Your Linux Desktop Security Setup

Discussion in 'all things UNIX' started by BrandiCandi, Apr 3, 2012.

Thread Status:
Not open for further replies.
  1. BrandiCandi
    Offline

    BrandiCandi Guest

    In an effort to stop hijacking other peoples' threads (sorry Hungry Man!) and at x942's suggestion, I thought I'd start a new thread:

    What is your Linux security setup?

    I've been running Ubuntu 11.10 (a full install)
    with UFW denying all incoming & outgoing except what's whitelisted
    (but I'm in transition to iptables currently)
    Running ssh with key authentication, password login disabled, on an obscure port
    Firefox with noscript, adblock, & https everywhere
    full disk encryption
    Wireshark (does that count?)

    I've done absolutely nothing to alter the basic defaults in my VMs running Debian & various *buntus.
  2. AlexC
    Offline

    AlexC Registered Member

    Adblock plus in chromium because of the ads... don't feel the need to add anything else.
    I simply surf the web and do my work without worries :)
  3. x942
    Offline

    x942 Registered Member

    Awesome! Thanks for the thread! :D

    Setup #1 (Host):

    Ubuntu 11.10
    LUKS FDE
    AppArmor (with default profiles and HM's profiles)
    IPTables (block all incoming & block all Russian/Chinese IPs)
    RKhunter
    Chkrootkit
    Bastille
    PSAD (Port-Scan Attack Detector)
    Tripwire IDS
    Chrome Dev. - Seccomp + AdBlock & Built in javascript whitelisting
    ( I use Setup #2 for all web browsing)

    Setup #2 (Guest VM)

    Debian Stable
    SeLinux
    Chrome Dev (Seccomp + AdBlock & Built in javascript whitelisting)
    RKHunter
    Chkrootkit
    IPTables (block all incoming & block all Russian/Chinese IPs) - redundant as I'm using virtual NAT?

    Setup #3 (Host #2)

    Gentoo
    Hardened Kernel (GrSecurity)
    IPTables (block all incoming & block all Russian/Chinese IPs)
    Chrome Dev (Seccomp + AdBlock & Built in javascript whitelisting)
  4. Mrkvonic
    Offline

    Mrkvonic Linux Systems Expert

    Nothing really. I run noscript in some cases, but not because of security.
    Mrk
  5. mack_guy911
    Offline

    mack_guy911 Registered Member

    I used to be a security freak, but now nothing, just default SELinux, some Firefox addons (NoScript, Cookie Monster, cleaning Flash cookies) and

    an Astaro gateway, decently configured with country blocking, nothing else.

    On Ubuntu, nothing :D

    When I used to use Windows I always had nightmares of it being hacked; in 5 years nothing happened, so one day I put a virus in it myself with a pendrive and since then I sleep in peace :))
    Last edited: Apr 4, 2012
  6. BrandiCandi
    Offline

    BrandiCandi Guest

    If not for security, what do you use it for?
  7. aigle
    Online

    aigle Registered Member

    Default ubuntu set up with gnome 3.
  8. Mrkvonic
    Offline

    Mrkvonic Linux Systems Expert

    I use it to silence websites. Too many are gaudy and flashy and noisy. I like the landscape to be quiet, and the simplest way to achieve that is by using Noscript. But not always. Sometimes I just don't bother. And of course, as my own self-appointed web dev, it's useful for testing and/or blocking services, third-party sites to check behavior without impacting or skewing traffic.

    Mrk
  9. shuverisan
    Offline

    shuverisan Registered Member

    Good thread Brandi, fun stuff. Here are some things from my possible to-do list. A lot of this is taken from the NSA RHEL guide (from 2008 iirc) and Debian's security manual. I have yet to run through the SANS checklist but have a copy lying around.

    -If encrypted data is to be stored on this comp, and if it's a laptop, always fill the drive with random data before the install. This will take about 24 hours. Do multiple passes if time allows.
    dd if=/dev/urandom of=/dev/sdxx bs=1M

    -Use LUKS to encrypt a drive or a partition, or encfs to encrypt a specific folder.

    -Massively restrict where root can log in
    /etc/securetty

    -Mount your drives/locations with more restrictions
    /etc/fstab
    mount /home with nodev & nosuid
    mount /tmp into RAM (tmpfs) with noexec, nodev, nosuid
    tmpfs /tmp tmpfs rw,nosuid,nodev,noexec,noatime,size=2048M 0 0

    do same for /var/run, /var/lock, & /var/tmp if you want
    mount chrome's cache into RAM (~/.cache/chromium)
    mount flash LSO storage in RAM (~/.macromedia/Flash_Player & ~/.adobe/Flash_Player)

    make sure to add to Firefox's about:config
    browser.cache.disk.parent_directory; /tmp/ffcache


    -Configure startup services
    Find out what runlevel you are:
    cat /etc/inittab | grep initdefault

    Then go to:
    /etc/rcx.d, where x is your runlevel (likely will be 2).
    Edit:
    the 'S##name' to a 'K01name' for scripts you want to disable


    -Restrict max number of processes (nproc), max number of logins (maxlogins) and disable core files (core). Depending on your setup, you may wanna use different numbers.
    /etc/security/limits.conf
    -Add:
    #MY ENTRIES
    @userorgroupname hard core 0
    @userorgroupname hard nproc 350
    root hard nproc 400
    @userorgroupname hard maxlogins 2
    root hard maxlogins 2

    /etc/pam.d/su
    Uncomment:
    session required pam_limits.so


    -Set Login password storage encryption
    /etc/login.defs
    -Uncomment and/or set:
    ENCRYPT_METHOD SHA256
    SHA_CRYPT_MIN_ROUNDS 5000
    SHA_CRYPT_MAX_ROUNDS 5000

    LOGIN_RETRIES 3
    LOGIN_TIMEOUT 15

    FAILLOG_ENAB yes


    -Create a wheel group to limit sudo users
    sudo groupadd -r wheel
    add only privileged users


    -Deny all TCP wrappers
    /etc/hosts.deny
    Uncomment:
    ALL: PARANOID
    or
    ALL: ALL


    -Secure SSH
    /etc/ssh/sshd_config
    Add:
    PermitRootLogin no
    PermitEmptyPasswords no
    AllowGroups wheel admin

    Uncomment:
    PasswordAuthentication yes
    Protocol 2 (remove 1)


    -Ban unwanted packages from the system
    /etc/apt/preferences
    -Add:
    Package: zeitgeist
    Pin: version 0
    Pin-Priority: -1


    -Some other network stuff, explanations in the file
    /etc/sysctl.conf
    -Uncomment:
    net.ipv4.conf.default.rp_filter=1
    net.ipv4.conf.all.rp_filter=1

    net.ipv4.tcp_syncookies=1

    net.ipv4.conf.all.accept_redirects = 0
    net.ipv6.conf.all.accept_redirects = 0

    net.ipv4.conf.all.send_redirects = 0

    net.ipv4.conf.all.accept_source_route = 0
    net.ipv6.conf.all.accept_source_route = 0

    net.ipv4.conf.all.log_martians = 1

    Add:
    #Disable all ipv6
    net.ipv6.conf.all.disable_ipv6 = 1
    net.ipv6.conf.default.disable_ipv6 = 1
    net.ipv6.conf.lo.disable_ipv6 = 1


    -Remove as many unused packages as possible, but especially,
    apt-get (or yum whatever) purge portmap telnet

    -Don't need Java? Get rid of it or disable the browser plugin.

    -Keep tarballed backups so you no longer fear fresh installs.
    Last edited: Apr 4, 2012
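    A way to check that the fstab, sysctl, sshd_config and login.defs settings from the list above actually took effect, as an added audit script that is not from the thread or any of its posters. The file paths, the sample contents and the helper names (check_fstab_opts, check_kv, audit_dir, write_samples) are this example's own assumptions; point audit_dir at /etc to run it on a real system.

```shell
#!/bin/sh
# Added example (not from the thread): audit a few of the hardening settings
# listed above, reading them from files under a directory (constructed samples or /etc).
# check_fstab_opts FSTAB MOUNTPOINT OPT... : 0 only if every OPT is set on that mount
check_fstab_opts() {
  fstab=$1; mnt=$2; shift 2
  opts=$(awk -v m="$mnt" '$1 !~ /^#/ && $2 == m { print $4 }' "$fstab")
  [ -n "$opts" ] || return 1
  for o in "$@"; do
    case ",$opts," in *",$o,"*) ;; *) return 1 ;; esac
  done
}
# check_kv FILE KEY VALUE : 0 if the last uncommented "KEY VALUE" or
# "KEY = VALUE" line sets KEY to VALUE; a commented-out or missing key fails
check_kv() {
  got=$(awk -v k="$2" '$1 !~ /^#/ { gsub(/=/, " "); if ($1 == k) v = $2 }
                       END { print v }' "$1")
  [ "$got" = "$3" ]
}
# audit_dir DIR : prints one line per check and returns the number of failures
audit_dir() {
  d=$1; fails=0
  for chk in "check_fstab_opts $d/fstab /tmp nosuid nodev noexec" \
             "check_kv $d/sysctl.conf net.ipv4.tcp_syncookies 1" \
             "check_kv $d/sysctl.conf net.ipv4.conf.all.accept_redirects 0" \
             "check_kv $d/ssh/sshd_config PermitRootLogin no" \
             "check_kv $d/login.defs ENCRYPT_METHOD SHA256"; do
    if $chk; then echo "ok   ${chk#* }"; else echo "FAIL ${chk#* }"; fails=$((fails+1)); fi
  done
  return $fails
}
# write_samples DIR : constructed sample files, one hardened set and one lax set
write_samples() {
  h=$1/hardened; l=$1/lax; mkdir -p "$h/ssh" "$l/ssh"
  printf '%s\n' 'tmpfs /tmp tmpfs rw,nosuid,nodev,noexec,noatime,size=2048M 0 0' > "$h/fstab"
  printf '%s\n' 'net.ipv4.tcp_syncookies=1' 'net.ipv4.conf.all.accept_redirects = 0' > "$h/sysctl.conf"
  printf '%s\n' 'Protocol 2' 'PermitRootLogin no' > "$h/ssh/sshd_config"
  printf '%s\n' 'ENCRYPT_METHOD SHA256' 'SHA_CRYPT_MIN_ROUNDS 5000' > "$h/login.defs"
  printf '%s\n' 'tmpfs /tmp tmpfs defaults 0 0' > "$l/fstab"
  printf '%s\n' '#net.ipv4.tcp_syncookies=1' 'net.ipv4.conf.all.accept_redirects = 1' > "$l/sysctl.conf"
  printf '%s\n' '#PermitRootLogin no' > "$l/ssh/sshd_config"
  printf '%s\n' 'ENCRYPT_METHOD MD5' > "$l/login.defs"
}
# Stand-alone demo: the hardened set should pass, the lax set should report 5 failures
demo=$(mktemp -d); write_samples "$demo"
audit_dir "$demo/hardened" || echo "hardened: $? check(s) failed"
audit_dir "$demo/lax" || echo "lax: $? check(s) failed"
```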
  10. Judge Dee
    Offline

    Judge Dee Guest

    Ubuntu 10.04 :
    NoScript (mainly for Mrk's reason).
    Once in a great, great while I run rkhunter just for something to do when I'm bored.
  11. moontan
    Offline

    moontan Registered Member

    Some of us have tried, or are trying, Linux because it is supposed to be much safer than Windows.
    If I am gonna tweak Linux to death for security I might as well stay with Windows.

    On Linux, I use NoScript.
    And the GUFW front end for the kernel firewall.
  12. malexous
    Offline

    malexous Registered Member

    None. I do use Adblock Plus and NoScript, though, to get rid of annoyances.
  13. mack_guy911
    Offline

    mack_guy911 Registered Member

    rkhunter and chkrootkit, as well as BleachBit (non-root), used for browsers and Flash cookies only.

    Also I use VirusTotal to scan some files on Linux :)
  14. NGRhodes
    Offline

    NGRhodes Registered Member

    Never had any security issues with default setup in Ubuntu, so never felt the need to alter.

    Cheers, Nick.
  15. mack_guy911
    Offline

    mack_guy911 Registered Member


    Agree, Nick.

    But it's also good to dig deep into security. Great thread, thanks BrandiCandi for starting it.
  16. NGRhodes
    Offline

    NGRhodes Registered Member

    Yes, if there is a real-world threat about that relates to my specific usage/setup, I will try and improve the security setup (if it's not covered by normal updates); else IMHO it's just extra admin to satisfy paranoia.

    Cheers, Nick
  17. chrisretusn
    Offline

    chrisretusn Registered Member

    I guess my only security is I have a good password. :)

    I have nothing installed outside what comes with the distribution and make no effort to set anything up that comes included with the distribution. Just don't see a reason to do so. Some would be redundant anyway since I sit behind a firewall.

    I have several Firefox extensions installed such as NoScript, but I really don't consider them as part of my Linux security measures. These extensions would be used regardless of the OS.
  18. s23
    Offline

    s23 Registered Member

    -When using a Red Hat based distro (Scientific Linux, PUIAS or CentOS) I use the SELinux sandbox for the same motive I used Sandboxie in Windows: a system without internet junk (cookies, temp files...).

    -When using openSUSE or Ubuntu, default profiles for AppArmor. In Ubuntu I use ufw with a default deny incoming policy (already enabled by default in the openSUSE firewall).

    -Firefox with Adblock Plus and NoScript, to remove unnecessary page loads and junk from websites.

    -Chromium with seccomp-sandbox just for fun, ScriptNo and Adblock Plus for the same reasons I use them in Firefox.

    It's not necessary to use some of these things, but you know.. it's just to learn something new.
  19. s23
    Offline

    s23 Registered Member

    I wanna use the topic to ask something (sorry if O.T. - but I think the subject is the same) about security on Linux servers:

    Why don't admins use a graphical desktop and tools to do the sysadmin work? I imagine that the less you install, the smaller the attack surface... but is it really necessary? Can installing a basic GNOME/Xfce/KDE interface really have some impact on the server's security??
  20. BrandiCandi
    Offline

    BrandiCandi Guest

    Because it's actually easier to administer a linux server via terminal. I don't think it's got much to do with security.

    And, incidentally, the whole reason I'm locking down my desktop is to figure out how to lock down a server. Vanilla Linux desktops seem to get cracked rarely (based on my extensive 9 months of experience :p ), however it's a good bet that a poorly configured Linux server will get cracked.
  21. BrandiCandi
    Offline

    BrandiCandi Guest

    Ah, that makes sense. I always thought of the quiet as a happy side effect of NoScript. I miss it when I'm on my Windows work computer running IE. It's not my system to secure, but I wish I could block scripts for my personal tranquility.
  22. NGRhodes
    Offline

    NGRhodes Registered Member

    Running a GUI through X Windows (which all Linux desktops run on) COULD be a security issue if it's not locked down (such as allowing remote access - susceptible to packet sniffing); attackers could read passwords or documents or anything on the GUI if X was attacked. Not a big security risk, but as with running anything unnecessary (e.g. print or file server), it's more efficient to simply not install it and not have to spend time configuring it for better security.

    We do use graphical tools for monitoring linux servers, but these run on desktops or monitoring servers and remotely collect the metrics off the servers we need, much easier for our helpdesk guys to visualise.

    I find the mature commandline offers numerous advantages over GUI -

    Faster for remote access (my pass does not even let me access our server rooms); GUIs take time, even over LAN.
    Less server resources.
    Easier to script multiple commands into a job and maintain them (piping and redirecting allow almost universal chaining of commands that is impossible from the GUI).
    Easier to repeat on different machines (this is the main reason MS reinvented the command line as PowerShell, which all their current servers support).
    Fewer interface differences to learn (there are limited ways to write command line interfaces; even Microsoft's own tools vary in interface design - IIS seems to use lots of tabs per website dialog, SQL Server uses lots of different dialogs per database).

    Cheers, Nick
  23. Mrkvonic
    Offline

    Mrkvonic Linux Systems Expert

    Command line mostly because of automation.
    If it runs from the command line, it's deterministic and can be scripted.
    Mrk
  24. s23
    Offline

    s23 Registered Member

    Thank you Sirs for the insightful answers.

    Take Care!
  25. linuxforall
    Offline

    linuxforall Registered Member

    No firewall, let the router handle that. Only Chrome and Opera, both use Adblock with extended privacy list.