[SOLVED] Security Arch <-> Ubuntu

equalizer876 · 2018-09-11 10:33:17

Hello,

I used Ubuntu before and am learning Arch right now. So far I installed Arch with disk encryption, GNOME desktop environment, configured sudo, deleted root login, set up nftables and now I wonder what to do next.

There are so many security topics as we can read in
https://wiki.archlinux.org/index.php/Security
https://wiki.archlinux.org/index.php/Category:Security

There I realized Ubuntu uses AppArmor by default which needs to be installed on Arch first. Are there some other default security measures in Ubuntu which have yet to be set up on Arch Linux?

I just use a stand-alone workstation computer, no server.

Last edited by equalizer876 (2018-09-13 09:36:05)

Awebb · 2018-09-11 10:38:12

You should inform yourself about AppArmor and the likes before you simply install it, just because Ubuntu uses it. I am also not convinced, that disallowing root logins (besides ssh) actually increases the security on a desktop.

What do you mean by "set up nftables"? It seems like Ubuntu has a lot of defaults, that should first be understood and only then be implemented.

equalizer876 · 2018-09-11 10:46:41

nftables as a kind of firewall, I followed the guide: https://wiki.archlinux.org/index.php/Nf … and_tricks but did not allow the incoming ports as I don't use a server.
Ubuntu doesn't have a activated firewall by default. There I activated ufw for simpler configuration. What do iptables (ufw provides a simpler interface) and nftables do? In my case deny incoming and allow outgoing ports.

Yes I have yet to read the AppArmor article to fully understand it. My question is just what are the next most efficient steps to increase the security of my computer? I can't apply every possible security measure because of limited time.

Last edited by equalizer876 (2018-09-11 11:02:49)

Awebb · 2018-09-11 11:06:48

Arch does not have any running network services by default. There is no generic next step. If you install something, make sure you read the docs and configure the firewall accordingly.

There is no catch all security checklist. If you run mongodb, make sure it's not exposed to anywhere you don't want it. Many services have their own configuration regarding listening devices.

I'd go as far as saying, that your firewall setting here reduces your ability to learn, what it does and increases the time it takes to manage the system.

First, learn how to see what ports are open and who and where they are talking to. Then, the moment you install new software, see if it opens a port, either by watching it or reading the docs. Then decide whether to apply firewall rules or not.

Second: Update often, as often as it is convenient. Weekly or in case a security problem is known are not bad for starters.

Third: Use the AUR with care. Read the PKGBUILDs and only use an AUR helper, if you really think you know what you're doing.

Fourth: Third party repositories are not under the control of the Arch devs. The same is true for anything Pacman cannot control, like flatpaks.

Fifth: Security automation like AppArmor comes with an increased maintenance cost. In case a package must be patched for or built against AppArmor, assume it's not and you have to do it.

Lone_Wolf · 2018-09-11 11:51:49

Awebb wrote:

I am also not convinced, that disallowing root logins (besides ssh) actually increases the security on a desktop.

There are benefits to that approach, but they require lots of other steps.
Ubuntu doesn't seem to implement the other steps at all*.

* disabling root login while adding user to the wheel group and enabling it with default settings actually decreases security.

equalizer876 · 2018-09-11 13:36:35

Awebb wrote:

First, learn how to see what ports are open and who and where they are talking to. Then, the moment you install new software, see if it opens a port, either by watching it or reading the docs. Then decide whether to apply firewall rules or not.

https://www.archlinux.org/groups/x86_64/gnome/ sets up so many services I don't even know where to start reading each package documentation. Well maybe I could log the connections with Wireshark to see which connections are necessary. So I could deny all outgoing connections and whitelist the necessary ports in nftables?

Well I tought sudo would be safer than root account, https://wiki.archlinux.org/index.php/Sudo
No idea if "Root password" for sudo tasks or "Harden with Sudo Example" would be better.
I added an admin user (wheel group) just to update, install stuff and changing Config-Files. It always asks for password when typing sudo. For other stuff like browsing the web or write documents I use a standard user (not in wheel group). How can that decrease security compared to using Root login for install/update stuff?

Last edited by equalizer876 (2018-09-11 13:41:13)

Trilby · 2018-09-11 13:38:44

equalizer876 wrote:

In my case deny incoming and allow outgoing ports.

