Child proofing Linux

[theniteowl]

Hi All,
I am looking for any info related to securing Linux in a home environment.
I have kids that use the computer frequently and they like to do things like instant message, browse about on MySpace, email, etc.
I would like to take steps to secure the computer as much as possible not only against the kids causing problems but against external threats like attacks through IM clients, the recent issues with MySpace and video files, virus, trojan, malware attacks of all sorts, etc.

I know the question is very broad but I am not aware of any single source of info on protecting the computer or our kids from the ravages of the internet and thought it might be useful to begin building a resource list.

For instance, are there IM clients for Linux that either lack the features often used as a medium of attack or allow customization so that they can be locked down?
What are recommendations for good anti-virus, anti-spyware, applications?
Any good monitoring software that can log activities for parents to view later or software to view the device remotely to check on activities?
Parental filtering software for the web?

The question is broad but you get the idea.

I have had to do extensive repairs on the Windows devices the kids use. Even with limited access to the computer and restrictions on where they can/should go the computers are constantly infected with malware.
I have installed a copy of Xandros on one of the devices to see how it fares but would like to take it further and secure it as much as possible.

Thoughts?
It would be nice to have a list of resources based on various types of protections that can be applied.


At my age I still learn something new every day, but I forget two others.

 

[LawnBoy]

Linux is largely unaffected by the malware you're concerned about. Linux does not have the vulnerabilities that Windows does. 99% of the malware today targets Windows and leaves Linux alone.

There are still application vulnerabilities like your concern over IM clients. But, most IM infections involve downloading the malware through IM and then executing it, causing an infection. Even if the linux IM client allows the download, the file won't execute on linux, rendering it harmless.

As time goes on there may be more malware directed at linux, but for now I don't know of any antivirus or antispyware programs available for linux.

 

[thedaver]

You can consider using Squid as an http proxy between your machine and the internet. The name escapes me, but there's a content filtering module that performs rather adquate Big Brother anti-porn filters that bolts into Squid.



D.E.R. Management - IT Project Management Consulting

http://www.dermanagement.com/

 

[stevexff]

If you are going to write malware or viruses, you need the largest possible pool of prospective targets to get the critical mass needed to spread them. The way the world is, that means Windows. It doesn't help that there are so many notorious exploits for the OS, or that the average broadband home user without virus protection usually runs with administrator privileges so they can install and run stealthy background services. So there are loads of potential zombies sitting around the world, permanently booted up and connected to the Net, being used to collect personal details, relay spam, and mount DoS attacks.

The combination of not running as root, the fact that the downloaded .exe files won't run on Linux, and the lack of potential payback for the malware writers means you are fairly safe on Linux. Mine's behind a router for good measure, which blocks a lot of the speculative attacks. It's also a good idea to close down any services like SSH, telnet, web servers, etc. that you aren't actually using...

Steve

[small]"Every program can be reduced by one instruction, and every program has at least one bug. Therefore, any program can be reduced to one instruction which doesn't work." (Object:erlDesignPatterns)[/small]

 

[Kozusnik]

Stay away from logging in as root and your computer will be fine. There is no real need for anti-virus/anti-spyware software. A normal user can't hurt the operating system, in turn any program run as a normal user also can't hurt the OS. If you're really paranoid, try Knoppix. It's a live distro which runs completely from cd. Not in any way possible to become permanently infected with anything. Reboot and it's gone.

As far as a content filter, DansGuardian or Astaro are popular apps. Astaro usually runs as a separate appliance, but it can be run as a local app. However, it's not free. Although I'm guessing that's not a problem since you payed for Xandros rather than downloading a free linux distro.

I'm switching several users at my work to Linux. They're tired of viruses, spyware, reboots, updates after updates, etc.

Mark

 

[pansophic]

If you are really concerned about what they might do to your perfectly configured machine, you may want to consider a kiosk implementation.

http://www.linuxjournal.com/article/7718

http://www.linux.com/howtos/Kiosk-HOWTO-1.shtml

http://kiosk.mozdev.org/

pansophic

 

[theniteowl]

I know there are far fewer attackes directed at Linux devices but there are still some out so I would like to address the avenues these attacks may take wherever possible.
The users in question are between 10 and 15 years old and that increases the risk based not only on inexperience at avoiding dangerous situations but also because they tend to participate in activities making them more vulnerable.

But my question is broader than just preventing malware infections. I want to help ensure the safety of the network they are connected to, be able to limit what activities they can participate in, track activities where possible, etc.

I do not want to totally lock down the machines so they are not capable of doing anything on their own but I do want to be able periodically check to make certain they are not done something to compromise themselves or the computer while giving them a bit more freedom.

