10 Things to do after installing MX

[thomasl]

One thing that needs to be done as of early- to mid-2020 is to run MX Repo Manager from the main menu and change your MX mirror to one of these:

• Italy, Milan - http://it.mxrepo.com
• Netherlands, Alblasserdam - http://nl.mxrepo.com
• United States, Los Angeles CA - http://la.mxrepo.com
• United States, Salt Lake City UT - http://mxrepo.com

These are MX's own mirrors. The others are voluntarily run by various third parties and many of them appear to have been neglected since early 2020 and are no longer working properly. Then click Apply and run

Code: Select all

sudo apt update

in a terminal to load the new mirror's package list.

(Lots of people still have broken package mirrors so this is why I'm posting this.)

Perhaps this hint should be a sticky somewhere.

Additionally, there is a button in MX Repo Manager, tab MX Repos>>Select fastest MX repo for me. This will indeed select a very fast mirror... but unfortunately often one that is severely out of date. I have run into problems with that a few times and have finally settled on http://mxrepo.com, ignoring faster but possibly not fully updated mirrors. Perhaps this button should either carry a health warning or perhaps even be removed altogether?

[Eadwine Rose]

Why didn't you just make a new thread. Then this one would have dropped away.

[thomasl]

Why didn't you just make a new thread. Then this one would have dropped away.

Because JayM posted his warning here as well (ie he posted before I did). I can of course create a new thread but as JayM had already written what he wrote I saw no reason for that.

[hkjz]

MX has no firewall protection by default (??), so it is necessary to use not really working well default ufw-firewall, or use executable iptables script such as

Code: Select all

#!/bin/bash
#
# iptables firewall script, 
# sources so far
# https://www.rosehosting.com
# https://restoreprivacy.com/anonymity-networks/
# https://help.ubuntu.com/community/IptablesHowTo

IPTABLES=/sbin/iptables
BLACKLIST=/etc/blacklist.ips

echo " "
echo " == START == "
echo " * flushing old rules"
${IPTABLES} --flush
${IPTABLES} --delete-chain
${IPTABLES} --table nat --flush
${IPTABLES} --table nat --delete-chain

echo " * setting default policies: D/D/A"
${IPTABLES} -P INPUT DROP
${IPTABLES} -P FORWARD DROP
${IPTABLES} -P OUTPUT ACCEPT

echo " "
echo " == INPUT =="
echo " * allowing loopback devices"
${IPTABLES} -A INPUT -i lo -j ACCEPT

echo " * filter rules to match based on connection state: "
echo "    Accept already established AND new, but related to another connection already permitted."
${IPTABLES} -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

echo " # DROP everything else and Log it"
echo "      log is at : /var/log/kern.log"
${IPTABLES} -A INPUT -j LOG
${IPTABLES} -A INPUT -j DROP

echo " "
echo " == FORWARD =="
#${IPTABLES} -A FORWARD -j DROP
echo " # DROP all"

echo " "
echo " == OUTPUT =="
echo " * allowing loopback devices"
${IPTABLES} -A OUTPUT -o lo -j ACCEPT
# iptables -A OUTPUT -i lo -s 127.0.0.1/8 -d 127.0.0.1/8 -j ACCEPT

echo " * filter rules to match based on connection state: "
echo "   Accept already established only"
${IPTABLES} -A OUTPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT

echo " # ACCEPT everything else (till you figgure out proper DROP rule)"
${IPTABLES} -A OUTPUT -j ACCEPT

## BLOCK ABUSING IPs HERE ##
#echo " * BLACKLIST"
#${IPTABLES} -A INPUT -s _ABUSIVE_IP_ -j DROP
#${IPTABLES} -A INPUT -s _ABUSIVE_IP2_ -j DROP

#
# Block abusing IPs 
# from ${BLACKLIST}
# For blacklisting addresses use 'ipset', it's much easier to add/remove addresses from a set rather than manipulating iptables. It's also more efficient and you'll only need 1 rule which simplifies management

if [[ -f "${BLACKLIST}" ]] && [[ -s "${BLACKLIST}" ]]; then
    echo " * BLOCKING ABUSIVE IPs"
    while read IP; do
        ${IPTABLES} -I INPUT -s "${IP}" -j DROP
    done < <(cat "${BLACKLIST}")
fi

iptables-save > /etc/iptables/rules.v4

#
# Save settings
#
echo ""
echo " * SAVING RULES"

if [[ -d /etc/network/if-pre-up.d ]]; then
    if [[ ! -f /etc/network/if-pre-up.d/iptables ]]; then
        echo -e "#!/bin/bash" > /etc/network/if-pre-up.d/iptables
        echo -e "test -e /etc/iptables.rules && iptables-restore -c /etc/iptables.rules" >> /etc/network/if-pre-up.d/iptables
        chmod +x /etc/network/if-pre-up.d/iptables
    fi
fi

echo ""
echo " * Saving using iptables-persistent "
echo "   if this is new install and error occures do : "
echo "   sudo apt-get update && sudo apt install iptables-persistent -y"

iptables-save > /etc/iptables/rules.v4
iptables-restore -c < /etc/iptables/rules.v4


echo ""
echo " == HINT =="
echo " to watch in real time use:"
echo " sudo watch -d -n 2 --interval 0 'iptables -nvL | grep -v "0 0"' "
echo ""
echo " End of Script"

Considering IPv6, if you have nothing to do with it, copy

Code: Select all

# nano /etc/iptables/rules.v6
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
COMMIT

and paste to
`sudo nano /etc/iptables/rules.v6`
afterwards run in terminal

Code: Select all

sudo ip6tables-restore < /etc/iptables/rules.v6

[oops]

... For me , I also install timeshift (for a backup of the system in an other disk or partition, if needed)
(and rsync and grsync for some users data)

@hkjz "... Considering IPv6, if you have nothing to do with it, copy ..."

