#1 2023-05-12 19:16:11

iskander9908
Member
Registered: 2022-10-30
Posts: 26

Security recommendations

Hello everyone!

Arch is my desktop OS. It works well, but I suck at computer security. So I'm not sure if it's safe. Can you help me? Here is a list of recommendations I followed:

  • entire system encryption (unfortunately with luks1 and enabled TRIM)

  • sudo usage instead of su

  • apparmor (default profiles with audit framework) for MAC

  • installed ufw with basic configuration and disabled remote ping.

Is it a safe configuration or do I need to do something else?

Offline

#2 2023-05-13 02:57:42

lfitzgerald
Member
Registered: 2021-07-16
Posts: 162

Re: Security recommendations

Why didn't you use luks2? It's a lot better.

As for if it's safe... What sort of an answer are you expecting? You need to say what your threat model is.

Offline

#3 2023-05-13 08:07:13

tucuxi
Member
From: Switzerland
Registered: 2020-03-08
Posts: 291

Re: Security recommendations

On desktop systems, the level of security is largely determined by the user's behavior rather than system configuration. People still set their password to 123456, click on links in phishing mails, and type bank account details into fraudulent sites, for example.

Offline

#4 2023-05-13 08:23:28

Awebb
Member
Registered: 2010-05-06
Posts: 6,272

Re: Security recommendations

Backups. Make sure you have backups of your user data in a way that will prevent, say, a script from deleting or encrypting all your user data in a ransom attack.

Offline

#5 2023-05-13 13:31:31

iskander9908
Member
Registered: 2022-10-30
Posts: 26

Re: Security recommendations

lfitzgerald wrote:

Why didn't you use luks2? It's a lot better.

Sure, but grub has limited luks2 support. That's why I use luks1.

lfitzgerald wrote:

You need to say what your threat model is.

I use entire system encryption against physical recovery, snapper for backups, non-privileged sudo user for daily use, AppArmor as a Mandatory Access Control system (only default profiles), ufw (rules were described in previous post), clamav and rkhunter for detecting trojans, viruses, malware & other malicious threats, BIOS password for physical security (unfortunately USBGuard doesn't identify my devices properly). Also I regularly upgrade the system to keep it safe.

Last edited by iskander9908 (2023-05-13 13:32:40)

Offline

#6 2023-05-13 14:15:21

iskander9908
Member
Registered: 2022-10-30
Posts: 26

Re: Security recommendations

In most cases, I used the default configurations, because at this time my understanding of security is very limited.

Last edited by iskander9908 (2023-05-15 11:26:32)

Offline

#7 2023-05-26 09:30:31

iskander9908
Member
Registered: 2022-10-30
Posts: 26

Re: Security recommendations

Guys, I'm a former Ubuntu user, please help me.

Offline

#8 2023-05-26 10:28:56

Lone_Wolf
Member
From: Netherlands, Europe
Registered: 2005-10-04
Posts: 11,866

Re: Security recommendations

Sure, but grub has limited luks2 support. That's why I use luks1.

Grub is far from the only bootloader in existence, use another.


I use entire system encryption against physical recovery,

You mentioned security measures you use, but not what threats they are supposed to protect against.

For example: why do you feel you need Mandatory Access Control?


Disliking systemd intensely, but not satisfied with alternatives so focusing on taming systemd.


(A works at time B)  && (time C > time B ) ≠  (A works at time C)

Offline

#9 2023-05-26 11:16:59

jl2
Member
From: 47° 18' N 8° 34' E
Registered: 2022-06-01
Posts: 251
Website

Re: Security recommendations

I use entire system encryption against physical recovery

do you think somebody will gain physical access? Is anything important/interesting for thieves on your machine?

BIOS password for physical security (unfortunately USBGuard doesn't identify my devices properly).

don't you already have a boot password above?

ufw (rules were described in previous post)

This is only useful if others have access to your local network or/and your router doesn't have a firewall.

clamav and rkhunter for detecting trojans, viruses, malware & other malicious threats

1. you're running linux, bro. way less viruses than windows.
2. backups in case you still get a virus.

snapper for backups, non-privileged sudo user for daily uses. Also I regularly upgrade the system to keep it safe.

I'd keep this for a laptop/PC.


Why I run Arch? To "BTW I run Arch" the guy one grade younger.
And to let my siblings and cousins laugh at Arsch Linux...

Offline

#10 2023-05-26 12:21:42

espritlibre
Member
Registered: 2022-12-15
Posts: 126

Re: Security recommendations

tucuxi wrote:

On desktop systems, the level of security is largely determined by the user's behavior ... .

this...

Lone_Wolf wrote:

You mentioned security measures you use, but not what threats they are supposed to protect against.

... and this

if you leave your notebook unattended at places e.g. hotel rooms, work,... i'd set up secure boot with own keys for peace of mind.
other than that... use your brain while browsing through the internet, use secure passwords, don't fall for phishing links, use software from the official repos; if you use the AUR, check the PKGBUILD and sources, keep your system up-to-date and minimal,...

even though we are here on a linux board... if you want security out of the box use windows 11 in s-mode (modern mitigations against ROP/JOP chains)

EDIT:
you can also install linux-hardened and have a look at hardened_malloc (AUR)

EDIT 2:
use Wayland (set environment variables accordingly)

Last edited by espritlibre (2023-05-26 12:41:57)

Offline

#11 2023-05-31 19:14:13

iskander9908
Member
Registered: 2022-10-30
Posts: 26

Re: Security recommendations

Lone_Wolf wrote:

Grub is far from the only bootloader in existence, use another.

I chose this example of layout, because it's the only one with btrfs.

Lone_Wolf wrote:

You mentioned security measures you use, but not what threats they are supposed to protect against.

For example: why do you feel you need Mandatory Access Control?

You are right, seems like DAC is more suitable for me. However, the rest of the measures are necessary, such as encryption (guards data against physical recovery), firewall (network security), antivirus (malware detection) and snapper (backups). Since I'm inexperienced, I'm not sure if these measures are enough?
P.S. I would appreciate it if you could recommend some literature about computer security.

Last edited by iskander9908 (2023-05-31 19:16:06)

Offline

#12 2023-06-04 17:43:35

jl2
Member
From: 47° 18' N 8° 34' E
Registered: 2022-06-01
Posts: 251
Website

Re: Security recommendations

You still haven't told us what you want to protect your system from.
what system is it? (laptop/pc/server?)
for example if you have a laptop, you will definitely want to have external backups and encryption.
encrypted /boot is equivalent to secure boot+unified kernel images, and it supports luks2.
PS: I recommend https://wiki.archlinux.org/title/Security


Why I run Arch? To "BTW I run Arch" the guy one grade younger.
And to let my siblings and cousins laugh at Arsch Linux...

Offline
