Securing linux

I am thinking about trying out PCLinux on my other computer. I know that virus and malware do not currently post a threat, but how about tracking from the likes of DoubleClick, Google-Analytics etc. Does linux use a host file or similar?

 

Hello,
Site threats are cross-platform. So the dealing with those is very simple. Make sure the scripts on those sites cannot run on your pc. The simplest method is to use Firefox with Noscript extension.
Mrk

 

Thanks

Thought they would be. The preferred browswer is Opera - does that protect as well? I thought that it was more secure than the basic FF.

 

Hell,
Both are great, just a matter of preference.
Regarding per-site control, FF / Noscript gives you the great possible flexibility you can have of all browser solutions. In Opera, you can accomplish the same, but sometimes there might be some glitches with a few sites.
Try them both, see what fits your bill the best.
Mrk

P.S. I would not worry about double click, triple click, analytics and such.

 

You would use what Opera provides.

Host files in Linux are located in /etc

Privoxy is in the PCLOS repo

And what Mrkvonic said

 

Thanks for that

 

Thanks Mrk

Just going through your tutorial (thanks for taking the time to do that), it seems to be more complex than when I installed Ubuntu a while back - from memory it was more or less automatic. The auto wizard in PCLos doesn't think 9.2 Gb is enough. I am now on my 3rd attempt as I made mistakes then it just froze. Seems to be doing more this time.

 

Hello,

The tutorial is more than just simple installation - it's also configurations afterwards, no less important. As to the complexity, I think I have described almost every step really in detail, so there would be no questions.

One of the things new users need are 100% walkthroughs, not something like open synaptic and install x y - they need to know what synaptic is, where to find it, how to install etc, does seem a bit extra info, but it's for the best.

As to your partitions, well I'm not sure what you're doing, but even 8GB should work, if not less.

Mrk

 

Thanks

It is up and running now and got the browsers installed.

It is really for my Wife. She only uses it for browsing and was getting fed up with all the pop ups from malware warnings and often clicking allow when she should not have, that I thought she would be safer off in Linux. So far she likes it.

 

the hosts file is here -
/etc/hosts

i've no idea how pclos works, but you should be able to open the hosts file if you run these commands in a terminal -
su (then enter your root password)
kwrite /etc/hosts
kwrite is a text editor, if pclos doesn't have kwrite try replacing it with gedit or kate

rkhunter is a nice program for finding rootkits and helping secure your os, i'm not sure but it might keep checksums for important files then check those checksums when it's run in the future, if that's how it works run it as soon as possible like this -
sudo rkhunter --update
sudo rkhunter

 

That is news to me.

I have been spun a yarn about how safe Linux is and now you say you have to protect from rootkits.

If you do not install Samba presumably there cannot be any connection to the Win machines, or is it easy to bypass?

 

I think one should start with the firewall, iptables/netfilter. Whether folks think it's unnecessary or not, i'm reading about it, and i think i'm getting the hang of it.
I didn't like/understand Firestarter's rules, i'm confused somehow. I uses connection tracking in the OUTPUT chain, not the INPUT? Is it up to date with iptables??

Anyway, reading material from the source, and from the Debian forum. There's also a document on securing Debian, which i'll read as soon as i can.

Mrk, do you have any interest in making an article on iptables? I'd really enjoy reading you input on it. Cheers for you site.

 

If you use a firewall, don't run around in root, install software from the repo, you won't get rootkits.

But if you would like to be safe "Securing linux" rkhunter is in the repo.

PCLOS isn't "sudo" to run rkhunter...

Konsole
su <enter>
password <enter>
rkhunter --update <enter>
rkhunter --checkall <enter>

 

Well, it's just an option if you want an additional security check. Linux is very safe - a typical linux box is alot safer than Windows with antivirus, antispyware etc.

But there still exists some rootkits for Linux and different UNIX OSes, so you can use chkrootkit or rkhunter to scan.

Probably the most likely way to get your linux box infected, is by running outated daemons with remote exploits. So to be safe: disable unneccesary daemons AND keep your box updated

 

Quick note, you have a firewall, configured or not, it's there. I'm starting to think nothing is better than iptables itself to configure iptables (kernel).

 

Thanks All for the replies

Pedro

I think PCLos does install a f/w by default. Found what I think is the f/w and upped the protection from standard to next level. I really do not want to get into configuring IPTables. Tried it once before and did not make any sense of it.

 

All the different firewall software for linux are basically just front-ends for iptables, so in the end it's just one firewall with lots of different GUIs. Personally I prefer to configure it manually with a simple script

It's not very difficult, but on the other hand I haven't made a complex setup - i just block incoming traffic and don't bother with outgoing.

 

Me too, it's hard to get good info, from start to finish. But my suggestion is read form the links i gave.
The post in Debian forum is very easy to read, and handles the most important commands for the home pc.
The documentation from the iptables/netfilter website is very good, not too big, and from the author ("Networking Concepts HOWTO" , and "Packet Filtering HOWTO" are good for the home pc).
For the OMG documentation, there's the "iptables tutorial by Oskar Andreasson" in the "Tutorials" section (it's really a book, 200+ pages), and of course the man pages (on the to read list for me).