Or simply, via mx-boot-options, add the parameter: " ipv6.disable=1 " so usually "ipv6.disable=1 quiet"

[oops]

see here for more kernel parameters:
ex: For kernel 5.10:
https://www.kernel.org/doc/html/v5.10/a ... eters.html
or ex 4.19:
https://www.kernel.org/doc/html/v4.19/a ... eters.html

[SwampRabbit]

MX has no firewall protection by default (??), so it is necessary to use not really working well default ufw-firewall, or use executable iptables script such as

Ask yourself:

Does Debian, Ubuntu, Mint, etc, etc have a fired wall enabled?

Why is it “really” necessary?
Sure if you are connecting to public wifi, but in that case you should be using a VPN too.

What services are actually talking out outbound to the internet on a default MX install?
DNS, NTP, HTTP/S?

Users shouldn’t mess around with iptables unless they fully know what they are doing. They could easily make very very weak iptables chains or have to be non-stop trying to figure out why they can’t print or something by copying and pasting from internet sources.

If someone wants the firewall enabled, open GUFW up leave it on Home profile if they are at home behind their router and hit “Enable”... DONE.
If they are on public internet then choose the Public profile.
It’s really that simple and GUFW is installed by default exactly for this.

[radonrose]

One thing that needs to be done as of early- to mid-2020 is to run MX Repo Manager from the main menu and change your MX mirror to one of these:

• Italy, Milan - http://it.mxrepo.com
• Netherlands, Alblasserdam - http://nl.mxrepo.com
• United States, Los Angeles CA - http://la.mxrepo.com
• United States, Salt Lake City UT - http://mxrepo.com

These are MX's own mirrors. The others are voluntarily run by various third parties and many of them appear to have been neglected since early 2020 and are no longer working properly. Then click Apply and run

Code: Select all

sudo apt update

in a terminal to load the new mirror's package list.

(Lots of people still have broken package mirrors so this is why I'm posting this.)

I've changed from Utah to Athens a few days ago. Thanks for posting this. I've now switched to Milan based on ping, and thankfully nothing is marked for update.

As for the "10 things to do", I've stopped doing this in 2018. I prefer setting up stuff as soon as I need them, unless I know I'm going to be somewhere without a good internet connection. Less chances of bloating my system. It just so happens that for the past nine years the first things are always the same: GIMP, a C++ IDE, and some way to play Real Bout Fatal Fury.

[hkjz]

MX has no firewall protection by default (??), so it is necessary to use not really working well default ufw-firewall, or use executable iptables script such as

Ask yourself:

Does Debian, Ubuntu, Mint, etc, etc have a fired wall enabled?

Why is it “really” necessary?
Sure if you are connecting to public wifi, but in that case you should be using a VPN too.

What services are actually talking out outbound to the internet on a default MX install?
DNS, NTP, HTTP/S?

Users shouldn’t mess around with iptables unless they fully know what they are doing. They could easily make very very weak iptables chains or have to be non-stop trying to figure out why they can’t print or something by copying and pasting from internet sources.

If someone wants the firewall enabled, open GUFW up leave it on Home profile if they are at home behind their router and hit “Enable”... DONE.
If they are on public internet then choose the Public profile.
It’s really that simple and GUFW is installed by default exactly for this.

I am addressing you here as a professional. What are you saying - that it makes no difference whether I have the firewall turned on or not?
That there is no difference on the home network? Does it really make a difference if I'm in a coffee shop (which are closed all over the world today) or at home?
OK, coffee routers can be configured differently. They can be in a pool with other users, or each user can be on a standalone network. The provider may or may not be snooping. The network can even be cracked by third parties. But aside from internal routing issues, the Internet is the same in both places.
At home, some routers may have a firewall, sure, but what rules are there. And some routers - usually the ones that come directly from the ISP - don't have one. I wouldn't dare say that everyone has a good router.

Is there anything in the above settings that has caused the connection to drop - `oh, that's bad'. I would like to hear your opinion on this subject.

[SwampRabbit]

@hkjz i didn’t say it makes no difference whether you have it on or not, obviously there is a difference.

As far as the difference of being in a coffee shop, your firewall won’t stop someone from sniffing the traffic coming your computer to the router, you need a VPN for that. But even then that’s not 100% because technically someone could spoof the public wifi router in the coffee shop and perform attacks as soon as you get to it. Don’t need to hack the coffee shop when you CAN BE the coffee shop.

Home routers do more than just provide a basic Stateful Firewall (connection based), they also provide NAT, which (while not 100%), provides protection based on the simple fact that bad guys cannot see your computer directly, they see the router. The router has the public IP and all systems behind it have a private IP.

You also have to remember that in this day and age a lot of the internet service providers (ISP) have many protections built into their networks. You’d be surprised what an ISP (good ones at least) is blocking from getting to your computer.

We can go over all the IF, AND, BUT, MAYBE... but this isn’t a Cybersecurity or hacking forum.

The chances of someone directly hacking your home router or computer are small. It’s the automated attacks (bots, worms, etc) that are the biggest concern for most people. A average user is not a huge target for a bad guy to spend time on manually trying to bypass a random home router.

As far as my statements are concerned, don’t try to over analyze them, or pick them part.

It’s exactly why I don’t get into these conversations here, I don’t have time to discuss and cover everything under the sun.