Your Linux Desktop Security Setup

Rocking Fedora now Everything else is the same.

 

Good day, x942, Have you ever had any virus or rootkits in linux? How good are RKHUnter and CHKRootkit? Do you advise to install them? Thanks.

 

[DISCLAIMER]Can't speak for x942, and I'm certainly far from an expert [/DISCLAIMER]

I can tell you that rkhunter & chkrootkit can throw false positives (or at least in Ubuntu-based ones). You need to get a good baseline first, best if right after a known good install. And you need to create another new baseline after certain updates. They also don't fix any problems, they merely report potential problems. So if you're up to some interaction with the tools and research to understand the positives you get, then sure, they can add to your desktop security. If you're hoping for a click-&-done kind of approach, then you'll probably be disappointed. I believe they're much more important on a server.

I'd be very interested to hear some of the experts and seasoned users comment on rkhunter & chkrootkit .

 

Not an expert but I see no need for either unless you're on a server. Harden your OS with AppArmor or SELinux, keep patched and update, and as long as you don't piss any hackers off you'll be ok.

My sig links to this but...

Network
DDWRT Router running recommended build - Remote Access disabled
DDWRT firewall turned on
OpenDNS with DNSCrypt

Realtime Protection
No AV running.
All ports closed - no need for a firewall.

System Hardening -- Ubuntu 12.04
As few programs installed as possible.
BIOS Password
Apparmor Enabled - Profiles for all programs



Browser -- Chrome Dev
Seccomp Sandbox + Default Sandbox + AppArmor
Block 3rd Party Cookies
Built in malware protection
Default PDF reader -- no adobe necessary
Adblock Plus with DNT
HTTPS Everywhere

A "private" profile with more aggressive privacy/ data settings.

Chrome Privacy Profile

No cookies/ no data sent to Google
Block form validation
ScriptNo with strict settings
Working on getting it to run with a RAMDisk.

 

Code:

This is correct. Rkhunter can detect FP and does almost every time an update comes out (specially kernel updates). That said if you use:

Code:

rkhunter --update

It will reduce false positives. I use it just to see if i'm infected. That said the likely hood of being infected is slim unless it's a targeted attack. Any one pulling off a targeted attack would know how to evade rkhunter & chkrootkit.

I no longer use chkrootkit as it's redundant and rkhunter does more tests.

You can also use:

Code:

rkhunter -c --sk

to automate the process and not need to hit 'enter' between each check.

 

Just sat behind an external firewalled router and that's it on my linux box.

As for my two windows 7 lappy's, just the router and the free avira av for that good old placebo effect!

 

It is safe/secure to run 12.04 beta yet ?
There are no security updates yet and is for testing only.

Cheers, Nick

 

Wasn't aware (are you sure?) of that but I'm not worried. I like to keep a patched system but I also have quite a lot of apparmor profiles for various running services.

edit: I have this ppa:

Ign http://security.ubuntu.com precise-security InRelease

so it looks like there's something.

 

Re. 12.04 ...

Will http://www.ubuntuupdates.org/?commit=Go&dist=precise&noppa=0 help?

And don't read https://bugs.launchpad.net/ubuntu/ source/xserver-xorg-input-synaptics/ bug/974017 if you don't have time to waste.

 

Yes the repo is there, but no one is using it yet:

http://www.ubuntu.com/usn/precise/

IMHO if it was a server i would be worried, but a desktop not so much.

Cheers Nick.

 

Good to know.

 

Am I right in assuming that folks will start using the repos when 12.04 is officially released on April 26th?

 

Security updates start on release usually.

Note there probably are security bundled as part of normal updates from upstream through the regular repositories.

Cheers, Nick.

 

Well there have been at least some security updates, but I think that they weren't really noted as security updates. For example, there was an apparmor patch that I got.

If I were running a server I'd be on 11.10. As it stands, I'm on a desktop and I've taken other measures to secure it so I'm not worried.

edit: Nick, you might know... how does linux handle DEP policies? On Windows you can control it per-process and you can also set the system to Always On, which forces DEP and avoids some ROP attacks that can turn DEP off. I have no idea how Linux handles it.

 

DEP is know as NX protection in Linux and been in Ubuntu for ages, its not configurable because its always on if supported by your CPU and no need to disable it.

