Steps for enhancing security I can take in Puppy 5.2?

For discussions about security.
Message
Author
Leaena
Posts: 7
Joined: Thu 10 Nov 2011, 08:26

Steps for enhancing security I can take in Puppy 5.2?

#1 Post by Leaena »

So I've been using Puppy for a long time now, mostly for recovering data and running assorted computers from Live Discs. Now I've stumbled on a rather uncomfortable situation - my laptop has a cracked screen and it's time to send it in before my warranty expires, so now (after fighting with a rather nasty partition table issue for some time) my only functioning computer for the time being is, you guessed it, an older 2Ghz/256 MB desktop running Puppy 5.2 on a hard drive install.

And I have a few questions..

Since Puppy Linux runs as the root user, what steps can I take to secure my system on the other end of the spectrum, namely intrusion-protection?

Since there is no actual need for a potential intruder to install a root-kit in Puppy, how can I take further steps to ensure that nobody gets that far in the first place?

Is there anything I can do similar to AppArmor in other Distros, limiting what certain applications (namely browsers, for one) can and cannot do?

Am I basically limited to running an HIDS/NIDS, encrypting my filesystems and monitoring logs, and praying that a fresh install never becomes necessary?

I've done quite a bit of searching and haven't really found what I'm looking for anywhere else. Yes, you might call me paranoid - but an ounce of prevention is a pound of cure, especially in the CompSec world.

I would really, really appreciate any input you guys might have, maybe point me in the direction of further security measures I can take?

(I do miss the extra layer of security that sudo provides, even if it's but one well-crafted password - but Puppy has always been faithful to me, and 20 distros later, it's the only one that simply *worked*.)
User avatar
Lobster
Official Crustacean
Posts: 15522
Joined: Wed 04 May 2005, 06:06
Location: Paradox Realm
Contact:

#2 Post by Lobster »

GROWL is available in Puppy 5.3
Running from CD is more secure
http://puppylinux.org/wikka/security
Puppy Raspup 8.2Final 8)
Puppy Links Page http://www.smokey01.com/bruceb/puppy.html :D
Leaena
Posts: 7
Joined: Thu 10 Nov 2011, 08:26

#3 Post by Leaena »

Thanks for the response. Is GROWL viable in 5.2? I'm rather fond of Debian, not so fond of Slackware, thus why I'd prefer to stick to 5.2 if I can. Unless I'm mistaken, each is based off the respective distros.

Also, I understand running from CD is more secure (and have also read the Wiki multiple times) due to the nature of encrypted save files and being able to load a pristine system into RAM, but that doesn't quite suit my needs at the moment.

There seems to be plenty of information on security running from CD, but virtually nothing on enhancing security on a full install to HDD.
Leaena
Posts: 7
Joined: Thu 10 Nov 2011, 08:26

#4 Post by Leaena »

*Sigh* Nobody? I know that on a most basic level Puppy is relatively secure, but what I'm looking for are steps that can be taken beyond the most basic level to take my system to a 99.9% Impenetrable status.

If running from LiveCD was a logical option for me, that's exactly what I'd be doing, and what I have been doing for at least the past six months.

Let me put it this way, maybe I can clarify what I'm looking for and what my particular concerns are.

In a successful Penetration Test, the basic steps are:

Information Gathering
Vulnerability Exploitation
Privilege Escalation

In a Puppy system, the third step is eliminated entirely. Once someone finds a vulnerability and exploits it, they have full root access to the system. Running a system 100% as root is therefore very reckless unless steps are taken to prevent an intrusion in the first place.

From what I can gather, Puppy doesn't include any server process by default (and I would very much appreciate that I be corrected on that if I'm wrong). For the average user, this is a true blessing.

But let's imagine for a moment someone who isn't an average user, and still needs/wants to run Puppy (5.2 in this case) from a Full HDD install. For this User, security is a major concern, and they are willing to take every conceivable step to ensure that their system is secure as possible while net-facing. However, they still have no intention of running server processes, so those attack vectors are thereby eliminated.

Let's assume they're already behind two firewalls at maximum security settings, and are looking for ways to further enhance their overall security. Instead of compiling their own system, they've chosen to run Puppy.

What steps could this user take to increase the improbability of a network-based intrusion on their system?

