Welcome!

The kernel problem with recent updates has been solved. Find the solution here

Important information
-- Required MX 15/16 Repository Changes
-- Information on torrent hosting changes
-- Information on MX15/16 GPG Keys
-- Spectre and Meltdown vulnerabilities

News
-- Introducing our new Website
-- MX Linux on social media: here

Current releases
-- MX-18.3 Point Release release info here
-- Migration Information to MX-18 here
-- antiX-17.4.1 release info here

New users
-- Please read this first, and don't forget to add system and hardware information to posts!
-- Here are the Forum Rules

Looking for Advice to Secure MX Linux Installation

User avatar
pedaltothemetal
Forum Novice
Forum  Novice
Posts: 2
Joined: Fri May 17, 2019 3:43 am

Looking for Advice to Secure MX Linux Installation

#1

Post by pedaltothemetal » Fri May 17, 2019 4:04 am

Hi folks,
I'm planning to install MX Linux on an i5 Acer laptop computer this weekend. And I'm looking for advice about how to make the newly installed MX Linux more secure. Besides setting up a firewall and separate accounts, are there other tips for installing MX Linux on my 6 year old Acer laptop?
I'm interested to hear suggestions about these topics:
-Should I install a sandbox program such as Firejail to run applications like web browsers in sandbox?
-Should I run memory-resident antivirus program? I heard Sophos has a good antivirus software for Linux. Or is on-demand Antivirus such as ClamAV good enough for Linux?
-Are there ways I can "lock down" the Linux system to avoid serious problems such as Rootkits, and vulnerabilities such as Meltdown and Spectre?
I'm a dissatisfied Windows 10 user and I'm planning to switch to a Linux distro such as MX Linux. I will be using the MX Linux system for word processing, web browsing, Netflix, and some software coding. Thanks!

User avatar
AK-47
Developer
Posts: 382
Joined: Sun Mar 24, 2019 7:04 pm

Re: Looking for Advice to Secure MX Linux Installation

#2

Post by AK-47 » Fri May 17, 2019 5:41 am

Yes to Firejail. I use it on Firefox and Claws-Mail as well as a handful of other applications. It takes a bit of getting used to though, since it restricts the applications to portions of the file system.

Another thing to do is uninstall Adobe Flash (why it's included is beyond my understanding), and remove tumbler/tumblerd.

Also decide whether or not you are going to share files and printers with Windows machines, and if not, make sure you unselect the Samba option from the installer.

Install and run chkrootkit every now and then, and also checkout spectre-meltdown-checker. As far as antivirus programs for Linux are concerned, unfortunately they are scarce. There's ClamAV which is known for it's fantastic track record of picking up Windows viruses from 2005 (something I'm still getting to grips with after over 20 years of using Windows) and it's now all about other defensive strategies.

You mention you have an i5. If you have at least 8GB RAM then consider running Firefox in a Linux VM (antiX Linux is great for these kinds of containers).
MX Linux 18.3 - Panasonic CF-30 - 3GB RAM - 160GB HDD - Core 2 Duo

User avatar
Jerry3904
Administrator
Posts: 25815
Joined: Wed Jul 19, 2006 6:13 am

Re: Looking for Advice to Secure MX Linux Installation

#3

Post by Jerry3904 » Fri May 17, 2019 6:37 am

...Adobe Flash (why it's included is beyond my understanding)
Check the Users Manual, Section 1.7, for our position on this.
Production: 4.15.0-1-amd64, MX-17.1, AMD FX-4130 Quad-Core, GeForce GT 630/PCIe/SSE2, 8 GB, SSD 120 GB, Data 1TB
Testing: AAO 722: 4.15.0-1-386. MX-17.1, AMD C-60 APU, 4 GB
Personal: XPS 13, 4.18.0-19.3-liquorix, 4 GB

