If you start Puppy from CD-ROM (or from a CD-image on your harddrive, see chapter 4.3) no potentially harmful programs can install on your computer. With every reboot all potential malware is gone.
However you are not wholly protected against malware while you are online, because (in theory) malware can be installed on your computer and can be active until the next reboot. That is why you should always run a firewall (see chapter 5). Besides you can store checksums of all your files (see chapter 11.4) to make sure, no one has manipulated your files.
In contrast to most other Linux distributions Puppy does not differentiate between a normal user and the administrator root. Rather you always works as root, which simplifies the use of Puppy. The question arises if it is unsecure to work as root and to have full access to all files, programs and data.
For the normal home user, there are no special risks compared to other Linux distributions. On the contrary, Puppy is probably a bit safer than many other distributions.
First let’s analyze the risk of a distribution, which differentiates between user and root. The user works as a normal user, who does not have privileges to write/delete programs and system files. An intruder can compromise only the user’s files. However the intruder has an entrance to the system and can try to gain root-privileges (find the password file, use exploits to transfer malware code and so on), and afterwards try to get access to all files.
As long as Puppy starts from CD-ROM (and is not installed on the harddrive) the program-files and system-files are secure. Everytime you reboot any malware programs, which an intruder could have left, are gone. Of course your own files stored into the pup_save.3fs-file or on a harddrive can be compromised by an intruder, but this can happen to the normal user of another Linux-distribution as well. If you want to be safe from intrusion, store checksums of all files and backup your files regulary (see chapters 9 and 11.4).
The firewall (see chapter 5) should always be active. You can configure which ports are open to the Internet. Ideally all ports are closed. You should open only the ports you need to use. If you need some ports occasionally, keep the ports closed when not in use.
An open port is normally not risky in itself. Only if a server-program (called daemon) runs on your computer and waits at the port for inquiries, can it become dangerous. Therefore no daemons should run on your PC unless required.
The following instruction shows which ports are open and which daemons run:
nmap localhost
Now you see the opened ports. If you are running Puppy at home without a home-network all ports should be closed.
netstat -anp --ip
Now you see the running daemons. If you are running Puppy at home no daemons should run.
If you want to scan your files or a Windows computer you can use F-Prot virus scanner. You can download the program from the Forum. After you have downloaded and installed the program open a shell and enter the following command while you are still online.
When the virus scan has finished you can find the log-file at /root/xfprot.log.
If you want to scan another Windows computer, you can remaster Puppy (see chapter 13). Boot the Windows computer from the remastered Puppy CD (boot-option puppy pfix=ram) and scan the PC as described above.
For further improvement of your security you should store a checksum (a fingerprint) for all files. At regular intervals, but in any case before a backup, you examine the checksums of your files. If the checksums do not agree, the file was changed or deleted.
In order to compute and store the checksums, you open a shell and enter the following commands:
Create a checksum of the program md5sum. Write down the checksum.
Mount the harddrive with your files.
Create the file check1.dat with the checksums of all files.
Create a checksum of the file. Write down the checksum.
If you want to check, which files have been changed enter these commands:
Create a checksum of the program md5sum. Compare the checksum with the checksum of step (1).
Create a checksum of the file /root/check1.dat. Compare the checksum with the checksum of step (3).
Mount the harddrive with your files.
Create the file check2.dat with the actual checksums of the files.
Compare the two files check1.dat and check2.dat. The differences are written to the file diff.txt.
Create a checksum of the new check1.dat-file. Write down the checksum.
You should encrypt very sensitive files with the program bcrypt. Bcrypt uses the secure Blowfish-algorithm.
Open a shell and enter:
Then you are asked a passwort (at least eight characters long; you can abort bcrypt with "Ctrl" + "C"). Bcrypt encrypts your file and appends the extension bfe to the file. The original file is deleted automatically.
If you want to encrypt more than one file or a complete directory you should create an archive-file. Start the program "Menu | Utilities | Xarchive archiver". Afterwards you encrypt the archive-file.
Note that bcrypt deletes the original file automatically. You can't recover the file. If you don't want to delete the file start bcrypt with the option -r:
If you want to decrypt the file start bcrypt again:
Than you enter your passwort.
For further information see :