Information Security 1 : Intrusion Protection

ConorCork
  9 years ago
  5


Tutorial Goal : Tips and techniques to help 'protect' your system using tools like Shields UP!!, NMAP (open ports) and the GUFW firewall, plus securer password, login and BIOS settings.

System : Linux Mint 17.1 Rebecca x86 / 64 bit, Cinnamon 2.4, Kernel 3.13.0-24.

Call Out : DuckDuckGo (DDG) search words are given to point you to a web site with detail on each specific tool, so you can first evaluate its applicability for your needs and system set up.

1(A) SHIELDS UP!! Test

DDG Search : “GRC Shields UP!!”

This tool provides a 'Common Ports' check option, an 'All Ports' check option and a UPnP Exposure test for your system, along with an IP and DNS profiling analysis.

1(B) NMAP : View open ports on your computer

DDG Search : “ Nmap”

Open Terminal ( LM Menu - “Terminal” → Navigate to Terminal). From the Terminal enter command:

$ sudo apt-get install nmap

Enter your administration password at the sudo password prompt, then run:

$ sudo nmap -sS -O localhost (note this is a capital letter O, not a zero)

The output of this command will show in the terminal a list of open ports. You may only see netbios-ssn, ipp and a few others by default. Over time, as you install packages, you may see extra ports opened or listened on. If so, consider removing the package(s) using that port if you are not using that package.
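Reading the nmap port table by eye works for a handful of ports, but a script makes the "is anything new listening?" check repeatable. The following is an added example, not part of the tutorial: it parses the port table nmap prints and flags any open port that is not on an allowlist you maintain. The nmap output embedded below is a constructed sample standing in for a real scan of localhost.

```shell
#!/bin/sh
# Added example (not from the tutorial): parse the port table that
# "sudo nmap -sS -O localhost" prints and flag open ports outside an allowlist.

# Constructed sample of nmap output, standing in for a real scan.
SAMPLE_NMAP_OUTPUT='Starting Nmap 6.40 ( http://nmap.org ) at 2014-12-01 10:00 GMT
Nmap scan report for localhost (127.0.0.1)
Host is up (0.000050s latency).
Not shown: 997 closed ports
PORT    STATE SERVICE
22/tcp  open  ssh
139/tcp open  netbios-ssn
631/tcp open  ipp
Device type: general purpose
Running: Linux 3.X
'

# Print "port/proto service" for every line nmap reports as open
# (including UDP "open|filtered"). Reads nmap output on stdin.
open_ports() {
    awk '$1 ~ /^[0-9]+\/(tcp|udp)$/ && $2 ~ /^open/ { print $1, $3 }'
}

# Print the open ports that are not in the space-separated allowlist given
# as $1, e.g. "631/tcp 139/tcp". Reads nmap output on stdin.
unexpected_ports() {
    allow=" $1 "
    open_ports | while read -r port service; do
        case "$allow" in
            *" $port "*) ;;                 # expected, skip it
            *) echo "$port $service" ;;     # not on the allowlist: report it
        esac
    done
}

# Runs the check on the constructed sample, allowing only ipp and netbios-ssn.
unexpected_in_sample() {
    printf '%s' "$SAMPLE_NMAP_OUTPUT" | unexpected_ports "631/tcp 139/tcp"
}

# Live usage:  sudo nmap -sS -O localhost | unexpected_ports "631/tcp 139/tcp"
unexpected_in_sample
```

Keep the allowlist in step with the packages you intentionally run; anything the script prints is a port to either explain or close by removing the package, as the tutorial describes.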

LM 17 Menu → "Software Manager" → Navigate to Software Manager. Enter the admin password.

In the top right-hand search bar, enter the package name, left-click on the package and then click on "Remove" to un-install the package you are no longer using.

Port 22 is the standard port for SSH connections over TCP. If you do not use this port to connect to other machines, then you can block it using the iptables Graphical User Firewall (GUFW) tool.

1(C) GUFW : Graphical User Firewall interface

DDG search : “Gufw Firewall”

LM 17 comes pre-installed with the iptables firewall. It is not enabled by default. GUFW is a user interface to simply configure some basic settings. From the Terminal, type in lower case letters:

$ sudo apt-get install gufw

To open it, go to LM17 Menu → "Firewall Configuration". Enter your root password.

The default GUFW configuration has three profiles, 'Home', 'Office' and 'Public'. The settings for each are:

"Status=On", "Incoming=Deny" and "Outgoing=Deny".

To enable the firewall, activate the "Status on" option for each of the three profiles.

How to set an individual firewall rule.

LM17 Menu → "Firewall" → Select "Firewall Configuration" to open GUFW.

Main Screen: under Rules, select the "+" plus sign to add a rule.

A sub menu "Add a Firewall Rule" appears with three tabs ('Preconfigured', 'Simple' and 'Advanced').

To block FTP access:

Select Preconfigured, and under this "Preconfigured" tab use the drop-down settings as follows:

“Policy” = drop down select “Deny”

“Category” = drop down select “All”

“Direction” drop down select “In”

“Sub Category” = select “File Transfer”

“Application” = “FTP”

Then click on the "Add" button on the bottom right-hand side of the "Add a Firewall Rule" sub-menu.

You can then check on the Main Screen whether the rule is also applied for the "Office" and "Public" profiles.

To block a port:

To deny TCP port 22, from within the "Add a Firewall Rule" sub menu, select the "Simple" tab:

Name: eg “My port 22”

Policy: Deny

Direction: In

Protocol : Both

Port : 22

Then click on the "Add" button.

To block an IP address:

The 'Advanced' tab under the "Add a Firewall Rule" sub menu can be used in the same way to deny or allow a particular IP address for access in, access out or both.
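GUFW is a graphical front end to ufw, so every rule built in the 'Simple' and 'Advanced' tabs corresponds to a ufw command line. The following is an added example, not part of the tutorial or of GUFW itself: it validates the fields the two tabs offer (policy, direction, protocol, port or IPv4 address) and prints the matching ufw command instead of executing it, so you can review rules before applying them with sudo. The address 203.0.113.5 is a documentation-range placeholder, not a real host.

```shell
#!/bin/sh
# Added example (not from the tutorial): print the ufw command line equivalent
# to a GUFW rule after validating the fields. Nothing is executed here; review
# the output and run it with sudo when you are satisfied.

# Port rule, matching the "Simple" tab: policy, direction, protocol, port.
#   policy: allow | deny | reject   direction: in | out   proto: tcp | udp | both
ufw_port_rule() {
    policy=$1; direction=$2; proto=$3; port=$4
    case "$policy" in
        allow|deny|reject) ;;
        *) echo "invalid policy: $policy" >&2; return 1 ;;
    esac
    case "$direction" in
        in|out) ;;
        *) echo "invalid direction: $direction" >&2; return 1 ;;
    esac
    # The port must be all digits and within 1..65535.
    case "$port" in
        ''|*[![:digit:]]*) echo "invalid port: $port" >&2; return 1 ;;
    esac
    if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
        echo "port out of range: $port" >&2; return 1
    fi
    case "$proto" in
        both)    echo "ufw $policy $direction $port" ;;         # no suffix: tcp and udp
        tcp|udp) echo "ufw $policy $direction $port/$proto" ;;
        *) echo "invalid protocol: $proto" >&2; return 1 ;;
    esac
}

# Address rule, matching the "Advanced" tab: policy, direction, IPv4 address.
ufw_address_rule() {
    policy=$1; direction=$2; addr=$3
    case "$policy" in
        allow|deny|reject) ;;
        *) echo "invalid policy: $policy" >&2; return 1 ;;
    esac
    # Accept a dotted quad only, and check each octet is 0..255.
    if ! printf '%s\n' "$addr" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'; then
        echo "invalid IPv4 address: $addr" >&2; return 1
    fi
    for octet in $(printf '%s\n' "$addr" | tr '.' ' '); do
        if [ "$octet" -gt 255 ]; then
            echo "invalid IPv4 address: $addr" >&2; return 1
        fi
    done
    case "$direction" in
        in)  echo "ufw $policy from $addr" ;;      # traffic arriving from addr
        out) echo "ufw $policy out to $addr" ;;    # traffic leaving for addr
        *) echo "invalid direction: $direction" >&2; return 1 ;;
    esac
}

# The tutorial's port 22 rule, plus an address rule on a placeholder address
# from the RFC 5737 documentation range.
ufw_port_rule deny in both 22
ufw_address_rule deny in 203.0.113.5
```

The printed commands can be applied with `sudo sh` once reviewed; `sudo ufw status numbered` then shows the same rules that appear in the GUFW main screen.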


1(D) SECURER PASSWORD, LOGIN and BIOS settings

1(D) (i) Strong Password

It is recommended that the system root/administration password is unique: do not use it elsewhere, e.g. as a login for a web site. Use a minimum of 10 characters, upper and lower case letters, digits and some special characters like !, $, {. There are random password generators such as KeePassX if you like to use them. These are available for download and install in the Linux Mint Software Manager, along with password manager tools like LastPass.

LM Menu → Software Manager. Enter "keepassx" or "lastpass" in the search bar.

Another alternative is to pick your own memorable password and then check the vulnerability of your password to brute force attacks using the Password Haystacks tool on the GRC website (the same site as Shields UP!! above). DDG Search words: "Gibson Research Corporation Password Haystacks".
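The policy above (10 or more characters, upper and lower case, digits, symbols) and the Haystacks idea of sizing the brute-force search space can both be checked locally. The following is an added example, not part of the tutorial or of the GRC tool: it reports the first policy rule a candidate fails, and estimates the search space as (alphabet size) ^ (length) in bits, where the alphabet sizes assumed here are 26 lower case, 26 upper case, 10 digits and 33 printable ASCII symbols. The candidate passwords are constructed samples, not real credentials.

```shell
#!/bin/sh
# Added example (not from the tutorial): check a candidate password against the
# section's rules and estimate the brute-force search space, Haystacks style,
# as (alphabet size) ^ (length), reported in bits. The alphabet sizes
# (26 + 26 + 10 + 33 printable ASCII symbols) are an assumption of this example.

# Print "ok" and return 0 if the password meets the policy; otherwise print the
# first rule it fails and return 1. POSIX classes keep the test locale-independent.
check_password_policy() {
    pw=$1
    if [ "${#pw}" -lt 10 ]; then
        echo "too short (${#pw} < 10)"; return 1
    fi
    case "$pw" in *[[:upper:]]*) ;; *) echo "no upper case letter"; return 1 ;; esac
    case "$pw" in *[[:lower:]]*) ;; *) echo "no lower case letter"; return 1 ;; esac
    case "$pw" in *[[:digit:]]*) ;; *) echo "no digit"; return 1 ;; esac
    case "$pw" in *[![:alnum:]]*) ;; *) echo "no symbol"; return 1 ;; esac
    echo "ok"
}

# Size of the smallest alphabet that covers every character class used.
alphabet_size() {
    pw=$1; n=0
    case "$pw" in *[[:lower:]]*) n=$((n + 26)) ;; esac
    case "$pw" in *[[:upper:]]*) n=$((n + 26)) ;; esac
    case "$pw" in *[[:digit:]]*) n=$((n + 10)) ;; esac
    case "$pw" in *[![:alnum:]]*) n=$((n + 33)) ;; esac
    echo "$n"
}

# Search space in bits, floored: length * log2(alphabet). 0 for an empty string.
search_space_bits() {
    pw=$1
    if [ "${#pw}" -eq 0 ]; then echo 0; return 0; fi
    awk -v n="$(alphabet_size "$pw")" -v l="${#pw}" \
        'BEGIN { printf "%d\n", l * log(n) / log(2) }'
}

# Constructed sample passwords (not real credentials).
for candidate in 'Mint17!Rebecca' 'rebeccamint' 'mint17'; do
    printf '%-16s policy: %-22s search space: %s bits\n' \
        "$candidate" "$(check_password_policy "$candidate" || true)" \
        "$(search_space_bits "$candidate")"
done
```

The bit count is an upper bound on what an attacker who knows nothing about the password must search; a dictionary word with a digit appended is far weaker than its alphabet size suggests, which is why the tutorial recommends a generator like KeePassX.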

1(D) (ii) BIOS Boot Setting and BIOS Password

An off-line attacker can potentially use a Live Operating System on a USB stick or DVD to gain access to your machine even if they do not know the login password. To make this harder, consider:

* Change BIOS settings to disable booting from any media (USB / DVD drive) other than your hard drive.

* Set a BIOS password. To enter the BIOS (e.g. just after turning on the machine, hit ESC or F10 etc., depending on the PC manufacturer). To add or change a BIOS password, refer to your computer manufacturer's manuals.

1(D) (iii) Linux Mint MDM Greeter Login Screen without user Full Name displayed

Consider not enabling auto login: if your PC is stolen, the thief then cannot simply power up the system and be logged in as your user. When auto login is not enabled, the default LM 17.1 MDM login screen displays the user(s)' Full Name, e.g. John Smith, next to the prompt for 'Username' (easily guessed as lower case jsmith). LM 17.1 has Login Window theme options that do not show the user(s)' Full Name, e.g. the Leaf login screen, so an off-line attacker would have to guess both the login 'Username' and the 'password'. LM Menu → "Login Window". Theme → Leaf Spring GDM.


I hope you found this tutorial useful.


ConorCork December, 2014


Comments
Zhies 7 years ago

I totally agree with the comments below. However, it is great to have an article for administrators! Please keep up the good work and continue to update.

I've noticed you have a number of articles, and perhaps they can be put in an order that can speak to specific audiences as follows:

1) Linux Mint Security: Home User Basics
2) Linux Mint Security: Administrators - Intrusion Detection
3) Linux Mint Security: Administrators - Intrusion Prevention

If you want help on keeping these up-to-date - msg me!


MagicMint 9 years ago

As a side note: This is _not_ Windows XP, and thus, while security is important, a normal Linux user shouldn’t be that paranoiac about it. Nonetheless, your step-by-step tutorial is maybe thorough enough to fit the needs of a server administrator of the kinds of Ubuntu Server or Debian — an average Mint user ought not to have the impression that his system is more permeable than one of the most insecure versions of MS Windows ;-)