User avatar
AK-47
Developer
Posts: 382
Joined: Sun Mar 24, 2019 7:04 pm

Re: Looking for Advice to Secure MX Linux Installation

#4

Post by AK-47 » Fri May 17, 2019 6:48 am

Jerry3904 wrote:
Fri May 17, 2019 6:37 am
Check the Users Manual, Section 1.7, for our position on this.
That explanation might have made sense before 2017 when a lot of site were still using it, but many of those sites have since moved to HTML5 and popular browsers like Firefox and Chrome disable Flash by default. Adobe is ending support for it next year anyway.
MX Linux 18.3 - Panasonic CF-30 - 3GB RAM - 160GB HDD - Core 2 Duo

User avatar
JayM
Qualified MX Guide
Posts: 2173
Joined: Tue Jan 08, 2019 4:47 am

Re: Looking for Advice to Secure MX Linux Installation

#5

Post by JayM » Fri May 17, 2019 6:52 am

Especially on a laptop, I would recommend doing either an automated installation using the full disk with encryption enabled and a strong Diceware or similar passphrase with a lot of entropy, or a custom installation to separate boot, root, home and swap partitions with all but boot encrypted. The reason being, a laptop is small, portable and valuable so it will be more susceptible to theft, which I think is a greater real-world threat potential than hackers trying to break into it over the network. With an encrypted file system your data is safe from strangers even if they remove the disk and put it in a different machine, as long as your passphrase is such that a brute-force attack would take an average lifetime to succeed.
Please read How To Ask For Help and How to Break Your System.
MX User Manual: hold down ALT and press F1. Further information may be found in the MX Wiki.

User avatar
Jerry3904
Administrator
Posts: 25815
Joined: Wed Jul 19, 2006 6:13 am

Re: Looking for Advice to Secure MX Linux Installation

#6

Post by Jerry3904 » Fri May 17, 2019 7:08 am

AK-47 wrote:
Fri May 17, 2019 6:48 am
Jerry3904 wrote:
Fri May 17, 2019 6:37 am
Check the Users Manual, Section 1.7, for our position on this.
That explanation might have made sense before 2017 when a lot of site were still using it, but many of those sites have since moved to HTML5 and popular browsers like Firefox and Chrome disable Flash by default. Adobe is ending support for it next year anyway.
Many users were running into problems with sites such as banking, gaming, etc.
Production: 4.15.0-1-amd64, MX-17.1, AMD FX-4130 Quad-Core, GeForce GT 630/PCIe/SSE2, 8 GB, SSD 120 GB, Data 1TB
Testing: AAO 722: 4.15.0-1-386. MX-17.1, AMD C-60 APU, 4 GB
Personal: XPS 13, 4.18.0-19.3-liquorix, 4 GB

User avatar
richb
Administrator
Posts: 19484
Joined: Wed Jul 12, 2006 2:17 pm

Re: Looking for Advice to Secure MX Linux Installation

#7

Post by richb » Fri May 17, 2019 7:19 am

Jerry3904 wrote:
Fri May 17, 2019 7:08 am
AK-47 wrote:
Fri May 17, 2019 6:48 am
Jerry3904 wrote:
Fri May 17, 2019 6:37 am
Check the Users Manual, Section 1.7, for our position on this.
That explanation might have made sense before 2017 when a lot of site were still using it, but many of those sites have since moved to HTML5 and popular browsers like Firefox and Chrome disable Flash by default. Adobe is ending support for it next year anyway.
Many users were running into problems with sites such as banking, gaming, etc.
I do use a site that requires it. And they are not fun sites. One is my security camera system. Google Chrome is set to ask whether to use flash. So I do have control over where it is used.
Forum Rules
Guide - How to Ask for Help

Rich
SSD Production: MX 18.1
AMD A8 7600 FM2+ CPU R7 Graphics, 16 GIG Mem. Three Samsung EVO SSD's 250 GB, 350 GB HD

User avatar
Head_on_a_Stick
Forum Regular
Forum Regular
Posts: 490
Joined: Sun Mar 17, 2019 3:37 pm

Re: Looking for Advice to Secure MX Linux Installation

#8

Post by Head_on_a_Stick » Fri May 17, 2019 7:34 am

pedaltothemetal wrote:
Fri May 17, 2019 4:04 am
-Should I install a sandbox program such as Firejail to run applications like web browsers in sandbox?
Yes, probably a good idea.

