Looking for Advice to Secure MX Linux Installation

Message
Author
pedaltothemetal

Looking for Advice to Secure MX Linux Installation

#1 Post by pedaltothemetal »

Hi folks,
I'm planning to install MX Linux on an i5 Acer laptop computer this weekend. And I'm looking for advice about how to make the newly installed MX Linux more secure. Besides setting up a firewall and separate accounts, are there other tips for installing MX Linux on my 6 year old Acer laptop?
I'm interested to hear suggestions about these topics:
-Should I install a sandbox program such as Firejail to run applications like web browsers in sandbox?
-Should I run memory-resident antivirus program? I heard Sophos has a good antivirus software for Linux. Or is on-demand Antivirus such as ClamAV good enough for Linux?
-Are there ways I can "lock down" the Linux system to avoid serious problems such as Rootkits, and vulnerabilities such as Meltdown and Spectre?
I'm a dissatisfied Windows 10 user and I'm planning to switch to a Linux distro such as MX Linux. I will be using the MX Linux system for word processing, web browsing, Netflix, and some software coding. Thanks!

User avatar
AK-47
Developer
Posts: 1052
Joined: Sun Mar 24, 2019 7:04 pm

Re: Looking for Advice to Secure MX Linux Installation

#2 Post by AK-47 »

Yes to Firejail. I use it on Firefox and Claws-Mail as well as a handful of other applications. It takes a bit of getting used to though, since it restricts the applications to portions of the file system.

Another thing to do is uninstall Adobe Flash (why it's included is beyond my understanding), and remove tumbler/tumblerd.

Also decide whether or not you are going to share files and printers with Windows machines, and if not, make sure you unselect the Samba option from the installer.

Install and run chkrootkit every now and then, and also checkout spectre-meltdown-checker. As far as antivirus programs for Linux are concerned, unfortunately they are scarce. There's ClamAV which is known for it's fantastic track record of picking up Windows viruses from 2005 (something I'm still getting to grips with after over 20 years of using Windows) and it's now all about other defensive strategies.

You mention you have an i5. If you have at least 8GB RAM then consider running Firefox in a Linux VM (antiX Linux is great for these kinds of containers).

User avatar
Jerry3904
Administrator
Posts: 21881
Joined: Wed Jul 19, 2006 6:13 am

Re: Looking for Advice to Secure MX Linux Installation

#3 Post by Jerry3904 »

...Adobe Flash (why it's included is beyond my understanding)
Check the Users Manual, Section 1.7, for our position on this.
Production: 5.10, MX-23 Xfce, AMD FX-4130 Quad-Core, GeForce GT 630/PCIe/SSE2, 16 GB, SSD 120 GB, Data 1TB
Personal: Lenovo X1 Carbon with MX-23 Fluxbox and Windows 10
Other: Raspberry Pi 5 with MX-23 Xfce Raspberry Pi Respin

User avatar
AK-47
Developer
Posts: 1052
Joined: Sun Mar 24, 2019 7:04 pm

Re: Looking for Advice to Secure MX Linux Installation

#4 Post by AK-47 »

Jerry3904 wrote: Fri May 17, 2019 6:37 amCheck the Users Manual, Section 1.7, for our position on this.
That explanation might have made sense before 2017 when a lot of site were still using it, but many of those sites have since moved to HTML5 and popular browsers like Firefox and Chrome disable Flash by default. Adobe is ending support for it next year anyway.

User avatar
JayM
Qualified MX Guide
Posts: 6793
Joined: Tue Jan 08, 2019 4:47 am

Re: Looking for Advice to Secure MX Linux Installation

#5 Post by JayM »

Especially on a laptop, I would recommend doing either an automated installation using the full disk with encryption enabled and a strong Diceware or similar passphrase with a lot of entropy, or a custom installation to separate boot, root, home and swap partitions with all but boot encrypted. The reason being, a laptop is small, portable and valuable so it will be more susceptible to theft, which I think is a greater real-world threat potential than hackers trying to break into it over the network. With an encrypted file system your data is safe from strangers even if they remove the disk and put it in a different machine, as long as your passphrase is such that a brute-force attack would take an average lifetime to succeed.
Please read the Forum Rules, How To Ask For Help, How to Break Your System and Don't Break Debian. Always include your full Quick System Info (QSI) with each and every new help request.

User avatar
Jerry3904
Administrator
Posts: 21881
Joined: Wed Jul 19, 2006 6:13 am

Re: Looking for Advice to Secure MX Linux Installation

#6 Post by Jerry3904 »

AK-47 wrote: Fri May 17, 2019 6:48 am
Jerry3904 wrote: Fri May 17, 2019 6:37 amCheck the Users Manual, Section 1.7, for our position on this.
That explanation might have made sense before 2017 when a lot of site were still using it, but many of those sites have since moved to HTML5 and popular browsers like Firefox and Chrome disable Flash by default. Adobe is ending support for it next year anyway.
Many users were running into problems with sites such as banking, gaming, etc.
Production: 5.10, MX-23 Xfce, AMD FX-4130 Quad-Core, GeForce GT 630/PCIe/SSE2, 16 GB, SSD 120 GB, Data 1TB
Personal: Lenovo X1 Carbon with MX-23 Fluxbox and Windows 10
Other: Raspberry Pi 5 with MX-23 Xfce Raspberry Pi Respin