If you are not running any server software that listens on any ports, then there is no point in explicitly denying traffic at a firewall.

This is - I believe - AWebb's main point: setting up a firewall, or apparmor, or anything else because you *think* it improves security when you don't really know what those tools do is a bad idea. At best they will serve no purpose - at worst they might even open up new attack surfaces (I couldn't imagine how off the top of my head, but my imagination is finite).

equalizer876 · 2018-09-11 13:46:11

Trilby wrote:

equalizer876 wrote:
In my case deny incoming and allow outgoing ports.
If you are not running any server software that listens on any ports, then there is no point in explicitly denying traffic at a firewall.

I'm sorry if I tell garbage but the CUPS service (for network printers) seems to use localhost:631. Then there's also a network scanner which only works in the firewall setup, when I open a certain incoming port-number on my computer.

Trilby wrote:

This is - I believe - AWebb's main point: setting up a firewall, or apparmor, or anything else because you *think* it improves security when you don't really know what those tools do is a bad idea. At best they will serve no purpose - at worst they might even open up new attack surfaces (I couldn't imagine how off the top of my head, but my imagination is finite).

I haven't installed AppArmor because I haven't understood it yet. So yeah. But I've fully read the sudo and nftables articles of the arch wiki.

Last edited by equalizer876 (2018-09-11 13:57:00)

Trilby · 2018-09-11 13:53:10

Does CUPS listen to external connections? As for the network scanner, I can't really make sense of what you are saying there: but surely if you explicitly enable a service to listen to incoming connections, you'd not also block the ports they are listening on.

equalizer876 · 2018-09-11 14:08:41

Trilby wrote:

Does CUPS listen to external connections?

Only to local network I think. Not sure, but I guess the firewall applies connection rules to both connections within the local network and external connections.

Mod can move it to newbie corner if needed.

Last edited by equalizer876 (2018-09-11 14:11:41)

brebs · 2018-09-11 14:12:08

# systemctl start cups-browsed.service

# ss -tuan | grep 631
udp   UNCONN     0       0               0.0.0.0:631             0.0.0.0:*      
tcp   LISTEN     0       5             127.0.0.1:631             0.0.0.0:*

This is a security issue (listening on UDP port 631), so yes, firewalling is beneficial

Trilby · 2018-09-11 21:34:04

Is there a reason to enable cups-browsed.service if you don't want to be listening for external connections?

Simply *not* enabling a service is surely easier than enabling a service to listen to external connections and then block it to ensure that it can't do the thing you enabled it to do.

equalizer876 · 2018-09-11 23:07:16

I just wanted a firewall to be more secure, when I use a public wifi with my notebook for example. Yes of course you would better create a VPN at home for that purpose. But what if a hacker somehow uses a security hole (well thanks Intel for ME) and gets through to do bad things? Also I tought it'd be good to block most ports to make it more difficult to portscan my computer.

In case of cups I only need org.cups.cupsd.service and some avahi service to find the local network printer. Though I am not sure if I can avoid avahi service as you tell me the less services running the better.

As for my all-in-one-router: Manufacturer still uses an old Linux Kernel so I don't really trust the NAT of my gateway to the internet. If the manufacturer stops providing new firmwares, it would probably be time to install OpenWRT or something different.

Last edited by equalizer876 (2018-09-11 23:16:24)

Trilby · 2018-09-11 23:30:10

equalizer876 wrote:

I just wanted a firewall to be more secure

But that's the point. Enabling a firewall doesn't just magically make your system more secure.

equalizer876 wrote:

... when I use a public wifi with my notebook for example.

Any risks associated with using public wifi will not be addressed in the slightest by a firewall. The risk of public wifi is that others may be able to monitor information going in and out of your system (e.g., to steal passwords). Using HTTPS connections (or TLS encrypted channels for email, etc) avoids much of this concern, VPN could address these concerns quite well, but a firewall is completely irrelevant.

Attaching a padlock to the outside of your house (just on the wall, no where near a door) doesn't make your house more secure ... it just looks silly.

Last edited by Trilby (2018-09-11 23:31:54)

brebs · 2018-09-12 08:25:03

A fundamental principle of IT security is that it is *layered*, because we cannot completely trust the individual layers (which might be misconfigured, or have security bugs), so additional layers add confidence (when their purpose is understood).

