81
submitted 10 months ago* (last edited 10 months ago) by HiddenLayer5@lemmy.ml to c/linux@lemmy.ml

I have a few Linux servers at home that I regularly remote into in order to manage, usually logged into KDE Plasma as root. Usually they just have several command line windows and a file manager open (I personally just find it more convenient to use the command line from a remote desktop instead of directly SSH-ing into the system), but if I have an issue, I've just been absentmindedly searching stuff up and trying to find solutions using the preinstalled Firefox instance from within the remote desktop itself, which would also be running as root.

I never even thought to install uBlock Origin on it or anything, but the servers are all configured to use a PiHole instance which blocks the vast majority of ads. However, I do also remember using the browser in my main server to figure out how to set up the PiHole instance in the first place, and that server also happens to be the most important one and is my main NAS.

I never went on any particularly shady websites, but I also don't remember exactly which websites I've been on as root, though I do seem to remember seeing ads during the initial pihole setup, because it didn't go very smoothly and I was searching up error messages trying to get it to work.

This is definitely on me, but it never crossed my mind until recently that it might be a bad idea to use a browser as root, and searching online everyone just states the general cybersecurity doctrine to never do it (which I'm now realizing I shouldn't have) but no one seems to be discussing how risky it actually is. Shouldn't Firefox be sandboxing every website and not allowing anything to access the base system? Between "just stop doing it" and "you have to reinstall the OS right now there's probably already a virus on there," how much danger do you suppose I'm in? I'm mainly worried about the security/privacy of my personal data I have stored on the servers. All my servers run Fedora KDE Spin and have Intel processors if that makes a difference?

(page 2) 40 comments
sorted by: hot top controversial new old
[-] 0xtero@beehaw.org 2 points 10 months ago* (last edited 10 months ago)

I regularly remote into in order to manage, usually logged into KDE Plasma as root. Usually they just have several command line windows and a file manager open (I personally just find it more convenient to use the command line from a remote desktop instead of directly SSH-ing into the system)

I'm not going to judge you (too much), it's your system, but that's unnecessarily risky setup. You should never need to logon to root desktop like that, even for convenience reasons.

I hope this is done over VPN and that you have 2FA configured on the VPN endpoint? Please don't tell me it's just portforward directly to a VNC running on the servers or something similar because then you have bigger problems than just random 'oops'.

I do also remember using the browser in my main server to figure out how to set up the PiHole

To be honest, you're most probably OK - malicious ad campaigns are normally not running 24/7 globally. Chances of you randomly tumbling into a malicious drive-by exploit are quite small (normally they redirect you to install fake addons/updates etc), but of course its hard to tell because you don't remember what sites you visited. Since most of this has gone through PiHole filters, I'd say there's even smaller chance to get insta-pwned.

But have a look at browser history on the affected root accounts, the sites along with timestamps should be there. You can also examine your system logs and correlate events to your browser history, look for weird login events or anything that doesn't look like "normal usage". You can set up some network monitoring stuff (like SecurityOnion) on your routers SPAN, if you're really paranoid and try to see if there's any anomalous connections when you're not using the system. You could also consider setting up ClamAV and doing a scan.

You're probably OK and that's just paranoia.

But... having mentioned paranoia... now you'll always have that nagging lack of trust in your system that won't go away. I can't speak to how you deal with that, because it's all about your own risk appetite and threat model.

Since these are home systems the potential monetary damage from downtime and re-install isn't huge, so personally I'd just take the hit and wipe/reinstall. I'd learn from my mistakes and build it all up again with better routines and hygiene. But that's what I'd do. You might choose to do something else and that might be OK too.

[-] HiddenLayer5@lemmy.ml 0 points 10 months ago

I hope this is done over VPN and that you have 2FA configured on the VPN endpoint? Please don’t tell me it’s just portforward directly to a VNC running on the servers or something similar because then you have bigger problems than just random ‘oops’.

I have never accessed any of my servers from the internet and haven't even adjusted my router firewall settings to allow this. I kept wanting to but never got around to it.