(Thank you in advance to anyone who takes the time to read my somewhat long posts and, hopefully, reply with some advice.)
User avatar
Lobster
Official Crustacean
Posts: 15522
Joined: Wed 04 May 2005, 06:06
Location: Paradox Realm
Contact:

#5 Post by Lobster »

What part of GROWL is not working in 5.2?
What parts of the wiki recommendations are unclear?
What are the dangers of running as root or spot?
Have you considered a 3rd and 4th Firewall?

8)
Puppy Raspup 8.2Final 8)
Puppy Links Page http://www.smokey01.com/bruceb/puppy.html :D
Leaena
Posts: 7
Joined: Thu 10 Nov 2011, 08:26

#6 Post by Leaena »

*laughs*

I was looking for something a little bit beyond GROWL, and I'm actually in the process of implementing it in 5.2 right now, so we'll see what works and what doesn't. From the looks of it, everything should work fine. ;)

The Wiki is perfectly clear, but I'm already past everything it recommends.

Hmm. Honestly, I had forgotten about Spot. I suppose I could run certain things under that user, but I was under the impression that not everything worked properly as Spot?

The dangers of running as root are that anyone who *does* manage to gain access to your system has full control, obviously. While that may be a worst-case scenario, that's the sort of thing I plan for.

*Chuckles* And yes! I have considered running a 3rd and 4th firewall, maybe even a 5th, 6th and 7th! I have no short supply of computers I could dedicate as firewall/routers, so that's not entirely out of the question either. 8)

Basically, is there anything beyond GROWL and more firewalls that I could do? All I'm really looking for is a starting point, I'm sure I can figure the rest out on my own.
User avatar
Lobster
Official Crustacean
Posts: 15522
Joined: Wed 04 May 2005, 06:06
Location: Paradox Realm
Contact:

#7 Post by Lobster »

I have no short supply of computers
Great.
Run two or more honey pots that are set off to bleep when attracting mal-bee bots. Then you can turn off your max secured computer for a while and analyse the intrusions.

http://www.linuxsecurity.com/resource_f ... h6.en.html
Puppy Raspup 8.2Final 8)
Puppy Links Page http://www.smokey01.com/bruceb/puppy.html :D
Leaena
Posts: 7
Joined: Thu 10 Nov 2011, 08:26

#8 Post by Leaena »

Lobster wrote:
I have no short supply of computers
Great.
Run two or more honey pots that are set off to bleep when attracting mal-bee bots. Then you can turn off your max secured computer for a while and analyse the intrusions.

http://www.linuxsecurity.com/resource_f ... h6.en.html
That's actually a really great suggestion. Thanks you muchly, Dear Sir. That be the sort of thing I'm looking for.

Although - I did ask in my initial post if I was limited to NIDS/HIDS and encryption. Link appreciated, nonetheless. :p
User avatar
Lobster
Official Crustacean
Posts: 15522
Joined: Wed 04 May 2005, 06:06
Location: Paradox Realm
Contact:

#9 Post by Lobster »

:shock:
I seemed to have turned into some sort of low level security encrustation 8)

Just so you know. I run as root. I install any software that takes my fancy. I usually run the Puppy firewall out of habit. Never bother with GROWL.
What I know about security can be written on the back of a clam shell.

However as you like this sort of thing . . .
The triple dorje (a mysterious lightening device used in Yinyana Buddhism) method of security enhancement may be suitable:
Image

This is a hardware based solution for a firewall.
Basically you rotate between connection methodologies.
With systems booting intermittently into firewalls on multi-session CD preferably on different CPU architectures (again multiple machines).

I can not not tell you exactly how to implement this as it should be bespoke and unique. That should keep you safely occupied for a few years . . . 8)
Puppy Raspup 8.2Final 8)
Puppy Links Page http://www.smokey01.com/bruceb/puppy.html :D
nooby
Posts: 10369
Joined: Sun 29 Jun 2008, 19:05
Location: SwedenEurope

#10 Post by nooby »

I know nothing about how to set up things secure
but I read something I found interesting.

Some security person got interviewed and told about
his latest approach. He set up a kind of "HoneyPot"
in that what the intruder see does look very real.

