Your Linux Desktop Security Setup

Discussion in 'all things UNIX' started by BrandiCandi, Apr 3, 2012.

Thread Status:
Not open for further replies.
  1. BrandiCandi

    BrandiCandi Guest

    In an effort to stop hijacking other peoples' threads (sorry Hungry Man!) and at x942's suggestion, I thought I'd start a new thread:

    What is your Linux security setup?

    I've been running Ubuntu 11.10 (a full install)
    with UFW denying all incoming & outgoing except what's whitelisted
    (but I'm in transition to iptables currently)
    Running ssh with key authentication, password login disabled, on an obscure port
    Firefox with noscript, adblock, & https everywhere
    full disk encryption
    Wireshark (does that count?)

    I've done absolutely nothing to alter the basic defaults in my VMs running Debian & various *buntus.
     
  2. AlexC

    AlexC Registered Member

    Joined:
    Apr 4, 2009
    Posts:
    1,288
    Adblock plus in chromium because of the ads... don't feel the need to add anything else.
    I simply surf the web and do my work without worries :)
     
  3. x942

    x942 Guest

    Awesome! Thanks for the thread! :D

    Setup #1 (Host):

    Ubuntu 11.10
    LUKS FDE
    Apparmour (With default profiles and HM's Profiles)
    IPTables (Block all incoming & block all Russian/Chinese IP's)
    RKhunter
    Chkrootkit
    Bastille
    PSAD (Port-Scan Attack Detector)
    Tripwire IDS
    Chrome Dev. - Seccomp + AdBlock & Built in javascript whitelisting
    ( I use Setup #2 for all web browsing)

    Setup #2 (Guest VM)

    Debian Stable
    SeLinux
    Chrome Dev (Seccomp + AdBlock & Built in javascript whitelisting)
    RKHunter
    Chkrootkit
    IPTables (Block all incoming & block all Russian/Chinese IP's) - Redundant as using virtual NAT?

    Setup #3 (Host #2)

    Gentoo
    Hardened Kernel (GrSecurity)
    IPTables (Block all incoming & block all Russian/Chinese IP's)
    Chrome Dev (Seccomp + AdBlock & Built in javascript whitelisting)
     
  4. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    10,297
    Nothing really. I run noscript in some cases, but not because of security.
    Mrk
     
  5. mack_guy911

    mack_guy911 Registered Member

    Joined:
    Mar 21, 2007
    Posts:
    2,677
    i used to be security freak but now nothing just default Selinux some firefox addons no script, cookie monster clean flash cookie and

    astaro gateway decent configure with country blocking nothing else

    on ubuntu nothing :D

    when i used to use windows i always have nightmare of its been hacked 5 years nothing happen so one day i put virus in it my self with pendrive and since then i sleep in peace :))
     
    Last edited: Apr 4, 2012
  6. BrandiCandi

    BrandiCandi Guest

    If not for security, what do you use it for?
     
  7. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,167
    Location:
    UK / Pakistan
    Default ubuntu set up with gnome 3.
     
  8. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    10,297
    I use it to silence websites. Too many are gaudy and flashy and noisy. I like the landscape to be quiet, and the simplest way to achieve that is by using Noscript. But not always. Sometimes I just don't bother. And of course, as my own self-appointed web dev, it's useful for testing and/or blocking services, third-party sites to check behavior without impacting or skewing traffic.

    Mrk
     
  9. shuverisan

    shuverisan Registered Member

    Joined:
    Dec 23, 2011
    Posts:
    185
    Good thread Brandi, fun stuff. Here are some things from my possible to do list. A lot of this is taken from the NSA RHEL guide (from 2008 iirc) and Debian's security manual. I have yet to run through the SANS checklist but have a copy laying around.

    -If encrypted data is to be stored on this comp, and if it's a laptop, always fill the drive with random data before the install. This will take about 24 hours. do multiple passes if time allows.
    dd if=/dev/urandom of=/dev/sdxx bs=1M

    -Use LUKS to encrypt a drive or a partition, or encfs to encrypt a specific folder.

