Porteus maximum security set up, maximum lock down

Post here if you are a new Porteus member and you're looking for some help.
xenos
Black ninja
Posts: 40
Joined: 20 Aug 2016, 22:20
Distribution: Porteus
Location: Blackhole

Porteus maximum security set up, maximum lock down

Post#1 by xenos » 22 Oct 2018, 20:14

Are there threads that particularly deal with and focus on how to set up maximum security using Porteus Linux? Because the last thing we want is having our Porteus box hacked by others.

1. the default users and groups, and suggestions for maximum lock down

2. firewall settings for maximum lock down: applications manually added, otherwise block incoming and outgoing by default.

Any other ideas or practices for maximum lock down?
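
For the default-deny firewall asked about in point 2, here is an added example (my code, not from any poster and not a Porteus script): a POSIX shell function that prints an iptables ruleset in iptables-restore format with INPUT, FORWARD and OUTPUT all defaulting to DROP, and outbound opened only for the destination ports you name. It assumes the stock iptables with the conntrack and LOG extensions; the ports are whatever you pass in (53 for DNS and 443 for HTTPS in the usage line are just an illustration, but without 53 name lookups stop working).

```shell
#!/bin/sh
# Added example, not from the thread or from Porteus: print a default-deny
# iptables ruleset in iptables-restore format. INPUT, FORWARD and OUTPUT all
# default to DROP; outbound is opened only for the destination ports given
# as arguments. Assumes iptables with the conntrack and LOG extensions.

gen_ruleset() {
    # $@ = destination ports this box may open new connections to (e.g. 53 443).
    # Validate before printing anything so a typo does not yield a half ruleset.
    for port in "$@"; do
        case $port in
            ''|*[!0-9]*) printf 'gen_ruleset: bad port "%s"\n' "$port" >&2; return 1 ;;
        esac
    done
    printf '%s\n' \
        '*filter' \
        ':INPUT DROP [0:0]' \
        ':FORWARD DROP [0:0]' \
        ':OUTPUT DROP [0:0]' \
        '-A INPUT -i lo -j ACCEPT' \
        '-A OUTPUT -o lo -j ACCEPT' \
        '-A INPUT -m conntrack --ctstate INVALID -j DROP' \
        '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT' \
        '-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    # One explicit allow per port, TCP and UDP, for new outbound connections only.
    for port in "$@"; do
        printf '%s\n' \
            "-A OUTPUT -p tcp --dport $port -m conntrack --ctstate NEW -j ACCEPT" \
            "-A OUTPUT -p udp --dport $port -m conntrack --ctstate NEW -j ACCEPT"
    done
    # Rate-limited logging of what gets dropped, so an over-tight ruleset shows
    # up in the kernel log instead of as silent breakage.
    printf '%s\n' \
        '-A INPUT -m limit --limit 5/min -j LOG --log-prefix "fw-in-drop: "' \
        '-A OUTPUT -m limit --limit 5/min -j LOG --log-prefix "fw-out-drop: "' \
        'COMMIT'
}

# Run as a script with the allowed ports as arguments, e.g. ./fw.sh 53 443,
# review the output, then apply as root with: ./fw.sh 53 443 | iptables-restore
if [ $# -gt 0 ]; then
    gen_ruleset "$@"
fi
```

Apply it from the console rather than over SSH: an existing SSH session survives through the ESTABLISHED rules, but no new inbound connection of any kind is accepted once INPUT defaults to DROP, and anything you forgot to list appears in the kernel log with the fw-in-drop / fw-out-drop prefix.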

Ed_P
Contributor
Posts: 8341
Joined: 06 Feb 2013, 22:12
Distribution: Cinnamon 5.01 ISO
Location: Western NY, USA

Porteus maximum security set up, maximum lock down

Post#2 by Ed_P » 23 Oct 2018, 14:37

The Porteus Kiosk system is secure.
Ed

donald
Full of knowledge
Posts: 2064
Joined: 17 Jun 2013, 13:17
Distribution: Porteus 3.2.2 XFCE 32bit
Location: Germany

Porteus maximum security set up, maximum lock down

Post#3 by donald » 23 Oct 2018, 15:06

Keep the router firmware up to date and check the settings.
(no remote maintenance, no UPnP, etc.)
With some brands you're out of luck...(Cisco anyone?)..LOL

Activate the firewalls (router and Porteus).

Keep the software (browser) and the system up to date/patched.
It is usually the browser whose vulnerabilities are exploited.
Disable JavaScript whenever possible.
Avoid Adobe Flash like the devil avoids holy water.

Don't confuse security with privacy ....privacy is a different playground...

About Porteus:
you could install/configure the OS and make a settings module.
Porteus will assist you to create such a module.

When done you could use the always fresh mode + the settings module
or make use of the changes-ro cheatcode.
(read /boot/docs/cheatcodes.txt)
There are many ways to get an extra layer of security...

Personally I'm not that scared, I have backups/images,
so I could restore the system within minutes if something does not seem right. B)

wread
Module Guard
Posts: 1255
Joined: 09 Jan 2011, 18:48
Distribution: Porteus v5.0-kde-64 bits
Location: Santo Domingo

Porteus maximum security set up, maximum lock down

Post#4 by wread » 28 Oct 2018, 21:16

Well, my Porteus version (KDE5) seems to be vulnerable; to what extent, I don't know. I have had no attacks as yet, but I examined my system using the tool tiger-3.2.3-x86_64-2.xzm, which I built from Slackware.

I ran the application and found this long terror novel...

Code:

Security scripts *** 3.2.3, 2008.09.10.09.30 ***
Fri Oct 12 11:41:29 AST 2018
11:41> Beginning security report for porteus.example.net (x86_64 Linux 4.15.2-porteus).

# Performing check of passwd files...
# Checking entries from /etc/passwd.
--WARN-- [pass013w] Username `guest' is not using an acceptable password hash 
         (sha256). 
--WARN-- [pass015w] Login ID halt does not have a valid shell (/sbin/halt). 
--WARN-- [pass016w] User mail has / as home directory 
--WARN-- [pass016w] User nobody has / as home directory 
--WARN-- [pass014w] Login (operator) is disabled, but has a valid shell. 
--WARN-- [pass016w] User oprofile has / as home directory 
--WARN-- [pass016w] User pop has / as home directory 
--WARN-- [pass013w] Username `root' is not using an acceptable password hash 
         (sha256). 
--WARN-- [pass016w] User rpc has / as home directory 
--WARN-- [pass015w] Login ID shutdown does not have a valid shell 
         (/sbin/shutdown). 
--WARN-- [pass016w] User sshd has / as home directory 
--WARN-- [pass015w] Login ID sync does not have a valid shell (/bin/sync). 
--WARN-- [pass012w] Home directory / exists multiple times (5) in /etc/passwd. 
--WARN-- [pass012w] Home directory /sbin exists multiple times (2) in 
         /etc/passwd. 
--WARN-- [pass012w] Home directory /var/empty exists multiple times (2) in 
         /etc/passwd. 
--WARN-- [pass006w] Integrity of password files questionable (/usr/sbin/pwck 
         -r). 

# Performing check of group files...
--WARN-- [grp006w] Integrity of group files questionable (/usr/sbin/grpck -r). 

# Performing check of user accounts...
# Checking accounts from /etc/passwd.
--WARN-- [acc021w] Login ID halt appears to be a dormant account. 
--WARN-- [acc006w] Login ID mail's home directory (/) has world write access. 
--WARN-- [acc006w] Login ID nobody's home directory (/) has world write 
         access. 
--WARN-- [acc006w] Login ID oprofile's home directory (/) has world write 
         access. 
--WARN-- [acc021w] Login ID polkitd appears to be a dormant account. 
--WARN-- [acc006w] Login ID pop's home directory (/) has world write access. 
--WARN-- [acc006w] Login ID rpc's home directory (/) has world write access. 
--WARN-- [acc021w] Login ID shutdown appears to be a dormant account. 
--WARN-- [acc006w] Login ID sshd's home directory (/) has world write access. 

# Performing check of /etc/hosts.equiv and .rhosts files...
--WARN-- [rcmd010w] /etc/hosts.equiv contains the following hosts: 
 localhost

# Checking accounts from /etc/passwd...

# Performing check of .netrc files...

# Checking accounts from /etc/passwd...

# Performing common access checks for root (in /etc/default/login, /securetty, and /etc/ttytab...

# Performing check of PATH components...
# Only checking user 'root'

# Performing check of anonymous FTP...
--WARN-- [ftp006w] Anonymous FTP enabled, but directory does not exist. 

# Performing checks of mail aliases...

# Performing check of `cron' entries...
--WARN-- [cron005w] Use of cron is not restricted 

# Performing check of 'services' ...
# Checking services from /etc/services.

# Performing NFS exports check...

# Performing check of system file permissions...

# Checking for known intrusion signs...
--ERROR-- [init001e] Don't have required command STRINGS.

# Performing check for rookits...

# Performing system specific checks...
# Performing checks for Linux/4/4.15.2-porteus/x86_64...
--ERROR-- [init001e] Don't have required command STRINGS.

# Performing check of root directory...
--FAIL-- [rootdir002f] The root directory / has group `root' and world write 
         access. 

# Checking device permissions...
--WARN-- [dev003w] The directory /dev/block resides in a device directory. 
--WARN-- [dev003w] The directory /dev/bsg resides in a device directory. 
--WARN-- [dev003w] The directory /dev/char resides in a device directory. 
--WARN-- [dev003w] The directory /dev/cpu resides in a device directory. 
--FAIL-- [dev002f] /dev/fuse has world permissions 
--FAIL-- [dev002f] /dev/kmsg has world permissions 
--FAIL-- [dev002f] /dev/log has world permissions 
--FAIL-- [dev002f] /dev/loop84 has world permissions 
--FAIL-- [dev002f] /dev/loop85 has world permissions 
--FAIL-- [dev002f] /dev/loop86 has world permissions 
--FAIL-- [dev002f] /dev/loop87 has world permissions 
--FAIL-- [dev002f] /dev/rfkill has world permissions 
--FAIL-- [dev002f] /dev/rtc0 has world permissions 
--WARN-- [dev003w] The directory /dev/v4l resides in a device directory. 

# Checking for existence of log files...

# Checking for correct umask settings...
--FAIL-- [misc022f] The umask setting in /etc/profile is insecure 

# Checking listening processes 
--WARN-- [lin002i] The process `nmbd' is listening on socket 137 (UDP) on 
         every interface. 
--WARN-- [lin002i] The process `nmbd' is listening on socket 138 (UDP) on 
         every interface. 
--WARN-- [lin002i] The process `smbd' is listening on socket 139 (TCP) on 
         every interface. 
--WARN-- [lin002i] The process `smbd' is listening on socket 445 (TCP) on 
         every interface. 
--WARN-- [lin002i] The process `sshd' is listening on socket 22 (TCP) on every 
         interface. 

# Checking sshd_config configuration files...
--WARN-- [ssh004w] The PasswordAuthentication directive in 
         /etc/ssh/sshd_config is set to the unapproved defult value: yes. 

# Checking printer configuration files...

# Performing common access checks for root...
--FAIL-- [netw020f] There is no /etc/ftpusers file. 

# Checking ntpd configuration...

# Checking unusual file names...
--ALERT-- [fsys005a] Unusual filename `.wh.VPN connection 1' found: 
-rwxrwxrwx 1 root root 0 Jan 26  2016 /mnt/sda4/Users/W Read/Developing/Trunk/OtroKDE5/modules/Settings/myVPNsettings/etc/NetworkManager/system-connections/.wh.VPN connection 1
--ALERT-- [fsys005a] Unusual filename `.~lock.Project Report Arq Alex 
          Vega.Docx#' found: 
-rwxrwxrwx 1 root root 78 Jun 24 17:23 /mnt/sda4/Users/W Read/Documents/Alex Vega/EstacionGas/Para enviar a Estructuralista/.~lock.Project Report Arq Alex Vega.Docx#
--ALERT-- [fsys005a] Unusual filename `.~lock.curriculum Laury Fatima Ceballo 
          Sanchez.docx#' found: 
-rwxrwxrwx 1 root root 85 Jul  8  2014 /mnt/sda4/Users/W Read/Documents/Varios/.~lock.curriculum   Laury Fatima Ceballo Sanchez.docx#
--ALERT-- [fsys005a] Unusual filename `.~lock.curriculum Natacha Fatima 
          Ceballo Sanchez.docx#' found: 
-rwxrwxrwx 1 root root 85 Jul  8  2014 /mnt/sda4/Users/W Read/Documents/Varios/.~lock.curriculum   Natacha Fatima Ceballo Sanchez.docx#
--ALERT-- [fsys005a] Unusual filename `.~lock.factura biodiesel 4.doc#' found: 
-rwxrwxrwx 1 root root 78 Jun  6  2014 /mnt/sda4/Users/W Read/Documents/Varios/ArchivosWR/.~lock.factura biodiesel 4.doc#
--ALERT-- [fsys005a] Unusual filename `.~lock.Valle Nuevo-Ocoa.doc#' found: 
-rwxrwxrwx 1 root root 65 Oct 12  2013 /mnt/sda4/Users/W Read/Documents/Varios/Cibao-Sur/.~lock.Valle Nuevo-Ocoa.doc#
--ALERT-- [fsys005a] Unusual filename `.VillaLeka antes.png-autosave.kra' 
          found: 
-rwxrwxrwx 1 root root 6027116 Feb 24  2017 /mnt/sda4/Users/W Read/Documents/Villa Leka/.VillaLeka antes.png-autosave.kra
--ALERT-- [fsys005a] Unusual filename `._Perspectiva 1 peque.jpg' found: 
-rwxrwxrwx 1 root root 47903 Jul 21  2013 /mnt/sda4/Users/W Read/Downloads/Planos IR/0708-Apartamentos en Bonita Village/ing reid bonita v perspectivas/pequenas jpg/._Perspectiva 1 peque.jpg
--ALERT-- [fsys005a] Unusual filename `._Perspectiva 2 peque.jpg' found: 
-rwxrwxrwx 1 root root 82 Jul 21  2013 /mnt/sda4/Users/W Read/Downloads/Planos IR/0708-Apartamentos en Bonita Village/ing reid bonita v perspectivas/pequenas jpg/._Perspectiva 2 peque.jpg
--ALERT-- [fsys005a] Unusual filename `._Planta de Conjunto peque.jpg' found: 
-rwxrwxrwx 1 root root 55244 Jul 21  2013 /mnt/sda4/Users/W Read/Downloads/Planos IR/0708-Apartamentos en Bonita Village/ing reid bonita v perspectivas/pequenas jpg/._Planta de Conjunto peque.jpg
--ALERT-- [fsys005a] Unusual filename `._Vuelo de pajaro peque.jpg' found: 
-rwxrwxrwx 1 root root 62010 Jul 21  2013 /mnt/sda4/Users/W Read/Downloads/Planos IR/0708-Apartamentos en Bonita Village/ing reid bonita v perspectivas/pequenas jpg/._Vuelo de pajaro peque.jpg
--ALERT-- [fsys005a] Unusual filename `._A-05 Planta Arquitectonica .dwg' 
          found: 
-rwxrwxrwx 1 root root 4096 Feb 18  2011 /mnt/sda4/Users/W Read/Downloads/Planos IR/1001-Gimnasio Body Shop SD/A-05 Planta Arquitectonica -dwg/._A-05 Planta Arquitectonica .dwg
--ALERT-- [fsys005a] Unusual filename `._planos dwg 26.1' found: 
-rwxrwxrwx 1 root root 82 Jan 27  2010 /mnt/sda4/Users/W Read/Downloads/Planos IR/1001-Gimnasio Body Shop SD/__MACOSX/._planos dwg 26.1
--ALERT-- [fsys005a] Unusual filename `._nivel 1 26.1.1 enero .dwg' found: 
-rwxrwxrwx 1 root root 82 Jan 27  2010 /mnt/sda4/Users/W Read/Downloads/Planos IR/1001-Gimnasio Body Shop SD/__MACOSX/planos dwg 26.1/nivel 1 26.1.1 enero  -dwg/._nivel 1 26.1.1 enero  .dwg
--ALERT-- [fsys005a] Unusual filename `._nivel 2 26.1.1 enero .dwg' found: 
-rwxrwxrwx 1 root root 82 Jan 27  2010 /mnt/sda4/Users/W Read/Downloads/Planos IR/1001-Gimnasio Body Shop SD/__MACOSX/planos dwg 26.1/nivel 2 26.1.1 enero  -dwg/._nivel 2 26.1.1 enero  .dwg
--ALERT-- [fsys005a] Unusual filename `._nivel 3 26.1.1 enero .dwg' found: 
-rwxrwxrwx 1 root root 82 Jan 27  2010 /mnt/sda4/Users/W Read/Downloads/Planos IR/1001-Gimnasio Body Shop SD/__MACOSX/planos dwg 26.1/nivel 3 26.1.1 enero  -dwg/._nivel 3 26.1.1 enero  .dwg
--ALERT-- [fsys005a] Unusual filename `._nivel 4 26.1.1 enero .dwg' found: 
-rwxrwxrwx 1 root root 82 Jan 27  2010 /mnt/sda4/Users/W Read/Downloads/Planos IR/1001-Gimnasio Body Shop SD/__MACOSX/planos dwg 26.1/nivel 4 26.1.1 enero  -dwg/._nivel 4 26.1.1 enero  .dwg
--ALERT-- [fsys005a] Unusual filename `._nivel 5 26.1.1 enero .dwg' found: 
-rwxrwxrwx 1 root root 82 Jan 27  2010 /mnt/sda4/Users/W Read/Downloads/Planos IR/1001-Gimnasio Body Shop SD/__MACOSX/planos dwg 26.1/nivel 5 26.1.1 enero  -dwg/._nivel 5 26.1.1 enero  .dwg
--ALERT-- [fsys005a] Unusual filename `._nivel 6 26.1.1 enero .dwg' found: 
-rwxrwxrwx 1 root root 82 Jan 27  2010 /mnt/sda4/Users/W Read/Downloads/Planos IR/1001-Gimnasio Body Shop SD/__MACOSX/planos dwg 26.1/nivel 6 26.1.1 enero  -dwg/._nivel 6 26.1.1 enero  .dwg
--ALERT-- [fsys005a] Unusual filename `._nivel 7 26.1.1 enero .dwg' found: 
-rwxrwxrwx 1 root root 82 Jan 27  2010 /mnt/sda4/Users/W Read/Downloads/Planos IR/1001-Gimnasio Body Shop SD/__MACOSX/planos dwg 26.1/nivel 7 26.1.1 enero  -dwg/._nivel 7 26.1.1 enero  .dwg
--ALERT-- [fsys005a] Unusual filename `._nivel 8 26.1.1 enero .dwg' found: 
-rwxrwxrwx 1 root root 82 Jan 27  2010 /mnt/sda4/Users/W Read/Downloads/Planos IR/1001-Gimnasio Body Shop SD/__MACOSX/planos dwg 26.1/nivel 8 26.1.1 enero  -dwg/._nivel 8 26.1.1 enero  .dwg
--ALERT-- [fsys005a] Unusual filename `._nivel 9 26.1.1 enero .dwg' found: 
-rwxrwxrwx 1 root root 82 Jan 27  2010 /mnt/sda4/Users/W Read/Downloads/Planos IR/1001-Gimnasio Body Shop SD/__MACOSX/planos dwg 26.1/nivel 9 26.1.1 enero  -dwg/._nivel 9 26.1.1 enero  .dwg
--ALERT-- [fsys005a] Unusual filename `._nivel de techo 26.1.1 enero.dwg' 
          found: 
-rwxrwxrwx 1 root root 82 Jan 27  2010 /mnt/sda4/Users/W Read/Downloads/Planos IR/1001-Gimnasio Body Shop SD/__MACOSX/planos dwg 26.1/nivel de techo 26.1.1 enero-dwg/._nivel de techo 26.1.1 enero.dwg
--ALERT-- [fsys005a] Unusual filename `._sotano 1 26.1.1 enero .dwg' found: 
-rwxrwxrwx 1 root root 82 Jan 27  2010 /mnt/sda4/Users/W Read/Downloads/Planos IR/1001-Gimnasio Body Shop SD/__MACOSX/planos dwg 26.1/sotano 1 26.1.1 enero  -dwg/._sotano 1 26.1.1 enero  .dwg
--ALERT-- [fsys005a] Unusual filename `._sotano 2 26.1.1 enero .dwg' found: 
-rwxrwxrwx 1 root root 82 Jan 27  2010 /mnt/sda4/Users/W Read/Downloads/Planos IR/1001-Gimnasio Body Shop SD/__MACOSX/planos dwg 26.1/sotano 2 26.1.1 enero  -dwg/._sotano 2 26.1.1 enero  .dwg
--ALERT-- [fsys005a] Unusual filename `._GNU GENERAL PUBLIC LICENSE Verson 
          2.0.pdf' found: 
-rwxrwxrwx 1 root root 82 Jul 11  2013 /mnt/sda4/Users/W Read/Downloads/__MACOSX/dmg2iso 2.0/._GNU GENERAL PUBLIC LICENSE Verson 2.0.pdf
--ALERT-- [fsys005a] Unusual filename `.NET CLR Data' found: 
drwxrwxrwx 1 root root 0 Oct 11  2014 /mnt/sda4/Windows/Inf/.NET CLR Data
--ALERT-- [fsys005a] Unusual filename `.NET CLR Networking' found: 
drwxrwxrwx 1 root root 4096 Apr  3  2014 /mnt/sda4/Windows/Inf/.NET CLR Networking
--ALERT-- [fsys005a] Unusual filename `.NET CLR Networking 4.0.0.0' found: 
drwxrwxrwx 1 root root 0 Oct 11  2014 /mnt/sda4/Windows/Inf/.NET CLR Networking 4.0.0.0
--ALERT-- [fsys005a] Unusual filename `.NET Data Provider for Oracle' found: 
drwxrwxrwx 1 root root 4096 Apr  3  2014 /mnt/sda4/Windows/Inf/.NET Data Provider for Oracle
--ALERT-- [fsys005a] Unusual filename `.NET Data Provider for SqlServer' 
          found: 
drwxrwxrwx 1 root root 4096 Apr  3  2014 /mnt/sda4/Windows/Inf/.NET Data Provider for SqlServer
--ALERT-- [fsys005a] Unusual filename `.NET Framework' found: 
drwxrwxrwx 1 root root 4096 Aug 22  2013 /mnt/sda4/Windows/System32/Tasks/Microsoft/Windows/.NET Framework
--ALERT-- [fsys005a] Unusual filename `.NET Framework NGEN v4.0.30319' found: 
-rwxrwxrwx 2 root root 3704 Oct  4 17:54 /mnt/sda4/Windows/System32/Tasks/Microsoft/Windows/.NET Framework/.NET Framework NGEN v4.0.30319
--ALERT-- [fsys005a] Unusual filename `.NET Framework NGEN v4.0.30319 64' 
          found: 
-rwxrwxrwx 2 root root 3710 Oct  4 17:54 /mnt/sda4/Windows/System32/Tasks/Microsoft/Windows/.NET Framework/.NET Framework NGEN v4.0.30319 64
--ALERT-- [fsys005a] Unusual filename `.NET Framework NGEN v4.0.30319 64 
          Critical' found: 
-rwxrwxrwx 2 root root 3476 Mar 20  2015 /mnt/sda4/Windows/System32/Tasks/Microsoft/Windows/.NET Framework/.NET Framework NGEN v4.0.30319 64 Critical
--ALERT-- [fsys005a] Unusual filename `.NET Framework NGEN v4.0.30319 
          Critical' found: 
-rwxrwxrwx 2 root root 3470 Mar 20  2015 /mnt/sda4/Windows/System32/Tasks/Microsoft/Windows/.NET Framework/.NET Framework NGEN v4.0.30319 Critical


# Looking for unusual device files...
--ALERT-- [fsys006a] Unexpected device files found: 
crw------- 1 root root 5, 1 Oct 12 03:31 /mnt/live/memory/changes/dev/console


# Checking symbolic links...

# Performing check of embedded pathnames...
--ERROR-- [init001e] Don't have required command STRINGS.
11:48> Security report completed for porteus.example.net.
I will try to get a better note after revising every item.

Cheers!
Porteus is proud of the FASTEST KDE ever made.....(take akonadi, nepomuk and soprano out and you will have a decent OS).
The Porteus Community never sleeps!
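
To make a report like the one above manageable, here is an added example (my code, not wread's and not part of tiger): two POSIX shell functions that read a tiger report from stdin. tiger_flatten joins the wrapped, indented continuation lines back onto their finding so each finding is one line you can grep by check code; tiger_summary counts findings per severity and check code, most severe first. The tiger_sample function holds a constructed excerpt in tiger's format (a handful of lines modelled on the report above, with a placeholder path), not wread's full output.

```shell
#!/bin/sh
# Added example, not from the thread and not part of tiger: triage helpers
# for a tiger security report read from stdin.

tiger_flatten() {
    # tiger wraps long messages onto indented continuation lines; join them back
    # so every finding is a single line, e.g.: tiger_flatten < report | grep dev002f
    awk '
        /^[ \t]+/ { sub(/[ \t]+$/, "", buf); sub(/^[ \t]+/, "", $0); buf = buf " " $0; next }
        { if (NR > 1) print buf; buf = $0 }
        END { if (NR > 0) print buf }
    '
}

tiger_summary() {
    # Count findings per severity and check code, most severe first.
    # tiger severities, worst to mildest: ALERT, FAIL, ERROR, WARN, INFO.
    # Output lines: "SEVERITY CODE COUNT"
    tiger_flatten | awk '
        BEGIN { rank["ALERT"] = 0; rank["FAIL"] = 1; rank["ERROR"] = 2; rank["WARN"] = 3; rank["INFO"] = 4 }
        /^--[A-Z]+-- \[[a-z0-9]+\]/ {
            sev  = substr($1, 3, length($1) - 4)      # --WARN--   -> WARN
            code = substr($2, 2, length($2) - 2)      # [pass013w] -> pass013w
            n[sev " " code]++
        }
        END {
            for (k in n) {
                split(k, p, " ")
                r = 9
                if (p[1] in rank) r = rank[p[1]]
                printf "%d %s %d\n", r, k, n[k]
            }
        }
    ' | sort -k1,1n -k3,3 | cut -d" " -f2-
}

tiger_sample() {
    # Constructed excerpt in tiger report format (not a real report); the path
    # in the ALERT detail line is a placeholder.
    cat <<'EOF'
--WARN-- [pass013w] Username `root' is not using an acceptable password hash 
         (sha256). 
--WARN-- [pass016w] User sshd has / as home directory 
--WARN-- [pass016w] User rpc has / as home directory 
--FAIL-- [dev002f] /dev/kmsg has world permissions 
--FAIL-- [dev002f] /dev/fuse has world permissions 
--ALERT-- [fsys005a] Unusual filename `.wh.VPN connection 1' found: 
-rwxrwxrwx 1 root root 0 Jan 26  2016 /mnt/example/.wh.VPN connection 1
--ERROR-- [init001e] Don't have required command STRINGS.
EOF
}

# Usage on a saved report:  tiger_summary < /var/log/tiger/security.report.txt
# (adjust the path to wherever your tiger build writes its report)
```

Working from the summary, you fix the classes of finding that matter on a live-boot system (dev002f, misc022f, ssh004w, lin002i) and can then grep the flattened report for one code at a time to see every instance; the dozens of fsys005a alerts in the report above all come from the mounted Windows and data partitions under /mnt/sda4, not from Porteus itself.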

xenos
Black ninja
Posts: 40
Joined: 20 Aug 2016, 22:20
Distribution: Porteus
Location: Blackhole

Porteus maximum security set up, maximum lock down

Post#5 by xenos » 29 Oct 2018, 08:43

Not sure what security checklists we could go through; the last thing we want to see is some unknown users lurking inside our box for days and months without our knowing.

There should be a more transparent and simple method to see who and what are connected.

wread
Module Guard
Posts: 1255
Joined: 09 Jan 2011, 18:48
Distribution: Porteus v5.0-kde-64 bits
Location: Santo Domingo

Porteus maximum security set up, maximum lock down

Post#6 by wread » 29 Oct 2018, 11:48

@xenos
Try Nagios

Cheers!
Porteus is proud of the FASTEST KDE ever made.....(take akonadi, nepomuk and soprano out and you will have a decent OS).
The Porteus Community never sleeps!
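
On the wish for a simple way to see what is reachable on the box, here is an added example (my code, not from any poster and nothing to do with Nagios): a POSIX shell function that reads `ss -H -tulnp` output and lists only the sockets bound to every interface, which is exactly what tiger's lin002i warnings in the report above flag (sshd on 22, smbd on 139/445, nmbd on 137/138). The ss_sample output is constructed; the live_listeners wrapper assumes iproute2's ss is installed and is run as root so process names are shown.

```shell
#!/bin/sh
# Added example, not from the thread. Lists sockets bound on every interface,
# i.e. the services anyone on the network can reach, from `ss -H -tulnp` output.
# Loopback-only sockets (127.0.0.1, [::1]) are left out.

wildcard_listeners() {
    # stdin: ss -H -tulnp lines; stdout: "PROTO PORT PROCESS", deduplicated
    # (a service bound on both 0.0.0.0 and [::] appears once).
    awk '
        NF >= 5 {
            n = split($5, a, ":")                     # local address:port, port is last
            port = a[n]
            addr = substr($5, 1, length($5) - length(port) - 1)
            if (addr != "0.0.0.0" && addr != "[::]" && addr != "*") next
            proc = "-"                                # "-" when ss could not read the owner
            if (match($0, /users:\(\("[^"]+"/))
                proc = substr($0, RSTART + 9, RLENGTH - 10)
            print $1, port, proc
        }
    ' | sort -u
}

live_listeners() {
    # Snapshot of the running system (assumes iproute2 ss; run as root for process names)
    ss -H -tulnp 2>/dev/null | wildcard_listeners
}

ss_sample() {
    # Constructed sample in ss -H -tulnp format (not real output from anyone's box)
    cat <<'EOF'
tcp   LISTEN 0      128        0.0.0.0:22        0.0.0.0:*    users:(("sshd",pid=811,fd=3))
tcp   LISTEN 0      50         0.0.0.0:445       0.0.0.0:*    users:(("smbd",pid=902,fd=35))
tcp   LISTEN 0      128      127.0.0.1:631       0.0.0.0:*    users:(("cupsd",pid=700,fd=7))
tcp   LISTEN 0      128           [::]:22           [::]:*    users:(("sshd",pid=811,fd=4))
udp   UNCONN 0      0          0.0.0.0:137       0.0.0.0:*    users:(("nmbd",pid=899,fd=16))
udp   UNCONN 0      0        127.0.0.1:323       0.0.0.0:*    users:(("chronyd",pid=650,fd=5))
EOF
}

# Usage: live_listeners            (or: ss_sample | wildcard_listeners to see the format)
```

Anything this prints that you did not knowingly start is worth a look; on the sample it reports sshd, smbd and nmbd and stays silent about cupsd and chronyd, which only listen on loopback. Run it once after boot and again later to see whether the set of exposed services changed.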
