Sufficient Security

Discussion in 'all things UNIX' started by Infected, Dec 5, 2017.

  1. Infected

    Infected Registered Member

    Joined:
    Feb 9, 2015
    Posts:
    761
    I'm running Mint 18.3. I have the firewall enabled. Running Chromium with UBO, and most of all safe browsing habits. Is there much more security that I need?
     
  2. fblais

    fblais Registered Member

    Joined:
    Jul 31, 2008
    Posts:
    1,038
    Location:
    Québec, Canada
    I don't use more than that.
    You are behind a NAT router, I guess?
     
  3. Infected

    Infected Registered Member

    Joined:
    Feb 9, 2015
    Posts:
    761
    Yes.
     
  4. reasonablePrivacy

    reasonablePrivacy Registered Member

    Joined:
    Oct 7, 2017
    Posts:
    102
    Location:
    Some country in the European Union
    Keep your system up to date. I mean install security updates.
    I don't know Mint. I know some distributions are faster while others are slower in providing security updates. If security is your primary concern, make sure the distro of your choice is one that has a history of quick delivery of security updates.
     
    Last edited: Dec 5, 2017
  5. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    1,158
    You might consider sandboxing your applications with Firejail.
     
  6. Infected

    Infected Registered Member

    Joined:
    Feb 9, 2015
    Posts:
    761
    What about kernel updates? Are they high priority for security?
     
  7. Infected

    Infected Registered Member

    Joined:
    Feb 9, 2015
    Posts:
    761
    I was thinking about that also. Do I need fj for chromium?
     
  8. reasonablePrivacy

    reasonablePrivacy Registered Member

    Joined:
    Oct 7, 2017
    Posts:
    102
    Location:
    Some country in the European Union
    It depends on the vulnerability and whether you are using additional mechanisms to achieve security in depth.
    I am talking about desktop use-cases.
    The worst kind of vulnerabilities to defend against are RCE (remote code execution). The good news is that they are rarely found in the kernel. They are often found in internet-facing user-space programs, so often the most important task is to update user-space programs. On the other hand, if you use AppArmor, SELinux or another MAC mechanism, it is good to update the kernel too, but it is not so important.
    There are rare exceptions to that.
     
  9. fblais

    fblais Registered Member

    Joined:
    Jul 31, 2008
    Posts:
    1,038
    Location:
    Québec, Canada
    Honestly, I have not used anything special in Linux for a long time and never got infected.
    The sole thing I added to the FW is blocking TCP ports 139 and 445 outbound.
    Depends on your surfing habits maybe.
     
  10. reasonablePrivacy

    reasonablePrivacy Registered Member

    Joined:
    Oct 7, 2017
    Posts:
    102
    Location:
    Some country in the European Union
    IIRC most desktop GNU/Linux distributions don't have anything listening on these ports by default. It would be better to block TCP 22 (OpenSSH).
     
  11. Infected

    Infected Registered Member

    Joined:
    Feb 9, 2015
    Posts:
    761
    Thanks for the replies.
     
  12. fblais

    fblais Registered Member

    Joined:
    Jul 31, 2008
    Posts:
    1,038
    Location:
    Québec, Canada
    I'll be adding this one too. :)
    Nothing to lose leaving the others in the list. (Related to Windows SMB, right?)
     
  13. Infected

    Infected Registered Member

    Joined:
    Feb 9, 2015
    Posts:
    761
    Is this how to block outbound ports?

    Code:
    # /sbin/iptables -A OUTPUT -p tcp --dport 22 -j DROP
    # /sbin/service iptables save
     
  14. reasonablePrivacy

    reasonablePrivacy Registered Member

    Joined:
    Oct 7, 2017
    Posts:
    102
    Location:
    Some country in the European Union
    Primarily you want to block the input TCP 22 port, so nobody can log in to your OpenSSH daemon.
    Then reboot and check:
    Code:
    iptables -L -n
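
Added example, not part of any post in this thread: one way to read the two checks discussed above (is anything listening on a port, and what does the INPUT chain do with a new connection to it) from `ss -tln` and `iptables -S INPUT` output. The sample output is constructed, the function names are hypothetical, and the rule matcher is simplified: rules with extra matches such as interfaces or connection state are skipped.

```shell
#!/bin/sh
# Added example, not from the thread. Sample data is constructed; on a real host
# pipe `ss -tln` and (as root) `iptables -S INPUT` into the functions instead.

# Print the local address of every TCP listener on port $1 (stdin: `ss -tln`).
listeners() {
    awk -v p="$1" '$1 == "LISTEN" { n = split($4, a, ":"); if (a[n] == p) print $4 }'
}

# Print the verdict (ACCEPT/DROP/REJECT) a new inbound TCP connection to port $1
# would get (stdin: `iptables -S INPUT`). Simplification: rules carrying extra
# matches (-i, -s, conntrack, port ranges, negation) are skipped as not decisive.
input_verdict() {
    awk -v p="$1" '
        $1 == "-P" && $2 == "INPUT" { policy = $3; next }
        $1 == "-A" && $2 == "INPUT" && verdict == "" {
            proto = ""; dport = ""; target = ""; other = 0
            for (i = 3; i <= NF; i++) {
                if ($i == "-j") { target = $(i + 1); break }   # target options follow
                else if ($i == "-p") proto = $(++i)
                else if ($i == "--dport") dport = $(++i)
                else if ($i == "-m" && $(i + 1) == "tcp") i++
                else other = 1
            }
            if (!other && (proto == "" || proto == "tcp") && (dport == "" || dport == p) &&
                (target == "ACCEPT" || target == "DROP" || target == "REJECT"))
                verdict = target                               # first match wins
        }
        END { print (verdict != "" ? verdict : policy) }'
}

SS_SAMPLE='State   Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN  0      128    *:22                *:*
LISTEN  0      5      127.0.0.1:631       *:*
LISTEN  0      128    :::22               :::*'
# A DROP appended (-A) after an existing ACCEPT for the same port never fires.
RULES_SHADOWED='-P INPUT ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j DROP'
RULES_OK='-P INPUT ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j DROP'

printf 'listeners on 22: %s\n' "$(printf '%s\n' "$SS_SAMPLE" | listeners 22 | tr '\n' ' ')"
printf 'DROP appended after ACCEPT: %s\n' "$(printf '%s\n' "$RULES_SHADOWED" | input_verdict 22)"
printf 'DROP only: %s\n' "$(printf '%s\n' "$RULES_OK" | input_verdict 22)"
```

The shadowed ruleset shows why checking the listed rules after a reboot matters: rule order decides the outcome, and a port with no matching rule falls through to the chain policy.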
     
  15. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    9,017
    Security for what?
    Mrk
     
  16. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    1,158
    Yes, it improves its security. See also this follow-up post, and this post which shows how the default profile for Chromium can be considerably tightened.
     