LeRoy Cressy on 22 Jul 2005 20:17:03 -0000



Re: [PLUG] security for home users



Chris wrote:
> It's also good to start a password with #.  Crackers, brute force, etc. ignore
> lines with # for comments; the odds of a cracker cracking a password with ^#
> are nil.
> 
> Chris S
> chris@jynx.net
> www.Jynx.net 
> -----Original Message-----
> From: plug-bounces@lists.phillylinux.org
> [mailto:plug-bounces@lists.phillylinux.org] On Behalf Of Jason
> Sent: Friday, July 22, 2005 8:57 AM
> To: Christopher M. Jones
> Cc: Philadelphia Linux User's Group Discussion List
> Subject: Re: [PLUG] security for home users
> 
> On 7/21/05, Christopher M. Jones <cjones@partialflow.com> wrote:
> 
>>I've done 1-4. But beyond that, I don't even know what the issues are.
>>So that's why I asked for the basic tutorial. I've just never had to
>>worry about security and I think it's something I should know about
>>anyway. Thanks for the suggestions.
> 
> 
> Excellent start then.  Definitely work your way from outside to inside.
> 
> Next steps would be to do a bit of hardening to your OS.  
> 
> Strip off extraneous services you don't use.  Why start nfs daemons if
> you're not using nfs?  Why start (postfix|sendmail|exim|etc.) if
> you're not running a mail server?  Do you need to have Apache, MySQL,
> PostgreSQL and 17 other services running on your workstation? 
> Probably not.  Check your (inetd|xinetd) configuration too.  You
> probably don't need much of anything in there.  In fact, you may find
> that you can just completely disable (inetd|xinetd).  Lots of people
> recommend scripts like Bastille.  While a fine idea to download and
> look at what it does, I'm a big believer in self-implementation - that
> way you learn something along the way.  Otherwise, you learned how to
> run a script.
> 
> If your distribution provides it, consider using SELinux.  You get
> SELinux in (at least) FC3, FC4, RHEL4, CentOS 4 and WBEL 4.
> 
I don't think that a beginner would be very qualified to set up a
desktop with SELinux.  The documentation on how to secure X is awesome.
Also, the distros come with a rudimentary default configuration for
SELinux.

It would be a lot easier for a beginner to set up POSIX access control
lists on their system along with encrypted file systems.  The new Linux
2.6.12 kernel has some neat methods for encrypting devices,
http://www.saout.de/misc/dm-crypt/, which look nicer than the older
crypto-loop.

Also, I think that the new user needs to know how to set the umask in
the .bashrc file.

umask 066, which means:

	000 110 110, which makes every new file 110 000 000
	                                        rw- --- ---

	This means that only the file's owner can read and write to the
	file.

Another simple thing is to make the cookies.txt file a symlink to /dev/null.




> Things like prohibiting root ssh sessions (in the /etc/ssh/sshd_config
> file) are always good.
> 
> Choose good passwords.  The strongest passwords contain mIxEd CaSE
> words, letters, numbers and even special characters such as + , . | (
> * ) and so on.  Rather than a simple password, a great way to go is to
> choose a phrase that you'll easily remember, and convert that into a
> password.  E.g.:
> 
> Suppose you had a daughter, Jennifer, and she was 13 years old.  This
> might lead you to the phrase, "My daughter, Jennifer is 8 + 5 years
> old.", or a password of:
> 
> MdJi8+5yo.
> 
> Don't login as root.  Use su, or better still, sudo.



> ___________________________________________________________________________
> Philadelphia Linux Users Group         --        http://www.phillylinux.org
> Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
> General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug
> 


--
 Rev. LeRoy D. Cressy  mailto:leroy@lrcressy.com   /\_/\
                       http://lrcressy.com        ( o.o )
                       Phone:  215-535-4037        > ^ <
                       FAX:    215-535-4285

gpg fingerprint:  62DE 6CAB CEE1 B1B3 359A  81D8 3FEF E6DA 8501 AFEA

For info on enigmail:    http://lrcressy.com/linux/mozilla.pdf
For info on gpg:         http://www.gnupg.org/

Jesus saith unto him, I am the way, the truth, and the life:
no man cometh unto the Father, but by me. (John 14:6)
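An added worked example, not part of the thread above: it carries LeRoy's umask 066 breakdown through for both files and directories (the kernel computes mode = requested & ~umask, with 666 requested for files and 777 for directories), prints the symbolic form, and then checks the prediction against what the filesystem actually does. The function names and the use of a scratch directory are my own.

```shell
#!/bin/sh
# Added example (not from the original thread): predict and verify what a
# umask does to newly created files and directories.
# The kernel computes  mode = requested & ~umask.  open()/creat() normally
# request 666 for a file and mkdir() requests 777 for a directory.

# apply_umask UMASK REQUESTED -> resulting mode; all three are octal strings
apply_umask() {
    printf '%03o\n' $(( 0$2 & ~0$1 & 0777 ))
}

# mode_to_rwx MODE -> symbolic form of an octal mode, e.g. 600 -> rw-------
mode_to_rwx() {
    m=$((0$1)); out=''
    for pos in 6 3 0; do              # owner, group, other triplets
        bits=$(( (m >> pos) & 7 ))
        if [ $((bits & 4)) -ne 0 ]; then out="${out}r"; else out="${out}-"; fi
        if [ $((bits & 2)) -ne 0 ]; then out="${out}w"; else out="${out}-"; fi
        if [ $((bits & 1)) -ne 0 ]; then out="${out}x"; else out="${out}-"; fi
    done
    printf '%s\n' "$out"
}

# observed_modes UMASK -> "<file-mode> <dir-mode>" as ls reports them after
# creating one file and one directory under that umask in a scratch directory
observed_modes() {
    tmp=$(mktemp -d) || return 1
    ( umask "$1"; : > "$tmp/f"; mkdir "$tmp/d" )   # umask only in the subshell
    f=$(ls -ld "$tmp/f" | cut -c1-10)
    d=$(ls -ld "$tmp/d" | cut -c1-10)
    rm -rf "$tmp"
    printf '%s %s\n' "$f" "$d"
}

# Predicted vs observed for the 066 discussed in the thread and for 077,
# which additionally closes the directories that 066 leaves searchable (--x)
# by group and others.
for u in 066 077; do
    fm=$(apply_umask "$u" 666); dm=$(apply_umask "$u" 777)
    echo "umask $u: file $fm $(mode_to_rwx "$fm")  dir $dm $(mode_to_rwx "$dm")"
    echo "  observed: $(observed_modes "$u")"
done
```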