Puppy Linux Discussion Forum Forum Index Puppy Linux Discussion Forum
Puppy HOME page : puppylinux.com
"THE" alternative forum : puppylinux.info
 
 FAQFAQ   SearchSearch   MemberlistMemberlist   UsergroupsUsergroups   RegisterRegister 
 ProfileProfile   Log in to check your private messagesLog in to check your private messages   Log inLog in 

The time now is Mon 18 Dec 2017, 07:16
All times are UTC - 4
 Forum index » Off-Topic Area » Security
Questions About Security
Post new topic   Reply to topic View previous topic :: View next topic
Page 1 of 1 [14 Posts]  
Author Message
Eathray


Joined: 06 Sep 2009
Posts: 724

PostPosted: Mon 05 Jun 2017, 10:50    Post subject:  Questions About Security  

Hi all,

I want to include some basic security tools in my coming custom Puppy, based on 4.2smp. I don't consider Puppy insecure, but there is a long list of growing concerns out there regarding security and privacy. It's now very well established that governments and groups are actively farming people's data in mass without their knowledge, probable cause, a warrant, or with a secret FISA warrant from a secret court that rubber-stamps nearly all requests. Apparently my own government is among the worst offenders here in the land of the free. And of course, there is the growing threat of randesomeware which can infect Linux systems. Yes, I realize that Puppy (so far as I'm aware) has never actually been targeted by hackers, but with the growing popularity of Linux via smart devices, it seems likely that at some point, vulnerabilities will emerge. I also hate Google selling my info.

It seems reasonable to include basic stuff in my Puppy for those who want to use it, but I've actually been a little complacent over the years because Puppy is so very secure, so a little guidance would be helpful. Here are some of the things I've thought about.

1
Should I consider setting the browser and/or other internet apps to user Spot? It should limit access to whatever comes through to the Spot sub-directory, should it not? Do you think this will be a good defense against exploits like ransomeware? Unreasonable searches? Do any of the 'run-as-Spot' tools work effectively for Puppy 4xx? I know that Scottman had it working in Akita but all his stuff seems to be gone now.

2 [SOLVED]
On antivirus, my Puppy has XF-Prot. Is this still considered an effective tool? Would it be better to upgrade, like ClamAV? Something for Puppy 4xx? (Keeping XF-Prot)

3 [SOLVED]
I have been reading that the consensus seems to be frequent back-ups is the best defense against ransomeware. Everyone agree? Snap2 is available on the Puppy 412 Collection site. Is that an adequate tool for the randsomeware problem? (Snap2 installed)

4 [SOLVED]
Is there a good firewall .pet for Puppy 4xx? (Basic firewall plus monitor)

5 [SOLVED]
I don't know that I need to include a VPN tool since one can easily use the Startpage proxy, which is my default search engine... agree? (Leaving the basic gpptp tool included. No upgrade)

If there's anything I haven't thought of, please feel free to mention it. I am reading up on these subjects, but a lot of the documentation is for post-4xx Puppies, so it makes me feel a little uncertain.

Thanks for your input.

Last edited by Eathray on Tue 13 Jun 2017, 14:56; edited 4 times in total
Back to top
View user's profile Send private message 
Eathray


Joined: 06 Sep 2009
Posts: 724

PostPosted: Mon 05 Jun 2017, 11:17    Post subject:  

[SOLVED]

I ran the firewall wizard included in Puppy 4.2. Seems to work fine, but It does not make an indicator in the bottom tray that the firewall is on, which I would like to add. If someone could guide me that way, I'd appreciate it.

thx

Last edited by Eathray on Mon 05 Jun 2017, 12:10; edited 1 time in total
Back to top
View user's profile Send private message 
DPUP5520

Joined: 16 Feb 2011
Posts: 813

PostPosted: Mon 05 Jun 2017, 11:34    Post subject:  

Eathray I'd be very interested in checking out your Puppy once it's complete, sounds like you have some good ideas going.
For the browser I'm not very familiar with 4.2 and whether it can inherently run as spot however personally I run Firefox with Caffeine security Guard and HTTPS-Everywhere which works rather well.
XF-Prot is decent ; I use Clam-AV that you mentioned but know they it tends to give some false positives on certain versions of Puppy. Avast is also nice but requires a free license for each individual user which can be a pain.
Have you tried using Firewall State? I believe that's what is used in the buntu pups to see the firewall status in the tray?
Lastly for a VPN check out the pet I just posted in the Security section of the software section it's a VPN GUI with the Certs already built in, jus requires the installation of OpenVPN.
Also feel free to check out PuppyCrypt_528 or PuppyCrypt_Precise which are two security distos I made a few years back, most of the tools are old/outdated now but could give you a few ideas.

