Re: [vox-tech] Ubuntu Security Software
I just wanted to thank you and everyone else who replied for your many
excellent suggestions. I understand Chris' and Alex's replies from last
November's Installfest better now.
Bill Broadley wrote:
> Here's a list of my suggestions, none of which are particularly linux centric:
> * Run something with patches. If you think patches might stop (like say for
> fedora) before you want to reinstall pick an OS with longer support (like
> say centos, debian stable, or ubuntu LTS (all 5 years afaik)).
> * Disable password logins via ssh, use a cert if you want to login remotely.
> * Use a good passphrase to protect your cert
> * Only keep your private key/cert on machines you trust.
> * Set a secure user and root password (not strongly word based, and no, zero
> instead of O doesn't make a dictionary word secure). Do not type that
> password anywhere else. Do not share that password with any other
> machine/service that you don't trust
> * if you check email from less secure computers use a different password
> than your user/root password.
> * nmap your laptop remotely. Ideally nothing but ssh would be open, or a
> service that you are familiar with and you have a reason to run.
> * spend the absolute minimal time as root, don't download random binaries from
> random places and run them as root.
> * If you build things from source in /opt/src and install them in /opt/pkg
> make both of those directories owned by a system (non-root) user, then
> run the ./configure;make;make install as that user.
> * Use firefox 3, read all dialogs, never type any username/password without
> checking that SSL is used, the URLs look right, and firefox is happy with
> the certificate. Do NOT assume that your bank, your email account, or
> related probably forgot to renew a cert, click ok, and login anyways.
> * If firefox asks if you want to execute something from a website, say no.
> * If something triggers a please type the root/user password dialog and you
> do not know exactly what and why, believe in both the source and the reason
> say no.
> * No matter what the explanation, do not ever send your username/password
> to anyone for any reason.
> * Assume every machine you do not personally admin is hacked.
> * If someone you don't know says that this really cool video (storm footage,
> earthquakes, twin towers, embarrassing political videos, tsunamis,
> aliens, or whatever) just requires you to install a binary... don't. If
> the standard tools like mplayer, vlc, and friends can't play it, it's likely
> not worth playing.
> * Do not accept a binary from anyone you wouldn't give your social security
> number and a credit card to.
> * Anything you aren't positive about run as a different user, logout, login,
> tinker with it.
> * patch when patches come out, most environments will put up a notification on
> the default desktop.
> * Unless your browser says you are using SSL or you are using ssh, assume
> every byte that comes to/from your computer over the network is being
> recorded, redirected, and maliciously changed.
> * backup the stuff you care about, I'd suggest at least /home and /etc. Keep
> at least 2 copies, ideally in at least 2 places. Even rsync is fine for
> this, or one of a zillion backup programs.
> * Keep your laptop as physically secure as possible
> If you are more paranoid:
> * Install from CD
> * make sure you are behind a firewall/ip nat/masq (not internet visible)
> * patch
> The above should be plenty to keep most linux users from getting hacked.
> If you want to be more paranoid and learn more about a system:
> * run ps, get familiar with all processes running
> * read /var/log/*, get familiar with that.
> * watch your network traffic lights on your dsl/cable/modem, figure out why
> and what is using your network.
> * run strace on existing processes
> * run lsof on existing processes
> * run tcpdump and watch your network connection
> * run snort
> * run df, or related utilities to analyze storage. Figure out how much you
> use and where it is.
> For the very paranoid (I don't do this):
> * encrypt your disk
> * boot from trusted media, build a tripwire database, write it to write once
> media, then periodically verify that things that shouldn't change don't.
> vox-tech mailing list
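The last suggestion in the quoted list (build a tripwire database from trusted media, keep it on write-once media, verify periodically) can be sketched as follows. This is an added example, not part of the original messages and not Tripwire itself: the function names and the JSON baseline format are assumptions made for illustration.

```python
import hashlib
import json
import os
import stat
import sys

def snapshot(root):
    """Map each path under root to its mode, owner and SHA-256 (or link target)."""
    db = {}
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)  # lstat: record a symlink itself, never follow it
            entry = {"mode": stat.S_IMODE(st.st_mode), "uid": st.st_uid, "gid": st.st_gid}
            if stat.S_ISREG(st.st_mode):  # hash regular files only, skip devices/FIFOs
                h = hashlib.sha256()
                with open(path, "rb") as f:
                    for chunk in iter(lambda: f.read(1 << 20), b""):
                        h.update(chunk)
                entry["sha256"] = h.hexdigest()
            elif stat.S_ISLNK(st.st_mode):
                entry["target"] = os.readlink(path)
            db[os.path.relpath(path, root)] = entry
    return db

def save_baseline(root, db_path):
    # Keep db_path outside root, then copy it to write-once media.
    with open(db_path, "w") as f:
        json.dump(snapshot(root), f, indent=1, sort_keys=True)

def verify(root, db_path):
    """Return (status, path) pairs, status being 'added', 'removed' or 'changed'."""
    with open(db_path) as f:
        old = json.load(f)
    new = snapshot(root)
    report = []
    for path in sorted(set(old) | set(new)):
        if path not in old:
            report.append(("added", path))
        elif path not in new:
            report.append(("removed", path))
        elif old[path] != new[path]:
            report.append(("changed", path))
    return report

if __name__ == "__main__":  # usage: integrity.py init|check ROOT DB
    cmd, root, db = sys.argv[1:4]
    if cmd == "init":
        save_baseline(root, db)
    else:
        findings = verify(root, db)
        for status, path in findings:
            print(status, path)
        sys.exit(1 if findings else 0)
```

The check is only as trustworthy as the environment it runs in, which is why the quoted advice pairs it with booting from trusted media and storing the baseline where the running system cannot rewrite it.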