    -Massively restrict where root can log in
    /etc/securetty

    -Mount your drives/locations with more restrictions
    /etc/fstab
    mount /home with nodev & nosuid
    mount /tmp into RAM (tmpfs) with noexec, nodev, nosuid
    tmpfs /tmp tmpfs rw,nosuid,nodev,noexec,noatime,size=2048M 0 0

    do same for /var/run, /var/lock, & /var/tmp if you want
    mount chrome's cache into RAM (~/.cache/chromium)
    mount flash LSO storage in RAM (~/.macromedia/Flash_Player & ~/.adobe/Flash_Player)

    make sure to add to Firefox's about:config
    browser.cache.disk.parent_directory; /tmp/ffcache


    -Configure startup services
    Find out what runlevel you are:
    cat /etc/inittab | grep initdefault

    Then go to:
    /etc/rcx.d, where x is your runlevel (likely will be 2).
    Edit:
    the 'S##name' to a 'K01name' for scripts you want to disable


    -Restrict max number of processes (nproc), max number of logins (maxlogins) and disable core files (core). Depending on your setup, you may wanna use different numbers.
    /etc/security/limits.conf
    -Add:
    #MY ENTIRES
    @userorgroupname hard core 0
    @userorgroupname hard nproc 350
    root hard nproc 400
    @userorgroupname hard maxlogins 2
    root hard maxlogins 2

    /etc/pam.d/su
    Uncomment:
    session required pam_limits.so


    -Set Login password storage encryption
    /etc/login.defs
    -Uncomment and/or set:
    ENCRYPT_METHOD SHA256
    SHA_CRYPT_MIN_ROUNDS 5000
    SHA_CRYPT_MAX_ROUNDS 5000

    LOGIN_RETRIES 3
    LOGIN_TIMEOUT 15

    FAILLOG_ENAB yes


    -Create a wheel group to limit sudo users
    sudo groupadd -r wheel
    add only priviledged users


    -Deny all TCP wrappers
    /etc/hosts.deny
    Uncomment:
    ALL:pARANOID
    or
    ALL: ALL
    (where the face is, should be a colon and capital P)


    -Secure SSH
    /etc/ssh/ssh_config
    Add:
    PermitRootLogin no
    PermitEmptyPasswords no
    AllowGroups wheel admin

    Uncomment:
    PasswordAuthentication yes
    Protocol 2 (remove 1)


    -Ban unwanted packages from the system
    /etc/apt/preferences
    -Add:
    Package: zeitgeist
    Pin: version 0
    Pin-Priority: -1


    -Some other network stuff, explanations in the file
    /etc/sysctl.conf
    -Uncomment:
    net.ipv4.conf.default.rp_filter=1
    net.ipv4.conf.all.rp_filter=1

    net.ipv4.tcp_syncookies=1

    net.ipv4.conf.all.accept_redirects = 0
    net.ipv6.conf.all.accept_redirects = 0

    net.ipv4.conf.all.send_redirects = 0

    net.ipv4.conf.all.accept_source_route = 0
    net.ipv6.conf.all.accept_source_route = 0

    net.ipv4.conf.all.log_martians = 1

    Add:
    #Disable all ipv6
    net.ipv6.conf.all.disable_ipv6 = 1
    net.ipv6.conf.default.disable_ipv6 = 1
    net.ipv6.conf.lo.disable_ipv6 = 1


    -Remove as many unused packages as possible, but especially,
    apt-get (or yum whatever) purge portmap telnet

    -Don't need Java? Get rid of it or disable the browser plugin.

    -Keep tarballed backups so you no longer fear fresh installs.
     
    Last edited: Apr 4, 2012
  10. Judge Dee

    Judge Dee Guest

    Ubuntu 10.04 :
    NoScript (mainly for Mrk's reason).
    Once in a great, great while I run rkhunter just for something to do when I'm bored.
     
  11. moontan

    moontan Registered Member

    Joined:
    Sep 11, 2010
    Posts:
    3,931
    Location:
    Québec
    some of us have tried, or trying Linux, because it is supposed to be much safer than Windows.
    if i am gonna tweak Linux to death for security i might as well stay with Windows.

    on Linux, i use NoScript.
    and the GUFW front end for the kernel firewall.
     
  12. malexous

    malexous Registered Member

    Joined:
    Jun 18, 2010
    Posts:
    830
    Location:
    Ireland
    None. I do use Adblock Plus and NoScript, though, to get rid of annoyances.
     
  13. mack_guy911

    mack_guy911 Registered Member

    Joined:
    Mar 21, 2007
    Posts:
    2,677
    rkhunter and chkrootkit as well bleachbit non-root and used for broswers and flash cookie only

    also i use virus total to scan some files on linux :)
     
  14. NGRhodes

    NGRhodes Registered Member

    Joined:
    Jun 23, 2003
    Posts:
    2,381
    Location:
    West Yorkshire, UK
    Never had any security issues with default setup in Ubuntu, so never felt the need to alter.

    Cheers, Nick.
     
