
Few questions about hardening Fedora 27 workstation security.

asked 2018-02-21 17:48:33 -0500

jaco1

Hi, I have a number of questions in regards to securing the Fedora 27 workstation.

  1. Is it best to use the default Firewall that comes with Fedora or switch to iptables? Also, which one is more user-friendly out of these two?
  2. What would you recommend as a good AV that complements SELinux, and does not produce too many false positives? Or, is there really no need to install any AV on a workstation? I think that it would probably be a good idea since I have some TCP ports open being used by services such as TeamViewer, Spotify etc. I was thinking about closing the ports but then I am not sure I would be able to use any of those services.

What I am basically looking to find out is whether there is any need for all of them: an AV product with real-time protection that also checks for rootkits and more, a good firewall, and SELinux, which is installed already anyway, or something that can be used instead of SELinux which is equally good or better.

What additional or other security measures should I be taking with a workstation? This is what I have done and continue to do daily so far:

  • Check for software updates.
  • Made sure the firewall is enabled.
  • Using the latest version of Firefox with add-ons such as uBlock, HTTPS Everywhere, and NoScript.
  • Avoiding installing Flash.
  • Making sure that I only install packages from the software center, terminal, or that the path of the application leads back to the Fedora Project.
  • Making sure I have no open ports on my system whatsoever.

That's about it.



Thanks for your comments. I thought I was probably on the right track but wanted to clarify a few things as I saw some conflicting answers upon searching. And wanted a second opinion. Thanks.

jaco1 ( 2018-02-21 18:46:45 -0500 )

2 Answers


answered 2018-02-21 18:21:03 -0500

aeperezt

In my experience, Firewalld, which comes with Workstation, does the job and is easy to learn. SELinux does a great job blocking and alerting on undesired behavior. Seems like you are on the right path with your security policies.




I'd like to add that unless you're downloading files to be transferred to Windows machines or acting as a mail/file server for them you probably don't need any AV. Viruses, malware and trojans (oh my!) that work under Linux are rare, not just because they're more difficult to write but because there are far fewer machines to infect.

sideburns ( 2018-02-21 18:37:30 -0500 )

answered 2018-02-28 15:18:50 -0500

Aeyoun

updated 2018-02-28 17:25:54 -0500

1) FirewallD is a front-end to iptables. If you don’t like having a front-end and prefer writing your own iptables rules, then you’re of course free to do so. I do suspect that you’ll find that FirewallD covers most common use cases and simplifies management. It’s considerably easier to learn than iptables.

2A) Your best defence is an up-to-date system. You can automate updates with dnf-automatic.

2B) Antivirus doesn’t provide impenetrable protection against anything, and nothing can completely protect you from malicious software. Don’t install anything weird from untrusted sources, keep your system up to date, and be sure to leave your web browser’s malware and phishing protection enabled. If you only install from Fedora software repositories you’re likely to be fine, but do keep backing up everything and often.

2C) You can set up and use ClamAV for too-late-detection. Meaning, it can detect things that have already penetrated your system — letting you know you should delete everything and start restoring from an earlier backup. You want to back up your computer often and to multiple locations.

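An added example, not part of the original thread: one way to check the question's "no open ports" item against the TCP ports that installed services keep open. The function filters `ss -tln` output down to listeners bound to non-loopback addresses; the sample input, including its process names and port numbers, is constructed.

```shell
#!/bin/sh
# Added example: list TCP listeners that other hosts could reach.
# Reads `ss -tln` or `ss -tlnp` output on stdin and prints
# "port<TAB>address<TAB>process" for every non-loopback listener.
exposed_listeners() {
    awk '
    $1 != "LISTEN" { next }          # skip the header and non-listening rows
    {
        local_addr = $4              # columns: State Recv-Q Send-Q Local Peer [Process]
        port = local_addr
        sub(/.*:/, "", port)         # text after the last colon is the port
        addr = substr(local_addr, 1, length(local_addr) - length(port) - 1)
        sub(/%.*/, "", addr)         # drop an interface suffix such as %lo
        gsub(/[][]/, "", addr)       # drop IPv6 brackets
        if (addr ~ /^127\./ || addr == "::1") next   # loopback: local use only
        proc = ""
        if (match($0, /users:\(\("[^"]+"/))
            proc = substr($0, RSTART + 9, RLENGTH - 10)
        print port "\t" addr "\t" proc
    }' | LC_ALL=C sort -n
}

# Constructed sample in the layout `ss -tlnp` prints (not from a real host).
sample_ss_output() {
    cat <<'EOF'
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port
LISTEN  0       128           0.0.0.0:22          0.0.0.0:*     users:(("sshd",pid=901,fd=3))
LISTEN  0       5           127.0.0.1:631         0.0.0.0:*     users:(("cupsd",pid=877,fd=8))
LISTEN  0       10                  *:57621             *:*     users:(("spotify",pid=2210,fd=60))
LISTEN  0       128     127.0.0.53%lo:53          0.0.0.0:*
LISTEN  0       128              [::]:22             [::]:*     users:(("sshd",pid=901,fd=4))
LISTEN  0       5               [::1]:631            [::]:*     users:(("cupsd",pid=877,fd=7))
EOF
}

# Demo on the sample; on a live system run: sudo ss -tlnp | exposed_listeners
sample_ss_output | exposed_listeners
```

A listener that shows up here is only reachable from the network if the firewall zone also allows its port, which `firewall-cmd --list-all` shows.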
