Arch Linux

aio7

Member

Registered: 2008-07-05

Posts: 8

securing Arch box from remote threats

I made a list of security measures. Please give me your opinion on this list.  Paranoid opinions are highly welcomed.

1) Configure iptables: deny all incoming connections. Close all listening  ports.
2) Install software only using pacman. Do not enable AUR. Put system and software updates on cron, two times a day.
3) Install rkhunter, put on cron twice a day.
4) Use FF. Enable NoScript and ADBlock plus addons. DIsable Java and cookies (except trusted ones).
5) Use system under user account.

Do I have to worry about movies, music and pdf I download from torrent?

I heard that Defcon's wifi network is extremely hostile: you login and soon you're rooted. How is this possible, if I deny all incoming connections using iptables?

dolby

Member

From: 1992

Registered: 2006-08-08

Posts: 1,581

Re: securing Arch box from remote threats

2) Put system and software updates on cron, two times a day.

That might not be a security from remote threads but it is, excuse me for saying so, dumb.
You should NOT update your system using a cron job for many reasons.

---

There shouldn't be any reason to learn more editor types than emacs or vi -- mg (1)
[You learn that sarcasm does not often work well in international forums.  That is why we avoid it. -- ewaller (arch linux forum moderator)

aio7

Member

Registered: 2008-07-05

Posts: 8

Re: securing Arch box from remote threats

Why not?

RedShift

Member

From: Belgium

Registered: 2004-07-16

Posts: 230

Re: securing Arch box from remote threats

Why not?

Because you're next in line to complain some sysupgrade randomly broke your system somewhere. You're supposed to READ AND INTERPRET pacman's output. And stuff like DNS records, websites, package repositories, etc... are easily faked.

If you deny all incoming connections you should be quite safe even on very hostile networks.

---

:?

Berticus

Member

Registered: 2008-06-11

Posts: 731

Re: securing Arch box from remote threats

http://www.auscert.org.au/5816

There's nothing wrong with using AUR. I mean some of them do make it to the official community repository. I too would suggest against updating the system via cron and even updating twice a day. If something goes wrong, you need know about the issue right away and be able to fix it. Also, installing things only via pacman may not be the greatest idea either. I mean neither the repositories nor aur is going to have absolutely everything. Updating twice a day is just pointless.

For iptables, just make sure you know what's opened. If you're gonna use torrents, some ports are going to need to be opened.

Also, intrusion should not be completely automated. In fact, when dealing with security, almost nothing should be automated. You, yourself, need to do a lot of the tasks. Some things can be automated, but you need to step in as the CERT checklist shows.

You may want to check out the Bastille Linux scripts. I actually don't know if they'll work with Arch Linux. If not, there are the Titan scripts.

Another thing you may want to do is secure all accounts, especially root. Have the passwords change every month or something. Don't let anybody su directly into the root account. Other options are to use sudo or have an RBAC system such as the one in SELinux. Try to make it so users don't rely on bash's global configuration (/etc/profile). For example, put PATH in each of the ~/.bashrc files instead. If the global bash configuration file is compromised, your users' accounts won't be reading from it.

Security is a multi-layered thing. You don't just secure incoming connections. You need to make sure your box is secure internally as well in the event that your outer most layer isn't secure enough.

aio7

Member

Registered: 2008-07-05

Posts: 8

Re: securing Arch box from remote threats

About DNS records, websites, package repositories... What pacman does to protect system against man in the middle atacks? I hope Arch uses some kind of digital signing.

Very interesting url, thanks a lot

I wondering, are there any very good books to learn about Linux? More about how it works, thinks and maybe some tinkering tips.

RedShift

Member

From: Belgium

Registered: 2004-07-16

Posts: 230

Re: securing Arch box from remote threats

pacman doesn't do anything to prevent man-in-the-middle attacks. It doesn't have any kind of digital signing.