My thought was to find information regarding each of these individual areas to make it easier for people to look into their options and decide what fits their situation.
Such as:
Info on safeguarding the computer from virus or trojans.
Info on parental control software for web browsing.
Info on remote access software for monitoring.
Info on software to do detailed logging of activity either at the PC level or logging of Internet access.
Info on preventing or remove spyware/malware.
Info on securing the device/network from external intrusion.
Etc...

I am already running behind a firewall/router and set to ignore ping requests. This is a start. But what other security problems need to be addressed? I can block all ports not specifically needed but what happens when an attack uses one of the open ports? Sometimes the security hole is through an internet application and the problems/solutions for that application need to be discussed or alternatives offered.

It can all be boiled down to a handful of subjects such as securing the device or network from outside intrusion, remote connectivity options, parental monitoring/filtering, virus protection, application security, os security, etc.

If someone just wants to lock down the device so the users cannot install software then links to articles doing just that would suffice for that option on that subject. If they want to leave the device at least partially open but try and cover any major security risks then a list of options would be useful.

The point is that it would be extremely useful to have one location that addresses the major questions with general recommendations and/or starting off points for the person to go to for learning more or getting software to address that subject. It would not only show people where they needed to go for specific help but also give them an idea of the other issues they may have to address or at least consider that they may not already be aware of.

I am not looking for a solution to all my own issues but considering what would be useful for large numbers of people as a good place to begin when considering these types of issues.
Something may even already exist and if so I would like to find it, otherwise I am really suggesting that this could be a good place to begin at creating one.

BTW, though I am running Xandros it was not a purchased installation, it is their free download version with limited trial versions of some of the provided applications.
I am not married to Xandros, it was just a nicely integrated version for me to install and test with and get the kids to warm up to as an alternative to Windows.
Xandros installed very cleanly on my devices and seems to work pretty well but I am not closed to alternatives.


At my age I still learn something new every day, but I forget two others.

 

[jstreich]

TWO NOTES TO START OFF:
First, as a 26 year old who doesn't have kids and grew up with computers and family that doesn't "get" computers, my first instinct to let them explore freely... Then again, there is a lot more out there now to be afraid of, then when I was 12.

Second, Linux is free (as in beer and freedom), and when you "buy a distro" your buying the support manual ect. that come with the distro...

BASICS OF NETWORK SECURITY ON LINUX
Alright, first, ipfilters will allow you to block any port incomming and outgoing. Don't have any port open that you need for normal activities, and don't run any services that you don't need. This will stop any IM software or P2P applications that you think your children are abusing. ipfiliters can also be setup to log activity in both or either direction. ipfilters are part of the OS, and any firewall sofware you find for linux will most likely be pretty interfaces to this system.

Sites you don't want your children going to can be blocked by editing the hosts file (/etc/host and assigning that page to 127.0.0.1 ... host file edits are also a good way to avoid seeing banner ads or avoiding goatse (now taken down, thank goodness).

KEEPING AN EYE ON THINGS
If your really curious about where you children are surfing to, you can write a root cronjob to copy over their browser history every few minutes if they are the active user.

The users shouldn't have root or sudo, and should have their own home and bin direcories to save and install to. If you allow save, you have to allow download, but you can make nothing writeable. All other directories should not be writeable by them. This should be the default for most distro adduser.

If there are programs you don't want them to use, you can add a cronjob to kill the application if it shows up in a ps under thier user name(s).

MALWARE
Malware still exsists, and even linux has AV software, but it's free (some as in freedom, others as in beer):
clamav, f-prot, tripwire and the like can be helpful on the outside chance the machine catches anything. They can be run on cronjob or as a backgroud deamon invisable to the users.

LIVE CDs
Running from a LiveCD distro and without a hard drive may also be option... If the children (or you) need to save anything, it can be save it to a thumbdrive, but the system will run most/all of the time without writing anything to disk. Then, every reboot will be like starting the system over with a fresh install. O'Riely even has a chaper in Knoppix Hacks about making a locked down Live distro (and hwere to find a couple_, but if it's live, there is little reason to lock it down.

[plug=shameless]

http://game-master.us/phpx-3.4.0/

[/plug]

 

[rzs0502]

I use Guarddog to simplify the creation of firewall rules

http://www.simonzone.com/software/guarddog/

And SquidGuard to filter sites etc.

http://squidguard.shalla.de/

Off course, if your default route is your internet router, they could take off the browsers proxy setting and get straight through.



"If you always do what you've always done, you will always be where you've always been."

 

[jstreich]

Guardog is just a GUI to iptables as is RedHats FireWall app.

And iptables and/or the host file could do filtering. Opera has built in filters, and it's easy to not allow access to the other browsers -- change the permission on them. Opera has a bunch of lockdown features including turning off downloading and saving. Just remember to change permissions on the Opera config files after setting it up for each user.

[plug=shameless]

http://game-master.us/phpx-3.4.0/

[/plug]

 

[aozora]

I did this successfully, with some digging around on Google. I use Mandriva 2007 for both home PCs, one is for the kids, and I use transparent redirection in iptables so there is no browser preference modification needed (and it works on all browsers, including text-only). I installed everything from source tarballs - it was simpler to tie it all together this way. The end result - per-user proxy restrictions, so I am exempt but the kids are not, and they are time-limited to between 7am and 9pm for web access. I also get emails of blocked attempts. They do not use IM, so this only applies to web access. Several false-positives, so a little tweaking of the blacklist files might be needed...

I documented this at

http://symbolik.wordpress.com/2006/11/29/recent-victory-making-my-sons-pc-kid-safe/

but will also list out the steps I took here:

1. Download the following (there may be newer versions, but definitely need db-2.7.7):
db-2.7.7.tar.gz (

http://download.oracle.com/berkeley-db/db-2.7.7.tar.gz)

squid-2.6.STABLE5-20061110.tar.bz2 (

http://www.squid-cache.org/)

dansguardian-2.9.8.0.tar.gz (

http://dansguardian.org/)

squidGuard-1.2.0.tar.gz (

http://www.squidguard.org/)

A mail server - I use postfix.

2. Unpack the downloaded files:
tar xvfz db-2.7.7.tar.gz
tar xvfj squid-2.6.STABLE5-20061110.tar.bz2
tar xvfz dansguardian-2.9.8.0.tar.gz
tar xvfz squidGuard-1.2.0.tar.gz

3. Make user, group, and firewall rules (iptables commands may appear wrapped in two lines):
groupadd -r squid
useradd -g squid -d /var/spool/squid -s /bin/false -r squid
iptables -t nat -A OUTPUT -p tcp --dport 80 -m owner --uid-owner squid -j ACCEPT
iptables -t nat -A OUTPUT -p tcp --dport 3128 -m owner --uid-owner squid -j ACCEPT
iptables -t nat -A OUTPUT -p tcp --dport 80 -m owner --uid-owner exemptuser -j ACCEPT #change exemptuser
iptables -t nat -A OUTPUT -p tcp --dport 80 -j REDIRECT --to-ports 8080
iptables -t nat -A OUTPUT -p tcp --dport 3128 -j REDIRECT --to-ports 8080

4. Make BerkelyDB - must be 2.x version, not newer, not older:
cd db-2.7.7/dist && ./configure && make && make install

5. Make squid v.2-6:
cd squid-2.6.STABLE5-20061110
./configure --enable-icmp --enable-delay-pools --enable-useragent-log --enable-referer-log --enable-kill-parent-hack --enable-cachemgr-hostname=hostname --enable-arp-acl --enable-htcp --enable-ssl --enable-forw-via-db --enable-cache-digests --enable-default-err-language=English --enable-err-languages=English --enable-linux-netfilter --disable-ident-lookups --disable-internal-dns && make && make install
#this is one long command from ./configure to make install

6. Make squidGuard v.1.2:
cd squidGuard-1.2.0 && ./configure && make && make install

7. Make dansguardian v.2.9.8:
cd dansguardian-2.9.8.0
mkdir /usr/local/dansguardian
./configure --prefix=/usr/local/dansguardian --with-proxyuser=squid --with-proxygroup=squid --enable-email=yes && make && make install
#./configure command is wrapped

8. Make and configure squid directories:
mkdir /usr/local/squid/var/cache
chown -R squid:squid /usr/local/squid/var
chmod 0770 /usr/local/squid/var/cache
chmod 0770 /usr/local/squid/var/logs

9. Make and configure squidGuard directories:
mkdir /usr/local/squidGuard
mkdir /usr/local/squidGuard/log
chown -R squid:squid /usr/local/squidGuard/log
chmod 0770 /usr/local/squidGuard/log
mkdir /var/log/squidguard
touch /var/log/squidguard/squidGuard.log
touch /var/log/squidguard/ads.log
touch /var/log/squidguard/stopped.log
chown -R squid.squid /var/log/squidguard
mkdir /var/lib/squidguard
mkdir /var/lib/squidguard/db
mkdir /var/lib/squidguard/db/blacklists
mkdir /var/lib/squidguard/db/blacklists/ok
chown -R squid:squid /var/lib/squidguard

