Tiny Core Linux

Tiny Core Base => TCB Talk => Topic started by: Pats on November 28, 2009, 11:07:17 PM

Title: Is TCLs Cloud Mode computing really secure ?
Post by: Pats on November 28, 2009, 11:07:17 PM
While discussing abt TCL in our group, the natural question was raised abt the security aspect of TCL's cloud mode !

1) Is TCL's cloud mode really secure as far as private data of the user is concerned ?
2) What security can be provided to the user for production level setup of any enterprise ?
3) Has anybody exploited the possible loopholes in TCL - particularly in Cloud Computing mode ?

Experts may provide some clues on the subject.
Thanks !

~ Pats
Title: Re: Is TCLs Cloud Mode computing really secure ?
Post by: Guy on November 28, 2009, 11:41:19 PM
No computer connected to the internet can be guaranteed to be totally secure.

I suggest installing Tiny Core, not using cloud mode on a long term basis.

Use Iptables and basic firewall.
To start a basic firewall each time Tiny Core is started, add
sudo /usr/local/sbin/basic-firewall
to /opt/bootlocal.sh.

If you do this, Tiny Core is in stealth mode. Anyone trying random IP addresses will not get a response from Tiny Core, so they won't know it is there.

Anything sent to your computer which you have not requested, by clicking on something, will be dropped. It won't be allowed into your computer.

Another big advantage of Tiny Core is the frugal installation. If something was to go wrong, when you turn off the computer and restart it, the problem would be rectified.

Linux is inherently much more secure than Windows to begin with.
Title: Re: Is TCLs Cloud Mode computing really secure ?
Post by: Pats on November 29, 2009, 12:46:55 AM
Quote
No computer connected to the internet can be guaranteed to be totally secure.
I suggest installing Tiny Core, not using cloud mode on a long term basis
Very important point , you said !

Quote
To start a basic firewall each time Tiny Core is started, add
sudo /usr/local/sbin/basic-firewall
to /opt/bootlocal.sh.

Thanks ! :)

Quote
If you do this, Tiny Core is in stealth mode.
I hope none of the tricks explained here :
http://linuxreviews.org/news/2004/06/11_kernel_crash/

apply to TCL !

Quote
Another big advantage of Tiny Core is the frugal installation. If something was to go wrong, when you turn off the computer and restart it, the problem would be rectified.
???
Can the persistent directory be exploited by hackers ?

Quote
Linux is inherently much more secure than Windows to begin with.
That is for sure ! :)

Thanks !
~ Pats
Title: Re: Is TCLs Cloud Mode computing really secure ?
Post by: Guy on November 29, 2009, 01:09:12 AM
Quote
I hope none of the tricks explained here :

I don't know about the specifics of that info.

Because of the frugal installation, if Tiny Core works the first time, it will work every time.  It has huge advantages over conventionally installed operating systems, which may have files corrupted as a result of malfunctions, malware, user error, or just because the operating system is imperfect.

Quote
Can the persistent directory be exploited by hackers ?

It is extremely unlikely that hackers will get into Tiny Core with a firewall. If they did, no one can predict what they might do.
Title: Re: Is TCLs Cloud Mode computing really secure ?
Post by: Pats on November 29, 2009, 01:22:52 AM
Will it be timely and convenient - if TCL is ported with the basic firewall already built in the distribution ISO - considering TCLs cloud mode AppBrowser nature?
And then a shell script to disable it , if somebody does not want it ?

If someone forgets to start the firewall during live boot session or a boot code to start the FW at start-up ?
 ~ Pats
Title: Re: Is TCLs Cloud Mode computing really secure ?
Post by: curaga on November 29, 2009, 03:27:38 AM
Regular cloud mode runs no servers, so how could an attacker connect to you? Servers anyway should be run as some other user (usually "nobody"), that doesn't have sudo rights.

OTOH, if someone has control of your DNS, they can point ibiblio to their comp.
Title: Re: Is TCLs Cloud Mode computing really secure ?
Post by: Guy on November 29, 2009, 05:54:17 AM
I said above, it is better to install Tiny Core and set up a firewall.

However, if people choose to regularly run Tiny Core from the CD and use cloud mode, that is also very secure.

There is nothing on the CD which is of any value to hackers.

Don't have anything of value to hackers on your hard drive, such as bank account details.

Don't have your hard drive mounted, so they can't access it anyway.

If run like this, cloud mode is very secure.
Title: Re: Is TCLs Cloud Mode computing really secure ?
Post by: lucky13 on November 29, 2009, 06:13:38 AM
Sorry for venturing off topic...

Quote
Linux is inherently much more secure than Windows to begin with.

Ipse dixit. Linux enjoys security through obscurity. Windows' 95% market share makes it a more lucrative target than something whose greatest market penetration remains servers (where it's also quite vulnerable to compromise). No system is "inherently secure," particularly since users don't always keep their systems patched even if distros and upstream project leaders are on the ball; it also doesn't help that most users -- server or workstation -- exercise little restraint, common sense, or caution when using them. Also, there's this madness affecting most distros to use the most recently released version of any software rather than patch only for bugs and/or security; most "testing" has nothing to do with auditing/testing and more to do with making sure something doesn't repeatedly segfault or cause issues with other packages.

http://blogs.zdnet.com/security/?p=268
http://blogs.computerworld.com/14723/no_more_linux_security_bragging_botnet_discovery_worry
http://lucky13linux.wordpress.com/2009/08/23/linux-security-hole-goes-back-eight-years/
etc.

To get back to the topic, any persistent (rw) partition in TCL can be compromised by attack. So while the base can be "reset" via reboot, persistent config files can be overwritten and any data stored on media connected to your computer could be read, etc.

Per the second question about enterprise/production use, I wouldn't ever recommend TCL for such use without some deliberate changes. Those would start with tightening sudo rules and requiring a login rather than booting to a prompt or with an X desktop. I'd also ditch cheatcodes (norestore, base, etc.) that could be used to override my changes at least by local attack.
Title: Re: Is TCLs Cloud Mode computing really secure ?
Post by: Pats on November 29, 2009, 08:54:38 AM
Quote
Servers anyway should be run as some other user (usually "nobody"), that doesn't have sudo rights.
I think, even for a stand-alone server, the well-known shell script by nixCraft is famous - which goes something like this:
....
....
IPT="/sbin/iptables"
SPAMLIST="blockedip"
SPAMDROPMSG="BLOCKED IP DROP"

echo "Starting IPv4 Wall..."
# Flush all rules and delete user-defined chains in the filter, nat and mangle tables
$IPT -F
$IPT -X
$IPT -t nat -F
$IPT -t nat -X
$IPT -t mangle -F
$IPT -t mangle -X
# Load connection tracking
modprobe ip_conntrack

# Read the blocked-IP list, skipping comment lines and blank lines
[ -f /root/scripts/blocked.ips.txt ] && BADIPS=$(egrep -v -E "^#|^$" /root/scripts/blocked.ips.txt)

PUB_IF="eth0"

# Unlimited traffic on the loopback interface
$IPT -A INPUT -i lo -j ACCEPT
$IPT -A OUTPUT -o lo -j ACCEPT

# Default policy DROP for incoming, outgoing and forwarded traffic
$IPT -P INPUT DROP
$IPT -P OUTPUT DROP
$IPT -P FORWARD DROP
...
...
( incomplete - given just for example.. )

Quote
Don't have anything of value to hackers on your hard drive, such as bank account details.
Don't have your hard drive mounted, so they can't access it anyway.

Quote
any persistent (rw) partition in TCL can be compromised by attack. So while the base can be "reset" via reboot, persistent config files can be overwritten and any data stored on media connected to your computer could be read, etc.
In short, TCL is currently of no use for any production/critical level installations - if we should not mount even our HDD - then we should be just happy with TCLs experimental value ! :)
Quote
I'd also ditch cheatcodes (norestore, base, etc.) that could be used to override my changes at least by local attack.
Very Important & clever thinking - I think , but then w/o these cheatcodes TCL may be paralysed - isn't it ?

The Q is - is TCL Team going to keep TCL Diskless status forever ?
TCLs 2nd anniversary is very near (12/1) - Should we - the interested users demand more from TCL ?  :)

~ Pats
Title: Re: Is TCLs Cloud Mode computing really secure ?
Post by: gerald_clark on November 29, 2009, 09:24:40 AM
Demand?
Whose project is this anyway?
Title: Re: Is TCLs Cloud Mode computing really secure ?
Post by: Jason W on November 29, 2009, 09:54:00 AM
A few demand more user friendliness, another few demand more security.  You cannot please everyone with a default offering. 

If you want to run a firewall, it is only a couple of steps.  If you want to lock your machine further like for an always-on server, you can do that too.  Remove sudo and disable on demand package installation?  Go for it.  The whole point of TC is that it is up to you what kind of system you want.  The team and contributors try to give you the tools and packages to enable you to get what you want.

It is normally advised security-wise to have installed and running only what you need.  TC is ideal on that point.  You have to have a service installed and running for it to be compromised.  And while larger distros often have more of a security structure, their default install also may be running almost a dozen services that a newer user doesn't even know exist. 

Like Burger King, one of the TC concepts is "have it your way".
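
The point in the post above, that a service has to be installed and running before it can be reached, can be checked directly on a running system. The following is an added example, not part of the thread: a POSIX shell function that reads a table in the kernel's /proc/net/tcp format and reports every TCP port in LISTEN state and whether it is bound to loopback only. The sample table is constructed, it covers IPv4 only, and the address decoding assumes a little-endian (x86) host.

```shell
#!/bin/sh
# Added example (not from the thread): list listening TCP sockets.
# On a live system: list_listeners < /proc/net/tcp

# Constructed sample in /proc/net/tcp format. Addresses and ports are hex;
# on a little-endian host 0100007F is 127.0.0.1 and 00000000 is 0.0.0.0.
sample_proc_net_tcp() {
    cat <<'EOF'
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1001 1
   1: 0100007F:0277 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1002 1
   2: 0F02000A:9C40 0A0200C0:01BB 01 00000000:00000000 00:00000000 00000000  1001        0 1003 1
EOF
}

# Read the table on stdin, print "PORT SCOPE" for each socket in LISTEN state.
list_listeners() {
    while read -r _sl laddr _remote state _rest; do
        # State 0A is TCP_LISTEN; the header line and live connections are skipped.
        [ "$state" = "0A" ] || continue
        addr=${laddr%:*}
        port=$((0x${laddr#*:}))          # hex port to decimal
        case "$addr" in
            ??????7F) scope=loopback ;;  # 127.0.0.0/8: reachable from this host only
            *)        scope=exposed ;;   # 0.0.0.0 or an interface address
        esac
        echo "$port $scope"
    done
}

# Number of listeners reachable from other hosts unless a firewall blocks them.
count_exposed() {
    list_listeners | grep -c ' exposed$' || true
}

# In the sample: an SSH server on all interfaces, a loopback-only listener
# on port 631, and one outbound connection that is not a listener at all.
sample_proc_net_tcp | list_listeners
```

An empty result from `list_listeners < /proc/net/tcp` is the "no servers running" case discussed in the thread; any `exposed` line is a port that only a firewall rule keeps outsiders away from.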
Title: Re: Is TCLs Cloud Mode computing really secure ?
Post by: thane on November 29, 2009, 10:44:56 AM
I've got iptables/firewall installed, but I'm not sure I really need it. About all I do is web surfing. Also I'm behind a router although it doesn't have any firewall as far as I know.
Title: Re: Is TCLs Cloud Mode computing really secure ?
Post by: Jason W on November 29, 2009, 11:16:55 AM
I have a TC firewall/dhcp server installed on an old box that I have my network behind.  Mainly to give me a dhcp server when my DSL (internet connection) router is down, which sometimes happens in bad weather.  I have one TC machine that has nfs and ssh servers running that is my file server, so I like to have a firewall between it and the web. 

As for security, cloud mode is pretty good if your intent is to do some banking or other sensitive operations, stay on only as long as needed, and then reboot.  The security there would be more web browser related than firewall related anyway.

One saying I heard is that practicing security is more important than patching for security.  Ideally, both should occur.  If you practice security but your apps are a little behind in receiving the latest security patches, there is a chance that you can be compromised.  But if you have all the latest patches applied but don't practice security, you are worse off than in the former case.  If you run the latest Firefox or Opera but you leave your desk in a public setting while logged in to your bank account, guess what can happen.  Similar for using weak passwords.

Title: Re: Is TCLs Cloud Mode computing really secure ?
Post by: robc on November 29, 2009, 11:28:13 AM
Also if you are concerned about security you should disable icmp request responses and uptime detection.
Title: Re: Is TCLs Cloud Mode computing really secure ?
Post by: lucky13 on November 29, 2009, 12:40:13 PM
Quote
In short, TCL is currently of no use for any production/critical level installations - if we should not mount even our HDD - then we should be just happy with TCLs experimental value !

Note I wrote "connected" and not "mounted." Mounting is no problem if anyone gets in as users tc or root, whether local or remote. The only safe media is disconnected.

Experimental? It's fine for nomadic/portable use. I only use TinyCore from USB even though I still have it installed on my Aspire One's hard drive (Linux has proven utterly unusable with Atheros time outs and I grew wary of trying to sort out if it was with the Atheros drivers, WPA, or the card itself -- which functions flawlessly under XP so I only use XP). It's quite fine for a portable system. If you want enterprise-level Linux, you need something which is branded and -- most importantly -- supported as such. That means SLED and RHEL (and its clones, e. g., Oracle Unbreakable Linux, Scientific Linux, CentOS, etc.). I'd include Debian since it isn't tied to a fixed release cycle and has a fairly lengthy support cycle, but that's only relative to other distros that focus less on security/stability than bleeding edge release numbers. FWIW, I'm currently using Scientific on my "new" laptop and also my desktop and am quite happy with it even though it's not bleeding edge (it's well-patched, though, with SL's security patches coming <= 48 hours after RH's).

Quote
Very Important & clever thinking - I think , but then w/o these cheatcodes TCL may be paralysed - isn't it ?

Thanks and I concur with your kind words. I like to think I'm very important and that my thinking is clever.

The answer to your question: No. The user should always have the final say in how it functions on his own hardware. The compromises I pointed out aren't "limitations" or vulnerabilities or necessarily bad. TCL's philosophy is to be portable and modular. Those are things a user can un-do on his own but are necessary compromises to allow users more control over how things work. The very things that make things easier for users -- things like "sudo su" and cheatcodes --  are also things that make it easier for others to affect your system.

I agree with Jason that other traditional on-disk distros offer their own set of compromises by offering more security infrastructure if you can live with additional default services. Those are typically compromises that *do* matter in an enterprise/production scenario and the trade off is worth it. The "tightest" default install I've encountered is NetBSD's which requires the admin/user to even start SSH (OpenBSD's default is to start SSH unless the user says no at install). Most Linux distros are going to start a variety of default services which must then be shut down if the admin/user doesn't want or need them. TCL takes an approach I like better: if you know you need a particular service (CUPS, SSH, httpd, etc.) you're likely to set it up yourself.

Quote
Should we - the interested users demand more from TCL ?

Only if you make your own demands on your own hardware; if you think its default options are unsuitable for your intended use(s), remaster it so that it is. This is one of the great things about something as flexible as TCL. There's an annoying problem that pops up with nearly every open source project which manifests itself by suggesting something like "I need or want it to behave like this so the developers should implement this ASAP." What works for everyone else never matters when this problem pops its ugly head. Make it work on your own hardware or work with those who share your own peculiar needs, then offer your changes to others in the community.
Title: Re: Is TCLs Cloud Mode computing really secure ?
Post by: Pats on November 29, 2009, 08:58:06 PM
Thanks guys !
The whole exercise for this thread is to get good feedback from TCL experts to know what can be done to port our current setup (RHLinux) on TCL - since from the very first day of installing TCL we loved it ! :)
The whole concept of TCL is very new and interesting from the users POView. We are really excited abt TCL...

Our current setup is something like this:
1) A gateway server connected to the internet via a cable with only must needed services enabled. It has only Admin a/c ( no users at all ). It also acts as pass-thru mail service. It is simply a Celeron with 128MB RAM.
This m/c in turn is then connected to the LAN thru another intranet server (INServer).
2) This 2nd INServer has most of our needed services like File/Print server, WebProxy,mail,DNS,DHCP etc with proper authentication needed. It is a powerful P4-2.2GHz with 4GB RAM. It has 2 NWCards - one connected to GWServer and other to local LAN m/c.
3) All local users must login with a proper login/pw to access any net service thru this INServer.
4) Since most common users are comfortable with WinOS - so provision is given for Win as well as Linux m/c.
We want to retain our INServer and local LAN as it is - and just want to configure the GWServer with TCL. :)
That's why I wanted to have you experts' feedback on security aspects - which you guys have responded positively . Thanks really !

Quote
As for security, cloud mode is pretty good if your intent is to do some banking or other sensitive operations, stay on only as long as needed, and then reboot.
No the GWServer will be always on !

Quote
One saying I heard is that practicing security is more important than patching for security.  Ideally, both should occur.
I agree - I remember a story going like this ( FoxNews ): - Clinton e-signs the first digital bill with a smart card using his dog Buddy's name as the password -
It speaks volumes abt practicing security , when the world's then most powerful man knew nothing abt the digital security. So what abt a common user ! :)

Quote
Also if you are concerned about security you should disable icmp request responses and uptime detection.
Yah , possible ! Thanks !
Quote
If you want enterprise-level Linux, you need something which is branded and -- most importantly -- supported as such. That means SLED and RHEL ...
...
FWIW, I'm currently using Scientific on my "new" laptop and also my desktop and am quite happy with it even though it's not bleeding edge (it's well-patched, though, with SL's security patches coming <= 48 hours after RH's).
....
The very things that make things easier for users -- things like "sudo su" and cheatcodes --  are also things that make it easier for others to affect your system.
....
The "tightest" default install I've encountered is NetBSD's which requires the admin/user to even start SSH (OpenBSD's default is to start SSH unless the user says no at install).
Important points to note from my side !

Quote
Whose project is this anyway?
Quote
"I need or want it to behave like this so the developers should implement this ASAP."
Not at all ! I would definitely like the TCL Team to concentrate on their intended goal - to be portable and modular - !
But since TCL is evolving as a competitive contender in the new Linux horizon - my demands ( read requests -if the term pleases all ) are just my wishful thinking to make TCL more robust and secure !
Actually I foresee TCL as a good case for Embedded Technology in future ! :)

I really thank all of you for this healthy discussion abt TCLs security aspects !

~ Pats
Title: Re: Is TCLs Cloud Mode computing really secure ?
Post by: althalus on November 30, 2009, 01:01:35 PM
Quote
Ipse dixit. Linux enjoys security through obscurity.
In user space, sure. I'm not sure I'd agree with you if we were to talk about running Linux as a server. A properly configured linux box is rock solid. Even the latest root exploit discovered in Linux is only a risk on most distros IF you install WINE, which brings us to...
Quote
it also doesn't help that most users -- server or workstation -- exercise little restraint, common sense, or caution when using them.
The biggest security hole in any IT system - The users.
Quote
Also, there's this madness affecting most distros to use the most recently released version of any software rather than patch only for bugs and/or security; most "testing" has nothing to do with auditing/testing and more to do with making sure something doesn't repeatedly segfault or cause issues with other packages.
In counterpoint to that, many other packages are far out of date - Ever tried installing FreeRadius from a Ubuntu or RHEL repo? You'll get version 1.x - So outdated it's a security risk in itself, and technically no longer supported. So it goes two ways - Too up to date, and not up to date enough. I find the repo is great for desktop use, but for servers the only "right" way to do things is install the version recommended by the software maintainers, which usually means build from source.
Title: Re: Is TCLs Cloud Mode computing really secure ?
Post by: lucky13 on November 30, 2009, 04:53:24 PM
@althalus: This is devolving from the topic. I disagree with your dismissive attitude about "user space" (workstations/desktops?), especially since you agreed with my position that the user is the weakest link in security. That's the whole problem with "converting" the least savvy and most susceptible of Windows users to Linux: if they can't manage one learning curve, how do you expect them to manage a second (steeper) one? Then developers dumb things down so that Windows refugees can run everything as root just like they did in Windows. It's freaking stupid. People who can't safely run Windows shouldn't even be allowed near computers, period. And the same applies to servers. Poorly run/configured Linux servers aren't inherently more secure than Windows servers.

I'm not surprised your argument is also founded on a specious point that basically boils down to comparing apples to oranges -- "a properly configured" Linux box versus an improperly configured Windows box. Let's compare apples to apples and oranges to oranges. A properly configured computer -- whether workstation or server -- is going to be more secure regardless of operating system (everything else held constant). And any safely configured computer *used* in a safe manner is going to be more secure than one used without any restraint.

What do you mean by "far out of date"? Software has no expiration date, it doesn't go bad just because developers have newer versions. Enterprise distros' packages *are* patched for known and potential vulnerabilities, to fix bugs, and to add the occasional legitimate feature missing from earlier releases. Is my new laptop's kernel (2.6.18-164.6.1) "far out of date" by your reckoning? I see at least 164 reasons to believe it isn't. The highest release number isn't necessarily the most secure and I've seen way too many cases where it turns out to be the least secure ever. Look at the security feeds on the right side of my blog and note how many enterprise distro (SLED, RHEL, CentOS, etc.) packages get security updates and then look at all the security activity required for the bleeding edge distros. I haven't graphed it in a while, but I did a few years ago to illustrate why certain bleeding edge distros had no place in a production/enterprise environment. There's a price to pay for living on the bleeding edge, and that price is at the expense of security and stability.

Windows updates its OS every few years and most old binaries will still run on new releases. Most Linux distros change things around more drastically and more frequently. I once joked that that's the biggest reason fragmentation is less an issue in Linux than Windows: most Linux users install and reinstall so frequently that their file systems don't have time to frag.
Title: Re: Is TCLs Cloud Mode computing really secure ?
Post by: tclfan on December 01, 2009, 08:38:35 AM
This is a fascinating and productive thread and lots of quite valuable information and opinions have surfaced.
I would like to ask the following to levelset certain facts to compose a larger picture:
1. Since no servers are running unless installed, it should be secure? Specifically, if we run just browser, then firewall is not needed and does not add any value, is this correct?
2. Comparing to e.g. Puppy, which runs all as root (which is unacceptable except as rescue disk), how much security TC gains by running as user tc, although with no password and sudo not requiring password either?
No question it is much more secure, just would like your opinion please...
3. Can security attack alter the core system (Kernel and tcz's installed) or just the user persistent files, such as configs, when running from e.g. usb or frugal?
4. If TC is installed in a VM under host OS (e.g. Windows), can keyloggers type trojans infecting Windows intercept key strokes in the TCL VM? This possibility is not TC specific, of course...
4. What security features and configs are necessary to make TC an enterprise ready? Not speaking of support process, of course...

Your opinions would be greatly appreciated...
Title: Re: Is TCLs Cloud Mode computing really secure ?
Post by: combo3 on December 01, 2009, 01:37:46 PM
Quote
This is a fascinating and productive thread and lots of quite valuable information and opinions have surfaced.
I would like to ask the following to levelset certain facts to compose a larger picture:
1. Since no servers are running unless installed, it should be secure? Specifically, if we run just browser, then firewall is not needed and does not add any value, is this correct?
Secure only if you are running off a live cd, have absolutely no attached storage devices, and avoid web pages that require passwords or personal information. Otherwise, no.

IOW, doing your personal banking at a wifi hotspot is not a good idea.

Running without a firewall exposes all open ports to the web. A properly configured firewall blocks out unfiltered traffic and exposes only the ports you want open. However, web browsers, by their very design, provide a portal into your machine. Typing a URL into your address bar and hitting enter sends a request to download data onto your pc. What that data contains is anybody's guess. It could be benign text, pretty pictures, a virus, or a trojan that opens up additional ports on your machine.

A text-only browser, or one running without java, javascript, etc., enabled is probably immune to attack. But there's still the risk of passing it on to other devices on your network.

Quote
2. Comparing to e.g. Puppy, which runs all as root (which is unacceptable except as rescue disk), how much security TC gains by running as user tc, although with no password and sudo not requiring password either?
No question it is much more secure, just would like your opinion please...

Without additional hardening, TC is just as vulnerable.

Quote
3. Can security attack alter the core system (Kernel and tcz's installed) or just the user persistent files, such as configs, when running from e.g. usb or frugal?

Altering the core system directly would present an extreme challenge, especially if you're running from a cd. But once someone gains unrestricted access to your machine they can alter data on any device mounted with r/w privileges.

Quote
4. What security features and configs are necessary to make TC an enterprise ready? Not speaking of support process, of course...

I honestly wouldn't recommend TC for enterprise use.
Title: Re: Is TCLs Cloud Mode computing really secure ?
Post by: Pats on December 02, 2009, 05:39:37 AM
Quote
Ever tried installing FreeRadius from a Ubuntu or RHEL repo? You'll get version 1.x - So outdated it's a security risk in itself, and technically no longer supported. So it goes two ways - Too up to date, and not up to date enough.
Better educate oneself in Linux Security and deploy all the possible tools at hand to strengthen the network !

Quote
I disagree with your dismissive attitude about "user space" (workstations/desktops?), especially since you agreed with my position that the user is the weakest link in security. That's the whole problem with "converting" the least savvy and most susceptible of Windows users to Linux: if they can't manage one learning curve, how do you expect them to manage a second (steeper) one?
lucky13, I think you are very practical in your approach to the real Q of OS security - from the very POView of the general user , who are the real user of any system in real life. What is the use of the security gadgets from the best manufacturer in the world - if the on-ground user/guards are NOT equipped with the RealTime use/maintenance know-how ?

Quote
<People who can't safely run Windows shouldn't even be allowed near computers, period.>
Impractical - isnt it ? :)

Quote
<I'm not surprised your argument is also founded on a specious point that basically boils down to comparing apples to oranges -- "a properly configured" Linux box versus an improperly configured Windows box.>
Sorry to disagree - but real Q is -practical- approach to the possible secure environment handed-over to the real user, what development policy can be designed for security is the job of product developer - not user !
So whether -apples or oranges- both are equally imp from the consumer (user) angle. Of course the current topic is abt TCLs Cloud Mode !

Quote
<What do you mean by "far out of date"? Software has no expiration date, it doesn't go bad just because developers have newer versions. Enterprise distros' packages *are* patched for known and potential vulnerabilities, >
I think , you are contradicting your own view - it has expired in the current time - that's why developer issues new patches (read - contents) to be acceptable in product life cycle.

Quote
<I haven't graphed it in a while, but I did a few years ago to illustrate why certain bleeding edge distros had no place in a production/enterprise environment. >
Why ? Only because -the distro- has the potentiality for more bugs/vulnerability to collapse in BEdge enviro ? That is possible with even the NASA BEdge brand new capsule !

Quote
<Most Linux distros change things around more drastically and more frequently.>
That's the real problem with Linux from the users POView ! It is very difficult for a normal user to keep pace with the UNIX fundas - even the directory structure changes with some distros. ;)

Quote
<2. Comparing to e.g. Puppy, which runs all as root (which is unacceptable except as rescue disk), how much security TC gains by running as user tc, although with no password and sudo not requiring password either?
>
These distros are just - Try and Use - if satisfied develop it further by adding your own requirements and modules - something exciting - but as said above with a sharp learning curve - cause the whole concept changes for a old user of Linux.

Quote
<4. If TC is installed in a VM under host OS (e.g. Windows), can keyloggers type trojans infecting Windows intercept key strokes in the TCL VM? This possibility is not TC specific, of course>
I think - every type of attack is possible in Windoze system - it is a very old and widely used distro - so majority know how to exploit the weak links there. How many Linux users know - how to grant users rights or make a file executable or even install a new software in Linux ?
How many actually know the - tar or bzip usage - etc ?

Quote
<Secure only if you are running off a live cd, have absolutely no attached storage devices, and avoid web pages that require passwords or personal information. Otherwise, no.
>
In short - offline use ! But is it of any significance , specially in the age of Google and Twitter and always-On-line generation ?

Quote
<Typing a URL into your address bar and hitting enter sends a request to download data onto your pc. What that data contains is anybody's guess, It could be benign text, pretty pictures, a virus, or a trojan that opens up additional ports on your machine.
...
Without additional hardening, TC is just as vulnerable.
...
I honestly wouldn't recommend TC for enterprise use.>
Interesting and important points ! What TCL Team thinks abt your last point ? :)

By the way - has TCL any future plan of "Enterprising" TCL on the lines of RHL or DEBIAN ?


~ Pats


Title: Re: Is TCLs Cloud Mode computing really secure ?
Post by: tclfan on December 02, 2009, 05:58:50 AM
Thank you combo3 for detailed reply. Pardon my digging deeper into this, but I would like to better understand the scope of exposure and particularly in relation to the above points from technical perspective, not user browsing habits:
1. If there are no servers running as it is in basic TC, there should be no open ports, therefore what is the added value of the firewall?
If new ports are open in the course of internet browser activity such as trojans, then firewall would not play any role here and would not reduce the security exposure.  Is this correct?
2. TC appears to be significantly more hardened comparing to e.g. Puppy, which runs all as root, since it runs as user.  Why is TC just as vulnerable?
3. You cannot modify a CD, but the question is running from usb or frugal. If it is possible for someone to break in remotely to a running TC, overcoming the above points 1 and 2, is it feasible to modify the frugal or usb installation of the system in addition to user data?
4. What would be the most critical features missing that would bring TC closer to enterprise?
Thanks for your and others' patience, but this topic is quite important...
Title: Re: Is TCLs Cloud Mode computing really secure ?
Post by: althalus on December 02, 2009, 01:24:01 PM
Quote
1. If there are no servers running as it is in basic TC, there should be no open ports, therefore what is the added value of the firewall?
If new ports are open in the course of internet browser activity such as trojans, then firewall would not play any role here and would not reduce the security exposure.  Is this correct?
A properly configured firewall will stop anything outside from accessing the ports opened by those trojans.
A properly configured firewall will stop most of those trojans sending any information OUT of your network, as well.
Quote
2. TC appears to be significantly more hardened comparing to e.g. Puppy, which runs all as root, since it runs as user.  Why is TC just as vulnerable?
By default, the tc user has no password, and can use sudo without a password. It's not quite root access, but it's close enough. Simple enough, just fix the sudoers file, add a password to TC, and add /etc/sudoers and /etc/shadow to your backups. Or you could even remaster TC with your modified sudoers and shadow files.
Quote
3. You cannot modify a CD, but the question is running from usb or frugal. If it is possible for someone to break in remotely to a running TC, overcoming the above points 1 and 2, is it feasible to modify the frugal or usb installation of the system in addition to user data?
Technically yes, if a hacker manages to get disk access to your machine, they could alter system files. But if you think about the concepts TC is built around, cleaning up such an attack would be simple - Reboot without backing up, or after ensuring that all files listed in /opt/.filetool.list are clean. After the reboot, anything the attacker injected into your system is gone. Obviously one would still do a full system audit to make SURE that the only things there are what should be there.
Quote
4. What would be the most critical features missing that would bring TC closer to enterprise?
Thanks for your and others' patience, but this topic is quite important...
As far as I'm concerned, TC already has everything it needs to make a rock solid, dependable server. I'm testing it for use as a virtual OS for serving small to medium sized websites at the moment. For a virtual server with lower amounts of RAM, TC+cherokee far outperforms ubuntu+apache OR ubuntu+lighttpd. In the repo, TC already has firewall tools, TC already has openssh, TC already has common web servers and an NFS server. DNS in the form of DNSMasq OR Bind.

Security-wise, SELinux might be the only enterprise tool it's missing. There are other tools that might be necessary which either are not currently part of TC, or use different varieties to what I have:
* Monitoring (like Nagios and Munin)
* Management (like Webmin or something more centralised)
* Apps specific to your site, which depending on licensing, you could even package and contribute yourself, easing the path for the next business considering using TC.
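A check for the two defaults named in the reply above (no login password for tc, sudo without a password), as an added example that is not part of the original thread or of Tiny Core's own tooling. The file contents, the function names and the finding labels are constructed for illustration and are not copied from a Tiny Core system.

```shell
# Added example: audit copies of /etc/shadow and /etc/sudoers for an empty
# login password and for NOPASSWD sudo. All file contents are constructed.

# Logins whose shadow password field is empty (no password required).
empty_password_users() {
    awk -F: '$2 == "" { print $1 }' "$1"
}

# Subjects (user, %group or ALL) of sudoers rules tagged NOPASSWD.
# Comments and Defaults lines are skipped; included files are not followed.
nopasswd_subjects() {
    awk '/^[ \t]*(#|Defaults)/ { next }
         /NOPASSWD[ \t]*:/     { print $1 }' "$1"
}

# Print one finding per line; exit status 1 if anything was found.
audit() {
    shadow=$1; sudoers=$2; found=0
    subjects=$(nopasswd_subjects "$sudoers")
    for s in $subjects; do
        echo "NOPASSWD-SUDO $s"; found=1
    done
    for user in $(empty_password_users "$shadow"); do
        echo "EMPTY-PASSWORD $user"; found=1
        for s in $subjects; do
            case "$s" in
                "$user"|ALL) echo "ROOT-EQUIVALENT $user"; break ;;
            esac
        done
    done
    [ "$found" -eq 0 ]
}

# Constructed sample files: the weak pair and the corrected pair.
write_samples() {
    cat > "$1/shadow.weak" <<'EOF'
root:*:14575:0:99999:7:::
tc::14575:0:99999:7:::
EOF
    cat > "$1/sudoers.weak" <<'EOF'
# constructed sample
root ALL=(ALL) ALL
tc ALL=(ALL) NOPASSWD: ALL
EOF
    cat > "$1/shadow.fixed" <<'EOF'
root:*:14575:0:99999:7:::
tc:$6$CONSTRUCTED$placeholderhash:14575:0:99999:7:::
EOF
    cat > "$1/sudoers.fixed" <<'EOF'
root ALL=(ALL) ALL
tc ALL=(ALL) ALL
EOF
}

demo=$(mktemp -d)
write_samples "$demo"
audit "$demo/shadow.weak" "$demo/sudoers.weak" || echo "weak pair: findings listed above"
audit "$demo/shadow.fixed" "$demo/sudoers.fixed" && echo "fixed pair: clean"
rm -rf "$demo"
```

Setting a password alone still leaves the `NOPASSWD-SUDO` finding, so both files have to change before the audit passes.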
Title: Re: Is TCLs Cloud Mode computing really secure ?
Post by: combo3 on December 02, 2009, 01:27:18 PM
Quote
... I would like to better understand the scope of exposure and particularly in relation to the above points from technical perspective, not user browsing habits:

Just one quick point:

I know it's tempting to gloss over user habits, but as lucky13 mentioned in a previous post, they offer the greatest avenue of attack.

Kevin Mitnick's "The Art of Deception" provides an enlightening read on how social engineering can be used to circumvent even the most technologically secure systems.

Quote
1. If there are no servers running as it is in basic TC, there should be no open ports, therefore what is the added value of the firewall?

You might not be running Apache, MySQL, or PHP, but what about X11? or Xorg? or CUPS? or Samba? or NFS?

TC_Terminal_Server (netboot) runs TFTP and DHCP services.

Edna media server runs on Python.

All of them are servers with known vulnerabilities.

Even font libraries (http://www.google.com/linux?hl=en&q=font+vulnerabilities&btnG=Search) can be exploited.

Quote
If new ports are open in the course of internet browser activity such as trojans, then firewall would not play any role here and would not reduce the security exposure.  Is this correct?

Firewalls are there to mitigate exposure. Nothing is foolproof, but why take unnecessary risks?

Quote
2. TC appears to be significantly more hardened comparing to e.g. Puppy, which runs all as root, since it runs as user.  Why is TC just as vulnerable?

The only real difference is that TC requires you to issue an additional command before becoming root user.

From a security standpoint, it's the equivalent of arguing that a house with locked doors and a key under the mat presents a greater break-in challenge than one where the doors are left wide open.

Quote
3. You cannot modify a CD, but the question is running from usb or frugal. If it is possible for someone to break in remotely to a running TC, overcoming the above points 1 and 2, is it feasible to modify the frugal or usb installation of the system in addition to user data?

Theoretically, anything is possible. In practice, however, most compromised systems are either raided for personal info or turned into spam relays and/or warez/crackz/. servers.

Quote
4. What would be the most critical features missing that would bring TC closer to enterprise?
Technical issues aside, the main reasons I would cite against using TC in a corporate setting are that it is still relatively new, has a small development team, no tech support, depends on voluntary contributions (i.e. small repo), low uptake, and an unproven track record. For home use I think it's great... but I wouldn't use it for my company's web store.
Title: Re: Is TCLs Cloud Mode computing really secure ?
Post by: bmarkus on December 02, 2009, 01:29:07 PM

Quote
4. What would be the most critical features missing that would bring TC closer to enterprise?


Centralised management. Just one of the many others.
Title: Re: Is TCLs Cloud Mode computing really secure ?
Post by: tclfan on December 02, 2009, 01:52:48 PM
Althalus, Combo3, Bmarkus - Thanks very much for the elaborate insight. This thread is the best assessment on security I have read in a while! It looks to me that many pieces needed to harden TC security are available. It is just a matter of putting them together. Once I get some time I will try to integrate these pieces. I know there are bits and pieces of info on configuring these scattered around...
Title: Re: Is TCLs Cloud Mode computing really secure ?
Post by: Pats on December 02, 2009, 08:42:48 PM
I found these readings very interesting and in detail. Interested newbies can have a look at it:

http://www.linuxsecurity.com/

Security Features: What Does Windows 7 Have That Linux Doesn't have...

http://www.linuxsecurity.com/content/view/150685/86/&ei=6z4XS9CvLoGg6gPI_83JDw&sa=X&oi=nshc&resnum=1&ct=result&cd=1&ved=0CA0QzgQoAA&usg=AFQjCNHKRZs0SkTuM2uLh8KqSaMqTgh7ZQ

http://tldp.org/HOWTO/html_single/Security-HOWTO/

Hope this helps someone !

~ Pats
Title: Re: Is TCLs Cloud Mode computing really secure ?
Post by: 4-stroke on December 02, 2009, 08:58:59 PM
And ShieldsUP!

I always forget the address...

Edit: Link removed! I didn't realize it was a commercial site.
Title: Re: Is TCLs Cloud Mode computing really secure ?
Post by: roberts on December 03, 2009, 10:50:29 AM
Quickly perusing this thread, I did not see mention of the secure boot code.
With that you can set both root and default user passwords.

Tiny Core does not auto mount drives, therefore Tiny Core does not auto run foreign applications, i.e., pendrive insertion attack.

The use of sudo is quite common with Linux distributions and is not as careless or reckless as running as user root. It is common sense that most Linux distributions go through the work required to offer user access and not just root.
Title: Re: Is TCLs Cloud Mode computing really secure ?
Post by: curaga on December 04, 2009, 11:50:27 AM
What wasn't yet mentioned about running as root are the accidents. If a browser runs as root, it can crash the system completely. Of course, without a sudo password, it can do it intentionally, but when running as root, accidents can be much more severe.

I wouldn't give Flash root privileges; would you?
Title: Re: Is TCLs Cloud Mode computing really secure ?
Post by: Pats on December 08, 2009, 01:38:03 AM
Quote
Quickly perusing this thread, I did not see mention of the secure boot code.
With that you can set both root and default user passwords.

Tiny Core does not auto mount drives, therefore Tiny Core does not auto run foreign applications, i.e., pendrive insertion attack.
Good idea of secure boot code - why not to implement it ?

Quote
I wouldn't give Flash root privileges; would you?
Frankly, I also don't know the reason - why ?

Are there any latest known virus attacks or trojans noticed by anybody in Linux in general and TCL in particular ?

By the way - why anyone will try to browse web as a root ?
Why TCL not disable browsing web while logged in as root ? Is it possible ?

~ Pats
Title: Re: Is TCLs Cloud Mode computing really secure ?
Post by: roberts on December 08, 2009, 06:12:31 AM
Tiny Core's "secure" boot code has been implemented since day one.
Title: Re: Is TCLs Cloud Mode computing really secure ?
Post by: Pats on December 29, 2009, 03:03:03 AM
Hi !
Suppose I want to connect to : http://xyzxyz.com
1) What should be the ipchains rules -  if nobody except the connected site should be able to access my pc.
2) If the connected site is https:  ( Pl note the secured protocol ) - does ipchain rules needed if the above point 1)  is to be implemented ?
Kindly elaborate !
Thanks !
~ Pats
Title: Re: Is TCLs Cloud Mode computing really secure ?
Post by: curaga on December 30, 2009, 01:24:20 PM
Do you mean that your comp should only be able to access that site, not the other way around?
If so, the following as root should work. Note that I haven't tested this :P
The protocol (http/https/ftp/XXX) doesn't matter with the below rules.

# Remove old rules
iptables -F
iptables -X
iptables -Z
# Don't let anything pass by default
iptables -P OUTPUT DROP
iptables -P INPUT DROP
iptables -P FORWARD DROP
# Exceptions to above policy
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -d ip.of.the.site -j ACCEPT
iptables -A OUTPUT -d ip.of.your.DNS -j ACCEPT
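# Loopback: OUTPUT matches on the outgoing interface (-o, not -i),
# and INPUT needs its own rule because the policy above drops it
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT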
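A narrower variant of the rule set above, as an added example rather than code from the thread: it prints the rules instead of applying them, accepts only literal IPv4 addresses, and limits the exceptions to DNS and to the web ports of the one site. The function names are this example's own, and 192.0.2.10 and 192.0.2.53 in the usage comment are constructed documentation addresses.

```shell
# Added example: print (do not apply) an egress allowlist for one site.
# Review the output, then run it as root or pipe it to sh.

# Return 0 only for a dotted-quad IPv4 literal with each octet in 0..255.
is_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Print the rule set for one site and one resolver.
# usage: gen_rules SITE_IP DNS_IP   (e.g. gen_rules 192.0.2.10 192.0.2.53)
gen_rules() {
    site=$1 dns=$2
    is_ipv4 "$site" || { echo "site must be an IPv4 literal: $site" >&2; return 2; }
    is_ipv4 "$dns"  || { echo "dns must be an IPv4 literal: $dns" >&2; return 2; }
    cat <<EOF
iptables -F
iptables -X
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -p udp -d $dns --dport 53 -j ACCEPT
iptables -A OUTPUT -p tcp -d $dns --dport 53 -j ACCEPT
iptables -A OUTPUT -p tcp -d $site -m multiport --dports 80,443 -j ACCEPT
EOF
}

# When called with two arguments, print the rules for them.
if [ "$#" -eq 2 ]; then gen_rules "$1" "$2"; fi
```

Inbound traffic is accepted only as replies to connections the machine opened itself, so nothing outside can start a connection to it.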
Title: Re: Is TCLs Cloud Mode computing really secure ?
Post by: Pats on December 31, 2009, 02:55:18 AM
Quote
Hi

The rules should work for the situation, where all connections will be initiated from your pc - aka normal browsing. The site cannot connect to you without a request from your browser or another app.

Do you instead want a server, where only that site is able to access it?

- Curaga
Not a server !
As a simple user I always connect ( login as a registered user like so many other users of that site) to a particular site for some monetary transactions !
And during such transactions I want that my computer should NOT be accessible by anybody else except that particular site ( as that site checks for presence of a cookie on my PC intermittently).
I hope I am clear this time . :)
Waiting for the answer!
Thanks !
~ Pats
Title: Re: Is TCLs Cloud Mode computing really secure ?
Post by: Pats on December 31, 2009, 03:03:54 AM
One more Q !
Is the - ip.of.the.site - must ?
Can I use the xyz.com instead of ip.of.the.site ? (Although I have the ip of the site also !)
Thanks !
~ Pats
Title: Re: Is TCLs Cloud Mode computing really secure ?
Post by: curaga on December 31, 2009, 07:19:35 AM
No, I think iptables only takes ip addresses.
Title: Re: Is TCLs Cloud Mode computing really secure ?
Post by: Pats on December 31, 2009, 08:59:00 PM
Thanks again for prompt reply !
( As I said I hate to disturb sending private messages, but some topics - including this gets locked sometime - saying only Admin/Moderator can reply ).

Now trying to figure out how to close some unnecessary ports on my PC using man pages of nmap, will disturb You - if the need arises . :)
Thanks !
~ Pats
Title: Re: Is TCLs Cloud Mode computing really secure ?
Post by: curaga on January 01, 2010, 05:39:04 AM
If this thread is unavailable, and you think the info would be useful to others as well, please create a thread in one of the other sections.
Title: Re: Is TCLs Cloud Mode computing really secure ?
Post by: Pats on January 01, 2010, 06:02:16 AM
Well I am unable to post here thru Dillo , but now I can post thru mozilla and other browsers !
I am posting here , cause I just hope to keep all security related my Q/A in one thread for further archiving - that's all !
Title: Re: Is TCLs Cloud Mode computing really secure ?
Post by: ShatteredDaylight on January 01, 2010, 11:16:45 AM
Well depending on how sensitive data is I might add/summarize that in addition to all previous posts you should definitely consider these:
1. If you're using a router make sure that's the main focus of your efforts. But not to the point of neglect for others.
2. Don't even for a second consider keeping admin available on the router. Use it for maintenance only and go offline if you ever do use it. And make sure the password is ENCRYPTED; most routers won't do this by default so make sure you check.
3. Take note that the more sensitive the data is or the more someone is likely to care and the more extreme you need to get. And the more extreme you get the hotter a target you paint. But a general first thing to note is that the more info they have about the system (MAC address and so on) the easier it will be to get it no matter what levels of encryption, etc. you have (examples of beating encryption include denial of service attacks). Encryption in the end is really only good for keeping data secret. Not protection.
4. A good first step is keeping your ip and MAC secure. Your MAC can't really be hidden except by putting a buffer between you and the computer in question (this buffer is your router usually). IPs are more critical in that they're stored everywhere and not usually in your control. A solution is to have a changing IP address so that the router has no info about it until connection. This will slow down the router as it will prevent IP caching in the IP table but will prevent the most sure source of info from having much info at all. Depending on the number of computers behind the router this could become infeasible quickly (for example the securest way would be to write a random number generator that rewrote your IP every send but that would quickly create IP conflicts as computers would have the same IP).


As far as I know TC would be the most secure if only for its non-persistency of apps. However I would also advise putting some sort of lock on permissions to access the boot files as well as others. I'm not sure if you can actually do this in TC as I haven't got it running yet but a basic way should be just to unmount and force it to stay unmounted.

Note: I'm not an expert in security. But people do hire blitz teams for that purpose and I have hacked several servers with nothing but some CISCO knowledge, ping, trace, telnet, and a directory of the network's host computer names built with global directory.
Title: Re: Is TCLs Cloud Mode computing really secure ?
Post by: Pats on January 01, 2010, 05:29:40 PM
Quote
Well depending on how sensitive data is I might add/summarize that in addition to all previous posts you should definitely consider these:
My God ! You are quite deep in yr security know-how ! I have some more Qs abt security settings which I will be posting here later, presently I am RFFMing some linux articles and man pages !
So let us meet again here with some more Qs from me. Thanks really ! :)
~ Pats
Title: Re: Is TCLs Cloud Mode computing really secure ?
Post by: Pats on August 24, 2010, 10:15:05 PM
Are all of the TCs Repo mirrors safe & secure for dnloading exts ?
Or are any of them black-listed by TC or others ?
How to find trojans / Finder tools while one is online ?
Pl clarify !
Thnks!

~ Pats
Title: Re: Is TCLs Cloud Mode computing really secure ?
Post by: tinypoodle on September 05, 2010, 06:11:35 AM
Quote
Thanks again for prompt reply !
( As I said I hate to disturb sending private messages, but some topics - including this gets locked sometime - saying only Admin/Moderator can reply ).

Just try to disregard, seeing this message on top of reply box I am typing in right now :P
(While using links in graphics mode on console)