[vox-tech] Ubuntu Security Software

Steve Weiss stevew at bbenginc.com
Tue Aug 19 20:57:12 PDT 2008


I just wanted to thank you and everyone else who replied for your many 
excellent suggestions. I understand Chris' and Alex's replies from last 
November's Installfest better now.

Steve


Bill Broadley wrote:
> Here's a list of my suggestions, none of which are particularly linux centric:
> * Run something with patches.  If you think patches might stop (like say for
>   fedora) before you want to reinstall pick an OS with longer support (like
>   say centos, debian stable, or ubuntu LTS (all 5 years afaik)).
> * Disable password logins via ssh, use a cert if you want to login remotely.
> * Use a good passphrase to protect your cert
> * Only keep your private key/cert on machines you trust.
> * Set a secure user and root password (not strongly word based, and no zero
>   instead of O doesn't make a dictionary word secure).  Do not type that
>   password anywhere else.  Do not share that password with any other
>   machine/service that you don't trust
> * if you check email from less secure computers use a different password
>   than your user/root password.
> * nmap your laptop remotely.  Ideally nothing but ssh would be open, or a
>   service that you are familiar with and you have a reason to run.
> * spend the absolute minimal time as root, don't download random binaries from
>   random places and run them as root.
> * If you build things from source in /opt/src and install them in /opt/pkg
>   make both of those directories owned by a system (non-root) user, then
>   run the ./configure;make;make install as that user.
> * Use firefox 3, read all dialogs, never type any username/password without
>   checking that SSL is used, the URLs look right, and firefox is happy with
>   the certificate.  Do NOT assume that your bank, your email account, or
>   related probably forgot to renew a cert, click ok, and login anyways.
> * If firefox asks if you want to execute something from a website, say no.
> * If something triggers a please type the root/user password dialog and you
>   do not know exactly what and why, believe in both the source and the reason
>   say no.
> * No matter what the explanation, do not ever send your username/password
>   to anyone for any reason.
> * Assume every machine you do not personally admin is hacked.
> * If someone you don't know says that this really cool video (storm footage,
>   earthquakes, twin towers, embarrassing political videos, tsunamis,
>   aliens, or whatever) just requires you to install a binary... don't.  If
>   the standard tools like mplayer, vlc, and friends can't play it, it's likely
>   not worth playing.
> * Do not accept a binary from anyone you wouldn't give your social security
>   number and a credit card to.
> * Anything you aren't positive about run as a different user, logout, login,
>   tinker with it.
> * patch when patches come out, most environments will put up a notification on
>   the default desktop.
> * Unless your browser says you are using SSL or you are using ssh, assume
>   every byte that comes to/from your computer over the network is being
>   recorded, redirected, and maliciously changed.
> * backup the stuff you care about, I'd suggest at least /home and /etc.  Keep
>   at least 2 copies, ideally in at least 2 places.  Even rsync is fine for
>   this, or one of a zillion backup programs.
> * Keep your laptop as physically secure as possible
>
>
> If you are more paranoid:
> * Install from CD
> * make sure you are behind a firewall/ip nat/masq (not internet visible)
> * patch
>
> The above should be plenty to keep most linux users from getting hacked.
>
> If you want to be more paranoid and learn more about a system:
> * run ps, get familiar with all processes running
> * read /var/log/*, get familiar with that.
> * watch your network traffic lights on your dsl/cable/modem, figure out why
>   and what is using your network.
> * run strace on existing processes
> * run lsof on existing processes
> * run tcpdump and watch your network connection
> * run snort
> * run df, or related utilities to analyze storage.  Figure out how much you
>   use and where it is.
>
> For the very paranoid (I don't do this):
> * encrypt your disk
> * boot from trusted media, build a tripwire database, write it to write once
>   media, then periodically verify that things that shouldn't change don't.
>   

