Questions About Security

For discussions about security.
Eathray
Posts: 723
Joined: Sun 06 Sep 2009, 19:42

#1 Post by Eathray »

Hi all,

I want to include some basic security tools in my coming custom Puppy, based on 4.2smp. I don't consider Puppy insecure, but there is a long list of growing concerns out there regarding security and privacy. It's now very well established that governments and groups are actively farming people's data en masse without their knowledge, probable cause, a warrant, or with a secret FISA warrant from a secret court that rubber-stamps nearly all requests. Apparently my own government is among the worst offenders here in the land of the free. And of course, there is the growing threat of ransomware which can infect Linux systems. Yes, I realize that Puppy (so far as I'm aware) has never actually been targeted by hackers, but with the growing popularity of Linux via smart devices, it seems likely that at some point, vulnerabilities will emerge. I also hate Google selling my info.

It seems reasonable to include basic stuff in my Puppy for those who want to use it, but I've actually been a little complacent over the years because Puppy is so very secure, so a little guidance would be helpful. Here are some of the things I've thought about.

1
Should I consider setting the browser and/or other internet apps to user Spot? It should limit access to whatever comes through to the Spot sub-directory, should it not? Do you think this will be a good defense against exploits like ransomware? Unreasonable searches? Do any of the 'run-as-Spot' tools work effectively for Puppy 4xx? I know that Scottman had it working in Akita but all his stuff seems to be gone now.

2 [SOLVED]
On antivirus, my Puppy has XF-Prot. Is this still considered an effective tool? Would it be better to upgrade, like ClamAV? Something for Puppy 4xx? (Keeping XF-Prot)

3 [SOLVED]
I have been reading that the consensus seems to be that frequent back-ups are the best defense against ransomware. Everyone agree? Snap2 is available on the Puppy 412 Collection site. Is that an adequate tool for the ransomware problem? (Snap2 installed)

4 [SOLVED]
Is there a good firewall .pet for Puppy 4xx? (Basic firewall plus monitor)

5 [SOLVED]
I don't know that I need to include a VPN tool since one can easily use the Startpage proxy, which is my default search engine... agree? (Leaving the basic gpptp tool included. No upgrade)

If there's anything I haven't thought of, please feel free to mention it. I am reading up on these subjects, but a lot of the documentation is for post-4xx Puppies, so it makes me feel a little uncertain.

Thanks for your input.
Last edited by Eathray on Tue 13 Jun 2017, 18:56, edited 4 times in total.

Eathray
Posts: 723
Joined: Sun 06 Sep 2009, 19:42

#2 Post by Eathray »

[SOLVED]

I ran the firewall wizard included in Puppy 4.2. Seems to work fine, but it does not make an indicator in the bottom tray that the firewall is on, which I would like to add. If someone could guide me that way, I'd appreciate it.

thx
Last edited by Eathray on Mon 05 Jun 2017, 16:10, edited 1 time in total.

DPUP5520
Posts: 800
Joined: Wed 16 Feb 2011, 05:38

#3 Post by DPUP5520 »

Eathray I'd be very interested in checking out your Puppy once it's complete, sounds like you have some good ideas going.
For the browser, I'm not very familiar with 4.2 and whether it can inherently run as spot; however, personally I run Firefox with Caffeine security Guard and HTTPS-Everywhere, which works rather well.
XF-Prot is decent; I use Clam-AV that you mentioned but know that it tends to give some false positives on certain versions of Puppy. Avast is also nice but requires a free license for each individual user, which can be a pain.
Have you tried using Firewall State? I believe that's what is used in the buntu pups to see the firewall status in the tray?
Lastly, for a VPN, check out the pet I just posted in the Security section of the software section; it's a VPN GUI with the certs already built in, just requires the installation of OpenVPN.
Also feel free to check out PuppyCrypt_528 or PuppyCrypt_Precise, which are two security distros I made a few years back; most of the tools are old/outdated now but could give you a few ideas.
PupRescue 2.5: http://www.murga-linux.com/puppy/viewtopic.php?t=69651
Puppy Crypt 528: http://www.murga-linux.com/puppy/viewtopic.php?t=72178

rcrsn51
Posts: 13096
Joined: Tue 05 Sep 2006, 13:50
Location: Stratford, Ontario

#4 Post by rcrsn51 »

Peasy Firewall Monitor

But I have only tested it as far back as Puppy 4.3.1.

Eathray
Posts: 723
Joined: Sun 06 Sep 2009, 19:42

#5 Post by Eathray »

DPUP5520 wrote: Eathray I'd be very interested in checking out your Puppy once it's complete, sounds like you have some good ideas going.
For the browser, I'm not very familiar with 4.2 and whether it can inherently run as spot; however, personally I run Firefox with Caffeine security Guard and HTTPS-Everywhere, which works rather well.
XF-Prot is decent; I use Clam-AV that you mentioned but know that it tends to give some false positives on certain versions of Puppy. Avast is also nice but requires a free license for each individual user, which can be a pain.
Have you tried using Firewall State? I believe that's what is used in the buntu pups to see the firewall status in the tray?
Lastly, for a VPN, check out the pet I just posted in the Security section of the software section; it's a VPN GUI with the certs already built in, just requires the installation of OpenVPN.
Also feel free to check out PuppyCrypt_528 or PuppyCrypt_Precise, which are two security distros I made a few years back; most of the tools are old/outdated now but could give you a few ideas.

DPUP5520,

Thanks for the encouragement. It's been a long road to get it right. I have learned how much I don't know LOL! If XF-Prot is decent, I'll just keep it since it's already there.

The browser stuff could be tricky. I had a heck of a challenge getting a recent Seamonkey and a new Palemoon working on an old Puppy over an extended period of time. Kinda exhausted me.

I'll check the other stuff out. Thanks

Eathray
Posts: 723
Joined: Sun 06 Sep 2009, 19:42

#6 Post by Eathray »

rcrsn51 wrote: Peasy Firewall Monitor

But I have only tested it as far back as Puppy 4.3.1.

rcrsn51,

That worked like a charm, thank you. Now you can confirm on your thread that it works in 4.2smp, (originally compiled by Aragon). The kernel is 2.6.29.1 if that matters.

Thanks again

watchdog
Posts: 2021
Joined: Fri 28 Sep 2012, 18:04
Location: Italy

#7 Post by watchdog »

I think you should fix the security bugs about bash, wget and openssl before remastering. Among the pets I install in Puppy 4.31:

bash-3.0.22-i486|bash|3.0.22-i486||BuildingBlock|1604K||bash-3.0.22-i486.pet||bash 3.0.22|puppy|wary5||
gtk+-2.18.3-p4|gtk+|2.18.3-p4||BuildingBlock|6556K|pet_packages-4|gtk+-2.18.3-p4.pet|+pcre,+atk,+glib,+pixman,+pango,+cairo|gui widget library|puppy|4|official|
gtk+_DEV-2.18.3-p4|gtk+_DEV|2.18.3-p4||BuildingBlock|2344K|pet_packages-4|gtk+_DEV-2.18.3-p4.pet|+gtk+|gui widget library|puppy|4|official|
gtkdialog4-0.8.3-i486|gtkdialog4|0.8.3-i486||BuildingBlock|276K||gtkdialog4-0.8.3-i486.pet|+gtk+|gui for shell scripts|puppy|wary5||
libdbus-1-3_1.2.1|libdbus-1-3|1.2.1|5+lenny1||||libdbus-1-3_1.2.1-5+lenny1_i386.deb|||
libdbus-glib|libdbus-glib-1-2|libdbus-glib|1||||libdbus-glib-1-2_0.76-1_i386.deb|||
psip-0.26|psip|0.26||Internet|1416K||psip-0.26.pet||Psip Puppy Phone|ubuntu|lucid||
retrovol-0.13.1|retrovol|0.13.1|||||retrovol-0.13.1.pet|||
sfs_load-1.9.6|sfs_load|1.9.6||Setup|196K||sfs_load-1.9.6.pet||Load Squash files||||
wget-1.16-i486|wget|1.16-i486||BuildingBlock|2256K|pet_packages-4|wget-1.16-i486.pet||wget|puppy|4|official|
geany-0.18-p4|geany|0.18-p4||Document|2048K|pet_packages-4|geany-0.18-p4.pet|+gtk+|Geany superb text editor|puppy|4|official|
glib-2.22.2-p4|glib|2.22.2-p4||BuildingBlock|1756K|pet_packages-4|glib-2.22.2-p4.pet|+pcre|system library|puppy|4|official|
openssl_DEV-1.0.2j-p4-i486|openssl_DEV|1.0.2j-p4-i486||BuildingBlock|5080K|pet_packages-4|openssl_DEV-1.0.2j-p4-i486.pet||openssl|puppy|4|official|
openssl-1.0.2j-p4-i486|openssl|1.0.2j-p4-i486||BuildingBlock|3092K|pet_packages-4|openssl-1.0.2j-p4-i486.pet||openssl|puppy|4|official|
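
A check along the lines of watchdog's advice, added here as an example and not part of the original post: the script reads a package list in the pipe-separated layout shown above and reports whether bash, wget and openssl are at least the versions listed there. The function name, the baseline table and the sample rows are constructed for illustration; the path of the list file is left to the caller.

```shell
#!/bin/sh
# Added example (not from the thread). Field layout pkgname|nameonly|version|...
# is read off the listing above; BASELINE holds the versions shown there
# (assumption: used as a minimum, not as an authoritative "patched" list).
BASELINE='bash=3.0.22 wget=1.16 openssl=1.0.2j'

# audit_pkgs FILE: print "<name> <version> OK|OLD" or "<name> MISSING" per
# baseline package; exit status is non-zero if anything is OLD or MISSING.
audit_pkgs() {
    awk -F'|' -v baseline="$BASELINE" '
    # Compare dotted versions component by component: number first, then any
    # letter suffix (so 1.0.2j > 1.0.2h > 1.0.2). Returns -1, 0 or 1.
    function vercmp(a, b,    x, y, n, m, i, na, nb, sa, sb) {
        n = split(a, x, "."); m = split(b, y, ".")
        for (i = 1; i <= (n > m ? n : m); i++) {
            na = x[i] + 0; nb = y[i] + 0
            if (na != nb) return (na < nb) ? -1 : 1
            sa = x[i]; sb = y[i]
            gsub(/^[0-9]+/, "", sa); gsub(/^[0-9]+/, "", sb)
            if (sa != sb) return (sa < sb) ? -1 : 1
        }
        return 0
    }
    BEGIN {
        k = split(baseline, rows, " ")
        for (i = 1; i <= k; i++) { split(rows[i], f, "="); want[f[1]] = f[2]; order[i] = f[1] }
    }
    # Field 2 is the bare package name; drop the build suffix ("-i486", "-p4-i486").
    ($2 in want) { v = $3; sub(/-.*/, "", v); have[$2] = v }
    END {
        for (i = 1; i <= k; i++) {
            p = order[i]
            if (!(p in have)) { print p, "MISSING"; bad = 1 }
            else if (vercmp(have[p], want[p]) < 0) { print p, have[p], "OLD"; bad = 1 }
            else print p, have[p], "OK"
        }
        exit bad
    }' "$1"
}

# Constructed sample list: bash current, wget older than baseline, openssl absent.
sample=$(mktemp)
cat > "$sample" <<'EOF'
bash-3.0.22-i486|bash|3.0.22-i486||BuildingBlock|1604K||bash-3.0.22-i486.pet||bash 3.0.22|puppy|wary5||
wget-1.10.2|wget|1.10.2||BuildingBlock|500K||wget-1.10.2.pet||wget|puppy|4||
openssl_DEV-1.0.2j-p4-i486|openssl_DEV|1.0.2j-p4-i486||BuildingBlock|5080K||x.pet||openssl|puppy|4||
EOF
audit_pkgs "$sample" || echo "update the flagged packages before remastering"
rm -f "$sample"
```

The `_DEV` row is deliberately not counted as the runtime package, so a list that carries only `openssl_DEV` still reports openssl as missing.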

Eathray
Posts: 723
Joined: Sun 06 Sep 2009, 19:42

#8 Post by Eathray »

Watchdog,

Thanks for mentioning those items. I believe I have already done all those fixes, but everyone using a 4xx Pup should be reminded.

Some of those are available for 4xx Pups on the 412 collection site:

https://412collection.neocities.org/system.html

thanks again

8Geee
Posts: 2181
Joined: Mon 12 May 2008, 11:29
Location: N.E. USA

#9 Post by 8Geee »

On older-based distros the newest browser can be an epic fail.

I would suggest using the way-back machine to find an older browser.
Personally, I use a preconfigured FireFox27 that I place in all of my spins for netbooks (2008-10). As far as https is concerned it's as modern as today's browsers, with half the bloat. Of course, its age means that there's some INHERENT flaws. Nonetheless, As Far As I Can Tell, it works just fine for the usual surfing and buying on-line (not for WIFI !). No need for a personal firewall IF you are already hooked up to a modem/router. No need for SPOT either if all the above are OK (ethernet using a router).

JMH2c
8Geee
Linux user #498913 "Some people need to reimagine their thinking."
"Zuckerberg: a large city inhabited by mentally challenged people."

Eathray
Posts: 723
Joined: Sun 06 Sep 2009, 19:42

#10 Post by Eathray »

8Geee wrote: On older-based distros the newest browser can be an epic fail.

I would suggest using the way-back machine to find an older browser.
Personally, I use a preconfigured FireFox27 that I place in all of my spins for netbooks (2008-10). As far as https is concerned it's as modern as today's browsers, with half the bloat. Of course, its age means that there's some INHERENT flaws. Nonetheless, As Far As I Can Tell, it works just fine for the usual surfing and buying on-line (not for WIFI !). No need for a personal firewall IF you are already hooked up to a modem/router. No need for SPOT either if all the above are OK (ethernet using a router).

JMH2c
8Geee

8Geee,

I've pretty much concluded my work on browser upgrading for the time being. I was able to upgrade Seamonkey substantially with community help and I have watchdog's brand new Palemoon working in addition. I may include a faster lightweight browser just for quick surfing when one does not need a full capability browser, but beyond that... I'd like to take a year or two off from browser issues LOL.

Firewall is done. Folks can use it or not.

As far as ethernet vs. wifi goes... well... I use wifi daily throughout the day seven days a week, and almost never use ethernet, so even if I were going to keep my Puppy to myself I would still need it wifi secure, and since I'm planning to share it with the community, I have no way of knowing if every user will stay on ethernet at home behind a modern modem and their ISP's security.

So knowing how my thinking heavily favors wifi... does that at all change your thoughts about SPOT? Or would you still consider it unnecessary?

Thanks

watchdog
Posts: 2021
Joined: Fri 28 Sep 2012, 18:04
Location: Italy

#11 Post by watchdog »

Jamesbond recommends spot user when browsing the web. Jamesbond is the developer of fatdog64. And yes, I think it's more secure but I think that escalation of privileges is not a matter when you are attacked by malware. I keep using root user: and backups.

Eathray
Posts: 723
Joined: Sun 06 Sep 2009, 19:42

#12 Post by Eathray »

watchdog wrote: Jamesbond recommends spot user when browsing the web. Jamesbond is the developer of fatdog64. And yes, I think it's more secure but I think that escalation of privileges is not a matter when you are attacked by malware. I keep using root user: and backups.

Watchdog,

Thanks. I'm leaning toward Spot by default, and I suppose folks could just change it if they don't like it.

Yes, back-ups. That seems to be the consensus out there. Do you like Snap2 as a solution? It's readily available from the 412 Collections site, so it would be easy to stick into my Pup. Do you have a preferred tool that you use?

Thx

watchdog
Posts: 2021
Joined: Fri 28 Sep 2012, 18:04
Location: Italy

#13 Post by watchdog »

I simply copy the savefile with another name and I have multiple backups. New puppies have the adrv.sfs feature which helps keep the savefile slim. I have a second pc which does not connect for sensitive data. I do not keep sensitive data and passwords on the main internet laptop.

Eathray
Posts: 723
Joined: Sun 06 Sep 2009, 19:42

#14 Post by Eathray »

So the only thing left is deciding about SPOT. I'm leaning toward having everything internet run as SPOT. I should explain what my thinking is.

Explanation:
As I have been reading up on security related topics here at the forums, I have taken notice of a disagreement within the community with one camp suggesting that every tool available should be in use and the other side essentially saying, Puppy is secure; don't be paranoid (not my word, others used it).

My own view is that Puppy is highly secure. It easily facilitates live-booting from a cd, and the frugal install loads a fresh copy of the OS on each boot. Further, it's unique enough in its structure that I believe very few viruses would function unless they were specifically targeting Puppy, and even then, because Puppy is so customizable and remastering is so common, it seems that even if Puppy were targeted, a virus that worked on one Puppy might very well fail on countless others. Because what a Puppy is has grown so decentralized, I don't think it would be feasible to create 'a Puppy Virus' that could widely affect the Puppy Linux community. Even a virus inserted at the build level would not work on all Puppies since there are multiple ways to make a Puppy, such as Woof vs. T2. All in all, I consider Puppy structurally speaking to be one of the most secure Distributions there is.

Having said all that, Linux is growing in part because of its wide-spread use as servers, its open source nature, and the rise of smart devices. I do think that vulnerabilities will arise in the future to Linux in general, because as it grows as an alternative to proprietary systems, it will naturally receive the greater attention of hackers, corporations, private parties and governments.

None of that means that I think there should be panic in the streets. I only think that it makes sense to make it a practice to include security tools and promote reasonable safety measures.

Limiting access to higher levels of the file system by apps that connect to the internet seems like a reasonable step to me. It's not a cure-all, but I think it will add to what is already a very secure system.

Thoughts? Feedback? If I'm wrong, tell me. Thanks
