Welcome to the Linux Foundation Forum!

Security Help? Linux-Debian-Gnome-i386.iso


I just installed Linux-Debian-Gnome-i386.iso on an old Windows XP desktop. It's my first Linux experience and among other things I'd like to lock it down. I'm not sure at this point what I'm going to do with it, I might throw BackTrack on a partition and use that... but who knows. Regardless, I am not sure how to lock down anything Linux. Tips, advice, warnings, all is accepted. Thanks for the help!


  • jabirali
    jabirali Posts: 157
    In what way do you want to "lock it down"? Note that by default, only the system administrator (the user root) can modify system-wide settings, install programs or in any way damage the system itself. The UNIX permission system ensures that even if someone designs a virus that targets Linux (I so far don't know of any), they (1) have to set the virus file executable after transferring it to your system, and (2) won't have the permissions to do any system-wide damage.

    If Linux Mint follows the same defaults as Ubuntu, the root user is disabled by default, but commands can be invoked with administrator privileges using the command sudo. Only users in a group named admin or wheel can gain administrative privileges using sudo (the exact name of this group depends on the distribution, e.g. in Arch and Gentoo it's wheel, in Ubuntu it's admin). The first user you create will be put in this group - and is able to invoke sudo using his own password.

    If Mint follows the default model of Debian, I believe the root user will be enabled by default, and given a password. You should in that case be able to either gain root privileges using the command su (switch user) or sudo, but in this case with the password of the root user.

    Both models are viable, and the default is usually good enough. The exact mechanism used to gain root privileges can be customized though, no matter which distribution you use. Note that if the root user is enabled, you should never log in graphically as this user, since it is considered dangerous and unwise. You should also take care when running commands as root in a terminal, as the root user is omnipotent; he can remove important system files with no warning issued, and has direct read/write access to all hardware devices. With great power, comes great responsibility :-)
  • Doumiwia
    Doumiwia Posts: 5
    I'm not sure. I was thinking about possibly whole disk encryption in case the box was ever stolen. It's not really something I'm concerned with but I want to practice some theoretical situations. Also standard file encryption. Shutting down unnecessary ports, basically anything in the realm of securing the box minus physically locking it to the house :)
  • jabirali
    jabirali Posts: 157
    Aha. First of all, you can enable a stateful firewall with commands like this:

    iptables -P INPUT DROP
    iptables -P FORWARD DROP
    iptables -P OUTPUT ACCEPT
    iptables -A INPUT -i lo -j ACCEPT
    iptables -A INPUT -m state --state INVALID -j DROP
    iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    iptables -A INPUT -p icmp -m icmp --icmp-type 8 -m state --state NEW -j ACCEPT

    iptables is a firewall framework included in the Linux kernel. The setup is inspired by the book Linux Security Cookbook. Note that all of these commands should be run with root privileges; e.g. if you run them in a terminal, prepend each command with sudo.

    The first three commands change the default policy for incoming and forwarded packets to DROP, and make sure the default output policy is ACCEPT. The fourth command allows all internal traffic on your machine (input from a loop device). The next two commands make sure that the only packets allowed to enter your system are responses to connections that your machine initiated. The last one makes sure that the previous rules don't interfere with ICMP echo. Basically, this setup makes sure that nothing is allowed in unless you request it. Note that I believe the setup might block e.g. Skype from functioning properly, at least it did a couple of years ago.

    If you like the setup, you can open the file /etc/rc.local as root and append the above iptables commands there, to execute them automatically at boot:

    sudo gedit /etc/rc.local

    Alternatively, you can instead export the settings to an iptables ruleset and load that ruleset at boot, as explained on the Debian wiki.

    When it comes to whole-disk encryption, I run it on my netbook using dm-crypt. It works fine, but there is a noticeable increase in CPU usage during heavy disk activity. I still think it's worth it when it comes to security though; it takes around 10 min for a knowledgeable person to access your private files using a live USB or live CD. Note that full disk encryption requires a reinstall, and if your distribution doesn't offer hard disk encryption during installation, it can be a bit of a hassle to set up manually - and an encrypted swap partition may interfere with suspend to disk. If I were you, I would spend at least 1-2 months getting used to Linux before attempting a reinstall on an encrypted medium.

    If you're a fan of encryption in general, Mozilla Thunderbird with the Enigmail extension works fine for sending/receiving GPG encrypted mail. When you have some extra time on your hands, you might also want to check out Privoxy (a local proxy server filtering ads, scripts, etc out of HTTP traffic) and Tor (anonymization through onion routing).
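
Added example, not part of the thread or of any poster's setup: a small check that an exported ruleset (the `iptables-save` format used when loading rules at boot) still has the default-deny posture the seven iptables commands in the post above create. The function names and both sample dumps are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): audit an iptables-save dump for the
# default-deny posture that the seven commands above create.

# Constructed sample: filter table as iptables-save prints it after those commands.
sample_locked() {
cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -m state --state NEW -j ACCEPT
COMMIT
EOF
}

# Constructed sample: an unconfigured machine, every chain accepts.
sample_open() {
cat <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
EOF
}

# Reads a dump on stdin, prints one finding per line, returns 0 only when clean.
audit_ruleset() {
    awk '
        /^\*/ { table = substr($1, 2) }      # "*filter", "*nat", ...
        table != "filter" { next }           # other tables have their own INPUT chain
        /^:INPUT /   { inp = $2 }
        /^:FORWARD / { fwd = $2 }
        /^-A INPUT / && /-i lo / && /-j ACCEPT/    { lo = 1 }
        /^-A INPUT / && /ESTABLISHED/ && /-j ACCEPT/ { est = 1 }
        /^-A INPUT -j ACCEPT/ { wide = 1 }   # no match criteria: lets everything in
        END {
            if (inp != "DROP") { print "INPUT policy: " inp " (want DROP)"; bad++ }
            if (fwd != "DROP") { print "FORWARD policy: " fwd " (want DROP)"; bad++ }
            if (!lo)  { print "missing loopback ACCEPT"; bad++ }
            if (!est) { print "missing RELATED,ESTABLISHED ACCEPT"; bad++ }
            if (wide) { print "unconditional INPUT ACCEPT present"; bad++ }
            exit (bad > 0)
        }'
}
```

On a running machine the same check is `sudo iptables-save | audit_ruleset`; a non-zero exit status means at least one finding was printed.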

