Welcome to the Linux Foundation Forum!
Security Help? Linux-Debian-Gnome-i386.iso
Doumiwia
Posts: 5
I just installed Linux-Debian-Gnome-i386.iso on an old Windows XP desktop. Its my first Linux experience and among other things I'd like to lock it down. I'm not sure at this point what I'm going to do with it, I might throw backtrack on a partition and use that... but who knows. Regardless I am not sure how to lock down anything Linux. Tips, Advice, Warnings, all is accepted thanks for the help!
0
Comments
-
In what way do you want to "lock it down"? Note that by default, only the system administrator (the user root) can modify system-wide settings, install programs or in any way damage the system itself. The UNIX permission system ensures that even if someone designs a virus that targets Linux (I so far don't know of any), they (1) have to set the virus file executable after transferring it to your system, and (2) won't have the permissions to do any system-wide damage.
If Linux Mint follows the same defaults as Ubuntu, the root user is disabled by default, but commands can be invoked with administrator privileges using the command sudo. Only users in a group named admin or wheel can gain administrative privileges using sudo (the exact name of this group depends on the distribution, e.g. in Arch and Gentoo it's wheel, in Ubuntu it's admin). The first user you create will be put in this group - and is able to invoke sudo using his own password.
If Mint follows the default model of Debian, I believe the root user will be enabled by default, and given a password. You should in that case be able to either gain root privileges using the command su (switch user) or sudo, but in this case with the password of the root user.
Both models are viable, and the default is usually good enough. The exact mechanism used to gain root privileges can be customized though, no matter which distribution you use. Note that if the root user is enabled, you should never log in graphically as this user, since it is considered dangerous and unwise. You should also take care when running commands as root in a terminal, as the root user is omnipotent; he can remove important system files with no warning issued, and has direct read/write access to all hardware devices. With great power, comes great responsibility :-)0 -
I'm not sure. I was thinking about possibly whole disk encryption in case the box was ever stolen. Its not really something I'm concerned with but I want to practice some theoretical situations. Also standard file encryption. Shutting down unnecessary ports, basically anything in the realm of securing the box minus physically locking it to the house0
-
Aha. First of all, you can enable a stateful firewall with commands like this:
iptables -P INPUT DROP iptables -P FORWARD DROP iptables -P OUTPUT ACCEPT iptables -A INPUT -i lo -j ACCEPT iptables -A INPUT -m state --state INVALID -j DROP iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT iptables -A INPUT -p icmp -m icmp --icmp-type 8 -m state --state NEW -j ACCEPT
iptables is a firewall framework included in the Linux kernel. The setup is inspired by the book Linux Security Cookbook. Note that all of these commands should be run with root privileges; e.g. if you run them in a terminal, prepend each command with sudo.
The first three commands changes the default policy for incoming and forwarded packets to DROP, and makes sure the default output policy is ACCEPT. The fourth command allows all internal traffic on your machine (input from a loop device). The next two commands make sure that the only packets allowed to enter your systems, are responses to connections that your machine initiated. The last one makes sure that the previous rules doesn't interfere with ICMP echo. Basically, this setup makes sure that nothing is allowed in unless you request it. Note that I believe the setup might block e.g. Skype from functioning properly, at least it did a couple of years ago.
If you like the setup, you can open the file /etc/rc.local as root and append the above iptables commands there, to execute them automatically at boot:sudo gedit /etc/rc.local
Alternatively, you can instead export the settings to an iptables ruleset and load that ruleset at boot, as explained on the Debian wiki.
When it comes to whole-disk encryption, I run it on my netbook using dm-crypt. It works fine, but there is a noticeable increase in CPU usage during heavy disk activity. I still think it's worth it when it comes to security though, it takes around 10 min for a knowledgeable person to access your private files using a live usb or livecd. Note that full disk encryption requires a reinstall, and if your distribution doesn't offer harddisk encryption during installation, it can be a bit of a hassle to setup manually - and an encrypted swap partition may interfere with suspend to disk. If I were you, I would spend at least 1-2 months getting used to Linux before attempting a reinstall on an encrypted medium.
