How secure is Linux? Patching, static/dynamic analysis, etc...
"Black hats and zero day vulnerabilities" are usually a fairly theoretical threat. Attackers are opportunists. They use scripts to detect potentially vulnerable systems that might be of interest to them, and then to attack those systems relentlessly. "If you let them!"
There are a few easily-done practices which can make the security of your system dramatically better:
"The Principle of Least Privilege."
Using certificate-based OpenVPN and "tls-auth" to build "an outer moat with a hidden drawbridge" which must be successfully crossed to gain access to anything else.
(Other VPN technologies are equally secure, if properly deployed using digital certificates, but to my knowledge don't offer "tls-auth" concealment.)
Yes, it takes a little more time. But, once you successfully set it all up, it's "easy as pie." And the number of "unauthorized access attempts" very simply drops to zero.
("Crypto" is intended to be "hard to set up." Until you get the hang of it. The nature of the thing is that it offers no clues.)
Last edited by sundialsvcs; 03-10-2023 at 08:33 AM.
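What the "outer moat with a hidden drawbridge" looks like in practice, as an added example that is not from the post above: a minimal OpenVPN server and client configuration using certificates plus tls-auth. File names, the server address vpn.example.net and the 10.8.0.0/24 tunnel range are assumptions for the example.

```conf
# ---- server.conf (assumed file names: ca.crt, server.crt, server.key, dh.pem, ta.key)
port 1194
proto udp
dev tun

ca   ca.crt
cert server.crt
key  server.key
dh   dh.pem

# Only peers presenting a certificate signed by our own CA get a tunnel,
# and that certificate must be a client certificate (blocks reuse of a
# server cert as a client cert).
verify-client-cert require
remote-cert-tls client

# The "hidden drawbridge": every control-channel packet must carry an HMAC
# made with the pre-shared ta.key (generated with "openvpn --genkey secret ta.key").
# Packets without a valid HMAC are dropped without any reply, so a port scan
# sees nothing and the TLS handshake is never started for an unknown peer.
tls-auth ta.key 0

tls-version-min 1.2
cipher AES-256-GCM
server 10.8.0.0 255.255.255.0
keepalive 10 120
persist-key
persist-tun
user nobody
group nogroup

# ---- client.ovpn (the client side of the same drawbridge)
# client
# remote vpn.example.net 1194 udp
# dev tun
# ca ca.crt
# cert client.crt
# key client.key
# remote-cert-tls server
# tls-auth ta.key 1
```

The key direction (0 on the server, 1 on the client) must differ on the two ends, and the same ta.key has to be copied to every client out of band. Newer OpenVPN releases also offer tls-crypt, which keeps the same "no reply without the shared key" property and additionally encrypts the control channel.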
How do I protect myself from black hats who have access to an undisclosed vulnerabilities and thus associated exploits and use them?
Aren't people worried about this?
Unless you run a business and have an enemy attempting to gain access either with the skills or the money to buy the skills, that is not your problem. IF that IS your problem you need some extreme measures and counter intelligence tools, but that is rarely the case.
The more general problems, and what most of us worry about, are the black hats that are looking for targets. They have not picked you out, they are scanning the entire external network for vulnerabilities they can aim scripts and engines at to either discover targets worth the risk or targets in bulk. If your external does not allow their traffic or allows the traffic but appears to have no vulnerabilities then they will seek elsewhere. Some of these are true black hats in it for the big money, others are just script kiddies using black hat tools. Generally if you look like a rough target they will look for easier pickings.
Naturally normal maintenance should include backups, patching and updating as the distribution makes updates available to avoid carrying vulnerabilities forward that have been resolved in the product.
One thing you can do is run services on non-standard ports. These can be detected by a smart network guy, but they are most likely to look for the easy targets and expected services on expected ports and unlikely to look for unexpected behavior using automated scripts.
I am a professional, and use this technique along with a honeypot. A honeypot is a server set up with what looks like all the standard services with unpatched vulnerabilities on the default ports that is monitored: Everything that connects to those services EVEN JUST FOR DETECTION is then blocked at the edge device. This slams the door on their scripts at stage one and they never get another stage. This only needs some fine tuning because your ISP may do some stupid scanning like that, and you may have to block that specifically without totally blocking the IP address. I use Xfinity (they have a zone monopoly here), and they are just that stupid.
The more likely issues you need to worry about are the one that attack the weakest link in your security: you! If they can get you to open a threat site and load you up with malware by way of your browser, email client, or other vulnerable application they can own your machine. This is where running from read-only media (CD or DVD drive, etc) that can be reloaded or replaced painlessly with a simple boot, or running from a transient virtual machine, helps bulletproof you a bit. You cannot avoid making mistakes, but if you can isolate the pain to something you can clean with a reboot or reload in a few minutes then the intruder (or their scripts) gain no useful access and you may never even notice.
Some of this may seem pretty extreme. How much protection you lay down should be determined by the value of what you are protecting and the degree of risk you can handle. I am no longer as great a target these days, so I just block idiot traffic, use non-standard ports, and take some care online. I no longer run the honeypot operation because my threat level has decreased and I have no client data on my machines. I run pretty standard and non-intrusive AV, rootkit detection, and depend upon my backups for anything I may need to recover. I really enjoy loading up new distributions, so reinstalling to a clean new system is normal and would not be any hardship if required. Only you can evaluate the value of your data, your risk level, and the amount of protection that makes sense.
I advise getting the easy stuff first: do not expose standard ports to the wild, run a firewall at the edge device if you can, and again on any critical servers in your network AND MANAGE THE RULES (only allow the traffic you need and NOTHING else), and run AV (at least ClamAV). That does not take a lot, and makes you not look like a target. After that add only what you figure you need, what will stay on top of the known threats. Being able to ENJOY your life and work matters a LOT, and there is no need to protect yourself from the dragon that is not there.
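The decoy-port idea from the post above (services moved to non-standard ports, anything touching the default ports gets blocked at the edge, except the ISP's own probes, which only lose the probed port) as an added example that is not the poster's code. The log format, the decoy port list, the ISP range 198.51.100.0/24 and the nftables table/set names are all assumptions constructed for the example.

```python
"""Turn decoy-port hits into edge blocklist entries.

Constructed example: a decoy listener logs every connection to ports where
no real service lives any more. Anything that touches them is an automated
scanner and is dropped at the edge; the ISP's monitoring range is handled
per port instead of being banned outright.
"""
import ipaddress
import re
from collections import defaultdict

# Decoy ports: the "expected services on expected ports". The real services
# live elsewhere (e.g. sshd moved to 2222), so only scanners hit these.
DECOY_PORTS = {21, 22, 23, 445, 3389}

# Hypothetical ISP monitoring range: its probes must not get the whole
# address banned, only the probed port is dropped for it.
ISP_PROBE_NETS = [ipaddress.ip_network("198.51.100.0/24")]

# Constructed honeypot log lines in a simple key=value format.
SAMPLE_LOG = """\
2023-03-10T08:33:01Z src=203.0.113.5 dport=23 proto=tcp
2023-03-10T08:33:02Z src=203.0.113.5 dport=445 proto=tcp
2023-03-10T08:35:10Z src=198.51.100.7 dport=22 proto=tcp
2023-03-10T08:36:44Z src=192.0.2.77 dport=3389 proto=tcp
2023-03-10T08:37:00Z src=192.0.2.88 dport=2222 proto=tcp
malformed line that should be ignored
"""

LINE_RE = re.compile(r"src=(?P<src>\S+)\s+dport=(?P<dport>\d+)")


def parse_line(line):
    """Return (source address, destination port) or None for unparseable lines."""
    m = LINE_RE.search(line)
    if not m:
        return None
    try:
        return ipaddress.ip_address(m.group("src")), int(m.group("dport"))
    except ValueError:
        return None


def is_isp_probe(ip):
    return any(ip in net for net in ISP_PROBE_NETS)


def build_blocklist(log_text, decoy_ports=DECOY_PORTS):
    """Classify decoy hits.

    Returns (banned, port_drops): banned is the set of addresses to drop
    entirely; port_drops maps ISP probe addresses to the decoy ports they
    touched, so only those address/port pairs are dropped.
    """
    banned = set()
    port_drops = defaultdict(set)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, dport = parsed
        if dport not in decoy_ports:
            continue  # traffic to a real (non-standard) port is not a decoy hit
        if is_isp_probe(ip):
            port_drops[ip].add(dport)
        else:
            banned.add(ip)
    return banned, dict(port_drops)


def render_nft(banned, port_drops, table="inet filter"):
    """Render nft commands for an assumed 'banned' set and an 'input' chain (IPv4 rules only)."""
    cmds = []
    if banned:
        elems = ", ".join(sorted(str(ip) for ip in banned))
        cmds.append(f"nft add element {table} banned {{ {elems} }}")
    for ip, ports in sorted(port_drops.items(), key=lambda kv: str(kv[0])):
        for port in sorted(ports):
            cmds.append(f"nft add rule {table} input ip saddr {ip} tcp dport {port} drop")
    return cmds


if __name__ == "__main__":
    banned, port_drops = build_blocklist(SAMPLE_LOG)
    print("\n".join(render_nft(banned, port_drops)))
```

The script only emits the commands; feeding them to nft (and having the `banned` set referenced by a drop rule in the input chain) is left to whatever runs at your edge device. Because a single packet to a decoy port is enough to be banned, keep the decoy list to ports you are certain nobody legitimate will ever use.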
I've run 'Puppy' for almost a decade. I've never yet had a single piece of malware find its way onto my system.
People take the view that 'Puppy' is the most vulnerable distro they've ever seen, because we run as root ALL THE TIME. But this isn't a multi-user distro like most; it was designed, from the word go, to be a single-user, 'hobbyist' distro......that loads into, and runs totally from RAM.
IgnorantGuru's article, despite now being some years old, is still as true as it ever was...
-------------------------------
Puppy's secret weapon has always been the 'save-file', or 'save-folder'. The user can choose how to set this up; either saving back at regular intervals, or writing direct to the disk as changes occur.....or, if you so desire, you can set it up to only save if, as & when you, the user, decide you WANT to save.
When run in the latter mode it's as if you're running a permanent 'Live' session. If you choose to never save, then at the end of every session, that session simply disappears into the black hole of cyberspace.....along with any 'nasties' you may have garnered during that session.
Puppy users can customize their 'base' Puppy with any utilities/apps they use on a regular basis, via use of the re-mastering tools that come built-in to every Puppy OOTB. This gives you the ability to have your normal environment in the base, 'read-only' Puppy SFS file.....and thus every session is like every other, and 'squeaky-clean' into the bargain.
These days, we use a range of 'portable' applications which I and a few others pioneered a few years ago. This gets around the need to keep, say, a browser up-to-date.....which as part of the read-only base file would be impossible.
------------------------------
Of course, patching known system vulnerabilities goes without saying. The base Puppy SFS can be re-mastered to include new stuff in a matter of moments.
According to ShieldsUp! - as mentioned above - Puppy doesn't, in fact, exist....
Mike.
Last edited by Mike_Walsh; 03-11-2023 at 07:18 AM.
I'm not the most knowledgeable when it comes to software exploitation. But, I still feel as though I am at risk, that my system is at risk.
If a malicious code is executed on my system, and that program gains root access/permission, then my firewall can be bypassed, correct? Correct me if I'm wrong...
So, how can I protect myself from that one lingering 0-day that is out there undisclosed?
Am I right or wrong on this matter?
No, there is no way to protect you against everything. But there is a way to deal with all the well-known and documented cases, so you can definitely reduce the chances of such risks.
Just so I am clear, you are saying I'm correct then?
Correct about what? There can be no dynamic analysis tools which will catch much, that's not how bug discovery works.
You can add many layers to your approach and expect that at least one layer will delay a potential intruder long enough that you can get patched. As has been mentioned, most of the time the attacks are automated and not directed against you and your computer personally. There you don't have to outrun the bear, just the other guy. In those cases, the attackers are looking for specific, easy problems to exploit.
What do the AppArmor profiles for your web browsers look like?
Well, I hate to speculate instead of knowing for sure how secure my system is. I totally understand what you are saying though.
I guess I am just trying to protect myself from the "bad guy" who knows of an undisclosed vulnerability and exploits it.
I guess my only option is to stay updated and patched as soon as they are available.
Could you tell me if I am correct in regards to the post I wrote earlier...
If a malicious code is executed on my system, and that program gains root access/permission, then my firewall can be bypassed, correct? Correct me if I'm wrong...
So, how can I protect myself from that one lingering 0-day that is out there undisclosed?
1) Any software run as root will by definition have full access to your entire system. If that bothers you look at Plan9 or something based on Plan9 rather than something based on Linux. However, if you stay on Linux or even on GNU/Linux then you will have to add layers between root and the outside.
2) Firewalls "protect" from incoming (and outgoing) connections only. Thus a firewall basically does nothing because (if you are talking about a desktop system) the weak point is the browser which will not work if it cannot reach out and get web pages. You can block everything except ICMP, DNS, HTTPS, and HTTP and your browser will still be able to fetch javascript malware and execute it on your system. So an extremely serious problem is the proliferation of javascript "web apps" being spread via HTTPS and HTTP.
The "protect myself from that one lingering 0-day that is out there undisclosed" has already been answered many times over: the method is called defense in depth aka layered security.
3) So therefore, on the topic of layered security, I ask one more time about the file system layer: what have you done with AppArmor to ensure that your browser cannot access non-essential parts of the file system?
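One possible answer to the AppArmor question above, as an added example that is not from the post or from any distribution's shipped profile: a profile that lets a browser reach the network and its own profile and download directories while keeping it out of everything else in the home directory. The binary path /usr/lib/firefox/firefox and the directory layout are assumptions; adjust them to your install.

```text
# /etc/apparmor.d/usr.lib.firefox.firefox  (assumed path and binary location)
#include <tunables/global>

/usr/lib/firefox/firefox flags=(complain) {
  #include <abstractions/base>
  #include <abstractions/fonts>
  #include <abstractions/nameservice>
  #include <abstractions/X>
  #include <abstractions/audio>

  # The browser needs the network; the firewall cannot take that away.
  network inet stream,
  network inet6 stream,
  network inet dgram,
  network inet6 dgram,

  # Its own code and system-wide configuration, read-only.
  /usr/lib/firefox/** mr,
  /usr/lib/firefox/firefox ix,
  /etc/firefox/** r,

  # The only places in $HOME it may write: its profile, its cache, Downloads.
  owner @{HOME}/.mozilla/** rwk,
  owner @{HOME}/.cache/mozilla/** rwk,
  owner @{HOME}/Downloads/ r,
  owner @{HOME}/Downloads/** rw,

  # Everything not listed is already denied; these explicit denies make the
  # intent visible and, with "audit", log any attempt to read key material.
  audit deny @{HOME}/.ssh/** rwklm,
  audit deny @{HOME}/.gnupg/** rwklm,
  audit deny @{HOME}/.bash_history rw,
  audit deny /etc/shadow r,
}
```

Load it with `apparmor_parser -r` on the file, run the browser in complain mode for a while and read the DENIED lines in the audit log to find anything legitimate you missed, then switch `flags=(complain)` to enforce. Run that way, a script that manages to execute code inside the browser process is confined to the paths above rather than to the whole of the user's home directory.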
If a malicious code is executed on my system, and that program gains root access/permission, then my firewall can be bypassed, correct? Correct me if I'm wrong...
Theoretically, with root privileges everything can be done, for example the firewall can be bypassed. The questions are:
1. do you allow any malicious code to enter
2. whether you allow them to be executed
3. do you let them get root rights
Ok thank you for the clarification! So, as you said, my biggest threat is my browser. That makes sense, right? I mean it's the only piece of software that connects to the outside. So, the browser is the attack vector, correct? If I block all ports incoming/outgoing, and leave the ones needed for my browser to function, then making sure my browser is secure is vital to protecting myself from that potential 0day that utilizes javascript, correct?
I should ask, is there a better browser program I can use or is disabling JavaScript on mainstream browsers like Firefox good enough? I have heard of text browsers...
Also, any tutorials on securing my browser, or any other advice regarding any other weaknesses that the browser may have would be greatly appreciated!
If you just want a browser without javascript, you could try the graphical version of links. It's lightweight and very fast. But a lot of sites won't work without javascript.
One of the things uBlock Origin does is allow toggling JS on a per website/domain basis - so you can have it off then selectively turn it on only when you trust a site.
There's also Decentraleyes or LocalCDN - they're more privacy/performance focused, but there's also a degree of security in having a single local copy versus downloading scripts multiple times.
For increased paranoia/control there's also Arkenfox user.js which tweaks/presents a lot of options and explains what they do, so you can make a more educated choice on whether you want that functionality or not.
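The per-site JavaScript toggle from the post above, written out as uBlock Origin dynamic-filtering rules (the "My rules" pane) as an added example that is not part of the post; the hostnames are placeholders.

```text
# Default-deny: JavaScript is off everywhere until you turn it on for a site.
no-scripting: * true

# Sites you have decided to trust get scripting back (placeholder names).
no-scripting: bank.example false
no-scripting: mail.example false

# Even on trusted sites, block scripts and frames loaded from third-party
# domains by default; uBO's dynamic filtering lets you allow them per site.
* * 3p-script block
* * 3p-frame block
```

The first rule is the same switch as the "no scripting" toggle in the popup, so a site can be allowed with one click and the rule is added here automatically; the two `3p-*` rules are "medium mode" in uBO's terminology, which is where most of the protection against a malicious script injected through a third-party CDN or ad network comes from.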