How To Secure Puppy in 5 easy steps.

[PaulBx1]

Yet another suggested addition to make Puppy more secure: install noscript

https://addons.mozilla.org/en-US/seamonkey/addon/722

I suppose adding adblock also makes sense although I don't know if ads are a problem in linux.

[JavaNut13]

I stupidly forgot to do the passwd root command and cannot get into puppy javascript:emoticon(':(')

any help would be greatly appreciated.

[John Doe]

woofwoof should be the pass.

[kpfuser]

Back after a few days without internet access.

Regarding the suggestion of PaulBx1 (3rd previous post), the NOP Puppy I am using has Opera (with which I had no previous experience) as the default browser. Can noscript work with Opera? If yes, I would be willing to give it a try.

Meanwhile, I am still struggling to complete all of the five steps outlined in the first post of this thread and my scorecard so far has me at 2.9. To be more specific, after editing /etc/inittab and rebooting, I tried to see what would the sequence Ctrl+Alt+Backspace do now as compared to what it was doing prior to editing /etc/inittab, i.e., just restart the laptop. Well, matters improved (as advertised) by having to go through a command-line login but upon entering user name and password, I ended up with a "#" command prompt. From there I was instructed (by on-screen options) to restart X windows via the command

xwin [...............|jwm]

with ..... standing for a part of the command I do not remember. Anyway, I ran the command and got an error message essentially complaining that "jwm" was not a command. I take this to signify that jwm is not the windows manager used in NOP. This begs the questions (a) which is the windows manager used in NOP, (b) how can one find out, and (c) what is the command to restart X from a non-graphical environment?

Step 4 recommends to set the Linux firewall up by using automagic. In my case, this is what I did when I first ran NOP and subsequently this configuration was saved and is said to be applied every time the laptop boots up. But how does one find out at any given moment whether the Linux firewall is up and running and if so how it is configured?

Finally, at step 5 I am supposed to opt for heavy encryption. How can I do so when no such option appears on screen?

[John Doe]

... I ran the command and got an error message essentially complaining that "jwm" was not a command.

just type 'xwin' nothing else and the default will launch.

...firewall up by using automagic. In my case, this is what I did when I first ran NOP and subsequently this configuration was saved and is said to be applied every time the laptop boots up. But how does one find out at any given moment whether the Linux firewall is up and running and if so how it is configured?

there are some sites out there to scan yourself with.

Also, I think there is a linux firewall config file somewhere, but not sure what it is off the top of my head. a bit of google would probably pay off here.

Finally, at step 5 I am supposed to opt for heavy encryption. How can I do so when no such option appears on screen?

That's for a frugal install for the pup_save file. if you did a full install you won't get that option.

[kpfuser]

... I ran the command and got an error message essentially complaining that "jwm" was not a command.

just type 'xwin' nothing else and the default will launch.

It surely did! So with the count of implementing the 5-step security plan at a solid 3 now, let us try for more.

...firewall up by using automagic. In my case, this is what I did when I first ran NOP and subsequently this configuration was saved and is said to be applied every time the laptop boots up. But how does one find out at any given moment whether the Linux firewall is up and running and if so how it is configured?

there are some sites out there to scan yourself with.

Also, I think there is a linux firewall config file somewhere, but not sure what it is off the top of my head. a bit of google would probably pay off here.

Well, something is amiss here. The question is whether the Linux firewall is on or off in my system, not whether it is an effective firewall, which is what a scan from a site such as grc.com might tell me. Moreover, besides knowing whether the Linux firewall is on or off at any given time, the capability should exist to deactivate or reactivate it as needed. As for the location of the config file, I do think that this forum should be a better source than a Google search.

Finally, at step 5 I am supposed to opt for heavy encryption. How can I do so when no such option appears on screen?

That's for a frugal install for the pup_save file. if you did a full install you won't get that option.

My installation is on a USB drive (see below). As such, the installation should be frugal. After all, everything is saved in the pup_save file. Why then am I not given the encryption option at any time? Is this a NOP peculiarity and if so, can I get around it?

[John Doe]

The question is whether the Linux firewall is on or off in my system...

Understood. Run the wizard again if you are unsure.

...step 5...

I know just enough about NOP to say that encryption is most likely an option in the later version(s), as i don't know when they started nor can i remember when the encryption was implemented. Other than that, I can't comment much on it.

Best of luck to you.

[Pizzasgood]

A way to see the current firewall rules is this:

Code: Select all

iptables -L

You can clear out most of that with this:

Code: Select all

iptables -F

You should be able to restart the firewall with one of these (I forget which):

Code: Select all

/etc/rc.d/rc.firewall
#or
/etc/rc.d/rc.firewall start

As for encryption, the choice only appears when you create the pup_save.2fs file. If you already have one, it is too late and you have to make a new one. You can preserve your settings by renaming or moving the original file so Puppy doesn't see it, having Puppy create a new encrypted one, rebooting with pfix=ram, and then mounting both save-files and copying the contents of the old one into the new one. Mounting an encrypted savefile is annoying. I don't remember the commands exactly, but you could probably dig them up by searching the forum a little. From memory, they're something like this (but I probably have made errors):

Code: Select all

losetup-FULL -e aes /dev/loop2 /mnt/sda1/pup_save-crypta.2fs
mount /dev/loop2 /mnt/data

You may need to modprobe aes and some other stuff first, and you will need to replace the -e aes with something different if you used light encryption. You also may need to use something other than /dev/loop2 if loop2 is already in use (run losetup-FULL -f to find an unused one). Of course, the path to the save file should be modified to whatever yours is, and you can mount it on any directory you want (very preferable an EMPTY one!), not just /mnt/data.

