Are there threads that particularly deal with and focus on how to set up maximum security using Porteus Linux? Because the last thing we want is having our Porteus box hacked by others.
1. the default users and groups, and suggestions for maximum lock down
2. firewall setting for maximum lock down, application manually added, otherwise block incoming and outgoing by default,
Any other ideas or practices for maximum lock down?
Porteus maximum security set up, maximum lock down
- Ed_P
- Contributor
- Posts: 8908
- Joined: 06 Feb 2013, 22:12
- Distribution: Cinnamon 5.01 ISO
- Location: Western NY, USA
Porteus maximum security set up, maximum lock down
The Porteus Kiosk system is secure.
-
- Full of knowledge
- Posts: 2104
- Joined: 17 Jun 2013, 13:17
- Distribution: Porteus 3.2.2 XFCE 32bit
- Location: Germany
Porteus maximum security set up, maximum lock down
Keep the router firmware up to date and check the settings.
( no remote maintenance, no UPnP ..etc.)
With some brands you're out of luck...(cisco anyone?)..LOL
Activate the Firewalls (router and porteus)
Keep the software (browser) and the system up to date/patched.
It is usually the browser whose vulnerabilities are exploited.
Disable javascript whenever possible.
Avoid Adobe Flash like the devil avoids holy water.
Don't confuse security with privacy ....privacy is a different playground...
about porteus:
you could install/configure the OS and make a settings module.
Porteus will assist you to create such a module.
When done you could use the always fresh mode + the settings module
or make use of the changes-ro cheatcode.
(read /boot/docs/cheatcodes.txt)
there are many ways to get an extra layer of security...
Personally I'm not that scared, I have backups/images,
so I could restore the system within minutes if something does not seem right.

- wread
- Module Guard
- Posts: 1257
- Joined: 09 Jan 2011, 18:48
- Distribution: Porteus v5.0-kde-64 bits
- Location: Santo Domingo
- Contact:
Porteus maximum security set up, maximum lock down
Well, my Porteus version (KDE5) seems to be vulnerable; to what extent, I don't know. I have had no attacks as yet, but I examined my system using the tool tiger-3.2.3-x86_64-2.xzm which I built from Slackware.
I ran the application and found this long terror novel...
I will try to get a better note after revising every item..
Cheers!
Code:
Security scripts *** 3.2.3, 2008.09.10.09.30 ***
Fri Oct 12 11:41:29 AST 2018
11:41> Beginning security report for porteus.example.net (x86_64 Linux 4.15.2-porteus).
# Performing check of passwd files...
# Checking entries from /etc/passwd.
--WARN-- [pass013w] Username `guest' is not using an acceptable password hash
(sha256).
--WARN-- [pass015w] Login ID halt does not have a valid shell (/sbin/halt).
--WARN-- [pass016w] User mail has / as home directory
--WARN-- [pass016w] User nobody has / as home directory
--WARN-- [pass014w] Login (operator) is disabled, but has a valid shell.
--WARN-- [pass016w] User oprofile has / as home directory
--WARN-- [pass016w] User pop has / as home directory
--WARN-- [pass013w] Username `root' is not using an acceptable password hash
(sha256).
--WARN-- [pass016w] User rpc has / as home directory
--WARN-- [pass015w] Login ID shutdown does not have a valid shell
(/sbin/shutdown).
--WARN-- [pass016w] User sshd has / as home directory
--WARN-- [pass015w] Login ID sync does not have a valid shell (/bin/sync).
--WARN-- [pass012w] Home directory / exists multiple times (5) in /etc/passwd.
--WARN-- [pass012w] Home directory /sbin exists multiple times (2) in
/etc/passwd.
--WARN-- [pass012w] Home directory /var/empty exists multiple times (2) in
/etc/passwd.
--WARN-- [pass006w] Integrity of password files questionable (/usr/sbin/pwck
-r).
# Performing check of group files...
--WARN-- [grp006w] Integrity of group files questionable (/usr/sbin/grpck -r).
# Performing check of user accounts...
# Checking accounts from /etc/passwd.
--WARN-- [acc021w] Login ID halt appears to be a dormant account.
--WARN-- [acc006w] Login ID mail's home directory (/) has world write access.
--WARN-- [acc006w] Login ID nobody's home directory (/) has world write
access.
--WARN-- [acc006w] Login ID oprofile's home directory (/) has world write
access.
--WARN-- [acc021w] Login ID polkitd appears to be a dormant account.
--WARN-- [acc006w] Login ID pop's home directory (/) has world write access.
--WARN-- [acc006w] Login ID rpc's home directory (/) has world write access.
--WARN-- [acc021w] Login ID shutdown appears to be a dormant account.
--WARN-- [acc006w] Login ID sshd's home directory (/) has world write access.
# Performing check of /etc/hosts.equiv and .rhosts files...
--WARN-- [rcmd010w] /etc/hosts.equiv contains the following hosts:
localhost
# Checking accounts from /etc/passwd...
# Performing check of .netrc files...
# Checking accounts from /etc/passwd...
# Performing common access checks for root (in /etc/default/login, /securetty, and /etc/ttytab...
# Performing check of PATH components...
# Only checking user 'root'
# Performing check of anonymous FTP...
--WARN-- [ftp006w] Anonymous FTP enabled, but directory does not exist.
# Performing checks of mail aliases...
# Performing check of `cron' entries...
--WARN-- [cron005w] Use of cron is not restricted
# Performing check of 'services' ...
# Checking services from /etc/services.
# Performing NFS exports check...
# Performing check of system file permissions...
# Checking for known intrusion signs...
--ERROR-- [init001e] Don't have required command STRINGS.
# Performing check for rookits...
# Performing system specific checks...
# Performing checks for Linux/4/4.15.2-porteus/x86_64...
--ERROR-- [init001e] Don't have required command STRINGS.
# Performing check of root directory...
--FAIL-- [rootdir002f] The root directory / has group `root' and world write
access.
# Checking device permissions...
--WARN-- [dev003w] The directory /dev/block resides in a device directory.
--WARN-- [dev003w] The directory /dev/bsg resides in a device directory.
--WARN-- [dev003w] The directory /dev/char resides in a device directory.
--WARN-- [dev003w] The directory /dev/cpu resides in a device directory.
--FAIL-- [dev002f] /dev/fuse has world permissions
--FAIL-- [dev002f] /dev/kmsg has world permissions
--FAIL-- [dev002f] /dev/log has world permissions
--FAIL-- [dev002f] /dev/loop84 has world permissions
--FAIL-- [dev002f] /dev/loop85 has world permissions
--FAIL-- [dev002f] /dev/loop86 has world permissions
--FAIL-- [dev002f] /dev/loop87 has world permissions
--FAIL-- [dev002f] /dev/rfkill has world permissions
--FAIL-- [dev002f] /dev/rtc0 has world permissions
--WARN-- [dev003w] The directory /dev/v4l resides in a device directory.
# Checking for existence of log files...
# Checking for correct umask settings...
--FAIL-- [misc022f] The umask setting in /etc/profile is insecure
# Checking listening processes
--WARN-- [lin002i] The process `nmbd' is listening on socket 137 (UDP) on
every interface.
--WARN-- [lin002i] The process `nmbd' is listening on socket 138 (UDP) on
every interface.
--WARN-- [lin002i] The process `smbd' is listening on socket 139 (TCP) on
every interface.
--WARN-- [lin002i] The process `smbd' is listening on socket 445 (TCP) on
every interface.
--WARN-- [lin002i] The process `sshd' is listening on socket 22 (TCP) on every
interface.
# Checking sshd_config configuration files...
--WARN-- [ssh004w] The PasswordAuthentication directive in
/etc/ssh/sshd_config is set to the unapproved defult value: yes.
# Checking printer configuration files...
# Performing common access checks for root...
--FAIL-- [netw020f] There is no /etc/ftpusers file.
# Checking ntpd configuration...
# Checking unusual file names...
--ALERT-- [fsys005a] Unusual filename `.wh.VPN connection 1' found:
-rwxrwxrwx 1 root root 0 Jan 26 2016 /mnt/sda4/Users/W Read/Developing/Trunk/OtroKDE5/modules/Settings/myVPNsettings/etc/NetworkManager/system-connections/.wh.VPN connection 1
--ALERT-- [fsys005a] Unusual filename `.~lock.Project Report Arq Alex
Vega.Docx#' found:
-rwxrwxrwx 1 root root 78 Jun 24 17:23 /mnt/sda4/Users/W Read/Documents/Alex Vega/EstacionGas/Para enviar a Estructuralista/.~lock.Project Report Arq Alex Vega.Docx#
--ALERT-- [fsys005a] Unusual filename `.~lock.curriculum Laury Fatima Ceballo
Sanchez.docx#' found:
-rwxrwxrwx 1 root root 85 Jul 8 2014 /mnt/sda4/Users/W Read/Documents/Varios/.~lock.curriculum Laury Fatima Ceballo Sanchez.docx#
--ALERT-- [fsys005a] Unusual filename `.~lock.curriculum Natacha Fatima
Ceballo Sanchez.docx#' found:
-rwxrwxrwx 1 root root 85 Jul 8 2014 /mnt/sda4/Users/W Read/Documents/Varios/.~lock.curriculum Natacha Fatima Ceballo Sanchez.docx#
--ALERT-- [fsys005a] Unusual filename `.~lock.factura biodiesel 4.doc#' found:
-rwxrwxrwx 1 root root 78 Jun 6 2014 /mnt/sda4/Users/W Read/Documents/Varios/ArchivosWR/.~lock.factura biodiesel 4.doc#
--ALERT-- [fsys005a] Unusual filename `.~lock.Valle Nuevo-Ocoa.doc#' found:
-rwxrwxrwx 1 root root 65 Oct 12 2013 /mnt/sda4/Users/W Read/Documents/Varios/Cibao-Sur/.~lock.Valle Nuevo-Ocoa.doc#
--ALERT-- [fsys005a] Unusual filename `.VillaLeka antes.png-autosave.kra'
found:
-rwxrwxrwx 1 root root 6027116 Feb 24 2017 /mnt/sda4/Users/W Read/Documents/Villa Leka/.VillaLeka antes.png-autosave.kra
--ALERT-- [fsys005a] Unusual filename `._Perspectiva 1 peque.jpg' found:
-rwxrwxrwx 1 root root 47903 Jul 21 2013 /mnt/sda4/Users/W Read/Downloads/Planos IR/0708-Apartamentos en Bonita Village/ing reid bonita v perspectivas/pequenas jpg/._Perspectiva 1 peque.jpg
--ALERT-- [fsys005a] Unusual filename `._Perspectiva 2 peque.jpg' found:
-rwxrwxrwx 1 root root 82 Jul 21 2013 /mnt/sda4/Users/W Read/Downloads/Planos IR/0708-Apartamentos en Bonita Village/ing reid bonita v perspectivas/pequenas jpg/._Perspectiva 2 peque.jpg
--ALERT-- [fsys005a] Unusual filename `._Planta de Conjunto peque.jpg' found:
-rwxrwxrwx 1 root root 55244 Jul 21 2013 /mnt/sda4/Users/W Read/Downloads/Planos IR/0708-Apartamentos en Bonita Village/ing reid bonita v perspectivas/pequenas jpg/._Planta de Conjunto peque.jpg
--ALERT-- [fsys005a] Unusual filename `._Vuelo de pajaro peque.jpg' found:
-rwxrwxrwx 1 root root 62010 Jul 21 2013 /mnt/sda4/Users/W Read/Downloads/Planos IR/0708-Apartamentos en Bonita Village/ing reid bonita v perspectivas/pequenas jpg/._Vuelo de pajaro peque.jpg
--ALERT-- [fsys005a] Unusual filename `._A-05 Planta Arquitectonica .dwg'
found:
-rwxrwxrwx 1 root root 4096 Feb 18 2011 /mnt/sda4/Users/W Read/Downloads/Planos IR/1001-Gimnasio Body Shop SD/A-05 Planta Arquitectonica -dwg/._A-05 Planta Arquitectonica .dwg
--ALERT-- [fsys005a] Unusual filename `._planos dwg 26.1' found:
-rwxrwxrwx 1 root root 82 Jan 27 2010 /mnt/sda4/Users/W Read/Downloads/Planos IR/1001-Gimnasio Body Shop SD/__MACOSX/._planos dwg 26.1
--ALERT-- [fsys005a] Unusual filename `._nivel 1 26.1.1 enero .dwg' found:
-rwxrwxrwx 1 root root 82 Jan 27 2010 /mnt/sda4/Users/W Read/Downloads/Planos IR/1001-Gimnasio Body Shop SD/__MACOSX/planos dwg 26.1/nivel 1 26.1.1 enero -dwg/._nivel 1 26.1.1 enero .dwg
--ALERT-- [fsys005a] Unusual filename `._nivel 2 26.1.1 enero .dwg' found:
-rwxrwxrwx 1 root root 82 Jan 27 2010 /mnt/sda4/Users/W Read/Downloads/Planos IR/1001-Gimnasio Body Shop SD/__MACOSX/planos dwg 26.1/nivel 2 26.1.1 enero -dwg/._nivel 2 26.1.1 enero .dwg
--ALERT-- [fsys005a] Unusual filename `._nivel 3 26.1.1 enero .dwg' found:
-rwxrwxrwx 1 root root 82 Jan 27 2010 /mnt/sda4/Users/W Read/Downloads/Planos IR/1001-Gimnasio Body Shop SD/__MACOSX/planos dwg 26.1/nivel 3 26.1.1 enero -dwg/._nivel 3 26.1.1 enero .dwg
--ALERT-- [fsys005a] Unusual filename `._nivel 4 26.1.1 enero .dwg' found:
-rwxrwxrwx 1 root root 82 Jan 27 2010 /mnt/sda4/Users/W Read/Downloads/Planos IR/1001-Gimnasio Body Shop SD/__MACOSX/planos dwg 26.1/nivel 4 26.1.1 enero -dwg/._nivel 4 26.1.1 enero .dwg
--ALERT-- [fsys005a] Unusual filename `._nivel 5 26.1.1 enero .dwg' found:
-rwxrwxrwx 1 root root 82 Jan 27 2010 /mnt/sda4/Users/W Read/Downloads/Planos IR/1001-Gimnasio Body Shop SD/__MACOSX/planos dwg 26.1/nivel 5 26.1.1 enero -dwg/._nivel 5 26.1.1 enero .dwg
--ALERT-- [fsys005a] Unusual filename `._nivel 6 26.1.1 enero .dwg' found:
-rwxrwxrwx 1 root root 82 Jan 27 2010 /mnt/sda4/Users/W Read/Downloads/Planos IR/1001-Gimnasio Body Shop SD/__MACOSX/planos dwg 26.1/nivel 6 26.1.1 enero -dwg/._nivel 6 26.1.1 enero .dwg
--ALERT-- [fsys005a] Unusual filename `._nivel 7 26.1.1 enero .dwg' found:
-rwxrwxrwx 1 root root 82 Jan 27 2010 /mnt/sda4/Users/W Read/Downloads/Planos IR/1001-Gimnasio Body Shop SD/__MACOSX/planos dwg 26.1/nivel 7 26.1.1 enero -dwg/._nivel 7 26.1.1 enero .dwg
--ALERT-- [fsys005a] Unusual filename `._nivel 8 26.1.1 enero .dwg' found:
-rwxrwxrwx 1 root root 82 Jan 27 2010 /mnt/sda4/Users/W Read/Downloads/Planos IR/1001-Gimnasio Body Shop SD/__MACOSX/planos dwg 26.1/nivel 8 26.1.1 enero -dwg/._nivel 8 26.1.1 enero .dwg
--ALERT-- [fsys005a] Unusual filename `._nivel 9 26.1.1 enero .dwg' found:
-rwxrwxrwx 1 root root 82 Jan 27 2010 /mnt/sda4/Users/W Read/Downloads/Planos IR/1001-Gimnasio Body Shop SD/__MACOSX/planos dwg 26.1/nivel 9 26.1.1 enero -dwg/._nivel 9 26.1.1 enero .dwg
--ALERT-- [fsys005a] Unusual filename `._nivel de techo 26.1.1 enero.dwg'
found:
-rwxrwxrwx 1 root root 82 Jan 27 2010 /mnt/sda4/Users/W Read/Downloads/Planos IR/1001-Gimnasio Body Shop SD/__MACOSX/planos dwg 26.1/nivel de techo 26.1.1 enero-dwg/._nivel de techo 26.1.1 enero.dwg
--ALERT-- [fsys005a] Unusual filename `._sotano 1 26.1.1 enero .dwg' found:
-rwxrwxrwx 1 root root 82 Jan 27 2010 /mnt/sda4/Users/W Read/Downloads/Planos IR/1001-Gimnasio Body Shop SD/__MACOSX/planos dwg 26.1/sotano 1 26.1.1 enero -dwg/._sotano 1 26.1.1 enero .dwg
--ALERT-- [fsys005a] Unusual filename `._sotano 2 26.1.1 enero .dwg' found:
-rwxrwxrwx 1 root root 82 Jan 27 2010 /mnt/sda4/Users/W Read/Downloads/Planos IR/1001-Gimnasio Body Shop SD/__MACOSX/planos dwg 26.1/sotano 2 26.1.1 enero -dwg/._sotano 2 26.1.1 enero .dwg
--ALERT-- [fsys005a] Unusual filename `._GNU GENERAL PUBLIC LICENSE Verson
2.0.pdf' found:
-rwxrwxrwx 1 root root 82 Jul 11 2013 /mnt/sda4/Users/W Read/Downloads/__MACOSX/dmg2iso 2.0/._GNU GENERAL PUBLIC LICENSE Verson 2.0.pdf
--ALERT-- [fsys005a] Unusual filename `.NET CLR Data' found:
drwxrwxrwx 1 root root 0 Oct 11 2014 /mnt/sda4/Windows/Inf/.NET CLR Data
--ALERT-- [fsys005a] Unusual filename `.NET CLR Networking' found:
drwxrwxrwx 1 root root 4096 Apr 3 2014 /mnt/sda4/Windows/Inf/.NET CLR Networking
--ALERT-- [fsys005a] Unusual filename `.NET CLR Networking 4.0.0.0' found:
drwxrwxrwx 1 root root 0 Oct 11 2014 /mnt/sda4/Windows/Inf/.NET CLR Networking 4.0.0.0
--ALERT-- [fsys005a] Unusual filename `.NET Data Provider for Oracle' found:
drwxrwxrwx 1 root root 4096 Apr 3 2014 /mnt/sda4/Windows/Inf/.NET Data Provider for Oracle
--ALERT-- [fsys005a] Unusual filename `.NET Data Provider for SqlServer'
found:
drwxrwxrwx 1 root root 4096 Apr 3 2014 /mnt/sda4/Windows/Inf/.NET Data Provider for SqlServer
--ALERT-- [fsys005a] Unusual filename `.NET Framework' found:
drwxrwxrwx 1 root root 4096 Aug 22 2013 /mnt/sda4/Windows/System32/Tasks/Microsoft/Windows/.NET Framework
--ALERT-- [fsys005a] Unusual filename `.NET Framework NGEN v4.0.30319' found:
-rwxrwxrwx 2 root root 3704 Oct 4 17:54 /mnt/sda4/Windows/System32/Tasks/Microsoft/Windows/.NET Framework/.NET Framework NGEN v4.0.30319
--ALERT-- [fsys005a] Unusual filename `.NET Framework NGEN v4.0.30319 64'
found:
-rwxrwxrwx 2 root root 3710 Oct 4 17:54 /mnt/sda4/Windows/System32/Tasks/Microsoft/Windows/.NET Framework/.NET Framework NGEN v4.0.30319 64
--ALERT-- [fsys005a] Unusual filename `.NET Framework NGEN v4.0.30319 64
Critical' found:
-rwxrwxrwx 2 root root 3476 Mar 20 2015 /mnt/sda4/Windows/System32/Tasks/Microsoft/Windows/.NET Framework/.NET Framework NGEN v4.0.30319 64 Critical
--ALERT-- [fsys005a] Unusual filename `.NET Framework NGEN v4.0.30319
Critical' found:
-rwxrwxrwx 2 root root 3470 Mar 20 2015 /mnt/sda4/Windows/System32/Tasks/Microsoft/Windows/.NET Framework/.NET Framework NGEN v4.0.30319 Critical
# Looking for unusual device files...
--ALERT-- [fsys006a] Unexpected device files found:
crw------- 1 root root 5, 1 Oct 12 03:31 /mnt/live/memory/changes/dev/console
# Checking symbolic links...
# Performing check of embedded pathnames...
--ERROR-- [init001e] Don't have required command STRINGS.
11:48> Security report completed for porteus.example.net.
Porteus is proud of the FASTEST KDE ever made.....(take akonadi, nepomuk and soprano out and you will have a decent OS).
The Porteus Community never sleeps!
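A way to triage a tiger report like the one posted above, as an added example that is not part of the thread or of tiger itself. It joins wrapped lines back onto their finding and separates findings about the running system from those whose path lies under the mounted partition `/mnt/sda4/` seen in the report; the sample input is constructed and abridged, the function names are hypothetical, and the severity ordering is this example's own choice.

```python
import re
from collections import Counter

# Constructed, abridged sample in the same layout and wrapping as the report above.
SAMPLE = """\
11:41> Beginning security report for porteus.example.net (x86_64 Linux 4.15.2-porteus).
# Performing check of passwd files...
--WARN-- [pass013w] Username `root' is not using an acceptable password hash
(sha256).
# Performing check of root directory...
--FAIL-- [rootdir002f] The root directory / has group `root' and world write
access.
# Checking for correct umask settings...
--FAIL-- [misc022f] The umask setting in /etc/profile is insecure
# Checking unusual file names...
--ALERT-- [fsys005a] Unusual filename `.NET CLR Data' found:
drwxrwxrwx 1 root root 0 Oct 11 2014 /mnt/sda4/Windows/Inf/.NET CLR Data
--ALERT-- [fsys005a] Unusual filename `.~lock.example.doc#' found:
-rwxrwxrwx 1 root root 78 Jun 6 2014 /mnt/sda4/Users/example/.~lock.example.doc#
11:48> Security report completed for porteus.example.net.
"""

FINDING = re.compile(r"^--(WARN|FAIL|ALERT|ERROR)-- \[(\w+)\] (.*)$")
TIMESTAMP = re.compile(r"^\d\d:\d\d> ")

def parse_report(text):
    """Return findings as dicts; wrapped and detail lines are joined to their finding."""
    findings, section, current = [], None, None
    for line in text.splitlines():
        line = line.rstrip()
        m = FINDING.match(line)
        if m:
            current = {"level": m[1], "id": m[2], "text": m[3], "section": section}
            findings.append(current)
        elif line.startswith("#"):          # "# Performing check of ..." section header
            section, current = line.lstrip("# "), None
        elif TIMESTAMP.match(line) or not line:
            current = None                  # start/end banner, not part of a finding
        elif current is not None:           # continuation or `ls -l` detail line
            current["text"] += " " + line.strip()
    return findings

def triage(findings, data_prefix="/mnt/sda4/"):
    """Split findings about the running system from those under a mounted data partition."""
    system = [f for f in findings if data_prefix not in f["text"]]
    mounted = [f for f in findings if data_prefix in f["text"]]
    order = {"ALERT": 0, "FAIL": 1, "WARN": 2, "ERROR": 3}  # this example's ordering
    system.sort(key=lambda f: order[f["level"]])
    return system, Counter(f["id"] for f in mounted)

if __name__ == "__main__":
    system, mounted = triage(parse_report(SAMPLE))
    print([(f["level"], f["id"]) for f in system], dict(mounted))
```

Run against the full report text instead of `SAMPLE`, the `fsys005a` entries under `/mnt/sda4/` collapse into a single count, leaving the account, permission, umask and listening-service findings to review one by one.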
Porteus maximum security set up, maximum lock down
Not sure what security checklists we could go through; the last thing we want to see is some unknown users lurking inside our box for days and months without our knowing.
There should be a more transparent and simple method to see who and what are connected.
- wread
- Module Guard
- Posts: 1257
- Joined: 09 Jan 2011, 18:48
- Distribution: Porteus v5.0-kde-64 bits
- Location: Santo Domingo
- Contact:
Porteus maximum security set up, maximum lock down
@xenos
Try Nagios
Cheers!
Porteus is proud of the FASTEST KDE ever made.....(take akonadi, nepomuk and soprano out and you will have a decent OS).
The Porteus Community never sleeps!