Use Linux Mint securely

MikeNovember
Level 3
Posts: 126
Joined: Fri Feb 28, 2020 7:37 am

Use Linux Mint securely

Post by MikeNovember »

Hi,

This post explains how to use Linux Mint securely.

General:

The threats:

Trend Micro's report for the first half of 2021 shows ~ 13,000,000 attacks on Linux systems. This report is from companies, the only ones equipped with protection software from Trend Micro (which does not offer software for individual users); but this does not mean that individuals are not attacked, just that it is not known, in the absence of feedback.

The attacks are distributed as follows:
- Cryptocurrency miners: 24.56%; they use the computing power of your computer to "mine" bitcoins, ethereums...
- Web shells: 19.92%; installed on a compromised server, they make it easier to take control of a network.
- Ransomware: 11.55%; they encrypt all or part of a system, prevent its use, and demand a ransom (usually in cryptocurrency) to unlock the use of the system.
- Trojans: 9.65%; they hide in a download that seems legitimate, to take control of the system.


The protections included in Linux:

Linux separates the user from the superuser; to be able to modify / write a system file, you must enter a password.

In addition, the downloaded files are not executable by default, they must be made executable expressly.
But:
- under Linux the text files can be executable, whatever their extension,
- downloaded compressed files may contain executable files; after decompression, they will be executable without the need for the user to make them executable.

Protection tools are included in Linux:

The main ones are iptables, seccomp, AppArmor, SELinux, grsecurity, PaX. They are used by some applications during their installation (antivirus programs like Clamav use AppArmor), or used by the kernel, or set by the user (iptables).


Linux weaknesses:

The protection mechanisms would be perfectly effective without programming flaws (specification / encoding / testing) which lead to bugs and vulnerabilities (and which can be found in all operating systems such as MacOS, Windows, Linux, iOS, Android ...).

In particular, the security of the Linux kernel is highly criticized:
- It is an aggregate of separate developments, made by different developers, at different times (some are very old), without development guidelines in terms of security.
- Google also criticizes the insufficient resources put into kernel security, in terms of the number of hours of development and testing.

The vulnerabilities are not only concentrated in the kernel, but also in system software, software with internet access etc.

Because of these vulnerabilities, protections can be bypassed (for example, an attacker could acquire super-user rights without having to enter the password).


Using Linux securely:

The user can significantly improve the security of his system by taking a number of precautions.

Update system and programs:

Trend Micro's report shows that the attacks are focused on outdated systems:
- old distributions no longer maintained (as a reminder, Mint LTS distributions maintained are 19.x until April 2023 and 20.x until April 2025),
- kernel, system software, browsers, other outdated software.

In Mint's LTS distributions, the programs have a frozen version (like on Ubuntu) but:
- the kernel, system software, libraries, etc. are updated each time a security breach is detected,
- browsers and email clients are updated each time their developers update them.

The first rules to apply are therefore:
- stop the use of distributions which are no longer maintained,
- apply all the updates proposed by the update manager,
- update the user installed programs.


User and root passwords:

- Set a root password: Mint does not require you to set a root password by default; you have to set one.

Code:

sudo passwd root
You will need to enter the usual password (superuser) first, then enter the root password, and enter it a second time for confirmation.

- Choose strong passwords for root and user:
Avoid using a simplistic "qwertyu" password or your "peter37" username as the password.
Use a long password (8 characters minimum, 12 to 16 is better), mix alphabetic, numeric, signs, uppercase and lowercase characters.
Adopt two different passwords for root and user.

- To change the user password:

Code:

passwd

Avoid connecting where it is risky:

You can combine several tools, IP address filter, adblocker, browser extensions to avoid malware, ads and tracking.

Hosts file: the '/etc/hosts' file can be used as an IP address filter; for that:
* Copy your '/etc/hosts' file to your home '/home/$USERNAME' where $USERNAME is your username.
* Rename the copied file to "hosts_base.txt".
* Launch a text editor, for example xed, and copy the following code into it:

Code:

#!/bin/bash
# anti malware, anti spam and anti cryptominers hosts file
# system wide connections
set -euo pipefail
# work in the directory holding this script and hosts_base.txt
cd "$(dirname "$0")"
[ -f hosts_base.txt ] || { echo "hosts_base.txt not found" >&2; exit 1; }
# malware lists (download everything first: /etc/hosts is left untouched if a download fails)
wget -q "https://raw.githubusercontent.com/davidonzo/Threat-Intel/master/lists/latestdomains.piHole.txt" -O hosts1.txt
wget -q "https://urlhaus.abuse.ch/downloads/hostfile/" -O hosts2.txt
wget -q "https://curben.gitlab.io/malware-filter/urlhaus-filter-hosts.txt" -O hosts3.txt
# spam list
wget -q "https://raw.githubusercontent.com/FadeMind/hosts.extras/master/add.Spam/hosts" -O hosts4.txt
# no coin list
wget -q "https://raw.githubusercontent.com/hoshsadiq/adblock-nocoin-list/master/hosts.txt" -O hosts5.txt
# merge in one file; the base file comes first so its localhost entries keep priority
cat hosts_base.txt hosts1.txt hosts2.txt hosts3.txt hosts4.txt hosts5.txt > hosts
# keep a backup of the live file, then install the new one owned by root, mode 644
sudo cp /etc/hosts /etc/hosts.bak
sudo install -m 0644 hosts /etc/hosts
rm -f hosts hosts1.txt hosts2.txt hosts3.txt hosts4.txt hosts5.txt
# DNS cache flush
sudo systemd-resolve --flush-caches
read -s -n1 -p "Press any key to continue..."; echo
* Save the file in your '/home/$USERNAME' and name it "update_hosts.sh".
* With your file manager, select the file, right click, properties, permissions and make it executable.
=> When you run this file, it will update your '/etc/hosts' file.

Adblocker: intentionally the hosts file does not contain a list of anti-advertising IP addresses; this role will be reserved to an adblocker, uBlock Origin; several advantages:
* When a page has trouble loading, you can deactivate the adblocker for this page (you cannot deactivate the hosts).
* The adblocker will use a mixture of lists of IP addresses to block, in addition to those of the hosts file, and lists of keywords which allow blocking the URLs containing these keywords (with a cross filtering of IP addresses and keywords, you will have more effective filtering).
The adblocker, as configured below, will filter advertising, malware and tracking, in addition to what the hosts file already does.
uBlock Origin is available for internet browsers (Firefox, Chrome, Chromium, Ungoogled-Chromium) and for the Thunderbird mail client. You have to do two separate installations, in the browser and in Thunderbird.
Configuration of uBlock Origin (identical in both cases):
- in the "Filter lists" page of the uBlock Origin configuration, check:
* "Update the lists of filters selected automatically",
* "In addition, use the aesthetic rules",
* in "Integrated" check the 5 lists,
* in "Advertising" check "AdGuard base", "EasyList"
* in "Confidentiality" check "AdGuard Tracking Protection" and "Easy Privacy",
* in "Malicious domains" check "Spam404"
* in "Nuisances" check "Fanboy's Annoyances"
* in "Regions, languages" check the list corresponding to your language / country
* add the following two specific lists:
. "Fanboy's Enhanced Tracking List", https://secure.fanboy.co.nz/enhancedstats.txt
. "StevenBlack / hosts", https://raw.githubusercontent.com/Steve ... ster/hosts
[NB: The lists defined above are complementary to those in the hosts file.]

Browser extensions: in addition to uBlock Origin, several browser extensions play a role in security, privacy or anti-tracking
* Block Ads for Social Networks (Chrome and family), Block Facebook™ ads in your Chrome.
* Decentraleyes (Chrome and family, Firefox), Protects from tracking linked to "free", centralized content distributors.
* HTTPS everywhere (Chrome and family, Firefox), Encrypt the Web! Automatically use HTTPS security with many sites.
* Privacy Badger (Chrome and family, Firefox), Privacy Badger automatically learns to block invisible trackers.
* Facebook Container (Firefox), Facebook Container for Firefox helps you take back control and separate your web activity from your Facebook profile.
* NoScript (Firefox), Allows the use of javascript only on web sites you choose.


Avoid unwanted incoming connections:

In Linux Mint, there are two easy ways and a complicated one to avoid unwanted incoming connections.

"hosts.deny" and "hosts.allow": these two files, found in '/etc', allow you to authorize ("hosts.allow") or block ("hosts.deny") incoming connections.
For a single user, the settings are simple.
* Open "hosts.deny" with xed:

Code:

sudo xed /etc/hosts.deny
* Copy the following content to "hosts.deny", just after the lines commented with #:

Code:

ALL: ALL
* Save; your "hosts.deny" file should contain:

Code:

# /etc/hosts.deny: list of hosts that are _not_ allowed to access the system.
#                  See the manual pages hosts_access(5) and hosts_options(5).
#
# Example:    ALL: some.host.name, .some.domain
#             ALL EXCEPT in.fingerd: other.host.name, .other.domain
#
# If you're going to protect the portmapper use the name "rpcbind" for the
# daemon name. See rpcbind(8) and rpc.mountd(8) for further information.
#
# The PARANOID wildcard matches any host whose name does not match its
# address.
#
# You may wish to enable this to ensure any programs that don't
# validate looked up hostnames still leave understandable logs. In past
# versions of Debian this has been the default.
# ALL: PARANOID
ALL: ALL
* Open "hosts.allow" with xed:

Code:

sudo xed /etc/hosts.allow
* Make sure there is nothing written in "hosts.allow" without a # sign at the beginning of the line,
* Save; your "hosts.allow" file should contain:

Code:

# /etc/hosts.allow: list of hosts that are allowed to access the system.
#                   See the manual pages hosts_access(5) and hosts_options(5).
#
# Example:    ALL: LOCAL @some_netgroup
#             ALL: .foobar.edu EXCEPT terminalserver.foobar.edu
#
# If you're going to protect the portmapper use the name "rpcbind" for the
# daemon name. See rpcbind(8) and rpc.mountd(8) for further information.
#
These settings do not allow any incoming connections (and do not affect outgoing ones). For more setting options, read the hosts_allow and hosts_deny man pages.

GUFW firewall: this is the UFW graphical interface; start it with "gufw" and, for a single user, choose the options "block incoming connections" and "allow outgoing connections". For more setting options, read GUFW's built-in help.

[NB: you can use hosts.deny / hosts.allow and GUFW; this gives two protections in parallel; but make sure that you have the same permissions / exclusions for incoming connections in both cases.]

iptables: it is a very elaborate firewall, refer to its man pages and its online documentation if you want to use it.

Browser choice:

Linux Mint's default browser choice is Firefox.

But is it the best choice when it comes to security? Although opinions diverge sharply, we see that for several years Firefox has not been invited to the "Pwn2Own annual hacking contest", in which hackers receive bonuses if they manage to bypass software security. And this is because Firefox is considered too easy to hack, with too low security.

The least badly performing family of browsers is Chrome and its derivatives (they are regularly hacked, but, at least, they are invited to the contest). Under Linux Mint you can install:
- Google Chrome, from its website.
- Chromium, fully OpenSource, directly from the distribution (Mint 19.x or 20.x).
- Or Ungoogled Chromium, an OpenSource version of chromium in which all links with Google have been severed.

All three have the same user interface; Chromium and Ungoogled Chromium can share the same user profile; Ungoogled Chromium is the version that best protects against Google tracking.

To install ungoogled-chromium:
- "Archive" version of Marmaduke:
* Download it from https://chromium.woolyss.com/
* Unzip the "*.tar.xz" archive and copy the resulting directory where you want, for example to '/home/$USERNAME/opt'.
* Ungoogled-chromium is ready to use, you can run it directly (read the "readme") or create a launcher.
* Widevine is included, you need to add a "chromium-web-store" extension to be able to install Google web store extensions. See https://ungoogled-software.github.io/un ... uto-update.

- Installable version, for Ubuntu Focal or Mint 20.x:
* Installation:

Code:

echo 'deb http://download.opensuse.org/repositories/home:/ungoogled_chromium/Ubuntu_Focal/ /' | sudo tee /etc/apt/sources.list.d/home-ungoogled_chromium.list > /dev/null
curl -s 'https://download.opensuse.org/repositories/home:/ungoogled_chromium/Ubuntu_Focal/Release.key' | gpg --dearmor | sudo tee /etc/apt/trusted.gpg.d/home-ungoogled_chromium.gpg > /dev/null
sudo apt update
sudo apt install -y ungoogled-chromium
* Instructions for complementary packages (language...): https://github.com/ungoogled-software/u ... ium-debian
* It will be necessary to install the extension "chromium-web-store", see above.
* Widevine is not installed, it will need to be installed separately, see https://ungoogled-software.github.io/un ... devine-cdm, including a script to automate this process.

Use flatpak versions of browsers: Firefox, Chromium and ungoogled-chromium are available as flatpaks; since flatpaks are launched in sandboxes, this adds a supplemental security layer; note that Chromium and ungoogled-chromium need a minimal version of flatpak >= 1.8.2 not provided by Mint. You can get a recent version of flatpak from this ppa: https://launchpad.net/~alexlarsson/+arc ... tu/flatpak.
You can also use Firejail as a sandboxing utility.


System and user files backup:

Backup is a very important element:
- against hard drive failures,
- against system errors,
- against bad manipulations by the user,
- and it is one of the only effective means of protecting against ransomware (do not hope to regain access to your system by paying a ransom ...).

The following assumes:
* That the Mint installation was done with separate partitions: '/' which contains root and system files, programs, libraries; '/home' which contains the directory '/home/$USERNAME' and user files; and a swap partition.
[A separate '/home' partition facilitates successive installations and avoids losing user files in the event of a system malfunction. And a separate '/' partition allows system backups by making partition images or archives that are not too large].
* You have a Linux Mint installation DVD or USB key,
* You have a DVD or bootable USB key allowing the creation of partition images or archives,
* You have an external device, USB hard drive or large key, for backups.

User files backup: Mint contains backup software, "mintbackup"; it is unfortunately unusable in practice because it backs up all files every time you use it, which takes a very long time.
We will therefore use FreeFileSync, with differential backup; during the first backup it copies everything; and during subsequent backups it only copies what has changed.
Installation:
* From https://freefilesync.org/download.php download the Linux version.
* Uncompress the archive.
* Run the installer by choosing where to install FFS (I prefer to install it in my '/home/$USERNAME').
To start FFS I use a small script:

Code:

#!/bin/bash
# launch FreeFileSync installed in the home directory
cd "$HOME/FreeFileSync"
sudo ./FreeFileSync
This allows you to copy any existing system files on the home, and to copy files with their attributes / permissions (you must also activate the option in FFS).
The backup is done on an external USB disk (never backup on the system disk, everything would be lost in the event of a disk crash). I do one every two or three days.

System files backup:
- With Timeshift you take snapshots of the system; in RSYNC, on external disk; without planning (because the backup disk does not have to remain permanently connected); you keep at least two snapshots (I do one every two or three days).
By booting from the Mint installation DVD or USB key, you can launch the timeshift version that is there and restore the system to a previously functioning state.

- Timeshift does not always work in system restore. It must be complemented with a bootable DVD or USB key containing utilities allowing to create an image or an archive of the '/' partition, and to restore it if necessary; this disk or key must also contain utilities (partitioning, boot sector repair, etc.).
For this, you can use Foxclone, https://www.foxclone.com/ or System Rescue, https://www.system-rescue.org/. Foxclone is the easier to use, System Rescue is harder to use but has a lot of repair tools installed.

Frequent Timeshift snapshots can be combined with a fortnightly or monthly backup with Foxclone or System Rescue.

In case of a problem:
* You boot from the Mint installation DVD or USB key and try to restore the latest functioning snapshot with Timeshift; if it's good you leave it there.
* If the restoration by Timeshift does not work, you restore the '/' partition with Foxclone or System Rescue; then you restore the latest functioning snapshot with Timeshift.


Virus and malware scanning:

Several tools are available:
- Linux Malware Detect, on-demand malware scanning (12768 signatures of programs targeting Linux), not in Mint repos, https://www.rfxn.com/projects/linux-malware-detect/.
- Rkhunter, on-demand rootkit scanning, in Mint repos but not working (fails to update), http://rkhunter.sourceforge.net/.
- Chkrootkit, on-demand rootkit scanning, in Mint repos but outdated, http://www.chkrootkit.org/.
- Clamav, on-demand and on-access viruses and malware scanning, in Mint repos but outdated, https://www.clamav.net/.
- Clamav-unofficial-sigs, used to complete Clamav signatures, in Mint repos but outdated, https://github.com/extremeshok/clamav-unofficial-sigs/.
[This subject is not treated seriously by Ubuntu (and, as a consequence, in Mint): LMD missing, Rkhunter not working, chkrootkit, clamav and clamav-unofficial-sigs outdated.]

So, if interested:
* download these programs from their respective websites,
* carefully read their installation and user documentation before installing or using them.


Encryption:

To better protect the confidentiality of your data, you can use encryption:

- of the complete system: choice to be made when installing Mint.

- of a partition, of a directory in a partition: you can use Veracrypt.
* From Veracrypt download page, choose the version of Veracrypt adapted to your distribution (Mint 19.x <=> Ubuntu 18.04; Mint 20.x <=> Ubuntu 20.04).
* Install the DEB with gdebi (select the DEB, right click, install with gdebi).
* Read the large and complex Veracrypt documentation VERY CAREFULLY before using it.

- when browsing: with the HTTPS Everywhere extension; or encryption + anonymity with Tor Browser.
To install Tor Browser:
* Go to this page https://www.torproject.org/download/,
* Click on the "Download for Linux" button,
* Unzip the downloaded archive "*.tar.xz"; move the uncompressed directory where you want, for example '/home/$USERNAME/opt'.
* Launch Tor-Browser the 1st time: double-click on "Tor-Browser Setup" in the directory; it will change the icon to "Tor-Browser" and launch the browser.
* Launch Tor-Browser the next times: double-click on "Tor-Browser" in the directory, or create an entry in your menu using your menu manager.

- for your e-mails:
* Install Gnu Privacy Guard and a graphical interface.
* Generate your private key / public key pair.
* Publish your public key, or exchange your public keys with your correspondents.
* Encrypt your emails for the public key of your correspondents (and for yours).
* Sign the emails you send with your private key.
* Decrypt emails you receive with your private key.


Use of Windows apps:
[Added]

- Some Windows apps, written in ".Net" language, can be executed under Linux with mono.
- Some others can be run using Wine, CrossOver ("polished" and pay version of Wine) or Play On Linux (graphical layer over Wine, more user-friendly).
However, doing this, Windows processes are not isolated from Linux ones and could offer a door to a potential attacker.

It is preferable, when possible, to install a copy of Windows in a virtual machine (qemu/kvm, Virtual Box, VMware Workstation Player...) and play the app on the Windows host, inside the virtual machine: Windows processes are isolated from Linux ones, a potential attack is more difficult. And then, to uninstall mono, Wine / Crossover / Play On Linux.


Security audit:

You can go further and use a security audit program to track your system weaknesses; this can be done with the free version of Lynis, https://cisofy.com/lynis/.
Once downloaded (see https://packages.cisofy.com/community/) and uncompressed, you launch Lynis, which is a script.
Lynis will examine your system, and make some recommendations (generally a few tens...).
Lynis itself does not apply any change to your system.
If you apply some or all of its recommendations to your system, its security will be improved.


Here we are.

This post is very long but it gives an overview of the means of security improvement. Take whatever you want. Among Linux Mint users there may be single home users, but also small companies, doctors, lawyers, journalists, activists... Different users, different needs.

Regards,

MN
Last edited by MikeNovember on Mon Sep 13, 2021 11:24 am, edited 4 times in total.
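The update_hosts.sh procedure in the post above concatenates several third-party lists straight into /etc/hosts. As an added example (not the author's script), the following Python merger accepts only entries that map a name to a sinkhole address, turns bare-domain (Pi-hole style) lines into hosts-format lines, and never shadows a name already defined in the user's hosts_base.txt; the base file and list contents below are constructed samples, not the real downloads.

```python
"""Merge downloaded blocklists into a hosts file, keeping only sinkhole entries.

Added example: validates third-party lists before they reach /etc/hosts.
The sample base file and lists at the bottom are constructed, not real downloads.
"""
import re

# A blocklist entry may only map a name to a sinkhole address; any other
# address would redirect the name to a real machine instead of blocking it.
SINKHOLES = {"0.0.0.0", "127.0.0.1", "::1", "::"}
# Fully qualified names only: labels of letters, digits and hyphens, at least one dot.
HOSTNAME_RE = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)(\.(?!-)[a-z0-9-]{1,63}(?<!-))+$")
# Names whose definition must stay with the base file, whatever a list says.
LOCAL_NAMES = {"localhost", "localhost.localdomain", "ip6-localhost",
               "ip6-loopback", "ip6-allnodes", "ip6-allrouters", "0.0.0.0"}


def hostnames_in(text):
    """Set of names defined by a hosts-format text (comments stripped)."""
    names = set()
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        names.update(h.lower() for h in fields[1:])
    return names


def parse_list(name, text):
    """Return (set of blocked names, list of rejection messages) for one list.

    Accepts hosts format ("0.0.0.0 ads.example") and Pi-hole format (one bare
    domain per line). A bare domain pasted as-is into /etc/hosts is ignored by
    the resolver, so such lines are given a sinkhole address here.
    """
    blocked, rejected = set(), []
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()
        if not fields:
            continue
        if len(fields) == 1 and fields[0] not in SINKHOLES:
            addr, names = "0.0.0.0", fields          # Pi-hole style line
        else:
            addr, names = fields[0], fields[1:]      # hosts style line
        if addr not in SINKHOLES:
            rejected.append(f"{name}:{lineno}: not a sinkhole address: {addr}")
            continue
        for host in names:
            host = host.lower().rstrip(".")
            if host in LOCAL_NAMES:
                continue
            # reject malformed names and dotted numbers masquerading as names
            if not HOSTNAME_RE.match(host) or host.rsplit(".", 1)[-1].isdigit():
                rejected.append(f"{name}:{lineno}: invalid hostname: {host}")
                continue
            blocked.add(host)
    return blocked, rejected


def merge_hosts(base, lists):
    """Return (new hosts file content, rejection messages).

    The base file is copied verbatim first, and any name it already defines
    (the machine's own hostname, for instance) is dropped from the blocklist.
    """
    protected = hostnames_in(base) | LOCAL_NAMES
    blocked, rejected = set(), []
    for name, text in lists.items():
        got, bad = parse_list(name, text)
        blocked |= got
        rejected += bad
    body = base.rstrip("\n") + "\n\n# --- merged blocklist entries ---\n"
    body += "".join(f"0.0.0.0 {host}\n" for host in sorted(blocked - protected))
    return body, rejected


# Constructed sample input (stands in for hosts_base.txt and the downloaded lists).
SAMPLE_BASE = "127.0.0.1\tlocalhost\n127.0.1.1\tmintbox.lan\n"
SAMPLE_LISTS = {
    "hosts_style": "# ads\n0.0.0.0 ads.example\n127.0.0.1 ads.example tracker.example\n",
    "pihole_style": "ads.example\nminer.example\n",
    "suspicious": "192.0.2.10 bank.example\n0.0.0.0 mintbox.lan\n0.0.0.0 bad_host.example\n",
}

if __name__ == "__main__":
    content, problems = merge_hosts(SAMPLE_BASE, SAMPLE_LISTS)
    print(content)
    print("\n".join(problems))
```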
revmacian
Level 4
Posts: 414
Joined: Wed May 27, 2020 1:50 pm

Re: Use Linux Mint securely

Post by revmacian »

MikeNovember wrote:
Mon Sep 13, 2021 9:22 am
User and root passwords:

- Set a root password: Mint does not require you to set a root password by default; you have to set one.

Code:

sudo passwd root
You will need to enter the usual password (superuser) first, then enter the root password, and enter it a second time for confirmation.
It was my understanding that the root account is disabled in Mint. If this is true then attempting to log into root is going to be a waste of time. However, if a root password is set, then someone can sit at the computer all day and try passwords until access is granted. An attacker only needs to try passwords since they already know the root username.. half of the login credentials are already known. Logging into a regular user account, however, is more difficult since an attacker will need to know both halves of the login credentials; username and password. If the root account is disabled in Mint, wouldn't it degrade security to set a root password?
Give a man a fish and you'll feed him for a day. Teach a man to fish and you'll feed him for a lifetime.
US Navy, NEC HM8404
MikeNovember
Level 3
Posts: 126
Joined: Fri Feb 28, 2020 7:37 am

Re: Use Linux Mint securely

Post by MikeNovember »

Hi,

- In Mint, root account exists. And, you are right, you cannot connect to this account.

- However, it seems preferable to set a root password; see viewtopic.php?t=213173 thread, 4th message.

- That's why "sudo passwd root" works.

Regards,

MN
revmacian
Level 4
Posts: 414
Joined: Wed May 27, 2020 1:50 pm

Re: Use Linux Mint securely

Post by revmacian »

MikeNovember wrote:
Mon Sep 13, 2021 10:04 am
Hi,

If the root account is disabled, why does "sudo passwd root" work?

MN
I would assume that is how the root account is enabled and a password is set. Without a root password being set then logging in will never be granted because the last half of the credentials (username and password) can never be satisfied. However, once a password is set then both halves of the credentials are available and an attacker can simply try as many passwords as they want. I still think it's much more secure to not set a root password.. you cannot try to guess a password that doesn't exist.
Last edited by revmacian on Mon Sep 13, 2021 10:14 am, edited 1 time in total.
Give a man a fish and you'll feed him for a day. Teach a man to fish and you'll feed him for a lifetime.
US Navy, NEC HM8404
MikeNovember
Level 3
Posts: 126
Joined: Fri Feb 28, 2020 7:37 am

Re: Use Linux Mint securely

Post by MikeNovember »

revmacian wrote:
Mon Sep 13, 2021 10:12 am
MikeNovember wrote:
Mon Sep 13, 2021 10:04 am
Hi,

If the root account is disabled, why does "sudo passwd root" work?

MN
I would assume that is how the root account is enabled and a password is set. Without a root password being set then logging in will never be granted because the last half of the credentials can never be satisfied. However, once a password is set then both halves of the credentials are available and an attacker can simply try as many passwords as they want. I still think it's much more secure to not set a root password.
Sorry, I edited my answer, probably at the same time you wrote yours; see edited answer.

MN
revmacian
Level 4
Posts: 414
Joined: Wed May 27, 2020 1:50 pm

Re: Use Linux Mint securely

Post by revmacian »

MikeNovember wrote:
Mon Sep 13, 2021 10:14 am
Hi,

Sorry, I edited my answer, probably at the same time you wrote yours; see edited answer.

MN
Thank you, I have read your edits.

Yes, the root account exists but there is no password set and this is more secure because an attacker cannot guess a password when it doesn't exist.. everything the attacker guesses will always be wrong. I still feel it is more secure to not set a root password. I feel that users don't need to log into root anyway, I have been using Linux distros for 20+ years and I cannot remember the last time I needed to log into root for anything - and I've run servers and compiled apps and drivers for quite a while.

See: viewtopic.php?p=1112254#p1112254
Give a man a fish and you'll feed him for a day. Teach a man to fish and you'll feed him for a lifetime.
US Navy, NEC HM8404
revmacian
Level 4
Posts: 414
Joined: Wed May 27, 2020 1:50 pm

Re: Use Linux Mint securely

Post by revmacian »

Also, for greater user account security, I recommend not having the username visible on the login screen. The reason for this is simple, an attacker sitting down at your computer needs two pieces of information; a username and a password. If the attacker can simply click on your username in the login screen then half of the work is already done, now the attacker only needs to guess your password.

However, if the login screen shows just the login prompt waiting for someone to enter the username, then the attacker must first guess the username before even trying to guess the password.

This is the first thing I do on a new Mint system. To remove your username from the login screen:
Mint Menu > Login Window (requires sudo password) > Users
Enable: "Allow manual login" and "Hide the user list"

Yes, this is going to make you enter your username and password to access your computer, but it is more secure that way. I don't mind extra work if it means tighter security. I would imagine that disk encryption is going to be a bit difficult to crack as well.
Give a man a fish and you'll feed him for a day. Teach a man to fish and you'll feed him for a lifetime.
US Navy, NEC HM8404
MikeNovember
Level 3
Posts: 126
Joined: Fri Feb 28, 2020 7:37 am

Re: Use Linux Mint securely

Post by MikeNovember »

Hi,

Just have a look at the Lynis audit recommendations...

I got more than forty after a test of my system, several are related to passwords (to add a Grub password, to specify limited time duration for a password etc.).

MN
PhilippeH
Level 2
Posts: 77
Joined: Thu Jul 20, 2017 3:12 am
Location: Toulon (France)

Re: Use Linux Mint securely

Post by PhilippeH »

...mix alphabetic, numeric, signs, uppercase and lowercase characters.
I respectfully disagree on this detail, see this xkcd comic and its caption: "Through 20 years of efforts, we have successfully trained everyone to use passwords that are hard for humans to remember, but easy for computers to guess".

Would be hard not to have a text file somewhere in your /home so you can copy/paste the password, possibly defeating the entire scheme, wouldn't it?

But I agree with the need of a few more than 8 characters in a password ;)
MikeNovember
Level 3
Posts: 126
Joined: Fri Feb 28, 2020 7:37 am

Re: Use Linux Mint securely

Post by MikeNovember »

PhilippeH wrote:
Mon Sep 13, 2021 11:43 am
...mix alphabetic, numeric, signs, uppercase and lowercase characters.
I respectfully disagree on this detail, see this xkcd comic and its caption: "Through 20 years of efforts, we have successfully trained everyone to use passwords that are hard for humans to remember, but easy for computers to guess".

Would be hard not to have a text file somewhere in your /home so you can copy/paste the password, possibly defeating the entire scheme, wouldn't it?

But I agree with the need of a few more than 8 characters in a password ;)
Hi,

Passwords (or passphrases) only are not a very good protection, but they are simple, cost-less ones. Better protection would be passphrase + biometric something, or passphrase + some hardware encrypted something (smartcard). Paranoid protection would be the three: something the user knows + something biometric, + something the user owns.

At this level of security, other things should be done: full encryption, work in a Faraday cage or with a Tempest certified computer, avoid public networks such as internet...

All depends on the threat you wish to be protected from: if you work with the NSA and want to be protected from Russian spies, you will not apply the same security protections as if you are a home user just wanting to hide his passwords.

My post is oriented to home users, or to people in need of a bit higher level of security (small companies, lawyers, doctors, journalists, activists...).
If you use a computer in a business / institution where security counts a lot, you will use the computer you will be given, with its protections being installed, and security directives to follow...

Regards,

MN
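To put numbers on the password-versus-passphrase exchange above, here is an added example (from neither poster) that computes the guessing entropy of randomly chosen passwords and passphrases and the time needed to exhaust them at an assumed guess rate. It assumes uniformly random choice, a 95-symbol character set, the 7776-word Diceware list as the passphrase dictionary, and guess rates of 10/s (a throttled login prompt) and 1e10/s (cracking a stolen hash offline); all of these are assumptions, not figures from the thread.

```python
"""Guessing-entropy comparison for random passwords vs. random passphrases.

Added example. Assumes every character (or word) is chosen uniformly at
random; a human-chosen password such as "peter37" has far less entropy than
these formulas give for its length.
"""
import math

# Pool sizes (assumptions): printable ASCII without the space character, and
# the 7776-word Diceware list commonly used to build passphrases.
MIXED_CHARS = 95
DICEWARE_WORDS = 7776
SECONDS_PER_YEAR = 365.25 * 86400


def entropy_bits(count, pool_size):
    """Bits of entropy in `count` symbols, each drawn uniformly from `pool_size`."""
    return count * math.log2(pool_size)


def symbols_needed(target_bits, pool_size):
    """Smallest number of symbols from `pool_size` that reaches `target_bits`."""
    return math.ceil(target_bits / math.log2(pool_size))


def years_to_exhaust(bits, guesses_per_second):
    """Years to try every possibility at the given rate (the attacker's worst case)."""
    return 2 ** bits / guesses_per_second / SECONDS_PER_YEAR


def compare(password_len, passphrase_words, online_rate=10.0, offline_rate=1e10):
    """Side-by-side figures for the two policies under two assumed guess rates:
    `online_rate` for a login prompt that can throttle attempts and
    `offline_rate` for cracking a stolen password hash on a GPU."""
    rows = {}
    for label, bits in (
        (f"{password_len} random mixed characters", entropy_bits(password_len, MIXED_CHARS)),
        (f"{passphrase_words} random Diceware words", entropy_bits(passphrase_words, DICEWARE_WORDS)),
    ):
        rows[label] = {
            "bits": round(bits, 1),
            "years_online": years_to_exhaust(bits, online_rate),
            "years_offline": years_to_exhaust(bits, offline_rate),
        }
    return rows


if __name__ == "__main__":
    # 8 random mixed characters and 4 random words land within a bit of each other
    for label, row in compare(8, 4).items():
        print(f"{label}: {row['bits']} bits, {row['years_online']:.3g} years at 10/s, "
              f"{row['years_offline']:.3g} years at 1e10/s")
    print("Diceware words needed to match a 12-character mixed password:",
          symbols_needed(entropy_bits(12, MIXED_CHARS), DICEWARE_WORDS))
```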
t42
Level 6
Posts: 1245
Joined: Mon Jan 20, 2014 6:48 pm

Re: Use Linux Mint securely

Post by t42 »

revmacian wrote:
Mon Sep 13, 2021 10:19 am
the root account exists but there is no password set and this is more secure because an attacker cannot guess a password when it doesn't exist.. everything the attacker guesses will always be wrong. I still feel it is more secure to not set a root password. I feel that users don't need to log into root anyway,
It makes no difference if there is a root password or not with physical access to the HDD: accessing the root shell if there is no password or resetting the root password with root=/dev/hdXY rw init=/bin/sh and editing /etc/passwd and then brute-forcing user accounts with john. The only sensible solution is an encrypted root partition with dm-crypt (to defend the root password you can limit the encryption to /etc).
-=t42=-
revmacian
Level 4
Posts: 414
Joined: Wed May 27, 2020 1:50 pm

Re: Use Linux Mint securely

Post by revmacian »

t42 wrote:
Mon Sep 13, 2021 12:44 pm
revmacian wrote:
Mon Sep 13, 2021 10:19 am
the root account exists but there is no password set and this is more secure because an attacker cannot guess a password when it doesn't exist; everything the attacker guesses will always be wrong. I still feel it is more secure to not set a root password. I feel that users don't need to log into root anyway,
It makes no difference if there is a root password or not with physical access to the HDD: accessing the root shell if there is no password, or resetting the root password with root=/dev/hdXY rw init=/bin/sh and editing /etc/passwd, and then brute-forcing user accounts with john. The only sensible solution is a root partition encrypted with dm-crypt (to defend the root password you can limit the encryption to /etc).
Yeah, without proper encryption then all bets are off.
Give a man a fish and you'll feed him for a day. Teach a man to fish and you'll feed him for a lifetime.
US Navy, NEC HM8404
MikeNovember
Level 3
Posts: 126
Joined: Fri Feb 28, 2020 7:37 am

Re: Use Linux Mint securely

Post by MikeNovember »

revmacian wrote:
Mon Sep 13, 2021 12:48 pm
t42 wrote:
Mon Sep 13, 2021 12:44 pm
revmacian wrote:
Mon Sep 13, 2021 10:19 am
the root account exists but there is no password set and this is more secure because an attacker cannot guess a password when it doesn't exist; everything the attacker guesses will always be wrong. I still feel it is more secure to not set a root password. I feel that users don't need to log into root anyway,
It makes no difference if there is a root password or not with physical access to the HDD: accessing the root shell if there is no password, or resetting the root password with root=/dev/hdXY rw init=/bin/sh and editing /etc/passwd, and then brute-forcing user accounts with john. The only sensible solution is a root partition encrypted with dm-crypt (to defend the root password you can limit the encryption to /etc).
Yeah, without proper encryption then all bets are off.
Hi,

Encryption is among the things I suggested.

One of the best protections is to have full system encryption, with the key stored in a smartcard, and the key itself encrypted with the hash of a password known by the user; you need both to know the password and to have the smartcard to run the computer; after three unsuccessful attempts the smartcard stops functioning and running the computer is impossible without a new, correctly configured smartcard (this prevents brute-force password guessing). Though this is not for single home users.

Single home users could launch a Lynis audit and apply the Lynis recommendations concerning passwords.

MN
revmacian
Level 4
Posts: 414
Joined: Wed May 27, 2020 1:50 pm

Re: Use Linux Mint securely

Post by revmacian »

MikeNovember wrote:
Mon Sep 13, 2021 1:28 pm
revmacian wrote:
Mon Sep 13, 2021 12:48 pm
t42 wrote:
Mon Sep 13, 2021 12:44 pm

It makes no difference if there is a root password or not with physical access to the HDD: accessing the root shell if there is no password, or resetting the root password with root=/dev/hdXY rw init=/bin/sh and editing /etc/passwd, and then brute-forcing user accounts with john. The only sensible solution is a root partition encrypted with dm-crypt (to defend the root password you can limit the encryption to /etc).
Yeah, without proper encryption then all bets are off.
Hi,

Encryption is among the things I suggested.

One of the best protections is to have full system encryption, with the key stored in a smartcard, and the key itself encrypted with the hash of a password known by the user; you need both to know the password and to have the smartcard to run the computer; after three unsuccessful attempts the smartcard stops functioning and running the computer is impossible without a new, correctly configured smartcard (this prevents brute-force password guessing). Though this is not for single home users.

Single home users could launch a Lynis audit and apply the Lynis recommendations concerning passwords.

MN
So, a form of two-factor authentication. That's a good plan, but you're right: it's overkill for a single home user. There is nothing on my computer valuable enough to warrant that amount of security. I don't trust computers to begin with because they are just machines that do what they're told to do; there is no concept of right and wrong, no emotion, no remorse or regret, etc. Now, if I were running a business, or was entrusted with the personal information of other people, you can bet I would be implementing a two-factor authentication system.
Give a man a fish and you'll feed him for a day. Teach a man to fish and you'll feed him for a lifetime.
US Navy, NEC HM8404
MikeNovember
Level 3
Posts: 126
Joined: Fri Feb 28, 2020 7:37 am

Re: Use Linux Mint securely

Post by MikeNovember »

Hi,

I have used such protected computers:
"full system encryption, with the key stored in a smartcard, and the key itself encrypted with the hash of a password known by the user; you need both to know the password and to have the smartcard to run the computer; after three unsuccessful attempts the smartcard stops functioning and running the computer is impossible without a new, correctly configured smartcard"
for years, but it was not at home, and the secrets to protect were not mine.
However, they were still not considered as having a high degree of protection, and the information / data they were allowed to contain had a limited confidentiality classification.
They were laptops; they could get out of the walls of the company. The most confidential data were on desktops, inside the protected walls, inside controlled-access rooms, often inside a Faraday cage.

MN