Securing your Linux system
Since I recently performed a fresh Arch Linux install on brand new hardware, I decided to delve into a somewhat new topic for myself, security. I am not saying that I know nothing about computer security, but previously I never delved any deeper into the topic than learning security best practices. This was my journey to teach myself computer security on a slightly more advanced level. Please don't take this as a tutorial on how to secure your system, but as a starting point, or perhaps inspiration, on specific topics that you may want to research. I am most definitely no expert on the topic, and even though I do my best to educate myself there will always be the chance that I might have misinterpreted something or even made a mistake in my article. This is something important to keep in mind no matter what you read, especially when it comes to important topics such as this.
Securing your system is always a compromise between how useful your system is and how secure it is. I have seen it mentioned online that the most secure a system can be is powered off, locked in a safe with the key thrown away. That is obviously very secure, but also not very useful. So with that in mind I began my little journey into this rather broad topic. I will obviously not be able to touch on every topic related to this, but I found some areas where I wanted to learn more and apply stronger security on my system.
Disk encryption
Encrypting the data on your disk does not protect you against remote attackers, but it keeps your data secure in the case of theft, or if you give away your hard drive without properly wiping it first. There are many different ways to go about this, but in my case I went for a single encrypted partition. The same hard drive also hosts my EFI partition with the bootloader, which can't be encrypted. That means that in my case it is obvious that I have encrypted data. If you want to be able to claim that the drive is unused or holds only garbage, you would need to encrypt the entire drive, which I obviously have not done since the EFI partition can't be encrypted. One way you could work around this would be to keep the EFI partition on a removable USB drive. Personally I didn't see the point in taking it that far, as it would be a bother to remember to plug in a USB drive whenever I have to reboot, but it was something I considered briefly.
I am on Linux, so I rely on dm-crypt with a LUKS partition. In most cases you might want to set up LVM on top of the encrypted partition. LVM lets you create more logical partitions at a later time without the danger of damaging data, which is very useful if you are unsure how many partitions you need. However, I went with the btrfs filesystem and its subvolume feature. Even though subvolumes share the same partition space, they can be mounted individually and in that sense behave much like partitions. So I am able to create new subvolumes on demand, according to need.
Having an encrypted partition means that you need to type a password to unlock it when you boot your computer. This is obviously a different password from your regular user password, or it would not add any security. It is also important to use a completely open source implementation of encryption, otherwise you don't know if it actually is secure. This might be paranoia on my side, but in my opinion every single closed source implementation of encryption has a backdoor. You can't check or prove that there is no backdoor, so I work with the assumption that there is. So my advice is to stick with open source standards, and dm-crypt with LUKS is the way to go.
Restricted user account
I have a regular user account that I use for most tasks. This includes web browsing (with added security, which will be covered under the next heading), personal documents, and development of my hobby projects. This user account has access to elevated system privileges through the use of sudo, which you would expect for the primary user account on your home system. But when I run closed source software I don't really know whether the program could be accessing my other personal files or maybe even attempting to gain elevated privileges. So for all my gaming needs I created a separate user account. This user account can't use sudo, and even the use of su is turned off for this second user account.
I don't use a desktop environment, or a login manager, so when I want to play a game I will switch TTY (Ctrl + Alt + F1-12), log in as the second user and launch the graphical environment. I suspect most people use a full desktop environment with a login manager, so if you are reading this and consider doing something similar then you probably just need to click on your desktop menu and select "Switch user", provided you already created the restricted user account.
To prevent this user from being able to use sudo, you simply ensure the user is not a member of a group that grants access to sudo. On most Linux distributions this would be the "sudo" group or the "wheel" group. If you use a full graphical environment and create users through graphical tools, then you probably just need to ensure the new user is not tagged as having administrator rights.
This adds an extra step before I can play games, but in my opinion it is worthwhile. In case a game, or possibly a patch for a game, does something it is not supposed to do, the impact on my system is minimized and should be contained to compromising other game files, since that is all this restricted user account has access to.
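As an added example (not from the original article), here is a small POSIX shell audit of the restricted account described above. It reads constructed samples of /etc/group and /etc/pam.d/su, checks that the user is in neither the sudo nor the wheel group, and checks that su is limited to wheel members via pam_wheel, which is my assumption about how su was turned off; the user names and group ids are made up.

```shell
#!/bin/sh
# Constructed /etc/group sample: "alice" is the admin account, "gamer" the
# restricted account that should have no path to root.
SAMPLE_GROUP='root:x:0:
wheel:x:998:alice
sudo:x:27:alice
games:x:50:alice,gamer
audio:x:63:alice,gamer
'
# Constructed /etc/pam.d/su sample with pam_wheel enabled, so only members of
# "wheel" can use su at all (an assumption about how su was turned off).
SAMPLE_PAM_SU='#%PAM-1.0
auth            sufficient      pam_rootok.so
auth            required        pam_wheel.so use_uid
auth            include         system-auth
'
# admin_groups_for USER (group file on stdin): prints the privilege-granting
# groups (sudo, wheel) USER belongs to, space separated.
admin_groups_for() {
    awk -F: -v u="$1" '
        $1 == "sudo" || $1 == "wheel" {
            n = split($4, m, ",")
            for (i = 1; i <= n; i++) if (m[i] == u) found = (found == "" ? $1 : found " " $1)
        }
        END { print found }'
}

# su_limited_to_wheel (pam.d/su on stdin): succeeds when an uncommented
# "auth required pam_wheel.so" line is present.
su_limited_to_wheel() {
    grep -Eq '^[[:space:]]*auth[[:space:]]+required[[:space:]]+pam_wheel\.so'
}

# is_restricted USER GROUPFILE PAMFILE: succeeds only if USER is in neither
# sudo nor wheel and su is limited to wheel members.
is_restricted() {
    [ -z "$(admin_groups_for "$1" < "$2")" ] && su_limited_to_wheel < "$3"
}
# Demonstration on the samples; point the same checks at /etc/group and
# /etc/pam.d/su to audit a real system.
tmpd=$(mktemp -d)
printf '%s' "$SAMPLE_GROUP" > "$tmpd/group"
printf '%s' "$SAMPLE_PAM_SU" > "$tmpd/pam_su"
for u in alice gamer; do
    if is_restricted "$u" "$tmpd/group" "$tmpd/pam_su"; then
        echo "$u: restricted"
    else
        echo "$u: admin groups: $(admin_groups_for "$u" < "$tmpd/group")"
    fi
done
```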
Sandboxing the web browser
Your web browser is a frequent target of malicious websites. Taking steps to secure your browser, or rather to secure your system from your browser, is very important in my opinion. For this purpose I am using Firejail. It is very easy to use: I simply launch my web browser (Firefox) through the command "firejail firefox", and then my browser can't access any of my personal files except for those in the Downloads folder. In case the browser is compromised in some way, at least I know my files are kept safe. There are a lot more security features at work, but it is even more important to realize what this does not protect you against.
Sandboxing will protect your private files from being snooped on by a compromised browser, and it prevents the browser from executing code to gain further access to your system. But it will not prevent you from doing stupid stuff, such as giving away details that would let others steal your money. It also does not protect you from downloading malicious software and then running it yourself. Sandboxing is just an additional security layer against potential security holes in your browser; nothing can secure your system from irresponsible use. It falls outside the scope of this article to delve into best online practices, I just wanted to point out that such things are the responsibility of the user, yourself.
AppArmor
Some Linux distributions have AppArmor enabled by default, and you might not need to do anything, but on Arch it needs to be installed and enabled manually. AppArmor works by having profiles for applications, and each profile defines what system resources an application can access. This means that even if a program runs with root privileges it still might not be able to access the entire system, provided there is an AppArmor profile for the program in question. AppArmor is useless for programs that don't have an associated profile, but most Linux distributions have profiles enabled for many common applications.
Personally I didn't bother to create additional profiles beyond the defaults, mostly since I run the browser sandboxed, and all games and other closed source applications are run under a very restricted user account.
Firewall
I have pretty much always had a firewall on, so it is definitely not something new in my setup. I still want to mention it because I feel it is important. I always ensure that I don't have any processes running that accept incoming network connections, unless it is something I specifically want. The Linux command "ss -tulpn" will show you all processes listening on the network, and on which ports. As for the firewall, I use ufw since it is rather simple to set up. I simply deny all incoming traffic, except for the select few ports that I specifically want to keep open.
If you don't have any network processes listening for incoming connections, then theoretically speaking a firewall is useless. But I still like to have that added layer of security, especially to help protect against security holes in running software.
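The "ss -tulpn" check above is easy to automate. As an added example (not from the article), this POSIX shell script parses constructed ss output, lists sockets bound to non-loopback addresses, and flags any that are not on an allow list, so an unintended listener shows up before you rely on the firewall to cover it; the process names and ports in the sample are made up.

```shell
#!/bin/sh
# Constructed "ss -tulpn" output (not captured from a real machine).
SAMPLE_SS='Netid State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
udp   UNCONN 0      0      127.0.0.53%lo:53    0.0.0.0:*         users:(("systemd-resolve",pid=412,fd=13))
udp   UNCONN 0      0      0.0.0.0:68          0.0.0.0:*         users:(("dhcpcd",pid=398,fd=6))
tcp   LISTEN 0      128    0.0.0.0:22          0.0.0.0:*         users:(("sshd",pid=601,fd=3))
tcp   LISTEN 0      4096   127.0.0.1:631       0.0.0.0:*         users:(("cupsd",pid=520,fd=7))
tcp   LISTEN 0      4096   [::1]:631           [::]:*            users:(("cupsd",pid=520,fd=8))
tcp   LISTEN 0      511    *:8080              *:*               users:(("node",pid=2310,fd=19))
'

# exposed_sockets (ss -tulpn output on stdin): prints "proto/port process" for
# every socket bound to a non-loopback address, i.e. one that other hosts on
# the network could reach.
exposed_sockets() {
    awk 'NR == 1 { next }                       # skip the header line
    {
        laddr = $5
        n = split(laddr, parts, ":"); port = parts[n]
        addr = substr(laddr, 1, length(laddr) - length(port) - 1)
        if (addr ~ /^127\./ || addr == "[::1]") next   # loopback only
        proc = "-"
        if (match($7, /"[^"]+"/)) proc = substr($7, RSTART + 1, RLENGTH - 2)
        printf "%s/%s %s\n", $1, port, proc
    }'
}

# unexpected_listeners ALLOWED... (ss -tulpn output on stdin): prints exposed
# sockets not in the allow list, e.g. "unexpected_listeners tcp/22". Anything
# printed is either an intended service missing from the list or a surprise
# worth investigating and confirming the firewall denies.
unexpected_listeners() {
    allowed=" $* "
    exposed_sockets | while read -r sock proc; do
        case "$allowed" in
            *" $sock "*) ;;
            *) echo "$sock $proc" ;;
        esac
    done
}

# Demonstration on the constructed sample; on a real system run:
#   ss -tulpn | unexpected_listeners tcp/22
printf '%s' "$SAMPLE_SS" | unexpected_listeners tcp/22
```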
Antivirus
A lot of people advertise Linux as being "virus-free", which is far from the truth. There is a lot less malware created for Linux, so you are less likely to actually encounter any. And the way the Linux system is built means that any malware on your system will rarely be able to do anything other than snoop on your particular user. That might be bad enough on its own, which is why I sandbox my browser and use a restricted second user account for closed source software like games. In addition to this, I also run antivirus software on my Linux system.
The software I use is ClamAV, and I have it set up to automatically update the virus database, and I added some unofficial signatures in addition to the automatic updates. I have used ClamAV for years and never detected anything on my system, but it's still nice to have that little added protection. Even if potential malware would hopefully not be able to do much damage on my system, I would not want to spread it to other people.
USBGuard
Your computer's USB ports are one attack vector, and USBGuard makes use of the device blocking infrastructure in the Linux kernel to help protect your system from some types of USB attacks. By default, USBGuard will block all USB devices and you need to specifically allow each device. You can create rules to automatically allow specific devices, which is very important if you use a USB mouse and keyboard; otherwise you will not be able to interact with your computer when you start USBGuard.
It is important to realize that this does not prevent anyone from booting your computer from a live USB; this level of protection works within the Linux kernel, in other words it works after your operating system is up and running. In all honesty, this kind of protection might not be that important if you have a desktop computer in your home, assuming you don't accept USB sticks from strangers and plug them into your computer. It's a weird world we live in when USB sticks from strangers can be dangerous. In any case, laptop owners are more likely to benefit from this protection. Just keep in mind that it takes some setting up, and it is especially important to ensure that your normal USB devices are already whitelisted before you start USBGuard.
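Before starting USBGuard with a block-by-default policy, it is worth confirming that the rules file actually allows a keyboard and a mouse. As an added example (not from the article or the USBGuard project), this POSIX shell check parses a constructed rules.conf and counts allow rules for boot-protocol keyboards (interface 03:01:01) and mice (03:01:02); the device ids and names are made up, and you should adjust the triples if your devices report different HID descriptors.

```shell
#!/bin/sh
# Constructed rules.conf in the USBGuard rule language (not from a real system).
# On a real machine "usbguard generate-policy" writes rules for the devices
# currently attached; this check is meant to run on that output before the
# service is started.
SAMPLE_RULES='allow id 1d6b:0002 name "xHCI Host Controller" with-interface 09:00:00
allow id 046d:c31c name "USB Keyboard" with-interface { 03:01:01 03:00:00 }
allow id 1bcf:0005 name "Optical Mouse" with-interface 03:01:02
block with-interface one-of { 08:*:* }
'

# count_allowed_interface CLASS:SUBCLASS:PROTOCOL (rules on stdin): counts
# uncommented allow rules whose with-interface list contains the triple.
count_allowed_interface() {
    awk -v want="$1" '
        /^[[:space:]]*allow/ {
            i = index($0, "with-interface")
            if (i == 0) next
            spec = substr($0, i + length("with-interface"))
            n = split(spec, tok, /[ {}]+/)
            for (k = 1; k <= n; k++) if (tok[k] == want) { c++; break }
        }
        END { print c + 0 }'
}

# usbguard_preflight (rules on stdin): succeeds only if at least one
# boot-protocol keyboard (03:01:01) and one boot-protocol mouse (03:01:02)
# are explicitly allowed, so enabling the service cannot leave you without
# input devices.
usbguard_preflight() {
    rules=$(cat)
    kb=$(printf '%s\n' "$rules" | count_allowed_interface 03:01:01)
    mouse=$(printf '%s\n' "$rules" | count_allowed_interface 03:01:02)
    echo "allowed keyboards: $kb, allowed mice: $mouse"
    [ "$kb" -ge 1 ] && [ "$mouse" -ge 1 ]
}

# Demonstration on the constructed sample; on a real system:
#   usbguard_preflight < /etc/usbguard/rules.conf && systemctl enable --now usbguard
printf '%s' "$SAMPLE_RULES" | usbguard_preflight
```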
Browser extensions
I just wanted to put in a few words here regarding some useful browser extensions. Personally I use Firefox, and you will never catch me using Google's evil browser (Chrome/Chromium) except to test that my website works there as well. To further secure my web browsing I use a couple of browser extensions, specifically "NoScript" and "uBlock Origin".
uBlock Origin is an ad blocker, and a very good one. You can easily whitelist websites if you want to support them. But for other websites, especially those that utilize annoying ads or simply overuse ads, you can leave the ads blocked. Ads usually also contribute to tracking your online activities, which I strongly oppose, so that's another benefit of blocking ads.
There is obviously a lot more you can do to secure your system, but in my case I felt that these steps should be sufficient for my personal home computer. And even with all these security measures, your system is only as secure as your own habits when using your computer. It is especially important to be careful when browsing the web and dealing with files you downloaded. Never ever run a script you downloaded from some website/forum without carefully reading it and fully understanding what it does. I would hope that everyone knows this, but it seems like a lot of people are far too trusting when it comes to code they find online. A script you find online might not even be malicious by intent, but if the script author is incompetent then their script might become malicious by mistake.
The most important thing you can do to secure your system is to educate yourself on best security practices, and take the time to learn how your computer works and how it can be compromised. Enabling a lot of security features without understanding what they protect against might be useless, and in many cases gives you a false sense of security. So if any of the topics I have mentioned seem interesting to you, do your own research. Just the act of researching a topic will help teach you better security practices.
Once again, I am no expert, just an enthusiast. But I would be more than happy to answer questions or engage in discussion so don't hesitate if there's something that caught your curiosity.