
#1 2008-05-15 06:24:10

Llama
Banned
From: St.-Petersburg, Russia
Registered: 2008-03-03
Posts: 1,379

Basic (non-paranoid) security

Hi, everybody,

I've done some modest research on the forums. Certain keywords emerged, like iptables, chkrootkit, rkhunter, tripwire, and snort. The question is: am I reasonably safe just running Arch "as is"? If not quite, are there "fire and forget" security solutions?

I'm just an ordinary Internet user: firefox, ktorrent;
I don't live in the root account;
I don't build packages in the root account;

That's pretty much it. I don't care to know more about security measures than I absolutely have to.


#2 2008-05-15 07:00:49

chicha
Member
From: France
Registered: 2007-04-20
Posts: 271

Re: Basic (non-paranoid) security

The best way to get into trouble is to believe you are secure.
That said, I am exactly the same kind of user as you and I have been using Arch for more than a year now without any security problems.

I have no firewall, no log watcher, no chkrootkit running daily, etc ...
The only thing I do is run kismet from time to time to see if somebody has hacked my wireless network at home. That is all!
Probably the best security practice I have is to update (pacman -Syu) regularly, so that I fetch security updates for my web-connected software (linux, epiphany, transmission, lftp ....).

I guess your security also depends on what you are doing on the internet. If you just go through this forum and your country's main newspaper site, then you are safe. If you download a lot of illegal stuff with emule or bittorrent and you go through some warez sites ... then do not complain!


#3 2008-05-15 09:20:53

ezzetabi
Member
Registered: 2006-08-27
Posts: 947

Re: Basic (non-paranoid) security

Following chicha's idea I'd say... Why don't you turn off your computer, put it inside a steel box, weld it shut and send it to a friendly military base? That's security!
You are safe if you do not use your computer!

Joking apart, if you do not have a hardware firewall or a NAT, using iptables is a good idea imo.
But yes, if you avoid living in root you are reasonably safe as is.
About building packages in root: that is (always imo) overrated as a risk. I have seen some ugly PKGBUILDs that make unusable packages in some situations (e.g. they rely on the user's umask value), but I have never seen a PKGBUILD (from either AUR or ABS) where building damages the system.
Surely, even if it is not risky... why do it?

A little script I used to configure iptables.

#!/bin/sh
#   firewall.sh -- IPv4 only: ip6tables keeps a separate rule set that this
#   script does not touch.

if [ "$(/usr/bin/id -u)" != 0 ]
then
  echo "$(basename "$0")": you need to be root to do that.
  exit 1
fi

# Set the default policies before flushing so nothing slips in while the
# chains are being rebuilt; --flush removes rules but keeps policies, and
# --delete-chain removes any user-defined chains.
iptables --policy INPUT DROP
iptables --policy FORWARD DROP
iptables --policy OUTPUT ACCEPT         # outgoing traffic is not restricted
iptables --flush
iptables --delete-chain

### Basic firewall rules ###
# Accept everything on the loopback interface (not only 127.0.0.1 to
# 127.0.0.1: local programs also talk to the host's own address over lo).
iptables --append INPUT -i lo -j ACCEPT
# Replies to connections this host opened, and related ones (e.g. FTP data).
iptables --append INPUT -m state --state "ESTABLISHED,RELATED" -j ACCEPT

### icmp services ###
#iptables --append INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT
#iptables --append INPUT -p icmp --icmp-type time-exceeded -j ACCEPT
#iptables --append INPUT -p icmp --icmp-type echo-request -j ACCEPT
#iptables --append INPUT -p icmp --icmp-type echo-reply -j ACCEPT

### Open ports (only NEW inbound connections need rules here) ###
#Bittorrent, ten downloads at a time
#iptables --append INPUT -p tcp --dport 6881:6890 -j ACCEPT

#uTorrent
#iptables --append INPUT -p tcp --dport 41688 -j ACCEPT

#eDonkey network
#iptables --append INPUT -p tcp --dport 4662 -j ACCEPT
#iptables --append INPUT -p udp --dport 4672 -j ACCEPT

#ssh server
iptables --append INPUT -p tcp --dport 22 -j ACCEPT

#skype
#iptables --append INPUT -p tcp --dport 59945 -j ACCEPT

#http server
#iptables --append INPUT -p tcp --dport 80 -j ACCEPT

#https server
#iptables --append INPUT -p tcp --dport 443 -j ACCEPT

### Log what is about to be dropped, at most 40 entries per minute ###
iptables --append INPUT -m limit --limit 40/minute -j LOG --log-prefix "firewall.sh drop: "
### Everything else is dropped ###
iptables --append INPUT -j DROP

### Finally, save the settings for the next reboot (/etc/iptables must exist).
iptables-save > /etc/iptables/iptables.rules
echo "$(basename "$0")": Done.

Last edited by ezzetabi (2008-05-15 09:22:39)


#4 2008-05-16 05:43:56

Llama
Banned
From: St.-Petersburg, Russia
Registered: 2008-03-03
Posts: 1,379

Re: Basic (non-paranoid) security

ezzetabi wrote:

Joking apart, if you do not have a hardware firewall or a NAT, using iptables is a good idea imo.

I've got an ADSL connection, no provider-associated LAN, and a D-Link router which is advertised (I can't remember by whom) as a "hardware firewall". I don't know whether to believe in the "hardware firewall" theory or not. :)


#5 2008-05-16 06:34:30

ploub
Member
Registered: 2007-05-16
Posts: 132

Re: Basic (non-paranoid) security

Llama wrote:

Joking apart, if you do not have a hardware firewall or a NAT, using iptables is a good idea imo.

I've got an ADSL connection, no provider-associated LAN, and a D-Link router which is advertised (I can't remember by whom) as a "hardware firewall". I don't know whether to believe in the "hardware firewall" theory or not. :)

Try Shields Up on www.grc.com then. ;)


#6 2008-05-16 06:38:43

skymt
Member
Registered: 2006-11-27
Posts: 443

Re: Basic (non-paranoid) security

Llama wrote:

I've got an ADSL connection, no provider-associated LAN, and a D-Link router which is advertised (I can't remember by whom) as a "hardware firewall". I don't know whether to believe in the "hardware firewall" theory or not. :)

For now, do.

Your router uses a technique called "NAT" or Network Address Translation. It's used to allow several computers, each with its own local IP address, to connect to the Internet using the single external IP address your ISP gives you. Here's how it works: when you make an outbound connection, your router makes a note of it and forwards all traffic associated with that connection to the internal IP that originated it. Naturally, this doesn't work for inbound connections: your router has no way of knowing what internal IP address to forward the traffic to, so it drops it. This, by a convenient coincidence, is the same behavior as a simple stateful firewall: allow outgoing connections, disallow incoming ones.

The one flaw in the theory doesn't yet apply, but you should watch out for it. If your ISP and router both support IPv6, each of your computers will have its own global IP address; NAT will no longer be used. This is extremely unlikely to be the case right now, but it should happen within the next 5-10 years. At that point, you should set up a "real" hardware firewall instead of relying on NAT.


#7 2008-05-16 06:49:36

skymt
Member
Registered: 2006-11-27
Posts: 443

Re: Basic (non-paranoid) security

ploub wrote:

Try Shields Up on w ww.grc.com then. ;)

Before you link there again, read up on Shields Up (scroll down to "ShieldsUp Analysed"). tl;dr: Shields Up is a poorly written, deliberately misleading advertisement for ZoneAlarm that actually misses security holes it should be able to find while raising an astonishing number of false positives.


(Quote mangled to unlinkify the GRC url; I don't want to contribute to their PageRank.)


#8 2008-05-16 07:46:07

ploub
Member
Registered: 2007-05-16
Posts: 132

Re: Basic (non-paranoid) security

skymt wrote:
ploub wrote:

Try Shields Up on w ww.grc.com then. ;)

Before you link there again, read up on Shields Up (scroll down to "ShieldsUp Analysed"). tl;dr: Shields Up is a poorly written, deliberately misleading advertisement for ZoneAlarm that actually misses security holes it should be able to find while raising an astonishing number of false positives.


(Quote mangled to unlinkify the GRC url; I don't want to contribute to their PageRank.)

Mmmm, interesting...


#9 2008-05-16 08:21:25

daf666
Member
Registered: 2007-04-08
Posts: 470

Re: Basic (non-paranoid) security

skymt wrote:
ploub wrote:

Try Shields Up on w ww.grc.com then. ;)

Before you link there again, read up on Shields Up (scroll down to "ShieldsUp Analysed"). tl;dr: Shields Up is a poorly written, deliberately misleading advertisement for ZoneAlarm that actually misses security holes it should be able to find while raising an astonishing number of false positives.


(Quote mangled to unlinkify the GRC url; I don't want to contribute to their PageRank.)

I use shields up regularly to test my firewall.. and it works great, you can test specific ports you have opened or closed etc.


#10 2008-05-16 08:44:47

kezar
Member
Registered: 2007-08-14
Posts: 61

Re: Basic (non-paranoid) security

You can use /etc/iptables/iptables.rules to put your rules instead of using a shell script (then you don't need to call iptables each line, just write your parameters).

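As an added illustration of kezar's point (this is not kezar's own file), here is the rule set from ezzetabi's script in post #3 written in the iptables-save/iptables-restore format that /etc/iptables/iptables.rules is read in. The `[0:0]` packet/byte counters on the policy lines, the log prefix and which optional lines are commented out are choices made for this example:

```text
# /etc/iptables/iptables.rules -- load with: iptables-restore < /etc/iptables/iptables.rules
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# loopback
-A INPUT -i lo -j ACCEPT
# replies to connections this host opened
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# uncomment to answer ping
#-A INPUT -p icmp --icmp-type echo-request -j ACCEPT
# ssh server
-A INPUT -p tcp --dport 22 -j ACCEPT
# log, then drop, everything else (at most 40 log entries per minute)
-A INPUT -m limit --limit 40/minute -j LOG --log-prefix "iptables drop: "
-A INPUT -j DROP
COMMIT
```

Lines beginning with `#` are ignored by iptables-restore, the counters are only restored if it is given `-c`, and `iptables -L -n -v` afterwards shows which rules are actually loaded and counting packets. A rule set that does not end with `COMMIT` is rejected as a whole, so a typo leaves the previous rules in place rather than half of the new ones.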

#11 2008-05-16 17:50:17

B-Con
Member
From: USA
Registered: 2007-12-17
Posts: 554

Re: Basic (non-paranoid) security

GRC does nothing truly special. I just nmap -sS* and -sA myself through my WAN IP. Faster, too. Also, GRC doesn't actually scan for vulnerabilities, they just test how well "cloaked" you are. Failing their test with loads of closed ports doesn't necessarily mean that you're insecure.

(* Thanks to pacman, I now always hesitate and go, "-Ss, or -sS?")

Think of security this way: Your box, as it sits with no OS, unplugged on your floor, is the safest it will ever be. Unfortunately, it's not of much use to you that way, and makes a lousy step-stool to boot. So you decide to start adding "stuff" to it. Everything you add makes you a little less secure, by the very definition of secure. The more complex, the less secure.

Use that mentality. Do you need it? No? Chuck it. Yes? Keep it, but limit it.

Don't run any services you don't need. Keep your rc.conf daemons list as short as possible. Use iptables to set up a firewall (look for advice on what packets you should look to drop -- basic rule: if you don't need it, drop it, and allow only ICMP ping replies). Scan for rootkits every few months. Don't keep user accounts you don't need. If you use SSH, read up on tips to configure it most securely. Get extensions for Firefox (like NoScript) that help keep it safe. Mount your /tmp directory in RAM to thwart idiot programs that may write sensitive data to /tmp. If you're paranoid, jail processes that connect to the network. Store your really sensitive data elsewhere, perhaps on an encrypted partition.

[edit]
See these links:
http://www.cromwell-intl.com/security/l … ening.html
http://kevin.hatfieldfamilysite.com/?p=147

Last edited by B-Con (2008-05-16 17:56:15)

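The two ideas in this thread that are easiest to get wrong are skymt's point in post #6 (a NAT router behaves like a stateful firewall: it forwards replies to flows the inside host started and drops unsolicited inbound packets) and B-Con's point in post #11 (a SYN scan and an ACK scan answer different questions, and GRC's "stealth" verdict is just "no answer came back"). The following is an added toy model of both, written for this page and not code from any of the posters. The addresses are TEST-NET values, the packets and listening ports are constructed for the demo, and nothing touches a real network:

```python
"""Toy model of a stateful (NAT-like) filter versus no filter, and of what
nmap -sS / -sA and a GRC-style port report see in front of each."""
from dataclasses import dataclass, field

LOCAL = "198.51.100.7"     # the home box (TEST-NET address, assumed)
SCANNER = "203.0.113.5"    # external scanner (TEST-NET address, assumed)


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"     # "tcp" or "icmp"
    flags: str = ""        # tcp: "S", "SA", "A", "R"; icmp: "echo-request"


@dataclass
class StatefulFirewall:
    """Accepts replies to flows the host started, NEW connections only on
    explicitly opened ports, optionally ping; drops everything else."""
    allow_ping: bool = True
    open_ports: set = field(default_factory=set)
    _flows: set = field(default_factory=set, init=False, repr=False)

    def outbound(self, pkt):
        # Like the NAT/conntrack table: remember the flow so replies match.
        self._flows.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))

    def inbound(self, pkt):
        """Verdict for a packet arriving from the Internet: 'accept'/'drop'."""
        if pkt.proto == "icmp":
            ok = self.allow_ping and pkt.flags == "echo-request"
            return "accept" if ok else "drop"
        if (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self._flows:
            return "accept"            # ESTABLISHED,RELATED
        if pkt.dport in self.open_ports and pkt.flags == "S":
            return "accept"            # NEW connection to an opened port
        return "drop"                  # unsolicited: silently dropped


class NoFirewall:
    """Host directly on the Internet with no filtering at all."""
    def outbound(self, pkt):
        pass

    def inbound(self, pkt):
        return "accept"


def host_response(pkt, listening):
    """What a plain TCP/IP stack answers once a packet is let through."""
    if pkt.proto == "icmp":
        return "echo-reply"
    if pkt.flags == "S":
        return "SA" if pkt.dport in listening else "R"   # open vs closed
    if pkt.flags == "A":
        return "R"      # an unsolicited ACK always gets a RST, open or not
    return None


def scan(fw, listening, scan_type, ports):
    """Classify ports the way nmap labels them for -sS (SYN) or -sA (ACK)."""
    flags = {"sS": "S", "sA": "A"}[scan_type]
    verdicts = {}
    for port in ports:
        probe = Packet(SCANNER, 40000 + port, LOCAL, port, "tcp", flags)
        if fw.inbound(probe) == "drop":
            verdicts[port] = "filtered"      # no answer at all
            continue
        reply = host_response(probe, listening)
        if scan_type == "sS":
            verdicts[port] = "open" if reply == "SA" else "closed"
        else:
            verdicts[port] = "unfiltered"    # RST came back: no stateful filter
    return verdicts


def grc_style_report(fw, listening, ports):
    """Counts in the categories GRC's port report uses (open/closed/stealth)
    plus the ping check that decides its 'TruStealth' verdict."""
    counts = {"open": 0, "closed": 0, "stealth": 0}
    for verdict in scan(fw, listening, "sS", ports).values():
        counts["stealth" if verdict == "filtered" else verdict] += 1
    ping = Packet(SCANNER, 0, LOCAL, 0, "icmp", "echo-request")
    counts["ping_reply"] = fw.inbound(ping) == "accept"
    return counts


if __name__ == "__main__":
    fw = StatefulFirewall()                      # nothing opened, ping allowed
    fw.outbound(Packet(LOCAL, 51000, "203.0.113.9", 443))   # user browsing
    listening = {22, 631}                        # sshd and cups bound locally
    print(grc_style_report(fw, listening, range(0, 1056)))
    # -> {'open': 0, 'closed': 0, 'stealth': 1056, 'ping_reply': True}
    print(fw.inbound(Packet("203.0.113.9", 443, LOCAL, 51000, "tcp", "SA")))
    # -> accept  (the reply to the browsing connection still gets in)
    print(scan(NoFirewall(), listening, "sA", [22, 23]))
    # -> {22: 'unfiltered', 23: 'unfiltered'}
```

The first print reproduces the shape of quarkup's GRC log in post #12 (all ports "stealth", ping answered, so "TruStealth" fails) even though sshd and cups are listening: the filter drops the SYNs, so the scanner never learns whether anything is bound. The ACK scan is what separates the two cases: with no stateful filter every port comes back "unfiltered" because the stack RSTs any stray ACK, while behind the stateful filter every port is "filtered", which is why B-Con runs `-sA` as well as `-sS`.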

#12 2009-04-23 11:10:38

quarkup
Member
From: Portugal
Registered: 2008-09-07
Posts: 497

Re: Basic (non-paranoid) security

what I used to do:

ssh into an external server account;

run nmap/etc against the target cpu (mine);

then check what daemons/services are running, and check everything with iptables.

anyway, this is my log with GRC's Shields Up

----------------------------------------------------------------------

GRC Port Authority Report created on UTC: 2009-04-23 at 11:12:27

Results from scan of ports: 0-1055

    0 Ports Open
    0 Ports Closed
1056 Ports Stealth
---------------------
1056 Ports Tested

ALL PORTS tested were found to be: STEALTH.

TruStealth: FAILED - ALL tested ports were STEALTH,
                   - NO unsolicited packets were received,
                   - A PING REPLY (ICMP Echo) WAS RECEIVED.

----------------------------------------------------------------------

Last edited by quarkup (2009-04-23 11:14:35)


If people do not believe that mathematics is simple, it is only because they do not realize how complicated life is.
Simplicity is the ultimate sophistication.

