Manjaro Difference between revisions of "Linux Security"

From Manjaro
imported>Tele
m (add template Box...)
 
(12 intermediate revisions by 4 users not shown)
Sections present in the earlier revision and removed by this edit (the sections kept in the latest revision are shown once, below):

=Understand the Internet=

==DNS==
Computers know where to send data by IP address, but we type names rather than addresses into the browser. The browser asks DNS servers which IP address belongs to a given name. DNS can be the target of an attack: if an attacker can forge or alter that answer, the browser is sent to a server the attacker controls.

==VPN==
A well-designed VPN can protect against attacks on a local Wi-Fi network, because its two main advantages are that the traffic is encrypted and that the data is requested from a specific IP address (the VPN server's) rather than from the local network.

==HTTPS==
I have doubts about its safety, but it certainly has great advantages.
* The main advantage is encryption of the data in transit. For example, a password submitted in a form is encrypted on the wire; a password should still not be put in the link itself, because the URL ends up in browser history and server logs.
* The certificate lets the browser, and you, verify that the web page really comes from the site it claims to be.

=Understanding Checksum=
Checksums are used to validate processed data and files. By comparing a file's checksum with a known-good value you can detect changes to the file, but the method is not perfect:
* Two different inputs can produce the same checksum. This is called a collision. The probability depends on the size of the hash output, not on the size of the file (for a 256-bit hash an accidental collision is practically impossible). A hash function for which collisions can be constructed deliberately is a security defect, because it can no longer tell two files apart reliably.
* The algorithms MD5, SHA-0 and SHA-1 are not recommended, because collisions have been found for them. Use SHA-256 or stronger.
* Servers store password hashes instead of passwords, because a good hash is practically impossible to reverse. An attacker who obtains the hashes can still guess passwords and hash each guess, which is why passwords are stored with slow, salted password hashes rather than plain checksums.
* Hash functions chosen for detecting changes in files, rather than for encryption, are used to detect changes to the system. Sample programs for checking file integrity are Tripwire and AIDE.

List of hash functions: https://en.wikipedia.org/wiki/List_of_hash_functions#Unkeyed_cryptographic_hash_functions

=Understanding GPG keys=
* They can be used to encrypt messages with asymmetric encryption. In theory, a thief who steals the encrypted message and the public key is still unable to decrypt the message, because only the private key can; therefore this method is considered very secure, as long as the private key stays private.
* Keys are also used to sign files. A signature by itself does not give a file a high level of safety: it proves who signed the file and that it has not been modified since, not that its contents are harmless. It is useful for checking which package repository a package comes from when several repositories are used, provided you have verified the signing key itself.

=Understanding processes=
* You can change the priority of processes (nice, renice).
* You can display the process tree with the '''pstree''' command.
* You can check which file a process was started from. You can also check which package a file belongs to.
* You can detect "zombie" processes. They cannot be killed directly; they disappear once their parent process reaps them or is itself terminated.
* You can limit the maximum number of processes a user may run (ulimit -u). This is protection against a fork bomb attack, but it does not guarantee system stability if the process that hits the limit is one the system depends on.
* "'''Sandbox'''" is a security mechanism for separating running programs, usually in an effort to mitigate system failures or software vulnerabilities from spreading. I heard about two. The first is to set up a separate account with restricted rights for programs. The second is '''Firejail''', but when I tested it, it did not work efficiently: during system start all rules are loaded, instead of only those for the programs that will be running. You can also use virtual machines, but this is not their main purpose.

Latest revision as of 10:05, 18 January 2023


Overview

System security is a complicated topic that individuals study for many years. It would be impractical to impart even a fraction of that knowledge in a Wiki article. What this page will attempt to do is provide a primer in the most basic elements of Linux security and identify common pitfalls for beginners.


Users

User accounts are used to log into the system and provide one of the basic building blocks for permissions. You could loosely categorize users into a few categories:

  • Regular user accounts like the one created for you during install.
  • Accounts used to run specific services. These users are often named after the service they run; for example, the dbus user is used to run the master dbus process. They normally have no password and no login shell.
  • The root account.


The root account is the administrator or superuser account. It has access to everything in the system and must be used with extreme care. In most cases it should not be used at all; use sudo instead.


sudo

The command sudo lets you run a command as the root user without actually switching to the root user. In many cases this is safer than using the root user directly, because only a single command is run as root. For example, your normal user account is not able to edit the file /etc/fstab because it is owned by root. However, you can edit it with sudo like this:

sudo nano /etc/fstab


When you run this command, you will be asked for a password, this will be the password of your normal user account.
For more information about editing configuration files owned by root see this article on configuration files.


sudo vs su

While sudo and su look similar and both involve root access they are very different. sudo runs a single command as another user and requests the password of your normal user account. su lets you *become* root and requests the password of the root user. In general, it is usually safer to use sudo than to use su.


Warning
Never run a graphical program as root or with sudo; sudo should only be used with command line programs. A graphical program started this way writes its configuration and cache files into your home directory as root, and the program then fails or misbehaves when you later run it normally as your user.


Why am I Asked for a Password

Sometimes you will take an action in the terminal or through a GUI application and will get prompted for your password. This is because the action you are trying to take cannot be completed by your user and requires elevated rights. Whenever you get a password prompt like this it is important to pause and think whether the action you are taking *should* be asking for elevated rights before entering your password.


Note
Usually these password prompts will be looking for the password of your normal user account but occasionally they will need the password of the root account


Changing Passwords

To change the password of the user account you are logged in as you can use the command:

passwd


To change the password of a different user on the same system you can use sudo:

sudo passwd USERNAME


Groups

Users on a Linux system are commonly arranged in groups. A user group is a convenient way of assigning more users access to a common task like sound, media, printing and mounting of removable drives etc.


A list of the groups present on the system can be seen with the command:

getent group | awk -F : '{print $1}'


To see which groups a given user belongs to, use the command:

groups USERNAME


Primary Groups

A user can be a member of any number of groups but they have only one primary group. The primary group is the group used when files are created.
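As an added example (not part of the Manjaro wiki page), the following POSIX shell script resolves a user's primary and supplementary groups from passwd and group records the way `groups USERNAME` does: the primary group is the one whose GID appears in the user's passwd entry, the supplementary groups are those that list the user in their member field. The records are constructed sample data embedded in the script so that it runs without touching the live system; `getent passwd` and `getent group` would supply the real ones.

```shell
# Added example, not from the Manjaro wiki. Constructed sample records in the
# format of /etc/passwd and /etc/group (name:x:uid:gid:gecos:home:shell and
# name:x:gid:member,member). On a real system replace these with
# "getent passwd" and "getent group".
SAMPLE_PASSWD='root:x:0:0::/root:/bin/bash
alice:x:1000:1000::/home/alice:/bin/bash
dbus:x:81:81:System Message Bus:/:/usr/bin/nologin'

SAMPLE_GROUP='root:x:0:
wheel:x:998:alice
audio:x:995:alice,bob
users:x:1000:
dbus:x:81:'

# primary_group USER -> name of the group whose GID is the user's passwd GID.
# Returns 1 when the user does not exist.
primary_group() {
    gid=$(printf '%s\n' "$SAMPLE_PASSWD" | awk -F: -v u="$1" '$1 == u { print $4 }')
    [ -n "$gid" ] || return 1
    printf '%s\n' "$SAMPLE_GROUP" | awk -F: -v g="$gid" '$3 == g { print $1 }'
}

# supplementary_groups USER -> one line per group that lists USER as a member
supplementary_groups() {
    printf '%s\n' "$SAMPLE_GROUP" | awk -F: -v u="$1" '
        { n = split($4, m, ",")
          for (i = 1; i <= n; i++) if (m[i] == u) print $1 }'
}

# user_groups USER -> primary group first, then supplementary groups,
# on one line like the output of "groups USER"
user_groups() {
    p=$(primary_group "$1") || return 1
    s=$(supplementary_groups "$1" | tr '\n' ' ')
    printf '%s %s\n' "$p" "$s" | sed 's/ *$//'
}

user_groups alice   # -> users wheel audio
user_groups dbus    # -> dbus (a service account: primary group only)
```

Note that membership shown this way is what a *new* login session will get; a user added to a group with `usermod -aG` keeps the old membership in already running sessions until they log out and back in.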


File Permissions

At the most basic level, every file carries read, write and execute permission bits for three classes: the user (owner), the group and other (everyone else). To understand how this works let's look at a real world example.

To get the permissions on the file we can use the command ls -l.

ls -l /etc/fstab
-rw-r--r-- 1 root root 539 Dec 26 23:07 /etc/fstab


That first group of letters and dashes indicates the permissions. It is 10 characters long and a dash indicates a permission that is not granted.

  • The first character "-" represents the file type; "-" indicates that it is a regular file (a "d" would mean a directory).
  • The next three characters "rw-" indicate the permissions for the user, that is the owner of the file. In this case reading and writing are allowed but not executing.
  • The next three characters "r--" indicate the permissions for members of the group that owns the file. In this case only reading is allowed.
  • The last three characters "r--" indicate the permissions for other users. In this case reading is allowed but not writing or executing.


For more detailed information on how file permissions are broken down take a look at this Wikipedia article


Changing File Permissions

The command chmod can be used to change permissions on a file or directory. It is probably easier to demonstrate than explain.


Add read rights to the user(owner) of the file

chmod u+r filename


Remove execute rights from members of the group that owns filename

chmod g-x filename


Set the rights for others to read only

chmod o=r filename


Of course, in normal use you would combine everything like this:

chmod u+rw,g=r,o-rwx filename


This adds read and write for the owner, sets the group to read only and removes read, write and execute from other users. Note the difference between "=" and "+"/"-": "g=r" replaces whatever the group had before, while "u+rw" and "o-rwx" only add or clear the named bits and leave the others as they were.


The chmod command can do a lot more than that. For more information take a look at Wikipedia's chmod reference
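To check rather than guess what each symbolic expression does, here is an added example (not from the wiki page) that applies a chmod expression to a scratch file starting from a known mode and reads the result back, both in octal and in the ls -l style string shown above. It assumes GNU coreutils, whose `stat -c` prints the mode as %a (octal) or %A (ls style), as shipped on Manjaro.

```shell
# Added example, not from the Manjaro wiki. Assumes GNU coreutils (stat -c).

# mode_after START_OCTAL SYMBOLIC_MODE -> octal mode after applying the change
mode_after() {
    f=$(mktemp) || return 1
    chmod "$1" "$f"          # put the scratch file into a known starting state
    chmod "$2" "$f"          # apply the symbolic change under test
    stat -c '%a' "$f"        # read the resulting mode back in octal
    rm -f "$f"
}

# mode_string START_OCTAL SYMBOLIC_MODE -> the same result as ls -l would show it
mode_string() {
    f=$(mktemp) || return 1
    chmod "$1" "$f" && chmod "$2" "$f"
    stat -c '%A' "$f"
    rm -f "$f"
}

mode_after 000 u+r              # -> 400  (+ only adds the named bit)
mode_after 755 g-x              # -> 745  (- only clears the named bit)
mode_after 777 o=r              # -> 774  (= replaces all of "other")
mode_after 000 u+rw,g=r,o-rwx   # -> 640
mode_string 000 u+rw,g=r,o-rwx  # -> -rw-r-----
```

Because an explicit who (u, g or o) is given in every expression, the umask plays no part; `chmod +x file` without a who letter is the form where the umask can silently drop bits.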


Firewalls

The Firewalls article has a full description of the Firewall solutions available on Manjaro.


File Integrity Monitoring

Your first line of defense should always be practices that prevent an intrusion, such as firewalls, intrusion prevention systems and keeping your system patched and up to date. However, it is also useful to be able to tell whether your system has been compromised. One way to help with this is a file integrity monitoring solution. These solutions work by comparing the checksums of the files on your system with a previously recorded baseline and alerting about changes.

An open source tool which provides this service is AIDE (Advanced Intrusion Detection Environment). You can install it with the command:

pamac install aide
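AIDE is the tool to use; the following is an added example, not AIDE's code and not from the wiki page, that shows the mechanism the paragraph above (and the checksum section of the earlier revision) describes: take a baseline of SHA-256 checksums of every file under a directory, then report files that changed, appeared or disappeared. It assumes GNU coreutils (sha256sum, find, sort, mktemp). Paths containing whitespace are not handled; a real monitor also records ownership, permissions and timestamps, and keeps its database somewhere an intruder cannot rewrite, since a checksum database on the compromised host can simply be regenerated by the attacker.

```shell
# Added example, not from the Manjaro wiki and not part of AIDE. Assumes GNU
# coreutils. Paths with whitespace are not supported (a real tool would use
# NUL-separated output).

# fim_baseline DIR -> "sha256  ./relative/path" for every regular file, sorted by path
fim_baseline() {
    ( cd "$1" && find . -type f -exec sha256sum {} + | LC_ALL=C sort -k2 )
}

# fim_check DIR BASELINE_FILE -> prints CHANGED/REMOVED/ADDED lines,
# returns 0 when the tree still matches the baseline and 1 otherwise
fim_check() {
    dir=$1; db=$2; status=0
    current=$(mktemp)
    fim_baseline "$dir" > "$current"
    # pass 1: walk the baseline, look each path up in the current checksums
    awk -v curfile="$current" '
        BEGIN { rc = 0 }
        FILENAME == curfile { cur[$2] = $1; next }
        !($2 in cur)        { print "REMOVED " $2; rc = 1; next }
        cur[$2] != $1       { print "CHANGED " $2; rc = 1 }
        END { exit rc }' "$current" "$db" || status=1
    # pass 2: walk the current checksums, report paths the baseline never saw
    awk -v dbfile="$db" '
        BEGIN { rc = 0 }
        FILENAME == dbfile { base[$2] = 1; next }
        !($2 in base)      { print "ADDED " $2; rc = 1 }
        END { exit rc }' "$db" "$current" || status=1
    rm -f "$current"
    return $status
}

# Demonstration on a constructed scratch tree (not real system files):
# baseline it, then simulate an edited config, a dropped-in file and a deletion.
fim_demo() {
    d=$(mktemp -d); db=$(mktemp)
    mkdir -p "$d/etc"
    printf 'PermitRootLogin no\n' > "$d/etc/sshd_config"
    printf 'root:x:0:0::/root:/bin/bash\n' > "$d/etc/passwd"
    fim_baseline "$d" > "$db"
    if fim_check "$d" "$db" > /dev/null; then echo "baseline clean"; fi
    printf 'PermitRootLogin yes\n' > "$d/etc/sshd_config"   # tampered config
    printf '/tmp/evil.so\n' > "$d/etc/ld.so.preload"        # planted file
    rm -f "$d/etc/passwd"                                   # deleted file
    if ! fim_check "$d" "$db"; then echo "integrity check FAILED"; fi
    rm -rf "$d" "$db"
}

fim_demo
# -> baseline clean
#    REMOVED ./etc/passwd
#    CHANGED ./etc/sshd_config
#    ADDED ./etc/ld.so.preload
#    integrity check FAILED
```

The baseline must be taken on a system you trust (ideally right after installation) and refreshed deliberately after every package update, otherwise every upgrade produces a flood of CHANGED lines that trains you to ignore the report.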


Sandboxing

A Sandbox is a security mechanism for separating running programs, usually in an effort to mitigate system failures or software vulnerabilities from spreading.


One method of sandboxing is using Firejail. Please see the Firejail Wiki page for more information on installing and configuring Firejail.