  15. mack_guy911

    mack_guy911 Registered Member

    Joined:
    Mar 21, 2007
    Posts:
    2,677

    agree nick


    but its also good some digging deep in security great thread thanks BrandiCandi for starting it
     
  16. NGRhodes

    NGRhodes Registered Member

    Joined:
    Jun 23, 2003
    Posts:
    2,381
    Location:
    West Yorkshire, UK
    Yes, if there is a real world threat about, that relates to my specific usage/setup, I will try and improve the security setup (if its not covered by normal updates), else IMHO its just extra admin to satisfy paranoia .

    Cheers, Nick
     
  17. chrisretusn

    chrisretusn Registered Member

    Joined:
    Jun 16, 2004
    Posts:
    1,695
    Location:
    Philippines
    I guess my only security is I have a good password. :)

    I have nothing installed outside what comes with the distribution and make no effort to set anything up that comes included with the distribution. Just don't see a reason to do so. Some would be redundant anyway since I sit behind a firewall.

    I have several Firefox extensions installed such as NoScript, but I really don't consider them as part of my Linux security measures. These extensions would be used regardless of the OS.
     
  18. s23

    s23 Registered Member

    Joined:
    Feb 22, 2009
    Posts:
    263
    -When using a Redhat based distro (Scientific linux, puias or centos) I use selinux sandbox for the same motive I used sandboxie in Windows: A system without internet junkie( cookies, temp files...).

    -When using openSUSE or Ubuntu, default profiles for apparmor. In Ubuntu I use ufw default deny incoming policy(already enabled by default in openSUSE firewall).

    -firefox with adblock plus and noscript, to remove unecessary page loads and junkies from websites.


    --chromium with seccomp-sandbox just for fun, scriptno and adblock plus for the same reasons I use in firefox.

    Not necessary use some of this things, but you know.. its just to learn something new.
     
  19. s23

    s23 Registered Member

    Joined:
    Feb 22, 2009
    Posts:
    263
    I wanna use the topic to ask something(sorry if O.T. - but I think the subject its the same) about security in linux servers:

    Why admins don't use graphical desktop and tools to do the sysadmin work? I imagine that the less you install, less the attack surface... but its really necessary? Install a basic gnome/xfce/kde interface can really cause some impact in the server security??
     
  20. BrandiCandi

    BrandiCandi Guest

    Because it's actually easier to administer a linux server via terminal. I don't think it's got much to do with security.

    And, incidentally, the whole reason I'm locking down my desktop is to figure out how to lock down a server. Vanilla Linux desktops seem to get cracked rarely (based on my extensive 9 months of experience :p ), however it's a good bet that a poorly configured Linux server will get cracked.
     
  21. BrandiCandi

    BrandiCandi Guest

    Ah, that makes sense. I always thought of the quiet as a happy side effect of NoScript. I miss it when I'm on my Windows work computer running IE. It's not my system to secure, but I wish I could block scripts for my personal tranquility.
     
  22. NGRhodes

    NGRhodes Registered Member

    Joined:
    Jun 23, 2003
    Posts:
    2,381
    Location:
    West Yorkshire, UK
    Running a GUI through XWindows (which all Linux desktops run on) COULD be a security issue if its not locked down (such as allowing remote access - susceptible to packet sniffing), attackers could read passwords or documents or anything on the GUI if X was attacked. Not a big security risk, but like with running anything unnecessary (e.g. print or file server), its more efficient to simply not install and not have to spend time configuring for better security.

    We do use graphical tools for monitoring linux servers, but these run on desktops or monitoring servers and remotely collect the metrics off the servers we need, much easier for our helpdesk guys to visualise.

    I find the mature commandline offers numerous advantages over GUI -

    Faster for remote access (my pass does not even let me access our server rooms), GUIs take time, even over LAN.
    Less server resources.
    Easier to script multiple commands into job and maintain them (piping and redirecting allow almost universal chaining of commands that is impossible from the GUI).
    Easier to repeat on different machines (this is the main reason MS reinvented the command line as power shell which all their current servers support)
    Less different interface differences to learn (limited ways to write command line interfaces, even Microsofts own tools vary in interface design - IIS seems to use lots of tabs per website dialog, SQL server uses lots of different dialogs per database)

    Cheers, Nick
     
  23. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    10,297
    Command line mostly because of automation.
    If it runs from the command line, it's deterministic and can be scripted.
    Mrk
     
  24. s23

    s23 Registered Member

    Joined:
    Feb 22, 2009
    Posts:
    263
    Thank you Sirs for the insightful answers.

    Take Care!
     
  25. linuxforall

    linuxforall Registered Member

    Joined:
    Feb 6, 2010
    Posts:
    2,137
    No firewall, let the router handle that. Only Chrome and Opera, both use Adblock with extended privacy list.
     
Thread Status:
Not open for further replies.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.