Open source security setup
-
an open source security setup for a windows machine. any additions, recommendations, alternatives? [center][u][b][size=4]anti-malware/antivirus[/size][/b][/u][/center] -[size=4]Immunet[/size] - cloud based, community based. Real-time detection, very lite, cloud heuristic. can integrate clamav for offline protection. online has SPERO and ETHOS engines. [i]or[/i] -[size=4]Clam Sentinel[/size] (install with clamwin) - real time scanner. detects file system changes and automatically scans the files added or modified -[size=4]opendns[/size] - secures your browser (phishing protection, etc, etc). this will strengthen your above antimalware. -[size=4]clamav[/size] - demand scanner -[size=4]xpy[/size] - disable the default threats of Windows (advanced users). -[size=4]nixory[/size] - antispyware - malicious cookie removal. [center][u][b][size=4]passwords[/size][/b][/u][/center] -[size=4]keepass password safe[/size] - (password manager) -[size=4]PWGen[/size] -a password generator [center][u][b][size=4]browser[/size][/b][/u][/center] -[size=4]firefox[/size] - privacy protection, antiphishing + antimalware, site id, secure connection for addons, plugin check, tons of security addons, etc. (fireclam addon - scans downloads with clamav) [center][u][b][size=4]firewall[/size][/b][/u][/center] -[size=4]windows firewall notifier[/size] - add outbound control to windows firewall. (apparently now open source(?)- http://wfn.codeplex.com/). [center][u][b][size=4]mail[/size][/b][/u][/center] -[size=4]thunderbird[/size] -[size=4]spam assassin[/size] -[size=4]Enigmail[/size] - extension, automatic encryption/decryption (openpgp) (must install GnuPG separately) -[size=4]Gpg4win Light[/size] - encryption and digital signatures [center][u][b][size=4]encryption[/size][/b][/u][/center] -[size=4]TrueCrypt[/size] - Protect your sensitive data. [center][u][b][size=4]network[/size][/b][/u][/center] -[size=4]angry ip scanner[/size] - IP address and port scanner -[size=4]wireshark[/size] - -Monitors all network traffic on a network. [center][b][u][size=4]cleaner[/size][/u][/b][/center] -[size=4]bleachbit[/size] - clean privacy tracks and possible malware in cache.
-
Using free (libre/open source) apps on a closed OS might not be the most logical thing in the world, but it was a step I used years ago when I was thinking about changing to a free/open operating system. I finally took the plunge after the transition and went free/open all the way.
-
For an e-mail client I always used ClawsMail. It is not as pretty but all the GnuPGP items you need can be accessed from within the client.
Additional add-ons are available if you need them.
For more info see: http://www.claws-mail.org/
As a browser I preferred Opera (ver < 15). Not Open Source but much easier to control and clean up after.
-
This topic is theoretical and could prove implementation is possible. While `better' freeware/paidware exists, worse alternatives also exist. Immunet shows how far open source has progressed over clamav. It is an eloquent program that is light on resources and gives “fair” protection (pcmag 2014). Are there better alternatives in the freeware realm? Sure. But it is just piece of the security puzzle. How secure can we make an open source setup? Is it viable? Considering many users rely only on mse or no antivirus … open source projects could help them secure their system. Note that while Immunet (or Clam Sentinel) doesn't have superior detection ratings, in this setup it is backed up by opendns, malware domains, phishtank, javascript blockers, email alternative antivirus scanning, running process alternative antivirus scanning, etc. These extras compliment its detections and make it full featured and robust. And when/if malware penetrates, it will find itself in a limited account with neutered access rights. If it tries to access the net, it'll expose itself by needing permission.
- Harden Windows. Only run in a limited account. System is then fairly secured and password protected.
- Update, update, update ... everything: windows and programs.
- Make a windows backup and routinely make restore points. If you are infected, you have a fallback for cleaning.
- Immunet w/clamav – ok protection.
- windows firewall turned on, with outbound protection via windows 7 firewall control. You can now detect undetected trojans trying to access the internet and stop them.
- Opendns (using phishtank) will block most malicious sites, downloads, phishes, pharms, exploits, etc.
- Firefox is full featured browser with integrated modern protection. It has more security addons than anyone.
-Clamfire will scan downloads with clamav.