If you're a fan of encryption in general, Mozilla Thunderbird with the Enigmail extension works fine for sending/receiving GPG encrypted mail. When you have some extra time on your hands, you might also want to check out Privoxy (a local proxy server filtering ads, scripts, etc out of HTTP traffic) and Tor (anonymization through onion routing).0
Categories
- All Categories
- 227 LFX Mentorship
- 227 LFX Mentorship: Linux Kernel
- 806 Linux Foundation IT Professional Programs
- 361 Cloud Engineer IT Professional Program
- 182 Advanced Cloud Engineer IT Professional Program
- 82 DevOps Engineer IT Professional Program
- 150 Cloud Native Developer IT Professional Program
- 138 Express Training Courses & Microlearning
- 138 Express Courses - Discussion Forum
- Microlearning - Discussion Forum
- 6.3K Training Courses
- 48 LFC110 Class Forum - Discontinued
- 71 LFC131 Class Forum
- 44 LFD102 Class Forum
- 228 LFD103 Class Forum
- 19 LFD110 Class Forum
- 41 LFD121 Class Forum
- 18 LFD133 Class Forum
- 8 LFD134 Class Forum
- 18 LFD137 Class Forum
- 71 LFD201 Class Forum
- 5 LFD210 Class Forum
- 5 LFD210-CN Class Forum
- 2 LFD213 Class Forum - Discontinued
- 128 LFD232 Class Forum - Discontinued
- 2 LFD233 Class Forum
- 4 LFD237 Class Forum
- 24 LFD254 Class Forum
- 700 LFD259 Class Forum
- 111 LFD272 Class Forum - Discontinued
- 4 LFD272-JP クラス フォーラム
- 12 LFD273 Class Forum
- 172 LFS101 Class Forum
- 1 LFS111 Class Forum
- 3 LFS112 Class Forum
- 3 LFS116 Class Forum
- 7 LFS118 Class Forum
- LFS120 Class Forum
- 9 LFS142 Class Forum
- 8 LFS144 Class Forum
- 4 LFS145 Class Forum
- 3 LFS146 Class Forum
- 2 LFS148 Class Forum
- 14 LFS151 Class Forum
- 4 LFS157 Class Forum
- 42 LFS158 Class Forum
- 10 LFS162 Class Forum
- 2 LFS166 Class Forum
- 4 LFS167 Class Forum
- 3 LFS170 Class Forum
- 2 LFS171 Class Forum
- 3 LFS178 Class Forum
- 3 LFS180 Class Forum
- 2 LFS182 Class Forum
- 5 LFS183 Class Forum
- 32 LFS200 Class Forum
- 737 LFS201 Class Forum - Discontinued
- 3 LFS201-JP クラス フォーラム - Discontinued
- 19 LFS203 Class Forum
- 135 LFS207 Class Forum
- 2 LFS207-DE-Klassenforum
- 1 LFS207-JP クラス フォーラム
- 302 LFS211 Class Forum
- 56 LFS216 Class Forum
- 52 LFS241 Class Forum
- 48 LFS242 Class Forum
- 38 LFS243 Class Forum
- 15 LFS244 Class Forum
- 4 LFS245 Class Forum
- LFS246 Class Forum
- LFS248 Class Forum
- 52 LFS250 Class Forum
- 2 LFS250-JP クラス フォーラム
- 1 LFS251 Class Forum
- 156 LFS253 Class Forum
- 1 LFS254 Class Forum
- 1 LFS255 Class Forum
- 9 LFS256 Class Forum
- 1 LFS257 Class Forum
- 1.3K LFS258 Class Forum
- 10 LFS258-JP クラス フォーラム
- 128 LFS260 Class Forum
- 160 LFS261 Class Forum
- 43 LFS262 Class Forum
- 82 LFS263 Class Forum - Discontinued
- 15 LFS264 Class Forum - Discontinued
- 11 LFS266 Class Forum - Discontinued
- 24 LFS267 Class Forum
- 25 LFS268 Class Forum
- 31 LFS269 Class Forum
- 5 LFS270 Class Forum
- 202 LFS272 Class Forum - Discontinued
- 2 LFS272-JP クラス フォーラム
- 4 LFS147 Class Forum
- 1 LFS274 Class Forum
- 4 LFS281 Class Forum
- 10 LFW111 Class Forum
- 262 LFW211 Class Forum
- 183 LFW212 Class Forum
- 15 SKF100 Class Forum
- 1 SKF200 Class Forum
- 1 SKF201 Class Forum
- 797 Hardware
- 199 Drivers
- 68 I/O Devices
- 37 Monitors
- 104 Multimedia
- 174 Networking
- 91 Printers & Scanners
- 85 Storage
- 758 Linux Distributions
- 82 Debian
- 67 Fedora
- 17 Linux Mint
- 13 Mageia
- 23 openSUSE
- 148 Red Hat Enterprise
- 31 Slackware
- 13 SUSE Enterprise
- 353 Ubuntu
- 469 Linux System Administration
- 39 Cloud Computing
- 71 Command Line/Scripting
- Github systems admin projects
- 94 Linux Security
- 78 Network Management
- 102 System Management
- 47 Web Management
- 64 Mobile Computing
- 18 Android
- 34 Development
- 1.2K New to Linux
- 1K Getting Started with Linux
- 373 Off Topic
- 115 Introductions
- 174 Small Talk
- 23 Study Material
- 806 Programming and Development
- 304 Kernel Development
- 484 Software Development
- 1.8K Software
- 263 Applications
- 183 Command Line
- 3 Compiling/Installing
- 987 Games
- 317 Installation
- 98 All In Program
- 98 All In Forum
Upcoming Training
-
August 20, 2018
Kubernetes Administration (LFS458)
-
August 20, 2018
Linux System Administration (LFS301)
-
August 27, 2018
Open Source Virtualization (LFS462)
-
August 27, 2018
Linux Kernel Debugging and Security (LFD440)