What them meet and get feedback on is a virtual thing
that just pretends to be the real thing with secret documents
and so on. The purpuse was to make the intruder satisfied
that them have done the catch of the years and them fully
tied up trying to get those secret documents that are faked
while in the meantime, all the alarm bell should reveal there is
an intruder in the Honey Pot so owner could secure the real files
and feed the intruder with the faked ones.

I have no idea how one do that convincingly or if it works.
I use Google Search on Puppy Forum
not an ideal solution though
Leaena
Posts: 7
Joined: Thu 10 Nov 2011, 08:26

#11 Post by Leaena »

Just so you know. I run as root. I install any software that takes my fancy. I usually run the Puppy firewall out of habit. Never bother with GROWL. What I know about security can be written on the back of a clam shell.
Personally, the main thing I dislike about running as root is that you are essentially giving full permissions to any program that finds it's way onto one's system and tries to execute malicious code. Usually I prefer to run as an administrator or unprivileged user and elevate privileges with sudo for certain tasks. This may be force of habit more than anything, and I can certainly adapt to running as root (I have in the past), but I like to take some precautions along the way. And I also LOVE Bash scripts, so while I won't use most of the features of GROWL, it saves me the effort of writing my own, and I'm very appreciative of that fact. By running my browser as an unprivileged user, anything that might escape "into the wild" on my system doesn't have the permissions needed to do any real harm, effectively sandboxing the browser (though I do prefer adding something like AppArmor into the mix to selectively grant permissions).

Now that I've rambled on for a while, I must say that I do like this sort of thing. I like to know how things tick, down to every last 0 and 1 of binary when possible.
This is a hardware based solution for a firewall.
Basically you rotate between connection methodologies.
With systems booting intermittently into firewalls on multi-session CD preferably on different CPU architectures (again multiple machines).

I can not not tell you exactly how to implement this as it should be bespoke and unique. That should keep you safely occupied for a few years . . . Cool
I love it! I may have to give something like that a try. Though with any luck, it'll only keep me busy for a few months. Just enough time to build a hardened Linux supercluster to use it on (and then try and break into it, dodging lasers and retina scanners galore). 8)
Nooby wrote:Some security person got interviewed and told about
his latest approach. He set up a kind of "HoneyPot"
in that what the intruder see does look very real.
Basically, I think what you're describing is very close to what Lobster was describing earlier. Essentially you set up a "dummy" system that the bees can't resist but to swarm around, have an alarm in place to notify you when they do, and while the swarm is busy investigating what looks like a goldmine (I kinda picture Winneh the Pooh here :) ), you take care of more important matters - like securing the "real" system.

Very similar to what happens with Proxy servers from time to time. Someone sets up an inconspicuous server (in the case of a Proxy, you want it to seem fairly innocent) and then gathers data of all those who route traffic through that Proxy. Kinda reversed, but the same sorta idea.
nooby
Posts: 10369
Joined: Sun 29 Jun 2008, 19:05
Location: SwedenEurope

#12 Post by nooby »

Yes I trust that is what the "Faked Hot Spots for Wifi" do to.
Them being Man in the Middle while the innocent user of open wifi have no clue.

So it can be used both way. Like any tool. Tool do what the user make of them.
For good purpose or for bad purpose an ax can build cabins and
hit people to hard. :)

Back to your topic. Them the Devs of Puppy made an attempt
to give somewhat to the worried Linux users that are used to
be in a multi user environ where one only are root when one
need to do serious admin things.

So Barry came up with Fido as the user that is not Admin but
still being in a single user environ where one can boot into Root.

You have at least two or three? threads about Fido but nothing
came out of it.

I trust that Puppy lovers are so used to being root that then have
no inner motivation to give this too much effort. So maybe you
are that person then?


Look for threads on Fido and Barry and Micko here in forum?
And on Barry's Blog

oops forgot. One guy care about security? Him made a more secure
version of Lupu 528. Now already I ahve forgotten his user name.
Oh could be this one with DPUP5520

puppy rescue os http://www.murga-linux.com/puppy/viewtopic.php?t=69651

So maybe you two could share ideas?

Then there is such tricks like taking out the HDD and using an adapter
that allow the internal to be like a USB connected external HDD and
that way one boot from CD or USB and save to usb but only run in
RAM so the intruder need to mount the USB and that maybe can be set
up so one get alarm when them do it?

