This is a discussion on how to secure my computer within the Linux Security forums, part of the System Security and Security Related category.
Newsbox wrote:
> On Mon, 10 Apr 2006 09:08:24 -0700, Mikhail Zotov wrote:
> > Ertugrul Soeylemez wrote:
> >> Penguin_X <email@nospam.com> (06-04-09 21:06:01):
> >> > Indeed not. my private life isn't 100 % secure and I wish I could
> >> > make it a little safer from intruders.
> >>
> >> What makes you think that it isn't 100% secure?
> >
> > Perhaps, because of this post:
> >
> > http://groups.google.com/group/comp....bfb9329991ba7b
> >
> Don't be misrepresenting what I said, which was only to answer this one
> specific question in the affirmative, and truthfully.

I am sorry. This was (partially) a joke and I tried to indicate this by:

> > ;^)

Since you have already found a link to ESR's writeup, I don't put it here. Instead, below is an assorted list of sites mostly related to generic Linux (UNIX) security. Maybe someone will find it useful.

http://www.securityfocus.com/
http://security.linux.com/
http://www.linuxsecurity.com/
http://www.linuxexposed.com/
http://www.net-security.org/index.php
http://www.securiteam.com/
http://www.localareasecurity.com/
http://www.thc.org/index.php
http://www.justlinux.com/nhf/Security
http://alcor.concordia.ca/~syl/secur...ring_unix.html
http://alcor.concordia.ca/nonalcor/s...checklist.html
http://www.cert.org/tech_tips/unix_c...uidelines.html
http://www.sns.ias.edu/~jns/wp/categ...unix-security/
http://www.wilyhacker.com/1e/
http://www.linuxsecurity.com/resourc...to/ch6.en.html
http://www.puschitz.com/SecuringLinux.shtml
http://www.schneier.com/blog/
http://www.linuxsecurity.com/docs/LDP/Security-HOWTO/
http://www.linuxtopia.org/LinuxSecurity/index.html
http://www.informit.com/guides/guide...=security&rl=1
http://www.linuxsecure.de/index.php?action=0
http://www.wittsend.com/mhw/1999/sec.../txtindex.html
http://www.insecure.org/tools.html

A kind of apologies :-) Still, I think nobody (maybe except a few computer security professionals) can be sure that his/her private life is secure in the e-world. Just the opposite. Almost anybody can be sure it isn't secure.

Regards,
Mikhail

On Mon, 10 Apr 2006 21:20:18 -0700, Mikhail Zotov wrote:
> Newsbox wrote:
>> On Mon, 10 Apr 2006 09:08:24 -0700, Mikhail Zotov wrote:
>> > Ertugrul Soeylemez wrote:
>> >> Penguin_X <email@nospam.com> (06-04-09 21:06:01):
>> >> > Indeed not. my private life isn't 100 % secure and I wish I could
>> >> > make it a little safer from intruders.
>> >>
>> >> What makes you think that it isn't 100% secure?
>> >
>> > Perhaps, because of this post:
>> >
>> > http://groups.google.com/group/comp....bfb9329991ba7b
>> >
>> Don't be misrepresenting what I said, which was only to answer this one
>> specific question in the affirmative, and truthfully.
>
> I am sorry. This was (partially) a joke and I tried to indicate this by:
>
>> > ;^)
>
> Since you have already found a link to ESR's writeup, I don't put it
> here. Instead, below is an assorted list of sites mostly related to
> generic Linux (UNIX) security. Maybe someone will find it useful.
>
> http://www.securityfocus.com/
> http://security.linux.com/
> http://www.linuxsecurity.com/
> http://www.linuxexposed.com/
> http://www.net-security.org/index.php
> http://www.securiteam.com/
> http://www.localareasecurity.com/
> http://www.thc.org/index.php
> http://www.justlinux.com/nhf/Security
> http://alcor.concordia.ca/~syl/secur...ring_unix.html
> http://alcor.concordia.ca/nonalcor/s...checklist.html
> http://www.cert.org/tech_tips/unix_c...uidelines.html
> http://www.sns.ias.edu/~jns/wp/categ...unix-security/
> http://www.wilyhacker.com/1e/
> http://www.linuxsecurity.com/resourc...to/ch6.en.html
> http://www.puschitz.com/SecuringLinux.shtml
> http://www.schneier.com/blog/
> http://www.linuxsecurity.com/docs/LDP/Security-HOWTO/
> http://www.linuxtopia.org/LinuxSecurity/index.html
> http://www.informit.com/guides/guide...=security&rl=1
> http://www.linuxsecure.de/index.php?action=0
> http://www.wittsend.com/mhw/1999/sec.../txtindex.html
> http://www.insecure.org/tools.html
>
> A kind of apologies :-) Still, I think nobody (maybe except a few
> computer security professionals) can be sure that his/her private life
> is secure in the e-world. Just the opposite. Almost anybody can be
> sure it isn't secure.
>
> Regards,
> Mikhail

Thank you Mikhail. I am sure this is a very useful collection of links for any who are truly interested in reading and learning. I will return to this list myself and browse. I hope it will help others to learn how to better protect themselves, and to become and to feel more secure.

And I did and do appreciate your humor. Perhaps you will appreciate my chagrin that the Government(s) that we support and that are "protecting us" are now creating some of the worst conditions for personal and business security we have yet seen. Honest ordinary competent hard-working men and women, and legitimate businesses of all description, upon whom and which we depend for necessities and amenities are having our and their vital data (legally????) mined and stolen, at our own expense, by organizations that cannot manage to keep our Income Tax data confidential (not to mention DOD, DOJ, etc.) (That is, only if we cannot prevent them from such. AFAIK, it is not yet illegal to try to protect one's own property and data.) I could see it all as laughable if I could see it as less troubling.

Eric and Rick, more knowledgeable and experienced than I, are also better writers. And if I were equal, there would still be no need for me to reinvent the wheel. They have already said these things very well.

Kindness and compassion notwithstanding, sometimes some people just need to be reminded to sit up and pay attention. I know that is not you.

I appreciate your kindness, your assistance and your gracious response. Thanks again and sincere best wishes.

On Tue, 11 Apr 2006 02:30:27 -0400, Newsbox wrote:
> Thank you Mikhail. I am sure this is a very useful collection of links
> for any who are truly interested in reading and learning. I will return
> to this list myself and browse. I hope it will help others to learn how
> to better protect themselves, and to become and to feel more secure.
>
> And I did and do appreciate your humor. Perhaps you will appreciate my
> chagrin that the Government(s) that we support and that are "protecting
> us" are now creating some of the worst conditions for personal and
> business security we have yet seen. Honest ordinary competent
> hard-working men and women, and legitimate businesses of all description,
> upon whom and which we depend for necessities and amenities are having
> our and their vital data (legally????) mined and stolen, at our own
> expense, by organizations that cannot manage to keep our Income Tax data
> confidential (not to mention DOD, DOJ, etc.) (That is, only if we cannot
> prevent them from such. AFAIK, it is not yet illegal to try to protect
> one's own property and data.) I could see it all as laughable if I could
> see it as less troubling.
>

I'll add a thank you to Mikhail as well - you are not the only one who has found some of the posts here recently to be *alarming*. I've saved your list of internet sites for future reference.

I must say though that some of the posts made here recently make me wonder if the "benefits of the internet" are worth the risks of accessing them. The question is present in my mind anyway.

Newsbox, if I was a citizen (and as knowledgeable and as articulate as you are) I would try to make my voice heard in the proper channel - as effectively as I could. This is not the time to be modest about your communications skills - which are excellent by the way. All your concerns are valid and well explained and there *are* others that are even worse.

President Bush has described a report that he is contemplating a preemptive (probably nuclear) strike against Iran as "wild speculation" but did not deny the report. I hope Congress and the courts can pick up the reins that they have let drop - in time to prevent things already bad from getting a *lot* worse.

I wish you well, obviously.

Newsbox wrote:
> Thank you Mikhail. I am sure this is a very useful collection of links
> for any who are truly interested in reading and learning.

My pleasure Newsbox. I am sure you know all these resources and many more. I hope the list can be useful for somebody absolutely new to the field.

> I hope it will help others to learn how
> to better protect themselves,

So do I.

> and to become and to feel more secure.

Maybe to become a little bit more secure but hardly to feel more secure. At this point, I feel myself pessimistic: "For in much wisdom is much grief: and he that increaseth knowledge increaseth sorrow."

> And I did and do appreciate your humor.

Thank you. :-)

> Perhaps you will appreciate my
> chagrin that the Government(s) that we support and that are "protecting
> us" are now creating some of the worst conditions for personal and
> business security we have yet seen.

Definitely yes.

> Honest ordinary competent
> hard-working men and women, and legitimate businesses of all description,
> upon whom and which we depend for necessities and amenities are having
> our and their vital data (legally????) mined and stolen, at our own
> expense, by organizations that cannot manage to keep our Income Tax data
> confidential (not to mention DOD, DOJ, etc.) (That is, only if we cannot
> prevent them from such. AFAIK, it is not yet illegal to try to protect
> one's own property and data.) I could see it all as laughable if I could
> see it as less troubling.

IMHO, it's hard to put this better.

....

> Kindness and compassion notwithstanding, sometimes some people just need
> to be reminded to sit up and pay attention. I know that is not you.

Thank you. :-) You are more kind to me than I'm worth.

> I appreciate your kindness, your assistance and your gracious response.

And so do I. This has been a good lesson for me.

Best regards,
Mikhail

On Sun, 09 Apr 2006 21:06:01 -0400, Penguin_X wrote:
> Hi everyone.
>
> I have been using Linux since nearly 3 years and recently, during a
> reading on computer security i came up on the following question: Is my
> computer and my private life really secure ?
>
> Indeed not. my private life isn't 100 % secure and I wish I could make
> it a little safer from intruders.
>
> Considering I am running Linux, what would you do at first to make my
> system safer from intruders ? I mean by intruders: ad wares, personal
> infos gathered by web servers and so on... I am currently using 2
> e-mails addresses (1 used for MSN, websites, forum, etc and another one
> used to send and receive important mails). I consider that PGP would be
> a great choice as a encryption program (mail). Mercury is absolutely
> necessary when chatting on MSN. Using it allows to encrypt
> conversations.
>
> If you know any way or hints to get aware from threats on Internet or
> tools to encrypt my data, write me back. There are so much information
> gathered about users on the WWW.
>
> So. If you have any tutorials/links about security concerning Linux,
> please post them :)
>
> Cheers,
>
> And... Sorry for my awful English.

Cheers back at You. :) Your English is actually quite good, although it is not hard to see that it was not your native language. Most people, if they have the time, can understand and live with, very well, the good level of language skills that you show. The bigger danger here is that you will not be able to express your best thoughts and foremost questions and concerns to everyone's best advantage. And your concerns about security are widely shared, and very valid. Thank you for asking.

I'll throw a few things "onto the table" in no particular rationale or order.

First, do look at the list of links that Mikhail posted below in this thread. I have not yet studied them thoroughly myself. But I have no doubt that they point to much valuable information regarding your question. Also as your time allows, there are many good suggestions in the other messages in this thread and in this group. Please don't be intimidated or offended by anything you read and don't be afraid to post back with feedback or specific questions. It is very easy for misunderstandings to develop on usenet; most of us understand that part and don't let it bother us unnecessarily. Don't let it bother you unnecessarily. If there is something posted that is not clear or understood, google is usually the fastest remedy. Or man pages or info documents.

Many distros have lots of less-known software installed that can be useful in a security context. Lots of other good software is freely available. If you are able to help, many worthwhile projects could use it. Some more on this below.

First, to add to Mikhail's list of sites, some I find of interest:

http://isc.sans.org
http://www.f-secure.com/weblog/

Now, some "nitty-gritty", basics.

Always run a firewall. Check it; understand it; read the logs. Improve it as necessary.

Run antivirus software. I use clamav and freshclam.

Install and use an IDS, Intrusion Detection System. I suggest tripwire. This is not for everyone, or for casual or automatic use. It takes considerable system time and is only useful under specific conditions: set your initial scan on a new, known-good system. When you run it, look at what it tells you. Takes time. But if you do it you are unlikely to have undetected unwanted malware on your system. Tripwire only detects the damage after the malware is on your disk (although it might not necessarily have already run).

Another good IDS is SNORT. SNORT is not for beginners and takes substantial system resources. But once set up it runs in the background and protects sort of the same way a firewall works, except to protect your systems from malware on a much higher level than a firewall. Snort often has signatures available to detect and stop new malwares even before major AV vendors have sigs out. SNORT is very, very good protection. SNORT will detect malwares and stop them *before* they can harm your systems or even get on your disks. (BTW, SNORT is also available for other platforms, such as *gag* windows.)

Only install software from trusted sites. Check md5 sums (or other integrity systems) before installing. Or use Yum Extender for updates, which does all the checking for you. To the best extent possible, run current versions of all software.

Protect your systems from unauthorized or untrusted access. Lock the room where your computer or workstation is when you are not there. (Also lock the room with the file cabinet where your paper records are kept. You *do* have a file cabinet, don't you?) Alarm the room if necessary.

Use strong passwords. Protect the secrecy of your passwords. If someone is watching while you type your password, change it. There used to be a small utility named mkpasswd to generate random strong passwords; no idea what's available now.

Now some network stuff: If you know your network well, if your correspondents are known, some network vulnerabilities can be mitigated or bypassed by "hard-wiring" the MAC and IP addresses into the files /etc/ethers and /etc/hosts(*). You can also use the "host" command to check IP addresses and reverse DNS lookup hostnames for important remote connections. See if they are the same as what you had last time. This could be helpful in avoiding some "phishing" attacks and also some "DNS poisoning" attacks.

Avoid "human engineering" attacks by educating yourself and others of your users to avoid such things as clicking on links in e-mails, opening executables in e-mails, and opening untrusted executables in general.

If you run a DNS server (BIND-"named"?) keep it private and isolated from outside public network access via firewall. Turn off recursive lookups unless you really know what you are doing.

Whether or not you run your own DNS server, do set up and run nscd (Name Server Caching daemon) on each of your local machines. I increase the refresh time from the default of 3600 seconds to 14400, but that might not be best in all cases. Properly configured (in /etc/nscd.conf? ) nscd will first check in its cache for recent resolution of a domain name, and only if that fails will go out to your ISP's DNS servers. Therefore, it will cut down on the number of calls to outside sources, and the amount of information that can be harvested about your activities from outside sources. Once set up it runs transparently in the background. It is probably already installed in many distros. You need to turn it on, set it to run on reboot, and configure it. That is very easy for anyone who can read and follow simple instructions.

See if you may want to install and run "Tor" (The onion router). Tor will probably slow your internet throughput substantially, particularly in peak periods. Tor uses a system of peers to route your traffic and substantially reduce the ease of traffic analysis, and the points from which it can be analyzed. Tor interfaces well with the (Mozilla) Firefox (1.5.0.1) web browser, and also requires a proxy (suggested privoxy). There is a Firefox plugin called Switchproxy that makes using all this painless once installed and configured (not too hard to do). Tor (does a DNS lookup,) sets up a SSL (encrypted) link with a Tor server that only provides one or more routes to your real target through (volunteer - peer) Tor servers. Tor uses encrypted headers so that no individual Tor server knows, except for the previous and next hop, where the traffic is coming from or going to. Full details are on the Tor homepage. Tor is partially supported by EFF. If you like Tor and can see your way clear, they can use help and support. One easy way to help is to run a Tor server, which helps other Tor users have better, faster and less transparent throughput. They can also use money and programming help. The traffic itself can also be separately encrypted if desired, without impairing Tor in any way.

If you are a United States resident, become familiar with what has been written about the Narus 6400 and the warrantless wiretap program. This is an incredible widespread program to capture phone and internet traffic. Reportedly it is in operation *now*. When you become sufficiently concerned or alarmed, please contact your local, state and federal government representatives and communicate your concerns to them. If you are eligible to vote but are not registered, register; these folks often check voter lists to see if they need to care what you think or say. If you are registered, _DO_ go to the polls on election day and go through the motions, even if you don't mark a single line on the ballot. They watch how many people go through (as well as who) to gauge how closely they need to watch voter sentiment. Most intend to retire from their public service jobs, and may do only what they think they need to do to watch out for their own future job security.

There are links to the Narus 6400 and the warrantless wiretap program, posted by John, earlier in this thread. Or google (as always) might work, but it's pretty new content (past week), and google can take days or weeks to catalogue some content.

Also write to or call your local and regional news media, and communicate your concerns to them and to your friends and neighbors. This is somewhat breaking or developing news, and there are probably many people who are not yet fully aware of what is going on. Do them a favor and inform them on the issue, as well as your own concern or alarm, as the case may be.

If you reside outside of the United States you should still familiarize yourself with the issue. This will not stop at US borders. When you become sufficiently concerned or alarmed, and if you are able to do so in your location, communicate your concern or alarm, as the case may be, to whomever you know who might be most influential in controlling the spread of this abomination to your locale. When you know what this is, you will not want it anywhere near you.

End of appeal, getting off soapbox now. Thanks for reading. And best wishes and safe computing to all.
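The tripwire-style approach Newsbox recommends above, as an added example (not code from the original post, nor from tripwire itself): a baseline scan fingerprints every regular file under a directory, and a later scan is diffed against it, so a change is flagged only after it has landed on disk. The tampered tree is constructed in a temporary directory so the example runs offline.

```python
"""Minimal tripwire-style file integrity baseline and check (added example)."""
import hashlib
import json
import os
import stat
import tempfile


def hash_file(path, chunk=65536):
    """Return the hex SHA-256 digest of a file, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_baseline(root):
    """Map each regular file (path relative to root) to its fingerprint."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if not stat.S_ISREG(st.st_mode):
                continue  # skip symlinks, sockets and device nodes
            rel = os.path.relpath(full, root)
            baseline[rel] = {
                "sha256": hash_file(full),
                "size": st.st_size,
                "mode": stat.S_IMODE(st.st_mode),
            }
    return baseline


def compare(baseline, current):
    """Classify differences between two scans; any changed field counts as modified."""
    old, new = set(baseline), set(current)
    return {
        "added": sorted(new - old),
        "removed": sorted(old - new),
        "modified": sorted(p for p in old & new if baseline[p] != current[p]),
    }


def demo():
    """Constructed scenario: baseline a small tree, tamper with it, rescan."""
    with tempfile.TemporaryDirectory() as root:
        sample = {"bin/ls": b"original ls\n", "etc/passwd": b"root:x:0:0\n",
                  "etc/hosts": b"127.0.0.1 localhost\n"}
        for rel, data in sample.items():
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as fh:
                fh.write(data)
        # Round-trip through JSON, as the baseline would normally be stored
        # on read-only or off-host media (tripwire also signs its database).
        stored = json.loads(json.dumps(build_baseline(root)))
        # Tamper: same-size overwrite (size/mtime alone would miss it),
        # one unexpected new file, one deleted file.
        with open(os.path.join(root, "bin", "ls"), "wb") as fh:
            fh.write(b"trojaned ls\n")
        with open(os.path.join(root, "bin", "extra"), "wb") as fh:
            fh.write(b"unexpected\n")
        os.remove(os.path.join(root, "etc", "hosts"))
        return compare(stored, build_baseline(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```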
On Sun, 09 Apr 2006 21:06:01 -0400, Penguin_X wrote:
> Hi everyone.
>
[...]
> Cheers,
>

Cheers again, I missed some things in my post earlier this afternoon, which was mostly on disaster prevention. You also need disaster recovery.

Make regular system backups. Do it daily, weekly or whatever makes sense, but do it on a regular schedule, else you will end up not doing it often enough or at all.

Keep backup data disks and system re-installation spare disks handy and secure, but keep a _current_ set somewhere off site as well. We all like to think (hope?) that "It Can't Happen Here". But if it _does_, plan for recovery.

If you don't have a good friend or relative really close by, get a lock box (or two!) and put your current disks in it. Knock on your (hopefully friendly) neighbor's door and ask if they would keep it in their closet for a week, when you will return and exchange it for the new set. Explain what you are doing and why. They will be impressed at your care and sophistication.

It would be wise to encrypt your data backups.

And not least, when you think you have it all covered - double check it, and then try a recovery from scratch. You'll have to either wipe your box (*ewe!*), or get a spare and try to reconstruct your system there. Only this way can you truly have confidence in what you are doing. But if you do have that confidence, then when disaster hits, malware takes your system over or some other unspeakable disaster..., well you won't be tempted to do the all too common worst thing. That worst thing is deny it in the face of reality. Leave it on-line. Run it anyway - maybe it will go away... - - - Don't do it. Just unplug it, wipe it and rebuild it from scratch. It takes a few hours, which you would otherwise waste in agonizing and then still have to do it all anyway.

And I didn't say but should have in my earlier message: Encrypt everything possible, especially whatever traffic goes on to a public network (internet). If your experience is like mine, you may find that few people want to be bothered with all that encryption stuff. As I said encrypt everything possible. And, ... try to stay far away from people who aren't concerned about their security (or *yours*.)

Ok, that's some of what I missed, anyway.

--
Best.

On Tue, 11 Apr 2006 18:38:49 -0400, Newsbox wrote:
> On Sun, 09 Apr 2006 21:06:01 -0400, Penguin_X wrote:
>
>> Hi everyone.
>>
> [...]
>> Cheers,
>>
> Cheers again,

one more time

Some people like rkhunter, which is probably limited in some ways, but may tell you some things on your system to be corrected even if you don't have any rootkits. It checks a lot of things and runs very well in most cases, at least as far as I have heard. Another variant of this is chkrootkit (IIRC).

Sorry I couldn't get this all in one message. HTH

--
Best.

On Thu, 13 Apr 2006 15:21:09 -0400, Newsbox wrote:
> Thanks john. I'd jevgr zber but V'z erny ohfl rapelcgvat and
> boshfgvpngvat j%w].q ynetr svyrf ubcr v pna erzrzore ubj gb haqb nyy
> ixypoortsa guvf fghss pnhfr vgf !va gur obbx (Ynhtuvat).

*Lbh pna nyjnlf jevgr gur qverpgvbaf qbja naq cnfgr vg ba lbhe zbavgbe. *:-)