Sufficient Security

Discussion in 'all things UNIX' started by Infected, Dec 5, 2017.

  1. Infected

    Infected Registered Member

    Joined:
    Feb 9, 2015
    Posts:
    848
    I'm running Mint 18.3. I have the firewall enabled. Running Chromium with UBO, and most of all safe browsing habits. Is there much more security that I need?
     
  2. fblais

    fblais Registered Member

    Joined:
    Jul 31, 2008
    Posts:
    1,112
    Location:
    Québec, Canada
    I don't use more than that.
    You are behind a NAT router I guess?
     
  3. Infected

    Infected Registered Member

    Joined:
    Feb 9, 2015
    Posts:
    848
    Yes.
     
  4. reasonablePrivacy

    reasonablePrivacy Registered Member

    Joined:
    Oct 7, 2017
    Posts:
    498
    Location:
    Member state of European Union
    Keep your system up to date. I mean install security updates.
    I don't know Mint. I know some distributions are faster while others are slower in providing security updates. If security is your primary concern, make sure the distro of your choice is one that has a history of quick delivery of security updates.
     
    Last edited: Dec 5, 2017
  5. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    1,329
    You might consider sandboxing your applications with Firejail.
     
  6. Infected

    Infected Registered Member

    Joined:
    Feb 9, 2015
    Posts:
    848
    What about kernel updates? Are they high priority for security?
     
  7. Infected

    Infected Registered Member

    Joined:
    Feb 9, 2015
    Posts:
    848
    I was thinking about that also. Do I need fj for chromium?
     
  8. reasonablePrivacy

    reasonablePrivacy Registered Member

    Joined:
    Oct 7, 2017
    Posts:
    498
    Location:
    Member state of European Union
    It depends on the vulnerability and whether you are using additional mechanisms to achieve security in depth.
    I am talking about desktop use-cases.
    The worst kind of vulnerabilities to defend are RCE (remote code execution). The good news is that they are rarely found in the kernel. They are often found in internet-facing user-space programs, so often the most important task is to update user-space programs. On the other hand, if you use AppArmor, SELinux or another MAC mechanism, it is good to update the kernel too, but it is not so important.
    There are rare exceptions to that.
     
  9. fblais

    fblais Registered Member

    Joined:
    Jul 31, 2008
    Posts:
    1,112
    Location:
    Québec, Canada
    Honestly, I have not used anything special in Linux for a long time and never got infected.
    Sole thing I added to the FW is blocking TCP ports 139 and 445 outbound.
    Depends on your surfing habits maybe.
     
  10. reasonablePrivacy

    reasonablePrivacy Registered Member

    Joined:
    Oct 7, 2017
    Posts:
    498
    Location:
    Member state of European Union
    IIRC most desktop GNU/Linux distributions don't have anything listening on these ports by default. It would be better to block TCP 22 (OpenSSH).
     
  11. Infected

    Infected Registered Member

    Joined:
    Feb 9, 2015
    Posts:
    848
    Thanks for the replies.
     
  12. fblais

    fblais Registered Member

    Joined:
    Jul 31, 2008
    Posts:
    1,112
    Location:
    Québec, Canada
    I'll be adding this one too. :)
    Nothing to lose letting the others in the list. (related to Windows SMB, right?)
     
  13. Infected

    Infected Registered Member

    Joined:
    Feb 9, 2015
    Posts:
    848
    Is this how to block outbound ports?

    Code:
    # /sbin/iptables -A OUTPUT -p tcp --dport 22 -j DROP
    # /sbin/service iptables save
     
  14. reasonablePrivacy

    reasonablePrivacy Registered Member

    Joined:
    Oct 7, 2017
    Posts:
    498
    Location:
    Member state of European Union
    Primarily you want to block input TCP 22 port, so nobody can log in to your OpenSSH daemon.
    Then reboot and check:
    Code:
    iptables -L -n
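
An added example (not part of any post in this thread): a shell check that reads `iptables -S` and `ss -tln` text and reports, per port, whether anything is listening and what the first matching rule in INPUT and in OUTPUT does, which is the inbound/outbound distinction made in the reply above. The function names and the sample rules and sockets are constructed for illustration.

```shell
#!/bin/sh
# Added example; the sample input below is constructed, not captured output.
# first_verdict RULES CHAIN PORT: target of the first "-p tcp --dport PORT" rule
# in CHAIN (ACCEPT, DROP or REJECT) from `iptables -S` text, or "none".
# Assumption: chain policy, multiport/ranges and user chains are not evaluated.
first_verdict() {
    printf '%s\n' "$1" | awk -v chain="$2" -v port="$3" '
        $1 == "-A" && $2 == chain {
            tcp = 0; dport = ""; target = ""
            for (i = 3; i < NF; i++) {
                if ($i == "-p" && $(i + 1) == "tcp") tcp = 1
                if ($i == "--dport") dport = $(i + 1)
                if ($i == "-j") target = $(i + 1)
            }
            if (tcp && dport == port && target ~ /^(ACCEPT|DROP|REJECT)$/) {
                print target; found = 1; exit
            }
        }
        END { if (!found) print "none" }'
}

# is_listening SS_OUTPUT PORT: succeeds if `ss -tln` text shows a TCP
# listener on PORT; the port is whatever follows the last ":" (IPv4 or IPv6).
is_listening() {
    printf '%s\n' "$1" | awk -v port="$2" '
        $1 == "LISTEN" { n = split($4, a, ":"); if (a[n] == port) hit = 1 }
        END { exit (hit ? 0 : 1) }'
}

# audit_port RULES SS_OUTPUT PORT: one-line summary for a single port.
audit_port() {
    in_v=$(first_verdict "$1" INPUT "$3")
    out_v=$(first_verdict "$1" OUTPUT "$3")
    if is_listening "$2" "$3"; then l=yes; else l=no; fi
    echo "port=$3 listening=$l inbound=$in_v outbound=$out_v"
}

# Constructed sample: an INPUT rule for 22 plus OUTPUT rules for 22 and 445.
SAMPLE_RULES='-P INPUT ACCEPT
-P OUTPUT ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j DROP
-A OUTPUT -p tcp -m tcp --dport 22 -j DROP
-A OUTPUT -p tcp -m tcp --dport 445 -j DROP'
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*
LISTEN 0      128    [::]:22            [::]:*
LISTEN 0      5      127.0.0.1:631      0.0.0.0:*'

for p in 22 139 445; do audit_port "$SAMPLE_RULES" "$SAMPLE_SS" "$p"; done
```

On a live system, run as root, the same function takes real input: `audit_port "$(iptables -S)" "$(ss -tln)" 22`. A port that shows `listening=yes` with `inbound=none` is reachable unless the chain policy or another rule stops it.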
     
  15. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    9,235
    Security for what?
    Mrk
     
  16. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    1,329
    Yes, it improves its security. See also this follow-up post, and this post which shows how the default profile for Chromium can be considerably tightened.
     
  17. Infected

    Infected Registered Member

    Joined:
    Feb 9, 2015
    Posts:
    848
    I know Firejail is Linux, but does it sandbox similar to Sandboxie? I've used Sandboxie in the past, but I've just started using FJ a couple of weeks ago, with Firetools.
     
  18. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    1,329
    I'm not familiar with Sandboxie. Firejail uses features available in the Linux kernel (chroot, seccomp-bpf, namespaces, capabilities) in order to sandbox applications.
    I normally don't use Firetools at all. The best way to use Firejail is by following the steps outlined here. This makes sure that all applications for which Firejail profiles are available will be started sandboxed.
     
  19. Infected

    Infected Registered Member

    Joined:
    Feb 9, 2015
    Posts:
    848
    Ok thanks. I'll check that website out. I already did the sound fix, I lost sound after installing FJ.
     
  20. Santos_L_Halper

    Santos_L_Halper Registered Member

    Joined:
    Sep 22, 2009
    Posts:
    14
    Security for absurd paranoia...
     