_________________
PupRescue 2.5
Puppy Crypt 528
Back to top
View user's profile Send private message 
rcrsn51


Joined: 05 Sep 2006
Posts: 11741
Location: Stratford, Ontario

PostPosted: Mon 05 Jun 2017, 11:35    Post subject:  

Peasy Firewall Monitor

But I have only tested it as far back as Puppy 4.3.1.
Back to top
View user's profile Send private message 
Eathray


Joined: 06 Sep 2009
Posts: 724

PostPosted: Mon 05 Jun 2017, 12:01    Post subject:  

DPUP5520 wrote:
Eathray I'd be very interested in checking out your Puppy once it's complete, sounds like you have some good ideas going.
For the browser I'm not very familiar with 4.2 and whether it can inherently run as spot however personally I run Firefox with Caffeine security Guard and HTTPS-Everywhere which works rather well.
XF-Prot is decent ; I use Clam-AV that you mentioned but know they it tends to give some false positives on certain versions of Puppy. Avast is also nice but requires a free license for each individual user which can be a pain.
Have you tried using Firewall State? I believe that's what is used in the buntu pups to see the firewall status in the tray?
Lastly for a VPN check out the pet I just posted in the Security section of the software section it's a VPN GUI with the Certs already built in, jus requires the installation of OpenVPN.
Also feel free to check out PuppyCrypt_528 or PuppyCrypt_Precise which are two security distos I made a few years back, most of the tools are old/outdated now but could give you a few ideas.


DPUP5520,

Thanks for the encouragement. It's been a long road to get it right. I have learned how much I don't know LOL! If XF-Prot is decent, I'll just keep it since it's already there.

The browser stuff could be tricky. I had a heck of a challenge getting a recent Seamonkey and a new Palemoon working on an old Puppy over an extended period of time. Kinda exhausted me.

I'll check the other stuff out. Thanks
Back to top
View user's profile Send private message 
Eathray


Joined: 06 Sep 2009
Posts: 724

PostPosted: Mon 05 Jun 2017, 12:06    Post subject:  

rcrsn51 wrote:
Peasy Firewall Monitor

But I have only tested it as far back as Puppy 4.3.1.


rcrsn51,

That worked like a charm, thank you. Now you can confirm on your thread that it works in 4.2smp, (originally compiled by Aragon). The kernel is 2.6.29.1 if that matters.

Thanks again
Back to top
View user's profile Send private message 
watchdog

Joined: 28 Sep 2012
Posts: 1499
Location: Italy

PostPosted: Mon 05 Jun 2017, 12:49    Post subject:  

I think you should fix the security bugs about bash, wget and openssl before remastering. Among the pets i install in puppy 4.31:

