Bulletproofing OpenSUSE?

I guess that the default settings are more than enough for most people, but as my windows machine has been recently hacked by a retard that works for accenture (last week I removed another trojan) I wonder the settings, the programs/services that I should install or remove to get openSUSE to a new level of security. I mostly use firefox. Thanks in advance.

Linux.com :: Running Windows viruses with Wine

Just use an anti virus on your Linux machine. To keep from infecting a windows machine.

That’s what you hear all the time, ha, ha. Sadly you can’t get rid of windows yet, in my case there are no linux drivers for my dell 964 printer.

Any security tweaks for those really paranoid people out there?

I guess I don’t entirely understand what the issue is here. Viruses
from windows won’t likely run in Linux unless they are made to be
cross-platform (difficult at best). Assuming you are following all the
basic computing rules that apply to any operating system including least
privileges (don’t run as a privileged user… almost ever), being smart
about your browsing/downloading/emails (don’t go bad places, get bad
things, or open e-mail from people you know and NEVER open an attachment
you aren’t expecting, even from people you know as address books are
accessible to viruses as much as the user on the system) and possibly
run antivirus software (there are native options for Linux like AVG) you
should be fine. The default firewall blocks everything so if you open
ports do so taking the necessary precautions but you should be fairly
safe from outside attacks.

There are lots of “hardening” books, papers, etc. online and in stores
that you can investigate. I’d start online just because it’s fast and free.

Good luck.

opensusejunkie wrote:
| That’s what you hear all the time, ha, ha. Sadly you can’t get rid of
| windows yet, in my case there are no linux drivers for my dell 964
| printer.
|
| Any security tweaks for those really paranoid people out there?
|
|

The easiest way would be to stay out of Windows. :smiley:

I think openSUSE is pretty secure. You can use decent passwords and keep current on the updates and you should be O.K… I have been running it since 9.1 and never had any issue with being hacked, virus infections, malware, etc. and all I did was follow standard practices.

If you are running a server that has ports open to the public, then you might want to do some hardening, but otherwise, it seems like a lot of unnecessary work.

ClamAV, any windows virus should be destroyed, so you don’t have to worry about them going to windows, while being downloaded on linux :wink:

Honestly though, the SuSE firewall works fine, just follow these rules:

  1. Never run anything as root/su, unless you’re sure you can trust it
  2. Don’t try building anything, almost everything you will ever need can come from packman, or the build service search

That said, if you do ever indeed run a virus as a user, it can only harm whatever that user has access to, I would recommend shutting the computer off, then log in as root, start yast, delete the account, and keep the files, after you make a new one, delete the virus and everything should be back to normal :slight_smile:

AppArmor, firewall, and anti-virus if you share anything with Windows.

AppArmor is amazing. Check out the administration guide and the wiki as well as the AppArmor profile exchange

On Wed, 18 Jun 2008 15:04:58 GMT
“ab@novell.com” <ab@novell.com> wrote:

> I guess I don’t entirely understand what the issue is here. Viruses
> from windows won’t likely run in Linux unless they are made to be
> cross-platform (difficult at best). Assuming you are following all
> the basic computing rules that apply to any operating system
> including least privileges (don’t run as a privileged user… almost
> ever), being smart about your browsing/downloading/emails (don’t go
> bad places, get bad things, or open e-mail from people you know and
> NEVER open an attachment you aren’t expecting, even from people you
> know as address books are accessible to viruses as much as the user
> on the system) and possibly run antivirus software (there are native
> options for Linux like AVG) you should be fine. The default firewall
> blocks everything so if you open ports do so taking the necessary
> precautions but you should be fairly safe from outside attacks.
>
> There are lots of “hardening” books, papers, etc. online and in stores
> that you can investigate. I’d start online just because it’s fast
> and free.
>
> Good luck.
>
>
>
>
>
> opensusejunkie wrote:
> | That’s what you hear all the time, ha, ha. Sadly you can’t get rid of
> | windows yet, in my case there are no linux drivers for my dell 964
> | printer.
> |
> | Any security tweaks for those really paranoid people out there?
> |
> |
Hi
You could also look at nessus, it’s available for 10.3, would assume
one for 11 wouldn’t be far away.

http://www.nessus.org/nessus/


Cheers Malcolm °¿° (Linux Counter #276890)
SLED 10.0 SP2 x86_64 Kernel 2.6.16.60-0.23-smp
up 7 days 13:21, 0 users, load average: 0.13, 0.10, 0.09
GPU GeForce 8600 GTS Silent - Driver Version: 173.14.09

You could also put a hardware firewall in front of your computer, as I did. I used ipcop. All you would need to do this is an older computer (pentium 2 or 3, or even pentium 1), with at least 16 MB of ram, an old hard drive or flash drive even, and it could even be fanless to limit the noise. IPCop.org :: The bad packets stop here!

yes you can make more secure, if you want added security you need SELinux. very very hard to set up though in my opinion, but it’s very very good. maybe you are a little too paranoid, for general good security a good root password is needed, never ever log in as root, and only install things from a trusted source and you will be fine. stop thinking the windows way :smiley:

in my opinion for a normal desktop, linux as it is is secure enough for what most people need, SELinux takes it to the next level which is not needed for most people, maybe for top secret info like nasa or something.

I’m not sure I’d say AppArmor or SELinux were just for NASA or
super-secret orgs, but aside from the default AppArmor policies anything
additional is probably overkill for home users to try and tinker with
unless they are planning to use those skills for a server that will be
accessible to potentially untrusted users (employees, the Internet,
in-laws… in that order ;-)).

Good luck.

thestig wrote:
| yes you can make more secure, if you want added security you need
| SELinux. very very hard to set up though in my opinion, but it’s very
| very good. maybe you are a little too paranoid, for general good
| security a good root password is needed, never ever log in as root, and
| only install things from a trusted source and you will be fine. stop
| thinking the windows way :smiley:
|
| in my opinion for a normal desktop, linux as it is is secure enough for
| what most people need, SELinux takes it to the next level which is not
| needed for most people, maybe for top secret info like nasa or
| something.
|
|

I have the easiest method of all. This method is so advanced it works for every operating system (Yes, including windows) it is guaranteed to bulletproof your computer as long as the step is followed. It is also very simple to use. All you have to do to keep your data safe is:

unplug your internet.
http://help.insightbb.com/images/help/general/networkcard_connect.jpg
that is the only true guaranteed way of keeping your stuff safe.

  • do a custom install and install only what you need
  • disable “services” that you do not use
  • use a separate root account with a complex password and no passwordless sudo
  • have a complex user password and change it once a month
  • tweak the linux firewall
  • do not start a window manager (for a server) and if you must anyway start just what you need or use a lighter WM like XFCE or openbox
  • use less (3rd party) browser addons or a more secure browser
  • use tripwire to check for modified files
  • install on an encrypted filesystem
  • install / on a separate partition from /home
  • use AppArmor or preferably SELinux
  • use CentOS 5.x/debian for really stable, secure and patched binaries.
  • use WPA2 for wireless

cheers,
stefan
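
Three items from the checklist above (no passwordless sudo, / on a separate partition from /home, and no unused services left listening) can be checked mechanically. The following script is an added example, not part of any post in this thread; the function names and the sample sudoers, mounts and TCP tables are constructed for illustration, and the address check assumes a little-endian (x86) host.

```shell
#!/bin/sh
# Added example: checks three checklist items against files in the formats of
# /etc/sudoers, /proc/mounts and /proc/net/tcp.

# Print active (non-comment) sudoers rules that carry the NOPASSWD tag.
nopasswd_rules() {
    grep -E '^[^#]*NOPASSWD[[:space:]]*:' "$1"
}

# Succeed if /home is its own mount point in a /proc/mounts-style file.
home_is_separate() {
    awk '$2 == "/home" { found = 1 } END { exit !found }' "$1"
}

# Print TCP ports in LISTEN state (st == 0A) bound to a non-loopback address.
# Assumes little-endian hex addresses (x86), where 127.x.x.x ends in 7F.
exposed_ports() {
    awk '$4 == "0A" { split($2, a, ":"); if (a[1] !~ /7F$/) print a[2] }' "$1" |
    while read -r hex; do printf '%d\n' "0x$hex"; done | sort -n
}

# Write constructed sample inputs (not taken from any real host) into "$1".
make_samples() {
    cat > "$1/sudoers" <<'EOF'
# %wheel ALL=(ALL) NOPASSWD: ALL
root ALL=(ALL) ALL
alice ALL=(ALL) NOPASSWD: /sbin/reboot
EOF
    cat > "$1/mounts" <<'EOF'
/dev/sda2 / ext3 rw 0 0
/dev/sda3 /home ext3 rw 0 0
EOF
    cat > "$1/tcp" <<'EOF'
  sl  local_address rem_address   st
   0: 00000000:0016 00000000:0000 0A
   1: 0100007F:0277 00000000:0000 0A
   2: 00000000:006F 00000000:0000 0A
   3: 0F02000A:A1B2 0101A8C0:01BB 01
EOF
}

d=$(mktemp -d)
make_samples "$d"
echo "Passwordless sudo rules:"; nopasswd_rules "$d/sudoers" || echo "  none"
home_is_separate "$d/mounts" && echo "/home is a separate mount" || echo "/home shares a filesystem"
echo "Ports listening on non-loopback addresses:"; exposed_ports "$d/tcp"
```

To audit a real machine, pass `/etc/sudoers` (as root), `/proc/mounts` and `/proc/net/tcp` to the three functions instead of the sample files; each port reported is a service to either disable or cover with a firewall rule.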