To the OP, I recommend Privoxy, which I've used for many years, as additional protection for the web browser (and to block tedious ads).

Lone_Wolf · 2018-09-12 08:39:53

equalizer876 wrote:

Well I tought sudo would be safer than root account, https://wiki.archlinux.org/index.php/Sudo
No idea if "Root password" for sudo tasks or "Harden with Sudo Example" would be better.
I added an admin user (wheel group) just to update, install stuff and changing Config-Files. It always asks for password when typing sudo. For other stuff like browsing the web or write documents I use a standard user (not in wheel group). How can that decrease security compared to using Root login for install/update stuff?

You went several steps further then ubuntu does* :
- you created an admin user that requires separate authentication
- you created users with access limited to what they need

*
Last time I checked ubuntu setup was about 2 years ago (ubuntu-lts 16.04).
Their default user/sudo setup as far as I remember hasn't changed since 2008 and consists of one non-root user with authentication-less root rights .

TL;DR : sudo/disabling root login can help to increase security, but the way ubuntu configures it doesn't.

Last edited by Lone_Wolf (2018-09-12 08:40:07)

Alad · 2018-09-12 08:41:51

Lone_Wolf wrote:

Last time I checked ubuntu setup was about 2 years ago (ubuntu-lts 16.04).
Their default user/sudo setup as far as I remember hasn't changed since 2008 and consists of one non-root user with authentication-less root rights .
TL;DR : sudo/disabling root login can help to increase security, but the way ubuntu configures it doesn't.

What? You make it sound like Ubuntu has NOPASSWD ALL enabled by default, which is definitely not and never has been the case.

TheSaint · 2018-09-13 06:41:19

I feel this discussion a troll and not leading any conclusion. Please TGN it.

Last edited by TheSaint (2018-09-13 06:43:40)

equalizer876 · 2018-09-13 09:34:02

Thanks for your replies. I'll keep reading and consider your suggestions. How to mark as solved? I guess just edit the Subject.

Last edited by equalizer876 (2018-09-13 09:36:29)

Awebb · 2018-09-13 10:39:58

TheSaint wrote:

I feel this discussion a troll and not leading any conclusion. Please TGN it.

If you have a problem, use the report button. I am convinced, that OP is not a troll. Legitimate questions have been asked.

Arch Linux

#1 2018-09-11 10:33:17

[SOLVED] Security Arch <-> Ubuntu

#2 2018-09-11 10:38:12

Re: [SOLVED] Security Arch <-> Ubuntu

#3 2018-09-11 10:46:41

Re: [SOLVED] Security Arch <-> Ubuntu

#4 2018-09-11 11:06:48

Re: [SOLVED] Security Arch <-> Ubuntu

#5 2018-09-11 11:51:49

Re: [SOLVED] Security Arch <-> Ubuntu

#6 2018-09-11 13:36:35

Re: [SOLVED] Security Arch <-> Ubuntu

#7 2018-09-11 13:38:44

Re: [SOLVED] Security Arch <-> Ubuntu

#8 2018-09-11 13:46:11

Re: [SOLVED] Security Arch <-> Ubuntu

#9 2018-09-11 13:53:10

Re: [SOLVED] Security Arch <-> Ubuntu

#10 2018-09-11 14:08:41

Re: [SOLVED] Security Arch <-> Ubuntu

#11 2018-09-11 14:12:08

Re: [SOLVED] Security Arch <-> Ubuntu

#12 2018-09-11 21:34:04

Re: [SOLVED] Security Arch <-> Ubuntu

#13 2018-09-11 23:07:16

Re: [SOLVED] Security Arch <-> Ubuntu

#14 2018-09-11 23:30:10

Re: [SOLVED] Security Arch <-> Ubuntu

#15 2018-09-12 08:25:03

Re: [SOLVED] Security Arch <-> Ubuntu

#16 2018-09-12 08:39:53

Re: [SOLVED] Security Arch <-> Ubuntu

#17 2018-09-12 08:41:51

Re: [SOLVED] Security Arch <-> Ubuntu

#18 2018-09-13 06:41:19

Re: [SOLVED] Security Arch <-> Ubuntu

#19 2018-09-13 09:34:02

Re: [SOLVED] Security Arch <-> Ubuntu

#20 2018-09-13 10:39:58

Re: [SOLVED] Security Arch <-> Ubuntu

Board footer