How to make a Puppy Linux security distribution?

For discussions about security.
Dennis Mitnick
Posts: 2
Joined: Tue 27 Aug 2019, 00:46

How to make a Puppy Linux security distribution?

#1 Post by Dennis Mitnick »

Hello!

How to make a Puppy Linux security distribution?

Thank you in advance !

musher0
Posts: 14629
Joined: Mon 05 Jan 2009, 00:54
Location: Gatineau (Qc), Canada

#2 Post by musher0 »

Hi Dennis.

You mean something like the TAILS distro? I think some PuppyLinux member has come
up with a quasi-clone of TAILS, but I can't remember who exactly, ATM. Sorry.

But for general daily use, any Puppy is already quite secure as is. To ascertain that, you
may wish to install and use Lobster's GROWL utilities.

Still not convinced? Install the lsof utility and run it as lsof -i. This will list all the insects on
your line!!! (Prepare for a surprise: on a Puppy, you won't find any!) ;)

Finally, the subject of security on Puppy Linux has numerous threads, so many in fact
that in the end you'll understand what the expression "ad nauseam" really means...

So I won't go into it further here. But feel free to do a bit of a search on this board on the
subject if you need more info.

IHTH.
musher0
~~~~~~~~~~
"You want it darker? We kill the flame." (L. Cohen)

s243a
Posts: 2580
Joined: Tue 02 Sep 2014, 04:48

Re: Security Puppy Linux

#3 Post by s243a »

Dennis Mitnick wrote: Hello!

How to make a Puppy Linux security distribution?

Thank you in advance !

Hello Dennis,

I recommend the version of Puppy Linux known as Puli (although I haven't personally tried it). There are two variants:
- Puli 6.0.5 - based on tahrpup (pearltrees)
- Puli 3.8.3 bark 6, released Nov 2014 - based on precise (pearltrees)

Tails was mentioned above. You can do something like that with iptables to set up tor's transparent proxy.

https://trac.torproject.org/projects/to ... arentProxy

Regarding tor, some members have security concerns related to using tor with puppy. For instance the user known as nosystemd/learn2code/figosdev claims puppy uses the ping utility in a way that may not be good for a tor user. I haven't looked into this yet, but if ping is used in this way it should be easy enough to disable this behaviour with iptables.

Another security measure you can look into is the use of containers. EasyOS has something called easy containers, and the user rufwoof has implemented similar containers on fatdog64 and dpup stretch.

As a final note, if you are looking to run puppy as a non-root user, you might want to give tazpup a try.
Find me on minds (https://www.minds.com/ns_tidder) and on pearltrees (https://www.pearltrees.com/s243a/puppy-linux/id12399810).
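The transparent-proxy setup and the ping concern in the post above can be handled with one rule set. The script below is an added example, not code from s243a, the thread, or the Tor wiki page linked above: it prints (and, as root, can apply) iptables rules that push every non-Tor connection through Tor's TransPort and DNSPort and refuse everything else. The nat table only redirects TCP and UDP, so a root-owned ping never matches a REDIRECT; the closing REJECT in the filter table is what stops it leaving the box outside Tor. The tor username, TransPort 9040 and DNSPort 5353 are assumptions taken from a typical torrc; edit the variables to match yours. It also assumes the machine has no LAN it needs to reach directly.

```shell
#!/bin/sh
# Added example: emit (and optionally apply) iptables rules for a Tor
# transparent proxy that also blocks non-Tor ICMP such as Puppy's ping.
# Assumptions: tor runs as user "tor", torrc contains
#   TransPort 9040
#   DNSPort 5353
# and nothing on the box needs to talk to the local network directly.

TOR_USER="${TOR_USER:-tor}"
TRANS_PORT="${TRANS_PORT:-9040}"
DNS_PORT="${DNS_PORT:-5353}"

# Print one iptables command per line. Nothing is executed here, so the rules
# can be reviewed (or diffed against iptables-save) before they go live.
tor_rules() {
    uid=$(id -u "$TOR_USER" 2>/dev/null || echo 100)  # 100 is a stand-in when "tor" is absent
    cat <<EOF
iptables -t nat -F OUTPUT
iptables -F OUTPUT
iptables -t nat -A OUTPUT -m owner --uid-owner $uid -j RETURN
iptables -t nat -A OUTPUT -o lo -j RETURN
iptables -t nat -A OUTPUT -p udp --dport 53 -j REDIRECT --to-ports $DNS_PORT
iptables -t nat -A OUTPUT -p tcp --syn -j REDIRECT --to-ports $TRANS_PORT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m owner --uid-owner $uid -j ACCEPT
iptables -A OUTPUT -j REJECT
EOF
}

# Apply the rules. Needs root and a real tor user; stops at the first failure.
apply_tor_rules() {
    id -u "$TOR_USER" >/dev/null 2>&1 || { echo "no such user: $TOR_USER" >&2; return 1; }
    tor_rules | sh -e
}

# After applying: `ping -c1 1.1.1.1` is refused ("Operation not permitted"),
# while `curl https://check.torproject.org/` should report a Tor exit.
```

Rule order matters: the two RETURNs in the nat table exempt tor itself and loopback so tor's own outbound circuits are not looped back into the proxy; the filter-table ACCEPT for the tor uid is what lets those circuits out, and everything not covered (including ICMP and any process that bypasses the redirect) hits the final REJECT.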

Sylvander
Posts: 4416
Joined: Mon 15 Dec 2008, 11:06
Location: West Lothian, Scotland, UK

#4 Post by Sylvander »

Also take a look at Banksy 3.
[Loads from a CD, user is then prompted to remove the CD]
Storage locations are normally not available, but can be, IF the user knows how.
I've been told how [in PM] by greengeek.

I use the "b3impgeneric_RC5.iso" linked HERE. Don't think I've tried RC8, also linked there.
Made for me, so as to be able to personalize the OS [install extras? I installed WINE and Xfe.]

I tried Puli.
It was good, but rather too complicated for me.
Settled on Banksy 3.

8Geee
Posts: 2181
Joined: Mon 12 May 2008, 11:29
Location: N.E. USA

#5 Post by 8Geee »

I will add that most any pup or dog can be run from a CD or DVD. When done, shutdown NO SAVE. The only other problem with security is the browser... unfortunately the default settings (a thousand or more) are not secure enough. Personally, I have gone through two browsers, FF27 and FF6605. Each needed over 400 changes to the default settings. :shock: That required quite a bit of time, and is probably not for everyone (but doing the FF6605 was 'easier' due to previous experience with FF27). The reward is that FF6605 has the latest certs using TLS 1.2 and 1.3... the old FF27 still has two good certs out of 20 or so original.

Regards
8Geee
Linux user #498913 "Some people need to reimagine their thinking."
"Zuckerberg: a large city inhabited by mentally challenged people."

purple379
Posts: 157
Joined: Sat 04 Oct 2014, 22:23

Security version of Puppy

#6 Post by purple379 »

Barry's "Easy OS" project, then perhaps run from a multi-session optical disk. Thank you Barry Kauler.

Perhaps better needed is a book of how to do things in a private, secure way. Checklists of what not to do, how to proceed. I might call it a recipe book.

At least a list of when to reboot after doing which things.

Keep in mind that encryption is usually broken not in the theory of the encryption but in practice. People make mistakes in using encryption that usually gives away the value of encryption.

I see several distros on the internet talking about security. I also notice that some seem to have only three (or fewer) developers, who I assume work part time. Hmm.

At least Puppy Linux is not Windows, part of whose goal now is to broadcast what we do on the internet.

nosystemdthanks
Posts: 703
Joined: Thu 03 May 2018, 16:13

Re: Security version of Puppy

#7 Post by nosystemdthanks »

purple379 wrote: People make mistakes in using encryption that usually gives away the value of encryption.
indeed, puppy makes a few of those that reduce its worth in terms of security or privacy.

the problem with secure puppy isn't that it's called puppy, it's that most users don't want to take security seriously. if it's not important enough to you to change your habits or alter designs, then all you can do is come up with some bandages and slap the word "secure" onto the thing.

lets try this:

what are the three biggest security problems for regular puppy? answer that, and start by fixing at least one of those. but that won't make it secure, it will make it less insecure. security is about tradeoffs, and puppy makes a few in the other direction.

minimalism is good though.

one gradual route to security is to figure out what you don't need, then remove it so that it isn't a vector. easier to secure a simple distro than a complicated one, though adding security will complicate certain things.

purple379 wrote: At least Puppy Linux is not Windows, part of whose goal now is to broadcast what we do on the internet.

that is a plus.

The freedom to NOT run the software, to be free to avoid vendor lock-in through appropriate modularization/encapsulation and minimized dependencies; meaning any free software can be replaced with a user's preferred alternatives.

purple379
Posts: 157
Joined: Sat 04 Oct 2014, 22:23

A lot of malware gets up to no good with browsers.

#8 Post by purple379 »

That is, browsers let stuff in that causes problems.

There are all the options of security for Firefox, meaning we should download and install those. I am not knowledgeable about Seamonkey, or some other browsers. Tor anyone? Brave?

Don't let things which snuck in the door of the browser stay.

Frankly, browsers have gotten a lot better in stopping things.

Clear the browser cache, and reboot. Puppy can do that.

Start with a clean version of the OS (reboot) before and after doing something important.

Whether the version of Puppy you use does a lot of root becomes irrelevant, if one reboots and places a fresh copy of the OS in use.

I liked an app that works in Apple Mac OS, "Little Snitch," which allows one to approve/disallow individual outgoing connections. It can be annoying and a huge use of time.

Use a search engine like "duckduckgo." Part of protecting browser.


Get better definitions of goals. The general public keeps getting confused by the term "computer security", which means different things.

Whether we are stopping malware (malevolent stealing, Messing up our computers)

Seeking Privacy (keeping others- individuals or corporations out of your, my business.)

versus Security.

Security being where people could be hurt, lives could be lost.

Those definitions being for individuals, corporations being somewhat different.

Added later: A new version of Barry Kauler's Easy OS is out in early 9-2019.
Any of you ever tried: Yubico Key
https://www.yubico.com/

I am always suspicious of Google being a partner.

rufwoof
Posts: 3690
Joined: Mon 24 Feb 2014, 17:47

Re: A lot of malware gets up to no good with browsers.

#9 Post by rufwoof »

purple379 wrote: Clear the browser cache, and reboot. Puppy can do that.

Start with a clean version of the OS (reboot) before and after doing something important.

Whether the version of Puppy you use does a lot of root becomes irrelevant, if one reboots and places a fresh copy of the OS in use.
... provided the likes of your MBR/bootloader/kernel are physically isolated. In other words, boot from usb, where the usb is removed once booted. With the OS running fully in ram, only that session can be cracked. Any data is also at risk, so good disconnected backup practice is required.

For online security just use a clean boot to do secure stuff (banking) and close/reboot again afterwards. For the rest you just have to accept the risks (such as your Puppy Forum userid/password). They might equally be cracked via penetration of the web site itself.

For obscuring local state/government monitoring you can route everything through ssh to a remote server, or use something like Tor. But that can introduce other risks (circle of trust).

I boot the same known clean system every time, and store data separately outside of the OS space. Booting from usb loads everything into ram and then the usb is disconnected once booted. If I do want to make a change then I just boot, make the change, save, unplug usb. Recently I've been using wiak's scripts to build the system/setup completely afresh quite regularly - following voidlinux --current. A 20 minute or so task that I just kick off and leave running in the background whilst I do other things.

For larger tasks, video editing etc. that can blow the ram limit, I have an encrypted swap file that I can activate. Encrypted using a random session key, so if my laptop were stolen/confiscated then it is pretty much impossible to get to the clear text (decrypted) content that might have been stored in ram ... and nobody, not even I, knows the 'passwords' (keys) that were used for the encryption.
( ͡° ͜ʖ ͡°) :wq
Fatdog multi-session usb: http://murga-linux.com/puppy/viewtopic.php?p=1028256#1028256
echo url|sed -e 's/^/(c/' -e 's/$/ hashbang.sh)/'|sh (https://hashbang.sh)
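The random-key encrypted swap rufwoof describes is what cryptsetup's "plain" mode with a key read from /dev/urandom gives you. The script below is an added example of that setup, not rufwoof's own scripts; the swap file path, size and mapper name are assumptions, and `DRY_RUN=1` prints the command sequence instead of executing it (the real run needs root, cryptsetup and losetup). Because the key is never written anywhere, the swap is unreadable once the mapping is closed or the machine loses power; the flip side is that the device has to be re-formatted with mkswap on every activation (the script does this) and hibernate/resume through that swap is impossible.

```shell
#!/bin/sh
# Added example: swap file encrypted with a throwaway key from /dev/urandom.
# Assumptions: root, cryptsetup and losetup available, swap file on a normal
# filesystem (not tmpfs). DRY_RUN=1 prints the commands instead of running them.

SWAPFILE="${SWAPFILE:-/mnt/home/swapfile}"
SWAPSIZE_MB="${SWAPSIZE_MB:-2048}"
MAPPER="${MAPPER:-cswap}"
DRY_RUN="${DRY_RUN:-0}"

run() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# Create the backing file once. It is fully written (no sparse holes) because
# swap over a file with holes can stall under memory pressure. The file itself
# never carries a swap header; mkswap runs on the encrypted mapping.
create_swapfile() {
    run dd if=/dev/zero of="$SWAPFILE" bs=1M count="$SWAPSIZE_MB"
    run chmod 600 "$SWAPFILE"
}

# Attach the file to a loop device, map it through dm-crypt in plain mode with
# 64 random bytes (AES-256 in XTS) as the key, then format and enable swap.
enable_encrypted_swap() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "losetup --find --show $SWAPFILE"
        loop=/dev/loopN                      # placeholder for dry runs
    else
        loop=$(losetup --find --show "$SWAPFILE") || return 1
    fi
    run cryptsetup open --type plain --key-file /dev/urandom \
        --cipher aes-xts-plain64 --key-size 512 "$loop" "$MAPPER"
    run mkswap "/dev/mapper/$MAPPER"
    run swapon "/dev/mapper/$MAPPER"
}

# Tear down in reverse. After `cryptsetup close` the key only ever lived in
# kernel memory, so whatever was swapped out is gone for good.
disable_encrypted_swap() {
    run swapoff "/dev/mapper/$MAPPER"
    run cryptsetup close "$MAPPER"
    if [ "$DRY_RUN" = "1" ]; then
        echo "losetup -d /dev/loopN"
    else
        loop=$(losetup -j "$SWAPFILE" | cut -d: -f1)
        if [ -n "$loop" ]; then losetup -d "$loop"; fi
    fi
}

# Usage: create_swapfile once; enable_encrypted_swap before the big job;
# disable_encrypted_swap afterwards (or just shut down).
```

`cryptsetup open --type plain` with `--key-file` reads the key bytes as-is, so no passphrase hashing is involved and there is nothing to brute-force later; `--key-size 512` is the XTS key length (two 256-bit AES keys).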

nosystemdthanks
Posts: 703
Joined: Thu 03 May 2018, 16:13

Re: A lot of malware gets up to no good with browsers.

#10 Post by nosystemdthanks »

purple379 wrote: A new version of Barry Kauler's Easy OS is out in early 9-2019.
Any of you ever tried: Yubico Key
https://www.yubico.com/

I am always suspicious of Google being a partner.
imo, talking about security while using an os hosted on microsoft github... well, you know what i'm going to say and i know what people are going to respond, but i'm going to say it because lots of people do, and their concerns are being ignored or (after deliberation that some would deem fair or sufficient) put aside and unmitigated.

belham2
Posts: 1715
Joined: Mon 15 Aug 2016, 22:47

Re: A lot of malware gets up to no good with browsers.

#11 Post by belham2 »

purple379 wrote:
Added later: A new version of Barry Kauler's Easy OS is out in early 9-2019.
Any of you ever tried: Yubico Key
https://www.yubico.com/

I am always suspicious of Google being a partner.

Hey Purple,

Been using Yubikeys for over 3 years now. And using them with Google's Advanced Protection Program (means if I lose the Yubikeys, I am screwed, as neither Google nor I will be able to recover those gmail accounts). Yes, I do realize it is Mother Spy Google, but in this regard, yubico-locked email has brought me great peace of mind over the years. For anything sensitive done in one's life, well I think you know what I mean. I've discussed Yubikeys for nearly three years in this "Security" forum, in many different threads.

And regarding Barry's Easy, been using it since he first started it (and was using almost everything else before that he was creating and fooling around with). I like the direction Barry has taken with Easy. He's actively trying to address security-concerns, among several other things. Easy may be nowhere near rufwoof's level of lockdown, but Barry is doing things that I agree wholeheartedly with. Things that are promising, imho.

rufwoof
Posts: 3690
Joined: Mon 24 Feb 2014, 17:47

#12 Post by rufwoof »

Re:yubico

Suppose I'm a cracker and, seeing someone visit or link to my web site, I note that they're running an OS/browser combination with a known flaw that can be exploited to provide remote command execution, and I (my system) deploy that attack. Perhaps dropping straight into a root cli (or if not, using other known methods to elevate to root).

With root access my next port of call is noting that the target system is using a frugal boot; I update the MBR to first load my own installed bootloader that sets up my own unseen micro OS running beneath the main OS. It looks to the target like a perfectly normal boot session, but they don't see that they're actually running in a chroot instead of switch_root. Neither do they see any of the processes that the micro OS is running; to the casual eye nothing is wrong.

With that I can monitor sites visited and mostly just remain hidden, but upon seeing the target requesting to go to a bank's web site it redirects instead to my own pre-prepared web site address that replicates the bank's web site. When they enter their username, password and YubiKey I use that to actually connect to their bank and empty the bank account, whilst returning a 'sorry the site is down at present and our engineers are working as quickly as possible to resolve the issue' type message. With the account cleared I reset the MBR back to as before and leave it for the target to argue with their bank that it wasn't them that actually made the money transfer to buy bitcoins or whatever. By then of course the money has been transferred multiple times to the extent of being untraceable and the fake bank web site is a dead link.

A simplistic example of what could occur, i.e. a viable man-in-the-middle attack despite using a Yubikey. The saving grace however is that that is a relatively low-reward attack for crackers, as in practice most banks will do other checks when more than $5000 or so is being transferred. But if it is simple enough, and given potentially high volumes of multiple $4000 hits/day across a wide range of targets, then the appeal to crackers rises.

Simple mitigation is to use a usb boot that is removed immediately after booting, so it's physically isolated and remains clean. When a clean boot of that is used to go directly to a bank's web site, nowhere else before, then there's a very high probability that that session will be clean.
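The scenario above hinges on the attacker rewriting the MBR and the frugal install's boot files. Unplugging the stick after boot keeps them out of reach of a compromised session, but you can also verify them from a clean boot. The script below is an added example, not code from rufwoof or the thread: it records SHA-256 hashes of the boot device's first sector (MBR code plus partition table) and of the frugal install's kernel, initrd and main SFS into a manifest, and later re-checks them, naming each component that changed. The device path, install directory and file names are assumptions; store the manifest where the running system cannot rewrite it (a second read-only stick, or a printout you compare by eye).

```shell
#!/bin/sh
# Added example: snapshot and verify the parts a bootkit would have to modify.
# Assumed layout: boot device /dev/sdb, frugal install in /mnt/sdb1/puppy with
# vmlinuz, initrd.gz and puppy.sfs. Run make_manifest from a boot you trust,
# keep the manifest off the stick, run check_manifest on later boots.

BOOT_DEV="${BOOT_DEV:-/dev/sdb}"
FRUGAL_DIR="${FRUGAL_DIR:-/mnt/sdb1/puppy}"
BOOT_FILES="${BOOT_FILES:-vmlinuz initrd.gz puppy.sfs}"

# Hash only the first 512 bytes: that is where MBR boot code and the partition
# table live, and where a replacement bootloader has to go.
boot_sector_hash() {
    dd if="$1" bs=512 count=1 2>/dev/null | sha256sum | cut -d' ' -f1
}

file_hash() {
    sha256sum "$1" | cut -d' ' -f1
}

# Write "hash label" lines to stdout; label is bootsector:<dev> or file:<path>.
make_manifest() {
    dev="$1"; dir="$2"
    echo "$(boot_sector_hash "$dev") bootsector:$dev"
    for f in $BOOT_FILES; do
        [ -f "$dir/$f" ] || { echo "missing $dir/$f" >&2; return 1; }
        echo "$(file_hash "$dir/$f") file:$dir/$f"
    done
}

# Recompute every entry and compare. Returns 0 only if all match; each
# mismatch (or missing file) is reported so the operator sees what changed.
check_manifest() {
    manifest="$1"
    rc=0
    while read -r want label; do
        case "$label" in
            bootsector:*) have=$(boot_sector_hash "${label#bootsector:}") ;;
            file:*)       have=$(file_hash "${label#file:}" 2>/dev/null) ;;
            *)            echo "bad manifest line: $label" >&2; rc=1; continue ;;
        esac
        if [ "$have" != "$want" ]; then
            echo "MISMATCH $label" >&2
            rc=1
        fi
    done < "$manifest"
    return $rc
}

# From a trusted boot:
#   make_manifest "$BOOT_DEV" "$FRUGAL_DIR" > /mnt/sdc1/boot.manifest
# On later boots:
#   check_manifest /mnt/sdc1/boot.manifest && echo "boot chain unchanged"
```

This only catches modification of what it hashes; a bootloader stage stored elsewhere (a boot partition, an EFI system partition) needs adding to the list, and the check is only as trustworthy as the session running it, which is why it belongs in the clean, stick-removed boot rather than the everyday one.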

8Geee
Posts: 2181
Joined: Mon 12 May 2008, 11:29
Location: N.E. USA

#13 Post by 8Geee »

Have to say that example of MITM has had a recent, nasty showing with Bluetooth. And, the concept directly applies to your example.

nosystemd relates a great idea... if you don't use it, lose it. One less vector of attack. That's how AtomicPup-XIX was spun... toss out ALL the servers and shares. Even FreeOffice had a server binary to "Check for updates". Trash-binned.

YMMV/YRMV
8Geee

rufwoof
Posts: 3690
Joined: Mon 24 Feb 2014, 17:47

#14 Post by rufwoof »

8Geee wrote: nosystemd relates a great idea... if you don't use it, lose it. One less vector of attack.
systemD has over a million lines of code. Voidlinux's runit has around 1000 lines of code. If so inclined, I've a far better prospect of being able to look over runit code and understand what it is doing compared to systemD's code.

nosystemdthanks
Posts: 703
Joined: Thu 03 May 2018, 16:13

#15 Post by nosystemdthanks »

rufwoof wrote:
8Geee wrote: nosystemd relates a great idea... if you don't use it, lose it. One less vector of attack.
systemD has over a million lines of code. Voidlinux's runit has around 1000 lines of code.
so void vs devuan is an interesting comparison. i've got void running right now -- they do a FAR better job of cleaning out systemd than devuan does.

(devuan's job is harder, as they're starting with debian and it has more of a mess to clean up. and it's a moving target.)

i've been very critical of devuan since ascii, but beowulf is at least a step forward again. they did the best with jessie:

(8) jessie (9) ascii (10) beowulf

but theyre making progress again.

worth mentioning is that although void is much cleaner of systemd, systemd is developed on microsoft code servers -- and so is all of void as well. so that's a point for devuan, they don't use github.

its sad that so many things (5 years in!) are still catching up.

i got someone from the board of the fsf to talk about this today; i feel we are getting closer (a bit) to some progress there. too soon to be sure, of course. we need a name for these setbacks, collectively.

oh and 8geee: thanks!

Lobster
Official Crustacean
Posts: 15522
Joined: Wed 04 May 2005, 06:06
Location: Paradox Realm

#16 Post by Lobster »

> I am not knowledgeable about Seamonkey, or some other browsers. Tor anyone? Brave?

I am using Brave at the moment. Using it instead of Safari on an iPad. Very simple. Many unwanted browser facilities can be turned off. Safari, much like IE on Windows used to be, is integrated into the OS. Safari still comes on line as the default browser. I cannot disable it unless I jailbreak the iPad. Not interested in adding that complication ... :roll:

Brave is available for Linux, so might check it out ... :D
Tor? Unworkable. Too slow. I have no military grade secrets. I am not a criminal, spy or hacktivist. So it is just overkill for me.

Seamonkey is an excellent real world browser, still being used by Barry. It has many security preferences ...

As has been mentioned Browsers are the ONLY WAY that Puppy has ever been known to be compromised. Root usage is a red herring. The main culprit is enabling javascript. Sadly it is almost essential for real everyday use. Flash was another malware but it is not really required. I don't install it, which you can do from many Puppy menus.

8)

Puppy Linux
The Route to Linux Root
Puppy Raspup 8.2Final 8)
Puppy Links Page http://www.smokey01.com/bruceb/puppy.html :D

Packetteer
Posts: 73
Joined: Sat 12 May 2012, 19:33
Location: Long Island Ny

#17 Post by Packetteer »

Rufwoof
You mention booting then removing the flash drive. How does one do that? I am running a frugal install on a flash drive, and every time I boot I get a message that flashes on my screen not to remove the drive.

I have automatic save off.

Best Regards
John

mikeslr
Posts: 3890
Joined: Mon 16 Jun 2008, 21:20
Location: 500 seconds from Sol

Puppy on a USB-Stick you can unplug

#18 Post by mikeslr »

Packetteer wrote: Rufwoof
You mention booting then removing the flash drive. How does one do that? I am running a frugal install on a flash drive, and every time I boot I get a message that flashes on my screen not to remove the drive.

I have automatic save off.

Best Regards
John
rufwoof has a system which I'd have to do a couple of times in order to remember. It works with BSD (which is different from Linux where he developed it, FatDog and, IIRC, WeeDog) . Not sure it will work with other Puppies. My methods are less complete but simpler.

Ignore the warning. With the Automatic Save turned off, you can literally unplug the USB-Key at any time. No harm will be done to your operating system. However, obviously with the USB-Key removed you will not be able to read-from or write-to the USB-Key without again plugging it in. Use the same USB-port as that's where Puppy still expects it to be. Using the boot argument pfix=copy if you have sufficient RAM (optimum 3 times the size of Puppy_version.sfs) may help. That will reduce the need to re-plug the USB-Key.

More complicated, but probably less need to re-plug the USB-Key:

Contrary to my usual advice [use SFSes, External and Portables from /mnt/home, etc], place all portables in /opt and install pets rather than use SFSes. Remaster. If you're only going to use the USB-Stick on one computer, configure wifi and other computer-centric settings before remastering. If it's to be used on various computers, locking in settings before remastering may be a waste of time or even prevent booting. In such instance I recommend Shinobar's remasterx, http://www.murga-linux.com/puppy/viewto ... 345#780345 since it preserves the 'First Run dialog'. If for just one computer, use nicOs-remaster-suite, http://murga-linux.com/puppy/viewtopic. ... 89#1001289 One of its modules merely merges your SaveFile with the Puppy_version.sfs, taking very little time to do so.

With all your programs now 'builtin' to your Remaster, with Automatic Save turned off, and using the boot argument pfix=copy, Puppy will have no reason to read-from or write-to a SaveFile. Of course, you won't be able to save anything (including datafiles you create or want to change) to the USB-Key with it unplugged. But, if it's plugged into your own computer, you can keep data files on any hard-drive. (Or carry a 2nd USB-Key just for creating/storing/changing datafiles).

Further thoughts: If your computer doesn't have sufficient RAM to fully copy any Puppy into RAM with the pfix=copy argument, start with an already 'light' Puppy, such as precise-light (80 Mbs, 240 +/- fully expanded). Use Remove-builtins to remove any application you're unlikely to need just for working with the internet. Add anything you need for a functional Palemoon. Remaster. Hopefully, that will have reduced your Puppy's foot-print to the point it can be fully loaded into RAM and used for 'web-related work' with the USB-Key removed.

Perhaps easiest, but a Dog rather than a Puppy: See http://murga-linux.com/puppy/viewtopic. ... 16#1037516
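The "do not remove the drive" warning exists because something may still be reading from the stick, and Packetteer's failed Firefox start is what that looks like in practice. As an added example, not code from mikeslr or the thread, here is a check to run before unplugging: it walks /proc and lists every process whose open file descriptors, working directory or executable resolve inside the stick's mount point, the same information `lsof` or `fuser -m` would give without needing either tool. The mount point is an assumption; `PROC` is overridable only so the logic can be exercised against a constructed tree, and stays at the default on a live system. One caveat: an SFS that the kernel has loop-mounted from the stick is held by the loop device, not by a process, so it will not show up here; that is exactly what `pfix=copy` (loading the SFS fully into RAM) addresses, and this check is for the process-level holders that remain, such as a browser started from a file on the stick.

```shell
#!/bin/sh
# Added example: find processes still using files on the boot stick before
# it is unplugged. Scans /proc directly (no lsof/fuser needed).
# Assumption: the stick is mounted somewhere like /mnt/sdb1.

PROC="${PROC:-/proc}"

# Print "pid target" for every fd, cwd or exe symlink under mount point $1.
# Returns 0 if nothing was found (safe to unplug), 1 if something still holds it.
users_of_mount() {
    mnt="${1%/}"
    busy=0
    for pid_dir in "$PROC"/[0-9]*; do
        [ -d "$pid_dir" ] || continue
        pid="${pid_dir##*/}"
        for link in "$pid_dir/cwd" "$pid_dir/exe" "$pid_dir"/fd/*; do
            [ -L "$link" ] || continue
            target=$(readlink "$link" 2>/dev/null) || continue
            case "$target" in
                "$mnt"|"$mnt"/*) echo "$pid $target"; busy=1 ;;
            esac
        done
    done
    return $busy
}

# Human-facing wrapper: lists offenders and says whether it is safe to pull the stick.
safe_to_unplug() {
    if users_of_mount "$1"; then
        echo "nothing holds files on $1"
        return 0
    else
        echo "do not unplug $1 yet" >&2
        return 1
    fi
}

# Usage on a live Puppy after booting with pfix=copy:
#   safe_to_unplug /mnt/sdb1
```

If a process is listed, close it (or, as in mikeslr's advice, build the program into the remaster or put it under /root so it is copied to RAM) and run the check again before unplugging.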

Packetteer
Posts: 73
Joined: Sat 12 May 2012, 19:33
Location: Long Island Ny

#19 Post by Packetteer »

Hi mikeslr
Thank you for your reply. I simply removed the flash drive and
nothing bad happened. Unfortunately I could not start Firefox. Duh.

So then I tried to start Firefox first, then remove the drive. That did not work either.
Then I finally read your full reply and now will try the Copy method.

This is going to be a work in progress.

Again thank you.

Best Regards
John

mikeslr
Posts: 3890
Joined: Mon 16 Jun 2008, 21:20
Location: 500 seconds from Sol

#20 Post by mikeslr »

Reading your post above, I've had one further thought. Firefox is a large program, and a RAM hog. Frankly, I usually use Palemoon, which is a little less so; the least demanding almost completely functional web browser for today's Web is Seamonkey 2.46, though some websites may object.

But getting back to firefox, rather than put it in /opt, put it in /root/my-applications/bin. I think when the copy command is used as a boot argument the entire contents of /root will be copied, even if other parts of the system in the SaveFile aren't.

You could also try that using palemoon or seamonkey.
