Putting some security

Chat about anything related to Linux Mint
User avatar
lisabonne citadel
Level 3
Level 3
Posts: 126
Joined: Fri Oct 13, 2017 5:13 am

Putting some security

Postby lisabonne citadel » Tue Oct 31, 2017 11:38 am

I search a little bit about it and i found two essential configuration that allows you make a better safe web surf.

BLOCK ALL TCP PORTS EXCEPT 80 (HTTP) AND 443 (HTTPS)

create a script with this iprules and put as start up command (sh /directory/filename.sh)

#!/bin/bash
IPTABLES=/sbin/iptables

#start and flush
$IPTABLES -F
$IPTABLES -t nat -F
$IPTABLES -X
$IPTABLES -P FORWARD DROP
$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT ACCEPT

#SSH traffic
$IPTABLES -A INPUT -p tcp --dport 443 -j ACCEPT
#HTTP traffic
$IPTABLES -A INPUT -p tcp --dport 80 -j ACCEPT

#loopback
iptables -A INPUT -i lo -p all -j ACCEPT

SOME INFO that maked me surprised it was some insecurity level on RFC 5961 implemented on all lastest kernels :shock: (source:hackernews)
to block tcp attacks add this line on /etc/sysctl.conf
#net.ipv4.tcp_challenge_ack_limit = 999999999

User avatar
Pjotr
Level 19
Level 19
Posts: 9015
Joined: Mon Mar 07, 2011 10:18 am
Location: The Netherlands (Holland)
Contact:

Re: Putting some security

Postby Pjotr » Wed Nov 01, 2017 6:51 am

A web link to your source, please. Because so far, it has all the looks of a misinformed incorrect warning. And I've seen many, far too many, of such false alarms in the past decade. :wink:
Last edited by Pjotr on Wed Nov 01, 2017 8:05 am, edited 2 times in total.
Tip: 10 things to do after installing Linux Mint 18.3 Sylvia
Keep your Linux Mint healthy: Avoid these 10 fatal mistakes
Twitter: twitter.com/easylinuxtips
All in all, horse sense simply makes sense.

User avatar
CaseyMarie
Level 1
Level 1
Posts: 23
Joined: Mon Oct 23, 2017 5:28 am
Location: Newcastle

Re: Putting some security

Postby CaseyMarie » Wed Nov 01, 2017 7:57 am

I should read up on this, so far all I've done in terms of security is: sudo ufw enable.

Just out of interest if mint is aimed at the beginner who might never use the terminal why does the distro ship with the firewall turned off by default?

User avatar
Pjotr
Level 19
Level 19
Posts: 9015
Joined: Mon Mar 07, 2011 10:18 am
Location: The Netherlands (Holland)
Contact:

Re: Putting some security

Postby Pjotr » Wed Nov 01, 2017 8:00 am

CaseyMarie wrote:I should read up on this, so far all I've done in terms of security is: sudo ufw enable.

Which is enough: it's probably false alarm. No worries. :)

why does the distro ship with the firewall turned off by default?

Because a firewall isn't needed when you are already behind the firewall of your router at home.
Tip: 10 things to do after installing Linux Mint 18.3 Sylvia
Keep your Linux Mint healthy: Avoid these 10 fatal mistakes
Twitter: twitter.com/easylinuxtips
All in all, horse sense simply makes sense.

User avatar
karlchen
Level 18
Level 18
Posts: 8027
Joined: Sat Dec 31, 2011 7:21 am
Location: Germany

Re: Putting some security

Postby karlchen » Wed Nov 01, 2017 8:26 am

Hi, CaseyMaire.
I should read up on this, so far all I've done in terms of security is: sudo ufw enable.
Just out of interest if mint is aimed at the beginner who might never use the terminal why does the distro ship with the firewall turned off by default?

I will have to verify on my Mint 18.x xfce whether gufw is present there as well. Yet, I can assure you that on Linux Mint 18.1 64-bit Cinnamon, the graphical interface for the terminal command ufw, gufw, is present out of the box.
All you have to do in the Mint menu is enter the word "firewall" in the search box (without the double quotes); and you will be presented the launcher of "Firewall Configuration". The executable behind this launcher item is gufw.
gufw permits you to enable the firewall software ufw without resorting to the terminal.
Once you have done so, you may start wondering whether a graphical application is always more friendly for new Linux Mint users than entering a really brief commandline like sudo ufw enable. :wink:

Here is one more brief commandline which will check the status of ufw: sudo ufw status verbose

I am not quite sure whether it is really wise to leave the firewall ufw disabled by default, at least not without telling the user that ufw exists, but has to be enabled in case it is needed.
Yet, the decision to install ufw, but leave it disabled by default is common to Ubuntu and Linux Mint.
I am sure we can have a very long and controversial discussion about it. No matter whether the result would be to enable ufw by default or to leave it disabled by default half of the users would be dissatisfied with the decision, I guess.