---

:?

sam

Member

Registered: 2008-05-23

Posts: 82

Re: securing Arch box from remote threats

6)Install clamav and configure it
7)Use spamassassin for emails
8)Disable root login with ssh
9)encrypt hdd

and the most important one:
10)Being smart about not giving away personal information on the net and keeping your computer physically secure.  The scariest computer threats aren't remote virus that linux *barely* has, nor is it a hardcore hacker across the planet who are going after your torrent downloads.  Any software security you do will be for squat if someone gets physical access to your computer, and no amount of code will keep you from giving away information to a fake paypal site or buying stuff from shady online stores.

dyscoria

Member

Registered: 2008-01-10

Posts: 1,007

Re: securing Arch box from remote threats

I wondering, are there any very good books to learn about Linux? More about how it works, thinks and maybe some tinkering tips.

Try out Linux From Scratch if you wanna learn how it works. Search the wiki and forum for tinkering tips.

---

flack 2.0.6: menu-driven BASH script to easily tag FLAC files (AUR)
knock-once 1.2: BASH script to easily create/send one-time sequences for knockd (forum/AUR)

aio7

Member

Registered: 2008-07-05

Posts: 8

Re: securing Arch box from remote threats

Linux From Scratch - extremely interesting. Thanks!

Are there future plans to use digital signing in pacman? As I understood, digital signing stands for no to mitm attacks.  How can Arch user be sure his system not compromised if he cant be sure where system updates come from...

Why do I need clamav, the antivirus? As I heard, there are almost no viruses on Linux. And if I will catch one somewhere, it will take me about hour to make him work

dyscoria

Member

Registered: 2008-01-10

Posts: 1,007

Re: securing Arch box from remote threats

From discussions on the forum and mailing list, there doesn't seem to be much interest from devs in implementing digital signing, though they say they'd welcome patches. Guess they're not that bothered either way.

As for running antivirus stuff, I think for the moment it's mainly limiting windows viruses from spreading as you can still pick them up. Obviously they can't do anything to your linux partition, but if you have a windows partition or regularly transfer files to/from other windows computers, this can be useful. If you're not worried about stuff then it's probably not worth running antivirus, but then again you do seem slightly paranoid when it comes to security

---

flack 2.0.6: menu-driven BASH script to easily tag FLAC files (AUR)
knock-once 1.2: BASH script to easily create/send one-time sequences for knockd (forum/AUR)

dolby

Member

From: 1992

Registered: 2006-08-08

Posts: 1,581

Re: securing Arch box from remote threats

Are there future plans to use digital signing in pacman? As I understood, digital signing stands for no to mitm attacks.  How can Arch user be sure his system not compromised if he cant be sure where system updates come from...

http://gcarrier.koon.fr/2008/06/03/pack … g-secured/

---

There shouldn't be any reason to learn more editor types than emacs or vi -- mg (1)
[You learn that sarcasm does not often work well in international forums.  That is why we avoid it. -- ewaller (arch linux forum moderator)

twiistedkaos

Member

Registered: 2006-05-20

Posts: 666

Re: securing Arch box from remote threats

Not to be rude, nor to be mean. The weakest link in any computer security is the user. Sure, you can run some firewalls, block ports ect. But lack of knowledge is what's going to get your system compromised. Pacman doesn't really need any digital signing if you actually pay attention to what you're doing. Want to protect your system? Put it in a closet and don't use it is the safest method. You can have top notch secuity, firewall and spam protection out the ass, but that isn't going to make your any safer if the user isn't paying attention to what they are doing. This is why Window's has so many viruses, malware, and worms. It's not because Windows lacks security, it's because the user themselfs aren't paying attention to what they are doing. I run Windows and linux dual boot, My windows is just as secure as my linux. Why? I'm not click happy, I'm not download happy, and I'm very caustious on what I install. I have yet to have a virus on my Windows boot, and have yet to have any sort of spyware. I don't run a virus scanner on real-time, and I don't have any sort of spyware protection. I simply do scan once a week. Want to be secure? Change your ways and pay attention to what you're doing. As I said, the weakest link in any security is YOU, not the OS, not the distro.

