Hello. I’m planning to move from Windows 7 to Linux, because I’m disappointed by the newer Windows versions. I have used Mint & Ubuntu MATE before, but I heard about the strength of the YaST tool in openSUSE, so I will try it (but I will probably install the MATE desktop).
And I’d like to ask for security suggestions for a home user. I’m an inexperienced Linux user, and I expect to do things through a GUI, but I’m also a paranoid Windows user familiar with cracked games full of viruses (and never got a serious infection).
Mainly I ask about defense against 0-day attacks. You will say: download only from trusted sources. Ok. But it is possible that someone will hack the site of a trusted software developer and put malware on it. For example, you remember there was a situation when someone hacked the Linux Mint website and put up fake, virus-infected ISOs.
And imagine viruses in software plugins (for example, Python add-ons for Blender). They can also be a target of attacks.
I think the most annoying thing is the lack of security GUI tools for Linux. Antivirus is not enough in modern days.
First, apps should be blocked from internet access. Only trusted apps like the browser or system updates should be allowed. So there is a need for a firewall controller with popups.
And is there any HIPS (Host Intrusion Prevention System) for Linux?
That gives me a popup when something strange happens and blocks it until I allow it manually.
On Windows I’m using Comodo Firewall which is combo of Firewall & HIPS.
And something for program sandboxing (like Sandboxie) to isolate programs from the system?
Or is something like program permissions on Android possible on standard Linux? For example, don’t allow access to the second HDD by default, or don’t allow the microphone or USB devices?
Many people say, Linux has no viruses, but it’s not true. See (Linux malware - Wikipedia)
And this list will grow when Linux has more users.
I have been using Linux for 23 years and I have never had any problems. My security includes different strong passwords for both the root and users, only downloading software from openSUSE, installing patches and updates as soon as possible after they arrive, backing /home up on a weekly basis and storing the backup at a different physical location and not clicking on anything, whether in an email or on a website, which I am not sure about. Over recent years, most browsers and email clients in Linux will warn you if they suspect there is a problem.
So could I ask for any example (preferably the GUI way) of how to configure the openSUSE firewall to do this:
1. Block all programs’ incoming and outgoing connections except one (e.g. Firefox)
2. Block all exes run by WINE from internet access
Neither of this is possible using standard kernel netfilter (which is what all Linux firewalls use). I could imagine something using network namespace, but there is no provision to run each command in separate namespace in openSUSE. You may look at Qubes which does run each command in separate environment and provides firewall settings for it. I do not know if it also implements interactive “open on request” popups.
IMHO you should try to re-think a lot of what you are after. Switching from Windows to Linux requires a complete fresh insight. The simple saying is: forget everything you know about computers and start anew.
Unix/Linux is a multi-user, multi-session operating system. Now that is easy to say, but it is not so easy to understand the consequences of this. It is far reaching.
E.g. talking about a “personal firewall” is confusing. Most people understand this as a firewall on their “personal computer”. But in Unix/Linux “personal computer” is not a defined term. It is just the computer and it runs Unix/Linux. Hardware ranges from supercomputers in a data center to hand-held systems.
Yes, apart from the firewall that separates your LAN from the Internet, you also can have a firewall on your desktop/laptop/notebook with Linux. But it is something on the system level (and thus for all users) and not on the individual user level. Do you call that “personal”?
And remember that the system firewall on Linux is basically a real firewall that you can configure to let a system act as a “firewall”, complete with external, internal and demilitarized zones and port forwarding, etc. Usage on a desktop within a LAN is mostly only a subset from the features (just to allow some services and block others, incoming and outgoing).
And maybe you should get less “paranoid” as you call it. Most Linux users will not be very impressed by such a goal. I e.g. do not even run a firewall on my systems. I depend on the functionality of the firewall in my router and on the fact that I manage all the systems in my LAN.
Also I (in my function as system manager) do not start network serving programs that are not needed, thus limiting the number of open ports. Also the few services used (ssh, rsync, …) have configurations that allow access only from limited IP addresses. Once done, there is not much to manage. Maybe check open ports every now and then.
IMHO you should try to understand what OP asks. It is very simple - prevent rogue program from silently accessing Internet, i.e. block outgoing connections by default except for some whitelisted programs. There is no need for preaching how far more advanced Linux is (which it is not) - just show how to do this very simple task.
I do not see how “personal” vs. “system” vs. “multi-user” is relevant here.
Here is some continuation, since the topic was accidentally deleted:
The solution is to use user groups to block internet access.
It could be good, and I will try it, but it is still not simple and friendly.
And now imagine yourself as a 10-year-old child who just wants to run an online game, who is also the admin of the system and takes care of viruses (as I was with my XP machine 15 years ago). What firewall is easier to learn for this child?
You don’t like Windows and Microsoft, I understand. They are spying, they are forcing strange interface solutions, and they don’t let people decide, but they were not always so bad. Have you tried running Win95 in a VM? Did you see the installer? It lets the user choose software, just like the openSUSE installer. One of the options was to keep the Win3.1 interface…
But take a look at Android. I was an Android user before I first tried Linux (it was Mint). I was disappointed it doesn’t have program permissions like Android. Ok. Google is a more awful company than MS. But the app permission system is a very good idea. Even a child can use it, if they care about privacy & security. Btw. I have a rooted and ungoogled smartphone.
I think Linux developers in the future should think about something like program permissions (but with an option to block internet).
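The user-group approach mentioned above, as an added example that is not from the thread: netfilter’s owner match rejects outbound packets from any process whose group is a dedicated “no network” group, and a wrapper starts a program (e.g. a WINE game) under that group. It assumes iptables/ip6tables and the `sg` utility are present; the group name `nonet` is a constructed placeholder, and root is needed only to apply the rules, not to build them.

```shell
#!/bin/sh
# Added example (not from the thread): per-program outbound blocking via a
# dedicated group and netfilter's owner match. "nonet" is a placeholder name.
NONET_GROUP="${NONET_GROUP:-nonet}"

# Emit the rules that reject outbound traffic from processes running as group $1.
# Loopback stays allowed so local IPC (X11, pulseaudio sockets) keeps working.
nonet_rules() {
    grp="$1"
    for cmd in iptables ip6tables; do
        printf '%s -A OUTPUT -o lo -m owner --gid-owner %s -j ACCEPT\n' "$cmd" "$grp"
        printf '%s -A OUTPUT -m owner --gid-owner %s -j REJECT\n' "$cmd" "$grp"
    done
}

# Apply the rules (needs root); creates the group first if it does not exist.
nonet_apply() {
    getent group "$NONET_GROUP" >/dev/null || groupadd "$NONET_GROUP"
    nonet_rules "$NONET_GROUP" | while read -r line; do
        # Each line is a complete iptables command; word splitting is intended.
        $line
    done
}

# Run a program with $NONET_GROUP as its primary group, so every socket it
# opens is owned by that group and hits the REJECT rule, e.g.:
#   nonet_run wine game.exe
# The invoking user must be a member of the group for sg to succeed.
nonet_run() {
    exec sg "$NONET_GROUP" -c "$*"
}

# Self-check helper: number of rules produced (accept + reject, IPv4 + IPv6).
nonet_rule_count() {
    nonet_rules "$1" | wc -l | tr -d ' '
}

case "${1:-}" in
    apply) nonet_apply ;;
    run)   shift; nonet_run "$@" ;;
    show)  nonet_rules "$NONET_GROUP" ;;
esac
```

These raw rules are not persistent; on openSUSE with firewalld, the same owner-match rule can be added permanently with `firewall-cmd --permanent --direct --add-rule ipv4 filter OUTPUT 0 -m owner --gid-owner nonet -j REJECT`. Note that the check is on the socket’s group, so a process that can change its own group (i.e. one already running with privileges) is not constrained by it.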
@JamSpam set up Pi-hole in a container (I use a Raspberry Pi 3) and use that as the DNS: https://pi-hole.net/ You can blacklist any site; it is not just an ad blocker…
One of links in your other topics mentioned OpenSnitch; I do not know if it satisfies your requirements, but the first feature in README is “Interactive outbound connections filtering”. Looking in the documentation, rules may include
process.path (the path of the executable)
process.id (the PID)
process.command (full command line, including path and arguments)
and it has interactive popups “Whenever a process wants to establish a new connection, OpenSnitch will prompt you to allow or deny it”. Seems to do exactly what you want.
But in the YaST firewall config, I just click the public zone (which only allows dhcpv6), accept, and that’s enough? Is the firewall configured?
As I read, SSH is something to do with remote desktop? So if it’s not in the allowed list, all remote attacks will be blocked?
Of course not. You probably need to step back (actually I suspect you need to take a lot of steps back) and define your threat model and what you are trying to defend against. Only then makes it sense to start looking for tools to do it.
No, but, you could block WINE from accessing the network – possibly – see below …
The 1st wish:
You may, possibly, be able to use AppArmor to deny network access to specific applications:
<https://unix.stackexchange.com/questions/135115/apparmor-profile-deny-internet-access>
AppArmor Profile – add “#include <tunables/global>” to the top of each relevant Profile file, and then in each Profile for the applications to be denied Network access, include –
For some reason I never thought of running that for Linux, as I think I know what is going on, but yes, checking is better than trusting. I saw there is also something for Linux: