How To Secure Puppy in 5 easy steps.

John Doe
Posts: 1681
Joined: Mon 01 Aug 2005, 04:46
Location: Michigan, US

How To Secure Puppy in 5 easy steps.

#1 Post by John Doe »

After you boot up do the following:

1-open console type 'passwd root'. enter your new password twice.

2-run 'lock' on desktop and enter password from step 1

*you may want to select 'blank' from the config to save on processor usage

3-edit /etc/inittab to look like this:

Code:

::sysinit:/etc/rc.d/rc.sysinit
tty1::respawn:/sbin/getty 38400 tty1
tty2::respawn:/sbin/getty 38400 tty2
::ctrlaltdel:/sbin/reboot

*this keeps someone from killing lock with ctrl+alt+backspace and logging back in automatically and also gives the option on bootup to enter 'root' and 'password'.

4-run the firewall wizard at Menu->Setup->Linux-Firewall Wizard. automagic works fine if you don't have to set up any local services.

5-shutdown and select 'heavy encryption'

Puppy's Secure.

rrolsbe
Posts: 185
Joined: Wed 15 Nov 2006, 21:53

I followed your steps and it worked as described.

#2 Post by rrolsbe »

Regards
Ron

Lobster
Official Crustacean
Posts: 15522
Joined: Wed 04 May 2005, 06:06
Location: Paradox Realm

#3 Post by Lobster »

I have placed it here
http://puppylinux.org/wikka/Security

I never use anything more than the firewall in Puppy and a hardware firewall in the router

I believe the hardware firewall restricts use of VOIP, I could set it up differently but . . . [shrug]

A lot of people will appreciate what John Doe is suggesting.

For me encryption will slow Puppy. Login passwords, as in the new Grafpup, and having to mount CDs are hindrances - for some they are necessities. Unlike most Linux, Puppy is designed NOT for network use but for a single desktop user.

However sometimes people share access, so these precautions become useful, so too with mobile use. We also do have networked users.

Puppy is flexible enough to be small, secure, network and thin client compatible and so on. In other words Puppy is small and simple enough to evolve in many directions . . . and he does . . .

Just remember a recent report (sorry no link) has found Windows Vista is no more secure than XP. Pah - wow? The worry more like. How slow is your Windows machine after adding essential security software?

No trojans, virii and other malware for Puppy. It kinda freaks out the Windows users who are used to living with essential computer slowing protection.

:oops: seem to have gone into rant mode

Be safe
Puppy Raspup 8.2Final 8)
Puppy Links Page http://www.smokey01.com/bruceb/puppy.html :D

mcewanw
Posts: 3169
Joined: Thu 16 Aug 2007, 10:48

Puppy not set up as a multiuser system

#4 Post by mcewanw »

It's probably worth mentioning that Puppy isn't set up as a multiuser system.

You can add a new user login to Puppy by opening an rxvt console and entering the commands:

mkdir /home
[note: the above assumes you don't have that directory already]
adduser <new_user_name>

However, adduser fails to make a skeleton copy of all the configuration files, that new user would need, into their home directory.

Hence, if you tried booting up as that new user, you would find that all the required symlinks etc are not made for X windows desktop to operate. The system will boot into X as that user, but what you get is pretty much unusable and locked up - you don't even get a Menu bar so it's tricky to shut the system down again... If you do try such a thing, you can however always get out of X by pressing the key combination: Ctrl-[Backspace key]. That takes you to a bash commandline. Then you can login as root user and start X windows up again by entering the command: xwin

I also noticed that the command "deluser <username>" fails to remove any newly added user.

CaptCadwallader
Posts: 6
Joined: Wed 03 May 2006, 03:47
Location: Mound House Nevada

password in puppy

#5 Post by CaptCadwallader »

I did exactly what was described except I never got the heavy encryption question when I shut down. That may have been because when puppy shuts down on my SONY VAIO PCG Z505R the screen becomes unreadable. However the problem is that when it reboots it asks for a login. I don't see where in the instructions a login is set. I now can't access puppy. I tried root, ROOT and Root as the default logins. Does anybody know what the default login is?

All the best.
William L Cadwallader
CaptCadwallader@gbis.com

John Doe
Posts: 1681
Joined: Mon 01 Aug 2005, 04:46
Location: Michigan, US

#6 Post by John Doe »

the password should be whatever you entered under step 1.

Flash
Official Dog Handler
Posts: 13071
Joined: Wed 04 May 2005, 16:04
Location: Arizona USA

#7 Post by Flash »

Capt, it might help if you told us which version of Puppy you're using and if it's a full or frugal install.

CaptCadwallader
Posts: 6
Joined: Wed 03 May 2006, 03:47
Location: Mound House Nevada

password

#8 Post by CaptCadwallader »

If you will notice step one states;

"1-open console type 'passwd'. enter your new password twice."

However what the author meant to say was;

1-open console type 'passwd root'. enter your new password twice.

What I effectively did was to create a password with no possible login.

It was a full install of the latest 3.01.

I also did not use rxvt, the puppy console. Instead I used leafpad. At the time I didn't understand the difference. Not sure I do now.

All the best.
William L Cadwallader
CaptCadwallader@gbis.com

John Doe
Posts: 1681
Joined: Mon 01 Aug 2005, 04:46
Location: Michigan, US

Re: password

#9 Post by John Doe »

CaptCadwallader wrote: It was a full install of the latest 3.01.

does the following at the console,

Code:

passwd --help

not include;

"If no name is specified, changes the password for the current user." (I'm using 4alpha6 now).

CaptCadwallader wrote: All the best.

all the same.

mcewanw
Posts: 3169
Joined: Thu 16 Aug 2007, 10:48

Re: password

#10 Post by mcewanw »

CaptCadwallader wrote: I also did not use rxvt, the puppy console. Instead I used leafpad. At the time I didn't understand the difference. Not sure I do now.

Leafpad is a text editor, for typing notes. You can type whatever you like in there, it won't change your password!

If you type passwd (without a following name) in a console it will change the passwd of whoever you are currently logged in as (username root is the default login on puppy; there is no passwd set by default, so just pressing "enter" if asked for a password would normally log root user in).

Flash
Official Dog Handler
Posts: 13071
Joined: Wed 04 May 2005, 16:04
Location: Arizona USA

#11 Post by Flash »

Is it possible to boot Puppy from a live CD (with the "puppy pfix=ram" boot option), find the place where the password is stored and change the password to whatever you want?

(By the way, I corrected the mistake CaptCadwallader found in the first post of this thread, to avoid further confusion.)

Pizzasgood
Posts: 6183
Joined: Wed 04 May 2005, 20:28
Location: Knoxville, TN, USA

#12 Post by Pizzasgood »

mcewanw wrote: Leafpad is a text editor, for typing notes. You can type whatever you like in there, it won't change your password!

I wonder if this is a result of Puppy's RXVT using black on white rather than the more normal white on black? That's usually one of the very first things I change when I start working on a Pizzapup.

Flash wrote: Is it possible to boot Puppy from a live CD (with the "puppy pfix=ram" boot option), find the place where the password is stored and change the password to whatever you want?

As long as the save-file (if it exists) and partition aren't encrypted. /etc/shadow is the file you'd modify.

Basically, the biggest point for having a root password is to block network attacks. Encryption is the only thing approaching a solution for stopping people who can physically access the machine.
Between depriving a man of one hour from his life and depriving him of his life there exists only a difference of degree. --Muad'Dib

vitruvius
Posts: 4
Joined: Sun 19 Oct 2008, 22:42

small data collection unit on internet

#13 Post by vitruvius »

Hello. First, please note that I am fairly new to both linux and puppy (so be patient with me). I have many years of experience with apache, php, and mysql on windows. Currently I'm working on developing small linux boxes that will collect data from sensors, some simple processing of that data, and then sending the data to a central server. I'm experimenting with using puppy for these small "collection" computers. Really I have a couple of simple questions.

(1) Security. I think a single user machine will work for me following the security steps in the prior posts since this is primarily an automated process. But "should" I be concerned about external attacks from the web. Do I need a hardware firewall in addition to a software firewall? (I know that it would probably be better, but trying to keep costs down).

(2) Processing. I'm thinking that the processing will be php and interface with the central server via Hiawatha. I will probably post some questions in a more appropriate location about the php processing. Is Hiawatha the best choice for a small, secure web server?

(3) What am I forgetting?

Thanks for the help.

So info about the current, experimental install:
Linux 4.1 installed on the hard drive
(puppy-4.1-k2.6.25.16-seamonkey)

PaulBx1
Posts: 2312
Joined: Sat 17 Jun 2006, 03:11
Location: Wyoming, USA

#14 Post by PaulBx1 »

John, I have a possible addition to your recipe for slightly more paranoid types. Edit /etc/rc.d/rc.firewall, changing the state of these two parameters, to the following:

RFC_1122_COMPLIANT="no"
DROP_NEW_WITHOUT_SYN="yes"

The first drops any pings that come your way, and the second does not allow packets of the state "NEW" to pass without being SYN packets.

I also turned on "LOGGING" in mine, just to see if any naughty stuff comes in.

BTW I found an excellent resource for understanding what our firewall is doing:
http://web.archive.org/web/200504210155 ... forge.net/

He is actually disdainful of throwing away pings, but that's OK, not everybody has to agree with everybody else. I figure if your connection stops working because of it, then you can always change back. Both the above changes have some risk; you can read about it yourself and decide if it is worth it:
http://web.archive.org/web/200504210417 ... onfig.html

Oh, here's a tutorial on iptables itself:
http://iptables-tutorial.frozentux.net/ ... orial.html
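
A way to check that steps 1 and 3 of the first post and the two rc.firewall parameters from post #14 are actually in effect, added here as an example and not written by anyone in the thread. The function names, the test for getty's -n and -l options, and the sample files are assumptions of this example; /etc/shadow, /etc/inittab and /etc/rc.d/rc.firewall are the files the posts name.

```shell
#!/bin/sh
# Added example: check that the thread's settings are in place. Files are passed
# as arguments, so copies or a mounted save-file can be audited too.

# Step 1: state of root's password field in a shadow-format file: "set",
# "empty" (pressing Enter logs in), "locked" (no password matches) or "missing".
root_pw_state() {
    awk -F: '$1 == "root" { found = 1
                 if ($2 == "") print "empty"
                 else if ($2 ~ /^[!*]/) print "locked"
                 else print "set"
                 exit }
             END { if (!found) print "missing" }' "$1"
}

# Step 3: succeed only if tty1 respawns getty without -n or -l, the getty
# options that skip the login prompt or substitute another login program.
tty1_forces_login() {
    awk -F: '$1 == "tty1" && $3 == "respawn" {
                 if ($4 ~ /(^|\/)getty( |$)/ && $4 !~ / -[nl]( |$)/) ok = 1; else bad = 1 }
             END { exit !(ok && !bad) }' "$1"
}

# Post #14: value assigned to NAME in rc.firewall (last assignment wins).
fw_param() {
    sed -n "s/^[[:space:]]*$2=\"\{0,1\}\([^\"#[:space:]]*\).*/\1/p" "$1" | tail -n 1
}

# audit SHADOW INITTAB RC_FIREWALL: prints one line per failed check and
# returns the number of failed checks (0 means everything is applied).
audit() {
    fails=0
    state=$(root_pw_state "$1")
    [ "$state" = set ] || { echo "FAIL: root password is $state"; fails=$((fails + 1)); }
    tty1_forces_login "$2" || { echo "FAIL: tty1 does not force a login"; fails=$((fails + 1)); }
    [ "$(fw_param "$3" RFC_1122_COMPLIANT)" = no ] ||
        { echo "FAIL: RFC_1122_COMPLIANT is not no"; fails=$((fails + 1)); }
    [ "$(fw_param "$3" DROP_NEW_WITHOUT_SYN)" = yes ] ||
        { echo "FAIL: DROP_NEW_WITHOUT_SYN is not yes"; fails=$((fails + 1)); }
    return "$fails"
}

# Constructed sample files (not copied from a real Puppy install).
demo=$(mktemp -d)
printf 'root::13000:0:99999:7:::\n' > "$demo/shadow"
printf 'tty1::respawn:/sbin/getty -n -l /bin/autologin 38400 tty1\n' > "$demo/inittab"
printf 'RFC_1122_COMPLIANT="yes"\nDROP_NEW_WITHOUT_SYN="yes"\n' > "$demo/rc.firewall"
audit "$demo/shadow" "$demo/inittab" "$demo/rc.firewall" || echo "$? check(s) failed"
rm -rf "$demo"
```

On a live system, run it as root with `audit /etc/shadow /etc/inittab /etc/rc.d/rc.firewall` after removing the sample section.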

kpfuser
Posts: 207
Joined: Sun 19 Mar 2006, 15:02
Location: Mt Pelion, Greece

#15 Post by kpfuser »

Following a timely suggestion by a fellow forum member, the discovery of this thread seems to hold the key to resolving several security concerns of mine. Nevertheless, answering questions may bring new ones to the fore. Thus in implementing the teachings of the very first post, one sees immediately after item #2,
*you may want to select 'blank' from the config to save on processor usage
I take this to mean that in his/her resolution to be green to the core, a user may enter a config file and opt to forgo the artistic shower of broken green twiggies (or is it Japanese calligraphy of some sort?) in favor of a more austere, albeit slightly depressing, blank (and probably black) screen. Oh well, if the road to greenness must pass through black alleys, so be it. But where is this config file and how can one make it there?
NOP 4.1-r-1 on USB Flash Drive

Pizzasgood
Posts: 6183
Joined: Wed 04 May 2005, 20:28
Location: Knoxville, TN, USA

#16 Post by Pizzasgood »

kpfuser wrote: I take this to mean that in his/her resolution to be green to the core, a user may enter a config file and opt to forgo the artistic shower of broken green twiggies (or is it Japanese calligraphy of some sort?)

Referring to the 'matrix' version? It's a combination of numbers and katakana. In Japanese there are three types of symbols. The kanji are symbols that are associated with words or ideas. The other two types, hiragana and katakana, are more like letters - each one corresponds to a sound, and you put them together to spell out words. Hiragana is more round and is mainly used for Japanese words. Katakana is a more straight set of symbols, and is used for non-Japanese words, and also for words that represent a sound (bang, kaboom, ping, stuff like that).

kpfuser wrote: But where is this config file and how can one make it there?

Right-click the lock icon.

kpfuser
Posts: 207
Joined: Sun 19 Mar 2006, 15:02
Location: Mt Pelion, Greece

#17 Post by kpfuser »

Question: Why didn't I think of it in the first place?
Answer: Because I would have missed out on the brilliant (I mean it!) expose of Japanese writing modes, the respective character sets, and their intended usage!

Quite unexpected, I must admit, that Puppy would lead me into such areas of things Japanese but quite welcome nonetheless.

Pizzasgood, a big thanks for the above!
NOP 4.1-r-1 on USB Flash Drive

kpfuser
Posts: 207
Joined: Sun 19 Mar 2006, 15:02
Location: Mt Pelion, Greece

#18 Post by kpfuser »

Ooooops!!! :oops: I'm afraid I got a bit ahead of myself with my previous post!

Right-clicking on the "lock" icon brings up a menu where only the option "properties" holds some promise of success. Unfortunately, going for it brings up a menu of one working option, "select action type," and a greyed out one, "orientation." Going for the first produces two new options, i.e., "lock screen" and "quit + lock screen," none of which seems to lead to the desired end.

On the other hand, if the screen is locked and one tries to unlock it, it reverts to showing an animated icon displaying the matrix theme. Above it is the theme's name, i.e., Matrix..... The user name is displayed below along with "password:" with the field next to it blank. Next comes the line of text "Enter password to unlock. Select icon to lock." This probably implies that this is the place from where to choose the theme to be displayed when the screen is locked, provided that there is more than one theme icon to choose from.

This brings to mind that mine is a slimmed-down version of Puppy (see below). Is it possible that in an attempt to make frugality more frugal such features were trimmed out, making in the process NOP not just "no office puppy" but "no office + no additional undisclosed features/options that we will not tell you where they were taken out of?" The latter is a chilling thought for an otherwise enthusiastic newcomer who already has to struggle with the scarcity of documentation for this distro.

In any event, I must ascertain first whether my fears (about excising more than just office in NOP) are indeed true before continuing. Any contributions on this?
NOP 4.1-r-1 on USB Flash Drive

Pizzasgood
Posts: 6183
Joined: Wed 04 May 2005, 20:28
Location: Knoxville, TN, USA

#19 Post by Pizzasgood »

I do mean the desktop-icon. It sounds like either NOP is using a program besides ROX-Filer to handle the desktop icons, the lock rox-app was fiddled with, or Rox's settings were messed up. My guess is the first one.

You can run the command directly like this:

Code:

/usr/local/apps/Xlock/AppRun -configure

Assuming that hasn't been altered too, of course.

kpfuser
Posts: 207
Joined: Sun 19 Mar 2006, 15:02
Location: Mt Pelion, Greece

#20 Post by kpfuser »

Thanks!

Your command did it! Btw, from Menu --> File System I see that the Thunar File Manager has replaced ROX. Perhaps this might explain something to you. As for me, I'm happy to have gleaned out the hard way a few lines of the missing NOP manual I must construct by hook or crook. So with this happy thought and noticing that the time is much too late here, I'm off to bed with at least today's scuffle with NOP ending satisfactorily. For this, I must thank you again and bid you goodnight.
NOP 4.1-r-1 on USB Flash Drive