- Secure https for all connections.
-Noscript to guard javascript. Flashblock to block flash.
-bitdefender/bullguard addon to scan running processes.
-Numerous site reputation addons (webutation, wot, etc etc).
-browserprotect – browser protected against a set of hijacks including homepage, search provider, extension, add-on, BHO and other hijacks.
-adblockers. Some ads contain malware. Use one with malware domains list.
8 ) Thunderbird has integrated protection for spam and phishing. There are other addons to supplement this. Use e-mail service that scans for malware. ex. "Gmail automatically scans every attachment when it's delivered to you, and again each time you open a message. Attachments you send are also scanned." This is a different antivirus product then immunet that likely boasts better detection ratings.
-
JayL
I have several systems (windows 7 home, windows 7 starter, ubuntu, and xubuntu). I am aware and use open source operating systems. I enjoy their added security, but for many people, they are either unusable or unfathomable (whether its b/c they need particular software or need a more user-friendly experience). You can use windows more like linux (as you know) by password protecting it and running it in a limited account. And by avoiding dubious download sites. This is a given in this setup.
Linux is far more secure than Windows. However, it isn't bullet proof. One thing it does well is exercise better control of the inexperienced user: and that is its strength – that you can't do something stupidly that you want too … or at least, not as easily. I recently was trying to get a game running in xubuntu (from the repository). It installed but wouldn't run. Forums recommended the fix, to sudu everything and give it unhindered access to my system. Ouch. It's an online game. This could give an hacker access to my inner system, unhindered. Many fixes recommended trying to download the tar from the website, and not the repository; in that scenario, you bypass another important safeguard. When i was in university, i knew a guy who routinely hacked their unix system. It can be done. Ubunto has a right-click file feature to trust untrusted software and to allow it to run. Even in linux, if the user downloads carelessly and gives permission, they can be infected. Luckily, the obscurity of the os still protects them.
-
Claws Mail might not be a total beauty queen, but I'm impressed by the screenshots in the link you posted. There is some elegance there. It's nice to know about this one.
-
i didn't realize claws mail was on windows. i just looked it up on download.com and there it was:) i tried it a while back (and kmail) on linux. it was pretty fast and seemed to be a good program. i eventually yielded to thunderbird … though i can't remember why ... i think it was because it was a little easier to set up the accounts and i was lazy(?): i always hate setting those things up.
it has some good security plugins (pgp, spamassassin, bogofilter, bsfilter, clamav).
seamonkey is also noteworthy.
-
Nice idea for a thread.
The argument that Windows is inherently insecure, does not mean people should not seek to close the holes at every available opportunity.
More effort has to be put in to Windows, so threads of this nature are important.
For XP users, this thread will soon become even more useful.The GRC pasword generator is Opensource
https://www.grc.com/passwords.htmOpenDNS is great for most users, but as it blocks bad domains, it can also end up temporarily blocking sites based on false-negatives (same as the Comodo and Trend DNS).
I favour having my backup DNS from a different service, and personally never use any DNS that block or redirect.
This is because I actively seek out and test bad sites, so they can be reported with useful info.
Regularly dangling my private-parts in the lions mouth, means I have Windows clamped-down or sand-boxed, and use the Linux approach in my browsers.
Opera and Firefox, are totally OCD and ask for permission to do anything.
All Temp data, from Windows and browsers etc. is stored on a dedicated drive/partition (this is also a great way to avoid fragmentation).
I can disconnect or quick format this at a moments notice.Many DNS now block or redirect, but mostly this is being used to block download and streaming sites.
You can use the GRC DNS benchmark program, to see which DNS block or redirect, is fastest for you, and which use DNSSEC authentication.
https://www.grc.com/dns/benchmark.htmI would recommend slipstreaming your own Windows install, so you can avoid installing anything you don't want, include security tweaks, and have the system defaults set to your liking, so any new accounts will already be secure as you can make it.
nLite is very useful for reducing you Windows footprint.
http://www.nliteos.comOK. back to domain blocking.
If you want to block the malware sites, but require the ability to bypass individual blocks, then using a local "HOSTS" file may be better.
I use it to block adverts, but you can include a variety of criteria depending on where you get your HOSTS file.
