Your Linux Desktop Security Setup

Discussion in 'all things UNIX' started by BrandiCandi, Apr 3, 2012.

Thread Status:
Not open for further replies.
  1. BrandiCandi

    BrandiCandi Guest

    In an effort to stop hijacking other people's threads (sorry Hungry Man!) and at x942's suggestion, I thought I'd start a new thread:

    What is your Linux security setup?

    I've been running Ubuntu 11.10 (a full install)
    with UFW denying all incoming & outgoing except what's whitelisted
    (but I'm in transition to iptables currently)
    Running ssh with key authentication, password login disabled, on an obscure port
    Firefox with noscript, adblock, & https everywhere
    full disk encryption
    Wireshark (does that count?)

    I've done absolutely nothing to alter the basic defaults in my VMs running Debian & various *buntus.
     
  2. AlexC

    AlexC Registered Member

    Joined:
    Apr 4, 2009
    Posts:
    1,288
    Adblock plus in chromium because of the ads... don't feel the need to add anything else.
    I simply surf the web and do my work without worries :)
     
  3. x942

    x942 Guest

    Awesome! Thanks for the thread! :D

    Setup #1 (Host):

    Ubuntu 11.10
    LUKS FDE
    AppArmor (With default profiles and HM's Profiles)
    IPTables (Block all incoming & block all Russian/Chinese IP's)
    RKhunter
    Chkrootkit
    Bastille
    PSAD (Port-Scan Attack Detector)
    Tripwire IDS
    Chrome Dev. - Seccomp + AdBlock & Built in javascript whitelisting
    ( I use Setup #2 for all web browsing)

    Setup #2 (Guest VM)

    Debian Stable
    SELinux
    Chrome Dev (Seccomp + AdBlock & Built in javascript whitelisting)
    RKHunter
    Chkrootkit
    IPTables (Block all incoming & block all Russian/Chinese IP's) - Redundant as using virtual NAT?

    Setup #3 (Host #2)

    Gentoo
    Hardened Kernel (GrSecurity)
    IPTables (Block all incoming & block all Russian/Chinese IP's)
    Chrome Dev (Seccomp + AdBlock & Built in javascript whitelisting)
     
  4. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    10,221
    Nothing really. I run noscript in some cases, but not because of security.
    Mrk
     
  5. mack_guy911

    mack_guy911 Registered Member

    Joined:
    Mar 21, 2007
    Posts:
    2,677
    I used to be a security freak, but now nothing: just default SELinux, some Firefox add-ons (NoScript, Cookie Monster, clean Flash cookies) and

    an Astaro gateway, decently configured with country blocking, nothing else.

    On Ubuntu, nothing :D

    When I used to use Windows I always had nightmares of it being hacked. For 5 years nothing happened, so one day I put a virus in it myself with a pen drive, and since then I sleep in peace :))
     
    Last edited: Apr 4, 2012
  6. BrandiCandi

    BrandiCandi Guest

    If not for security, what do you use it for?
     
  7. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    Default ubuntu set up with gnome 3.
     
  8. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    10,221
    I use it to silence websites. Too many are gaudy and flashy and noisy. I like the landscape to be quiet, and the simplest way to achieve that is by using Noscript. But not always. Sometimes I just don't bother. And of course, as my own self-appointed web dev, it's useful for testing and/or blocking services, third-party sites to check behavior without impacting or skewing traffic.

    Mrk
     
  9. shuverisan

    shuverisan Registered Member

    Joined:
    Dec 23, 2011
    Posts:
    185
    Good thread Brandi, fun stuff. Here are some things from my possible to do list. A lot of this is taken from the NSA RHEL guide (from 2008 iirc) and Debian's security manual. I have yet to run through the SANS checklist but have a copy laying around.

    -If encrypted data is to be stored on this comp, and if it's a laptop, always fill the drive with random data before the install. This will take about 24 hours. do multiple passes if time allows.
    dd if=/dev/urandom of=/dev/sdxx bs=1M

    -Use LUKS to encrypt a drive or a partition, or encfs to encrypt a specific folder.

    -Massively restrict where root can log in
    /etc/securetty

    -Mount your drives/locations with more restrictions
    /etc/fstab
    mount /home with nodev & nosuid
    mount /tmp into RAM (tmpfs) with noexec, nodev, nosuid
    tmpfs /tmp tmpfs rw,nosuid,nodev,noexec,noatime,size=2048M 0 0

    do same for /var/run, /var/lock, & /var/tmp if you want
    mount chrome's cache into RAM (~/.cache/chromium)
    mount flash LSO storage in RAM (~/.macromedia/Flash_Player & ~/.adobe/Flash_Player)

    make sure to add to Firefox's about:config
    browser.cache.disk.parent_directory; /tmp/ffcache


    -Configure startup services
    Find out what runlevel you are:
    cat /etc/inittab | grep initdefault

    Then go to:
    /etc/rcx.d, where x is your runlevel (likely will be 2).
    Edit:
    the 'S##name' to a 'K01name' for scripts you want to disable


    -Restrict max number of processes (nproc), max number of logins (maxlogins) and disable core files (core). Depending on your setup, you may wanna use different numbers.
    /etc/security/limits.conf
    -Add:
    #MY ENTRIES
    @userorgroupname hard core 0
    @userorgroupname hard nproc 350
    root hard nproc 400
    @userorgroupname hard maxlogins 2
    root hard maxlogins 2

    /etc/pam.d/su
    Uncomment:
    session required pam_limits.so


    -Set Login password storage encryption
    /etc/login.defs
    -Uncomment and/or set:
    ENCRYPT_METHOD SHA256
    SHA_CRYPT_MIN_ROUNDS 5000
    SHA_CRYPT_MAX_ROUNDS 5000

    LOGIN_RETRIES 3
    LOGIN_TIMEOUT 15

    FAILLOG_ENAB yes


    -Create a wheel group to limit sudo users
    sudo groupadd -r wheel
    add only privileged users


    -Deny all TCP wrappers
    /etc/hosts.deny
    Uncomment:
    ALL: PARANOID
    or
    ALL: ALL
    (where the face is, should be a colon and capital P)


    -Secure SSH
    /etc/ssh/sshd_config
    Add:
    PermitRootLogin no
    PermitEmptyPasswords no
    AllowGroups wheel admin

    Uncomment:
    PasswordAuthentication yes
    Protocol 2 (remove 1)


    -Ban unwanted packages from the system
    /etc/apt/preferences
    -Add:
    Package: zeitgeist
    Pin: version 0
    Pin-Priority: -1


    -Some other network stuff, explanations in the file
    /etc/sysctl.conf
    -Uncomment:
    net.ipv4.conf.default.rp_filter=1
    net.ipv4.conf.all.rp_filter=1

    net.ipv4.tcp_syncookies=1

    net.ipv4.conf.all.accept_redirects = 0
    net.ipv6.conf.all.accept_redirects = 0

    net.ipv4.conf.all.send_redirects = 0

    net.ipv4.conf.all.accept_source_route = 0
    net.ipv6.conf.all.accept_source_route = 0

    net.ipv4.conf.all.log_martians = 1

    Add:
    #Disable all ipv6
    net.ipv6.conf.all.disable_ipv6 = 1
    net.ipv6.conf.default.disable_ipv6 = 1
    net.ipv6.conf.lo.disable_ipv6 = 1


    -Remove as many unused packages as possible, but especially,
    apt-get (or yum whatever) purge portmap telnet

    -Don't need Java? Get rid of it or disable the browser plugin.

    -Keep tarballed backups so you no longer fear fresh installs.
     
    Last edited: Apr 4, 2012
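An added example, not part of shuverisan's post: uncommenting lines in /etc/sysctl.conf changes nothing until the file is reloaded (`sysctl -p`) or the machine reboots, so this sketch checks the keys the post says to uncomment against both the file and the running kernel. The function names and the `proc_sys` parameter are assumptions made for the example, and only /etc/sysctl.conf is read (not /etc/sysctl.d/).

```python
from pathlib import Path

# Keys and values the checklist above says to uncomment in /etc/sysctl.conf.
EXPECTED = {
    "net.ipv4.conf.default.rp_filter": "1",
    "net.ipv4.conf.all.rp_filter": "1",
    "net.ipv4.tcp_syncookies": "1",
    "net.ipv4.conf.all.accept_redirects": "0",
    "net.ipv6.conf.all.accept_redirects": "0",
    "net.ipv4.conf.all.send_redirects": "0",
    "net.ipv4.conf.all.accept_source_route": "0",
    "net.ipv6.conf.all.accept_source_route": "0",
    "net.ipv4.conf.all.log_martians": "1",
}

def parse_sysctl_conf(text):
    """Return {key: value} for active lines; '#' and ';' start comment lines."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#;" or "=" not in line:
            continue
        key, value = line.split("=", 1)
        settings[key.strip()] = value.strip()  # a later line overrides an earlier one
    return settings

def live_value(key, proc_sys="/proc/sys"):
    """Read the kernel's current value for key, or None if the key is absent."""
    try:
        return Path(proc_sys, *key.split(".")).read_text().strip()
    except OSError:
        return None

def audit(conf_text, proc_sys="/proc/sys", expected=EXPECTED):
    """Return (key, problem) pairs for keys not set as the checklist asks."""
    conf = parse_sysctl_conf(conf_text)
    findings = []
    for key, want in expected.items():
        if conf.get(key) != want:
            findings.append((key, f"file has {conf.get(key)!r}, want {want!r}"))
        live = live_value(key, proc_sys)
        if live is not None and live != want:
            findings.append((key, f"kernel has {live!r}, want {want!r}"))
    return findings

if __name__ == "__main__":
    for key, problem in audit(Path("/etc/sysctl.conf").read_text()):
        print(f"{key}: {problem}")
```

A key that is correct in the file but wrong in the kernel means the file has not been applied yet; the reverse means the setting will be lost at the next reboot.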
  10. Judge Dee

    Judge Dee Guest

    Ubuntu 10.04 :
    NoScript (mainly for Mrk's reason).
    Once in a great, great while I run rkhunter just for something to do when I'm bored.
     
  11. moontan

    moontan Registered Member

    Joined:
    Sep 11, 2010
    Posts:
    3,931
    Location:
    Québec
    some of us have tried, or are trying Linux, because it is supposed to be much safer than Windows.
    if i am gonna tweak Linux to death for security i might as well stay with Windows.

    on Linux, i use NoScript.
    and the GUFW front end for the kernel firewall.
     
  12. malexous

    malexous Registered Member

    Joined:
    Jun 18, 2010
    Posts:
    830
    Location:
    Ireland
    None. I do use Adblock Plus and NoScript, though, to get rid of annoyances.
     
  13. mack_guy911

    mack_guy911 Registered Member

    Joined:
    Mar 21, 2007
    Posts:
    2,677
    rkhunter and chkrootkit, as well as BleachBit (non-root), used for browsers and Flash cookies only

    also i use virus total to scan some files on linux :)
     
  14. NGRhodes

    NGRhodes Registered Member

    Joined:
    Jun 23, 2003
    Posts:
    2,381
    Location:
    West Yorkshire, UK
    Never had any security issues with default setup in Ubuntu, so never felt the need to alter.

    Cheers, Nick.
     
  15. mack_guy911

    mack_guy911 Registered Member

    Joined:
    Mar 21, 2007
    Posts:
    2,677

    Agree, Nick.


    But it's also good to do some digging deep into security. Great thread, thanks BrandiCandi for starting it.
     
  16. NGRhodes

    NGRhodes Registered Member

    Joined:
    Jun 23, 2003
    Posts:
    2,381
    Location:
    West Yorkshire, UK
    Yes, if there is a real world threat about, that relates to my specific usage/setup, I will try and improve the security setup (if it's not covered by normal updates), else IMHO it's just extra admin to satisfy paranoia.

    Cheers, Nick
     
  17. chrisretusn

    chrisretusn Registered Member

    Joined:
    Jun 16, 2004
    Posts:
    1,672
    Location:
    Philippines
    I guess my only security is I have a good password. :)

    I have nothing installed outside what comes with the distribution and make no effort to set anything up that comes included with the distribution. Just don't see a reason to do so. Some would be redundant anyway since I sit behind a firewall.

    I have several Firefox extensions installed such as NoScript, but I really don't consider them as part of my Linux security measures. These extensions would be used regardless of the OS.
     
  18. s23

    s23 Registered Member

    Joined:
    Feb 22, 2009
    Posts:
    263
    -When using a Redhat based distro (Scientific linux, puias or centos) I use selinux sandbox for the same motive I used sandboxie in Windows: A system without internet junkie( cookies, temp files...).

    -When using openSUSE or Ubuntu, default profiles for apparmor. In Ubuntu I use ufw default deny incoming policy(already enabled by default in openSUSE firewall).

    -firefox with adblock plus and noscript, to remove unnecessary page loads and junkies from websites.


    -chromium with seccomp-sandbox just for fun, scriptno and adblock plus for the same reasons I use in firefox.

    It's not necessary to use some of these things, but you know... it's just to learn something new.
     
  19. s23

    s23 Registered Member

    Joined:
    Feb 22, 2009
    Posts:
    263
    I wanna use the topic to ask something (sorry if O.T. - but I think the subject is the same) about security in linux servers:

    Why don't admins use a graphical desktop and tools to do the sysadmin work? I imagine that the less you install, the less the attack surface... but is it really necessary? Can installing a basic gnome/xfce/kde interface really have some impact on the server's security??
     
  20. BrandiCandi

    BrandiCandi Guest

    Because it's actually easier to administer a linux server via terminal. I don't think it's got much to do with security.

    And, incidentally, the whole reason I'm locking down my desktop is to figure out how to lock down a server. Vanilla Linux desktops seem to get cracked rarely (based on my extensive 9 months of experience :p ), however it's a good bet that a poorly configured Linux server will get cracked.
     
  21. BrandiCandi

    BrandiCandi Guest

    Ah, that makes sense. I always thought of the quiet as a happy side effect of NoScript. I miss it when I'm on my Windows work computer running IE. It's not my system to secure, but I wish I could block scripts for my personal tranquility.
     
  22. NGRhodes

    NGRhodes Registered Member

    Joined:
    Jun 23, 2003
    Posts:
    2,381
    Location:
    West Yorkshire, UK
    Running a GUI through XWindows (which all Linux desktops run on) COULD be a security issue if it's not locked down (such as allowing remote access - susceptible to packet sniffing), attackers could read passwords or documents or anything on the GUI if X was attacked. Not a big security risk, but like with running anything unnecessary (e.g. print or file server), it's more efficient to simply not install and not have to spend time configuring for better security.

    We do use graphical tools for monitoring linux servers, but these run on desktops or monitoring servers and remotely collect the metrics off the servers we need, much easier for our helpdesk guys to visualise.

    I find the mature commandline offers numerous advantages over GUI -

    Faster for remote access (my pass does not even let me access our server rooms), GUIs take time, even over LAN.
    Less server resources.
    Easier to script multiple commands into job and maintain them (piping and redirecting allow almost universal chaining of commands that is impossible from the GUI).
    Easier to repeat on different machines (this is the main reason MS reinvented the command line as PowerShell which all their current servers support)
    Fewer interface differences to learn (limited ways to write command line interfaces, even Microsoft's own tools vary in interface design - IIS seems to use lots of tabs per website dialog, SQL server uses lots of different dialogs per database)

    Cheers, Nick
     
  23. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    10,221
    Command line mostly because of automation.
    If it runs from the command line, it's deterministic and can be scripted.
    Mrk
     
  24. s23

    s23 Registered Member

    Joined:
    Feb 22, 2009
    Posts:
    263
    Thank you Sirs for the insightful answers.

    Take Care!
     
  25. linuxforall

    linuxforall Registered Member

    Joined:
    Feb 6, 2010
    Posts:
    2,137
    No firewall, let the router handle that. Only Chrome and Opera, both use Adblock with extended privacy list.
     