Some do away with the pupsave file and feel secure that way?
I use Google Search on Puppy Forum
not an ideal solution though
DPUP5520
Posts: 800
Joined: Wed 16 Feb 2011, 05:38

#13 Post by DPUP5520 »

Close nooby but ya got the wrong distro ;) link to Puppy Crypt is here Puppy Crypt 528
[url=http://www.murga-linux.com/puppy/viewtopic.php?t=69651][b][i]PupRescue 2.5[/i][/b][/url]
[url=http://www.murga-linux.com/puppy/viewtopic.php?t=72178][b][i]Puppy Crypt 528[/i][/b][/url]
User avatar
Lobster
Official Crustacean
Posts: 15522
Joined: Wed 04 May 2005, 06:06
Location: Paradox Realm
Contact:

#14 Post by Lobster »

Puppy Crypt is here
8) Sounds ideal. In future I will know where to send the security conscious.
I hope you can offer Leaena further support as I have the security acumen of a fish in treacle.

Something you might know . . . :)
The biggest threat for me is downloading large files from dodgy sites, using an outdated bit torrent.
These sites, such as pirate bay, seem to be using some sort of sending bot that probes and writes new directories in root.

The directories are always empty and may be bad code from an earlier Transmission used in Slacko. I suppose I could run as Spot for a while . . . or cut down on visiting dodge city . . .?
Fatdog had a great policy of only downloading to 'Downloads', that might have helped . . . ?
Anyway I mention it in passing as I should know better than visiting such sites . . . :)
Puppy Raspup 8.2Final 8)
Puppy Links Page http://www.smokey01.com/bruceb/puppy.html :D
DPUP5520
Posts: 800
Joined: Wed 16 Feb 2011, 05:38

#15 Post by DPUP5520 »

There is a way to easily encrypt and hide torrent transmissions, unfortunately you cannot do it with Transmission as far as I know however I intentionally left the bit-torrent client in PuppyCrypt unsecured in order to divert illegal intentions.
[url=http://www.murga-linux.com/puppy/viewtopic.php?t=69651][b][i]PupRescue 2.5[/i][/b][/url]
[url=http://www.murga-linux.com/puppy/viewtopic.php?t=72178][b][i]Puppy Crypt 528[/i][/b][/url]
Leaena
Posts: 7
Joined: Thu 10 Nov 2011, 08:26

#16 Post by Leaena »

DPUP5520 wrote:There is a way to easily encrypt and hide torrent transmissions, unfortunately you cannot do it with Transmission as far as I know however I intentionally left the bit-torrent client in PuppyCrypt unsecured in order to divert illegal intentions.
What do you mean by "unsecured"? I'm getting ready to test Crypt in a VM, so I'm sure I'll find out - but I assume you mean the transmission isn't encrypted? And I assume securing it wouldn't be all that difficult (although I understand why you wouldn't do so be default)? I don't have any illegal intentions, but I *do* prefer to have as much encryption as is reasonable. If 2048-bit was reasonable for everything, you can bet I'd be using it.
nooby wrote:I trust that Puppy lovers are so used to being root that then have no inner motivation to give this too much effort. So maybe you
are that person then?
Heh. I might be - I'll see how securing my own distro goes, and if all is well, I wouldn't have any qualms about contributing back to the community in one way or another. Computer Security (I'm a full-blown geek in every possible way, and I've been lucky enough to be paid to break into a system or two legally) also happens to be a passion of mine, so the possibility is definitely there.
nooby wrote:Back to your topic. Them the Devs of Puppy made an attempt to give somewhat to the worried Linux users that are used to
be in a multi user environ where one only are root when one
need to do serious admin things.
That seems to be the more traditional way of doing things. Did they ever succeed? I have no problem running as root, myself, but there are just some things I'd rather do in a virtual sandbox. Running as Spot seems a decent enough solution for most things, though (so long as I'm not missing a leak of some sort).
Lobster wrote:Fatdog had a great policy of only downloading to 'Downloads', that might have helped . . . ?
I wonder how that'd be accomplished in Puppy 5.2. Unless I'm mistaken, running an application as Spot limits it's activity to that user's folder only, correct? Should achieve relatively the same end, but still - I'm interested in how I could incorporate something like that on my box.
User avatar
rcrsn51
Posts: 13096
Joined: Tue 05 Sep 2006, 13:50
Location: Stratford, Ontario