"HostsMan" is one of the easiest/best I've used http://www.abelhadigital.com/hostsman
NOTE: All good AV software should block the editing of the HOSTS file, so you should temporarily disable, while updating it.
Mac and Linux also use HOSTS files, and I posted more links and info here;
https://vivaldi.net/blogs/entry/how-to-block-sitesThere are a few odd tools that will allow you to conveniently edit various registry settings that effect your security.
X-setup was once a commercial product, but is now totally free.
http://www.x-setup.net
This really is the mother of all tweakers, as it is just a framework for user editable scripts.
e.g. if you know of another tweak you want in it, you can make your own script."jvPowertools" The only registry cleaner/tweakeer worth using, is going open source even though the crowd-funding did not reach it's total.
http://www.macecraft.com
This program can be very useful for tracking registry changes, and removing unwanted items. It also has easy access to various security related Windows options, and can install the Hosts file from http://winhelp2002.mvps.org/hosts.htmNOTE: Nothing suggested here needs to stay installed after being used, so can be part of your portable USB tool-kit.
-
How 'bout that source code, jimc. You can evaluate it with your very own eyes, or if you don't have the expertise, you can depend on the expertise of many others.
-
Yes, jim, it's exactly like that. I didn't think you were looking for an answer.
-
Open Source does not mean loads of people coded it, and 1 expert said it is OK.
As Dave pointed out "many experts" look at the final code, even if only 1 programmer wrote all the code.Getting many experts to examine the code means that there is a much bigger chance of an error being seen.
The point is not to rely on the so-called expertise of 1 person.Having open access to the code-base of anything security or encryption related is more than useful or important. It is now a necessity.
Any security product using closed source can not be trusted.
eg. If Apple had been using a closed source SSL system, nobody could have found the error that has left all Apple users unable to fail corrupt, old or compromised SSL certificates.
I would love to see the statistics on how many Apple users gave away their login details over the last few years (FireFox users on Mac were safe), and any iPhone stuck with iOS 6 still has the error.
This SSL code change was not passed for inspection to any experts, and does not exist in the original repository.
It has also been pointed out by several programmers, that the error would have been flagged by the compiler, so you would have to specifically make it not see the error for it to compile.Open inspection of code, is how flaws and back-doors are found before the public get to use it.
-
jimc
i'm not exactly sure what you mean, i think you are reading too much into this thread. open source has a lot of excellent software. this thread is focusing on security related open source software. perhaps myself, or someone else, will learn about some that they are unfamiliar with and would wish to try? feed back from those with experience is also helpful, as some might be buggy or useless or have conflicts. many others are using open source software and don't even realize it - threads like this may help elucidate.
the topic's thrust hoped to evaluate if open source security products had reached a level of adequate competence to safeguard your system (or to be used on it). i would point out that their antivirus products have not necessarily preformed to the standards of many proprietory products. testing is difficult however, when you are incapable of paying for it. because of this, it is rarely evaluated. recognizing this, products such as immunet are designed to be used complimentary to your preferred antivirus. notwithstanding, you can pay for a propietory engine in immunet (bitdefender). this product is far more capable and can be used by itself: but the paid upgrade muddles the purpose of the thread.
clamav's demand scanner has a lot of false positives and doesn't quarantine by default (you can turn it on but its not recommended). yet it does add some value to many setups as it might identify malware missed (and its easy to check the suspected file on virus total to see if it's a false positive). in my experience, clamav does a better job at identifying old malware (ex. xp malware on my win 7 machine). because of this, it might be better than malwarebytes on an xp machine (seeing as how malwarebytes focus is on newly emerging malware).
many people will continue using xp, despite the fact that its not supported anymore. like an old laptop that is reborn by a linux os, open source software might be the only means of protecting that old os (microsoft is not supporting mse on xp anymore, either).
lastly, stopping the infection is paramount. so, the software doesn't have to be specifically `security software': hence the inclusion of things like email and browsers (no ones mentioned the chromium open source browser yet, it does have a built in sandbox. their site says its good up to vista. does the sandbox work on win 7 or 8? anyone?). infections can come through attachments for office programs. which open source office program is the most secure? which has more security features? which ones use java addons? these are relevant questions. and not everyone wishes to pay for office programs, and a security conscious word processor might save your system from a nasty infection.
