securitybreach Posted August 20, 2014

All of this is relevant to other distros besides the installation part:

Concepts

It is possible to tighten the security so much as to make your system unusable. The trick is to secure it without overdoing it.

There are many other things that can be done to heighten the security, but the biggest threat is, and will always be, the user himself. When you think security, you have to think layers. When one layer is breached, another should stop the attack. But you can never make the system 100% secure unless you unplug the machine from all networks, lock it in a safe and never use it.

Be a little paranoid. It helps. And be suspicious. If anything sounds too good to be true, it probably is!

The principle of least privilege: each part of a system should only be able to access what is required to use it, and nothing more.....

https://wiki.archlin...ex.php/Security

V.T. Eric Layton Posted August 20, 2014

Good stuff. That Arch Wiki is impressive as always. I sure wish our dream for the Slackware Wiki had turned out just a bit more like it. Sadly, we lack the participation that Arch enjoys.

"But you can never make the system 100% secure unless you unplug the machine from all networks, lock it in a safe and never use it."

Even that depends on the integrity of the safe.

Guest LilBambi Posted August 20, 2014

Arch support is awesome for sure. That is a great page on Security (except as Josh noted, the installation part).

securitybreach Posted August 21, 2014

Also, lynis is a great security auditing suite:

Open source software provides trust by having people look into the code. Adjustments are easily made, providing you with a flexible solution for your business. But can you trust systems and software with your data? Lynis provides you this confidence and helps with auditing your systems. So you can verify yourself and trust!

How it works

Lynis is an open source security auditing tool. Its main goal is to audit and harden Unix and Linux based systems. It scans the system by performing many security control checks. Examples include searching for installed software and determine possible configuration flaws.

Many tests are part of common security guidelines and standards, with on top additional security tests. After the scan a report will be displayed with all discovered findings. To provide you with initial guidance, a link is shared to the related Lynis control.

Example output:

http://rootkit.nl/software/lynis/

Cluttermagnet Posted August 25, 2014

I tried installing from Mint repositories and running. Generated report with score of 52. Not so great, I suppose... It is an interesting read for sure. Need to get better at setting up stuff like basic firewall, clamav, etc. I've gotten complacent. I guess if I really knew what I was doing, I'd be running in a virtualized sandbox. Haven't learned virtualization yet. Only so many hours in a day...

Edited August 25, 2014 by Cluttermagnet

Cluttermagnet Posted August 25, 2014

These are the three areas with warnings for me. I don't really know how to interpret or act on these, however... Maybe take a look at what I've permitted in Synaptic?

  - Searching package managers...
  - Searching dpkg package manager... [ FOUND ]
  - Querying package manager...
  - Query unpurged packages... [ NONE ]
  - Checking security repository in sources.list file... [ WARNING ]
  - Checking vulnerable packages (apt-get only)... [ DONE ]
  - Checking package audit tool... [ NONE ]

  - Checking configured nameservers...
  - Testing nameservers...
    Nameserver: 127.0.1.1... [ OK ]
  - Minimal of 2 responsive nameservers... [ WARNING ]
  - Checking default gateway... [ DONE ]
  - Getting listening ports (TCP/TCP)... [ DONE ]

[+] Kernel Hardening
------------------------------------
  - Comparing sysctl key pairs with scan profile...
    - kernel.core_uses_pid (exp: 1) [ DIFFERENT ]
    - kernel.ctrl-alt-del (exp: 0) [ OK ]
    - kernel.sysrq (exp: 0) [ DIFFERENT ]
    - net.ipv4.conf.all.accept_redirects (exp: 0) [ DIFFERENT ]
    - net.ipv4.conf.all.accept_source_route (exp: 0) [ OK ]
    - net.ipv4.conf.all.bootp_relay (exp: 0) [ OK ]
    - net.ipv4.conf.all.forwarding (exp: 0) [ OK ]
    - net.ipv4.conf.all.log_martians (exp: 1) [ DIFFERENT ]
    - net.ipv4.conf.all.mc_forwarding (exp: 0) [ OK ]
    - net.ipv4.conf.all.proxy_arp (exp: 0) [ OK ]
    - net.ipv4.conf.all.rp_filter (exp: 1) [ OK ]
    - net.ipv4.conf.all.send_redirects (exp: 0) [ DIFFERENT ]
    - net.ipv4.conf.default.accept_redirects (exp: 0) [ DIFFERENT ]
    - net.ipv4.conf.default.accept_source_route (exp: 0) [ DIFFERENT ]
    - net.ipv4.conf.default.log_martians (exp: 1) [ DIFFERENT ]
    - net.ipv4.icmp_echo_ignore_broadcasts (exp: 1) [ OK ]
    - net.ipv4.icmp_ignore_bogus_error_responses (exp: 1) [ OK ]
    - net.ipv4.tcp_syncookies (exp: 1) [ OK ]
    - net.ipv4.tcp_timestamps (exp: 0) [ DIFFERENT ]
    - net.ipv6.conf.all.accept_redirects (exp: 0) [ DIFFERENT ]
    - net.ipv6.conf.all.accept_source_route (exp: 0) [ OK ]
    - net.ipv6.conf.default.accept_redirects (exp: 0) [ DIFFERENT ]
    - net.ipv6.conf.default.accept_source_route (exp: 0) [ OK ]

[ Press [ENTER] to continue, or [CTRL]+C to stop ]

[+] Hardening
------------------------------------
  - Installed compiler(s)... [ FOUND ]
  - Installed malware scanner... [ NOT FOUND ]
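
One way to act on the "Kernel Hardening" rows in the report above, as an added example that is not part of the original posts: extract the keys Lynis marked [ DIFFERENT ] together with the value its scan profile expects, then keep only those that still differ on the running system. The function names, the sample rows (copied from the report) and the file names in the usage comment are assumptions made for illustration.

```bash
#!/bin/sh
# Added example (not from the thread): convert "[ DIFFERENT ]" rows of a Lynis
# sysctl comparison into "key = value" lines suitable for a sysctl.d drop-in.

# Constructed sample: rows copied from the report posted above.
LYNIS_SAMPLE='    - kernel.core_uses_pid (exp: 1) [ DIFFERENT ]
    - kernel.ctrl-alt-del (exp: 0) [ OK ]
    - kernel.sysrq (exp: 0) [ DIFFERENT ]
    - net.ipv4.conf.all.log_martians (exp: 1) [ DIFFERENT ]
    - net.ipv4.conf.all.rp_filter (exp: 1) [ OK ]
    - net.ipv4.tcp_timestamps (exp: 0) [ DIFFERENT ]'

# Read Lynis output on stdin; print one "key = expected" line per DIFFERENT row.
# Key and value are allow-listed because the result is meant for a config file.
lynis_to_sysctl() {
  awk '$1 == "-" && $3 == "(exp:" && /\[ DIFFERENT \][ \t]*$/ {
         key = $2; val = $4; sub(/\)$/, "", val)
         if (key ~ /^[a-z0-9_.-]+$/ && val ~ /^[0-9]+$/) print key " = " val
       }'
}

# Read "key = value" lines on stdin and keep those whose live value under
# $1 (default /proc/sys) is unreadable or differs, so a stale report adds nothing.
still_different() {
  sd_root="${1:-/proc/sys}"
  while read -r sd_key sd_eq sd_want; do
    sd_path="$sd_root/$(printf '%s' "$sd_key" | tr . /)"
    sd_have="$(cat "$sd_path" 2>/dev/null)" || sd_have="unreadable"
    [ "$sd_have" = "$sd_want" ] || printf '%s = %s\n' "$sd_key" "$sd_want"
  done
}

# Usage (hypothetical file names):
#   lynis_to_sysctl < lynis-report.txt | still_different > 99-lynis.conf
#   review the file, then:
#   sudo install -m 0644 99-lynis.conf /etc/sysctl.d/ && sudo sysctl --system
```

The expected values are the defaults of the Lynis scan profile, so read each generated line before installing it; kernel.sysrq = 0, for instance, turns off the magic SysRq key.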

V.T. Eric Layton Posted August 25, 2014

Pretty much all to me.

Guest LilBambi Posted August 25, 2014

"- Testing nameservers... Nameserver: 127.0.1.1..."

Wouldn't it be helpful to also have an outside facing nameserver? Besides, isn't 127.0.1.1 an odd nameserver IP?

Capt.Crow Posted August 25, 2014

Martians in your Kernel ??? Sorry couldn't help it