Tools for security scanning or audits?

13 posts • Page 1 of 1
dandennison84
n00b
Posts: 34
Joined: Thu Feb 07, 2013 3:42 pm
Location: Omaha, NE

Post by dandennison84 » Thu Aug 10, 2023 5:48 pm

Hi, as I am going through my learning journey with Linux, I am at a place where I want to understand security issues and how to protect my system. This is more in the nature of an educational journey. It is a plain Linux desktop with Gentoo as my daily driver. I don't have anything on this computer that I'm worried about at this point.

I'm really looking for a tool or set of tools that are free and open source. If not free, really cheap :P At any rate, I was wondering if there is either a tool I can install or something online that will scan my system, show any security issues and make recommendations. Does something like that exist that will work with Gentoo? I see lots of options out there, but frankly they are too deep for me right now to really understand the pros/cons. File permissions, passwords, port and network stuff, wifi, logging in, etc.

I just want to learn for now. If I port more of my stuff over to Linux, then I'll re-evaluate paid tools.

I have been reading a lot on the internet and gentoo on security. But frankly I'm fairly lost. There is so much to learn. So I just want to take some baby steps and focus on one set of problems at a time.
alamahant
Advocate
Posts: 4034
Joined: Sat Mar 23, 2019 12:12 pm

Post by alamahant » Thu Aug 10, 2023 6:12 pm

Maybe look at these kinds of areas.
1. Firewalls like iptables or other
2. A MAC implementation like AppArmor or SELinux
3. Hardened profile and kernel.
4. Best practices for daemons like apache, sshd etc.
5. Intrusion detection and other network tools like snort, nmap, tcpdump, wireshark etc.
6. Antivirus like app-antivirus/clamav
7. Regularly checking the logs for anything unusual.
8. Common sense.
But if you are safely behind a router I think it is safe more or less.
:)
NeddySeagoon
Administrator
Posts: 56094
Joined: Sat Jul 05, 2003 9:37 am
Location: 56N 3W

Post by NeddySeagoon » Thu Aug 10, 2023 8:13 pm

dandennison84,

Make a list of the threats that you want/need to defend against.
Then research defences and deploy them.

e.g. If you might leave your laptop on public transport, encryption at rest would be a good idea.

You will want validated backups. That's a part of any security system.

Security is a trade off with usability.
You can be secure from attacks over the network ... if you never connect to networks but that may limit the usability of your system.

No hints ... just a few questions to start you thinking on the right lines.

As it's been brought up about routers: domestic routers/firewalls are not safe. They are normally what is called 'half open'.
That is, everything is allowed out but nothing is allowed in unless it's a response to a request.
That means that anything that does get in is free to phone home.
It's much more secure to have a fully closed router except where things are explicitly allowed out. This is harder to set up and most domestic users would not want to bother.

You do need to check logs. After a while you get used to Android trying to phone home and being blocked.
Regards,

NeddySeagoon

Computer users fall into two groups:-
those that do backups
those that have never had a hard drive fail.
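The difference NeddySeagoon describes, written out as two host-side nftables rulesets. This is an added example, not code from the thread: the "half open" ruleset lets everything out, the "fully closed" one drops outbound traffic unless a rule allows it, and logs what it drops so that a phone-home attempt shows up in the logs. The upstream DoT resolver address (a documentation address) and the list of allowed ports are assumptions; adjust them to what your machine actually needs.

```shell
#!/bin/sh
# Added example, not from the thread: two host-side nftables rulesets showing
# the "half open" and "fully closed" models, plus a syntax check and an awk
# pass that lists what the output chain lets through. Nothing is applied
# unless you run it with "apply" as root.
set -u

# Assumption: the DoT server your local resolver forwards to (documentation address).
RESOLVER="${RESOLVER:-192.0.2.53}"

# The usual domestic model: replies in, anything out.
half_open_ruleset() {
cat <<'EOF'
table inet filter {
  chain input {
    type filter hook input priority 0; policy drop;
    iif lo accept
    ct state established,related accept
  }
  chain output {
    type filter hook output priority 0; policy accept;
  }
}
EOF
}

# The "fully closed" model: nothing out unless it is listed here.
closed_ruleset() {
cat <<EOF
table inet filter {
  chain input {
    type filter hook input priority 0; policy drop;
    iif lo accept
    ct state established,related accept
    ct state invalid drop
    icmp type echo-request limit rate 5/second accept
    icmpv6 type { nd-neighbor-solicit, nd-neighbor-advert, nd-router-advert } accept
  }
  chain output {
    type filter hook output priority 0; policy drop;
    oif lo accept
    ct state established,related accept
    icmpv6 type { nd-neighbor-solicit, nd-neighbor-advert, nd-router-solicit } accept
    # DNS only as DoT to our own upstream; plain port 53 stays blocked
    ip daddr $RESOLVER tcp dport 853 accept
    udp dport 67 accept
    tcp dport { 80, 443 } accept
    udp dport 123 accept
    # Whatever is left gets logged before the policy drops it: this is the
    # "check your logs" part
    limit rate 10/minute log prefix "egress-drop: "
  }
}
EOF
}

# Print the default policy of the output chain (accept or drop).
egress_policy() {
  awk '/chain output/ { f = 1 }
       f && /policy/  { sub(/.*policy /, ""); sub(/;.*/, ""); print; exit }'
}

# Print every destination port the output chain explicitly accepts, one per line.
allowed_egress_ports() {
  awk '/chain output/ { f = 1 }
       /^  [}]/       { f = 0 }
       f && /dport/ && /accept/ {
         sub(/.*dport /, ""); sub(/ accept.*/, "")
         gsub(/[{},]/, " ")
         n = split($0, p, " "); for (i = 1; i <= n; i++) print p[i]
       }'
}

# Syntax-check a ruleset with nft when it is installed; nothing is applied.
check_ruleset() {
  if command -v nft >/dev/null 2>&1; then
    "$1" | nft -c -f -
  else
    echo "nft not installed; skipping syntax check" >&2
  fi
}

# Usage: sh egress.sh show | check | apply   (apply needs root and replaces
# the whole current ruleset)
case "${1:-}" in
  show)  closed_ruleset ;;
  check) check_ruleset closed_ruleset ;;
  apply) { echo "flush ruleset"; closed_ruleset; } | nft -f - ;;
esac
```

Run `sh egress.sh check` first; once it is applied, anything that is not on the allow list turns up in the kernel log with the `egress-drop:` prefix, which is exactly the kind of entry NeddySeagoon means when he says you get used to devices being blocked from phoning home.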
dandennison84
n00b
Posts: 34
Joined: Thu Feb 07, 2013 3:42 pm
Location: Omaha, NE

Post by dandennison84 » Fri Aug 11, 2023 12:34 am

Thanks for the ideas so far. This is what I have so far.

1. I use rsnapshot for backups to a removable USB disk. I have done daily, weekly, monthly for a while now. I do hourly when I'm messing around a lot. It snaps my entire drive minus proc, sys, dev, etc.
— TODO: I haven’t tried testing the backup though. Too scared I’ll break something. I was thinking of restoring either into a chroot, a virtual or a newly mounted drive. Any recommendations?

2. I spent the afternoon installing and testing a firewall, ufw, by following the gentoo handbook.

My next thought is to get the backup restoration working and tested, then look at encryption. I’d also like to figure out secure boot and all that. I basically disabled it all to get dual boot working.
NeddySeagoon
Administrator
Posts: 56094
Joined: Sat Jul 05, 2003 9:37 am
Location: 56N 3W

Post by NeddySeagoon » Fri Aug 11, 2023 4:08 pm

dandennison84,

What are your perceived threats?
Regards,

NeddySeagoon

Computer users fall into two groups:-
those that do backups
those that have never had a hard drive fail.
dandennison84
n00b
Posts: 34
Joined: Thu Feb 07, 2013 3:42 pm
Location: Omaha, NE

Post by dandennison84 » Fri Aug 11, 2023 10:22 pm

Losing my laptop or using it on public wifi.
pietinger
Administrator
Posts: 6631
Joined: Tue Oct 17, 2006 5:11 pm
Location: Bavaria

Post by pietinger » Sat Aug 12, 2023 9:10 am

dandennison84 wrote: Losing my laptop [...]
Encrypt your /home partition OR encrypt your whole disk (=FDE; full disk encryption)
dandennison84 wrote: [...] using it on public wifi.
=>
alamahant wrote:
1. Firewalls like iptables or other
2. A MAC implementation like AppArmor or SELinux
3. Hardened profile and kernel.
4. Best practices for daemons like apache, sshd etc.
5. Intrusion detection and other network tools like snort, nmap, tcpdump, wireshark etc.
[...]
7. Regularly checking the logs for anything unusual.
This would be my minimum recommendation - in order of importance:
1. Hardened kernel / Hardened profile
2. Use your own DNS resolver; best with DoT (DNS over TLS); I am using "unbound" for this; "dnsmasq" is also a possible solution
3. Secure your browser; maybe "firejail"; better with a MAC implementation; SELinux can be hard on a desktop; I am using AppArmor for this
4. Do a firewall; either with iptables or nftables; forget UFW or other add-ons

I am also using:
- IMA (from kernel) as additional protection against modification of executable binaries

I don't use clamav because:
a) It had its own security problems in the past, AND
b) My mail application doesn't use http mails
NeddySeagoon
Administrator
Posts: 56094
Joined: Sat Jul 05, 2003 9:37 am
Location: 56N 3W

Post by NeddySeagoon » Sat Aug 12, 2023 11:57 am

dandennison84,

Public Wifi is a big threat.

The only thing you should use it for is connecting to a VPN, then everything else is tunnelled over the VPN.
As others have said, do your own DNS.

I agree with the firewall advice, but not so much to keep things out, as you do that on Gentoo by not running internet-facing services that you don't need, so there is nothing listening for "evil_hacker".
Set up correctly, a firewall can stop "evil_hacker" from phoning home to tell them they have got in.

If you run sshd, make it key based login only. Then you can ignore all the dictionary attacks in your logs.
Regards,

NeddySeagoon

Computer users fall into two groups:-
those that do backups
those that have never had a hard drive fail.
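A way to check that sshd is really set to key-based login only, added here as an example (not code from the thread). It reads the effective global values the way sshd does, where the first occurrence of a directive wins and anything after a `Match` line is conditional, which is the usual reason a config that "says no at the bottom" still accepts passwords. The two sample configs are constructed for the example; point `audit_sshd` at `/etc/ssh/sshd_config` to audit a real one.

```shell
#!/bin/sh
# Added example, not from the thread: audit an sshd_config for the
# "key based login only" setup. Includes two constructed sample configs so it
# runs without touching a real system.
set -u

lc() { printf '%s' "$1" | tr 'A-Z' 'a-z'; }

# sshd uses the FIRST value it meets for a directive; later duplicates are
# ignored, and everything after a "Match" line is conditional. Print the
# effective global value of directive $2 in file $1, or $3 if it is unset.
# (Keyword=value syntax and Include files are not handled.)
sshd_effective() {
  file=$1; key=$(lc "$2"); default=${3:-}
  val=$(awk -v k="$key" '
    /^[[:space:]]*#/ || NF == 0 { next }   # comments and blank lines
    tolower($1) == "match"      { exit }   # conditional section starts
    tolower($1) == k            { print $2; exit }
  ' "$file")
  printf '%s\n' "${val:-$default}"
}

# Prints one line per finding; returns 0 only when logins are key-based only.
# Defaults used below are sshd's own when a directive is absent.
audit_sshd() {
  file=$1; rc=0
  pa=$(lc "$(sshd_effective "$file" PasswordAuthentication yes)")
  cr=$(lc "$(sshd_effective "$file" ChallengeResponseAuthentication yes)")
  ki=$(lc "$(sshd_effective "$file" KbdInteractiveAuthentication "$cr")")
  pk=$(lc "$(sshd_effective "$file" PubkeyAuthentication yes)")
  pe=$(lc "$(sshd_effective "$file" PermitEmptyPasswords no)")
  pr=$(lc "$(sshd_effective "$file" PermitRootLogin prohibit-password)")
  [ "$pa" = no ]   || { echo "PasswordAuthentication is $pa (want no)"; rc=1; }
  [ "$ki" = no ]   || { echo "KbdInteractiveAuthentication is $ki (want no)"; rc=1; }
  [ "$pk" = yes ]  || { echo "PubkeyAuthentication is $pk (want yes)"; rc=1; }
  [ "$pe" = no ]   || { echo "PermitEmptyPasswords is $pe (want no)"; rc=1; }
  [ "$pr" != yes ] || { echo "PermitRootLogin is yes (want no or prohibit-password)"; rc=1; }
  return $rc
}

# Constructed sample: the trailing "no" looks right, but it sits after a
# Match line, so it applies to one user only and the global value stays yes.
sample_weak_config() {
cat <<'EOF'
Port 22
PasswordAuthentication yes
Match User backup
    PasswordAuthentication no
EOF
}

# Constructed sample: what the key-only setup looks like.
sample_hardened_config() {
cat <<'EOF'
Port 22
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no
PermitEmptyPasswords no
PermitRootLogin no
AuthenticationMethods publickey
EOF
}

# Usage: sh sshd-audit.sh /etc/ssh/sshd_config
if [ -n "${1:-}" ]; then
  audit_sshd "$1" && echo "OK: key-based login only"
fi
```

With password and keyboard-interactive logins off, the dictionary attacks in the log cannot succeed whatever they guess, which is why they can be ignored as noise rather than chased.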
dandennison84
n00b
Posts: 34
Joined: Thu Feb 07, 2013 3:42 pm
Location: Omaha, NE

Post by dandennison84 » Sun Aug 13, 2023 12:05 am

So many questions. Not sure where to begin. So given everyone's advice, I guess I'll start with the wireless network security portion first. My current system setup is a dual boot with Windows on an Alienware x17 R1. I ran Gentoo for about 2 months as a daily driver on VirtualBox. I decided to migrate but taking baby steps. I now have a dual booting system running a basic desktop environment with openrc. I'm using Awesome WM and no login manager (I use startx). I'm using Network Manager for my wifi needs.

1. I installed and configured ufw. I noticed a recommendation that I don't use it but use the underlying iptables alone. Why is that? I have ipsec, iptables and ufw currently installed and running.
2. I have nordvpn that I use on Windows and other devices. Should I install it on my Gentoo as well?
3. I know very little about DNS. So running my own version scares me a bit. How will my own DNS server know how to resolve addresses? Is this something I have to keep constantly in sync with some set of files on the internet?

I know my questions seem very basic, but I pretty much learn by doing. Thanks everyone for being patient and helping educate me.

Does this all apply to my home network as well? I have a cable modem hooked up to a tp-link a9 wireless router. No, it doesn't have strong passwords, I guess I could change that even though my wife and kids will raise holy hell for their phone and device connections :P
szatox
Advocate
Posts: 3858
Joined: Tue Aug 27, 2013 12:35 pm

Post by szatox » Sun Aug 13, 2023 12:27 am

I, on the other hand, see little value in a commercial VPN as a means of keeping yourself safe on a public wifi. Pretty much all services use TLS, right? And your system comes with a bunch of trusted root certificates.
This provides both encryption and authentication on a connection level, so your connection is already protected on its way through a public network. Also, your commercial anonymous VPN is not even remotely anonymous unless you pay for it anonymously.

A local DNS may or may not cache responses. They usually do. Either way, if it doesn't know what response to give you, it will ask some public DNS just the way your system would, making it the easiest network service to set up: it will kinda work even without any configuration at all.
pietinger
Administrator
Posts: 6631
Joined: Tue Oct 17, 2006 5:11 pm
Location: Bavaria

Post by pietinger » Sun Aug 13, 2023 10:00 am

dandennison84,

maybe you are interested in my (German) guide for an installation of unbound (you will need only the steps and /etc/unbound/unbound.conf) to see how easy it is:

viewtopic-t-1125184.html

If you now have DoT you can check it later with these links:

https://internet.nl/connection

https://rootcanary.org/test.html

(or maybe before to see the differences)

Your browser should not be able to open this link:

https://www.dnssec-failed.org

unbound is a caching resolver; so, you have an additional advantage: faster DNS lookups ... ;-)


(P.S.: If you search for the "dig" command you will find it in "net-dns/bind-tools")
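Added here as an example, and not taken from the thread or from pietinger's guide: a minimal unbound configuration that forwards every query over DoT (the setup pietinger recommends, which also gives the local cache szatox describes), together with a check that the resolver really validates DNSSEC, built on the dnssec-failed.org test above. The upstream server, the name on its certificate and the file paths are placeholders; take the real paths from the config file your distribution's unbound package installs.

```shell
#!/bin/sh
# Added example, not from the thread: unbound forwarding over DoT plus a
# DNSSEC validation check. Upstream address, TLS name and paths are
# assumptions; replace them with your own.
set -u

UPSTREAM_IP="${UPSTREAM_IP:-192.0.2.53}"               # placeholder DoT server
UPSTREAM_NAME="${UPSTREAM_NAME:-dot.resolver.example}"  # name on its certificate

# Print an unbound.conf: listen on localhost only, validate against the root
# trust anchor, and forward everything to the upstream over TLS on port 853.
unbound_conf() {
cat <<EOF
server:
    interface: 127.0.0.1
    access-control: 127.0.0.0/8 allow
    # Paths are assumptions; use the ones from your distribution's package
    tls-cert-bundle: /etc/ssl/certs/ca-certificates.crt
    auto-trust-anchor-file: /etc/unbound/root.key
    qname-minimisation: yes
    harden-dnssec-stripped: yes
    prefetch: yes
forward-zone:
    name: "."
    forward-tls-upstream: yes
    forward-addr: ${UPSTREAM_IP}@853#${UPSTREAM_NAME}
EOF
}

# Extract the status word from a dig answer header (NOERROR, SERVFAIL, ...).
dig_status() { sed -n 's/.*status: \([A-Z]*\).*/\1/p' | head -n 1; }

# A validating resolver returns SERVFAIL for www.dnssec-failed.org, but with
# +cd (checking disabled) it hands the bogus answer through with NOERROR.
# A resolver that does not validate returns NOERROR both times.
dnssec_verdict() {     # $1: status without +cd, $2: status with +cd
  case "$1/$2" in
    SERVFAIL/NOERROR) echo validating ;;
    NOERROR/NOERROR)  echo not-validating ;;
    *)                echo inconclusive ;;
  esac
}

# Live check against a resolver (default: the local unbound). Needs network
# access and dig from net-dns/bind-tools.
check_resolver() {
  r=${1:-127.0.0.1}
  plain=$(dig @"$r" www.dnssec-failed.org A | dig_status)
  cdflag=$(dig @"$r" +cd www.dnssec-failed.org A | dig_status)
  dnssec_verdict "$plain" "$cdflag"
}

# Constructed dig header lines, so the parsing can be exercised offline.
SAMPLE_SERVFAIL=';; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 41112'
SAMPLE_NOERROR=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 41113'

# Usage: sh dot-check.sh conf > unbound.conf   |   sh dot-check.sh check [resolver]
case "${1:-}" in
  conf)  unbound_conf ;;
  check) check_resolver "${2:-127.0.0.1}" ;;
esac
```

Run `unbound-checkconf` on the generated file before restarting unbound, then `sh dot-check.sh check` should print `validating`; pointing the same check at a resolver that does not validate prints `not-validating`, which is the difference the dnssec-failed.org page makes visible in a browser.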
kolibri
n00b
Posts: 27
Joined: Thu Jul 27, 2023 6:45 am
Location: Boizenburg, Germany

Post by kolibri » Tue Aug 15, 2023 9:08 am

I'd like to mention lynis for auditing your system: https://www.howtogeek.com/674288/how-to ... ith-lynis/
dandennison84
n00b
Posts: 34
Joined: Thu Feb 07, 2013 3:42 pm
Location: Omaha, NE

Post by dandennison84 » Wed Aug 16, 2023 9:44 am

kolibri wrote: I'd like to mention lynis for auditing your system: https://www.howtogeek.com/674288/how-to ... ith-lynis/
Wow, very nice, exactly what I was looking for! Thanks!

© 2001–2026 Gentoo Foundation, Inc.