The unencrypted file should be mountable simply by clicking on it, as long as you aren't running a Puppy that already has a pup_save.2fs file. If you are, you need to do it by hand like this:

Code: Select all

mount -o loop /mnt/sda1/pup_save.2fs /mnt/zip

Be sure that when copying you also copy all hidden files. The easiest way to do this is to check if there are any hidden files at the root of the file, and if not, just run this:

Code: Select all

cp -af /mnt/zip/* /mnt/data/

If there are any, just copy them too (the command skips those, but will get any that are within the directories).

[PaulBx1]

If you already have one, it is too late and you have to make a new one. You can preserve your settings by renaming or moving the original file so Puppy doesn't see it, having Puppy create a new encrypted one, rebooting with pfix=ram, and then mounting both save-files and copying the contents of the old one into the new one.

Or just use my handy-dandy utility, see below. (BTW Pizzasgood, that method you mention does not work because losetup gives an error if you have booted into ram for some odd reason - I have reported this elsewhere. This is so even though my utility runs through the same set of steps, and it DOES work. Well, I guess it should, because it is run without booting into ram... )

If you want to try a grc scan, you might want to try my small change to the firewall mentioned in an above post, that drops pings.

[kpfuser]

I must confess that the last two posts befundled me a bit especially with respect to encryption options because when I put Puppy on a USB stick and booted from it for the first time, I was NEVER given the option to encrypt anything. In fact the word "encryption" did not appear on screen at all! Then a little earlier and while I was making a second bootable Puppy on a Usb stick (for my wife this time) unexpected happenings pointed to the fact that the USB stick I used for my first Puppy installation was at least unsuitable if not outright defective. To elaborate, the first USB stick could be read by my laptop only if I plugged it after powering the laptop up and just before its BIOS would go looking for it. The second USB stick is readable even when plugged prior to powering up. During booting from it (the second USB stick) for the first time, the option to encrypt did come up as it has been mentioned in earlier posts. What I intend to do now is to buy a second USB stick of the second type (A4 Flash) re-install Puppy on it and try to carry out all of what I have done to this point plus encryption.

However, I would like to draw attention to the fact that during bootup I observe different behavior from my two Puppy installations. The first, according to messages appearing on screen, forces everything to be copied to RAM. The second does not. The first boots faster with only one additional line of text appearing on screen after the info that copying to RAM is forced. The second prints quite a few lines of text (some refering to a layered file system) before the GUI appears. Perhaps the way the two sticks were formated has something to do with the apparent differences as the first was formated as a single ext3 partition while the second using the combo option that generates a vfat and an ext2 partition. In any event, given the usefulness of forcing all of the Puppy files to be copied to RAM, I would like to know how I can go about doing so in my second Puppy installation.

[RJARRRPCGP]

After you boot up do the following:

1-open console type 'passwd root'. enter your new password twice.

2-run 'lock' on desktop and enter password from step 1

*you may want to select 'blank' from the config to save on processor usage

3-edit /etc/inittab to look like this:

Code: Select all

::sysinit:/etc/rc.d/rc.sysinit
tty1::respawn:/sbin/getty 38400 tty1
tty2::respawn:/sbin/getty 38400 tty2
::ctrlaltdel:/sbin/reboot

*this keeps someone from killing lock with ctrl+alt+backspace and logging back in automatically and also gives the option on bootup to enter 'root' and 'password'.

4-run the firewall wizard at Menu->Setup->Linux-Firewall Wizard. automagic works fine if you don't have to set up any local services.

5-shutdown and select 'heavy encryption'

Puppy's Secure.

Works like a charm! I was wondering how to set up a login. Thanks.

[Libretto100ct]

I also turned on "LOGGING" in mine, just to see if any naughty stuff comes in.

Where is the logging file generated?

[Pizzasgood]

I don't know. Probably /var/log/messages

That's the generic system log, and I know things like SSH errors get logged there, so I figure that's the most likely place.

[Uden]

Hi, I have installed Puppy (the latest version of Boxpup) on a USB stick and tried to secure it using the steps mentioned in the first message in this topic.

Result is that:

• - startup continues without requesting a password --> not ok
  - the password for LockScreen has changed to the new root password --> ok,

So anyone that gets hold of my USB stick can still start puppy.

Can anyone tell me how to secure my USB stick with a startup password?

thanks in advance.

[PaulBx1]

Sorry, don't know about Boxpup. The 5 steps work fine with standard Puppy...

It came up in another thread that attacks might come in via the browser, so a way to get around that is running the browser as user spot. "su spot seamonkey". The discussion starts here:
http://www.murga-linux.com/puppy/viewto ... 0&start=23

[Ed Howdershelt]

Can you use a Puppy CD to boot past this password lock?

[Flash]

If the BIOS is not password protected and hasn't been configured so it won't boot from CD or USB, then you could boot a Puppy CD and read or modify anything on a hard disk drive.