Looking for Advice to Secure MX Linux Installation
Hi folks,
I'm planning to install MX Linux on an i5 Acer laptop computer this weekend. And I'm looking for advice about how to make the newly installed MX Linux more secure. Besides setting up a firewall and separate accounts, are there other tips for installing MX Linux on my 6 year old Acer laptop?
I'm interested to hear suggestions about these topics:
-Should I install a sandbox program such as Firejail to run applications like web browsers in a sandbox?
-Should I run a memory-resident antivirus program? I heard Sophos has good antivirus software for Linux. Or is an on-demand antivirus such as ClamAV good enough for Linux?
-Are there ways I can "lock down" the Linux system to avoid serious problems such as Rootkits, and vulnerabilities such as Meltdown and Spectre?
I'm a dissatisfied Windows 10 user and I'm planning to switch to a Linux distro such as MX Linux. I will be using the MX Linux system for word processing, web browsing, Netflix, and some software coding. Thanks!
Re: Looking for Advice to Secure MX Linux Installation
Yes to Firejail. I use it on Firefox and Claws-Mail as well as a handful of other applications. It takes a bit of getting used to though, since it restricts the applications to portions of the file system.
Another thing to do is uninstall Adobe Flash (why it's included is beyond my understanding), and remove tumbler/tumblerd.
Also decide whether or not you are going to share files and printers with Windows machines, and if not, make sure you unselect the Samba option from the installer.
Install and run chkrootkit every now and then, and also check out spectre-meltdown-checker. As far as antivirus programs for Linux are concerned, unfortunately they are scarce. There's ClamAV which is known for its fantastic track record of picking up Windows viruses from 2005 (something I'm still getting to grips with after over 20 years of using Windows) and it's now all about other defensive strategies.
You mention you have an i5. If you have at least 8GB RAM then consider running Firefox in a Linux VM (antiX Linux is great for these kinds of containers).
Re: Looking for Advice to Secure MX Linux Installation
"...Adobe Flash (why it's included is beyond my understanding)"
Check the Users Manual, Section 1.7, for our position on this.
Production: 5.10, MX-23 Xfce, AMD FX-4130 Quad-Core, GeForce GT 630/PCIe/SSE2, 16 GB, SSD 120 GB, Data 1TB
Personal: Lenovo X1 Carbon with MX-23 Fluxbox and Windows 10
Other: Raspberry Pi 5 with MX-23 Xfce Raspberry Pi Respin
Re: Looking for Advice to Secure MX Linux Installation
That explanation might have made sense before 2017 when a lot of sites were still using it, but many of those sites have since moved to HTML5 and popular browsers like Firefox and Chrome disable Flash by default. Adobe is ending support for it next year anyway.
Re: Looking for Advice to Secure MX Linux Installation
Especially on a laptop, I would recommend doing either an automated installation using the full disk with encryption enabled and a strong Diceware or similar passphrase with a lot of entropy, or a custom installation to separate boot, root, home and swap partitions with all but boot encrypted. The reason being, a laptop is small, portable and valuable so it will be more susceptible to theft, which I think is a greater real-world threat potential than hackers trying to break into it over the network. With an encrypted file system your data is safe from strangers even if they remove the disk and put it in a different machine, as long as your passphrase is such that a brute-force attack would take an average lifetime to succeed.
Re: Looking for Advice to Secure MX Linux Installation
Many users were running into problems with sites such as banking, gaming, etc.
Re: Looking for Advice to Secure MX Linux Installation
Jerry3904 wrote: ↑Fri May 17, 2019 7:08 am Many users were running into problems with sites such as banking, gaming, etc.
I do use a site that requires it. And they are not fun sites. One is my security camera system. Google Chrome is set to ask whether to use flash. So I do have control over where it is used.
richb Administrator
System: MX 23 KDE
AMD A8 7600 FM2+ CPU R7 Graphics, 16 GIG Mem. Three Samsung EVO SSD's 250 GB
- Head_on_a_Stick
Re: Looking for Advice to Secure MX Linux Installation
pedaltothemetal wrote: ↑Fri May 17, 2019 4:04 am -Should I install a sandbox program such as Firejail to run applications like web browsers in sandbox?
Yes, probably a good idea.
Note that the protection provided isn't fantastic though; consider disabling JavaScript whenever possible if you are concerned about security.
Interesting article: https://www.lesswrong.com/posts/AwAA4y6 ... g-noscript
pedaltothemetal wrote: ↑Fri May 17, 2019 4:04 am -Should I run memory-resident antivirus program? I heard Sophos has a good antivirus software for Linux. Or is on-demand Antivirus such as ClamAV good enough for Linux?
Although malware exists in GNU/Linux[1], the viruses which are encountered under Windows do not affect it.
The anti-virus solutions available under GNU/Linux are for preventing your box spreading the viruses to Windows machines.
pedaltothemetal wrote: ↑Fri May 17, 2019 4:04 am -Are there ways I can "lock down" the Linux system to avoid serious problems such as Rootkits, and vulnerabilities such as Meltdown and Spectre?
Your system should already be protected against Meltdown & Spectre as long as you keep it updated.
There are rootkit checkers for GNU/Linux, for example https://packages.debian.org/stretch/chkrootkit
And you can use intrusion detection software such as https://packages.debian.org/stretch/tripwire
Debian have a hardening guide, it's a bit old now but mostly still applicable:
https://www.debian.org/doc/manuals/secu ... ian-howto/
AppArmor is now enabled by default in Debian buster and this should also be true for the next release of MX Linux.
https://wiki.debian.org/AppArmor
mod note: Signature removed, please read the forum rules
Re: Looking for Advice to Secure MX Linux Installation
richb wrote: ↑Fri May 17, 2019 7:19 am I do use a site that requires it. And they are not fun sites. One is my security camera system. Google Chrome is set to ask whether to use flash. So I do have control over where it is used.
Yeah, that's the thing now: browsers block and ask (at least most of them) by default.
Re: Looking for Advice to Secure MX Linux Installation
We also have a newer chkroot in the test repos, though I will try to update it to 0.53: https://repology.org/project/chkrootkit/versions
You should update your kernel if any spectre-meltdown-checker results come back in red. We just updated it and some of the kernels. Debian just pushed an emergency intel-microcode update that we also get to help mitigate the new possible exploits.
If you have a router, it's already better than any software firewall, but we do ship with ufw and I think also a GUI for it, gufw. (Firewall Configuration in the menu)
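Added example (not part of any post in this thread): the replies above say an updated system should already be protected against Meltdown and Spectre, and that a red spectre-meltdown-checker result means the kernel needs updating. The kernel publishes its own per-issue status under /sys/devices/system/cpu/vulnerabilities, and this sketch summarises it; the function name and the sample directory contents are constructed for illustration.

```shell
#!/bin/sh
# Added example: read the kernel's per-issue CPU vulnerability status
# from sysfs (present on Linux 4.15 and later).
SYSFS_VULN_DIR=/sys/devices/system/cpu/vulnerabilities

# check_cpu_vulns [DIR] (hypothetical helper name): print one line per entry
# and set VULN_COUNT to the number of entries reported as "Vulnerable".
# Returns 0 if none are vulnerable, 1 if any are, 2 if DIR does not exist
# (older kernel, or not Linux).
check_cpu_vulns() {
    dir=${1:-$SYSFS_VULN_DIR}
    VULN_COUNT=0
    [ -d "$dir" ] || { echo "UNKNOWN    $dir not present"; return 2; }
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        status=$(cat "$f")
        case $status in
            "Not affected"*) label=OK ;;
            Mitigation*)     label=MITIGATED ;;
            Vulnerable*)     label=VULNERABLE; VULN_COUNT=$((VULN_COUNT + 1)) ;;
            *)               label=UNKNOWN ;;
        esac
        printf '%-10s %-18s %s\n' "$label" "${f##*/}" "$status"
    done
    [ "$VULN_COUNT" -eq 0 ]
}

# Demo on a constructed directory that mimics the sysfs layout, so the
# script behaves the same on any machine. The status strings are samples.
sample=$(mktemp -d)
echo 'Mitigation: PTI' > "$sample/meltdown"
echo 'Mitigation: __user pointer sanitization' > "$sample/spectre_v1"
echo 'Vulnerable' > "$sample/spectre_v2"
echo 'Not affected' > "$sample/l1tf"
check_cpu_vulns "$sample" ||
    echo "=> $VULN_COUNT unmitigated: update the kernel and intel-microcode"
rm -rf "$sample"
# On a real system, call check_cpu_vulns with no argument to read
# $SYSFS_VULN_DIR directly.
```

A VULNERABLE line after a full upgrade and reboot usually means the running kernel or the CPU microcode is still the old one.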