
#1 2011-12-01 01:45:29

aliasbody
Member
From: Portugal
Registered: 2010-12-16
Posts: 157
Website

Security in Arch Linux

Hello Everyone,

I have a question.... I have been searching for information about iptables and Linux Security (mostly Ubuntu and Fedora's Security with AppArmor for example). But there is something I just don't understand... Arch Linux uses "vanilla" software, kernel etc... and to use apparmor, iptables etc... we have to install them manually using pacman..

So my question is : Is there any kind of "native" security when using a simple Arch Linux installation ? (In the kernel for example), Or I just need to install and configure it myself ?

Thanks in Advance,
Luis Da Costa

Offline

#2 2011-12-01 01:54:47

qchapter
Member
Registered: 2009-06-17
Posts: 43

Re: Security in Arch Linux

Short answer:  No.

Slightly longer answer:  One thing that makes a core Arch install more "secure" than some other distributions is there are few services (if any) that have open incoming ports by default.  You only install the services that you need.  That's really the only Arch specific difference, and I guess the same could be said for a minimal debian install.  To answer your question about kernels, there is nothing about Arch's kernel that makes it more secure than any other kernel in any other distro.  If you are going to have open network ports on your machine, I recommend installing and learning how to setup iptables.  It's worth the time.

Offline

#3 2011-12-01 01:59:23

Haptic
Member
Registered: 2009-09-03
Posts: 149

Re: Security in Arch Linux

I'm not sure how up to date the wiki on firewall is, but I suggest you at least take a look.

Offline

#4 2011-12-01 03:53:07

aliasbody
Member
From: Portugal
Registered: 2010-12-16
Posts: 157
Website

Re: Security in Arch Linux

qchapter wrote:

Short answer:  No.

Slightly longer answer:  One thing that makes a core Arch install more "secure" than some other distributions is there are few services (if any) that have open incoming ports by default.  You only install the services that you need.  That's really the only Arch specific difference, and I guess the same could be said for a minimal debian install.  To answer your question about kernels, there is nothing about Arch's kernel that makes it more secure than any other kernel in any other distro.  If you are going to have open network ports on your machine, I recommend installing and learning how to setup iptables.  It's worth the time.

It is maybe not "more secure" without any "tweak", but at least the Linux Kernel propose some basic security right ?

Offline

#5 2011-12-01 04:05:24

/dev/zero
Member
From: Melbourne, Australia
Registered: 2011-10-20
Posts: 1,247

Re: Security in Arch Linux

The question is meaningless without knowing the security requirements.

Offline

#6 2011-12-01 17:51:42

qchapter
Member
Registered: 2009-06-17
Posts: 43

Re: Security in Arch Linux

aliasbody wrote:

...but at least the Linux Kernel propose some basic security right ?

Basic security protecting you from what?  Like /dev/zero said, what are your requirements?

Offline

#7 2011-12-01 21:14:25

aliasbody
Member
From: Portugal
Registered: 2010-12-16
Posts: 157
Website

Re: Security in Arch Linux

When I was talking about "basic security", I was talking about something that protects user from external attacks (mostly from a Network) apart of the "root" protection (that denies access to some important stuff in the system without the right permissions).

For example, is there any open port on the system ? Or those ports only open when necessary without any permissions because there is no firewall ?

If you don't understand something just tell me, I have difficulties translating my ideas in english.

Thanks in Advance

Offline

#8 2011-12-01 23:15:24

eldragon
Member
From: Buenos Aires
Registered: 2008-11-18
Posts: 1,029

Re: Security in Arch Linux

external attacks = attacks directed to open ports.

in essence, in a fresh arch install, your system is your firewall.

but for a less obnoxious answer:

there is no standard firewall installed by default.

i dropped a feature request for netcfg in the flyspray about defining network locations to define certain iptables rules by default, but i don't know if it will ever be implemented.

Offline
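To check which ports a fresh install actually has open, as discussed in the posts above, the kernel's own socket table can be read directly. This is an added example, not code from any poster: it parses the `/proc/net/tcp` layout, keeps sockets in the LISTEN state, and separates loopback-only listeners from ones reachable from the network. It assumes IPv4 on a little-endian host (`/proc/net/tcp6` is not covered), and the sample table is constructed.

```python
import ipaddress
import socket
import struct

LISTEN = "0A"  # TCP_LISTEN state code as printed in /proc/net/tcp

# Constructed sample in /proc/net/tcp layout (not captured from a real host).
SAMPLE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 11111 1 0 100 0 0 10 0
   1: 0100007F:0277 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 22222 1 0 100 0 0 10 0
   2: 0A01A8C0:0016 0501A8C0:C350 01 00000000:00000000 02:000A0000 00000000     0        0 33333 2 0 20 4 30 10 -1
"""


def decode_addr(field):
    """Turn 'HHHHHHHH:PPPP' into (ip, port); the IPv4 word is little-endian here."""
    hex_ip, hex_port = field.split(":")
    ip = socket.inet_ntoa(struct.pack("<I", int(hex_ip, 16)))
    return ipaddress.ip_address(ip), int(hex_port, 16)


def listening_sockets(text):
    """Return (ip, port, exposed) for every LISTEN socket, sorted by port."""
    result = []
    for line in text.splitlines()[1:]:          # skip the header row
        cols = line.split()
        if len(cols) < 4 or cols[3] != LISTEN:  # ignore established etc.
            continue
        ip, port = decode_addr(cols[1])
        # 0.0.0.0 or a LAN address accepts remote connections; 127.x does not.
        result.append((str(ip), port, not ip.is_loopback))
    return sorted(result, key=lambda r: r[1])


def exposed_ports(text):
    """Ports a remote host could connect to if no firewall rule blocks them."""
    return [port for _, port, exposed in listening_sockets(text) if exposed]


if __name__ == "__main__":
    try:
        with open("/proc/net/tcp") as fh:
            data = fh.read()
    except OSError:
        data = SAMPLE  # fall back to the constructed table off-Linux
    for ip, port, exposed in listening_sockets(data):
        print(f"{ip}:{port} {'reachable from the network' if exposed else 'loopback only'}")
```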

#9 2011-12-01 23:28:16

/dev/zero
Member
From: Melbourne, Australia
Registered: 2011-10-20
Posts: 1,247

Re: Security in Arch Linux

aliasbody wrote:

When I was talking about "basic security", I was talking about something that protects user from external attacks (mostly from a Network) apart of the "root" protection (that denies access to some important stuff in the system without the right permissions).

Unix-like systems are intrinsically secure until you expose them in some way, eg by giving someone else physical access to your computer, or opening ports to some network.

A server that hosts webmail/imap, ssh, and a blog, from inside an otherwise secure facility, requires quite different security measures to a laptop that you carry around everywhere. The server probably doesn't need LUKS encryption, and the laptop probably doesn't need a firewall.

This is why I said we need to know your security requirements.

Last edited by /dev/zero (2011-12-01 23:30:07)

Offline

#10 2011-12-02 14:10:35

aliasbody
Member
From: Portugal
Registered: 2010-12-16
Posts: 157
Website

Re: Security in Arch Linux

Thanks for the answers, I think I understand now :D

Offline

#11 2011-12-03 22:00:53

clovenhoof
Member
From: Bulgaria
Registered: 2010-09-16
Posts: 82

Re: Security in Arch Linux

Why I need firewall on server if it is behind a router?

Offline

#12 2011-12-03 23:32:22

Awebb
Member
Registered: 2010-05-06
Posts: 6,293

Re: Security in Arch Linux

Maybe if we stopped calling it "firewall", stopped talking about "security" and started to refer to the whole thing as "network package black/whitelisting", this kind of "confusion" would cease.

Offline

#13 2011-12-04 01:05:15

R00KIE
Forum Fellow
From: Between a computer and a chair
Registered: 2008-09-14
Posts: 4,734

Re: Security in Arch Linux

clovenhoof wrote:

Why I need firewall on server if it is behind a router?

If you mean home routers one good reason is that you don't know how many security holes they have, some which might be remotely exploitable and used to try and compromise the local network.


R00KIE
Tm90aGluZyB0byBzZWUgaGVyZSwgbW92ZSBhbG9uZy4K

Offline

#14 2011-12-04 01:06:24

aliasbody
Member
From: Portugal
Registered: 2010-12-16
Posts: 157
Website

Re: Security in Arch Linux

R00KIE wrote:
clovenhoof wrote:

Why I need firewall on server if it is behind a router?

If you mean home routers one good reason is that you don't know how many security holes they have, some which might be remotely exploitable and used to try and compromise the local network.

Didn't kind about that either :S

Offline

#15 2011-12-04 01:23:11

.:B:.
Forum Fellow
Registered: 2006-11-26
Posts: 5,819
Website

Re: Security in Arch Linux

Most routers run some form of Linux (or VxWorks). If you're in luck, you might be able to replace the firmware of your router with e.g. OpenWrt.

That is, of course, if you are really serious about security. Your router is your first line of defense. If you're really paranoid, you'll be setting up some box with PfSense soon enough.


Got Leenucks? :: Arch: Power in simplicity :: Get Counted! Registered Linux User #392717 :: Blog thingy

Offline

#16 2011-12-04 09:35:27

Awebb
Member
Registered: 2010-05-06
Posts: 6,293

Re: Security in Arch Linux

.:B:. wrote:

you'll be setting up some box with PfSense soon enough.

It seems I'll need to have a closer look at FreeBSD, I used to be an IPCop zealot (until one minute ago), but PfSense looks interesting enough to take away an afternoon of my time. First FreeNAS and now this…

Offline

#17 2011-12-04 11:25:49

R00KIE
Forum Fellow
From: Between a computer and a chair
Registered: 2008-09-14
Posts: 4,734

Re: Security in Arch Linux

aliasbody wrote:
R00KIE wrote:
clovenhoof wrote:

Why I need firewall on server if it is behind a router?

If you mean home routers one good reason is that you don't know how many security holes they have, some which might be remotely exploitable and used to try and compromise the local network.

Didn't kind about that either :S

If you poke hard enough, you can find a whole range of problems, it's like going to the zoo and see all the different animals. Stuff I've seen, and I haven't seen much, includes (and these are unmodified original firmwares from well known brands):

- port redirection from incoming connections (nat) to the router itself, where a service is listening

- router accepting connections to a range of ports, examples include tcp 1863:1864, 4443, 5190, 5566, 40000:40099, this may be intended to make some things work better but I still find it dubious since I've disabled all helpers and services I could and these get reinserted into iptables every time the router renews the external IP (router with adsl modem)

- services that keep running, accepting connections and prompting for username and password after being disabled via web interface, namely tr-069, which from my limited knowledge of the subject, seems to point that it can be used to remotely manage the device

- services accessible from the wan side without the user explicitly knowing it, not sure what it is but accepts connections on port 25

- hidden default username/password combinations which cannot be deleted/removed/disabled, but at least login is not allowed from the wan side.

So yeah, I really don't trust home routers that much. Like .:B:. says, if you are lucky enough to own a router that can have its firmware replaced by one of the alternative firmwares you may be better off doing it if you feel brave enough.


R00KIE
Tm90aGluZyB0byBzZWUgaGVyZSwgbW92ZSBhbG9uZy4K

Offline
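One way to catch the behaviour described in the post above, where accept rules reappear after the router renews its external IP, is to compare two `iptables-save` snapshots. This is an added example, not code from the poster: it assumes you can obtain `iptables-save` output from the device, and both snapshots below are constructed, reusing port numbers quoted in the post.

```python
import re

# Constructed snapshot taken after locking the device down.
BASELINE = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT
"""

# Constructed snapshot taken after an IP renewal: two rules have come back.
AFTER_RENEW = BASELINE.replace(
    "COMMIT",
    "-A INPUT -p tcp -m tcp --dport 1863:1864 -j ACCEPT\n"
    "-A INPUT -p tcp -m multiport --dports 4443,40000:40099 -j ACCEPT\n"
    "COMMIT",
)

# Matches appended ACCEPT rules that name a protocol and destination port(s).
RULE = re.compile(r"^-A (\S+) .*?-p (\S+) .*?--dports? (\S+) .*-j ACCEPT\b")


def accepted_ports(snapshot):
    """Return {(chain, proto, low, high)} for every port-based ACCEPT rule."""
    found = set()
    for line in snapshot.splitlines():
        m = RULE.match(line.strip())
        if not m:
            continue
        chain, proto, spec = m.groups()
        for part in spec.split(","):       # multiport lists: 4443,40000:40099
            lo, _, hi = part.partition(":")  # ranges are written low:high
            found.add((chain, proto, int(lo), int(hi or lo)))
    return found


def reinserted(baseline, current):
    """ACCEPT rules present now that were absent from the trusted baseline."""
    return sorted(accepted_ports(current) - accepted_ports(baseline))


if __name__ == "__main__":
    for chain, proto, lo, hi in reinserted(BASELINE, AFTER_RENEW):
        ports = str(lo) if lo == hi else f"{lo}-{hi}"
        print(f"unexpected ACCEPT in {chain}: {proto} {ports}")
```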

#18 2011-12-04 15:09:07

lifeafter2am
Member
From: 127.0.0.1
Registered: 2009-06-10
Posts: 1,332

Re: Security in Arch Linux

.:B:. wrote:

Most routers run some form of Linux (or VxWorks). If you're in luck, you might be able to replace the firmware of your router with e.g. OpenWrt.

That is, of course, if you are really serious about security. Your router is your first line of defense. If you're really paranoid, you'll be setting up some box with PfSense soon enough.

http://store.netgate.com/-P218.aspx

I have a few of these; including one on my home network.  I am a huge fan of pfsense; great software!  :)


#binarii @ irc.binarii.net
Matrix Server: https://matrix.binarii.net
-------------
Allan -> ArchBang is not supported because it is stupid.

Offline

#19 2011-12-04 15:40:40

clovenhoof
Member
From: Bulgaria
Registered: 2010-09-16
Posts: 82

Re: Security in Arch Linux

Yes I meant home router.
My point was that all these security things can be applied to the router host, then all your LAN will be relatively safe.
Easy way is to use dd-wrt (may be openwrt, too), hard way - manually configure with iptables on the router.

Personally, I use "easy way".

Offline
