Gentoo Forums
Is firewall or SELinux needed for my personal laptop
luoleicn
n00b


Joined: 25 Jun 2009
Posts: 31
Location: China

PostPosted: Sun Jan 24, 2010 11:11 am    Post subject: Is firewall or SELinux needed for my personal laptop Reply with quote

Hi, I have to say I know little about Linux security. When I used Windows, Kaspersky sometimes told me that it had stopped an attack from the Internet, so I think maybe I need a firewall on Linux too, but some guys told me that if I keep my Linux up-to-date it will be OK and I don't need anything. So I'm confused :?: :?:
Mike Hunt
Watchman


Joined: 19 Jul 2009
Posts: 5287

PostPosted: Sun Jan 24, 2010 3:45 pm    Post subject: Reply with quote

A firewall is a good idea. There are a bunch of links to Gentoo iptables :arrow: here.

It is unlikely that you would need selinux unless you know that you need it and why.
d2_racing
Bodhisattva


Joined: 25 Apr 2005
Posts: 13047
Location: Ste-Foy, Canada

PostPosted: Sun Jan 24, 2010 9:05 pm    Post subject: Reply with quote

And you have these 2 :

http://gentoo-quebec.org/wiki/index.php/Utilisation_de_Iptables_pour_un_seul_ordinateur
http://gentoo-quebec.org/wiki/index.php/Utilisation_de_Iptables_pour_un_seul_ordinateur_mode_parano
kernelOfTruth
Watchman


Joined: 20 Dec 2005
Posts: 6111
Location: Vienna, Austria; Germany; hello world :)

PostPosted: Sun Jan 24, 2010 9:22 pm    Post subject: Reply with quote

I think French is a bit complicated for someone from China? :wink:

I think English would be more understandable for the poster :wink:
_________________
https://github.com/kernelOfTruth/ZFS-for-SystemRescueCD/tree/ZFS-for-SysRescCD-4.9.0
https://github.com/kernelOfTruth/pulseaudio-equalizer-ladspa

Hardcore Gentoo Linux user since 2004 :D
aCOSwt
Bodhisattva


Joined: 19 Oct 2007
Posts: 2537
Location: Hilbert space

PostPosted: Sun Jan 24, 2010 10:04 pm    Post subject: Reply with quote

kernelOfTruth wrote:
I think French is a bit complicated for someone from China? :wink:

It's mutual! :P
Only kernelOfTruth's locals managed a far more universal language than English!
I speak of music of course... :twisted:
cach0rr0
Bodhisattva


Joined: 13 Nov 2008
Posts: 4123
Location: Houston, Republic of Texas

PostPosted: Sun Jan 24, 2010 10:14 pm    Post subject: Reply with quote

so...basically, SELinux isn't really a *bad* idea (even though I think grsec is vastly superior, and spender from grsec has ripped SELinux a new ass repeatedly); it can just be a bit cumbersome to get working effectively on a machine that's going to be serving as a desktop or laptop. X and the miscellaneous GUI apps introduce a good many challenges.

SO, it depends largely on if you want to deal with a bit of pain getting things set up, just to protect a laptop which really isn't going to be attacked in the same fashion a server might be.

Before you decide to go through the route of building a ridiculously hardened system, you should understand the potential attack vectors.

With a laptop, unless you have something that's actually listening for an incoming connection from the outside world, what is the point of running any sort of firewall?
Also consider the limited ability of a firewall to block connections that you've initiated, and the hugely granular ruleset you'd have to have.

Personally - I don't see a point in running a firewall on a laptop. A server yes, a laptop no. Nothing is going to be connecting to my laptop anyway unless *I* initiate the connection, since I have nothing listening.

Verdict: firewall on laptop == pointless. You may use iptables if you need to do any funky routing, but none of my laptops will ever have a need for iptables.

Now, in terms of RBAC, running a hardened kernel, that sort of thing: it is not a BAD idea at all - it's just reasonably painful to get things working, and you are going to be limited in the apps you can run because far fewer desktop apps are going to play nicely with a hardened kernel+toolchain. You get to the point where you're spending so much time *relaxing* restrictions that are enabled by default (e.g. paxctl'ing half your bloody binaries) that it begs the question: am I still experiencing any of the advantages of this?

I have run servers under Gentoo Hardened for years (pax+grsec+grsec RBAC). Only once have I run a desktop under Hardened, and it proved to be such a huge pain I vowed never to do it again.

Some people are paranoid enough to do it - personally I'm less worried about my laptop being hacked/infected, than I am about it being stolen and someone getting information off of it. For this reason I have shit tonnes of crypto on here, enough to where even a chunk of government agencies are going to struggle.


Summary Verdict:

firewall == pointless
hardened == painful, not inherently a bad idea, but painful
disk crypto == absolute must
_________________
Lost configuring your system?
dump lspci -n here | see Pappy's guide | Link Stash


Last edited by cach0rr0 on Mon Jan 25, 2010 4:29 am; edited 1 time in total
d2_racing
Bodhisattva


Joined: 25 Apr 2005
Posts: 13047
Location: Ste-Foy, Canada

PostPosted: Mon Jan 25, 2010 12:44 am    Post subject: Reply with quote

kernelOfTruth wrote:
I think French is a bit complicated for someone from China? :wink:

I think English would be more understandable for the poster :wink:


Yep, but google translator is your friend and iptables rules are in English :P
Mike Hunt
Watchman


Joined: 19 Jul 2009
Posts: 5287

PostPosted: Mon Jan 25, 2010 3:10 am    Post subject: Reply with quote

cach0rr0 wrote:
Verdict: firewall on laptop == pointless. You may use iptables if you need to do any funky routing, but none of my laptops will ever have a need for iptables.


Good to know. :)
aCOSwt
Bodhisattva


Joined: 19 Oct 2007
Posts: 2537
Location: Hilbert space

PostPosted: Mon Jan 25, 2010 9:10 am    Post subject: Reply with quote

Mike Hunt wrote:
cach0rr0 wrote:
Verdict: firewall on laptop == pointless. You may use iptables if you need to do any funky routing, but none of my laptops will ever have a need for iptables.

Good to know. :)

AFAIAC it would have been even better to know that it is learning tcpdump which is pointless... :wink:
fangorn
Veteran


Joined: 31 Jul 2004
Posts: 1886

PostPosted: Mon Jan 25, 2010 9:44 am    Post subject: Reply with quote

To make things more clear:
As long as you are behind a router of any kind while connecting to the internet you are pretty safe, even without a firewall. Behind a router you are not directly accessible from the internet. So a firewall could only block accesses that are not happening. :) Problem starts when your router forwards ports to your box. But then a firewall can't do anything either, because else you could not use the port (for ssh access for example). But that is a more advanced topic.

If you are connected to the internet directly (for example through a modem/cable modem/university network/...) and therefore are reachable by any box around the world, you will have to take care of listening programs yourself (aka build a firewall).

Wireless access points usually are behind a router for internet access, so you are accessible only from participants in the same wireless network. It is up to you how much you trust them and you have to decide if you need a firewall there and then.

SELinux is another topic. It cannot hurt when set up correctly, but when done half-heartedly you will be misled into a false feeling of security and have security issues anyway. So do it or don't, but don't do it "a little".
_________________
Video Encoding scripts collection | Project page
d2_racing
Bodhisattva


Joined: 25 Apr 2005
Posts: 13047
Location: Ste-Foy, Canada

PostPosted: Mon Jan 25, 2010 1:59 pm    Post subject: Reply with quote

I enable my laptop firewall when I am at an internet cafe; I don't want to be scanned by unknown hackers while I drink my coffee :P
cach0rr0
Bodhisattva


Joined: 13 Nov 2008
Posts: 4123
Location: Houston, Republic of Texas

PostPosted: Tue Jan 26, 2010 1:09 am    Post subject: Reply with quote

d2_racing wrote:
I enable my laptop firewall when I am at an internet cafe; I don't want to be scanned by unknown hackers while I drink my coffee :P


unless you have something listening on eth0/wlan0/whatever, not really a concern.
and if you do have something listening, is it something that SHOULD be open to the whole world?

In my case

Code:

laptop02 ~ # nmap 192.168.1.122

Starting Nmap 5.10BETA1 ( http://nmap.org ) at 2010-01-25 19:05 CST
Nmap scan report for 192.168.1.122
Host is up (0.000027s latency).
Not shown: 998 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
8010/tcp open  xmpp


So, SSH I want open - I wouldn't drop incoming traffic to SSH anyway.
And what is XMPP?

Code:

Nmap done: 1 IP address (1 host up) scanned in 0.25 seconds
laptop02 ~ # netstat -anp |grep 8010
tcp        0      0 0.0.0.0:8010            0.0.0.0:*               LISTEN      21343/kopete
udp        0      0 127.0.0.1:8010          0.0.0.0:*                           21343/kopete


Ah right, so I need that open anyway.

Nothing unwanted listening, nothing to be attacked.
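The check cach0rr0 walks through above (scan, then ask what is actually bound) can be scripted. The following is an added example, not code from the thread: it parses `netstat -anp`-style output and flags bound sockets that are not confined to loopback. The sample is constructed (the two kopete lines quoted above plus made-up sshd, dnsmasq and IPv6 rows) and the regex assumes the column layout of net-tools netstat on Linux.

```python
import re
from ipaddress import ip_address

# Constructed sample in the layout of `netstat -anp`: the two kopete lines
# quoted in the thread plus made-up sshd, dnsmasq and IPv6 entries.
NETSTAT_SAMPLE = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:8010            0.0.0.0:*               LISTEN      21343/kopete
udp        0      0 127.0.0.1:8010          0.0.0.0:*                           21343/kopete
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      4120/sshd
tcp6       0      0 :::22                   :::*                    LISTEN      4120/sshd
tcp        0      0 127.0.0.1:53            0.0.0.0:*               LISTEN      1880/dnsmasq
tcp        0      0 192.168.1.122:22        192.168.1.5:51234       ESTABLISHED 4130/sshd
"""

# Columns: proto, recv-q, send-q, local address, foreign address, then the
# state (TCP only) and PID/program, which we keep as "rest".
LINE_RE = re.compile(r"^(?P<proto>tcp6?|udp6?)\s+\d+\s+\d+\s+(?P<local>\S+)\s+\S+\s+(?P<rest>.*)$")


def listening_sockets(netstat_output):
    """Return one dict per bound socket, flagging those reachable from other hosts."""
    sockets = []
    for line in netstat_output.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        proto, rest = m.group("proto"), m.group("rest").split()
        # TCP rows carry a state column and only LISTEN rows accept new connections;
        # UDP rows have no state, so every bound UDP socket counts.
        if not rest or (proto.startswith("tcp") and rest[0] != "LISTEN"):
            continue
        pid, _, program = rest[-1].partition("/")
        # rpartition keeps IPv6 literals such as ':::22' intact.
        addr, _, port = m.group("local").rpartition(":")
        sockets.append({
            "proto": proto, "addr": addr, "port": int(port),
            "program": program, "pid": pid,
            # 0.0.0.0, :: or a real interface address can be reached by other hosts.
            "exposed": not ip_address(addr).is_loopback,
        })
    return sockets


def exposed_sockets(netstat_output):
    """Only the sockets a LAN scan (or a firewall rule) could ever touch."""
    return [s for s in listening_sockets(netstat_output) if s["exposed"]]


if __name__ == "__main__":
    for s in exposed_sockets(NETSTAT_SAMPLE):
        print(f"{s['proto']:<5} {s['addr']}:{s['port']:<6} {s['program']} (pid {s['pid']})")
```

On a real box, feed it the output of `netstat -anp` run as root so the program column is populated; anything it lists is what the LAN you are on can see.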
Mike Hunt
Watchman


Joined: 19 Jul 2009
Posts: 5287

PostPosted: Tue Jan 26, 2010 2:11 am    Post subject: Reply with quote

cach0rr0,

Don't you get any brute force attacks on port 22 ?
d2_racing
Bodhisattva


Joined: 25 Apr 2005
Posts: 13047
Location: Ste-Foy, Canada

PostPosted: Tue Jan 26, 2010 2:17 am    Post subject: Reply with quote

This is my answer to brute-force SSH attacks:

Code:

#$IPT -A INPUT -p tcp -s 0/0 --destination-port 22 -m state --state NEW -m recent --set
#$IPT -A INPUT -p tcp -s 0/0 --destination-port 22 -m state --state NEW -m recent --update --seconds 600 --hitcount 3 -j DROP


After 3 attempts, I ban the IP for 10 minutes :P
aidanjt
Veteran


Joined: 20 Feb 2005
Posts: 1118
Location: Rep. of Ireland

PostPosted: Tue Jan 26, 2010 2:30 am    Post subject: Re: Is firewall or SELinux needed for my personal laptop Reply with quote

luoleicn wrote:
Hi, I have to say I know little about Linux security. When I used Windows, Kaspersky sometimes told me that it had stopped an attack from the Internet, so I think maybe I need a firewall on Linux too, but some guys told me that if I keep my Linux up-to-date it will be OK and I don't need anything. So I'm confused :?: :?:

It's only needed if you're running network exposed services. Otherwise, naw.
_________________
juniper wrote:
you experience political reality dilation when travelling at american political speeds. it's in einstein's formulas. it's not their fault.
cach0rr0
Bodhisattva


Joined: 13 Nov 2008
Posts: 4123
Location: Houston, Republic of Texas

PostPosted: Tue Jan 26, 2010 2:35 am    Post subject: Reply with quote

Mike Hunt wrote:
cach0rr0,

Don't you get any brute force attacks on port 22 ?


on my laptop? no

on most networks I'm connected to, 22 on my laptop won't even be accessible by those outside the LAN
within my LAN it's nothing but trusted machines - in the event I'm on an untrusted network, I *still* only have to worry about people within the LAN I'm on reaching my sshd, and that only in the unlikely event I actually have it running.

On my server that's another matter entirely (we had a long discussion about this on OTW recently). I do get repeated brute force attempts, and although it is not feasible for me to move to port knocking or key-based authentication, I still have zero concern whatsoever that someone will get in via SSH. You don't get bruted unless your passwords are shite. They are far more likely to attack one of the webapps I have up (though, I have those locked down tightly as can be).

Anyway, attacking ssh on my laptop is zero concern. In the few instances where sshd is up and running (trusted LAN), purely from a routing standpoint it is not reachable from the outside world.

Any attacks on my laptop are likely to be ones that I've been a catalyst for through my own ignorance (e.g. attacks on my browser, or one of my IM clients - things that no firewall is going to prevent). These would in theory be mostly mitigated by running a "Hardened Gentoo" setup, but there's the trade-off - hardened+X+any DE == pain in the ass to maintain. Given that I know enough not to click on random binaries or go to dodgy sites, and can avoid running any nefarious code consciously, not a worthwhile trade-off.
Mike Hunt
Watchman


Joined: 19 Jul 2009
Posts: 5287

PostPosted: Tue Jan 26, 2010 3:00 am    Post subject: Reply with quote

Cool, nice explanation. Thanks :)
d2_racing
Bodhisattva


Joined: 25 Apr 2005
Posts: 13047
Location: Ste-Foy, Canada

PostPosted: Tue Jan 26, 2010 1:12 pm    Post subject: Reply with quote

In fact, thanks :P
depontius
Advocate


Joined: 05 May 2004
Posts: 3509

PostPosted: Tue Jan 26, 2010 2:48 pm    Post subject: Reply with quote

Mike Hunt wrote:
cach0rr0,

Don't you get any brute force attacks on port 22 ?


Who cares? Brute-force attacks on port 22 don't get very far if you're not running sshd.

On my laptop, my default runlevel has only one service - dnsmasq - and it's only bound to loopback (127.0.0.1). I have a script hooked into dhcp, so that when I get an address assigned, I check to see where the heck I've just connected. Based on the IP I receive, I may start services like sshd, etc. If I'm at home or at work, I start sshd, tell X that I want to allow incoming connections, etc. If I'm anywhere else, nothing else gets started. No listening ports on anything but loopback, at all.
_________________
.sigs waste space and bandwidth
whitemist23
n00b


Joined: 21 Jul 2023
Posts: 2

PostPosted: Tue Aug 22, 2023 11:01 am    Post subject: Reply with quote

Firewalld is well defined for systems administration, whereas SELinux is intended for processes. SELinux can decide whether an interaction ought to talk over a specific port or not; however, the firewall is worried about how to manage the actual traffic on that port/interface.
Goverp
Advocate


Joined: 07 Mar 2007
Posts: 2007

PostPosted: Tue Aug 22, 2023 12:44 pm    Post subject: Reply with quote

whitemist23 wrote:
Firewalld is well defined for systems administration, whereas SELinux is intended for processes. SELinux can decide whether an interaction ought to talk over a specific port or not; however, the firewall is worried about how to manage the actual traffic on that port/interface.

Necropost!
_________________
Greybeard