Setting up a secure environment in Linux

I’m setting up my newest secure Linux environment to run the Ywallet and Zingo wallets. If anyone wants to help me, I’ll install Debian 13 and do this:

#!/bin/bash
# =========================================================
# Minimal secure firewall for YWallet / Zingo (Global)
# =========================================================
# This script configures firewalld to:
# 1. Block all traffic by default
# 2. Allow only essential services for YWallet / Zingo
#    - HTTPS (443 TCP)
#    - DNS (53 TCP/UDP)
#    - NTP (123 UDP)
# 3. Block all IPv6 traffic
# 4. No HTTP (80 TCP) is allowed for maximum security
# =========================================================
# Note on what these rules do: a firewalld zone filters incoming
# connections. Adding the https/dns/ntp services therefore opens inbound
# ports 443, 53 and 123 on this host; the wallet's own outgoing
# connections are not restricted by zone rules.

echo "Starting global secure firewall configuration for YWallet/Zingo..."

# -------------------------------
# Enable firewalld and start it
# -------------------------------
sudo systemctl enable --now firewalld
echo "Firewalld is now active."

# -------------------------------
# Set default zone to DROP (block everything by default)
# -------------------------------
# --set-default-zone changes both the runtime and the permanent configuration
sudo firewall-cmd --set-default-zone=drop
echo "Default zone set to DROP (all traffic blocked by default)."

# -------------------------------
# Allow essential services
# -------------------------------
# Allow HTTPS (secure web communication)
sudo firewall-cmd --zone=drop --add-service=https --permanent
# Allow DNS (resolve domain names)
sudo firewall-cmd --zone=drop --add-service=dns --permanent
# Allow NTP (time synchronization)
sudo firewall-cmd --zone=drop --add-service=ntp --permanent
echo "Essential services allowed: HTTPS, DNS, NTP."

# -------------------------------
# Configure NTP for global servers
# -------------------------------
# Allow UDP port 123 from any IPv4 address (the ntp service above already
# covers 123/udp; this rich rule restates it explicitly for IPv4 only)
sudo firewall-cmd --zone=drop --permanent \
    --add-rich-rule='rule family="ipv4" source address="0.0.0.0/0" port port="123" protocol="udp" accept'
echo "NTP allowed for global servers."

# -------------------------------
# Block IPv6 completely
# -------------------------------
# dhcpv6-client is not enabled in the drop zone by default; if it is already
# absent, firewall-cmd only reports a NOT_ENABLED warning
sudo firewall-cmd --zone=drop --remove-service=dhcpv6-client --permanent
sudo firewall-cmd --zone=drop --permanent --add-rich-rule='rule family="ipv6" drop'
echo "All IPv6 traffic blocked."

# -------------------------------
# Apply all changes
# -------------------------------
sudo firewall-cmd --reload
echo "Firewall configuration applied successfully!"

# -------------------------------
# Show current status
# -------------------------------
echo "======================"
echo "Current firewalld configuration:"
sudo firewall-cmd --list-all
echo "======================"
echo "Firewall is now ready for secure global use with YWallet and Zingo!"

1 Like
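A check to go with the firewall script above, added here as an example and not part of the original post: it audits the text of `firewall-cmd --list-all` against the policy the script intends (target DROP, only the dns/https/ntp services, no extra ports, the IPv6 drop rich rule present). The two listings are constructed samples in firewalld's output format, one matching the script and one that has drifted; on the real host you would feed the function `sudo firewall-cmd --list-all` instead. The `field`, `audit_zone` and `audit_findings` names are this example's own.

```shell
#!/bin/sh
# Added example (not from the original post): audit a firewalld zone listing
# against the policy the setup script intends.
set -u

# Inbound services the script deliberately allows; anything else is a finding.
ALLOWED_SERVICES="dns https ntp"

# Constructed sample of `firewall-cmd --list-all` on a host where the script
# was applied (format mirrors firewalld's output; interface name is made up).
EXPECTED_LISTING='drop (active)
  target: DROP
  icmp-block-inversion: no
  interfaces: enp1s0
  sources:
  services: dns https ntp
  ports:
  protocols:
  forward: yes
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
        rule family="ipv4" source address="0.0.0.0/0" port port="123" protocol="udp" accept
        rule family="ipv6" drop'

# Constructed sample of a zone that drifted after setup: ssh and an extra port
# were added and the IPv6 drop rule is gone.
DRIFTED_LISTING='drop (active)
  target: DROP
  icmp-block-inversion: no
  interfaces: enp1s0
  sources:
  services: dns https ntp ssh
  ports: 8080/tcp
  protocols:
  forward: yes
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
        rule family="ipv4" source address="0.0.0.0/0" port port="123" protocol="udp" accept'

# field <listing> <key>: value of the "  key: ..." line, empty if absent or blank
field() {
    printf '%s\n' "$1" | awk -v key="$2:" '$1 == key { $1 = ""; sub(/^ +/, ""); print; exit }'
}

# audit_zone <listing>: print one FINDING line per deviation; return 0 only if clean
audit_zone() {
    local listing rc target services ports svc
    listing=$1
    rc=0
    target=$(field "$listing" target)
    services=$(field "$listing" services)
    ports=$(field "$listing" ports)

    if [ "$target" != "DROP" ]; then
        echo "FINDING: zone target is '$target', expected DROP"
        rc=1
    fi
    for svc in $services; do
        case " $ALLOWED_SERVICES " in
            *" $svc "*) ;;
            *) echo "FINDING: inbound service '$svc' is not in the allowlist"; rc=1 ;;
        esac
    done
    if [ -n "$ports" ]; then
        echo "FINDING: extra inbound ports open: $ports"
        rc=1
    fi
    if ! printf '%s\n' "$listing" | grep -q 'rule family="ipv6" drop'; then
        echo "FINDING: IPv6 drop rich rule is missing"
        rc=1
    fi
    return $rc
}

# audit_findings <listing>: number of findings, for scripting
audit_findings() { audit_zone "$1" | grep -c '^FINDING:'; }

# Demo on the constructed samples
audit_zone "$EXPECTED_LISTING" && echo "expected listing: clean"
audit_zone "$DRIFTED_LISTING" || echo "drifted listing: $(audit_findings "$DRIFTED_LISTING") finding(s)"
```

Running this from cron or after every `firewall-cmd --reload` turns the script's one-time setup into something you can re-check; a non-zero exit means the zone no longer matches what was intended.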

#!/bin/bash
# =========================================================
# Initial VM setup for secure graphical application
# =========================================================
# This script sets up:
# 1. Firewalld with minimal essential services (HTTPS, DNS, NTP)
# 2. Docker environment for isolated graphical applications
# 3. Builds a Docker container for your application
# =========================================================
set -euo pipefail

APP_NAME="application"               # Name of your application
APP_PATH="$HOME/isolado/$APP_NAME"   # Path to your executable
CONTAINER_NAME="app_$APP_NAME"       # Docker image/container name

echo "Starting initial VM setup for $APP_NAME..."

# -------------------------------
# 1. Configure firewalld for security
# -------------------------------
echo "Configuring firewalld..."
sudo systemctl enable --now firewalld
sudo firewall-cmd --set-default-zone=drop

# Allow only essential services: HTTPS, DNS, NTP (these are inbound
# allowances; zone rules do not restrict the VM's outgoing connections)
sudo firewall-cmd --zone=drop --add-service=https --permanent
sudo firewall-cmd --zone=drop --add-service=dns --permanent
sudo firewall-cmd --zone=drop --add-service=ntp --permanent

# Allow NTP globally for IPv4
sudo firewall-cmd --zone=drop --permanent \
    --add-rich-rule='rule family="ipv4" source address="0.0.0.0/0" port port="123" protocol="udp" accept'

# Block all IPv6 traffic (dhcpv6-client is not in the drop zone by default,
# so the removal may only produce a NOT_ENABLED warning)
sudo firewall-cmd --zone=drop --remove-service=dhcpv6-client --permanent || true
sudo firewall-cmd --zone=drop --permanent --add-rich-rule='rule family="ipv6" drop'

# Reload firewall rules
sudo firewall-cmd --reload
echo "Firewalld configured successfully."

# -------------------------------
# 2. Install Docker and graphical dependencies
# -------------------------------
echo "Installing Docker and graphical libraries..."
sudo apt-get update && sudo apt-get upgrade -y
# libgl1 replaces the old transitional libgl1-mesa-glx package, which no
# longer exists in current Debian/Ubuntu releases
sudo apt-get install -y docker.io x11-apps libgtk-3-0 libgl1
sudo systemctl enable --now docker

# -------------------------------
# 3. Create Docker container for the application
# -------------------------------
echo "Creating Docker container for $APP_NAME..."
DOCKER_DIR="$HOME/docker_$APP_NAME"
mkdir -p "$DOCKER_DIR"
cp "$APP_PATH" "$DOCKER_DIR/$APP_NAME"

# Write the Dockerfile (unquoted EOF so $APP_NAME is expanded by the shell)
cat > "$DOCKER_DIR/Dockerfile" <<EOF
FROM ubuntu:24.04
ENV DEBIAN_FRONTEND=noninteractive
RUN apt-get update && apt-get install -y --no-install-recommends x11-apps libgtk-3-0 libgl1 && rm -rf /var/lib/apt/lists/*
RUN useradd -m appuser
# COPY writes files as root regardless of USER, so copy with --chown and
# chmod before dropping privileges (chmod as appuser on a root-owned file fails)
COPY --chown=appuser:appuser $APP_NAME /home/appuser/$APP_NAME
RUN chmod +x /home/appuser/$APP_NAME
USER appuser
WORKDIR /home/appuser
CMD ["./$APP_NAME"]
EOF

# docker.io does not add the current user to the docker group, so build via sudo
sudo docker build -t "$CONTAINER_NAME" "$DOCKER_DIR"
echo "Docker container $CONTAINER_NAME ready for use!"
echo "Initial VM setup completed successfully."

#!/bin/bash
# =========================================================
# Host script to launch the graphical application
# =========================================================
# This script:
# 1. Starts the VM if it is not running
# 2. Executes the Docker container inside the VM
# 3. Opens the application directly on your desktop
# =========================================================
set -euo pipefail

VM_NAME="vm_application"         # Name of the VM
APP_CONTAINER="app_application"  # Docker image name built inside the VM
VM_USER="user_vm"                # Replace with your VM username

# Stop early if libvirt does not know this VM (exact name match)
if ! virsh list --all --name | grep -qx "$VM_NAME"; then
    echo "VM $VM_NAME not found. Check 'virsh list --all'."
    exit 1
fi

echo "Starting VM $VM_NAME if not already running..."
VM_STATE=$(virsh domstate "$VM_NAME")
if [ "$VM_STATE" != "running" ]; then
    virsh start "$VM_NAME"
    echo "VM $VM_NAME started. Waiting for boot..."
    sleep 20  # Adjust depending on VM boot time
fi

# Get VM IP address: first IPv4 address libvirt reports for the guest.
# '|| true' keeps set -e/pipefail from aborting before the message below.
VM_IP=$(virsh domifaddr "$VM_NAME" | grep -oP '\d+\.\d+\.\d+\.\d+' | head -n 1 || true)
if [ -z "$VM_IP" ]; then
    echo "Unable to detect VM IP. Make sure the VM network is configured."
    exit 1
fi

echo "Launching application container inside VM..."
# accept-new stores the VM's host key on first use and rejects a changed key
# afterwards; StrictHostKeyChecking=no would accept any key every time.
# Inside the VM:
#   - xhost +local:docker lets local (non-network) clients, including the
#     container, talk to the X server
#   - --network none gives the container no network at all (a wallet that
#     syncs over HTTPS cannot do so with this setting)
#   - DISPLAY=:0 with the X socket mounted shows the window on the VM's own
#     display; nothing is forwarded to the host desktop here
ssh -o StrictHostKeyChecking=accept-new "$VM_USER@$VM_IP" \
    "export DISPLAY=:0; xhost +local:docker; docker run --rm --network none -e DISPLAY=\$DISPLAY -v /tmp/.X11-unix:/tmp/.X11-unix $APP_CONTAINER"
echo "Application launched successfully!"

1 Like
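Two helpers for the host launch script above, added here as an example and not part of the original post: `vm_ipv4` extracts the first IPv4 address from `virsh domifaddr` output (handling the case where an IPv6 link-local address is listed first, or no lease exists yet), and `wait_for_ip` polls for it instead of relying on a fixed `sleep 20`. The three `domifaddr` outputs are constructed samples in virsh's table format, and `fake_domifaddr` is a stand-in for the real `virsh domifaddr "$VM_NAME"` call so the example runs without libvirt; all function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the original post): find the VM's IPv4 address from
# `virsh domifaddr` output and poll for it instead of a fixed sleep.
set -u

# vm_ipv4 <domifaddr-output>: print the first IPv4 address without its prefix
# length; return 1 when the guest has not reported one yet.
vm_ipv4() {
    printf '%s\n' "$1" | awk '
        $3 == "ipv4" { sub(/\/.*/, "", $4); print $4; found = 1; exit }
        END { if (found) exit 0; exit 1 }'
}

# wait_for_ip <attempts> <delay-seconds> <command...>: run <command...>
# (normally: virsh domifaddr "$VM_NAME") until vm_ipv4 finds an address or
# the attempts run out; print the address, return 1 on timeout.
wait_for_ip() {
    local attempts delay i ip
    attempts=$1
    delay=$2
    shift 2
    i=0
    while [ "$i" -lt "$attempts" ]; do
        if ip=$(vm_ipv4 "$("$@")"); then
            printf '%s\n' "$ip"
            return 0
        fi
        i=$((i + 1))
        sleep "$delay"
    done
    return 1
}

# Constructed samples of `virsh domifaddr` output: no lease yet, an IPv6
# link-local address listed before the IPv4 lease, and a single IPv4 lease.
NO_LEASE_YET=' Name       MAC address          Protocol     Address
-------------------------------------------------------------------------------'
READY_V6_FIRST=' Name       MAC address          Protocol     Address
-------------------------------------------------------------------------------
 vnet0      52:54:00:ab:cd:ef    ipv6         fe80::5054:ff:feab:cdef/64
 -          -                    ipv4         192.168.122.45/24'
READY=' Name       MAC address          Protocol     Address
-------------------------------------------------------------------------------
 vnet0      52:54:00:ab:cd:ef    ipv4         192.168.122.45/24'

# Stand-in for "virsh domifaddr": reports no lease on the first two calls.
# A file holds the call counter because wait_for_ip runs the command in a
# subshell, where a shell variable would not persist.
FAKE_STATE=$(mktemp)
fake_domifaddr() {
    echo call >> "$FAKE_STATE"
    if [ "$(grep -c . "$FAKE_STATE")" -lt 3 ]; then
        printf '%s\n' "$NO_LEASE_YET"
    else
        printf '%s\n' "$READY"
    fi
}
reset_fake() { : > "$FAKE_STATE"; }

# Demo: the launch script would use  wait_for_ip 30 2 virsh domifaddr "$VM_NAME"
reset_fake
if ip=$(wait_for_ip 5 0 fake_domifaddr); then
    echo "VM reachable at $ip after $(grep -c . "$FAKE_STATE") polls"
fi
```

In the launch script, `VM_IP=$(wait_for_ip 30 2 virsh domifaddr "$VM_NAME") || exit 1` replaces both the fixed sleep and the unchecked grep: the script proceeds as soon as the guest has a lease and fails cleanly if it never gets one.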

I set it up with ChatGPT, which made it more complex: a Docker container inside a VM running the wallet, knowing that the main machine will have firewalld configured. I believe that to provide a little more security it will be necessary to use a dedicated hardware firewall.

I haven’t tested it yet. I’m going to mount everything on an old hard drive and a test PC. By the end of the month, I’ll try to create this environment on Linux. Does anyone think there’s something wrong with the code or logic? Does anyone want to contribute new ideas or improvements to the script? I’m thinking about creating a GitHub.

1 Like