Let me mention, I don’t really like this approach. This would prevent me to install those server daemons, in case I’d need any f them…
Having those uninstalled by default seems to be OK, however.
Well, if there’s a security hole in Linux generally, which allows attackers to do nasty things, I doubt not having the ability to install server-side daemons would help… What would help is to patch the hole. I don’t say Solus is any worse than other distro. But I doubt (I may be wrong here!) that intentionally not having server-side daemons would make it more secure, than any other distro, which don’t have those dameons installed by default.
Of course.
It only helps to prevent people from making more holes
That is just what Solus is. I did not really like it either. It has some other peculiarities too. It is just a specialist distro aimed at the home-user niche.
Late to this party, but: If you wish to run an SSH server and want it to be accessible from the outside world (for remote access to your home network), a favorite trick of mine is to remove password authentication completely.
The /etc/ssh/sshd_config.d/remote.conf file for my externally-accessible server customizes/affirms all of the following, on top of the default Fedora sshd_config:
LoginGraceTime 30s
MaxAuthTries 4
PermitRootLogin no
PasswordAuthentication no
ChallengeResponseAuthentication no
GSSAPIAuthentication no
PubkeyAuthentication yes
AllowGroups wheel
The net result is that no login attempt, NOT EVEN MY OWN, will be allowed to succeed unless it uses a pre-established key for authentication, and the public half of that key is listed in the [wheel-group member] user’s $HOME/.ssh/authorized_keys.
I carry a USB key on my (physical) keyring containing the private half of a key I generated specifically for that and no other purpose, saved in both OpenSSH and PuTTY .ppk form, so that I can load it into any other machine I need to use for remote access to my home network.
If I ever have reason to believe the USB key key (confusing!) is compromised, I can simply delete its pubkey entry from my authorized_keys file and generate a new one. The external-facing system remains secure. I could stand in Times Square for an hour, handing out my IP address, username, and account password to every passerby, and my server would still be every bit as secure as it is right now. (I’d get bombarded with atomic-wedgie-level DDoS attacks, almost certainly, but it wouldn’t make it any easier for anyone who’s not me to log in and get a shell prompt on that machine.)
Passwords can always be compromised, given enough time and processor cycles. But a 4096-bit RSA key isn’t getting brute-forced in the foreseeable future (Read: Not likely to happen any time before my currently-48-year-old self croaks.) Doubly so when constrained by the low retry count and auth timeout I’ve configured. And if that ever changes, I just burn my current key and crank up the cipher quality / bit length for the next one.
I just use a non standard port, and fail2ban. Additionally, I have a line in
.bashrc, like echo 'Shell access on:' $(date) $(who) | mail -s "Alert: Access from $(who | cut -d"(" -f2 | cut -d")" -f1)" my-e@mail.address
So when I login, I get an email notification. I could suspect a succesful attack, if I get a notification without actually logging in
But that did not happen so far.
(I should confess, also, that the USB key key is much less critical these days than it was in the past. Rather than plugging that into some random public/available computer, these days I’ll usually just pull out my phone and log in from there. My Android pocket slab has ConnectBot installed, and I’ve generated a (separate!) SSH key for it that’s also listed in my $HOME/.ssh/authorized_keys.)
Same here this seems to work for me… sometimes I can go weeks without a single log entry in my fail2ban logs - sometimes there’s a flood of them… I think I’ve mentioned before, 9/10 when I do a whois on their IP address, it’s hosted in the “PRC”…
I like your email alerting thingie…
I also run OpenVPN on the same machine “exposed” to the wild web… if something ever goes wrong - I can always VPN in and disable SSHD facing the intertubes…
(new member) I live Spring Valley California 91977- am retired - thinking of getting XPS 13 plus Developer Edition from Dell - which has Ubuntu-is this a good choice?
Presently have MAC air OS Catalina version 10.15.7…(40 GB used/storage) for many yrs. Looking for a more secure OS- use runbox for email, Golden Frog VPR VPN. Yandex for searches ( Russian based) and Firefox but think Brave would be better…Wondering if there is anyone in San Diego who might help me setting this up?.. Thank you JS
Welcome JS, There is what is called SE - Security Edition Linux which will keep your computer secure, but only some distros offer it and the only one that pops into my mind is the distro OpenSuSE Leap and Tumbleweed, BUT I’m sure there are more. For OpenSuSE, you will probably need the whole 40GB just for the OS, The XPS 13 might have more space. If you tinker with computers, you might be able to add a ssd drive or a regular hdd disk drive to your MAC air. I too use ProtonVPN from Protonmail.com. Just so you know an SE will take more space, maybe more than 40 GB.
I’ve heard nothing but good reviews of the XPS 13 over the years. This newest one should be even better. Since it’s delivered from Dell with Ubuntu pre-installed I would think that would be ideal.
The only things that wouldn’t be ideal for me would be the screen size and possibly the keyboard. It looks kind of funky. Maybe it’ll be great for typing, but I’d have to try it.
If you plan to use a docking station with a couple monitors and an external keyboard and mouse then the other concerns I raised can be ignored.
Ubuntu doesn’t have SELinux to my knowledge but they do have AppArmor. It’s intended to serve a similar purpose I believe.
Thank you for your reply-- I do not “tinker” with computers - just a novice looking for a more secure system-- The 40 GB is the amount I use on my MAC Air a new computer would have space although have not purchased yet JS
We have a lot of foreign visitors in our holiday complex so most owners here use VPN to connect to different servers to allow watching of restricted access TV through the internet link they offer. Services such as the BBC are blocked in France.
Other than that I feel quite free using internet on my Linux machines. On holiday I tend to just use the phone and android but avoid banking or money transactions outside of my Linux box.
Ubuntu default is to leave sshd not even installed… i.e. you can still use openssh client, but NOBODY’S gonna ssh to your machine if you don’t have sshd installed and/or running…
This is over 6 months old - did you end up getting the Dell XPS 13"? I’d like one, but they were a bit pricey (and Developer Edition with Linux not available in Australia anyway) last time I was shopping, got an M1 MacBook Pro and a 2nd hand Lenovo Thinkpad E495, for probably $1000 less than a new Dell XPS…
from Dan Tripp: [quote=“daniel.m.tripp, post:33, topic:9748”]
Ubuntu default is to leave sshd not even installed… i.e. you can still use openssh client, but NOBODY’S gonna ssh to your machine if you don’t have sshd installed and/or running…[/quote]I like that.It is also possible to run sshd but tell it to listen only on local interfaces, ie not on any internet interface.
It is the daemon process that supports ssh server activities.
It is required to have sshd running in the machine you want to ssh into (called a server), but not reqiured in the machine you want to ssh out of (called a client)
You can see if it is running with ps ax | grep ssh
Assuming the iMAC Air you use has a 64bit Intel CPU ,it would be suitable for conversion to a Linux distribution . So even if you buy a new laptop with Ubuntu , keep the iMAC Air for later conversion .
This can be readily done by wiping the Apple software with the app Gparted (on a memory stick) followed by installation of a Linux distro be it Ubuntu ,Linux Mint , Zorin OS ,MX Linux ,etc .
But isn’t that exactly what most of us are looking for? Most of us are single-computer, non-server, one-distro-at-a-time, home users. Dan, of course, is quite different, but that’s been true for a long time.
