Your Linux Desktop Security Setup

Discussion in 'all things UNIX' started by BrandiCandi, Apr 3, 2012.

Thread Status:
Not open for further replies.
  1. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    True, a service or exploited application with those rights could open a port. I might consider installing a firewall on that basis.

    I might set one up a bit later.

    edit: I'm behind NAT, and I know how to bypass that, but because of the NAT I'm not really too worried. I would like to get to the FW though eventually.
     
  2. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    Brandi, Do you have any guides/ whatever for how to set up inbound/outbound rules with UWF or whatever the tool is.
     
  3. BrandiCandi

    BrandiCandi Guest

    Yup. UFW (uncomplicated firewall) is prepackaged in vanilla ubuntu. It's a command line program that tries to simplify (or some may say obfuscate) iptables, which is the underlying firewall. You can install GUFW which will give you a GUI to control UFW. Whatever you end up using, it's important to know that you cannot modify both iptables & UFW. It's either-or. If you choose to stick with iptables you need to uninstall UFW (and GUFW too).

    Don't know how wilders feels about linking to other forums (seems kinda circular). But I liked this tutorial:
    http://ubuntuforums.org/showthread.php?t=1876124

    Honestly I've been screwing around with iptables and have been failing. All I end up doing is blocking all traffic on my network. I haven't had the time to figure out where I'm screwing it up so I can't give you any guidance on iptables. But I'm pretty comfortable with UFW/GUFW.
     
  4. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    Thanks, I'll give that a read and see if i can set things up.
     
  5. chronomatic

    chronomatic Registered Member

    Joined:
    Apr 9, 2009
    Posts:
    1,343
    Ubuntu does a lot of things security wise that are better, imo, than any distro out there (with the possible exception of Fedora). Sure you can lock down any distro, but Ubuntu does most of it by default. Some distros (like Arch) do not even sign their package repos (a huge security risk!).

    List of Ubuntu security features: https://wiki.ubuntu.com/Security/Features

    Compare it with most other default distros and you will see Ubuntu is ahead of just about all of them. Of course most of these features are now in the Linux kernel itself, but distros must compile the kernel to take advantage of them. Ubuntu does.
     
  6. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    Ubuntu's actually fairly behind a distro like Fedora, which bundles exec-shield. At least that's how I understand it.
     
  7. jitte

    jitte Registered Member

    Joined:
    May 2, 2012
    Posts:
    67
    I've got 4 FreeBSD boxen, no remote access allowed, running the OpenBSD pf firewall, Tripwire, rkhunter, clamav, bcrypt, and using Firefox or Seamonkey with NoScript and Adblock.

    I'm in the process of converting one of them into a dedicated firewall running pfSense but just started on it last night.
     
  8. BrandiCandi

    BrandiCandi Guest

    Oh man, you don't ssh into it? I'd feel like my arm was cut off without ssh :(
     
  9. jitte

    jitte Registered Member

    Joined:
    May 2, 2012
    Posts:
    67
    Hi, BrandiCandi.

    No, to tell you the truth I've never used ssh or telnet since I started using computers in '93. I only require local access, have always kept everything locked down as securely as possible, and don't even trust myself with remote access. :p I figured if I could get in the chances for somebody else being able to was increased.

    All that's about to change though. I've got pfSense installed on one of my machines now and am headed to BestBuy tomorrow to get a switch for it. Once I get the hardware firewall set up and my other 3 FreeBSD machines connected behind it over the LAN I'm going to be playing with it. :)
     
  10. chronomatic

    chronomatic Registered Member

    Joined:
    Apr 9, 2009
    Posts:
    1,343
    Exec-Shield is nothing but NX protection (actually an emulation) written for i386 processors that do not natively have the NX instructions. NX emulation is now in the kernel, thus making exec-shield pretty much useless.
     
  11. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    Are you sure about that? I don't know much about it, haven' tlooked into it, but the way I saw it was that they removed exec-shield in Ubuntu and instead left it to developers to compile with NX.
     
  12. Ranget

    Ranget Registered Member

    Joined:
    Mar 24, 2011
    Posts:
    846
    Location:
    Not Really Sure :/
    are there tutorial On how to setup

    Gufu / apparmor / IDS systems i can't quite figure them out

    also did anyone try Comodo Antivirus ?
     
