Sunday, 23 August 2015

Linux security time!

Linux security, is it just obscurity or not? Well, yes and no. Of course security by obscurity is a factor in the lack of malware on Linux, but that is not all. For one thing, Linux is open source, which means there are a lot of people looking over the code to patch any holes. Heck, you can do that yourself and compile a hardened distro with only the features you want.

Another big factor is that most software comes from trusted repositories managed and digitally signed by distro authors and their communities. That makes it much harder to get infected by downloading something from some random site (which should be scanned or uploaded to VirusTotal beforehand). Pretty much everything is provided in the software center.

So how do we make it even more secure? Well, I'll list the following methods:
- Grsecurity/SELinux/AppArmor: That is how you harden applications and the kernel. Think EMET, Malwarebytes' Anti-Exploit, or HitmanPro.Alert for Linux.
- Firejail/Docker: Isolates applications from the system via virtualization and access policies. Think Sandboxie for Linux.
- Custom firewall rules: Same as making Windows Firewall whitelist every inbound/outbound connection, except without possible backdoors.
- OSSEC: Real-time monitoring of the integrity/logs/policies of your OS. Sort of like Comodo Defense+ or another HIPS for Linux.
- A detection tool or AV like RKHunter or Comodo: Not necessary, but can serve as a failsafe.
- uBlock Origin, WOT, and other browser extensions: Blocks those malicious ads, JavaScript, websites, and whatnot, which is how you usually get infected.
- DNS, HOSTS, and other system config: Mostly like the above, except you can do more than just blacklist/whitelist domains or IP addresses. Usually for privacy.
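To make the "custom firewall rules" item concrete, here is an added example (my own, not part of the original post): a small POSIX shell script that generates a default-deny nftables ruleset whitelisting a handful of inbound and outbound ports, the Linux equivalent of the Windows Firewall whitelist approach described above. The port lists (`IN_TCP`, `OUT_TCP`, `OUT_UDP`) and the `nft-in-drop:`/`nft-out-drop:` log prefixes are constructed assumptions for a desktop that runs sshd and needs DNS, NTP, HTTP and HTTPS; everything else in both directions is dropped and rate-limited logging records what was blocked.

```shell
#!/bin/sh
# Added example (not from the original post): build a default-deny nftables
# ruleset that whitelists inbound and outbound connections. The port lists
# below are constructed assumptions; adjust them to what your host really runs.
set -eu

IN_TCP="22"              # assumed: sshd is the only service offered
OUT_TCP="53 80 443"      # assumed: DNS over TCP, HTTP, HTTPS (repos, browser)
OUT_UDP="53 123"         # assumed: DNS, NTP

# Turn "a b c" into "a, b, c" so it can be used as an nft set literal.
to_set() {
  printf '%s' "$1" | tr ' ' '\n' | paste -sd, - | sed 's/,/, /g'
}

# Emit the ruleset on stdout. Input, output and forward chains all default
# to drop, so anything not explicitly whitelisted is blocked and logged.
gen_ruleset() {
  cat <<EOF
flush ruleset
table inet filter {
  chain input {
    type filter hook input priority 0; policy drop;
    iif lo accept
    ct state established,related accept
    ct state invalid drop
    ip protocol icmp accept
    ip6 nexthdr icmpv6 accept
    tcp dport { $(to_set "$IN_TCP") } ct state new accept
    limit rate 5/minute log prefix "nft-in-drop: "
  }
  chain output {
    type filter hook output priority 0; policy drop;
    oif lo accept
    ct state established,related accept
    tcp dport { $(to_set "$OUT_TCP") } ct state new accept
    udp dport { $(to_set "$OUT_UDP") } accept
    limit rate 5/minute log prefix "nft-out-drop: "
  }
  chain forward {
    type filter hook forward priority 0; policy drop;
  }
}
EOF
}

# Sanity check on the generated text: every chain must default to drop.
count_drop_policies() {
  gen_ruleset | grep -c 'policy drop;'
}

# Syntax-check the ruleset with nft without loading it (needs nftables).
check_ruleset() {
  gen_ruleset | nft -c -f -
}

# Usage: `sh firewall.sh check` validates, `sh firewall.sh apply` loads the
# rules (root required); with no argument the script just prints them.
case "${1:-}" in
  check) check_ruleset ;;
  apply) gen_ruleset | nft -f - ;;
  *)     gen_ruleset ;;
esac
```

Run it without arguments first and read the output; then `check` before `apply`, because a default-drop output chain will silently break anything you forgot to whitelist (DHCP on UDP 67/68, mail, a VPN, and so on), and locking yourself out of a remote box over SSH is easy. The `ct state established,related` lines are what make the whitelist one-sided: replies to connections you opened are allowed back in without listing them explicitly.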

Feel free to add to the list or provide feedback. A (hopefully) active Wilders Security thread about this subject: http://www.wilderssecurity.com/threads/the-hardened-linux-thread.379114/