Code:
bash-3.0.22-i486|bash|3.0.22-i486||BuildingBlock|1604K||bash-3.0.22-i486.pet||bash 3.0.22|puppy|wary5||
gtk+-2.18.3-p4|gtk+|2.18.3-p4||BuildingBlock|6556K|pet_packages-4|gtk+-2.18.3-p4.pet|+pcre,+atk,+glib,+pixman,+pango,+cairo|gui widget library|puppy|4|official|
gtk+_DEV-2.18.3-p4|gtk+_DEV|2.18.3-p4||BuildingBlock|2344K|pet_packages-4|gtk+_DEV-2.18.3-p4.pet|+gtk+|gui widget library|puppy|4|official|
gtkdialog4-0.8.3-i486|gtkdialog4|0.8.3-i486||BuildingBlock|276K||gtkdialog4-0.8.3-i486.pet|+gtk+|gui for shell scripts|puppy|wary5||
libdbus-1-3_1.2.1|libdbus-1-3|1.2.1|5+lenny1||||libdbus-1-3_1.2.1-5+lenny1_i386.deb|||
libdbus-glib|libdbus-glib-1-2|libdbus-glib|1||||libdbus-glib-1-2_0.76-1_i386.deb|||
psip-0.26|psip|0.26||Internet|1416K||psip-0.26.pet||Psip Puppy Phone|ubuntu|lucid||
retrovol-0.13.1|retrovol|0.13.1|||||retrovol-0.13.1.pet|||
sfs_load-1.9.6|sfs_load|1.9.6||Setup|196K||sfs_load-1.9.6.pet||Load Squash files||||
wget-1.16-i486|wget|1.16-i486||BuildingBlock|2256K|pet_packages-4|wget-1.16-i486.pet||wget|puppy|4|official|
geany-0.18-p4|geany|0.18-p4||Document|2048K|pet_packages-4|geany-0.18-p4.pet|+gtk+|Geany superb text editor|puppy|4|official|
glib-2.22.2-p4|glib|2.22.2-p4||BuildingBlock|1756K|pet_packages-4|glib-2.22.2-p4.pet|+pcre|system library|puppy|4|official|
openssl_DEV-1.0.2j-p4-i486|openssl_DEV|1.0.2j-p4-i486||BuildingBlock|5080K|pet_packages-4|openssl_DEV-1.0.2j-p4-i486.pet||openssl|puppy|4|official|
openssl-1.0.2j-p4-i486|openssl|1.0.2j-p4-i486||BuildingBlock|3092K|pet_packages-4|openssl-1.0.2j-p4-i486.pet||openssl|puppy|4|official|
Back to top
View user's profile Send private message 
Eathray


Joined: 06 Sep 2009
Posts: 724

PostPosted: Mon 05 Jun 2017, 13:09    Post subject:  

Watchdog,

Thanks for mentioning those items. I believe I have already done all those fixes, but everyone using a 4xx Pup should be reminded.

Some those are available for 4xx Pups on the 412 collection site:

https://412collection.neocities.org/system.html

thanks again
Back to top
View user's profile Send private message 
8Geee


Joined: 12 May 2008
Posts: 1303
Location: N.E. USA

PostPosted: Tue 06 Jun 2017, 19:21    Post subject:  

On older-based distros the newest browser can be an epic fail.

I would suggest using the way-back machine to find an older browser.
Personaally, I use a preconfigured FireFox27 that I place in all of my spins for netbooks (2008-10). As far as https is concerned its as modern as today's browsers, with half the bloat. Of course, its age means that theres some INHERENT flaws. Nonetheless, As Far As I Can Tell, it works just fine for the usual surfing and buying on-line (not for WIFI !). No need for a personal firewall IF you are already hooked up to a modem/router. No need for SPOT either if all the above are OK (ethernet using a router).

JMH2c
8Geee

_________________
Linux user #498913

Good God!, by the stars in the sky we are lost!
And into the breach we got tossed!
And the world is comin' on fast! --Florence Welch
Back to top
View user's profile Send private message 
Eathray


Joined: 06 Sep 2009
Posts: 724

PostPosted: Wed 07 Jun 2017, 09:18    Post subject:  

8Geee wrote:
On older-based distros the newest browser can be an epic fail.

I would suggest using the way-back machine to find an older browser.
Personaally, I use a preconfigured FireFox27 that I place in all of my spins for netbooks (2008-10). As far as https is concerned its as modern as today's browsers, with half the bloat. Of course, its age means that theres some INHERENT flaws. Nonetheless, As Far As I Can Tell, it works just fine for the usual surfing and buying on-line (not for WIFI !). No need for a personal firewall IF you are already hooked up to a modem/router. No need for SPOT either if all the above are OK (ethernet using a router).

JMH2c
8Geee


8Geee,

I've pretty much concluded my work on browser upgrading for the time being. I was able to upgrade Seamonkey substantially with community help and I have watchdog's brand new Palemoon working in addition. I may include a faster lightweight browser just for quick surfing when one does not need a full capability browser, but beyond that... I'd like to take a year or two off from browser issues LOL.

Firewall is done. Folks can use it or not.

As far as ethernet vs. wifi goes... well... I use wifi daily throughout the day seven days a week, and almost never use ethernet, so even if I were going to keep my Puppy to myself I would still need it wifi secure, and since I'm planning to share it with the community, I have no way of knowing if every user will stay on ethernet at home behind a modern modem and their ISP's security.