Note that the protection provided isn't fantastic though, consider disabling javascipt whenever possible if you are concerned about security.

Interesting article: https://www.lesswrong.com/posts/AwAA4y6 ... g-noscript
pedaltothemetal wrote:
Fri May 17, 2019 4:04 am
-Should I run memory-resident antivirus program? I heard Sophos has a good antivirus software for Linux. Or is on-demand Antivirus such as ClamAV good enough for Linux?
Although malware exists in GNU/Linux[1], the viruses which are encountered under Windows do not affect it.

The anti-virus solutions available under GNU/Linux are for preventing your box spreading the viruses to Windows machines.
pedaltothemetal wrote:
Fri May 17, 2019 4:04 am
-Are there ways I can "lock down" the Linux system to avoid serious problems such as Rootkits, and vulnerabilities such as Meltdown and Spectre?
Your system should already be protected against Meltdown & Spectre as long as you keep it updated.

There are rootkit checkers for GNU/Linux, for example https://packages.debian.org/stretch/chkrootkit

And you can use intrusion detection software such as https://packages.debian.org/stretch/tripwire

Debian have a hardening guide, it's a bit old now but mostly still applicable:

https://www.debian.org/doc/manuals/secu ... ian-howto/

Apparmor is now enabled by default in Debian buster and this should also be true for the next release of MX Linux.

https://wiki.debian.org/AppArmor
"Direct action is the logical, consistent method of anarchism." — Emma Goldman

User avatar
Jerry3904
Administrator
Posts: 25815
Joined: Wed Jul 19, 2006 6:13 am

Re: Looking for Advice to Secure MX Linux Installation

#9

Post by Jerry3904 » Fri May 17, 2019 8:24 am

richb wrote:
Fri May 17, 2019 7:19 am
Jerry3904 wrote:
Fri May 17, 2019 7:08 am
AK-47 wrote:
Fri May 17, 2019 6:48 am

That explanation might have made sense before 2017 when a lot of site were still using it, but many of those sites have since moved to HTML5 and popular browsers like Firefox and Chrome disable Flash by default. Adobe is ending support for it next year anyway.
Many users were running into problems with sites such as banking, gaming, etc.
I do use a site that requires it. And they are not fun sites. One is my security camera system. Google Chrome is set to ask whether to use flash. So I do have control over where it is used.
Yeah, that's the thing now: browsers block and ask (at least most of them) by default.
Production: 4.15.0-1-amd64, MX-17.1, AMD FX-4130 Quad-Core, GeForce GT 630/PCIe/SSE2, 8 GB, SSD 120 GB, Data 1TB
Testing: AAO 722: 4.15.0-1-386. MX-17.1, AMD C-60 APU, 4 GB
Personal: XPS 13, 4.18.0-19.3-liquorix, 4 GB

User avatar
Stevo
Developer
Posts: 20158
Joined: Fri Dec 15, 2006 8:07 pm

Re: Looking for Advice to Secure MX Linux Installation

#10

Post by Stevo » Fri May 17, 2019 3:31 pm

We also have a newer chkroot in the test repos, though I will try to update it to 0.53: https://repology.org/project/chkrootkit/versions

You should update your kernel if any spectre-meltdown-checker results come back in red. We just updated it and some of the kernels. Debian just pushed an emergency intel-microcode update that we also get to help mitigate the new possible exploits.

If you have a router, it's already better than any software firewall, but we do ship with ufw and I think also a GUI for it, gufw. (Firewall Configuration in the menu)

Post Reply

Return to “Software / Configuration”