Security suggestions for home paranoic

I keep Win10Pro on a different SSD to remind me how good I have it with OSS 15.4: It’s the same differences between a truly free / democratic nation vs a communist country. As a novice who has used linux for over a decade, all the security of the 2nd amendment of the U.S. Constitution is there with only the borders that you can open (secure and insecure) including an idiot proof recovery system (system snapshots).

You can use openSUSE MicroOS to minimize the attack surface, as this system is immutable.

Run all you can inside containers (Docker, Podman, Flatpak). Run apps as a non-root user.

openSUSE packages have signatures; if someone wants to tamper with a package, its signature will be broken. Don’t trust any signing keys you don’t know. Don’t add any repositories you do not trust. Don’t install random things.

Encrypt your drives with LUKS, if your device is stolen, your data is mostly safe.

You can use AdGuard Home, which is more friendly than PiHole. AdGuard blocks tracking and also some malware, but only at the DNS level.

You could also look into OPNsense, if you want a firewall for your network.

Avoid products from certain countries/companies, they all phone home.

1 Like

I do this with every new install and add them to this file, which you will have to create. You can google to see what exactly they do. Hope it helps.

sudo nano /etc/sysctl.d/70-yast.conf

net.inet.tcp.rfc1323=0
net.inet.icmp.timestamp=0
vm.swappiness=0
kernel.randomize_va_space = 2
fs.suid_dumpable = 0
hard core 0
kernel.exec-shield = 1
net.ipv4.ip_forward = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.icmp_ignore_bogus_error_responses = 1

also install things like
install
firejail
jondo
unbound
and use encrypted DNS or at least Cloudflare and a trusted VPN like Mullvad.
and maybe consider using a router with a custom firmware like dd-wrt or openwrt or tomato

I’ll save a google search. These settings either have nothing to do with security, or are set to their current default values or don’t even exist or belong on limits.conf.

Did you even try to do any research? They have a decent level of security to them. For example, net.inet.icmp.timestamp=0 makes it so the packets your computer sends to a router don’t have a timestamp on them. Just do some research instead of making a useless post and further keeping people from living in a more private and secure world. Thanks.

I’m sorry you took it that I want to prevent people from making their computing more secure. Quite the contrary. I pointed out that a system wouldn’t become more secure with those settings applied. I’m talking about real, effective security, not imaginary security from switching random settings for any random operating system.

Anyway, I followed your advice and did some research on the specific net.inet.icmp.timestamp sysctl setting. I was hoping it was a deprecated/renamed setting. Much to my surprise, it used to apply to Mac OS.
What would be the benefit of promoting such ineffective suggestions? In case you still insist, then explain why setting it results in an error:

$ sudo sysctl -w net.inet.icmp.timestamp=0
sysctl: cannot stat /proc/sys/net/inet/icmp/timestamp: No such file or directory
2 Likes

Run;

sysctl -a | grep -wE "net.inet.tcp.rfc1323|\
net.inet.icmp.timestamp|\
vm.swappiness|\
kernel.randomize_va_space|\
fs.suid_dumpable|\
kernel.exec-shield|\
net.ipv4.ip_forward|\
net.ipv4.conf.all.send_redirects|\
net.ipv4.conf.default.send_redirects|\
net.ipv4.conf.all.accept_redirects|\
net.ipv4.conf.default.accept_redirects|\
net.ipv4.icmp_ignore_bogus_error_responses"
fs.suid_dumpable = 0
kernel.randomize_va_space = 2
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.icmp_ignore_bogus_error_responses = 1
net.ipv4.ip_forward = 0
vm.swappiness = 0

this may help

https://madaidans-insecurities.github.io/guides/linux-hardening.html#kernel
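The `sysctl -a | grep` check above shows which keys the kernel actually has; the following script generalizes it. It is an added example, not code posted by anyone in this thread, and it audits a sysctl.d-style file before it is trusted: for each `key = value` line it reports whether the key exists under /proc/sys, whether the kernel already holds that value (so the line changes nothing), or whether the line is not a sysctl at all. The optional root-directory argument, the `build_demo_tree` and `write_demo_conf` helpers, and the constructed sample file (which mixes lines from the thread with the `net.ipv4.icmp_echo_ignore_all` key, the setting that makes a system stop responding to ping) are all assumptions added for the demonstration.

```shell
#!/bin/sh
# Added example, not code from anyone in the thread: audit a sysctl.d-style file
# against the kernel's /proc/sys tree before trusting it. Each "key = value"
# line is classified as ALREADY (kernel already has that value), CHANGE (value
# differs), MISSING (no such key on this kernel) or MALFORMED (not key=value).
# The optional second argument (root dir, default /proc/sys) is an assumption
# added so the function can be exercised against a constructed tree.

check_sysctl_file() {
    file=$1
    root=${2:-/proc/sys}
    problems=0
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in ''|'#'*|';'*) continue ;; esac   # skip blanks/comments
        key=$(printf '%s' "$line" | sed -n 's/^[[:space:]]*\([^=[:space:]]*\)[[:space:]]*=.*$/\1/p')
        val=$(printf '%s' "$line" | sed -n 's/^[^=]*=[[:space:]]*\(.*\)$/\1/p' | sed 's/[[:space:]]*$//')
        if [ -z "$key" ]; then
            # e.g. a limits.conf line such as "hard core 0" pasted into sysctl.d
            echo "MALFORMED  $line"
            problems=$((problems + 1))
            continue
        fi
        # sysctl.d keys map to /proc/sys by turning dots into path separators
        # (keys whose components themselves contain dots, e.g. interface names,
        # need the slash form and are not handled here)
        path="$root/$(printf '%s' "$key" | tr . /)"
        if [ ! -e "$path" ]; then
            echo "MISSING    $key  (no $path on this kernel)"
            problems=$((problems + 1))
        else
            current=$(cat "$path" 2>/dev/null)
            if [ "$current" = "$val" ]; then
                echo "ALREADY    $key = $val"
            else
                echo "CHANGE     $key: current '$current' -> requested '$val'"
            fi
        fi
    done < "$file"
    return "$problems"   # number of MISSING + MALFORMED lines (0 = file is clean)
}

# Constructed fake /proc/sys tree with three keys, used for the demo below.
build_demo_tree() {
    mkdir -p "$1/kernel" "$1/net/ipv4"
    echo 2 > "$1/kernel/randomize_va_space"
    echo 0 > "$1/net/ipv4/ip_forward"
    echo 0 > "$1/net/ipv4/icmp_echo_ignore_all"
}

# Constructed sample file mixing lines from the thread with one real change.
write_demo_conf() {
    printf '%s\n' \
        '# constructed sample sysctl.d file' \
        'kernel.randomize_va_space = 2' \
        'net.inet.icmp.timestamp=0' \
        'hard core 0' \
        'net.ipv4.ip_forward = 0' \
        'net.ipv4.icmp_echo_ignore_all = 1' > "$1"
}

# Stand-alone demo against the constructed tree. Against a real system, omit
# the second argument: check_sysctl_file /etc/sysctl.d/70-yast.conf
demo=$(mktemp -d)
build_demo_tree "$demo"
write_demo_conf "$demo/demo.conf"
check_sysctl_file "$demo/demo.conf" "$demo"
rm -rf "$demo"
```

On the constructed input the two lines already at their kernel values come back as ALREADY, the Mac OS key as MISSING, the limits.conf line as MALFORMED, and only `net.ipv4.icmp_echo_ignore_all` as a CHANGE; the exit status counts the MISSING and MALFORMED lines, so a non-zero return means the file contains lines that will never take effect.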

Hi, on Tumbleweed these are already set;

kernel.randomize_va_space = 2
net.ipv4.icmp_ignore_bogus_error_responses = 1

I don’t use swap so swappiness is 0…

As you can see some of the options you set don’t exist…

I know some were examples, but again, hope this helps anyone who wants to do these kinds of things for security/privacy.

Personally, I find it helpful when making suggestions like this to include why you’re suggesting them.

That helps someone who’s looking to harden their system understand the benefits of the suggestions you’re making.

For example, what is the benefit of disabling timestamps on ICMP packets sent from your machine? According to the research that I found, this is a low-risk vulnerability that can be used only when the system authentication uses a time-based authentication protocol. Most Linux desktop installations don’t use that kind of authentication method, so this parameter being changed is generally pointless from a security exposure standpoint.

Your description:

is actually not correct. It doesn’t turn off timestamps for all traffic from your system to a router - it specifically is related to ICMP (ie, ‘ping’) traffic only - and if the timestamps were removed only between your router and your desktop, that doesn’t affect anything outside of your network.

It would be far simpler to just configure your system to not respond to ping (which solves both this issue as well as helping to limit device discoverability within your network, should someone compromise the network and start running tools to enumerate network resources as part of a network-wide vulnerability scan).

3 Likes

I explained the benefit: it’s so your packets won’t send out timestamp data. I’m not gonna re-google every single little thing. Just do some research; I gave you the tools, but it’s up to you to use them. Thanks, have a good day.

That is simply incorrect. If you’re going to weigh in with advice, please at least do so by not providing bad advice and then saying “do your own research as to why it’s good”. You’re asserting that it’s beneficial in opposition to people who know what it actually does, so the burden of proof is on you to demonstrate why your answer is not factually incorrect.

As I stated, that particular setting only affects ICMP packets - not all traffic from your workstation, and the CVE that it applies to (CVE-1999-0524) is very, very specific about the vulnerability being a low risk vulnerability that only applies to time-based authentication methods, which the vast majority of Linux desktop users are not using.

When providing advice to someone who is looking for best practices, explaining why you’re giving the advice is very important. Telling them “do your own research” is not in the spirit of open source, nor is it helpful to those who have no doubt already spent time googling and are looking for the input of people with actual experience.

Let’s look at another of the supposed “security enhancements” you suggested - installing some specific software packages (install, firejail, jondo, and unbound).

Leaving out for a minute that “install” is a generic enough term that nobody’s likely to have any idea what you’re referring to, simply installing these applications won’t give you any security benefit. They would need to be specifically configured to provide specific benefits - something that you have not spelled out. So, someone who’s completely green with Linux is going to think, based on what you’ve provided, “oh, if I install firejail, I’m going to be secure”. But in actuality, using this application requires you to create security profiles for each application you want to be protected from being exploited. Configuring those profiles - much like AppArmor or SELinux, requires some pretty detailed knowledge of how the application works and what it does. Sure, Firejail says that it’s not as hard to configure as SELinux, but that doesn’t mean that it’s trivial to use, and certainly is not just a matter of installing it in order for your system to be secure.

Using JonDo - which is an anonymizing proxy service - is less about local security and more about privacy - but systems like that (and Tor, and any VPN service on the planet that you don’t run personally) are all about trust of a third party. So, if you use those services, do you trust them? Why do you trust them? What constitutes trust of those providers? Some VPN services say they don’t keep logs, but how do you know they don’t?

These are all important questions the OP needs to be considering as they address their paranoia about being online. You suggest using routers with open firmware as well - I can tell you that that alone is not sufficient (FTR, I use a router with openWRT on it, and I have a travel router that I use when I’m on the road that also has openWRT on it) - you have to configure it properly. Just because it’s open doesn’t mean you can just assume the default configuration is secure for your use case.

6 Likes

Did you even bother to read any of the documentation I provided you? Please just stop. I’m trying to help the OP, and you are not providing anything useful when you make my posts seem disingenuous. Please stop. This is getting to be too annoying and childish to deal with. Again, do some research, just take a deep breath and relax, we can all get along. Have a nice day.

I’m amazed that, the openSUSE Security and Hardening Guide has been dismissed with –

It will take weeks to read it

Yes, there’s loads of additional material on “The Net” and, also on Bulletin Boards and also in News Feeds …


Bottom Line:

  • “In at the deep end” Linux security ain’t easy – it’s complex and, it’s difficult to administrate – it needs additional security which ain’t part of the Operating System as such …
    Such as, secure physical access to each machine’s console and, the machine’s hardware.
    Plus, secure network access to the machine.
    Plus, security screening of the staff who are assigned to perform the backups.
    Plus, secure storage of the backups …
1 Like

yea but what can ya do except try and be helpful oh well life goes on

Well, I did - and I’ve been doing Linux and general computer security for decades. You provided suggestions and then instead of explaining why to the OP they should do these things, you just said “google it”.

I actually did research the things you suggested, and applied my experience to the analysis of the answers you provided, and the suggestions you made are really specific things for very specific situations that don’t seem to apply here.

Your suggestion to disable packet timestamps (which, again, is not what the suggestion you made actually does) applies to a very narrow and specific setup. If you’re not using a time-based authentication method (which most people don’t), this suggestion does nothing to improve security at all.

Your suggestion to “use a router with open firmware” lacks context and specifics; as I said, just because it’s open doesn’t mean it’s secure. If you don’t configure it to be secure, you’re making things worse, not better, from a security standpoint (worse because if you don’t understand the router firmware settings and leave something open that you shouldn’t, you’ve just opened yourself up to a new security attack vector that may not have been previously present).

When talking about security topics, being accurate and complete is actually important. Telling people to do things without explaining why, and then telling them to ‘google it’ is not helpful.

I understand that you want to help. So help the OP. Make recommendations and explain why - or at least provide references that you found helpful rather than saying “the info is out there; just go find it.” That’s not particularly helpful to someone who’s learning.

2 Likes

…silenced by facts…

1 Like