So knowing how my thinking heavily favors wifi... does that at all change your thoughts about SPOT? Or would you still consider it unnecessary?

Thanks
Back to top
View user's profile Send private message 
watchdog

Joined: 28 Sep 2012
Posts: 1499
Location: Italy

PostPosted: Wed 07 Jun 2017, 09:54    Post subject:  

Jamesbond recommends spot user when browsing the web. Jamesbond is the developer of fatdog64. And yes, I think it's more secure but I think that escalation of privilegies is not a matter when you are attacked by malwares. I keep using root user: and backups.
Back to top
View user's profile Send private message 
Eathray


Joined: 06 Sep 2009
Posts: 724

PostPosted: Wed 07 Jun 2017, 10:26    Post subject:  

watchdog wrote:
Jamesbond recommends spot user when browsing the web. Jamesbond is the developer of fatdog64. And yes, I think it's more secure but I think that escalation of privilegies is not a matter when you are attacked by malwares. I keep using root user: and backups.


Watchdog,

Thanks. I'm leaning toward Spot by default, and I suppose folks could just change it if they don't like it.

Yes, back-ups. That seems to be the consensus out there. Do you like Snap2 as a solution? It's readily available from the 412 Collections site, so it would be easy to stick into my Pup. Do you have a preferred tool that you use?

Thx
Back to top
View user's profile Send private message 
watchdog

Joined: 28 Sep 2012
Posts: 1499
Location: Italy

PostPosted: Wed 07 Jun 2017, 11:06    Post subject:  

I simply copy the savefile with another name and I have multiple backups. New puppies have the adrv.sfs feature which helps keeping slim the savefile. I have a second pc which does not connect for sensible data. I do not keep sensible data and passwords on the main internet laptop.
Back to top
View user's profile Send private message 
Eathray


Joined: 06 Sep 2009
Posts: 724

PostPosted: Tue 13 Jun 2017, 15:36    Post subject:  

So the only thing left is deciding about SPOT. I'm leaning toward having everything internet run as SPOT. I should explain what my thinking is.

Explanation:
As I have been reading up on security related topics here at the forums, I have taken notice of a disagreement within the community with one camp suggesting that every tool available should be in use and the other side essentially saying, Puppy is secure; don't be paranoid (not my word, others used it).

My own view is that Puppy is highly secure. It easily facilitates live-booting from a cd, and the frugal install loads a fresh copy of the OS on each boot. Further, it's unique enough in it's structure that I believe very few viruses would function unless they were specifically targeting Puppy, and even then, because Puppy is so customizable and remastering is so common, it seems that even if Puppy were targeted, a virus that worked on one Puppy might very well fail on countless others. Because what a Puppy is has grown so decentralized, I don't think it would be feasable to create 'a Puppy Virus' that could widely effect the Puppy Linux community. Even a virus inserted at the build level would not work on all Puppies since there are multiple ways to make a Puppy, such as Woof vs. T2. All in all, I consider Puppy structually speaking to be one of the most secure Distributions there is.

Having said all that, Linux is growing in part because of it's wide-spread use as servers, it's open source nature, and the rise of smart devices. I do think that vulnerabilities will arise in the future to Linux in general, because as it grows as an alternative to proprietary systems, it will naturally receive the greater attention of hackers, corporations, private parties and governments.

None of that means that I think there should be panic in the streets. I only think that it makes sense to make it a practice to include security tools and promote reasonable safety measures.

Limiting access to higher levels of the file system by apps that connect to the internet seems like a reasonable step to me. It's not a cure-all, but I think it will add to what is already a very secure system.

Thoughts? Feedback? If I'm wrong, tell me. Thanks
Back to top
View user's profile Send private message 
Display posts from previous:   Sort by:   
Page 1 of 1 [14 Posts]  
Post new topic   Reply to topic View previous topic :: View next topic
 Forum index » Off-Topic Area » Security
Jump to:  

You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You cannot attach files in this forum
You can download files in this forum


Powered by phpBB © 2001, 2005 phpBB Group
[ Time: 0.0768s ][ Queries: 14 (0.0113s) ][ GZIP on ]