  13. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
  14. Fox Mulder

    Fox Mulder Registered Member

    Joined:
    Jun 2, 2011
    Posts:
    204
    My laptop runs Crunchbang Statler, which is basically Debian with Openbox, tint2, conky and some non-free drivers pre-installed. I use iptables and SELinux for security.
     
  15. BrandiCandi

    BrandiCandi Guest

    I assume you're using Ubuntu?

    Gufw/ufw tutorials
    http://ubuntuforums.org/showthread.php?t=1876124
    http://blog.bodhizazen.net/linux/firewall-ubuntu-desktops/
    https://help.ubuntu.com/community/UFW

    HIDS tutorial
    http://ubuntuforums.org/showthread.php?t=1477662

    Why would you want to use Comodo Antivirus on Linux? There aren't any viruses in the wild for Linux so you'd just be scanning for known windows viruses. If there ever were to be linux viruses, the existing antivirus options do not use heuristics for linux viruses so you wouldn't be protected anyway. IMO using an AV on linux largely just gives the user a false sense of protection. Maybe the only reason to use AV on Linux is to prevent spreading windows viruses to a windows machine by sending infected documents. But it really doesn't offer any protection for your Linux box.
     
  16. jitte

    jitte Registered Member

    Joined:
    May 2, 2012
    Posts:
    67
    I run clamav on my FreeBSD boxes but only because it gives me something to do if I get bored. o_O

    It does check for "malware" but I don't use Wine and it's never found anything.
     
  17. BrandiCandi

    BrandiCandi Guest

    Right. It's checking for windows Trojans, viruses, malware and other malicious threats.
     
  18. jitte

    jitte Registered Member

    Joined:
    May 2, 2012
    Posts:
    67
    I used to frequent this and other security forums several years ago, I think the last time I stopped in here it was using the old forum software that had kind of a yellow and white color scheme to it, but when I came back this time what struck me was the never ending list of forums for Windows security programs.

    Not that I wasn't as involved as anyone and didn't use all the popular programs, ConSeal PC Firewall comes to mind as one of my all time favorites, but now that I've migrated from Windows and was away from the scene for a while it all seems so...strange.

    Better to get a *NIX box of some flavour and be done with it.
     
  19. iceni60

    iceni60 ( ^o^)

    Joined:
    Jun 29, 2004
    Posts:
    5,116
    can this FW be used like a average windows one - you can a popup when something asks for internet access then you make a rule for it? that is something i would love to have :)
     
  20. BrandiCandi

    BrandiCandi Guest

    Frankly, no. Not that I've found. Doesn't mean it doesn't exist, though. You could kind of do that by setting up a basic firewall, then reviewing your firewall logs when you try to use a new service. It will show traffic blocked on the specific ports needed for that service, so then you'd write a rule to allow it. But that's not really pop-up / click / rule written in the way that windows works.

    My experience with windows firewalls (limited to comodo & the built-in microsoft one) is they like to do the configuring for you, which just kind of obfuscates the process if you know what you're doing. They give you the pop-ups, and you choose to open ports based on what program uses them instead of opening a specific port number. I still haven't figured out how to change a port number for any given service in windows, meaning I can't get the granular control of a windows firewall I'm looking for.

    My experience with linux firewalls (which is limited to gufw/ufw and iptables) is that you really need to understand the OSI model of TCP/IP traffic to get it configured properly. There are some firewall setup tutorials out there, but when you start adding custom services (like printers), it gets harder to find someone to tell you what to do. For instance, I've got an HP printer/scanner and I had to read a 200-page book on networking before I could get the damn thing to scan through the firewall. LOL.
     
  21. jitte

    jitte Registered Member

    Joined:
    May 2, 2012
    Posts:
    67
    By enabling Windows Firewall with Advanced Security through the Microsoft Management Control console with a snap-in.

     
  22. FWIW, Mandriva (and I think Mageia and PCLinuxOS) have interactive firewalls. The GUIs are not perfect though, I've seen them crash when packets get spammed (though the underlying firewall doesn't fail).
     
  23. BrandiCandi

    BrandiCandi Guest

  24. jitte

    jitte Registered Member

    Joined:
    May 2, 2012
    Posts:
    67
    I ran it on Vista and XP too if I remember correctly, I assume it's still supported.

    It's definitely worth enabling.
     
  25. x942

    x942 Guest

    Now running OpenSuse 12.1 with apparmor and chromium (Seccomp).

    Running smooth. I like the security enhancements built in, however it lacks in other areas.
     
Thread Status:
Not open for further replies.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.