10. Make and configure dansguardian directories:
chown -R squid:squid /usr/local/dansguardian/var/log

11. Edit and copy configs from respective source directories:
cp squid.conf /usr/local/squid/etc/squid.conf
cp squidGuard.conf /usr/local/squidGuard/squidGuard.conf
#change ip gateway address in squidGuard.conf
cp dansguardia*.conf /usr/local/dansguardian/etc/dansguardian
cp getlists.sh /usr/local/bin
cp etc-shorewall-start /etc/shorewall/start #change user name
cp etc-shorewall-stop /etc/shorewall/stop #change user name
cp etc-rc.local /etc/rc.local

12. Start or restart services as needed:
chkconfig iptables on
chkconfig shorewall on
service iptables restart
service shorewall restart
/usr/local/squid/sbin/squid -z # first-time config
/usr/local/squid/sbin/squid -N -d 1 -D #test squid, kill when working fine
/usr/local/squid/sbin/squid #this also runs squidGuard from "/usr/local/bin/squidGuard"
/usr/local/dansguardian/sbin/dansguardian
/usr/local/bin/getlists.sh #takes a very long time, and may need to be killed and run a couple of times
/usr/local/squid/sbin/squid -k reconfigure
/usr/local/dansguardian/sbin/dansguardian -Q

13. Post-install testing and tweaking:
# test with browser - should be transparent proxy surfing now, works with lynx as well
# set up a mailer for notifications:
# used postfix, pointed it to your mailserver.isp.domain
# postfix needs /etc/postfix/transport and /etc/postfix/generic
# dansguardian.conf calls it with 'sendmail -t' command
# for non-authenticated use, do not set 'by user = on' in dansgaurdianf1.conf

14. Edit squid.conf and set up time based access, to prevent late night surfing (add the following lines):
acl ACLTIME time SMTWHFA 7:00-21:00 #add to the ACL section
http_access allow localhost ACLTIME #add to the http_access

Final notes:
This probably will not work exactly as posted, especially if you use newer versions than I posted, so be prepared to tweak. Read through the squid.conf, squidGuard.conf, dansguardian.conf, and dansguardianf1.conf files for other options and file locations, and refer to the University of Google for further help with options and error messages. I had to play around with configure options for a while before I could get squid to compile, so be ready to to the same, depending on your setup. This all runs on a local box, which is not used to proxy any other computers - instead, I just do not allow them to use the main computer.

I sincerely hope this helps someone secure their kids' computers. I have set this up on a friend's home PC as well, and they are very happy with the results.

Good luck!

 

[redphone]

I also have kids that I also would like to protect from the harsh reality of the Internet. I try to use Linux when ever possible, but they are at the age where they still like to play games on the computer tailored for Windows.

I have been using Smoothwall as a firewall for the past year now and it has been very helpful. It can do just about everything you described and there are some modded versions of it that has all of the add-ons already preconfigured. It is easy to install and it doesn't take much to run it. I have mine running on a VIA MIA6000 fanless motherboard and a 2gig compact flash card so there are no moving parts and it was cheap to build. An old PC with two NIC cards would work too.


Here is a link to one of the Modders ISO as an example.

 

[aozora]

cool, redphone. ClarkConnect also appears to be a good all-in-one security gateway solution, although I have not tried it.

 

[tyrannus]

To redphone,

Some linux distro's come with wine preinstalled or you can install it later. Wine emulates a windows environment allowing most of your windows games, apps and other things to run just as well if not better than on windows.

 

[wweigel]

If anyone that is looking for antivirus for Linux might take a look at:

http://free.grisoft.com

- the makers of AVG andivirus for windows is now available for the Linux plattform. Just thought I'd share this with everyone!

 

[stefanwagner]

@wweigel: is this a tool to protect windows users, who use files from a samba-server or get mails from a linux-mail-server?

There are so few linux-viruses in the wild.

And anti-virus-tools only protect you against known viruses.
I'm using linux for nearly 10 years wihtout AV-tool, and without virus.


don't visit my homepage:

http://home.arcor.de/hirnstrom/bewerbung

 

[jstreich]

AV software can prevent or remove viruses on Linux boxes, and while mal-ware is rare there are some out there for Linux. I have never caught any either, but I also am the paranoid type. I have clamAV (and played with F-Prot), and both can be used on the mail server, but both also have the known Linux exploits in their databases.

[plug=shameless]

http://game-master.us/phpx-3.4.0/

[/plug]

 

[stefanwagner]

I read far more often of vulnerabilities in AV-software, than of linux-viruses in the wild.

Just for the paranoid types.

don't visit my homepage:

http://home.arcor.de/hirnstrom/bewerbung

 

[bigoldbulldog]

In regards to the host computer, you can alway fine tune user accounts, but if very worried, chroot or, better yet, VM an instance for them.

Cheers,
ND