[vox-tech] Ubuntu Security Software
Bill Broadley
bill at cse.ucdavis.edu
Fri Aug 15 17:36:51 PDT 2008
Here's a list of my suggestions, none of which are particularly linux centric:
* Run something with patches. If you think patches might stop (like, say, for
Fedora) before you want to reinstall, pick an OS with longer support (like,
say, CentOS, Debian stable, or Ubuntu LTS; all 5 years AFAIK).
* Disable password logins via ssh, use a cert if you want to login remotely.
* Use a good passphrase to protect your cert.
* Only keep your private key/cert on machines you trust.
* Set a secure user and root password (not strongly word based, and no, a zero
instead of an O doesn't make a dictionary word secure). Do not type that
password anywhere else. Do not share that password with any other
machine/service that you don't trust.
* If you check email from less secure computers, use a different password
than your user/root password.
* nmap your laptop remotely. Ideally nothing but ssh would be open, or a
service that you are familiar with and you have a reason to run.
* spend the absolute minimal time as root, don't download random binaries from
random places and run them as root.
* If you build things from source in /opt/src and install them in /opt/pkg
make both of those directories owned by a system (non-root) user, then
run the ./configure;make;make install as that user.
* Use Firefox 3, read all dialogs, never type any username/password without
checking that SSL is used, the URLs look right, and Firefox is happy with
the certificate. Do NOT assume that your bank, your email account, or
related probably forgot to renew a cert, click OK, and log in anyway.
* If Firefox asks if you want to execute something from a website, say no.
* If something triggers a "please type the root/user password" dialog and you
do not know exactly what and why, and believe in both the source and the
reason, say no.
* No matter what the explanation, do not ever send your username/password
to anyone for any reason.
* Assume every machine you do not personally admin is hacked.
* If someone you don't know says that this really cool video (storm footage,
earthquakes, twin towers, embarrassing political videos, tsunamis,
aliens, or whatever) just requires you to install a binary... don't. If
the standard tools like mplayer, vlc, and friends can't play it, it's likely
not worth playing.
* Do not accept a binary from anyone you wouldn't give your social security
number and a credit card to.
* Anything you aren't positive about, run as a different user: log out, log in,
tinker with it.
* Patch when patches come out; most environments will put up a notification on
the default desktop.
* Unless your browser says you are using SSL or you are using ssh, assume
every byte that comes to/from your computer over the network is being
recorded, redirected, and maliciously changed.
* Back up the stuff you care about; I'd suggest at least /home and /etc. Keep
at least 2 copies, ideally in at least 2 places. Even rsync is fine for
this, or one of a zillion backup programs.
* Keep your laptop as physically secure as possible.
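The ssh items above (no password logins, key-based access only) can be checked against the sshd_config a machine actually loads. The script below is an added example and is not part of the original post: it reads the relevant keywords the way sshd does (first occurrence wins, comments ignored) and reports anything that still allows a password to be typed. It runs against two constructed sample files and assumes a single flat sshd_config, so the Include directive, Match blocks and the "Keyword=value" spelling are not handled.

```shell
#!/bin/sh
# Added example (not from the original post): audit an sshd_config for the
# settings that enforce key-only logins. Assumes one flat config file; the
# Include directive and Match blocks are not expanded, and the "Keyword=value"
# spelling is not handled.

# Lowercase helper: sshd keywords and yes/no values are case-insensitive.
lc() { printf '%s' "$1" | tr 'A-Z' 'a-z'; }

# sshd_value KEYWORD FILE: print the effective value of KEYWORD, or nothing if
# it is not set. sshd honours the first occurrence of a keyword, so the first
# non-comment match wins.
sshd_value() {
    awk -v key="$(lc "$1")" '
        /^[[:space:]]*#/ { next }          # skip commented-out lines
        tolower($1) == key { print $2; exit }
    ' "$2"
}

# sshd_audit FILE: print one line per weak setting; return 0 only if the file
# enforces public-key-only logins.
sshd_audit() {
    cfg=$1
    rc=0

    v=$(lc "$(sshd_value PasswordAuthentication "$cfg")")
    # sshd defaults this to yes, so an unset keyword is as weak as "yes"
    if [ "${v:-yes}" != "no" ]; then
        echo "PasswordAuthentication is '${v:-unset}' (set it to no)"; rc=1
    fi

    v=$(lc "$(sshd_value ChallengeResponseAuthentication "$cfg")")
    # keyboard-interactive auth lets PAM ask for a password even with
    # PasswordAuthentication off; it also defaults to yes
    if [ "${v:-yes}" != "no" ]; then
        echo "ChallengeResponseAuthentication is '${v:-unset}' (set it to no)"; rc=1
    fi

    v=$(lc "$(sshd_value PermitRootLogin "$cfg")")
    case "$v" in
        no|prohibit-password|without-password) ;;
        *) echo "PermitRootLogin is '${v:-unset}' (set it to no or prohibit-password)"; rc=1 ;;
    esac

    v=$(lc "$(sshd_value PubkeyAuthentication "$cfg")")
    if [ "${v:-yes}" != "yes" ]; then
        echo "PubkeyAuthentication is '$v' (set it to yes)"; rc=1
    fi
    return $rc
}

# Two constructed sample configs for the demo.
SAMPLE_DIR=$(mktemp -d)
WEAK_CFG=$SAMPLE_DIR/sshd_config.weak
GOOD_CFG=$SAMPLE_DIR/sshd_config.hardened

cat > "$WEAK_CFG" <<'EOF'
# constructed sample: looks tidy but still accepts passwords
Port 22
#PasswordAuthentication no
ChallengeResponseAuthentication yes
PermitRootLogin yes
EOF

cat > "$GOOD_CFG" <<'EOF'
# constructed sample: key-only logins, root cannot log in at all
Port 22
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
PermitRootLogin no
EOF

for cfg in "$WEAK_CFG" "$GOOD_CFG"; do
    echo "== $cfg"
    if sshd_audit "$cfg"; then
        echo "ok: key-only logins enforced"
    fi
done
```

Point sshd_audit at /etc/ssh/sshd_config (or, on current OpenSSH, at the output of `sshd -T`, which prints the fully resolved configuration) after editing, and remember that a change only takes effect once sshd is reloaded.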
If you are more paranoid:
* Install from CD
* Make sure you are behind a firewall/IP NAT/masq (not internet visible).
* patch
The above should be plenty to keep most linux users from getting hacked.
If you want to be more paranoid and learn more about a system:
* run ps, get familiar with all processes running
* read /var/log/*, get familiar with that.
* watch your network traffic lights on your dsl/cable/modem, figure out why
and what is using your network.
* run strace on existing processes
* run lsof on existing processes
* run tcpdump and watch your network connection
* run snort
* run df, or related utilities to analyze storage. Figure out how much you
use and where it is.
For the very paranoid (I don't do this):
* encrypt your disk
* Boot from trusted media, build a tripwire database, write it to write-once
media, then periodically verify that things that shouldn't change don't.