-
thanks for the input Dr.Flay.
is hostsman open source? i've used it in the past and can verify it is an excellent product. i searched for open source host management and found: Host File Editor. it says:
"Check and correct host name syntax, add, change or delete entries, open an external file and backup". its good for 32 and 64 bit
http://download.cnet.com/Hosts-File-Manager/3000-18506_4-75788611.htmli've never tried it so i can't comment on it.
-
yes,i love free quality software also. though, most freeware is only intended to be freeware for a limited time. a multitude of factors keeps the game afloat and freeware around (and God bless those factors). but those companies no doubt have long term goals to make money off it. i've noticed how the antivirus market is narrowing (ex. many products use the bitdefender engine). and i've noticed how the big boys of av are including chrome or searchbars or something in their installers, or pushing ads (more aggressively then they used to), have fewer features in their free products (remember when avast's sandbox was still in the freeware version?). but that's ok, i understand it and the reasons why.
"What I want is all software. I can't afford much and don't spend anything on software anymore, but I don't care about is whether it is open source or closed source. I don't even consider that."
-yes, i'm sure myself or others will topic the freeware world. this is a sampling of it.
-perhaps you should consider an element of it. there are many newer emerging antivirus products that come from potentially untrustworthy sources. some companies have been implicated in criminal activity, but lay outside of the western judicial system, and so are untouchable. and their software isn't relegated to merely antimalware products, but span the range of software from office to utilities. products such as these maybe productive shells for trojans. should nasa, or the military use a cloud based antivirus that sends the information to another country for analysis? heaven forbid. some of these companies have been implicated in reverse engineering some of our beloved and respectable freeware. they then use this counterfeit software, which they did not develop, to compete with the true developers. eventually, the true developer will succumb to the added competition and fold. leaving only the counterfeits. oil company employees, government employees, business' with proprietary inventions or secrets, business strategies, etc, can be spied giving an advantage to competing unscrupulous companies outside of western law. so even in the freeware world, only use software (no matter how awesome it is) from reputable and trustworthy companies. this is one reason why some like open source. i like it for good software. -
Hi guys (and girls?).
I tried Ubunu 10 years ago on a dual boot, but needed M$ at work. These days I have started to look at LibreOffice under windows 7, and I like it better than the newest MS Office. Am I right if I assume that it is easier to work with files back and forth between Windows and Linux now than it was 10 years ago?
I’m reading your post with greater and greater interest, but cannot make any contribution (yet). Could the thread’s title be Open Source instead of Open Source Security Setup?
Should I take the leap from Windows to Ubuntu? Note that I already am a purist when I chose LibreOffice over OpenOffice. -
Am I right if I assume that it is easier to work with files back and forth between Windows and Linux now than it was 10 years ago?
I think very much so. My employer is totally MS Office. With LibreOffice, I can stay completely in the game from home with my Linux box.
-
jimc>repositories have stringent criteria for inclusion. they have checked the implications of the software they carry.
open source code can be requested and viewed. we don't read c++, but many do.
-
leirom
since your computer can be infected with an office attachment, i think a functional and secure office suite is relevant to this topic.
libreoffice and openoffice are both proficient at reading/writing doc files. i don't think they can handle docx, but most still use doc, i think that's the standard. although, i've never done much in terms of advanced formatting - i'm unsure if everything would render perfectly. personally, i've never noticed anything bad (i use libreoffice).
abiword is also very popular.
-
leirom
since your computer can be infected with an office attachment, i think a functional and secure office suite is relevant to this topic.
ex. http://arstechnica.com/security/2014/03/zero-day-vulnerability-in-microsoft-word-under-active-attack/.Thank you for the link biggerabalone.
-
adding a couple more:
-process hacker - see whats running and investigate. (i've used this and like it. it has a portable)
-Moon Secure Antivirus - not sure what's going on with these guys, anyone try them? i thought it was long dead, but i appear to be wrong. download.com says they're good for win 7 and it's last update wasn't too long ago. here's their spiel:
"Moon Secure Antivirus aims to be the best Free Antivirus for Windows under GPL license. It offers multiple scan engines, Net shield, Firewall, On access, on Exec scanner and rootkits preventions plus features from Commercial Antivirus applications".