I want to make some settings for my Linux, but I want to make these first before I learn how to handle Linux. Because I need some time to find these settings out by myself, I just thought to ask you these and then I take the other configurations for my Linux.
My Linux is installed on a USB-Stick (openSUSE-Tumbleweed-KDE-Live-x86_64-Snapshot20221019-Media). I use this Linux to try to minimize the risk of viruses on my PC. Linux should be safer against viruses than Windows, so I decided to use Linux to surf the Internet on “questionable-websites”, so that if anything happens my Windows is safe.
My first Question:
I have the possibility to switch off my hard drive (with Windows on it) in BIOS (deactivate SATA) and to run Linux.
But I hope I can make this easier and can somehow deactivate the accessibility in Linux. I want to use my Linux without access to my hard drive. So I’m searching for a way to set up Linux so that it is not possible to access the hard drive of my PC, so that Linux has no possibility to make changes to it, so that I cannot accidentally make changes on it, and so that no viruses can reach my hard drive if I get one while using Linux.
Is there a way I can “turn off” any way to reach the hard drive (or get as close as possible to this status in the settings)?
My second Question:
I want to surf the WWW on “questionable-websites” like privately administrated sites that are not public companies and have a higher risk of viruses.
I had viruses many times so that I needed to reinstall my whole PC, and now I try to save my PC as well as possible. Linux is a good solution against simple viruses while surfing. I want to give it a higher chance with security software.
Is there a good security center in Linux where I can simply set up anti-virus protection, or any software packages to install that can help against viruses?
Hehehe - this is great news for me. I thought there could be some and some anti-virus program in Linux. Was just a question. Thanks
And can you help me with the configuration how I can turn off the access to a hard drive in my PC (so that I cannot accidentally change/delete/damage it)?
I must be a bit more precise about my utterance. See e.g. http://linuxmafia.com/%7Erick/faq/. A bit dated, but still valid. You do not have to read all of it to get the message.
There are no known viruses that can act as such in Linux. Anti-virus programs work on fingerprints of known viruses, and they cannot detect a virus that is not “known” by those that fill the database of anti-virus programs.
Nevertheless you will find anti-virus programs that run on Linux, just browse with YaST > Software Management. But they only are able to detect viruses that attack MS Windows systems. They are there for those who want to detect MS Windows viruses in data that passes through their Linux system. E.g. when one runs a mail server, you could decide to run an anti-virus program on those mails and their attachments as a service to the poor MS Windows users that are going to receive those mails.
When you do not want to use the file systems that are used by the MS Windows installation on the same system, do not mount any of those file systems.
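One way to verify the “do not mount” advice above, as an added example that is not part of the original posts: the function reads a mount table in /proc/mounts format and lists every mounted partition of one disk together with its read/write mode. The sample table and the device names /dev/sda (internal Windows disk) and /dev/sdb (USB stick) are constructed assumptions.

```shell
#!/bin/sh
# Constructed sample in /proc/mounts format (not taken from the thread).
# Assumption: /dev/sda is the internal Windows disk, /dev/sdb the live USB stick.
sample_mounts() {
cat <<'EOF'
/dev/sdb2 / ext4 rw,relatime 0 0
/dev/sdb1 /boot/efi vfat rw,relatime 0 0
/dev/sda3 /run/media/linux/Windows fuseblk rw,nosuid,nodev 0 0
/dev/sda1 /mnt/recovery ntfs3 ro,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev 0 0
EOF
}

# mounts_from_disk DISK: read a mount table on stdin and print
# "device mountpoint fstype mode" for every mounted partition of DISK.
# The match is a plain prefix test on the device name.
mounts_from_disk() {
    awk -v disk="$1" '
        index($1, disk) == 1 {
            # Field 4 holds the comma-separated mount options.
            split($4, opts, ",")
            mode = "rw"
            for (i in opts) if (opts[i] == "ro") mode = "ro"
            print $1, $2, $3, mode
        }'
}

# writable_count DISK: number of partitions of DISK mounted read-write.
writable_count() {
    mounts_from_disk "$1" | awk '$4 == "rw"' | wc -l | tr -d ' '
}

# Demo on the constructed table; empty output would mean nothing is mounted.
sample_mounts | mounts_from_disk /dev/sda
```

On a running system the same function can be fed the real table with `mounts_from_disk /dev/sda < /proc/mounts`, after confirming with lsblk which device name the internal disk actually has.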
You should keep in mind that a virus is not the only “attack scenario” when you are surfing the www. Therefore using an up-to-date web browser is mandatory. Some browsers like Mozilla’s Firefox can be “hardened” (e.g. by using DoH-DNS-Servers directly; by installing addons like noscript, umatrix, privacybadger, etc.; by tweaking their configuration; …).
To give your Linux system even more protection there are tools like pam, apparmor, selinux, iptables/nftables/firewalld, dnscrypt-proxy and more. Some of them are probably already active (to a certain extent) in your Linux system.
However before you are using any of these tools or modifying their current configuration you should make yourself familiar with them. You need to understand how they work, what they can do for you and what their limits are.
And keep in mind: If you increase your “protection level” it is quite likely that your system might become “less convenient” to use (e.g. you might not be able to visit some websites; you probably have to enter passwords more frequently; …).
now I know that there are real security solutions against hacks and viruses, thank you. I can understand that these are solutions that are working well and so it is not “easy” to understand and use them. Overall I understand now that Linux is “more” secure than e.g. “Windows” and that I can even do more for the security. I think that there does not necessarily have to be an “easy-solution” (like Security-Center in Windows) because Linux is “more” secure.
I will first learn more about Linux itself and enjoy Linux first and learn to handle it.
And maybe I will learn how to make it “more” secure since I now understood that Linux is simply well secured.
These explanations you both wrote were good - thanks:
hcvv:
Nevertheless you will find anti-virus programs that run on Linux, just browse with YaST > Software Management. But they only are able to detect viruses that attack MS Windows systems. They are there for those who want to detect MS Windows viruses in data that passes through their Linux system.
susejunky:
You should keep in mind that a virus is not the only “attack scenario” when you are surfing the www. Therefore using an up-to-date web browser is mandatory. Some browsers like Mozilla’s Firefox can be “hardened” (e.g. by using DoH-DNS-Servers directly; by installing addons like noscript, umatrix, privacybadger, etc.; by tweaking their configuration; …).
To give your Linux system even more protection there are tools like pam, apparmor, selinux, iptables/nftables/firewalld, dnscrypt-proxy and more. Some of them are probably already active (to a certain extent) in your Linux system.
Maybe you both can tell me a solution for the next question:
I can see now that the internal hard drives are not “mounted” and so there is no data exchange unless I mount them. In Linux I could mount them and change them (format, create partitions, delete etc.) or simply copy files onto them. So I can also make some mistakes if I do some settings in Linux that could damage the data or Windows on my hard drive by my own fault. I am searching for a solution where I can set Linux so that it is not possible for me to make changes to the hard drive.
Is there a way that I can set Linux to never give access to the hard drives (an overall setting so that I cannot accidentally change the hard drive)?
(Would be a protection so that I cannot somehow make some mistakes)
lol! (lol because that’s some funny question to ask experts)
If you log in to any Linux system as user “root” you will be able to do whatever you like on that system. So from my point of view the only way to absolutely protect your MS Windows drives against all odds is to use different machines and never exchange data between the two.
Get a cheap second hand laptop, install openSUSE on it and use it to surf “all those dangerous websites”. As long as you never exchange any data between this laptop and your MS Windows machine and never connect the two via any sort of network there should be no way for any malware to move from the laptop to your MS Windows machine.
However keep in mind that if your MS Windows machine is connected to any network (e.g. WAN, LAN, WLAN, Bluetooth, …) and as long as you connect any external devices (e.g. USB-storage, Smartphones, …) to your MS Windows machine there are still a lot of “attack scenarios” left which have nothing to do with you surfing the internet on a separate laptop. So if your MS Windows machine needs to be absolutely safe from any attack you need to do much more than moving some of your activities to a second machine.
IMHO the only good solution is to install openSUSE on the disk on the system, overwriting what is there now. Thus there is no MS Windows anymore that can bother you. Simple and sufficient.
I was just asking for ideas and I found that the solutions from you are good. To protect Windows on a hard drive from access by another operating system there could be a solution in Windows or on the hard drive that needs protecting, and there is no special need for it. Of course an operating system (Linux and Windows) should be able to control the whole PC (and the hard drives). A setting to restrict permissions to a hard drive or to the system settings is something like on public PCs, e.g. schools/library. Yes, an overall safety/security solution like you said is a PC not running dual operating systems and using not connected PCs with control of every data in-/out-coming, and I’m looking forward to buying myself a laptop. Yes, because Linux is safer than Windows it would be more secure to just use Linux. I understood now that this solution I have got with the USB-LIVE-System is good for the security which I need. The question was if I can do more to secure it as well as possible and I’m happy now, thanks
Susejunky you told me that the Live-System has a single administrative User that I use here. Can I set up a second user account that has no administrative rights?
(So maybe this could work on a Live-System as more secure, especially if I use this user-account only to surf with the browser through the WWW and do everything else with the admin-account.)
Of course there are solutions to block access to disks and/or partitions. Write udev rules to prevent creating device files for them and they will cease to exist for all users, including root. But as you probably do not even know what udev rules are, better start with doing something and learning from that.
I use an openSUSE Tumbleweed KDE LIVE system (for rescue purposes) which was installed to an NVMe (placed in an external USB3.0-case) roughly a year ago. So all that follows will probably only apply to a comparable system.
That LIVE-system offers two users for login:
one called “linux” who has a limited set of privileges
one called “root” who has all privileges (e.g. to do system administration)
Both users “linux” and “root” do not have a password set.
When the system is started it does an automatic login for the user “linux” (who has limited privileges). Due to the fact that none of the two users has a password set it is quite easy to switch between the two and everybody who gains access to the system can become “root”.
So if you want to use a LIVE-system on a regular basis and/or to work with for a longer period it might be a good idea to set a password for the user “root” (and probably for the user “linux” as well). Disabling the automatic login will give some additional protection.
But from a security point of view there is more to be considered:
It is very likely that your LIVE-system is placed on a portable device (e.g. USB storage device) which is not encrypted (which is the default). Everybody who can get hold of the device (which might be easy for a portable device) will be able to manipulate its contents.
udev does not create device files. Today device files are created internally and exposed via devfs and udev only creates convenience aliases (links) to the canonical names.
hcvv: yes that’s right, I need to learn much and I can’t simply do such things. I ask this because these things I want to set up first and make sure of, so that I do not accidentally make some mistakes. So I have time then to learn more about Linux. I write also because if some people help me it won’t take so much time for me and I’m sure that it’s right. But it’s a good advice from you and I thank you. I will maybe look what udev rules are.
susejunky: Sorry it was a wrong interpretation. Yes, you did not write what I said, I just had it in mind that you said something like this.
What you wrote now is what I meant with something like, sorry for that. Would be better if I wrote “something like” and then what I thought that you wrote.
Thanks for the fresh start.
I will check it up.
So I give both accounts passwords.
I will look if I can set up a third account that has low “rights” like a “guest” account that cannot “mount” any devices and in the best case can make no new settings for Linux and can only use chosen programs like firefox or little games (programs I set for use) and maybe has access to a folder to store some files on the usb-stick. If this is possible. I will look and write what I have reached. Thank you so far
(The USB-STICK itself is not in danger that someone else could use it on a PC, so it is not encrypted and there’s no need for this security.)
Hey, overall now, thanks to your help community, I found a solution for me that would be all right.
It is more secure for me if I handle the user and root logins on this Linux Live operating system.
I tried now to find out how this could work. I need some help here. These things I found out:
Tumbleweed KDE Linux Live has one user which is used from the beginning: name “Live-CD User” - no password
In the ->Settings->User Settings the user-status (kind of user) shows this user with a “normal” user-status/privileges (not system administration / not root). (There are two kinds of user to choose: “normal” and “system administrator”.) But I guess it is a “system administrator” user.
I gave this user (“Live-CD User”) now a password.
If I log out from this user Linux shows me a log in screen. There “Live-CD User” is the only possible user that is shown.
But I can also type in “root” and Linux starts with a completely new desktop. So this is also a working account and it has no password.
The root account is not shown under ->Settings->User Settings (there is only the “Live-CD User” listed).
Under ->YaST->Security and User->User- and Group-administration I can set under the list “Users” the filter to “System-users” and see many possible users.
One of them is “root”. If I click on this user and click on “edit” I could select a password for it.
If I set here a password for the “root” account (and I already set a password for the “Live-CD User” account) is then Linux completely password secured (so that there is no other login without password possible)?
And (because I guess “Live-CD User” is a root account too) if I create a new user (under ->Settings->User Settings and choose under “kind of user” the “normal” option) as normal user (and give this new user a name and a password) would I have then a user that I could use to surf more securely in the web without much risk that could damage Linux/my PC?
Is this possible and does it work as a bit more secure against viruses from “questionable” websites? :\
root (UID=0), of which there is only one. Sometimes called “superuser”.
all other users (with UID≠0), by convention (thus not by the system/kernel). UID<1000 are considered as system users (also by convention), which means that many are considered never to log in and thus most users (you and I when doing our daily chores like using the bank, seeing movies, learning from Wikipedia, etc, etc.) are numbered UID>999.
There is no “system administrator” in Linux, although many people that are burdened by their Microsoft background may use the term for the Linux superuser.
Can’t you try to search for some basic “very basic” information/tutorial about Unix on the internet? We are not here to repeat or copy/paste what is already there in abundance.
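The UID convention and the “is every login password secured?” question from the posts above, as an added example that is not part of the original thread: the script classifies accounts by UID and reports whether each password field is empty, locked or set. The passwd and shadow entries are constructed samples modelled on the live system described earlier, and the function names are made up for this example.

```shell
#!/bin/sh
# Constructed sample data modelled on the live system described in the thread
# (users "root" and "linux" without passwords); these are not real files.
sample_passwd() {
cat <<'EOF'
root:x:0:0:root:/root:/bin/bash
messagebus:x:499:499:User for D-Bus:/run/dbus:/usr/sbin/nologin
linux:x:1000:100:Live-CD User:/home/linux:/bin/bash
EOF
}
sample_shadow() {
cat <<'EOF'
root::19284::::::
messagebus:!:19284::::::
linux::19284:0:99999:7:::
EOF
}

# audit_accounts PASSWD SHADOW: print "name uid class password-state" per account.
# class: UID 0 = superuser, 1-999 = system, 1000 and up = regular (convention).
# state: empty = login without password, locked = field starts with ! or *.
audit_accounts() {
    awk -F: -v shadow="$2" '
        FILENAME == shadow { pw[$1] = $2; known[$1] = 1; next }
        {
            if ($3 == 0) class = "superuser"
            else if ($3 < 1000) class = "system"
            else class = "regular"
            if (!($1 in known)) state = "unknown"
            else if (pw[$1] == "") state = "empty"
            else if (pw[$1] ~ /^[!*]/) state = "locked"
            else state = "set"
            print $1, $3, class, state
        }' "$2" "$1"
}

# run_sample: audit the constructed files above via a temporary directory.
run_sample() {
    dir=$(mktemp -d) || return 1
    sample_passwd > "$dir/passwd"
    sample_shadow > "$dir/shadow"
    audit_accounts "$dir/passwd" "$dir/shadow"
    rm -rf "$dir"
}

run_sample
```

On a real system, `audit_accounts /etc/passwd /etc/shadow` has to be run as root because /etc/shadow is not readable by ordinary users; any account reported as “empty” can log in without a password.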
That is a good explanation.
Yes I thought the “Live-CD User” account is some kind of admin in comparison to Windows because it can make many configurations. O.k. you wrote me that it is something different and that I can search for some explanations.
Yes you people are professionals and I already read your answers that have solutions for “deeper/other” questions than my simple ones.
That’s the point why I’m asking in this forum, to get an “easy” and “fast” start as a “beginner”.
I see my questions are basic and most of them I could study or just try without asking.
I will try to ask my questions in another public forum before I simply try settings, because I always think I could damage my Windows installation on my HDD (that already happened years ago because I was not asking) and because I will start to learn more about Linux after I have done these security settings and while I can work and browse with Linux. Anyway I can understand you (this is more a beginners tutorial topic) - Thanks for the explanations
Yes I see this as the best solution too. I will buy me a laptop sometime. I wanted the USB-Stick as a solution until I got one (I thought this could be a simple and fast working solution but it takes some time for me). Maybe I try to install a “normal” (not Live) Linux on the USB-Drive again. I have also the choice to “disable” the SATA-Controller in BIOS but this is a solution that is simply not right. Thanks for the help Susejunky.
I installed now Leap 15.4 as a normal installation (not a Live-System). Now everything (virus security, internal device security) is working well, Linux is not so “reachable” for viruses and there is no accidental access to my Windows installation on an internal hard drive because it can’t be mounted from a user account without the privileges of the root account and the needed password. It was a good try with the live system but the normal system is better I guess