How to configure firewall and software plus user rights

[Geekcalledsick]

Hello,

I am novice user of linux. I need to know how to configure firewall so my system cant be compromised...

In windows my system was greatly compromised. keyloggers were installed without my approval and my desktop was taken on remote.

What should I do so without my knowledge no software can be installed and i can close all ports and only open which ever port is required to open. What should i do so my desktop cant be taken on remote?

How do I configure user rights? So only root and one admin can install softwares and no one else.

Please advise...

[Miikka]

Only root can install software as default. Linux is much much much... much safer than windows as there is basically are viruses or keyloggers. You don't need to do anything to be secure.

EDIT: Did you get your problem solved here: http://forums.fedoraforum.org/showthread.php?t=261558 ?

[Geekcalledsick]

But i hear there are viruses and root kits for linux...How to be secure against those viruses? First linux root kit was discovered in 1996 as per book Hacking Exposed...

[synapsys]

Quote:

Originally Posted by Miikka

Only root can install software as default. Linux is much much much... much safer than windows as there is basically are viruses or keyloggers. You don't need to do anything to be secure.

WRONG! Simply using Linux doesn't make you secure.

Quote:

Originally Posted by Geekcalledsick

But i hear there are viruses and root kits for linux...How to be secure against those viruses? First linux root kit was discovered in 1996 as per book Hacking Exposed...

Yes, there are viruses and root kits for Linux. The best way not to get infected is to use common sense on the internet, and get yourself a decent firewall. I would suggest looking at configuring iptables. By default, only root can install software. I would suggest setting up the administrator account as a "sudoer." This will allow you to run single commands as root without having to login as root. If you need anymore help with this, just ask. Also, you want to use secure passwords for all user accounts, especially root, and disable any unnecessary services you may be running.

[Evil_Bert]

I generally agree with synapsys's suggesitons with the possible exception of the efficacy of sudo - opinions vary on that score. But, I differ on the matter of Linux being more secure than Windows (to which he alludes) - that is, the user is more secure simply by using it (and by "it", I assume a modern, mainstream Linux distro).

And, please, don't turn this into a Windows-bashing thread!

Whereas there are > 1.8 million malware items for Windows and at least one independent study showed 8 out of 10 in-the-wild malware remain a valid concern for Windows 7, the number of Linux-specific malware items is thought to be ~1000 in total with only ~50 "detected" in-the-wild (IIRC). Linux rootkits are more prevalent than viruses per se because normally, outside of scripting in a browser or the like, executables don't run on your Linux machine unless you have given permission to do so. Whilst it's possible to download an executable as a user and run it, this still requires manual permission assignment and execution (again, this is outside of scripting in a browser or similar).

There are some web-based script and cross-platform risks, such as Adobe Flash, where some malware will work in Linux with user-level privileges, but normally (almost always) if the malware runs, its payload will be aimed at Windows vulnerabilities. Overall, in the typical desktop scenario (i.e. the same way a typical user would use Windows online), the risk of using Linux is much reduced.

However, Linux is not "provably secure" in the sense of some software that can be proven by mathematical means to be defect-free. Linux still has defects and vulnerabilities that are announced on CERT lists and the like and it is possible to exploit some of those vulnerabilities at least until they are patched. Linux vulnerabilities are usually patched sooner then Windows counterparts and there are fewer critical vulnerabilities in the first place, but this may change in the future - more Linux malware could be written and/or there could be more vulnerabilities. Personally, I believe using Linux will never become as risky as using Windows has been.

In many, but not all, Linux distributions, a fair degree of attention is already paid to security. For example, in Fedora, the default firewall configuration is quite adequate for home users (IMHO) and services, by default, do not accept external connection requests. The default SELinux configuration (for distros that use it) does add some additional security should a user actually encounter malware for Linux. These features can be tightened of course, particularly if you have unusual needs or are especially security conscious. Disabling unneeded services certainly does no harm, saves resources and may improve security - the basic principle there is the less code running on your system, the smaller the chance of a vulnerability being accessible, so it's a good thing to do if you have the time and knowledge. (In my case, I do prune running services and implement my own custom firewall to suit my needs).