User avatar
richb
Administrator
Posts: 10323
Joined: Wed Jul 12, 2006 2:17 pm

Re: Looking for Advice to Secure MX Linux Installation

#7 Post by richb »

Jerry3904 wrote: Fri May 17, 2019 7:08 am
AK-47 wrote: Fri May 17, 2019 6:48 am
Jerry3904 wrote: Fri May 17, 2019 6:37 amCheck the Users Manual, Section 1.7, for our position on this.
That explanation might have made sense before 2017 when a lot of site were still using it, but many of those sites have since moved to HTML5 and popular browsers like Firefox and Chrome disable Flash by default. Adobe is ending support for it next year anyway.
Many users were running into problems with sites such as banking, gaming, etc.
I do use a site that requires it. And they are not fun sites. One is my security camera system. Google Chrome is set to ask whether to use flash. So I do have control over where it is used.
Forum Rules
Guide - How to Ask for Help

richb Administrator
System: MX 23 KDE
AMD A8 7600 FM2+ CPU R7 Graphics, 16 GIG Mem. Three Samsung EVO SSD's 250 GB

User avatar
Head_on_a_Stick
Posts: 919
Joined: Sun Mar 17, 2019 3:37 pm

Re: Looking for Advice to Secure MX Linux Installation

#8 Post by Head_on_a_Stick »

pedaltothemetal wrote: Fri May 17, 2019 4:04 am -Should I install a sandbox program such as Firejail to run applications like web browsers in sandbox?
Yes, probably a good idea.

Note that the protection provided isn't fantastic though, consider disabling javascipt whenever possible if you are concerned about security.

Interesting article: https://www.lesswrong.com/posts/AwAA4y6 ... g-noscript
pedaltothemetal wrote: Fri May 17, 2019 4:04 am -Should I run memory-resident antivirus program? I heard Sophos has a good antivirus software for Linux. Or is on-demand Antivirus such as ClamAV good enough for Linux?
Although malware exists in GNU/Linux[1], the viruses which are encountered under Windows do not affect it.

The anti-virus solutions available under GNU/Linux are for preventing your box spreading the viruses to Windows machines.
pedaltothemetal wrote: Fri May 17, 2019 4:04 am -Are there ways I can "lock down" the Linux system to avoid serious problems such as Rootkits, and vulnerabilities such as Meltdown and Spectre?
Your system should already be protected against Meltdown & Spectre as long as you keep it updated.

There are rootkit checkers for GNU/Linux, for example https://packages.debian.org/stretch/chkrootkit

And you can use intrusion detection software such as https://packages.debian.org/stretch/tripwire

Debian have a hardening guide, it's a bit old now but mostly still applicable:

https://www.debian.org/doc/manuals/secu ... ian-howto/

Apparmor is now enabled by default in Debian buster and this should also be true for the next release of MX Linux.

https://wiki.debian.org/AppArmor
mod note: Signature removed, please read the forum rules

User avatar
Jerry3904
Administrator
Posts: 21881
Joined: Wed Jul 19, 2006 6:13 am

Re: Looking for Advice to Secure MX Linux Installation

#9 Post by Jerry3904 »

richb wrote: Fri May 17, 2019 7:19 am
Jerry3904 wrote: Fri May 17, 2019 7:08 am
AK-47 wrote: Fri May 17, 2019 6:48 am
That explanation might have made sense before 2017 when a lot of site were still using it, but many of those sites have since moved to HTML5 and popular browsers like Firefox and Chrome disable Flash by default. Adobe is ending support for it next year anyway.
Many users were running into problems with sites such as banking, gaming, etc.
I do use a site that requires it. And they are not fun sites. One is my security camera system. Google Chrome is set to ask whether to use flash. So I do have control over where it is used.
Yeah, that's the thing now: browsers block and ask (at least most of them) by default.
Production: 5.10, MX-23 Xfce, AMD FX-4130 Quad-Core, GeForce GT 630/PCIe/SSE2, 16 GB, SSD 120 GB, Data 1TB
Personal: Lenovo X1 Carbon with MX-23 Fluxbox and Windows 10
Other: Raspberry Pi 5 with MX-23 Xfce Raspberry Pi Respin

User avatar
Stevo
Developer
Posts: 12776
Joined: Fri Dec 15, 2006 8:07 pm

Re: Looking for Advice to Secure MX Linux Installation

#10 Post by Stevo »

We also have a newer chkroot in the test repos, though I will try to update it to 0.53: https://repology.org/project/chkrootkit/versions

You should update your kernel if any spectre-meltdown-checker results come back in red. We just updated it and some of the kernels. Debian just pushed an emergency intel-microcode update that we also get to help mitigate the new possible exploits.

If you have a router, it's already better than any software firewall, but we do ship with ufw and I think also a GUI for it, gufw. (Firewall Configuration in the menu)

Post Reply

Return to “Software / Configuration”