Linux Workstation


So far in this series, we’ve walked through security considerations for your SysAdmin workstation from choosing the right hardware and Linux distribution, to setting up a secure pre-boot environment and distro installation. Now it’s time to cover post-installation hardening.

What you do depends greatly on your distribution of choice, so it is futile to provide detailed instructions in a blog series such as this one. However, here are some essential steps you should take:

  • Globally disable firewire and thunderbolt modules
  • Check your firewalls to ensure all incoming ports are filtered
  • Make sure root mail is forwarded to an account you check
  • Set up an automatic OS update schedule, or update reminders

In addition, you may also consider some of these nice-to-have steps to further harden your system:

  • Check to ensure sshd service is disabled by default
  • Configure the screensaver to auto-lock after a period of inactivity
  • Set up logwatch
  • Install and use rkhunter
  • Install an Intrusion Detection System

As I’ve said before, security is like driving on the highway — anyone going slower than you is an idiot, while anyone driving faster than you is a crazy person. The guidelines in this series are merely a basic set of core safety rules that is neither exhaustive, nor a replacement for experience, vigilance, and common sense. You should adapt these recommendations to suit your environment.

Blacklisting modules

To blacklist the firewire and thunderbolt modules, add the following lines to /etc/modprobe.d/blacklist-dma.conf:

blacklist firewire-core
blacklist thunderbolt

The modules will be blacklisted upon reboot. It doesn’t hurt to do this even if you don’t have these ports (but it doesn’t do anything either).

Root mail

By default, root mail is just saved on the system and tends to never be read. Make sure you set your /etc/aliases to forward root mail to a mailbox that you actually read, otherwise you may miss important system notifications and reports:

# Person who should get root’s mail

Firewalls, sshd, and listening daemons

The default firewall settings will depend on your distribution, but many of them will allow incoming sshd ports. Unless you have a compelling legitimate reason to allow incoming ssh, you should filter that out and disable the daemon.

systemctl disable sshd.service
systemctl stop sshd.service

You can always start it temporarily if you need to use it.

In general, your system shouldn’t have any listening ports apart from responding to ping. This will help safeguard you against network-level 0-day exploits.
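As an added example (not part of the original post, and not a tool of the series' author), here is a small POSIX shell audit that checks the items discussed so far: that firewire-core and thunderbolt are blacklisted, that root mail is forwarded in /etc/aliases, that sshd is not enabled at boot, and that nothing listens on a non-loopback address. It assumes the blacklist file path used in this post, systemd's sshd.service (ssh.service on Debian-derived systems) and iproute2's ss; the sample ss output embedded in it is constructed so the listener filter can be exercised offline.

```shell
#!/bin/sh
# Added example, not from the original post: audit helpers for the hardening
# steps above. File paths and unit names are assumptions noted inline.

BLACKLIST_CONF=/etc/modprobe.d/blacklist-dma.conf   # path used in this post
ALIASES=/etc/aliases

# Succeed only if every module named in $2.. has a "blacklist <mod>" line in $1.
blacklist_ok() {
    conf="$1"; shift
    for mod in "$@"; do
        grep -Eq "^[[:space:]]*blacklist[[:space:]]+$mod([[:space:]]|$)" "$conf" 2>/dev/null \
            || return 1
    done
    return 0
}

# Succeed only if the aliases file forwards root somewhere other than root itself.
root_alias_ok() {
    target=$(sed -n 's/^[[:space:]]*root[[:space:]]*:[[:space:]]*//p' "$1" 2>/dev/null | tail -n 1)
    if [ -n "$target" ] && [ "$target" != "root" ]; then
        return 0
    fi
    return 1
}

# Read `ss -H -tuln` output on stdin; print "<proto> <local-addr:port>" for every
# socket not bound to a loopback address (those are the ones the network can reach).
exposed_listeners() {
    awk '$5 !~ /^(127\.|\[::1\]|::1)/ { print $1, $5 }'
}

# Constructed sample of `ss -H -tuln` output, used for the stand-alone demo below.
SAMPLE_SS_OUTPUT='tcp LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
tcp LISTEN 0 5 127.0.0.1:631 0.0.0.0:*
udp UNCONN 0 0 127.0.0.53%lo:53 0.0.0.0:*
tcp LISTEN 0 128 [::]:22 [::]:*
tcp LISTEN 0 5 [::1]:631 [::]:*'

# Run the checks against the live system; return non-zero if anything fails.
audit() {
    rc=0
    if blacklist_ok "$BLACKLIST_CONF" firewire-core thunderbolt; then
        echo "OK   firewire-core and thunderbolt blacklisted in $BLACKLIST_CONF"
    else
        echo "FAIL firewire-core/thunderbolt not blacklisted in $BLACKLIST_CONF"; rc=1
    fi
    if root_alias_ok "$ALIASES"; then
        echo "OK   root mail is forwarded ($ALIASES)"
    else
        echo "FAIL root mail is not forwarded in $ALIASES"; rc=1
    fi
    # sshd.service on most distros; Debian-derived systems name it ssh.service.
    if command -v systemctl >/dev/null 2>&1; then
        if systemctl is-enabled --quiet sshd.service 2>/dev/null \
           || systemctl is-enabled --quiet ssh.service 2>/dev/null; then
            echo "FAIL sshd is enabled at boot"; rc=1
        else
            echo "OK   sshd is not enabled at boot"
        fi
    fi
    if command -v ss >/dev/null 2>&1; then
        open=$(ss -H -tuln 2>/dev/null | exposed_listeners)
        if [ -n "$open" ]; then
            echo "WARN sockets reachable from the network:"; echo "$open"; rc=1
        else
            echo "OK   nothing listens on a non-loopback address"
        fi
    fi
    return $rc
}

# Stand-alone demo on the constructed sample: prints only the two port-22 sockets.
printf '%s\n' "$SAMPLE_SS_OUTPUT" | exposed_listeners

# Audit the live system only when explicitly asked:  sh audit.sh --audit
if [ "${1:-}" = "--audit" ]; then
    audit
fi
```

The listener filter deliberately treats anything not bound to 127.0.0.0/8 or ::1 as exposed, which matches the rule above that a workstation should answer nothing but ping from the network; a line in the WARN list is either a daemon to disable or a port to filter at the firewall.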

Automatic updates or notifications

It is recommended to turn on automatic updates, unless you have a very good reason not to do so, such as fear that an automatic update would render your system unusable (it’s happened in the past, so this fear is not unfounded). At the very least, you should enable automatic notifications of available updates. Most distributions already have this service automatically running for you, so chances are you don’t have to do anything. Consult your distribution documentation to find out more.

You should apply all outstanding errata as soon as possible, even if something isn’t specifically labeled as “security update” or has an associated CVE code. All bugs have the potential of being security bugs and erring on the side of newer, unknown bugs is generally a safer strategy than sticking with old, known ones.

Watching logs

You should have a keen interest in what happens on your system. For this reason, you should install logwatch and configure it to send nightly activity reports of everything that happens on your system. This won’t prevent a dedicated attacker, but is a good safety-net feature to have in place.

Note that many systemd distros will no longer automatically install the syslog server that logwatch needs (because systemd relies on its own journal), so you will need to install and enable rsyslog to make sure your /var/log is not empty before logwatch will be of any use.

Rkhunter and IDS

Installing rkhunter and an intrusion detection system (IDS) like aide or tripwire will not be that useful unless you actually understand how they work and take the necessary steps to set them up properly (such as keeping the databases on external media, running checks from a trusted environment, remembering to refresh the hash databases after performing system updates and configuration changes, etc.). If you are not willing to take these steps and adjust how you do things on your own workstation, these tools will introduce hassle without any tangible security benefit.

We do recommend that you install rkhunter and run it nightly. It’s fairly easy to learn and use, and though it will not deter a sophisticated attacker, it may help you catch your own mistakes.

The first part of this series has walked through distro installation, and some pre- and post-installation security guidelines. In the next article, we’ll cover some of the best storage options to back up your workstation, and then we’ll dive into some more general best practices around web browser security, SSH and private keys, and more.
