Make your Linux desktop more secure


Evil babbling

All of our desktops have been ported over to Ubuntu. Although it is a little uncomfortable, it is acceptable. (Complaints aside: if I can accept running Vista on a 1.4G CPU with 512 MB of memory, what else could be unacceptable...)
This article introduces some of baoz's experience with Linux desktop application security. It mainly uses Ubuntu as the subject and also touches on the relatively common CentOS and Gentoo releases. I have not studied PaX in depth, so I cannot interpret PaX at the code level; please point out any mistakes. Follow http://baoz.net and http://xsec.org to get the latest version.
In this article I only plan to write a HOWTO on protecting the security of a Linux desktop. I am not going to explain every term and program involved in detail; if something in this article is unfamiliar to you, google it first.

I. Background
1. Why do I choose Ubuntu? Because it is simple and easy to use: once installed, basically everything is configured, and all we need to do is install a font or two and we can start using it. I used Gentoo before, and it is undeniably a very good distribution, but I personally think it is not suitable for lazy people who love to upgrade, because I always run into RPWT (Chinese slang for plain bad luck) during upgrades. Most of the problems can be looked up on forums.gentoo.org, which is a very good resource for Gentoo: search the forum and you can basically find the answer. If you cannot find it, you are either the guinea pig or simply unlucky. Gentoo also has a good point that I think shows they care more about security: there is hardened-gentoo, which is quite good, and there is genkernel, which configures the kernel for you with a single command so that all you have to do is make install; compiling the kernel is very convenient. Apart from that, I am afraid of configuring X, probably because I was scared off when I first got in touch with Linux in college: which fonts to set, what to put in the conf file, it makes people dizzy. After a long time I still had not got it right, but this also led me onto the right way to learn Linux. I personally think it is best to discard the graphical interface when learning Linux, which forces you to use the CLI, master as many commands as possible, and become as familiar with vi as possible.

2. environment
IBM R50E, 1.4 GHz CPU, ...M memory, integrated Intel graphics card
Ubuntu 6.10

3. requirements
Readers must be able to use an editor in Linux.
Readers must be able to compile the kernel themselves.
Readers must know how to uncomment lines in a configuration file.

4. Target audience
Linux desktop users who care about their system security
Note: If you have had RPWT recently, please proceed with caution and back up the old kernel. I am not liable for any accidents, or non-accidents, caused by RPWT or non-RPWT in the following process.

II. basic security
1. password security: Do not use a simple password
2. Disable the ssh service: if you do not need to remotely control your system, disable the ssh service. Ubuntu does not install this service by default.
baoz@laptop:~$ sudo update-rc.d -f ssh remove
Removing any system startup links for /etc/init.d/ssh ...

3. BIOS password: do not allow others to use livecd to enter your system
4. sulogin: Ubuntu does well in this respect. A password is required even to enter single-user mode, because sulogin is used. This is already set up and we do not need to change it; I only mention it in passing :)
5. Log on as an ordinary user: Ubuntu does this well too. The installer makes you create an ordinary user and does not ask you to set a root password at all. sudo passwd root changes the root password if you ever need one.
6. Prevention of social engineering attacks: to put it bluntly, social engineering is cheating, cheating and more cheating. Of course, the lie may be aimed at one person or at N people.
A. Cheating one person: for example, someone sends you an ELF program, tells you how well it works and asks you to try it. You should never execute it casually, especially when root permission is required to run the file. We can use the strings command to look at the readable strings in the program and see whether there is anything like a clear-text backdoor password or bot-related words.
baoz@laptop:/tmp$ strings unknown.elf | more
/lib/ld-linux.so.2
__gmon_start__
libc.so.6
stdout
strerror
snprintf
__strtol_internal
qsort
fgets
memcpy
feof
malloc
optarg
readdir
__stack_chk_fail


If you want to know what the program actually does and you are confident, you can run strace -o aa ./unknown.elf and then more aa to check what operations the program performed on your system.
baoz@laptop:/tmp$ strace -o aa ./unknown.elf
baoz@laptop:/tmp$ more aa
execve("./unknown.elf", ["./unknown.elf"], [/* 41 vars */]) = 0
brk(0) = 0x8066260
access("/etc/ld.so.nohwcap", F_OK) = -1 ENOENT (No such file or directory)
mmap2(NULL, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x4f336000
access("/etc/ld.so.preload", R_OK) = -1 ENOENT (No such file or directory)
open("/etc/ld.so.cache", O_RDONLY) = 3
fstat64(3, {st_mode=S_IFREG|0644, st_size=90086, ...}) = 0
mmap2(NULL, 90086, PROT_READ, MAP_PRIVATE, 3, 0) = 0x4f320000
close(3) = 0
access("/etc/ld.so.nohwcap", F_OK) = -1 ENOENT (No such file or directory)


However, even when using strace I still recommend a program such as aide to verify our HOME directory, or at least a look at files such as .bashrc and .profile under HOME, so that we notice an unknown program modifying our login scripts. If you are not very confident, run the strace trace with the network disconnected, restart the system after tracing, and check whether the startup scripts have changed. We must also remind you not to trace the program as root, because tracing with strace means executing the unknown program once...... One more reminder: if the file command shows that unknown.elf is not an ordinary ELF file, that is, it is encrypted or packed, we need to consider giving up on tracing it.
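The baseline-and-compare check described above, written out as an added example (this is not code from the original article, and it is not aide itself): take a hash list of the login scripts in a home directory before tracing an unknown program, and compare again afterwards and after the reboot. It assumes GNU coreutils sha256sum and grep are available; the list of script names is an assumption covering the usual shell and X login files.

```shell
#!/bin/sh
# Added example, not from the original article: an AIDE-style baseline of the
# login scripts in a home directory, taken before running an unknown program
# under strace and checked again afterwards (and after the reboot the article
# suggests). Assumptions: GNU coreutils sha256sum and grep are available; the
# file names below are the usual shell and X login scripts.

# Login scripts an untrusted program could edit to get run again at next login.
LOGIN_SCRIPTS=".bashrc .bash_profile .profile .bash_logout .xsession .xinitrc"

# take_baseline DIR OUTFILE: record the SHA-256 of every login script present.
take_baseline() {
    dir=$1; out=$2
    : > "$out"
    for f in $LOGIN_SCRIPTS; do
        if [ -f "$dir/$f" ]; then
            sha256sum "$dir/$f" >> "$out"
        fi
    done
    return 0
}

# check_baseline DIR BASEFILE: exit status 0 if nothing changed,
# 1 if a recorded script was modified or deleted,
# 2 if a login script appeared that was not in the baseline
# (a new file is reported even when another one also changed).
check_baseline() {
    dir=$1; base=$2; status=0
    # sha256sum -c re-hashes every listed file and fails on mismatch or absence.
    if [ -s "$base" ] && ! sha256sum --quiet -c "$base" >/dev/null 2>&1; then
        status=1
    fi
    for f in $LOGIN_SCRIPTS; do
        # The baseline lines end in "  DIR/NAME"; an unlisted file is new.
        if [ -f "$dir/$f" ] && ! grep -q -- "[[:space:]]$dir/$f\$" "$base"; then
            status=2
        fi
    done
    return $status
}

# Usage (as a non-root user, before and after tracing the unknown program):
#   take_baseline "$HOME" "$HOME/.login-baseline.sha256"
#   ... strace -o aa ./unknown.elf, then reboot ...
#   check_baseline "$HOME" "$HOME/.login-baseline.sha256" || echo "login scripts changed"
```

The DIR path is used inside a grep pattern, so a home directory containing regex metacharacters such as [ would need escaping; ordinary /home/name paths are fine.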

B. Cheating a crowd: a higher level of social engineering, which requires a certain level of skill. How do you cheat a crowd? There are several methods:
A. Write a very useful and popular program and publish its source code (or source that cannot actually be compiled at all), and at the same time release a binary with a backdoor implanted in it. We should be especially careful here, particularly with domestic programs. To put it bluntly, when you encounter a program that provides no source, or source that does not compile, do not use its ELF binary no matter how well the program is written. Think about it: we all managed to migrate from Windows to Linux and gave up so much useful software; can't we survive without yours? Haha.
B. Set up a system update mirror site: apt/yum for CentOS/RHEL, sources for Debian/Ubuntu, MIRROR for Gentoo. These excellent package management tools bring us great convenience, and many enthusiastic domestic friends use their resources to provide you with domestic upgrade mirrors. However, during an upgrade we must note that the software you are upgrading to may have been modified, for two possible reasons: the mirror owner deliberately plants a backdoor, or the mirror has been compromised (for example, a backdoor is added to the openssh program, or a default apache module is replaced). During the upgrade apt may only give you a simple warning, and if you press Y your system may have a backdoor implanted. Details below:
CentOS apt is really just RPM. Anyone can package a program into an RPM file and release it, and during installation the system gives no special warning, so this is very dangerous... If you are very concerned about system security, we recommend updating programs from the official site.
Debian/Ubuntu series, pure apt: there is a signature check during installation, and an alarm is raised when installing a deb whose signature does not match. I am very surprised to say that I remember that after installing Ubuntu 6.10 and running apt-get upgrade, the system reported that glftp failed authentication :( So when running apt-get install or upgrade, watch carefully and do not just press Y when you see "WARNING: The following packages cannot be authenticated!"
The Gentoo series uses SYNC to download the package metadata and MIRROR to download the package files. The two can come from different sites or from the same site. We recommend setting SYNC and MIRROR to different servers, so that when a modified package is downloaded and installed, verification fails and installation is refused; I think there are at least MD5 and SHA1 checks. Done this way, it is basically safe.
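What "verification fails and installation is refused" looks like in practice, as an added example (not code from the original article, and not the verification code of Gentoo, apt or RPM): a downloaded package file is checked against MD5 and SHA1 lists obtained from a different server than the package itself, and any mismatch or missing entry means the package is not installed. It assumes GNU coreutils md5sum/sha1sum and lists in the standard "digest  filename" format; the function names are my own.

```shell
#!/bin/sh
# Added example, not from the original article or from any distribution's own
# tooling: check a downloaded package against MD5 and SHA1 lists fetched from
# a different server than the package itself, which is the reason the article
# gives for pointing SYNC and MIRROR at different hosts. Assumptions: GNU
# coreutils md5sum/sha1sum; the lists use the standard "<digest>  <name>" lines.

# check_digest TOOL LIST NAME DIR
# 0: the digest recorded for NAME matches the file in DIR
# 1: NAME is listed but the digest differs (the file was altered somewhere)
# 2: NAME is not in LIST at all (nothing to verify against)
check_digest() {
    tool=$1; list=$2; name=$3; dir=$4
    # Only the line for this file is fed to the tool, so other entries in the
    # list (for files that were never downloaded) cannot mask a failure.
    line=$(grep -- "[[:space:]]$name\$" "$list" | head -n 1)
    [ -n "$line" ] || return 2
    # Run from the package directory so the relative name in the list resolves;
    # "-" makes the tool read the checksum line from standard input.
    ( cd "$dir" && printf '%s\n' "$line" | "$tool" -c --status - ) || return 1
    return 0
}

# verify_package FILE MD5LIST SHA1LIST: both digests must be present and match.
# Any non-zero result means "do not install", just as an apt authentication
# warning should be answered with N rather than Y.
verify_package() {
    file=$1; name=$(basename "$file"); dir=$(dirname "$file")
    check_digest md5sum "$2" "$name" "$dir" || return $?
    check_digest sha1sum "$3" "$name" "$dir" || return $?
    return 0
}

# Usage:
#   verify_package ./package.tar.gz ./MD5SUMS ./SHA1SUMS && echo "ok to install"
```

Requiring both digests means an attacker who replaces a package on the mirror would have to produce a file that collides under both MD5 and SHA1 and also tamper with the separately hosted lists; a checksum list served from the same mirror as the package adds no protection, which is the point of the SYNC/MIRROR split.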
C. The official website has been compromised and the software replaced. There is nothing to say about this one; just stay alert.

III. preventing overflow attacks
1. what is an overflow attack?
Skipping N lines ........ If you are interested in what overflow attacks are, google them.

2. Linux is inherently safer. After we perform the preceding steps, our Ubuntu system can basically defend against physical attacks (unless someone pulls out your hard disk....). Against remote threats, however, we still need to take some measures. Let's look at what, on a desktop machine, gives others a way in remotely:
Online communication programs: QQ, MSN, Skype, IRC, etc.
Web browsing and downloading programs: Firefox, mail clients, BT and eMule clients. Note that Firefox extensions are also very dangerous.
Files opened locally: pdf, ppt, doc, etc.
Although linux is very
