I'm looking for hints about secure linux desktops. Securing servers is no problem. Most recent Software Updates, run only the services required etc. But what about desktops? I'm thinking about details like Noscript for Firefox. ASLR, PIE and similar are enabled in Ubuntu https://wiki.ubuntu.com/Security/Features by default. What should I change additionally? Are there any distributions focusing on security?
Are you trying to secure it for your own use or for use by non-technical users? – Stephen Paulger May 27 '11 at 17:42
What are you looking to do on the desktop besides web browsing? Photo editing, programming, debugging, e-mail, instant messaging, gaming, etc. – this.josh Jun 06 '11 at 06:54
grsecurity; PaX; Pro Police; DigSig – LanceBaynes May 28 '11 at 11:41
http://unix.stackexchange.com/questions/14274/vpn-like-solution-for-ssh-tunneling https://github.com/apenwarr/sshuttle/ – LanceBaynes Jun 04 '11 at 10:27
6 Answers
I recommend the following steps, in rough order of priority:
Enable automatic updates. This is the best way to ensure you are always running the best, patched version of all software.
Turn on a firewall. A simple policy often suffices for desktops: roughly speaking, allow all outgoing connections, block all incoming connections. This is a lot easier than tracking down all services that might be listening and disabling them; simply blocking all incoming connections by default closes the exposure.
Enable automatic backups. Set up a backup system to automatically and routinely backup your system, without your involvement. This is one of the best ways to ensure you can recover from a compromise. Security is more than just prevention; it is also about enabling rapid and reliable recovery from compromise.
Use HTTPS Everywhere. Install HTTPS Everywhere (or ForceHTTPS, or equivalent) into your browser, to ensure you use HTTPS (SSL/TLS) on every site that supports it.
Use SSH. For all remote logins, use SSH. Create a private keypair. Protect your private key with a password. Put your public key in the authorized_keys files of all accounts you want to be able to log into remotely. Avoid all unencrypted traffic (e.g., telnet, FTP, IMAP, POP); use encrypted variants instead.
Encrypt email traffic. If you use a mail client with POP or IMAP, configure it to use SSL/TLS protection (e.g., imaps instead of imap), so that the connection with the mail provider is encrypted. Most good email providers will offer an option for connecting via SSL or TLS.
Use an email service that scans your email. Use a good email provider with a good reputation for blocking spam in incoming email. Good spam-blocking software often will also block many email-based scams, phishing attacks, and worms.
Optional: Consider full-disk encryption. If you have a laptop, you might want to enable full-disk encryption, to protect against data breach if the laptop should be lost. Truecrypt and PGP's product have a good reputation. If you use Linux, most Linux distributions will enable you to set up full disk encryption when you install the Linux OS.
Optional: Enable SELinux. Turn on SELinux, if you use a distribution that supports it.
Optional: Harden your browser. You might consider modifying your browser settings to protect yourself. e.g., consider disabling third-party cookies. Consider installing AdBlock Plus.
Optional: Log out, when you're not present. Whenever you leave your computer unattended, you might want to log out (or engage a password-protected screensaver).
Use NoScript for your browser. You may also want to surf inside a virtual machine. – fr00tyl00p Apr 01 '14 at 14:44
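The first two steps of the answer above (nothing listening that need not be, and a firewall whose inbound default is deny) can be checked rather than assumed. The script below is an added example, not code from the answer: it parses the output of iproute2's `ss -Hltunp` to list sockets bound to non-loopback addresses, and the output of `nft list ruleset` to confirm every input base chain has `policy drop`. Both outputs here are constructed samples so it runs offline; on a live machine, feed it the real output of those two commands.

```python
"""Audit a Linux desktop for the posture the answer above recommends:
nothing listening on the network that need not be, and a firewall whose
inbound default is deny.  Added example, not code from the answer.

Assumptions: the host uses iproute2 `ss -Hltunp` and nftables
`nft list ruleset`; both outputs below are constructed samples so the
script runs offline.  Feed it real output from those commands to use it.
"""
import re

# Constructed sample of `ss -Hltunp` (-H drops the header line).
SAMPLE_SS = """\
udp   UNCONN 0      0              0.0.0.0:5353      0.0.0.0:*    users:(("avahi-daemon",pid=812,fd=12))
udp   UNCONN 0      0        127.0.0.53%lo:53        0.0.0.0:*    users:(("systemd-resolve",pid=640,fd=13))
tcp   LISTEN 0      128            0.0.0.0:22        0.0.0.0:*    users:(("sshd",pid=901,fd=3))
tcp   LISTEN 0      128          127.0.0.1:631       0.0.0.0:*    users:(("cupsd",pid=870,fd=7))
tcp   LISTEN 0      128               [::]:22           [::]:*    users:(("sshd",pid=901,fd=4))
tcp   LISTEN 0      5                [::1]:631         [::]:*    users:(("cupsd",pid=870,fd=6))
tcp   LISTEN 0      4096                 *:8080           *:*    users:(("python3",pid=1337,fd=5))
"""

# Constructed sample of `nft list ruleset` with the recommended policy.
SAMPLE_NFT_GOOD = """\
table inet filter {
    chain input {
        type filter hook input priority filter; policy drop;
        ct state established,related accept
        iif "lo" accept
        ct state invalid drop
    }
    chain forward {
        type filter hook forward priority filter; policy drop;
    }
    chain output {
        type filter hook output priority filter; policy accept;
    }
}
"""
# The same ruleset with the input chain left open.
SAMPLE_NFT_OPEN = SAMPLE_NFT_GOOD.replace(
    "hook input priority filter; policy drop;",
    "hook input priority filter; policy accept;")


def split_local(addr):
    """'[::]:22' -> ('::', 22); '127.0.0.53%lo:53' -> ('127.0.0.53', 53)."""
    host, port = addr.rsplit(":", 1)
    host = host.strip("[]").split("%", 1)[0]
    return host, int(port)


def is_loopback(host):
    return host.startswith("127.") or host == "::1"


def exposed_listeners(ss_output):
    """Sockets bound to a non-loopback address, as (proto, host, port, process).
    '0.0.0.0', '::' and '*' are wildcards, i.e. reachable on every interface."""
    found = []
    for line in ss_output.splitlines():
        parts = line.split()
        if len(parts) < 5:
            continue
        proto, local = parts[0], parts[4]
        host, port = split_local(local)
        if is_loopback(host):
            continue
        m = re.search(r'users:\(\("([^"]+)",pid=(\d+)', line)
        proc = m.group(1) if m else "?"
        found.append((proto, host, port, proc))
    return found


def input_policies(nft_ruleset):
    """Policy of every base chain hooked on input; [] means no firewall at all."""
    return re.findall(r"hook input priority [^;]+;\s*policy (\w+);", nft_ruleset)


def default_deny_inbound(nft_ruleset):
    """True only if an input chain exists and every one of them drops by default."""
    policies = input_policies(nft_ruleset)
    return bool(policies) and all(p == "drop" for p in policies)


def report(ss_output, nft_ruleset):
    """Human-readable findings; an empty list means the posture matches the answer."""
    findings = []
    for proto, host, port, proc in exposed_listeners(ss_output):
        findings.append("%s %s:%d (%s) is reachable from the network" % (proto, host, port, proc))
    if not default_deny_inbound(nft_ruleset):
        findings.append("inbound firewall policy is not drop")
    return findings


if __name__ == "__main__":
    for line in report(SAMPLE_SS, SAMPLE_NFT_OPEN):
        print(line)
```

A listener on a wildcard address behind a `policy drop` input chain is not reachable, which is exactly the answer's point: the firewall check is what makes the listener list tolerable, so treat the two findings together rather than chasing every exposed socket first.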
First let me say, I'm not a security expert by any means. While you ask about securing linux desktops, I take your question to mean "how do I implement overall security using free unixes as a person who does personal computing as opposed to web serving." So I thought I would gather my thoughts on the subject and see what other people have to say about it. I share this in the spirit of helping people not to have to rediscover the whole process from scratch. I won't give howto tutorials--many are on the web and this is already incredibly long. This is meant to be a starting point for searching the web.
Security is a process and also a system that needs several computers to implement effectively. For example, it's not enough to configure your computers properly. You also have to read logs and respond to alerts. For the best possible security, one must also make some commonsense behavioral changes in the way one uses a computer. Some operating systems are better suited to certain aspects of security than others. Since they are free, it costs nothing except your time to use all of them.
The first part of this process is figuring out what you are protecting your computers from. For example, if you live in a high crime neighborhood, you might want to lock them in a securely locked safe anchored to the building. I assume though that you want all the normal forms of general security available when doing things with a computer that can be implemented either in software, computer hardware or with behaviors towards software and hardware.
Also, I'm not sure how big your setup is. Many of my recommendations are things that get used all the time by businesses but there's no reason in the world why an individual couldn't and shouldn't also use them at home. If any of these things were done by a business they would be praised for doing due diligence, following regulatory standards, implementing best-in-breed practices and whatever other buzzwords are current.
Network Security
The most important tip I have for network security is to isolate computers containing sensitive data from the internet. Most people have more than one computer. Use one of them exclusively offline. You can get updates and software for any debian/ubuntu-based distribution using utilities like apt-offline.
If you have one or more computers not exposed to the internet, it makes it much more difficult to hack them. Theoretically you could still download binaries or documents from the internet that could gather information about this unconnected computer that could then relay the information back on a corrupted USB flash drive. Some people try to get around this by only mounting their flash drives in a virtual machine running on their offline computers. You can also reformat the flash drive before bringing it back to computers exposed to the internet. This still leaves a remote risk of trojaned flash drive bios. I think buying a drive that you can flip a switch on the side to make it read only would prevent your drive from gathering information from the non-connected computer. If I'm not mistaken, Ridata sells such drives. Most SD cards have them too but you'll need to find an adapter that enforces the read-only switch in hardware.
So…
Tip 1: Have a computer that you use only offline.
Tip 2: View/check material gotten from the internet in a VM.
Tip 3: Scrub your flashdrive, or whatever kind of storage you are using to transfer data between computers before it goes back to a computer connected to the internet.
Tip 4: Better yet than tip 3, use USB drives with read-only switches.
OpenBSD does manage to do some things right. For example, they make it relatively simple to set up a bridging firewall, an ipsec VPN, run a virtual honeynet, or make a wireless access point with authpf authentication. By simple, I mean really simple and fast to set up--so much so that you will not want to use anything else. Bridging firewalls are desirable since they have no network address(es). You set them up between your DSL/cable/internet router and your wireless access point. Since OpenBSD is secure in that it has no remote holes using the default installed setup (choose packages bsd, base.tgz, etc.tgz, and man.tgz), the extra configuration you need is minimal.
Here is some config to get started with.
In /etc/hostname.bridge0:
    add if0
    add if1
    blocknonip if0
    blocknonip if1
    up
(where if0 and if1 should be replaced by the names of your network interfaces)
In /etc/hostname.if0 (and if1):
    up
In /etc/sysctl.conf:
    net.inet.ip.forwarding=1
That's it, you have a bridge. Then you edit /etc/pf.conf to do your firewalling. Here is an extremely basic firewall that blocks incoming connections and allows outgoing ones.
In /etc/pf.conf:
    set skip on lo
    block in log all
    block out log all
    pass in quick on if1 # only firewall on one interface of the bridge
    pass out quick on if1
    pass out quick on if0 modulate state
    antispoof quick for lo
There's much more you can do with pf, and it's described in the man page for pf, the pf faq, and the Book of PF.
Tip 5: For a firewall invisible to attackers, use a bridging firewall with OpenBSD/pf.
Tip 6: If the box has enough power, you can/should also have at least two NIDSes like snort or bro on this box.
You'll need to hand apply new signatures at least weekly.
Many people will buy a separate low powered computer for this purpose like an Alix or a Soekris because of their low power consumption. You can find them used online at various websites like ebay too. You could also use just about any old computer with 32mb of ram or more, and 486 or better processor (which is all some Soekrii have). Whether you should buy a separate computer or use an old one depends on how much electricity you will save and how much electricity costs where you live.
Another indispensable security product from the OpenBSD crowd (not forgetting SSH of course!) is a computer running a honeyd virtual honeynet. There is an entire book called Virtual Honeypots by an author of honeyd, Niels Provos. A virtual honeynet is a suite of virtual honeypots, and a honeypot is a computer which appears to be running a service that an attacker can interact with, from which you can gather information about the methods and means of attacks on your network. You can configure tens of thousands of virtual honeypots running various different services with honeyd. Any interaction with any of them is a sure sign that your firewall has been compromised, and they allow you to learn much more about your attackers. It also hides your own computer from the network more effectively since it appears to be one computer among many.
Tip 7: have a computer running a virtual honeynet with honeyd.
Tip 8: tee logs off to a dot-matrix line printer, and if you have yet another spare computer lying around, a separate computer whose sole purpose is to collect logs from network computers on a UDP port. rsyslog can be configured to do this.
There's a lot more you can do with network security, but the main ones are to do what you can offline, use a firewall, use at least two NIDS, use honeynets, and be vigilant in monitoring and responding to attacks. In general though, I recommend you keep your setup as simple as possible depending on how interested you are in doing things like reviewing logs and the value of what you are trying to protect.
Data Security
Securing data means many things such as protecting it from corruption and from being lost, to making sure it's securely erased or that only certain people can access it. (The CIA triad in information security.)
Whole disk encryption is something that everyone should be using at a minimum. It's offered now every time you install a debian based linux, and can be set up in BSDs too with a little more effort. For example, look at softraid for OpenBSD.
Tip 1: use whole disk encryption
Offsite storage is also recommended. I recommend using a computer with some hot swappable or external drives, at least for all files containing documents and files you create yourself. Then regularly rotating these drives through bank safe deposit boxes or friend's homes. Then if your harddrives do get stolen, you haven't lost any data/writings/family photos etc. I DO NOT recommend cloud storage!
Tip 2: Store copies of data offsite
For preventing corruption of data due to device failure and age there is a fairly standard set of processes like using multiple copies on multiple media and types of media (allows for restoration with utilities like ddrescue), checksumming the data, then checksumming the checksums (the BSD utility mtree is a great tool for this), migrating the data every few years to new media, checking media every year or so for corruption problems, and storing media properly.
For example, let's consider optical media. For your important documents and multimedia, these should be burned at low speed on archival grade gold media (for example MAM-A, JVC, or Verbatim gold archival media) in a single session. The cd burning program should then verify them. Then you should go through and manually verify they were burned correctly. Nothing should be written on them with markers. They should be placed into a non-transparent jewel case holding them only by the outer edges. The jewel cases can then have labels attached to them. Then they should be stored upright not stacked on top of each other in a dark place with constant temperature somewhere between 40-60 degrees F with low relative humidity. This is the gist of the NIST guidelines at least.
Tip 3: Make multiple copies
Tip 4: Test them initially and periodically using checksum tools
Tip 5: Follow guidelines for proper storage and handling of media
Tip 6: Migrate data as new media become available
ZFS can be used to do a lot of this and easily, however ZFS is still somewhat experimental and future versions are not guaranteed to be backwards compatible with previous ones. Thus, I recommend running a distribution like Open Indiana when the first stable release is released, and using it for backup, mirroring, taking snapshots and exporting/importing pools.
Tip 7: use ZFS for backups/mirrors as opposed to original archives
Another issue in data security is verifying its origin for data and binaries you haven't produced yourself. If a trusted friend hands you a flash drive with a program she says she wrote, then there is no problem. However, if this friend has you go to her website to get it you will probably use the public key infrastructure (PKI) to verify it. Then you should have gotten her public key, and she should have signed it in your presence. Often, the end person offering the software or source code is someone you don't even know. In that case, it helps if more people get together to exchange public keys and sign each other's keys. You might not trust these people as much as your friend, but at least you will be able to verify the origin of their data, if only through a chain of key signatures.
In many cases, you won't have any friends of friends who have developed something you want to download. In that case you'll have to download untrusted signature files. A possible way to mitigate rogue signature files is to download the same file using several proxies and then compare them.
thus,
tip 8: use the PKI and tools like gpg to verify the origin of what you download
tip 9: Verify checksums of files you download when checksums are provided
tip 10: Whenever you meet someone exchange and sign keys if you haven't already
For secure deletion, you need to have a non-journaling filesystem like EXT2 (not EXT3 and EXT4) to use utilities like shred effectively. Use shred -uz filename for files, and find -type f -execdir shred -uz '{}' \; at the root of directories to shred directories. In BSD, you can use the -P flag to rm to erase securely.
For whole disk erasure, you can use HDDerase which implements the native erase built into modern harddrives, followed by the DBAN utility.
tip 11: use available utilities like shred, rm -P, HDDerase and DBAN to securely delete files and drives
Finally, for files and photos that you want to be sure to preserve, keep hardcopies on acid-free paper. Hardcopies when well preserved should outlast any digital media by at least a century.
tip 12: make hardcopies
Program Security
Programs usually have bugs. In addition the program or protocol architecture itself can be a source of security exploits. For example, most graphical web browsers and programs from adobe or microsoft (since they are so widely used, not because they are significantly worse than any others) are an inexhaustible source of bugs and security exploits.
Furthermore, you can harden your operating system until it's as hard as you want with all available tools, audit the source code until you die, verify the source with proof checkers etc. but the web browser itself by becoming compromised could still compromise you even if it doesn't compromise your operating system.
Even so it's worth taking a few minutes to harden the operating system. Again, OpenBSD makes it easy by providing most security features like correct permissions by default.
Tip 1: Take a few minutes to harden your OS.
Here are my suggestions for OpenBSD. Some of them probably also apply to other BSDs and linux, like points f.) and g.) for example.
a.) Write a decent pf.conf (there are good examples in the pf faq, the pf man page, or The Book of PF). Use logging to monitor attacks that don't get past your firewall. So remember to review your logs. You can have a script and cron job that flags interesting bits.
b.) change /etc/rc.securelevel so that the securelevel is 2. Then go through your files and chflags -R schg them. I would do this for most of /etc, all of /bin, /sbin, /usr, /bsd, /boot, and sappend on some other files/directories like /root and /altroot and on key logs in /var/log. You may need to hand-tune log rotation.
c.) turn off ttys/gettys. If you're the only one using your computer, you only need one and you shouldn't be logging in as root. So remove the word "secure" from /etc/ttys and close off the rest except for one. If you need to work as root, do it through sudo as another user. To grant more sudo privileges, you can always boot -s at the boot prompt and edit /etc/sudoers with visudo from there.
d.) use TCP Wrappers (/etc/hosts.allow, /etc/hosts.deny). /etc/hosts.deny should read: ALL: ALL. Then figure out what you will allow. Also consider turning off inetd entirely by putting inetd_flags=NO in /etc/rc.conf.local. There's a way to boobytrap TCP Wrappers that's explained in the man page, but I haven't done it yet.
e.) use mtree -cK sha1digest > snapshot_of_filesystem__on_date once you have everything set up. Then cksum -a sha1 that file, as explained in the mtree man page. Make it a cron job, and write a script to diff your snapshots. Also keep the main snapshot offline. This can alert you if key files have been tampered with or accessed by someone other than you or your machine. So it's sort of like a host-based IDS.
f.) deny root login and port forwarding/X11 forwarding in /etc/ssh/sshd_config, especially if you are running sshd!
g.) in /etc/fstab mount /usr ro, and /tmp, /var, /home with noexec. Consider whether your user can log into an rksh shell.
h.) be very specific about commands allowed to users in /etc/sudoers. So for example don't let them use the more general /bin/cp without qualification if you already know which directories/files they need elevated privileges in order to cp.
i.) follow "stable". Get alerted whenever a new patch comes out and patch your system immediately. I recommend building everything on separate machine or a separate partition on that machine so you don't have to install comp.tgz on production machines. Alternatively, sometimes it's easier to just reinstall from the snapshot branch and merge your config files. In addition snapshots let you run the latest versions of software if you decide to deviate from the default install. On the other hand, sometimes the snapshot branch breaks some software outside of the default install and tracking down the problems can be an even bigger pain than recompiling userland. When you (re)compile one trick is to mount /usr/obj in a memory file system (MFS) if you have the ram in order to speed things up (just remember never to reboot until you're all done making your new distribution). Also when you recompile, you can disable loadable kernel modules (LKM) in the kernel config--just a pet peeve of mine.
j.) systrace is only useful to determine which network sockets to open, or binaries/libs you use.
k.) If you do use Xwindows, use startx from the command line as opposed to xdm/gdm/kdm. Be sure to add option -nolisten tcp in the serverargs and default_serverargs section of /usr/X11R6/bin/startx.
Although most passwords can be cracked, it helps if they are longer and have high bit entropy per character. You can get passwords with relatively high entropy from /dev/srandom using the command
    cat /dev/srandom | tr -dc '[:print:]' | fold -w PWD_LENGTH | head -n NUM_OF_PWDS
where PWD_LENGTH is an integer representing the desired length of the password, and NUM_OF_PWDS is another integer representing the number of passwords you want.
Also change your passwords regularly and store them securely. I use a 40+ character password for root. I don't mean to gloss over the important topic of storing passwords securely, but already this is too long.
Tip 2: Use long passwords (>25 characters) with high entropy per character
More importantly, I recommend avoiding those things on the web that are known to have the most exploits. For example, I recommend browsing the web with a text based browser like lynx whenever possible, and then when you need images or javascript, using firefox or its unbranded cousins with the noscript addon. There is some further tuning of noscript that can be done under the "advanced" tab, like disabling webbugs, or by trimming down the default whitelist to trusted sites. Another alternative to using a graphical browser would be to get webpages with wget and view them offline in a VM. Some useful wget flags are
-r -l NUM : allows you to fetch the hierarchy of a website down to level NUM
-np : don't follow links to other sites
-k : make the links inside of pages to other pages work
-p : get pictures and documents linked to on pages
-nc : don't get the same page twice
Flash and enhanced PDF files are huge security issues. Many flash files can be downloaded directly using youtube-dl and other scripts/utilities.
So
tip 3: Use a text based browser where possible
tip 4: use wget and flash downloaders to get pages where you want to see images and open and view them in a VM.
tip 5: for everything else, use the noscript plugin with firefox.
Of course if you want to spend hours and hours, you can play with RBAC/MAC, Jails, and ACLs with stuff like SELinux, GRsecurity, and other FreeBSD equivalents. Always there is the tradeoff between security and usability. Ultimately you or your users need to make an assessment of how much security to trade off and how much time you are going to spend fine-tuning while trying not to lock yourself out of your own system.
Internet privacy and anonymity
Even TOR claims not to be able to give you much of it, and that it is just experimental. Given that, I have some tips for relative privacy/anonymity.
tip 1: Use https://startpage.com or https://startingpage.com
Once you've found the site you want to read, use their ixquick proxy service by following the "proxy this" link below the entry. This works for viewing all webpages except ones with certain active content.
tip 2: tunnel your DNS requests through HTTPS (for example, via server.privacyfoundation.de)
You'll need to install socat and stunnel. If you do use this service then you can close off port domain in /etc/pf.conf for outgoing requests.
tip 3: Liberte linux
tip 4: use http://furk.net/ to fetch/proxy torrents and serve them to you over https
tip 5: encrypt your email
Even more importantly, don't open spam email, and for goodness sake don't run .exe attachments in spam email on windows computers!
Also, don't accept email from anyone you do business with as a means for making communications that involve the exchange of money, or personal or account information. And don't click any links in emails purporting to be from businesses and then enter personal information like your account number and password!
tip 6: Actually examine the certificates at https websites
tip 7: If you must use social networking, use diaspora
tip 8: Don't use public email servers/services whenever possible.
This prevents the problem of having untrusted third parties data mining and selling your private communications on their mail servers, or even having access to your encrypted files if you use encrypted email
tip 9: Don't use 3g/4g internet and keep your cell phone battery out of your cellphone except when you are talking on it or expecting a call.
tip 10: randomize your MAC address at public wifi hotspots.
tip 11: use the Tor browser bundle.
It's probably the best known way to outwit browser profiling as explained on panopticlick.eff.org. Note from that site that using lynx or any other text based browser can be used to uniquely identify you.
Wow, that's an impressive list. Not all tips are of equal importance, and it would be awesome to have a classification from “good hygiene” to “needlessly paranoid”, but still a good post. Tip: markdown would enable you to type less. Also, you now have enough reputation to post as many links as you like. – Gilles 'SO- stop being evil' Nov 26 '11 at 01:55
My $0.02: Use https://www.opendns.com/technology/dnscrypt/ or http://dnscurve.org instead of DNS-over-HTTPS. DNSCrypt is faster and probably more secure, DNSCurve is also faster and even more secure but it's harder to find a server for it. – Shnatsel Nov 21 '12 at 00:27
As for search engines, StartPage has somewhat outdated data, so I recommend using https://www.ixquick.com/ (aggregated search, same technology) or http://duckduckgo.com (independent privacy-oriented search engine) or use an SSL'd Seeks instance (https://www.seeks-project.info/site/) or, best of all, run a Seeks node locally. – Shnatsel Nov 21 '12 at 00:30
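The mtree snapshot-and-diff procedure in point e.) of the answer above (and tip 4 of its data section, periodic checksum verification) boils down to: record mode, size and hash of every file, checksum the record itself, keep that checksum offline, and diff a fresh snapshot against the record later. The script below is an added example that is not part of the answer, written as a portable stand-in for mtree on a Linux desktop. It assumes a POSIX host and uses SHA-256 in place of the answer's sha1digest; the tree it checks is constructed in a temporary directory so it runs offline.

```python
"""Portable stand-in for the mtree/cksum host-integrity snapshot in
point e.) above: record a baseline of every file's mode, size and hash,
checksum the baseline itself, and later diff a fresh snapshot against it.
Added example, not code from the answer.  Assumptions: Python 3, POSIX
stat, SHA-256 instead of the answer's SHA-1.  The tree in demo() is
constructed in a temp directory so the script runs offline.
"""
import hashlib
import os
import stat
import tempfile


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root):
    """Map each path (relative to root) to (mode, size, digest).
    Symlinks are recorded by their target and never followed, so a planted
    link to an unchanged file cannot hide a swapped binary."""
    entries = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()
        for name in sorted(filenames):
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root)
            st = os.lstat(full)
            if stat.S_ISLNK(st.st_mode):
                entries[rel] = ("link", 0, os.readlink(full))
            elif stat.S_ISREG(st.st_mode):
                mode = "%04o" % stat.S_IMODE(st.st_mode)
                entries[rel] = (mode, st.st_size, sha256_file(full))
    return entries


def serialize(entries):
    """Baseline as text plus the digest of that text (the answer's
    'cksum the snapshot' step); keep the digest offline or on paper."""
    body = "".join("%s\t%s\t%d\t%s\n" % (p, m, s, d)
                   for p, (m, s, d) in sorted(entries.items()))
    return body, hashlib.sha256(body.encode()).hexdigest()


def parse(body, expected_digest=None):
    """Inverse of serialize(); refuses a baseline whose own digest is wrong."""
    if expected_digest is not None and \
            hashlib.sha256(body.encode()).hexdigest() != expected_digest:
        raise ValueError("baseline file has been altered")
    entries = {}
    for line in body.splitlines():
        p, m, s, d = line.split("\t")
        entries[p] = (m, int(s), d)
    return entries


def compare(old, new):
    """What changed since the baseline, as sorted path lists."""
    added = sorted(set(new) - set(old))
    removed = sorted(set(old) - set(new))
    changed = sorted(p for p in set(old) & set(new) if old[p] != new[p])
    return {"added": added, "removed": removed, "changed": changed}


def write(path, text, mode=0o644):
    with open(path, "w") as f:
        f.write(text)
    os.chmod(path, mode)   # fixed mode so the demo does not depend on umask


def demo():
    """Constructed tree: baseline it, tamper with it, report the diff."""
    with tempfile.TemporaryDirectory() as root:
        etc = os.path.join(root, "etc")
        os.mkdir(etc)
        write(os.path.join(etc, "passwd"), "root:x:0:0::/root:/bin/sh\n")
        write(os.path.join(etc, "hosts"), "127.0.0.1 localhost\n")
        write(os.path.join(etc, "motd"), "welcome\n")
        body, digest = serialize(snapshot(root))
        baseline = parse(body, digest)            # would raise if body were edited
        # Four kinds of tampering the diff should surface:
        with open(os.path.join(etc, "passwd"), "a") as f:
            f.write("backdoor:x:0:0::/:/bin/sh\n")    # content change
        os.chmod(os.path.join(etc, "hosts"), 0o666)    # mode change, same content
        os.remove(os.path.join(etc, "motd"))            # file removed
        write(os.path.join(etc, "ld.so.preload"), "/tmp/evil.so\n")  # file added
        return compare(baseline, snapshot(root))


if __name__ == "__main__":
    print(demo())
```

Run snapshot() as a cron job against the directories point b.) marks immutable and diff against the baseline taken after setup; the baseline text and its digest belong on offline media, since a baseline the attacker can rewrite detects nothing.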
Are you paranoid enough? If yes, try http://qubes-os.org/Home.html It's a very interesting project, still in beta though, developed by Joanna Rutkowska and her team. It uses virtual machines to enforce isolation between user gui applications, and many other nice tricks. It's solely focused on being a secure environment for desktop computing.
If you don't want to go there, there are distribution focused on security.
I could make a list, but Wikipedia has a nice summary already: http://en.wikipedia.org/wiki/Security-focused_operating_system
I think this is very bad advice. "Paranoid enough" would warrant avoiding anything beta. Especially something that's been so heavily criticized by experts like Brad Spengler (he criticizes everyone, but in this case especially, for quite valid reasons regarding its usage of Xen and the impact it has on kernel self protection). – forest Apr 03 '16 at 06:38
The problem I think we're all having is saying which is a threat that you are concerned about. Someone that surfs all day long and goes to less than safe websites has a higher risk of being attacked than a grandmother trying to check email. But the grandmother has a higher risk because she can't tell the difference between real emails and phishing attacks.
Also something to consider is the tradeoff with usability. I'd say that running lynx is inherently more secure than running Firefox just because there are fewer features to exploit with a text based browser than a full featured browser.
For Privacy Paranoia: I really like the Tor Live CDs for the uber paranoid. https://tails.boum.org It allows a user to create a user session, do their work, and then reboot and wipe all proof that it happened. Privacy and Security are two different games but some of the same precautions overlap.
Overall Security: BSD is intensely secure but I think it's pretty tough to pick up out of the box.
In my opinion, an up to date, actively maintained, well developed distribution like Ubuntu or Centos keeps a balance between security and usability but still gives you the control of the environment to lock it down to the threats that are specific to your environment.
If you are concerned about any BSD learning curve then try out PC-BSD. Pcbsd.org. Based on FreeBSD and uses KDE. – getahobby May 28 '11 at 00:04
BSD is not one operating system, unless you are talking about the truly ancient BSD4.4. There is FreeBSD, which has its share of security issues, some of which are pretty massive (lack of something as basic as ASLR), PC-BSD, which has almost no security team, NetBSD, which has some pretty nice security features (iirc, they even ported some of PaX), and OpenBSD, which is really the only one that can proudly say it is "intensely secure". I would avoid PC-BSD if your goal is security. – forest Apr 03 '16 at 06:40
That's a tough problem, with significant differences from the server space in terms of threats, attack surface, and vulnerabilities.
The "easy" part is to start with Hardening Linux Server which also has some links relevant to the desktop.
But then you run into the insecurity of both the older and newer windowing systems:
And of course the range of applications that users want is so vast that hardening them all, and the associated hardware, desktop buses, formats etc. is a big task.
Google Chrome attempts to sandbox away lots of dangerous browser issues. Chrome OS expands the approach to the whole desktop.
This is a bit old, but it's a good place to start: http://www.hermann-uwe.de/blog/towards-a-moderately-paranoid-debian-laptop-setup--part-1-base-system
For Firefox, DEFINITELY enable NoScript and RequestPolicy, and set up a proper AppArmor profile.
OpenBSD might be of interest as well - it's highly focused on security (but not actually "Linux").