Best regards,
Karl
Image
Old bugs good, new bugs bad! Updates are evil: might fix old bugs and introduce no new ones.

User avatar
Moem
Level 12
Level 12
Posts: 4014
Joined: Tue Nov 17, 2015 9:14 am
Location: The Netherlands
Contact:

Re: Putting some security

Postby Moem » Wed Nov 01, 2017 11:06 am

karlchen wrote:Once you have done so, you may start wondering whether a graphical application is always more friendly for new Linux Mint users than entering a really brief commandline like sudo ufw enable. :wink:

Yes, it is, because new users don't know that that is a thing that they can enter, while they may find the GUI for UFW by just looking around in the menu.
Image

If your issue is solved, kindly indicate that by editing the first post in the topic, and adding [SOLVED] to the title. Thanks!

User avatar
CaseyMarie
Level 1
Level 1
Posts: 23
Joined: Mon Oct 23, 2017 5:28 am
Location: Newcastle

Re: Putting some security

Postby CaseyMarie » Wed Nov 01, 2017 11:32 am

I agree that using the command line can be the simplest and fastest way of doing things which is why despite being a novice user I try to use it frequently because I don't want to be scared of it, however if you read YouTube comments and watch videos about Linux a lot of people will complain about how we are geeks married to the command line and Linux will never see significant market share until it's like a Mac where every last thing can be done in the gui. Finding gufw was interesting, I guess we're trying to move towards something like that.

Ufw being disabled by default due to a router firewall is interesting, did it detect that I have one or does it just assume everyone does these days? I expect I do have one because my router is relatively modern I think it's been less than a year since talk talk started using it but I don't know for sure. I understand that Linux is a lot more secure out of the box than windows as well so is the idea that you are secure enough without it and leaving it in by default might cause issues from using it as a server? I could understand leaving it disabled on a server distro but a home user distro? I dunno I'm sure they have their reasons but it's still a little strange to me

User avatar
Pjotr
Level 19
Level 19
Posts: 9015
Joined: Mon Mar 07, 2011 10:18 am
Location: The Netherlands (Holland)
Contact:

Re: Putting some security

Postby Pjotr » Wed Nov 01, 2017 12:34 pm

CaseyMarie wrote:Ufw being disabled by default due to a router firewall is interesting, did it detect that I have one or does it just assume everyone does these days?

Default settings are aimed at being reasonable for most people, not for all people....

By default the firewall isn't activated, because a) there might already be an active firewall in the router and b) behind the ports that are exposed to the internet, there aren't any listening services. At least not in a standard installation. An attacker can't do anything without a listening service that keeps a port open.

However, in certain cases you do need a firewall. For instance when you share an unprotected wireless network, or when you've activated some services on your computer. So in order to be on the safe side, I advise to turn on the firewall in all cases.

I expect I do have one because my router is relatively modern I think it's been less than a year since talk talk started using it but I don't know for sure.

Check your router configuration.
Tip: 10 things to do after installing Linux Mint 18.3 Sylvia
Keep your Linux Mint healthy: Avoid these 10 fatal mistakes
Twitter: twitter.com/easylinuxtips
All in all, horse sense simply makes sense.

Hoser Rob
Level 9
Level 9
Posts: 2891
Joined: Sat Dec 15, 2012 8:57 am

Re: Putting some security

Postby Hoser Rob » Wed Nov 01, 2017 1:41 pm

Pjotr wrote:... By default the firewall isn't activated, because a) there might already be an active firewall in the router and b) behind the ports that are exposed to the internet, there aren't any listening services. At least not in a standard installation. An attacker can't do anything without a listening service that keeps a port open.

However, in certain cases you do need a firewall. For instance when you share an unprotected wireless network, or when you've activated some services on your computer. So in order to be on the safe side, I advise to turn on the firewall in all cases.....


100% true.

My netbook, which is what I use to schlep around , is what I've used to do some distro/DE hopping in the past. I'm ashamed to say that there were several times I forgot to enable the firewall after installing. I would never, ever have done that in WIndows. It'd be insane. Once I forgot for over a month.

