Gentoo Forums
Desktop security?
Forum Index: Networking & Security
reddragon
n00b


Joined: 04 Apr 2017
Posts: 24

PostPosted: Tue Apr 04, 2017 10:10 pm    Post subject: Desktop security?

What's a sensible level of security for a desktop configured with performance in mind?
Ant P.
Watchman


Joined: 18 Apr 2009
Posts: 5595

PostPosted: Tue Apr 04, 2017 11:28 pm

Lock down your web browser as far as you can tolerate. You can expect most Linux malware to target Ubuntu users, so be wary of random websites that only offer .debs. Don't run heavy GUI apps as root, and avoid like the plague anything that uses a web browser as a GUI (there's a growing number of them), because none of your normal browser's protection will apply there. And if you care about performance, those things are kryptonite anyway.

That should cover everything bar a targeted attack.
dpaddy
Tux's lil' helper


Joined: 25 Jun 2008
Posts: 117

PostPosted: Fri Apr 14, 2017 1:10 pm    Post subject: sandbox

I can't claim to understand whether this might make anything better, but I came across https://wiki.gentoo.org/wiki/Simple_sandbox
Roman_Gruber
Advocate


Joined: 03 Oct 2006
Posts: 3806
Location: Austro Bavaria

PostPosted: Fri Apr 14, 2017 1:20 pm

I assume a smaller, well-tested desktop environment is the better use case, e.g. i3wm.
When you look at KDE you will see how many "open" bugs are in the open world. Plasma this or that, this and that. Especially KDE has a high impact on this forum.

Use as few packages as possible.

Do not carelessly start / enable daemons. Configure all of those.

Use only well-known software, not exotic software which has a smaller user base.

My HDD is encrypted, so there is less chance of someone tampering with the disk when I am away.

80 percent of GNOME 2 was not really needed for my desktop needs.

--

Quote:
uses a web browser

The issue is more users not blocking known bad hosts. I add several hosts to the bad-host file on a daily basis.
Known bad hosts => e.g. .online, .eu, .xyz (I never saw anything else than bad content on those endings), any Facebook-related host.

The issue is guys not using plugins which restrict:
*) media playback => annoying advertisements
*) Flash is dangerous; there is a plugin which lets you see it when you want it, click to run
*) script blocker
*) advanced ad blocker
*) pop-up blocker
*) auto-download disable

--

I use 4 different browsers.

Each browser for a different task, so there is still a profile, but less obviously linkable.
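The "bad-host file" above is the /etc/hosts blocklist approach: a listed name resolves to a sink address before any DNS query leaves the machine. The script below is an added shell example, not from the post or from Gentoo. It appends entries the way the post describes but adds the checks a careless blocklist usually lacks: every name must be a syntactically valid hostname, names already present are skipped, and localhost and the machine's own hostname are never touched, since a bad line there breaks local services. The script name badhosts.sh, the sink address 0.0.0.0 and the sample hostnames are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread or from Gentoo. Appends hosts-file
# blocklist entries the way the post describes, with three checks the post
# does not mention: each name must be a syntactically valid hostname, names
# already listed are skipped, and localhost plus this machine's own name are
# never touched. Assumptions: the script name badhosts.sh and the sink
# address 0.0.0.0 (fails fast; 127.0.0.1 would hit any local listener).

HOSTS_FILE="${HOSTS_FILE:-/etc/hosts}"
SINK="0.0.0.0"

# 0 if $1 is a lowercase DNS name (letters, digits, hyphens, at least one dot).
is_valid_hostname() {
    printf '%s\n' "$1" |
        grep -Eq '^([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?$'
}

# 0 if $1 must never be blocked.
is_protected() {
    case "$1" in
        localhost|localhost.localdomain|"$(hostname 2>/dev/null)") return 0 ;;
    esac
    return 1
}

# 0 if the hosts file already maps $1 to the sink address.
already_blocked() {
    esc=$(printf '%s' "$1" | sed 's/\./\\./g')
    grep -Eq "^[[:space:]]*$SINK[[:space:]]+$esc([[:space:]]|\$)" "$HOSTS_FILE"
}

# add_bad_hosts NAME...: append "0.0.0.0 NAME" for every new, valid,
# unprotected NAME. Prints the number of lines added; returns 1 if any
# argument was rejected (the acceptable ones are still added).
add_bad_hosts() {
    added=0
    rejected=0
    for name in "$@"; do
        name=$(printf '%s' "$name" | tr 'A-Z' 'a-z')
        if ! is_valid_hostname "$name"; then
            echo "reject: '$name' is not a valid hostname" >&2
            rejected=1
            continue
        fi
        if is_protected "$name"; then
            echo "reject: '$name' is protected" >&2
            rejected=1
            continue
        fi
        already_blocked "$name" && continue
        printf '%s %s\n' "$SINK" "$name" >> "$HOSTS_FILE"
        added=$((added + 1))
    done
    echo "$added"
    return "$rejected"
}

# Only act when run as "badhosts.sh NAME...", not when sourced.
if [ "${0##*/}" = badhosts.sh ] && [ "$#" -gt 0 ]; then
    add_bad_hosts "$@"
fi
```

Run it as root (HOSTS_FILE defaults to /etc/hosts), or point HOSTS_FILE at a scratch copy to try it first. The hosts file matches exact names only; blanket rules for a whole ending such as .xyz need a local resolver that supports them rather than /etc/hosts.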
dpaddy
Tux's lil' helper


Joined: 25 Jun 2008
Posts: 117

PostPosted: Fri Apr 14, 2017 2:59 pm

Some years ago I was of particular interest to some (people/bots/whatever), so I looked into net-firewall/iptables...
saturnalia0
Tux's lil' helper


Joined: 13 Oct 2016
Posts: 94

PostPosted: Mon Apr 17, 2017 3:32 am

Ant P. wrote:
Don't run heavy GUI apps as root

I'd say don't run them as your regular user... https://wiki.gentoo.org/wiki/Simple_sandbox

Don't run anything as root unless it's really necessary.
reddragon
n00b


Joined: 04 Apr 2017
Posts: 24

PostPosted: Sat Apr 22, 2017 10:30 pm

This looks promising:

https://github.com/projectatomic/bubblewrap

It's available here:

https://gpo.zugaina.org/sys-apps/bubblewrap
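One way to put bubblewrap to use for the browser, as an added example that is not from the post or from the bubblewrap project: a wrapper that gives Firefox a private home, a fresh /tmp and /run, read-only system directories, and a single writable directory shared with the host. SANDBOX_HOME, DOWNLOADS, PROFILE, the script name firefox-sandbox and the Firefox path are assumptions. The X11 socket is bound back in so the browser can draw, which is the caveat to keep in mind: this confines the filesystem and the session bus, not X itself, and any X client can still read keystrokes meant for another.

```shell
#!/bin/sh
# Added example (not from the thread or the bubblewrap project). Save as
# firefox-sandbox; run as "firefox-sandbox [URL]". Needs sys-apps/bubblewrap.
# Assumptions: the paths below and a Firefox binary at /usr/bin/firefox.

SANDBOX_HOME="${SANDBOX_HOME:-$HOME/.sandboxes/firefox}"   # private home for the browser
DOWNLOADS="${DOWNLOADS:-$HOME/Downloads}"                   # the only host directory it may write
PROFILE="${PROFILE:-web}"                                   # profile directory name inside that home

# Print the bwrap option list one argument per line so it can be reviewed
# (or tested) without bubblewrap installed. Everything is read-only except
# the two --bind targets; /tmp and /run are fresh tmpfs so the browser cannot
# reach other programs' sockets, apart from the X11 socket bound back in.
bwrap_args() {
    printf '%s\n' --unshare-all --share-net --die-with-parent --new-session
    printf '%s\n' --ro-bind /usr /usr --ro-bind /etc /etc
    # /bin, /lib etc. are real directories on a classic layout and symlinks
    # into /usr on merged-/usr systems; reproduce whichever the host has.
    for d in /bin /sbin /lib /lib64; do
        if [ -L "$d" ]; then
            printf '%s\n' --symlink "$(readlink "$d")" "$d"
        elif [ -d "$d" ]; then
            printf '%s\n' --ro-bind "$d" "$d"
        fi
    done
    printf '%s\n' --dev /dev --proc /proc --tmpfs /tmp --tmpfs /run
    if [ -d /tmp/.X11-unix ]; then
        printf '%s\n' --ro-bind /tmp/.X11-unix /tmp/.X11-unix
    fi
    printf '%s\n' --bind "$SANDBOX_HOME" "$HOME"
    printf '%s\n' --bind "$DOWNLOADS" "$HOME/Downloads"
    printf '%s\n' --setenv HOME "$HOME" --unsetenv DBUS_SESSION_BUS_ADDRESS
}

# Start Firefox inside the sandbox; extra arguments (a URL, say) pass through.
run_firefox() {
    mkdir -p "$SANDBOX_HOME/.mozilla/firefox/$PROFILE" "$DOWNLOADS"
    # Turn the newline-separated option list back into positional parameters.
    # "$@" is expanded before set -- takes effect, so the caller's arguments
    # are appended. Paths containing newlines are not supported.
    IFS='
'
    set -f
    set -- $(bwrap_args) -- /usr/bin/firefox --no-remote \
        --profile "$HOME/.mozilla/firefox/$PROFILE" "$@"
    exec bwrap "$@"
}

# Only launch when executed as the script itself, not when sourced.
if [ "${0##*/}" = firefox-sandbox ]; then
    run_firefox "$@"
fi
```

bwrap needs either unprivileged user namespaces enabled in the kernel or the setuid build of the package. Inside the sandbox the browser sees its usual $HOME path, but that path is SANDBOX_HOME on the host, so anything it writes outside $HOME/Downloads stays in the throwaway home.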
Proinsias
Tux's lil' helper


Joined: 06 Oct 2014
Posts: 110
Location: Scotland

PostPosted: Sat Apr 22, 2017 11:48 pm

Ant P. wrote:
Lock down your web browser as far as you can tolerate.

Could you elaborate a little? I use Firefox with NoScript & uBlock Origin; I tend to watch video via mpv. This is more for aesthetics than lockdown, but I'm curious as to the levels of lockdown.
Hu
Moderator


Joined: 06 Mar 2007
Posts: 13511

PostPosted: Sun Apr 23, 2017 4:41 am

NoScript is a good start. You might also want Policeman, which lets you define on a whitelist basis which domains can use content from other domains, including specifying on a per-content type basis (e.g. may include styles, but not embed images). Much like with NoScript, you should expect to do some work preparing a whitelist when you first activate it. Once you have the whitelists for your preferred sites done, you can mostly forget about it.

For anti-tracking, Self Destructing Cookies can arrange for cookies to be deleted when you close all the tabs associated with the cookie origin.
fcl
n00b


Joined: 31 Dec 2016
Posts: 71

PostPosted: Sun Apr 23, 2017 5:25 pm

Hu wrote:
NoScript is a good start. You might also want Policeman, which lets you define on a whitelist basis which domains can use content from other domains, including specifying on a per-content type basis (e.g. may include styles, but not embed images). Much like with NoScript, you should expect to do some work preparing a whitelist when you first activate it. Once you have the whitelists for your preferred sites done, you can mostly forget about it.

For anti-tracking, Self Destructing Cookies can arrange for cookies to be deleted when you close all the tabs associated with the cookie origin.

Policeman: Last Updated: January 18, 2015
I think uMatrix does everything Policeman does, and better. I actually used Policeman until uMatrix became available for Firefox. An easier choice is to use just uBlock Origin and block 3rd-party frames and scripts with it (advanced mode). It requires way less manual configuring.
Ant P.
Watchman


Joined: 18 Apr 2009
Posts: 5595

PostPosted: Sun Apr 23, 2017 6:54 pm

I'm using separate Firefox profiles for separate groups of websites, uMatrix in whitelist-only mode, SDC, and one other extension, "Consistent HTTPS". I used to use HTTPS Everywhere but it's too bloated, RAM-hungry and slow to start; it would let http links slip through when the browser first starts.
Proinsias
Tux's lil' helper


Joined: 06 Oct 2014
Posts: 110
Location: Scotland

PostPosted: Sun Apr 23, 2017 8:47 pm

Decided to try running it in a sandbox starting from scratch. Got SDC, Consistent HTTPS, NoScript, uMatrix, Watch with MPV & Vimperator; still need to set up my other profiles. Everything is peachy at the moment, but I suspect only being able to save to /home/ff could become tiresome; time will tell.

Thanks for the tips, guys.
fcl
n00b


Joined: 31 Dec 2016
Posts: 71

PostPosted: Mon Apr 24, 2017 5:21 am

You should be able to allow access to ~/Downloads for the sandboxed Firefox, depending on the sandbox implementation used.
saturnalia0
Tux's lil' helper


Joined: 13 Oct 2016
Posts: 94

PostPosted: Wed Apr 26, 2017 2:12 pm

Proinsias wrote:
Decided to try running it in a sandbox starting from scratch. Got SDC, Consistent HTTPS, NoScript, uMatrix, Watch with MPV & Vimperator; still need to set up my other profiles. Everything is peachy at the moment, but I suspect only being able to save to /home/ff could become tiresome; time will tell.

Thanks for the tips, guys.

I usually save things to /tmp, though saving them to /home/ff + `chown -R ff:youruser /home/ff` + `find /home/ff | xargs -I'{}' chmod g+rwx "{}"` should work as well. The problem with saving to /tmp is that it has the sticky bit set, and even if you do `chmod -t /tmp` you'd have to do it every time you reboot.

PS: If by any chance you're not happy with Vimperator, I suggest taking a look at Pentadactyl.
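Both saturnalia0's earlier suggestion to run the browser as a separate user (the Simple_sandbox approach) and the chown/chmod recipe for /home/ff just above come down to handing files between two accounts. The script below is an added example, not from the thread or the Gentoo wiki, and does that with one setgid drop directory instead of `chmod -t /tmp`: the sticky bit on /tmp only stops users from deleting or renaming files they do not own, so clearing it weakens /tmp for every account on the machine. The user name ff, the group ffshare, the directory /home/ff-drop and the sudoers lines are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread or the Gentoo wiki: a dedicated browser
# account plus a setgid drop directory shared with your main account.
# Assumptions: the user "ff", the group "ffshare" and the sudoers lines below.

SANDBOX_USER="${SANDBOX_USER:-ff}"
SHARE_GROUP="${SHARE_GROUP:-ffshare}"

# One-time setup, run as root: create the sandbox account with no login shell
# and a group containing both it and MAIN_USER. Log out and in afterwards so
# the new group membership takes effect.
create_sandbox_user() {
    main_user="$1"
    groupadd "$SHARE_GROUP"
    useradd -m -s /sbin/nologin -G "$SHARE_GROUP" "$SANDBOX_USER"
    usermod -a -G "$SHARE_GROUP" "$main_user"
}

# Make DIR a drop box: group SHARE_GROUP, mode 2770. The setgid bit makes
# every file created inside inherit the group, and the absent "other" bits
# keep anyone outside the group from reading downloads.
setup_shared_dir() {
    dir="$1"
    mkdir -p "$dir"
    chgrp "$SHARE_GROUP" "$dir"
    chmod 2770 "$dir"
}

# The sandbox user's umask still creates 0644 files, which the group can
# read and delete but not modify. Grant group rw on files and rwxs on
# directories; unlike "chmod g+rwx" on everything, files stay non-executable.
fix_shared_perms() {
    dir="$1"
    find "$dir" -type d -exec chmod g+rwxs {} +
    find "$dir" -type f -exec chmod g+rw {} +
}

# Run a command as the sandbox user on the current X display. SI:localuser
# grants access by local uid only, so the display is not opened to the
# network. Assumed sudoers entries for your account:
#   Defaults:youruser env_keep += "DISPLAY"
#   youruser ALL=(ff) NOPASSWD: /usr/bin/firefox
run_as_sandbox_user() {
    xhost +SI:localuser:"$SANDBOX_USER" >/dev/null
    sudo -u "$SANDBOX_USER" -H "$@"
}
```

Typical use: as root, `create_sandbox_user youruser` and `setup_shared_dir /home/ff-drop`; then `run_as_sandbox_user firefox`, set the browser's download directory to /home/ff-drop, and run `fix_shared_perms /home/ff-drop` from your own account whenever you want to edit rather than just read what landed there. As with any same-display setup, this separates files and processes but not X input.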