How to achieve maximum possible security under Linux?
I am paranoid about security. I had some discussions on the web about this topic. Some people told me to use BSD because they think it's more secure. I tested GhostBSD but unfortunately my bluetooth is not supported.
Lots of people kept saying "it depends on the user". I am tired of listening to that sentence.
I tried to install qubes os but unfortunately my hardware is not supported.
To keep my Linux distro secure I do 3 things:
1) I have enabled ufw
2) I run network facing apps like Firefox, Hexchat, Brave inside a firejail sandbox.
3) I install updates as soon as they are offered.
Frankly I don't know what else to do.
What do you think? Is there any other step I should take?
Quote:
Originally Posted by hifi100
I am paranoid about security. I had some discussions on the web about this topic. Some people told me to use BSD because they think it's more secure. I tested GhostBSD but unfortunately my bluetooth is not supported.
So bluetooth is more important than your security?
Quote:
Originally Posted by hifi100
I tried to install qubes os but unfortunately my hardware is not supported.
Installing software is not enough; you need to configure and maintain it continuously.
Quote:
Originally Posted by hifi100
To keep my Linux distro secure I do 3 things:
1) I have enabled ufw
2) I run network facing apps like Firefox, Hexchat, Brave inside a firejail sandbox.
3) I install updates as soon as they are offered.
Why don't you install a scanner (like clamav - if you are paranoid)?
Quote:
Originally Posted by hifi100
Lots of people kept saying "it depends on the user". I am tired of listening to that sentence.
In that case you are lost. How do you think it can be accomplished? The admin should maintain the system, apply [vulnerability] patches, configure daemons and services, follow the news...
If you won't do that your system will not be secure.
Quote:
Originally Posted by hifi100
Frankly I don't know what else to do.
What do you think? Is there any other step I should take?
Remove/disable all the services you do not need.
If you are really paranoid, just disconnect it from the net.
If you are concerned about security, maybe install maldet / antivirus / a small footprint distro like Arch / a hardened kernel / Suricata in IPS mode. That's what comes to my mind.
So bluetooth is more important than your security?
Installing software is not enough; you need to configure and maintain it continuously.
Why don't you install a scanner (like clamav - if you are paranoid)?
In that case you are lost. How do you think it can be accomplished? The admin should maintain the system, apply [vulnerability] patches, configure daemons and services, follow the news...
If you won't do that your system will not be secure.
Remove/disable all the services you do not need.
No, bluetooth is not more important than security, but the thing is I watch movies using my desktop and I use bluetooth headphones for that. I simply can't avoid using bluetooth.
I install updates as soon as they are released.
I read that clamav scans for Windows viruses. I use only Linux. I don't have a single Windows PC at home. So I didn't install clamav.
I don't have any services enabled. No ssh, nothing. All ports are closed. I have tested with nmap.
Quote:
Originally Posted by ondoho
Do your research until you understand how ridiculous that statement is.
Thanks for that. I didn't know that bluetooth is such a security mess. What if I only use bluetooth when I need to use my headphones and physically remove the USB bluetooth dongle when I don't need bluetooth connectivity? Is that a sensible idea?
Edit: I found that I can disable bluetooth (please see attachment). Will this improve security?
Quote:
Originally Posted by hifi100
I found that I can disable bluetooth (please see attachment). Will this improve security?
Yes, to some extent. Frankly, I have not researched if disabled bluetooth devices are still potentially reachable from the outside. But then, I'm not "paranoid about security".
My logic tells me that a disabled bluetooth receiver is a smaller security risk than an enabled one, and that a hard disabled bluetooth receiver is a smaller security risk than a soft disabled one.
I use the military model. The only machine I need fully secure is in a locked room, on filtered power, with no network, and a guard on the door. Actually I skip one step, if it was really military there would be someone monitoring that guard remotely. I am not that paranoid.
Anything less than that is a compromise. I am not the one who can tell you what you are using your machine for, what data you should or should not have on that machine, or what connections you should allow or accept to that machine to use or protect that data. When I DO that kind of thing, I start with a lot of business, procedure, threat, and operational data before I even make a suggestion, and I get paid. A LOT!
What kind of data do you have that you consider at risk? How do you use your machine in a way that might open that data to unauthorized access? What is the real level of risk, and how can you adjust to reduce that risk?
Don't answer those questions for ME, consider them yourself. You need to decide what your level of real risk is and how much inconvenience you are willing to live with to control that risk. And THAT is why you keep getting that advice you so hate. It is the shortest way to say the real best answer.
I think you have two options. The isolated crypto room: special hardware inside a special room. Have no device enter or leave. No connection except filtered power.
You limit the server to the very minimum needed to do tasks. From zero extra installed programs to zero services to the users with the most minimum permissions.
"Security is a process." Exactly what "threat vectors" are you attempting to guard against in your present situation? Start from there.
Of course ... I presume that "your regular user account" is not "an Administrator" ... that is to say, a member of the wheel group. Of course. Of course it isn't ...? Which means that "rogue software," operating in your name but without your knowledge or consent, could not permanently damage your system, no matter how hard it tried?
Last edited by sundialsvcs; 04-27-2021 at 05:45 PM.
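Several of the replies above come down to three checks: nothing listening on the network (hifi100's nmap test), the bluetooth adapter blocked when not in use (the rfkill question), and the everyday account not being in wheel (sundialsvcs' point). The script below is an added example, not code from the thread; it assumes an iproute2/systemd-style system with `ss`, `id` and `rfkill` available, and the file name audit.sh is made up.

```shell
#!/bin/sh
# Added example, not code from the thread: the three checks turned into
# functions that read text (so they can be tested on constructed input) and a
# "--live" mode that feeds them real output from ss, id and rfkill.
set -e

# Print listeners bound to something other than loopback.
# Input format: `ss -tulnH` (Netid State Recv-Q Send-Q Local:Port Peer:Port).
exposed_listeners() {
    awk '{
        addr = $5
        sub(/:[^:]*$/, "", addr)          # drop the port, keep the address
        # 127.x (including 127.0.0.53%lo) and [::1] are only reachable locally
        if (addr !~ /^127\./ && addr != "[::1]" && addr != "::1")
            print $1, $5
    }'
}

# Succeed if a group list in the format of `id -Gn` contains an admin group.
has_admin_group() {
    tr ' ' '\n' | grep -qxE 'wheel|sudo|admin'
}

# Succeed if `rfkill list bluetooth` output shows the adapter blocked.
bluetooth_blocked() {
    grep -qE '^[[:space:]]*(Soft|Hard) blocked: yes'
}

# Run the checks on the local machine: ./audit.sh --live
if [ "${1:-}" = "--live" ]; then
    echo "== listeners reachable from the network (empty is good) =="
    ss -tulnH | exposed_listeners
    if id -Gn | has_admin_group; then
        echo "== $(id -un) is in an admin group; use a plain account for daily work =="
    fi
    if command -v rfkill >/dev/null 2>&1 && ! rfkill list bluetooth | bluetooth_blocked; then
        echo "== bluetooth adapter is not blocked; try: rfkill block bluetooth =="
    fi
fi
```

The listener check only covers what the host itself binds; it complements rather than replaces an nmap scan from a second machine, which also catches anything ufw lets through.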
There are several distributions that allow (and two that enforce) operation of all software in containers. It is horribly inefficient on space, and slightly less fast, but anyone using an application vector to attack finds themselves locked within a container that only exists until the application (and its container) close.
That only helps slightly if you bypass the protections and fire up a browser at host level and go to an insecure or compromised site. I still think it an option that someone with REASON to be paranoid should explore.