And guess what? Despite the fact that it's what I use if I'm in a cafe hotspot, I never got hacked once.

User avatar
lisabonne citadel
Level 3
Level 3
Posts: 126
Joined: Fri Oct 13, 2017 5:13 am

Re: Putting some security

Postby lisabonne citadel » Wed Nov 01, 2017 2:23 pm

ITS COMPLETELY A LIE that linux is 100% safe.
In many cases i was able to detect some hacking entering in my linux.
Today i realize THAT SAMBA someone can create net sharing folder without my administration sudo !!
yesterday someone created k350-PC net sharing folder in nautilus while im surfing... and today in another WIFI someone created another net sharing folder in nautilus! - I HATE SHARING TOOLS.
Linux security decreases a lot with RSYNC, SAMBA, BLUEZ, AVAHI-AUTOIPD and SSH already in a bundle.

And YES its true, linux lets you made your own config but at the same time if you dont spent time to study... you lost your privacy.

User avatar
Pjotr
Level 19
Level 19
Posts: 9015
Joined: Mon Mar 07, 2011 10:18 am
Location: The Netherlands (Holland)
Contact:

Re: Putting some security

Postby Pjotr » Wed Nov 01, 2017 2:37 pm

lisabonne citadel wrote:ITS COMPLETELY A LIE that linux is 100% safe.

First of all: don't SHOUT. Because it's rude.

Nobody claims that Linux is 100 % safe (we don't get those security updates for nothing), so I don't know what on earth you're talking about. :shock:

lisabonne citadel wrote:In many cases i was able to detect some hacking entering in my linux.

I don't believe one bit of that. I've been using desktop Linux daily, for over a decade, and I haven't ever seen a hacker entering my Linux. Not once.

So: I think you're talking nonsense.
Last edited by Pjotr on Wed Nov 01, 2017 2:57 pm, edited 1 time in total.
Tip: 10 things to do after installing Linux Mint 18.3 Sylvia
Keep your Linux Mint healthy: Avoid these 10 fatal mistakes
Twitter: twitter.com/easylinuxtips
All in all, horse sense simply makes sense.

User avatar
lisabonne citadel
Level 3
Level 3
Posts: 126
Joined: Fri Oct 13, 2017 5:13 am

Re: Putting some security

Postby lisabonne citadel » Wed Nov 01, 2017 2:45 pm

FIRST
i dont need to justify to you in a rude way
SECOND
i have been honest
THIRD
i already noticed that you, always answers in a same way.
Over a decade, etc - no one entered in my linux... Question: IS a copy paste?
NSA and Secret services have decrypt servers that blow your mind. :lol:

User avatar
Pjotr
Level 19
Level 19
Posts: 9015
Joined: Mon Mar 07, 2011 10:18 am
Location: The Netherlands (Holland)
Contact:

Re: Putting some security

Postby Pjotr » Wed Nov 01, 2017 2:51 pm

lisabonne citadel wrote:FIRST
i dont need to justify to you in a rude way

No, you need to justify what you claimed in a polite way. Then you'll get a polite response from me.

If you don't prove what you claim, you're just spouting FUD:
https://en.wikipedia.org/wiki/Fear,_unc ... _and_doubt

Spreading FUD is bad. Stop it.

lisabonne citadel wrote:SECOND
i have been honest

I don't doubt that. What I do think, is that you're wrong and that what you claim is nonsense.

lisabonne citadel wrote:THIRD
i already noticed that you, always answers in a same way.
Over a decade, etc - no one entered in my linux... Question: IS a copy paste?

No, but if many more people keep posting nonsense about Linux security, I might start using copy/paste. Thanks for the tip.
Tip: 10 things to do after installing Linux Mint 18.3 Sylvia
Keep your Linux Mint healthy: Avoid these 10 fatal mistakes
Twitter: twitter.com/easylinuxtips
All in all, horse sense simply makes sense.

User avatar
lisabonne citadel
Level 3
Level 3
Posts: 126
Joined: Fri Oct 13, 2017 5:13 am

Re: Putting some security

Postby lisabonne citadel » Wed Nov 01, 2017 3:23 pm

I really love this guy... because its nonsense at all.
wait... what is FUD?

is this article? Read first or get informed properly about this post info because you have lost your racionality.

https://drive.google.com/open?id=0B_YpMx2hZLPdall4bE5rNWlJMHM

page 17 please or be inform :lol:


Return to “Chat about Linux Mint”