Linux Security Measures


11 replies to this topic

#1 pcpunk

pcpunk

  • Members
  • 6,108 posts
  • Gender:Male
  • Location:Florida

Posted 07 June 2015 - 07:53 PM

I know this has been done to death, but it's an interesting and important topic.  Anyone who is running any type of security software, please post your experiences and links here.  I'll start off with one from home as usual:

 

http://www.bleepingcomputer.com/forums/t/467080/antivirus-for-linux/?p=2825606

 

http://www.ibm.com/developerworks/library/l-selinux/

 

http://www.eset.com/us/home/products/antivirus-linux/

 

http://www.tuxradar.com/content/get-best-virus-scanner-linux

 

https://wiki.ubuntu.com/BasicSecurity

 

Thanks pcpunk



 

KDE, Ruler of all Distro's

eps2.4_m4ster-s1ave.aes_pcpunk_leavemehere

 



 


#2 Guest_hollowface_*

Guest_hollowface_*

  • Guests

Posted 08 June 2015 - 01:21 AM

Nothing major to share, but I've been fiddling around with Elementary OS in a virtual-machine, and I wanted some basic firewall protection while I'm using it. Elementary OS comes with a firewall, but it's not turned on so I enabled it and created some basic rules.  

Rules:
Deny TCP ipv6 in 1-65535
Deny TCP ipv4 in 1-65535
Deny UDP ipv6 in 1-65535
Deny UDP ipv4 in 1-65535

So these rules deny incoming TCP and UDP connections on all ports. This means I can use the network, but I'm only exposed on connections I start; everything else incoming from outside sources is blocked. To verify the rules were working I used netcat on Lubuntu to try and send a message to my terminal. When the firewall is on I can send a message to Lubuntu, but can't receive one. When the firewall is off I can send and receive. Which is exactly what I wanted.

Screenshots of the test (images not reproduced here):

1. Sending a message to Lubuntu
2. Sending a message to Elementary with the firewall rules enabled
3. Sending a message to Elementary with the firewall rules disabled

Edited by hollowface, 08 June 2015 - 01:22 AM.


#3 NickAu

NickAu

    Bleepin' Fish Doctor


  • Moderator
  • 13,563 posts
  • Gender:Male
  • Location:127.0.0.1 Australia

Posted 08 June 2015 - 01:56 AM

Playing with iptables can be fun.................. until you mess it up so bad you can't do anything, LOL...... kinda like I did a long time ago.

Basic Guide on IPTables (Linux Firewall) Tips / Commands

 

The Beginner's Guide to iptables, the Linux Firewall


Edited by NickAu, 08 June 2015 - 01:56 AM.


#4 mremski

mremski

  • Members
  • 498 posts
  • Gender:Male
  • Location:NH

Posted 08 June 2015 - 05:46 AM

hf:  that can be simplified/stated more elegantly.

 

Start with a default deny stance: everything is dropped unless explicitly allowed.  You wind up having simpler rules, and a better position overall, because it's much easier to turn something on than to turn something off if you don't need it.  A good example would be NETBIOS traffic from Windows machines: if your Linux box is a gateway for them, you want to just drop all of that, and especially don't leak it to the Internet.

Here's an example pulled from http://superuser.com/questions/427458/deny-all-incoming-connections-with-iptables

The default policies shown deny all incoming and forwarding traffic, permit everything on loopback and, finally, allow established connections to come back in.
To fine-tune, you could change the default output policy to DROP and then explicitly add rules for the traffic you want to allow.  HTTP/HTTPS, SSH, NTP, DNS, SMTP/SMTPS, POP3/POP3S and IMAP are often enough to do 90% of what a typical end user needs.

# Set default chain policies
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT

# Accept on localhost
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

# Allow established sessions to receive traffic
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

FreeBSD since 3.3, only time I touch Windows is to fix my wife's computer
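The default-deny stance mremski describes above, and the "deny everything inbound" ufw rules hollowface posted earlier, can both be expressed as one iptables-restore file instead of a sequence of iptables -A commands. This is an added example and not code from the thread or from the superuser answer: iptables-restore loads the whole table atomically, so there is no half-applied state, and pairing it with a timed rollback is the usual guard against the lock-out NickAu mentions. The port list, file names, the 60-second grace period and the FIREWALL_PRINT switch are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Generates an iptables-restore ruleset
# implementing a default-deny inbound policy, applies it with a timed
# rollback, and checks the result from a second host. Paths, the grace
# period and the port list are illustrative assumptions.

# gen_ruleset [TCP_PORT ...]
# Print a *filter table in iptables-restore format: drop all inbound and
# forwarded traffic, accept loopback and replies to connections this host
# started, and accept NEW TCP connections only on the ports given.
gen_ruleset() {
    printf '%s\n' '*filter'
    printf '%s\n' ':INPUT DROP [0:0]'
    printf '%s\n' ':FORWARD DROP [0:0]'
    printf '%s\n' ':OUTPUT ACCEPT [0:0]'
    printf '%s\n' '-A INPUT -i lo -j ACCEPT'
    printf '%s\n' '-A OUTPUT -o lo -j ACCEPT'
    printf '%s\n' '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    # Packets conntrack cannot classify (bad TCP flags, stray ACKs) are
    # dropped before any per-port rule sees them.
    printf '%s\n' '-A INPUT -m conntrack --ctstate INVALID -j DROP'
    for port in "$@"; do
        case "$port" in
            ''|*[!0-9]*) echo "gen_ruleset: bad port '$port'" >&2; return 1 ;;
        esac
        if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
            echo "gen_ruleset: port out of range '$port'" >&2; return 1
        fi
        printf '%s\n' "-A INPUT -p tcp --dport $port -m conntrack --ctstate NEW -j ACCEPT"
    done
    printf '%s\n' 'COMMIT'
}

# apply_with_rollback RULEFILE [GRACE_SECONDS]
# Root only. Save the live ruleset, schedule its restoration in the
# background, then load RULEFILE atomically. If the new rules cut off the
# session you are working in, do nothing and the old rules come back after
# the grace period; if you can still get in, cancel with: kill "$ROLLBACK_PID"
apply_with_rollback() {
    rulefile=$1
    grace=${2:-60}
    backup=$(mktemp) || return 1
    iptables-save > "$backup" || return 1
    # nohup keeps the timer alive if the SSH session that started it drops.
    nohup sh -c "sleep $grace; iptables-restore < '$backup'; rm -f '$backup'" \
        >/dev/null 2>&1 &
    ROLLBACK_PID=$!
    iptables-restore < "$rulefile"
}

# inbound_blocked HOST PORT
# Run from another machine, as hollowface did with netcat. With a DROP
# policy no RST comes back, so a blocked port shows up as a timeout rather
# than a refusal; -w 3 bounds the wait. Returns 0 when the connect fails.
inbound_blocked() {
    ! nc -z -w 3 "$1" "$2" >/dev/null 2>&1
}

# Run directly with FIREWALL_PRINT=1 to emit a ruleset for the given ports,
# e.g.: FIREWALL_PRINT=1 sh firewall.sh 22 443 > /etc/iptables/rules.v4
if [ "${FIREWALL_PRINT:-0}" = 1 ]; then
    gen_ruleset "$@"
fi
```

The same file can be fed to ip6tables-restore for the IPv6 side, which hollowface's ufw rules cover as a separate pair of entries; locking down IPv4 while leaving IPv6 at its default ACCEPT policy is an easy gap to miss. The rollback timer is the practical answer to "mess it up so bad you can't do anything": an unreachable box restores its previous rules by itself.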


#5 Guest_hollowface_*

Guest_hollowface_*

  • Guests

Posted 08 June 2015 - 02:02 PM

Here's an example pulled from http://superuser.com/questions/427458/deny-all-incoming-connections-with-iptables


I'm familiar with the general approach. I don't typically bother with a firewall in my VMs (given what they're usually used for), but back when I was multibooting I usually used iptables whenever I needed a firewall, as you can do a lot more in it than with any front-end for it, though it comes at the cost of convenience. I'm a newb with Elementary OS, so I decided to try the Firewall app instead.

#6 NickAu

NickAu

    Bleepin' Fish Doctor


  • Moderator
  • 13,563 posts
  • Gender:Male
  • Location:127.0.0.1 Australia

Posted 08 June 2015 - 04:17 PM

 

I don't typically bother with a firewall in my vms

Same here.



#7 macnux

macnux

  • Members
  • 1 post

Posted 09 September 2018 - 04:49 PM

Firewalls are my best friends, especially iptables.

I can't live without it. This post reminds me of my first time when I tried to write my first iptables rule. I used this tutorial to understand the basics.

And yes, I use firewalls in and outside VMs.



#8 SuperSapien64

SuperSapien64

  • Members
  • 979 posts
  • Gender:Male

Posted 09 September 2018 - 05:51 PM

Firejail (sandbox) https://firejail.wordpress.com/    https://firejail.wordpress.com/features-3/#security



#9 rufwoof

rufwoof

  • Members
  • 131 posts

Posted 09 September 2018 - 05:55 PM

A browser bug permits a dubious web site, or an advert displayed in another web site, to achieve remote code execution that sends out requests to the hacker's web site and executes what is returned. The firewall is mitigated (unless it is a reverse firewall). After several iterations of requesting (outbound-initiated request), receiving and executing the returned code, it takes little time to refine what the hacker is sending to your specific hardware/OS/network. Running X? Well, it's quite easy then to see what other X windows are showing, and also to log what mouse/keystrokes are occurring (and even toggling xterm's Secure Keyboard mode doesn't prevent monitoring of the keystrokes).

 

Security is like defence: it takes much effort/time/cost only to be as strong as the weakest link. A single lapse on a persistent (across reboots) OS, and systems can have been compromised in the past unknowingly and continue to be pwned. Virus scanners strive to identify "known" viruses, but miss unknowns.

 

Security is a process, not a product. And it's better to assume that you will be compromised rather than opining that your security is strong/sound, and then take appropriate measures to reduce the risks. Likely, for desktop systems, data is the most invaluable, so good backups. Reducing the potential for persistence is another, as is isolating prime data. Ask yourself questions such as "if my system has been hacked to CLI root level, what might they do and how might I best protect myself, and other systems/users on the same LAN segment, against that damage/loss?" Or "if my laptop is stolen, what damage/loss would that have (user IDs, passwords, document contents, etc.)?"

 

Security bugs are no different to any other bug: flaws that are common, but in the security sense are bugs that permit the flaw to be induced and/or permit potential exploitation, such as repointing the next instruction pointer to somewhere where the hacker has the ability to write. Some browser maintainers even publish all of the flaws for each version of their browser, handy references for hackers for when they detect such an older browser version visiting their web site, as not everyone upgrades their browser in a timely manner.

 

By all means reduce the risk, but don't assume any security system is secure. Security and usability are inversely correlated, the best secure cases likely are unusable in the real world.

 

The greatest benefit is that the appeal for hackers to attack individuals is very, very low. Generally high potential penalties with low rewards. Better targets lie elsewhere. But that's not always the case; high volumes, with a few being hit with the likes of ransomware, can have appeal for some hackers.


OpenBSD (-release) data server (that auto detects and rsshfs mounts one of its folders onto my desktop system).

Desktop system sshfs mounts my android phone (SSHelper app installed on phone).

Desktop system runs X under non-root, and is mostly booted read only (desktop changes lost at shutdown/reboot).


#10 Mike_Walsh

Mike_Walsh

    Bleepin' 'Puppy' nut..!!


  • Members
  • 1,413 posts
  • Gender:Male
  • Location:King's Lynn, UK

Posted 09 September 2018 - 07:39 PM

Mostly we use the default Firewall that comes with Puppy. It's been updated in recent years, to become a lot more 'granular', yet at the same time easier to set-up. Its current format is based on one published by Slackware blogger & developer, AlienBob.

 

Personally, I also occasionally run a system scan with Comodo's 'AV for Linux'. I have a single, remote install of this on a 'data' partition, sym-linked into each and every Pup at the appropriate points (so that each Pup thinks it's a 'local' install). For some reason, the 64-bit version won't run correctly in Puppy (not for lack of troubleshooting!).....but the 32-bit version runs happily in Pups of both 'arches'.

 

It just makes sense to me to have all Pups 'singing from the same hymn-sheet', and using the same database of definitions. I used Comodo for many years under Windoze, and never had any real fault to find with it.

 

https://www.comodo.com/home/internet-security/antivirus-for-linux.php

 

I have to agree with others on here; security isn't just summat you install, and that's it.....it's a 'mind-set', and, moreover, a continuous, on-going process (which you have to stay alert & on top of).

 

 

Mike.  :wink:


Edited by Mike_Walsh, 09 September 2018 - 07:45 PM.

Distros:- Multiple 'Puppies'..... and Anti-X 16.1

My Puppy BLOG ~~~  My Puppy PACKAGES

Compaq Presario SR1916UK; Athlon64 X2 3800+, 3 GB RAM, WD 500GB Caviar 'Blue', 32GB Kingspec PATA SSD, 3 TB Seagate 'Expansion' external HDD, ATI Radeon Xpress 200 graphics, Dell 15.1" pNp monitor (1024 x 768), TP-Link PCI-e USB 3.0 card, Logitech c920 HD Pro webcam, self-powered 7-port USB 2.0 hub

Dell Inspiron 1100; 2.6 GHz 400FSB P4, 1.5 GB RAM, 64GB KingSpec IDE SSD, Intel 'Extreme' graphics, 1 TB Seagate 'Expansion' external HDD, M$ HD-3000 'Lifecam'.

 


 

 


#11 rufwoof

rufwoof

  • Members
  • 131 posts

Posted 10 September 2018 - 01:11 AM

I activate every firewall available, as that potentially isolates access from anything else that might have been penetrated on the same LAN. I don't use VMs, but if I did I'd also set the VM's firewall active as well. Software virtualisation isn't as secure as physical separation (for instance, it can be trivial for a hacker to break out of chroots, such that if they gain access to a container that can quickly lead to also having gained access to the main host).


OpenBSD (-release) data server (that auto detects and rsshfs mounts one of its folders onto my desktop system).

Desktop system sshfs mounts my android phone (SSHelper app installed on phone).

Desktop system runs X under non-root, and is mostly booted read only (desktop changes lost at shutdown/reboot).


#12 SuperSapien64

SuperSapien64

  • Members
  • 979 posts
  • Gender:Male

Posted 10 September 2018 - 03:08 PM

@ rufwoof

 

Agreed, nothing's bulletproof.