Since these are home systems the potential monetary damage from downtime and re-install isn’t huge, so personally I’d just take the hit and wipe/reinstall. I’d learn from my mistakes and build it all up again with better routines and hygiene. But that’s what I’d do.

Yeah this and other comments have convinced me to reinstall and start from scratch. Will be super annoying to set everything back up but I am indeed paranoid.

[-] amju_wolf@pawb.social 1 points 10 months ago

I have never accessed any of my servers from the internet and haven’t even adjusted my router firewall settings to allow this. I kept wanting to but never got around to it.

Does that mean you realistically don't even know your network (router) setup? Because it's entirely possible your machine is completely open to the internet - say, thanks to IPv6 autoconfiguration - and you wouldn't even know about it.

It's pretty unlikely but could potentially happen with some ISPs. Please always set up a firewall, especially for a server type machine. It's really simple to block incoming outside traffic.

[-] HiddenLayer5@lemmy.ml 1 points 10 months ago* (last edited 10 months ago)

Huh. I never even thought of that. I use my ISP's router in bridge mode and have my own router running on mostly default settings, IIRC the only thing I explicitly changed was to have it forward DNS requests to my Pihole. I should inspect the settings more closely or as you said just configure the server to block the relevant ports from outside the LAN. Thank you.

[-] amju_wolf@pawb.social 2 points 10 months ago

Oh if you even have your own router then have a firewall (primarily) there, and simply block every incoming forward connection except the ones you actually want (probably forwarded to your server). Similarly even for the router input rules you likely need only ICMP and not much else.

[-] rufus@discuss.tchncs.de 1 points 10 months ago* (last edited 10 months ago)

Yes. Running anything as root is potentially dangerous. And a browser is a complex and big piece of software with many security issues that can be (potentially) triggered remotely. So it's bad because of two reasons.

Btw a desktop environment also is a complex and big piece of software with potential issues. Running the whole desktop as root is another thing you wouldn't do for extra security.

The proper way is to just create a user account and run the desktop and browser as a user. Open a terminal and 'su' or 'sudo' to limit root rights to the operations that actually need those permissions.

Just running everything as root certainly works. But you do away with all the extra layers of security and end up with something as secure as MS-DOS or a Windows in the 90s or early 2000s.

[-] billwashere@lemmy.world -2 points 10 months ago

No if you leave it running and don’t use it.

[-] danielfgom@lemmy.world -3 points 10 months ago

It should be ok because nothing will run on your system without a permission prompt at least. So they that should ring some bells of system is asking for your password when you didn't try to install anything.

But best practice would be log in as a regular user and use sudo to do any admin tasks.

[-] tslnox@reddthat.com 1 points 10 months ago

Damn, you are so lucky that the downvotes are disabled or you would be downvoted to Oblivion.

[-] danielfgom@lemmy.world 2 points 10 months ago

Honestly friend I don't give a rats ass about up or down votes. I'm just here to read, learn and converse. Some things I'll get right, some I'll get wrong. That's life.

I could stop using this tomorrow and it would make zero difference to my life, know what I mean? It's just some site. My real life is something altogether different.

load more comments (3 replies)
load more comments
view more: ‹ prev next ›
this post was submitted on 03 Jan 2024
81 points (85.2% liked)

Linux

48349 readers
468 users here now

From Wikipedia, the free encyclopedia

Linux is a family of open source Unix-like operating systems based on the Linux kernel, an operating system kernel first released on September 17, 1991 by Linus Torvalds. Linux is typically packaged in a Linux distribution (or distro for short).

Distributions include the Linux kernel and supporting system software and libraries, many of which are provided by the GNU Project. Many Linux distributions use the word "Linux" in their name, but the Free Software Foundation uses the name GNU/Linux to emphasize the importance of GNU software, causing some controversy.

Rules

Related Communities

Community icon by Alpár-Etele Méder, licensed under CC BY 3.0

founded 5 years ago
MODERATORS