Your Linux Desktop Security Setup

Discussion in 'all things UNIX' started by BrandiCandi, Apr 3, 2012.

Thread Status:
Not open for further replies.
  1. x942
    x942 Registered Member

    Rocking Fedora now :D Everything else is the same.
  2. zorro zorrito
    zorro zorrito Registered Member

    Good day, x942. Have you ever had any viruses or rootkits in Linux? How good are RKHunter and chkrootkit? Do you advise installing them? Thanks.
    :D
  3. BrandiCandi
    BrandiCandi Guest

    [DISCLAIMER]Can't speak for x942, and I'm certainly far from an expert [/DISCLAIMER]

    I can tell you that rkhunter & chkrootkit can throw false positives (or at least in Ubuntu-based ones). You need to get a good baseline first, best if right after a known good install. And you need to create another new baseline after certain updates. They also don't fix any problems, they merely report potential problems. So if you're up to some interaction with the tools and research to understand the positives you get, then sure, they can add to your desktop security. If you're hoping for a click-&-done kind of approach, then you'll probably be disappointed. I believe they're much more important on a server.

    I'd be very interested to hear some of the experts and seasoned users comment on rkhunter & chkrootkit.
  4. Hungry Man
    Hungry Man Registered Member

    Not an expert but I see no need for either unless you're on a server. Harden your OS with AppArmor or SELinux, keep patched and updated, and as long as you don't piss any hackers off you'll be ok.

    My sig links to this but...

    Network
    DDWRT Router running recommended build - Remote Access disabled
    DDWRT firewall turned on
    OpenDNS with DNSCrypt

    Realtime Protection
    No AV running.
    All ports closed - no need for a firewall.

    System Hardening -- Ubuntu 12.04
    As few programs installed as possible.
    BIOS Password
    Apparmor Enabled - Profiles for all programs



    Browser -- Chrome Dev
    Seccomp Sandbox + Default Sandbox + AppArmor
    Block 3rd Party Cookies
    Built in malware protection
    Default PDF reader -- no adobe necessary
    Adblock Plus with DNT
    HTTPS Everywhere

    A "private" profile with more aggressive privacy/ data settings.

    Chrome Privacy Profile

    No cookies/ no data sent to Google
    Block form validation
    ScriptNo with strict settings
    Working on getting it to run with a RAMDisk.
  5. x942
    x942 Registered Member

    This is correct. Rkhunter can detect FP and does almost every time an update comes out (especially kernel updates). That said if you use:

    Code:
    rkhunter --update
    It will reduce false positives. I use it just to see if I'm infected. That said, the likelihood of being infected is slim unless it's a targeted attack. Anyone pulling off a targeted attack would know how to evade rkhunter & chkrootkit.

    I no longer use chkrootkit as it's redundant and rkhunter does more tests.

    You can also use:

    Code:
    rkhunter -c --sk
    to automate the process and not need to hit 'enter' between each check.
    Last edited: Apr 9, 2012
  6. Beavenburt
    Beavenburt Registered Member

    Just sat behind an external firewalled router and that's it on my Linux box.

    As for my two Windows 7 lappies, just the router and the free Avira AV for that good old placebo effect!
  7. NGRhodes
    NGRhodes Registered Member

    Is it safe/secure to run 12.04 beta yet?
    There are no security updates yet and it is for testing only.

    Cheers, Nick
  8. Hungry Man
    Hungry Man Registered Member

    Wasn't aware (are you sure?) of that but I'm not worried. I like to keep a patched system but I also have quite a lot of apparmor profiles for various running services.

    edit: I have this ppa:

    Ign http://security.ubuntu.com precise-security InRelease

    so it looks like there's something.
    Last edited: Apr 10, 2012
  9. vasa1
    vasa1 Registered Member

  10. NGRhodes
    NGRhodes Registered Member

    Yes the repo is there, but no one is using it yet:

    http://www.ubuntu.com/usn/precise/

    IMHO if it was a server I would be worried, but a desktop not so much.

    Cheers Nick.
  11. Hungry Man
    Hungry Man Registered Member

    Good to know.
  12. BrandiCandi
    BrandiCandi Guest

    Am I right in assuming that folks will start using the repos when 12.04 is officially released on April 26th?
  13. NGRhodes
    NGRhodes Registered Member

    Security updates start on release usually.

    Note there probably are security bundled as part of normal updates from upstream through the regular repositories.

    Cheers, Nick.
  14. Hungry Man
    Hungry Man Registered Member

    Well there have been at least some security updates, but I think that they weren't really noted as security updates. For example, there was an apparmor patch that I got.

    If I were running a server I'd be on 11.10. As it stands, I'm on a desktop and I've taken other measures to secure it so I'm not worried.

    edit: Nick, you might know... how does Linux handle DEP policies? On Windows you can control it per-process and you can also set the system to Always On, which forces DEP and avoids some ROP attacks that can turn DEP off. I have no idea how Linux handles it.
  15. NGRhodes
    NGRhodes Registered Member

    DEP is known as NX protection in Linux and has been in Ubuntu for ages; it's not configurable because it's always on if supported by your CPU and there's no need to disable it.

    Cheers, Nick.
  16. Hungry Man
    Hungry Man Registered Member

    Right, I know what DEP and NX are and how they work. And if your CPU/BIOS supports it it's enabled for the OS. But the OS can still set the policy for it, which on Windows is Opt Out. Are you saying that Linux forces all applications to use it by default?

    Just to be clear.
  17. NGRhodes
    NGRhodes Registered Member

    Yes it turns it on by default for all applications, but I think the applications themselves can choose to mark memory they use writeable or not, essentially overriding the default.

    Cheers, Nick.
  18. Hungry Man
    Hungry Man Registered Member

    That would be hard-encoded so there wouldn't be any risk of DEP turning off. Thanks - if it forces all applications to use it that's one significant step over Windows security.

    edit: In particular I'm talking about DEP bypasses using SetDEPPolicy(), which bypasses DEP on default Windows on programs that have not set Permanent DEP. I guess this doesn't exist on Linux, meaning this bypass doesn't exist.
    Last edited: Apr 11, 2012
  19. Hungry Man
    Hungry Man Registered Member

    Network
    DDWRT Router running recommended build - Remote Access disabled
    DDWRT firewall turned on
    OpenDNS with DNSCrypt

    Realtime Protection
    No AV running.
    All ports closed - no need for a firewall.

    System Hardening -- Ubuntu 12.04
    Pax + Grsecurity, custom kernel with "High" settings (high entropy ASLR, kernel ASLR, etc)
    As few programs installed as possible.
    BIOS Password
    Apparmor Enabled - Profiles for all programs
    RBAC Enabled - System Wide, locked down user + root


    Browser -- Chrome Dev
    Seccomp Sandbox + Default Sandbox + AppArmor
    Block 3rd Party Cookies
    Built in malware protection
    Default PDF reader -- no adobe necessary
    Adblock Plus with DNT
    HTTPS Everywhere

    A "private" profile with more aggressive privacy/ data settings.

    Chrome Privacy Profile
    No cookies/ no data sent to Google
    Block form validation
    ScriptNo with strict settings
    Working on getting it to run with a RAMDisk.
    Last edited: Apr 23, 2012
  20. chronomatic
    chronomatic Registered Member

    Don't use them, they are worthless. If an attacker gets root on your box (a rootkit is used to hide an attacker's presence after he gets root), then you're finished. The rootkit scanner won't save you. He can modify your rootkit scanner or modify the rootkit he uses so that it won't be detected. He can delete log files so you can't trace him. He can do anything. He is root.

    Better is to take other preventative measures so you aren't root compromised in the first place.
  21. Hungry Man
    Hungry Man Registered Member

    This is actually why I like grsecurity. With RBAC you can restrict even root.

    Typically it goes User | Root
    With RBAC it goes User | Root | Admin

    I don't think rootkit scanners are useless though. But if you think you're compromised your best bet is to wipe or at least reinstall your kernel.
  22. Hungry Man
    Hungry Man Registered Member

    Network
    DDWRT Router running recommended build - Remote Access disabled
    DDWRT firewall turned on
    OpenDNS with DNSCrypt

    Realtime Protection
    No AV running.
    All ports closed - no need for a firewall.

    System Hardening -- Ubuntu 12.04 Kernel 3.3.X Optimized for i5 CPUs
    Pax + Grsecurity, custom kernel with custom settings.
    As few programs installed as possible.
    BIOS Password
    Apparmor Enabled - Profiles for all programs
    RBAC Enabled - System Wide, locked down user + root


    Browser -- Chrome Dev
    Seccomp Sandbox + Default Sandbox + AppArmor
    Block 3rd Party Cookies
    Built in malware protection
    Default PDF reader -- no adobe necessary
    Adblock Plus with DNT
    HTTPS Everywhere

    A "private" profile with more aggressive privacy/ data settings.

    Chrome Privacy Profile
    No cookies/ no data sent to Google
    Block form validation
    ScriptNo with strict settings

    Chrome's cache is on a RAMDisk with low deny execute chmod.
    Last edited: Apr 30, 2012
  23. BrandiCandi
    BrandiCandi Guest

    I'm curious. I assume you closed all the ports by removing services that would use them, right? What prevents services from opening a port?
  24. Hungry Man
    Hungry Man Registered Member

    A service could open the ports. But none of them do. By default Ubuntu has no open ports and nothing I've added would listen on any ports.

    Open ports aren't a death sentence though. Anything that ever connects to the internet has an apparmor profile. But, I'd rather not have it open to begin with.
  25. BrandiCandi
    BrandiCandi Guest

    Yeah, but what I'm driving at is if you don't run a firewall then what stops a new service from opening up a port? Ports are closed until a service opens them. If a service opens a new one with a firewall running, then the firewall would block it. But if you don't have a firewall then any new ones would be unrestricted.

    I don't know that it's super critical to run a firewall on Ubuntu desktop, but it seems uncharacteristically non-paranoid for you not to have one!
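
For the question in the last three posts of what is actually listening when no firewall is running: an added example, not written by any poster in this thread, that lists LISTEN sockets from text in the `/proc/net/tcp` layout and picks out those not bound to loopback. The sample table is constructed, the function names are hypothetical, and IPv4 on a little-endian host is assumed.

```python
import socket
import struct

TCP_LISTEN = "0A"   # state code for LISTEN in /proc/net/tcp

# Constructed sample in /proc/net/tcp layout (not captured from a real host).
SAMPLE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:0277 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 11111 1
   1: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 22222 1
   2: 0A00A8C0:C350 010200C0:01BB 01 00000000:00000000 00:00000000 00000000  1000        0 33333 1
"""

def decode_addr(field):
    """'0100007F:0277' -> ('127.0.0.1', 631); assumes a little-endian host."""
    ip_hex, port_hex = field.split(":")
    ip = socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16)))
    return ip, int(port_hex, 16)

def listeners(proc_net_tcp):
    """Return (ip, port, uid) for every IPv4 socket in LISTEN state."""
    found = []
    for line in proc_net_tcp.splitlines()[1:]:      # skip the header row
        cols = line.split()
        if len(cols) < 8 or cols[3] != TCP_LISTEN:
            continue                                # established, time-wait, etc.
        ip, port = decode_addr(cols[1])
        found.append((ip, port, int(cols[7])))
    return found

def exposed(proc_net_tcp):
    """Listeners reachable from other hosts, i.e. not bound to loopback."""
    return [l for l in listeners(proc_net_tcp) if not l[0].startswith("127.")]

if __name__ == "__main__":
    # On a real machine, read /proc/net/tcp instead of SAMPLE
    # (IPv6 listeners live in /proc/net/tcp6 and are not covered here).
    for ip, port, uid in exposed(SAMPLE):
        print(f"listening on {ip}:{port} (uid {uid})")
```

Run periodically and compared against a known-good list, this shows when a newly installed service has started listening on a non-loopback address.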