A complete yet beginner friendly guide on how to secure Linux


News category: Linux Tips
Source: reddit.com

Securing linux:
- I’ve separated categories by “_”
- I’d recommend using sudo -s at the beginning to avoid having to constantly enter your password

Note: For arch based distros I mention pamac as opposed to pacman, as it’s easier to use, and all arch based distros, e.g. Garuda, Manjaro, etc., have pamac. Since some of these packages are AURs, you need to go to the pamac gui app, settings, and enable the AUR repo.

__________________________________________________________________________________________

UsbGuard: Protect yourself from physical usb attacks and executing malware/backdoors, this can work by making usb’s read only, unless you explicitly whitelist it.

Ubuntu based: sudo apt install usbguard

Arch based: sudo pamac install usbguard

To allow a usb device permanently simply run:

usbguard list-devices

usbguard allow-device EnterTheIdHere -p

_____________________________________________________________________________________________

SSH: Essentially, remote access to your device’s terminal.

If this is enabled and you don’t use it, it’s best to disable it.

ubuntu based: sudo systemctl disable ssh.service

Arch based (manjaro, Garuda, etc): sudo systemctl disable sshd

_____________________________________________________________________________________________

If you do use it:

Changing the ssh port:

There’s a few ways to secure ssh, the most obvious being to change the port. A lot argue that this is pointless, but it’ll at least deter less advanced attackers.

The default port is 22 for everyone.

sudo nano /etc/ssh/sshd_config

Change “Port 22” to any unused port. If ur unsure which port hasn’t been used, try 22000.

_____________________________________________________________________________________________

Fail2ban - deters brute force attacks

Ubuntu/debian based: sudo apt install fail2ban

Arch based: sudo pamac install fail2ban

Configuring fail2ban:

cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local

sudo nano /etc/fail2ban/jail.local

“Ban time” = how long attackers are banned, “find time” = if an attacker enters a password incorrectly, how long you have to wait before the incorrect password counter resets, “maxretry” = the max amount of incorrect passwords before the ban, “ignore ip” = you may want to whitelist your own ip. Make sure to change fail2ban’s port to the one you chose in the previous step: “port = yourporthere”

_____________________________________________________________________________________________

Ssh keys (advanced) * see the bottom of this post

_____________________________________________________________________________________________

Network firewall: Only allow internet access to applications which need it.

This can mitigate spyware/trojans, which are rare on linux anyways, and stopping apps from collecting unnecessary info.

Opensnitch does a decent job at this, has a gui which prompts you once when an app wants to use the internet. Although installing this is a bit of a pain since it’s not on any repos, so you’ll have to manually install it.

Ubuntu based:

  1. Getting the dependencies
  2. sudo apt-get install protobuf-compiler libpcap-dev libnetfilter-queue-dev python3-pip
  3. go get github.com/golang/protobuf/protoc-gen-go
  4. go get -u github.com/golang/dep/cmd/dep
  5. python3 -m pip install --user grpcio-tools
  6. Getting opensnitch and building it
  7. go get github.com/evilsocket/opensnitch
  8. cd $GOPATH/src/github.com/evilsocket/opensnitch
  9. If command 8 didn’t work, just cd into the downloaded opensnitch folder
  10. make
  11. sudo make install
  12. Enabling the service
  13. sudo systemctl enable opensnitchd
  14. sudo service opensnitchd start
  15. opensnitch-ui

Arch based: Someone made an aur, which saves you so much time:

  1. pamac install opensnitch-git
  2. sudo systemctl start opensnitchd

_____________________________________________________________________________________________

Malware/rootkit scanner: I wouldn’t really say this is necessary, but if you think you have malware then you can run a scan:

Ubuntu based: sudo apt-get install clamav clamav-daemon

Arch based: sudo pamac install clamav

_____________________________________________________________________________________________

File permissions: You may want to get familiar with chmod and chown to change file permissions. E.g., if you store important files somewhere you may want to make it require root access in order to read/write, in which case you’d run:

sudo chown root:root /path/to/application

sudo chmod 700 /path/to/application

_____________________________________________________________________________________________

Sandboxing

I’d suggest learning firejail, or bubblewrap (more advanced), to sandbox and isolate apps.

However, if that sounds too complicated, then downloading apps as flatpaks is a great way to have some security. Whilst not a silver bullet, it’s extremely easy to use and permissions can be managed through its gui app, flatseal, or just the cli.

_____________________________________________________________________________________________

Other, more general tips below:

_____________________________________________________________________________________________

DNS: not really linux related, but I’d recommend doing this.

By default, ur using plain text dns, it’s vulnerable to mitm attacks, your isp can log all traffic, etc. By doing this, you’d also have the ability to block ads/trackers/malware/and malicious ip’s reported for ssh attacks.

You’ll be selfhosting adguard home (only takes 1 command), and can even use this on other devices, but if you don’t want to leave your computer on 24/7, then you can use it solely on your own device.

curl -s -S -L https://raw.githubusercontent.com/AdguardTeam/AdGuardHome/master/scripts/install.sh | sh -s -- -v

That’s it, then go to http://localhost:3000 to access its web gui. (It might not be port 3000, as I did this ages ago, but it says in the terminal. Change the ports to anything else within the web gui if planning on selfhosting the apps below.)

It’s best to set up https for its web interface, but feel free to skip this step:

openssl req -newkey rsa:4096 -x509 -sha256 -days 365 -nodes -out adguard1234g.crt -keyout adguard1234g.key

Go to settings > encryption settings > enable https, force https, and quite simply copy and paste adguard1234g.crt into the certificate field, and adguard1234g.key into the key field. That’s it. You can access it through https not http now. https://localhost

_____________________________________________________________________________________________

Adguard Home recommended settings

Configuring adguard home should be common sense since it has an easy to use gui. But here’s my recommendations:

Settings > dns > in the first box enter any dns provider. I’d recommend using quad9 as its recent move to switzerland, and change in privacy policy, makes it the best dns provider in terms of privacy imo. It’s also one of the fastest.

Quad9’s Dnscrypt: 2.dnscrypt-cert.quad9.net

Quad9’s dns over tls: tls://dns.quad9.net

Filters > Blocklist

I’d recommend using oisd.nl’s blocklist for ad/tracker/malware/crypto/etc blocking without false positives, or if you’re brave use energised unified/ultimate but be willing to whitelist a lot of stuff.

Why not pihole? Because by default it doesn’t support dns over tls, nor dnscrypt, nor https for its web interface, etc.

Don’t use dns-over-https as it’s useless in terms of privacy. Why? The SNI and OCSP fields aren’t encrypted, which allows seeing the ip address of all queries.

_____________________________________________________________________________________________

Secure cloud storage:

Use cryptomator to auto encrypt files when uploading files to cloud. Use veracrypt for a more secure, but manual option, or just GnuPG which is included by default in most distros, however gnupg doesn’t support folder encryption.

Or selfhost nextcloud on a device which is on 24/7 for your own cloud storage. It’s incredibly easy to set up (with https), and requires 2 commands.

sudo snap install nextcloud

sudo nextcloud.enable-https self-signed

https://localhost

_____________________________________________________________________________________________

Password manager:

Use bitwarden for a free hosted option, keepassxc for an offline/local option, or vaultwarden for a selfhosted option.

_____________________________________________________________________________________________

*ssh keys are a great way to secure ssh logins, as it’ll be unique to you and can even be combined with a passphrase. Bear in mind, this causes issues with a lot of ssh clients: filezilla (sftp file transfer)’s ssh key implementation isn’t compatible with openssl, and most mobile clients lack this feature.

ssh-keygen

ssh-copy-id username@remote_host - change to ssh key for login.

If ssh-copy-id doesn’t work, you’ll need to manually copy the key to your authorised keys.

Now, the server has your public key, and you ssh via your private key.

_____________________________________________________________________________________________

Lastly, use lynis for system audit, and overview of security risks

cd

git clone https://github.com/CISOfy/lynis

cd lynis

./lynis audit system

_____________________________________________________________________________________________

if anyone else has any other advice that I’ve missed, share it in the comments and I’ll edit this post with ur username

submitted by /u/SombreSerenity
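
The fail2ban section above says to set fail2ban’s port to the one chosen for sshd. This is an added example, not part of the original post, that checks the two settings against each other. The function names and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): confirm that fail2ban's [sshd]
# jail watches the port sshd actually listens on after the Port change.

# Print each port set in an sshd_config file (Port may repeat; default is 22).
sshd_ports() {
    awk 'tolower($1) == "port" { print $2; found = 1 }
         END { if (!found) print 22 }' "$1"
}

# Print the "port" value from the [sshd] section of a jail file.
jail_port() {
    awk -F'[ \t]*=[ \t]*' '
        /^\[/ { in_sshd = ($0 == "[sshd]") }
        in_sshd && $1 == "port" { print $2; exit }' "$1"
}

# Return 0 only if every sshd port is in the jail's comma-separated port list.
ports_match() {
    jp=$(jail_port "$2")
    if [ "$jp" = "ssh" ]; then jp=22; fi   # stock jail.conf uses the service name
    for p in $(sshd_ports "$1"); do
        case ",$jp," in
            *",$p,"*) ;;
            *) echo "MISMATCH: sshd listens on $p, fail2ban [sshd] port is '$jp'"
               return 1 ;;
        esac
    done
    echo "OK: fail2ban [sshd] covers the sshd port(s)"
}

# Constructed sample files; on a real system pass /etc/ssh/sshd_config and
# /etc/fail2ban/jail.local instead.
demo() {
    d=$(mktemp -d)
    printf '#Port 22\nPort 22000\n' > "$d/sshd_config"
    printf '[DEFAULT]\nbantime = 3600\nfindtime = 600\nmaxretry = 5\n' > "$d/jail.stale"
    printf '\n[sshd]\nenabled = true\nport = ssh\n' >> "$d/jail.stale"
    sed 's/^port = ssh$/port = 22000/' "$d/jail.stale" > "$d/jail.fixed"
    ports_match "$d/sshd_config" "$d/jail.stale" || true   # port left at default
    ports_match "$d/sshd_config" "$d/jail.fixed"
    rm -rf "$d"
}
demo
```

A mismatch means failed logins on the new port are never counted toward a ban, so the jail gives no protection.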
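
The ssh keys note above says to copy the key to your authorised keys by hand when ssh-copy-id doesn’t work. This is an added example, not part of the original post, of one way to do that on the server with the permissions sshd expects. The function name and the key line are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): manual equivalent of ssh-copy-id,
# run on the server as the user who will log in.

# install_pubkey PUBKEY_FILE [HOME_DIR]
# Appends the key to HOME_DIR/.ssh/authorized_keys once, with the permissions
# sshd's StrictModes check expects (directory 700, file 600).
install_pubkey() {
    pub=$1
    home=${2:-$HOME}
    auth="$home/.ssh/authorized_keys"

    # Refuse anything that is not a single public-key line (e.g. a private key).
    [ "$(grep -c '' "$pub")" -eq 1 ] || { echo "expected one key line" >&2; return 2; }
    case "$(cut -d' ' -f1 "$pub")" in
        ssh-ed25519|ssh-rsa|ecdsa-sha2-*|sk-*) ;;
        *) echo "not an OpenSSH public key" >&2; return 2 ;;
    esac

    mkdir -p "$home/.ssh" && chmod 700 "$home/.ssh"
    touch "$auth" && chmod 600 "$auth"

    # Skip the append when the exact line is already present.
    if grep -qxF -- "$(cat "$pub")" "$auth"; then
        echo "key already installed"
    else
        cat "$pub" >> "$auth"
        echo "key added"
    fi
}

# Constructed key line and throwaway home directory, so the demo runs offline.
demo() {
    d=$(mktemp -d)
    printf 'ssh-ed25519 AAAAconstructedExampleKeyOnly user@laptop\n' > "$d/id.pub"
    install_pubkey "$d/id.pub" "$d/home"
    install_pubkey "$d/id.pub" "$d/home"   # second run does not duplicate the key
    rm -rf "$d"
}
demo
```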