I would like to give EndeavourOS a try but I’m worried about shooting myself in the foot.
Basically I don’t know enough about security and how computer networks work to be able to judge if a set up is good, so with any computer I use I have to trust that there are sane defaults set up. (Yes, learning would be great but due to the great number of unknowns and unknown unknowns and the risk it is a a topic I would always defer to experts on.)
That’s why in the past I chose not to use arch. At some point in the install you get to the part where you have to configure things like IPtables and that wiki page just branches off into so many things that all seem important that I didn’t think I should be judging if my configuration is good.
Since Endeavour does do a little bit more hand holding than arch I’m hoping this won’t be an issue here more than on any other OS, i.e. there is a safe and sane default set up.
Is that a fair assumption?
Yes, that sounds reasonable. Getting into more detail here, as e.g. firewalld comes pre-configured and ready-to-use with an install of EnOS. A few more details could be gathered from the EnOS-Wiki: https://discovery.endeavouros.com/?s=security
“Security” and “privacy”, both are very complex issues, which cannot be explained, nor handled on a most general level. If you like to know more about them, I suggest you install a system to your liking first, and then get deeper into these topics by querying the web, and asking around here on the forum.
EndeavourOS ships with a firewall(firewalld) that blocks all incoming connections by default.
There are also minimal network services started by default.
The problem is what is considered “safe and sane” is entirely subjective. One person’s “safe” is another person’s too locked down to be usable and vice-versa.
If you like to know more about them, I suggest you install a
system to your liking first, and then get deeper into these topics by
querying the web, and asking around here on the forum.
That’s always the plan with any computer related topic.
The problem is what is considered “safe and sane” is entirely
subjective
Sure “sane” is hyperbolic anyway, but it just means something reasonable. Like the firewall you mentioned, anyone who needs to allow incoming connections probably knows it and if not will figure it out soon because something doesn’t connect. On the other hand many people who don’t need that might either now know if they need it or even that it’s a thing, and on top of that they won’t run into it in their normal usage. So blocking incoming connections by default is safe and sane.
Out of the box EOS and arch are really safe, no unnecessary services(ssh, samba, rdp) are running which could give access over the network. Also, usually you don’t really need to think about firewalls if you are behind a router. Do you plan running anything that will listen to incoming network requests? If yes, only then you should start thinking about a firewall, especcially if you expose that listening port to the internet.
Otherwise you’re safe just don’t run any unknown commands under root and keep your system updated.
This is not really true in the modern world. If you only have a single device in your network, then a network router/firewall will provide sufficient protection. However, that is rarely the case in the modern world.
Because most environments have lots of devices inside the network, you need local firewalls enabled to protect against attacks from inside the network which is how a significant percentage of network compromises actually happen these days.
There is no single answer about how to implement security but for the vast majority of typical home use cases, a local firewall is absolutely essential to good security.
Do you plan running anything that will listen to incoming network. requests? If yes, only then you should start thinking about a
firewall, especcially if you expose that listening port to the
internet.
I plan to use ssh on my home LAN as well as syncthing and qbitorrent. Not sure about the latter 2, but I think they listen for
incoming requests.
Also at least of the machines will be used on public wifis, so if a firewall is the only thing stopping incoming connections I’d definitely want one.
Look into setting up a zero-trust tunnel. Traditional VPNs are antiquated, and unless you’re bothering to use encryption keys for authentication, you can’t beat the security control of a zero-trust tunnel setup. Check this out: the END of VPNs?! - YouTube
An up-to-date network gateway firewall is essential, but every device behind your firewall should have security measures in place. I love the affordability of my AIO printer. I HATE the fact it runs some generic, swiss-cheese web server that could be recruited to a botnet or something because THOSE type of vendors ARE NOT the “security first” type lol
Implementing firewall measures on your desktop is definitely prudent. If you can do it, a VPN service (whether commercial product or roll your own with a Linode VPS) is definitely beneficial at the very least to scramble the data collection algorithms we don’t get paid for at least a little lol. Be careful with VPN’s if gaming though, many companies have been cracking down on known VPN IP blocks and banning players for… well, security concerns, ironically enough lol!
