Little things that make Linux more secure

Primoz · 2009-05-28 22:23:46

So after reading a post about rm -rf /home mishap I've decided to make my Arch a bit more safer and share it with you.
So if you have some useful things that make your Arch safer as it is share it here.

So first thing I've did I've decided to add this to my bashrc as alias:

alias rm='echo "last chance before screwing things up 10s..." && sleep 10s && rm'

10 seconds is maybe a bit too much, but it gives you enough time to prevent things from screwing up (at least if you're doing it as normal user...)

The other thing I've done was to prevent Forkbombs to take down the system. I've found this when I tried to reduce swappiness of my Arch.
Sorry can't find the link anymore but what I did was this:

ulimit -u 30

It limits the number of processes on 30, so forkbomb has no effect; but the site said that this could prevent you from compiling things and similar stuff.
So I'm not sure how good is for you.

Do you have any good advice what to do to make it safer.
Something maybe in likes of SELinux or iptables (I have no idea how to set them )
please share.

livibetter · 2009-05-28 22:36:53

Primoz wrote:

So after reading a post about rm -rf /home mishap I've decided to make my Arch a bit more safer and share it with you.
So if you have some useful things that make your Arch safer as it is share it here.
So first thing I've did I've decided to add this to my bashrc as alias:
alias rm='echo "last chance before screwing things up 10s..." && sleep 10s && rm'
10 seconds is maybe a bit too much, but it gives you enough time to prevent things from screwing up (at least if you're doing it as normal user...)

If I want to do safe rm, I would make rm alias a script which does move files to trash bin. Or, I may possibly hit the enter, switch to browser for few pages reading, then go back and find out I still delete wrong files.

karol · 2009-05-28 22:44:00

Well, it's your system, but let me tell you that 30 processes is "a bit" too low. Did you test this setup w/ a running X?
There are many definitions of "safe":
- hacker/cracker-proof,
- PEBKAC/fool-proof,
- backups etc. in case your hardware dies.
- etc.

I'm the only user on my computer and I trust myself not to do really dumb things.

Xyne · 2009-05-28 22:44:09

Making bash sleep every time you want to remove something seems like a complete waste of time. Why don't you just alias rm to "rm -i" so that it asks for confirmation first? You can then use the "-f" flag when you're sure that you want to remove something. You can do the same for mv and cp to avoid overwriting files.

You could also alias rm to "mv -t /path/to/trash". If you don't want to have to empty the trash, put it somewhere on /tmp.

As for forkbombs... what are you running that poses such a risk?

The best way to make a system safer is to remain aware of what you're doing. Crippling the system to compensate for laziness and inattentiveness probably makes people careless in the long run. Just keep backups of what you need (for hardware failures as well) and think before running code, especially when it's from an untrusted source (unknown project, online tutorial, etc).

karol · 2009-05-28 22:46:12

@Xyne
Beat ya ;-P

moljac024 · 2009-05-28 23:52:08

Xyne wrote:

... think before running code, especially when it's from an untrusted source (unknown project, online tutorial, etc).

But where is the world coming to when a guy can't trust a random online tutorial ?

Chokkan · 2009-05-29 01:00:52

I recently updated my alias file exactly as Xyne mentioned, making things like mv and cp interactive and verbose.

I think that overuse of sudo can also lead to laziness and accidents.

Passwords which are too easy to guess also go against common sense.

Automatic logins are also asking for trouble.

The thing I'm wrestling with now though, is a backup system that works for me. There are so many ways to do it. I need to just pick one before Fate steps in.

fumbles · 2009-05-29 03:44:04

.

Last edited by fumbles (2020-09-26 11:41:31)

Chokkan · 2009-05-29 04:21:38

Yup, my user and root prompts are different. Most of my precautions are to save me from myself

Primoz · 2009-05-29 09:32:20

karol wrote:

Well, it's your system, but let me tell you that 30 processes is "a bit" too low. Did you test this setup w/ a running X?
There are many definitions of "safe":
- hacker/cracker-proof,
- PEBKAC/fool-proof,
- backups etc. in case your hardware dies.
- etc.
I'm the only user on my computer and I trust myself not to do really dumb things.

Actually I did. I have KDEmod an "whatnot" running. I was surprised myself still don't really know how it's actually possible.
I've tried the forkbomb it won't work, but I can start new apps, have X and KDE with all it's bells and wisthels runnign and still don't get any errosr which I would expect.

@Xyne:
Well I personally think that hitting y for every subfolder of certain folder I wish to remove is waste of time. But agreed 10s is too much. I'll reduce it to 3-4.
I know I am cautious to some extent. But I decided to start this thread so thredas like my borther / sister / I ve rm -rf-ed my / /home or something else.
I do kind of trust myslef even if I only skim through AUR PKGBUILD files and haven't touch iptables (yet).
I've also don't have SSH on my install as I don't need it.

But to be truthful I do have the weakest password for my root, so that's probably bad (have to think of another password).
I know that most archers know how to take care for their computer, but I was still curious what you do. And if what I did made my computer safer.

What do I have to add to my PS1 so that my root will be red?

livibetter · 2009-05-29 09:35:42

Primoz wrote:

What do I have to add to my PS1 so that my root will be red?

Check out this topic

karol · 2009-05-29 11:20:13

Just for the record, could you 'ps ax | wc -l' to count how many processes to do run w/ you full setup?
If the ulimit and ps commands use the same "currency" to count things you should get 20+ processes.

Primoz · 2009-05-30 10:17:57

karol wrote:

Just for the record, could you 'ps ax | wc -l' to count how many processes to do run w/ you full setup?
If the ulimit and ps commands use the same "currency" to count things you should get 20+ processes.

I guess that it worked just that time I've set it, as now my processes are on 140 again and ulimit has max at 16383 processes.
I guess that if there's not enough processes it forces default settings.
So the bottom line is that it doesn't work.

karol · 2009-05-30 11:04:10

Well, there are people who are deeply caring about safety http://bbs.archlinux.org/viewtopic.php?id=73064. I hope the all go to he^H^H Redmond ;-)

iphitus · 2009-05-30 11:24:26

Phrak handles my security. Just make sure you pacman -S cars daily so that he has a continuous supply.

bangkok_manouel · 2009-05-30 11:33:19

I think you're missing the point James, the broken bits implemented by Allan are the ones who make hackers' life a pain.

Arch Linux

#1 2009-05-28 22:23:46

Little things that make Linux more secure

#2 2009-05-28 22:36:53

Re: Little things that make Linux more secure

#3 2009-05-28 22:44:00

Re: Little things that make Linux more secure

#4 2009-05-28 22:44:09

Re: Little things that make Linux more secure

#5 2009-05-28 22:46:12

Re: Little things that make Linux more secure

#6 2009-05-28 23:52:08

Re: Little things that make Linux more secure

#7 2009-05-29 01:00:52

Re: Little things that make Linux more secure

#8 2009-05-29 03:44:04

Re: Little things that make Linux more secure

#9 2009-05-29 04:21:38

Re: Little things that make Linux more secure

#10 2009-05-29 09:32:20

Re: Little things that make Linux more secure

#11 2009-05-29 09:35:42

Re: Little things that make Linux more secure

#12 2009-05-29 11:20:13

Re: Little things that make Linux more secure

#13 2009-05-30 10:17:57

Re: Little things that make Linux more secure

#14 2009-05-30 11:04:10

Re: Little things that make Linux more secure

#15 2009-05-30 11:24:26

Re: Little things that make Linux more secure

#16 2009-05-30 11:33:19

Re: Little things that make Linux more secure

Board footer