanding the tools which are on your system is a big step in knowing what you have available security-wise (e.g. mitigating, minimizing, and averting attacks) as well as general system maintenance which help to prevent attacks. I usually point people to the coreutils manual because coreutils contains the majority of commands in most Linux distributions.

This is mostly stuff I've figured out on my own. So I'm sure you'll be fine. Security is not some enlightenment that you reach. It's more of a decision to *attempt* to behave responsibly on the Internet to the best of your ability. Of course, a few of the basics should be known (firewalls, encryption concepts and when it is appropriate, etc.). Research the laws associated with Encryption for your country (note that is one example and Wikipedia is not an authoritative resource on law you should speak to someone who really knows).

I encrypt all of my files using GPG. I share most of my scripts including my scripts for encrypting and decrypting files.

I'll leave you with that. Everybody in security feels clumsy. It's once you get a few years of practice it only feels *less* clumsy.

Last edited by sag47; 04-21-2014 at 08:21 AM.
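
The log review described in posts #2 and #6 (spotting an SSH brute-force attempt in /var/log/auth.log), as an added example that is not part of the original posts. It assumes OpenSSH's usual "Failed password for ... from ADDRESS" message; the function names and the sample lines are constructed for this example.

```shell
#!/bin/sh
# Added example: count failed SSH password attempts per source address
# from auth.log-style lines. Function names are this example's own.

# Constructed sample lines (documentation-range addresses), not real logs.
sample_auth_log() {
    cat <<'EOF'
Apr 16 21:03:11 desktop sshd[4211]: Failed password for root from 203.0.113.45 port 51122 ssh2
Apr 16 21:03:14 desktop sshd[4211]: Failed password for root from 203.0.113.45 port 51122 ssh2
Apr 16 21:03:19 desktop sshd[4215]: Failed password for invalid user admin from 203.0.113.45 port 51140 ssh2
Apr 16 21:04:02 desktop sshd[4230]: Failed password for invalid user test from 198.51.100.7 port 40022 ssh2
Apr 16 21:05:40 desktop sshd[4302]: Accepted publickey for sam from 192.0.2.10 port 50522 ssh2
Apr 16 21:06:01 desktop CRON[4310]: pam_unix(cron:session): session opened for user root by (uid=0)
Apr 16 21:07:12 desktop sshd[4350]: Failed password for sam from 192.0.2.10 port 50600 ssh2
EOF
}

# Print "COUNT ADDRESS" per source, busiest first. Reads log lines on stdin.
failed_ssh_by_ip() {
    awk '
        /sshd\[[0-9]+\]: Failed password for / {
            # Scan from the right for "from": the remote side chooses the
            # user name, so it could itself be the word "from".
            for (i = NF - 1; i > 0; i--)
                if ($i == "from") { count[$(i + 1)]++; break }
        }
        END { for (ip in count) print count[ip], ip }
    ' | LC_ALL=C sort -k1,1nr -k2,2
}

# Print only the addresses with at least $1 failed attempts.
sources_over_threshold() {
    failed_ssh_by_ip | awk -v min="$1" '$1 >= min { print $2 }'
}

# Demo on the sample; on a real Ubuntu system use instead:
#   failed_ssh_by_ip < /var/log/auth.log
sample_auth_log | failed_ssh_by_ip
```

Reading /var/log/auth.log on Ubuntu normally requires root or membership in the adm group. Addresses that stand out here are candidates for the firewall rules and abuse reports described in post #2.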
 
Old 04-23-2014, 09:50 AM   #7
sag47
Senior Member
 
Registered: Sep 2009
Location: Raleigh, NC
Distribution: Ubuntu, PopOS, Raspbian
Posts: 1,899
Blog Entries: 36

Rep: Reputation: 477
Also, I probably should have mentioned this in my earlier posts. You should practice safe password storage. You should also practice using a different password everywhere. I'll admit that at one time I used the same or similar password in many places (even recently I did). However, Adobe had their password database breach and it was easy to figure out other people's passwords since the database was so large and there were many hints for the same password (because Adobe used poor practices for password storage, but that's a different story and gripe, or I can explain if you like). As a result of that breach my Twitter account was hacked because the usernames I used at Twitter and Adobe were similar but the passwords were the same.

Now I use KeePassX. I have a random password for different websites and the database keeps track of all of them. For my less sensitive websites I simply save the complicated password in the browser. Note: you shouldn't save sensitive website passwords in your browser (e.g. department of education, banking, social security). So you should utilize random passwords which are generated for you by software and then let the password manager handle the complication. KeePassX has Android, iOS, and other mobile clients which people have made as well to open the KeePass database.

Also, I see you mentioned you wanted to get better at the command line and learn programming in general. I wrote a well formed reply for another LQ user which I think you would find useful. Programming is for everybody in my opinion whether you're a simple spreadsheet jockey or a senior programmer.
 
  



All times are GMT -5. The time now is 12:16 AM.