Cheers, Nick.

 

Right, I know what DEP and NX are and how they work. And if your CPU/BIOS supports it it's enabled for the OS. But the OS can still set the policy for it, which on Windows is Opt Out. Are you saying that Linux forces all applications to use it by default?

Just to be clear.

 

Yes it turns it on by default for all applications, but I think the applications themselves can choose to mark memory they use writeable or not, essentially overriding the default.

Cheers, Nick.

 

That would be hard-encoded so there wouldn't be any risk of DEP turning off. Thanks - if it forces all applications to use it that's one significant step over Windows security.

edit: In particular I'm talking about DEP bypasses using SetDEPPolicy(), which bypasses DEP on default Windows on programs that have not set Permanent DEP. I guess this doesn't exist on Linux, meaning this bypass doesn't exist.

 

Network
DDWRT Router running recommended build - Remote Access disabled
DDWRT firewall turned on
OpenDNS with DNSCrypt

Realtime Protection
No AV running.
All ports closed - no need for a firewall.

System Hardening -- Ubuntu 12.04
Pax + Grsecurity, custom kernel with "High" settings (high entropy ASLR, kernel ASLR, etc)
As few programs installed as possible.
BIOS Password
Apparmor Enabled - Profiles for all programs
RBAC Enabled - System Wide, locked down user + root


Browser -- Chrome Dev
Seccomp Sandbox + Default Sandbox + AppArmor
Block 3rd Party Cookies
Built in malware protection
Default PDF reader -- no adobe necessary
Adblock Plus with DNT
HTTPS Everywhere

A "private" profile with more aggressive privacy/ data settings.

Chrome Privacy Profile
No cookies/ no data sent to Google
Block form validation
ScriptNo with strict settings
Working on getting it to run with a RAMDisk.

 

Don't use them, they are worthless. If an attacker gets root on your box (a rootkit is used to hide an attacker's presence after he gets root), then you're finished. The rootkit scanner won't save you. He can modify your rootkit scanner or modify the rootkit he uses so that it won't be detected. He can delete log files so you can't trace him. He can do anything. He is root.

Better is to take other preventative measures so you aren't root compromised in the first place.

 

This is actually why I like grsecurity. With RBAC you can restrict even root.

Typically it goes User | Root
With RBAC it goes User | Root | Admin

I don't think rootkit scanners are useless though. But if you think you're compromised your best bet is to wipe or at least reinstall your kernel.

 

Network
DDWRT Router running recommended build - Remote Access disabled
DDWRT firewall turned on
OpenDNS with DNSCrypt

Realtime Protection
No AV running.
All ports closed - no need for a firewall.

System Hardening -- Ubuntu 12.04 Kernel 3.3.X Optimized for i5 CPUs
Pax + Grsecurity, custom kernel with custom settings.
As few programs installed as possible.
BIOS Password
Apparmor Enabled - Profiles for all programs
RBAC Enabled - System Wide, locked down user + root


Browser -- Chrome Dev
Seccomp Sandbox + Default Sandbox + AppArmor
Block 3rd Party Cookies
Built in malware protection
Default PDF reader -- no adobe necessary
Adblock Plus with DNT
HTTPS Everywhere

A "private" profile with more aggressive privacy/ data settings.

Chrome Privacy Profile
No cookies/ no data sent to Google
Block form validation
ScriptNo with strict settings

Chrome's cache is on a RAMDisk with low deny execute chmod.

 

I'm curious. I assume you closed all the ports by removing services that would use them, right? What prevents services from opening a port?

 

A service could open the ports. But none of them do. By default Ubuntu has no open ports and nothing I've added would listen on any ports.

Open ports aren't a death sentence though. Anything that ever connects to the internet has an apparmor profile. But, I'd rather not have it open to begin with.

 

Yeah, but what I'm driving at is if you don't run a firewall then what stops a new service from opening up a port? Ports are closed until a service opens them. If a service opens a new one with a firewall running, then the firewall would block it. But if you don't have a firewall then any new ones would be unrestricted.

I don't know that it's super critical to run a firewall on Ubuntu desktop, but it seems uncharacteristically non-paranoid for you not to have one!