 

pf is so much easier in my experience, since it uses an actual ruleset instead of a series of commands for example, see this ruleset that gets rid of all bad packets, enables SPI on TCP, UDP, and ICMP, changes up the TCP header to a more secure and random one, allows only people from trusted ip's to connect to my computer, and blocks all other connections:

Code:

ext_if = "tlp0"

table <goodGuys> { someipsthatiwonttellyyou }

scrub in
block return

pass quick on lo (netbsd's version of pf doesn't have set skip on lo so I just pass all of the packets instead on not analyzing them)
pass out on $ext_if proto { tcp, udp, icmp } all flags S/SA modulate state
pass in on $ext_if proto tcp from <goodGuys> to port ssh flags S/SA keep state

As for iptables, well, I haven't done much with it at all (only configured my router to allow incoming connections for ssh which involved editing the firewall script to forward ports), but it seems so much more complicated, but that is probably just me and being biased and all .


As for security, don't run as root, keep your machine up to date, ensure that no daemons are running unless you absolutely need them, and if they don't need to accept remote connections configure then to listen only on localhost, install packages from official repositories, and you should be good to go.

Cheers,

Alphalutra1

 

Ah, it's a file that contains the rules, and also where you edit them. Nice.
But one also has to know what those arguments mean in order to edit them.

 

Sorry for taking this a bit off topic (expanding linux to other *nix's), but the rules are readable by humans if you ask me (no switches like -j -z etc. like iptables uses). And the openbsd faq for pf (which is actually more like a guide and complete authority on the matter while being very easy to read), explains everything, and is linked in my signature.

Let me dissect my ruleset to show you how easy it is.

Code:

ext_if = "tlp0"

This is what is called a "macro", which is just a fancy way of saying defining a variable. So wherever I write $ext_if, it substitutes "tlp0", which is the name of my ethernet card. This is very convenient, since I can use my ruleset anywhere and just change the macro instead having to replace every instance in my ruleset (which isn't bad for my small one for a workstation, but for some people's it may get quite complex).

Code:

table <goodGuys> { someipsthatiwonttellyyou }

This just sets up a table that contains every ip that I trust to connect to my pc via ssh (will still have to authenticate with a password though ) I use a table instead of a list since it is much faster, and this keeps me from having to repeat every ip for every rule in my list, which is very convenient and leaves my rules very easy to adapt to a situation.

Code:

scrub in

This clean up every packet so that malformed packets and fragmentation which helps protect the system.

Code:

block return

This tells it that it should block everything unless permitted in the ruleset, and that if it blocks something it should return a packet saying it was blocked instead of just dropping the packets. Most firewalls just drop the packet, which makes the ports seemed "stealthed". I prefer to conform to regulations and return a packet making my ports seemed "closed", but that is preference and each method has pros and cons.

Code:

pass quick on lo

This allows every packet to be passed on loopback right away without being submitted to the other rules (hence the quick). However, on newer versions of pf, one usually does "set skip on lo" which means that the packets aren't even filtering which helps in performance.

Code:

pass out on $ext_if proto { tcp, udp, icmp } all flags S/SA modulate state

The allows out all tcp, udp, and icmp from my computer to any address and keeps state on them (basically keeps track of each connection and allows returning packets from the connection, this is better known by the abbreviation SPI). The beauty of pf allows me to condense this all to one line, so even though udp and icmp don't have flags for SYN and SYN ACK (the S/SA), it tells pf only to keep track of connections with those flags (they are the flags that start connections). Also, the modulate randomizes the tcp header, which keeps things nice and secure to prevent leaking too much information.

Code:

pass in on $ext_if proto tcp from <goodGuys> to port ssh flags S/SA keep state

This allows incoming ssh connections to my computer from only the IPs I list in my goodGuys table, and it also keeps track of the connections via SPI.

Hopefully that helps a bit, but the faq is much better at explaining then me. Also, as you saw how condensed the file is, I will show you how it actually gets expanded by pf after it is loaded:

Code:

scrub in all fragment reassemble
block return all
pass quick on lo all
pass out on tlp0 proto tcp all flags S/SA modulate state
pass out on tlp0 proto udp all keep state
pass out on tlp0 proto icmp all keep state
pass in on tlp0 proto tcp from <goodGuys> to any port = ssh flags S/SA keep state

Cheers,

Alphalutra1

 

Hello,

Pedro, I have written a bit about it in my Slackware tutorial, but noted, it's another thing on the todo list.

Alpha, would you like to write a guest article? I'd be glad to post it.

Mrk

 

Well, I haven't tried pf at all so I can't draw any comparison. On the other hand I found iptables not complicated if you configure it with the GUI Firestarter.

Has anyone tried Firewall Builder?

This said, at least in Ubuntu a firewall is actually unnecessary as this distribution doesn't have open ports by default. It's a different situation, though, if certain server applications are installed.

 

IMO easiest solution is a cheap router and leave the firewall out of the software...

 

Hi:

My (not necessarily correct) understanding is that you need to enable the iptables in PCLOS from the control center by unchecking the "allow everything" box. It will then install shorewall and you check the boxes that you want to allow. Since I am using a basic setup, I unchecked all the boxes and so far, so good. I'm behind a router/FW, so this has more to do with playing around than with security. Replies, comments, or brief tutorials?