Re: security issues

On Saturday 26 August 2017 04:13:38 Dejan Jocic wrote:

> On 26-08-17, R Calleja wrote:
> > Good morning, I have been a Debian 8.9 user for 2 years.
> > I have security problems that force me to reinstall the system
> > often, once a year.
> > I have read documents and help on improving security.
> > But I am not a user with advanced systems knowledge.
> > My goal is to get a secure workstation.
> > I have come across tools such as:
> > Lynis, openval, nessus, grsecurity, apparmor, selinux, etc.
> > If someone with security knowledge could help me. Or is there
> > any company that provides support.
> >
> > Thank you very much, Roberto
> >
> >
> > Good afternoon, I have been debian 8.9 user for 2 years.
> > I have security issues that force me to reinstall the system often,
> > once a year.
>
> What security issues?
>
> > I have read documents and help to improve security.
>
> What documents?
>
> > But I am not a user with advanced systems knowledge.
>
> That is not a problem, you can find lots of tutorials and documents
> around.
>
> > My goal is to get a safe work station.
> > I have known tools like:
> > Lynis, openval, nessus, grsecurity, apparmor, selinux, etc.
>
> Apparmor and selinux do not go together, use just apparmor because it
> is easier to set up and easier not to mess up. Selinux in theory can
> provide you with more protection, but in practical use you will not
> see it. Lynis is probably too much for you. Openval I do not know,
> nessus I did not use. Grsecurity is, according to Linus Torvalds:
>
> "
>
>     Don't bother with grsecurity.
>
>     Their approach has always been "we don't care if we break
>     anything, we'll just claim it's because we're extra secure".
>
>     The thing is a joke, and they are clowns. When they started
>     talking about people taking advantage of them, I stopped
>     trying to be polite about their bullshit.
>
>     Their patches are pure garbage.
>
>     Linus
> "
>
> > If anyone with safety knowledge can help me. Or is there any support
> > company.
> >
> > Thank you very much, Roberto
>
> For someone who knows little, you are sure installing too many things.
> Here is some general advice, but do not take this for granted, it is
> based on personal opinion after all, and I'm not a security expert,
> though I did read what a few of those have to say about security in
> Linux.
>
> 1. Firewall. If you are connected to the net and use some services you
> really want it. Choose a simple one, like gufw. That is a front end for
> ufw ( uncomplicated firewall ) and will serve your needs well. If you
> want something more secure, but really more complicated, you will have
> to learn iptables.

If the security being worried about is external, coming in and attacking
you from the internet, then I would recommend getting an aftermarket
router with enough flashable memory to support reprogramming it with
dd-wrt. I don't worry about local security here as we're an older couple
and the wife is not computer literate, so I am the only user. I don't
install any of the firewall type stuff, dd-wrt in the router is the best
guard dog. I've been running some form of it for 15 or more years, and
have not been breached.

OTOH, if other family members are able to access your machine, then it
may be that apparmor needs to be installed & set up.

> 2. Always keep your system updated with latest security patches. So,
> do your daily routine of apt-get update && apt-get upgrade. Even
> apt-get dist-upgrade, in case of need.

Excellent advice.

> 3. apparmor can help to mitigate risks of some exploits and is easier
> to set up than selinux.
>
> 4. Use some tools that can help you detect potential rootkits. So,
> learn how to use rkhunter, chkrootkit and some of the intrusion
> detection tools, like aide, or tripwire. Also some network based
> intrusion detection tools like Snort, or suricata.
>
> 5. If you use ssh, disable root login, disable logging in with
> passwords, use a pair of keys. While we are at the root account, if
> someone else can physically access your comp, you should disable it
> too and use sudo. But it is not necessary and will not increase your
> security as a standalone solution in cases where someone can poke your
> comp freely. For further reading about restricting the root account:
> https://www.centos.org/docs/5/html/5.1/Deployment_Guide/s2-wstation-privileges-noroot.html
>
> 6. Just in case you are connected to some windows based machines,
> you can install and use clamav. But it will not protect you
> personally, it will just make you a better neighbour.
>
> 7. Oh, yes, a secure password is a good thing to have too. Do not use
> your name, your family names, your dog's name, nor anything that can be
> connected to you, or is susceptible to dictionary attacks. You can
> install some tool like John the Ripper to check if your password is
> weak.
>
> 8. Encrypt your data and use backups.
>
> 9. Do a lot of reading about all that, practice a bit and do not put
> high hopes in paying someone to protect you. If you do not know what
> you are doing, no one can babysit you 24 hours a day.
>
> 10. I'm sure that there is more and that some people around can tell
> you more, but a complete guide to security is hard to get on this list,
> or in some forums. There are some books around about that subject,
> written by people that know lots and can present it better than I can.
> Again, it requires lots of reading, research and practicing. And no
> one can do it for you. If you want to be more secure, then you must
> get "advanced knowledge".

+10

> Hope that this can help you a bit.
Cheers, Gene Heskett
-- 
"There are four boxes to be used in defense of liberty:
 soap, ballot, jury, and ammo. Please use in that order."
-Ed Howdershelt (Author)
Genes Web page <http://geneslinuxbox.net:6309/gene>
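The ssh hardening in item 5 (root login off, password login off, key-based auth on) as an added example that is not from this thread: a small POSIX shell audit of an sshd_config, run here against two constructed sample configs rather than a real system file. It assumes the plain "Keyword value" form and does not handle "Match" blocks or the "key=value" syntax.

```shell
#!/bin/sh
# audit_sshd FILE: prints one line per setting that is weak or not set
# explicitly. sshd keeps the FIRST occurrence of a keyword and ignores
# comment lines, so the check mirrors that: first non-comment match wins.
audit_sshd() {
  _f="$1"
  for _pair in "PermitRootLogin:no" "PasswordAuthentication:no" "PubkeyAuthentication:yes"; do
    _key=${_pair%%:*}
    _want=${_pair##*:}
    # keyword match is case-insensitive; value is lower-cased for comparison
    _got=$(grep -iE "^[[:space:]]*$_key[[:space:]]+" "$_f" | head -n1 | awk '{print tolower($2)}')
    if [ -z "$_got" ]; then
      echo "MISSING $_key not set explicitly (sshd default applies; set it to $_want)"
    elif [ "$_got" != "$_want" ]; then
      echo "WEAK    $_key $_got (want $_want)"
    fi
  done
}

# Constructed sample configs (not real system files), removed at exit.
WEAK_CFG=$(mktemp)
HARD_CFG=$(mktemp)
trap 'rm -f "$WEAK_CFG" "$HARD_CFG"' EXIT

cat >"$WEAK_CFG" <<'EOF'
# constructed sample: root and password login allowed
Port 22
#PermitRootLogin prohibit-password
PermitRootLogin yes
# the line below is ignored by sshd because the first value wins
PermitRootLogin no
PasswordAuthentication yes
EOF

cat >"$HARD_CFG" <<'EOF'
# constructed sample: hardened as in item 5
Port 22
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
EOF

echo "== weak config =="
audit_sshd "$WEAK_CFG"      # three findings
echo "== hardened config =="
audit_sshd "$HARD_CFG"      # no output
```

Run it against /etc/ssh/sshd_config after editing and restarting sshd; an empty report means the three item 5 settings are in place.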