Zepp

Member

From: Ontario, Canada

Registered: 2006-03-25

Posts: 334

Website

Re: securing Arch box from remote threats

arch already blocks all incoming connections, by default, with hosts.deny.

Updating that often is rather pointless. Checking for updates once a day is reasonable but really twice a day is just excessive. I also wouldn't auto install updates, a cron job to say e-mail you of new updates would be ok though.

Last edited by Zepp (2008-07-07 00:59:17)

new2arch

Member

Registered: 2008-02-25

Posts: 235

Re: securing Arch box from remote threats

Not to be rude, nor to be mean. The weakest link in any computer security is the user. Sure, you can run some firewalls, block ports ect. But lack of knowledge is what's going to get your system compromised. Pacman doesn't really need any digital signing if you actually pay attention to what you're doing. Want to protect your system? Put it in a closet and don't use it is the safest method. You can have top notch secuity, firewall and spam protection out the ass, but that isn't going to make your any safer if the user isn't paying attention to what they are doing. This is why Window's has so many viruses, malware, and worms. It's not because Windows lacks security, it's because the user themselfs aren't paying attention to what they are doing. I run Windows and linux dual boot, My windows is just as secure as my linux. Why? I'm not click happy, I'm not download happy, and I'm very caustious on what I install. I have yet to have a virus on my Windows boot, and have yet to have any sort of spyware. I don't run a virus scanner on real-time, and I don't have any sort of spyware protection. I simply do scan once a week. Want to be secure? Change your ways and pay attention to what you're doing. As I said, the weakest link in any security is YOU, not the OS, not the distro.

The best way to secure a Winbox is to use a restrictive user account. 
If the winbox runs with restricted privileges, I would say it is as secure as a Linux box.

But I agree the weakest link in security matters is the user no matter if you run Windows or Linux.

crouse

Arch Linux f@h Team Member

From: Iowa - USA

Registered: 2006-08-19

Posts: 907

Website

Re: securing Arch box from remote threats

My windows is just as secure as my linux.

I'd disagree ...
Linux is more secure by design.

B-Con

Member

From: USA

Registered: 2007-12-17

Posts: 554

Website

Re: securing Arch box from remote threats

- Don't overdo sudoers, letting pacman, etc, run without a password is insecure by design
- Dunno if you're running any services, if so, then configure them securely. Seems obvious, but don't overlook it.
- I like to mount /tmp to RAM. Prevents a program that has potantially secret data from temporarily being written to disk and ensure temp data doesn't persist after a reboot
- See here: http://www.cromwell-intl.com/security/l … ening.html
- A larger list: http://www.linux-sec.net/Harden/howto.gwif.html

Last edited by B-Con (2008-07-07 23:56:32)

---

- My AUR packages.

new2arch

Member

Registered: 2008-02-25

Posts: 235

Re: securing Arch box from remote threats

My windows is just as secure as my linux.

I'd disagree ...
Linux is more secure by design.

Out of the box the Linux machine is probably more secure than, say, XP or W2k.
But with little tweaking, the initial differences diminish. Also it heavily depends on which distrubution you're looking at, IMO. Some distros have tons of services enabled by default and some of those daemons have, in a historical point of view, been insecure.
(But it's generally easier to disable unnecessary services in Linux than it is in Windows - disabling services in XP can be a pain especially when many of them are depended on each other.)
And why do many [userland]files have the 's' bit set when they obviously don't need it (gnome-games)? And why can't Xorg be run without the 's'-bit? Why must it listen for tcp-connections?
Why can any under-privileged user bypass root by typing simple commands during lilo/grub?
The list can go on.
The kernel has had and it's having its share of never ending security patches also, due to programming errors. Secunia.com's reports show there are potential dangers using any operating system, even if the design and thought behind the OS is great. 

That being said, I believe Linux can be made very secure but there are some rough edges that need to be polished.
But it's not fair to say (not that you've said it, I'm just quoting what I've been reading on the internet, on why Linux is so secure) Linux is secure because viruses/malware designed specifically for Microsoft cannot administer any damage to it.