There are several avenues to explore if a Linux user is really keen to lock down their system - some easy, some complicated - but the best recommendation to a new Linux user, IMHO, is to get software only from trusted repositories, that host only signed packages, which is the default in Fedora. If you use third-party repositories, do your research and obtain, verify and import the package signing key carefully.

So is Linux "secure"? Strictly speaking, no, but I can see how some everyday users could be forgiven for saying that it is, especially when they've only ever used Windows.

[mitmblues]

Did you get this fixed - I can coach you through what you ask if need be.

The steps I think you need to take are as follows:

1) Batten down the hatches and make sure there is no direct access to the machine by a hacker. Local crime will prefer to hack a computer by getting direct access to the keyboard if at all possible. It's easier than hacking over the Internet (i.e., a MITM attack). So you need to make sure at a minimum the door is padlocked behind you before you open a root console. If you can install home CCTV and check the footage of you entering and leaving the room before logging into root (crime has the intrusion capabilities of Houdini it is not without reason Houdini wrote extensively on crime) - a very basic setup can be done using webcams and the Motion package. Secure window shutters if possible (you may not think you need these but you do). A good alarm system can add to internal security. Some TEMPEST shielding if you can afford $1000 (I get the feeling local crime has at least one TEMPEST setup that they move around), but otherwise make sure no clear text passwords are displayed on screen - if setting, e.g., a VPN password on a website xclip and 'read -s' can be used to input autogenerated passphrases/keys etc. without displaying.

2) Encrypt and obfuscate passwords (i.e., don't write them down in clear text). I'm sure you can dream up all sorts of schemes personal to yourself. You need schemes to generate a short password that will only be used to login to a user login (something that can be remembered easily for frequent use), but also schemes to generate the passphrase to encrypt the hard disk which you will only use once in a while etc. You need a scheme as well that will allow you to very quickly reset the password to something new if the need arises (which it does). At one time for example I would open a particular webpage on my mobile 'phone listing English castles, and created passwords noting only the login and # of the castle in the list, using encryption schemes residing largely in my head based on the name of the castle - a scheme that was easy to remember for non crytical/throwaway logins, something more complex for longer passphrases, etc.

3) Lock the X desktop down by creating a public kiosk style setup - run an X window manager but without any menu options that will allow any kind of access to the file system. TWM or openbox are good window managers for doing this. Code xterms to only open after a password has been entered, etc.

4) Setup iptables to open only http and https ports. Connecting to your ISP involves bringing up the network interface, 'ifup [device]' (you may have to set config options for the interface for dhcp); create iptables for connecting to your router in the first instance, and then once the network connection is up connecting to your ISP with only (as a starting point) http and https ports open. Also create a table for when you bring the connection down, blocking all network traffic in either direction.

5) If you have a MITM type hacking problem (SSL certificate errors, data injection), find a VPN, I use ivpn.net OpenVPN servers - all VPNs are not unfortunately created equal, iVPN I personally have found to be about the best (in fact the only one I've tried that prevents most hacks). You will have to add an additional iptable for bringing up the VPN connection. (Note though a VPN only encrypts the Internet connection up to the VPN server, not from the server to the website, and doesn't protect you from compromised websites).

6) Run the browser in a SELinux sandbox - this is an absolute must, I'm still working on a data injection problem even with a VPN.

7) Optional Install the Fedora security spin packages (there is a post on the forum with a script to do this) and join the forum, read the chapter on security in the RH docs, and make a career of a network engineer - at which point you can provide consultancy services to myself, as being a programmer I do not particularly want to go down this route

MITM attacks are described in the presentation on this page... http://www.thoughtcrime.org/software/sslstrip/ (which doesn't seem to be working at the moment - I'm sure if you google'd it it will be found elsewhere).

If you want to go down the above route post back and we can make a start The first thing you need to do though you may find is bolt the door of the room behind you, and make sure the windows are secure.