#17 Post by rcrsn51 »

Leaena wrote:
Lobster wrote:Fatdog had a great policy of only downloading to 'Downloads', that might have helped . . . ?
I wonder how that'd be accomplished in Puppy 5.2. Unless I'm mistaken, running an application as Spot limits it's activity to that user's folder only, correct? Should achieve relatively the same end, but still - I'm interested in how I could incorporate something like that on my box.

Code: Select all

su -c "path to firefox" spot
User avatar
Lobster
Official Crustacean
Posts: 15522
Joined: Wed 04 May 2005, 06:06
Location: Paradox Realm
Contact:

#18 Post by Lobster »

Just enough time to build a hardened Linux supercluster to use it on (and then try and break into it, dodging lasers and retina scanners galore).
Keep us informed with pics (sent by carrier pigeon if need be) . . .
If you have any old obsolete computers, maybe an Archimedes, Amiga or Atari, maybe you could include them in the random rotating loop, just for the chaos option. :wink:
Puppy Raspup 8.2Final 8)
Puppy Links Page http://www.smokey01.com/bruceb/puppy.html :D
nooby
Posts: 10369
Joined: Sun 29 Jun 2008, 19:05
Location: SwedenEurope

#19 Post by nooby »

oops I trust I really stressed them trusted more in Fido than in Spot.

So now you guys seems to have get stuck in Spot while Fido is
the official solution :)

Which one is best then? What features is unique for each of them?
I know nothing. But it is obvious that the inner motivation to get
either of them popular simply is lacking. No activity in the Fido
thread and none in the spot thread either.
I use Google Search on Puppy Forum
not an ideal solution though
CLAM01
Posts: 82
Joined: Sat 22 May 2010, 04:05

#20 Post by CLAM01 »

All This Talk About Running Puppy As root... *growl*

In puppy linux your user account is called root, but is not root. In puppy root is user.

Root in puppy root is the underlying ramdisk. the main "PUPversion.sfs" is, or contains (actually, installs again each startup), the root file system. When you start your puppy the real root filesystem gets copied to ram, or swap. You use the copies of the root files in ram or swap. When you shut down your ram/swap copy of your main sfs root is deleted. Next time you start the main sfs installs another copy of itself to ram/swap. Real roots don't get any more secure than that, especially if the real root is on non-writable CD.

Running puppy frugal from a CD there is no way your main sfs root files can be altered. Running frugal with the main sfs copied to HD, the main sfs is copied from HD to ram/swap, then is not touched again. It can be altered by someone mounting it and opening it with another puppy, since HDs allow writing and erasing. But if anyone roots you during a session they root your user-root account for the session only. If they install a rootkit it installs to your pup-save and can install from there again next session. You can prevent that by erasing the contents of your pup-save, so your ramdisk root writes fresh files to it when you start your next session. You need to move files you want to save out to a back-up save file before you wipe your pup-save contents (don't wipe the whole pup-save, only all files in it).

To modify your real root system in puppy you have to run the "remaster puppy live-CD" program from the setup menu. That's how you " su " in puppy. You have to make your modifications in your user-root puppy first, adding and subtracting what you want. You make your new root account when you do the remaster of what you have set up..

I check the integrity of my main sfs files when I copy them to HD for frugal installs (I don' t full install, so I don' t know if files are secure in those) by making hashes of my main SFS files when I first copy, then re-hashing hem and checking against the first hash from time to time. So far I have not found a main puppy sfs file to change.

Renaming puppy root isn't a good option because lots of files look for "/root" and don't find it if it's named something else. Those who have set up multi-user puuppies have found that finding and changing every pathname instance is tedious and frustrating.

Puppy Linux is single-user per session and pup-save. It's the way it works. Each user launches his own ramdisk-root from the same main sfs root and modifies his or her own session from his or her pup-save store of preferences. For personal files each using the same computer has to make his or her own password protected encrypted save-file, or have his or her own flash-drive.
Post Reply