I have been mostly just reading this forum, but I decided it is time to comment on this thread.
To Craig, I agree. Courtesy and respect would go a long way in making this forum more attractive to new attendees. I find myself afraid to post questions because of some of the snide responses.

To Jake, Wow, excellent advice, which I plan on taking myself since I am about to abandon Suse for Fedora, the reason I have been reading this forum. Thank you for such clear and well thought out instruction.

To Linda, good luck in securing your system. It looks like you got some good advice.

On Thu, Dec 15, 2011 at 8:08 AM, Jake Shipton <jak...@fedoraproject.org> wrote:
> On 14/12/11 23:13, Linda McLeod wrote:
> > Re: Screensaver takes too much time to fade-out the previous pix, but...
> > Re: "RE: F14 login fails on backup copy; gdm error?"
> >
> > From:
> > "Joe Zeff" <j...@zeff.us>
> > To:
> > <users@lists.fedoraproject.org>
> >
> > "Extraordinary claims require extraordinary proof. What evidence do you
> > have that strangers have targeted your machine and repeatedly trashed
> > it?"
> >
> > The evidence is in this 5-inch stack of evidence, and in this box beside
> > the tower.. which proves that they destroyed a lot of my property, and
> > proves that psychotic-humans destroyed their greatest scientist yet...
> >
> > "What have you done to make your computer either an easier or harder
> > target?"
> >
> > Everything I could understand, in the many Linux forums...
>
> Okay.. Let's talk security :-).
>
> Right so before I get started I would like to say:
>
> If you are serious about making your machine secure, you will have to
> learn a thing or two about security. Reason being: a machine is only as
> secure as you make it. (Regardless of OS)
>
> In this mail I will try to give you some basic security tips which
> should get you a bit more secure than you appear to be now. From my own
> personal experience.
>
> You claim to have people "targeting" you.. and considering what you say
> and claim it wouldn't surprise me. But anyhow, that's not what I am here
> to discuss :-).
>
> So, first things first. If your machine has recently been targeted and
> "trashed", reinstall the OS. Chances are, if they got in once, they
> probably left themselves a nice easy backdoor (rootkit even).
>
> The safest and quickest way to remove one of these on a home computer is
> to just wipe the OS (They can be removed manually, but that takes a bit
> more skill..) - Install the very latest version of Fedora (16), (if
> using Fedora, I'm assuming you are as you're on a Fedora list)
>
> Ensure when setting up your system you do not use the same password
> twice, or the same password you use anywhere else. Each password should
> be unique and should consist of Upper and Lower case letters, Numbers
> and Symbols (For example: MyPa55W0rd&2012&2011).
>
> Once you've got your new shiny OS installed, immediately run "yum
> update" as root. Make sure all packages are downloaded and installed.
>
> The Next step is to find out exactly what you will and won't be using.
> Obviously, you will need a GUI if this is a home computer so use yum to
> install a desktop environment such as GNOME or XFCE or KDE etc,
> depending on your preferences. Personally I prefer XFCE.
>
> Remove all software which you do not use at all. (You may want to
> research things before removing them)
>
> Now you should set up your firewall (through a GUI if you prefer) ensure
> you have no open ports which you do not use. So in Fedora's case open up
> system-config-firewall. The first screen you will see probably has a
> load of checkboxes next to various service names. You will probably want
> to untick if unused the following:
>
> - SSH (I will explain later how to make one of these a bit more secure.)
> - FTP
> - HTTP
>
> and any others of which you do not recognise. Switch to "Other Ports"
> ensure this is blank and empty, or if needed open any ports not listed
> on previous page which you _NEED_.
>
> Go to trusted interfaces. Also mostly should pretty much be all unticked
> unless otherwise required.
>
> Switch to ICMP Filter, and tick the following:
>
> - Echo Reply
>
> Now click apply (You'll be amazed how many people forget to click apply
> and just close the firewall settings..)
>
> Okay cool, so that's your firewall sorted (For now)
>
> Let's move onto securing services, and disabling ones you do not use.
>
> For example, you said you have no idea what SSH is, if I remember
> correctly this is enabled by default. If you do not use it disable it:
>
> systemctl disable sshd.service
>
> Do the same for other unused services (Be very careful with this though...)
>
> Just as a safecheck ensure you do have your firewall enabled:
>
> systemctl enable iptables.service
> and
> systemctl enable ip6tables.service
>
> Now let's talk system logs. System logs are a great way to detect odd
> behaviour on your machine. Most machines report these by default with
> "logwatch" so no setup necessary though a quick yum install logwatch
> wouldn't hurt to be sure it's actually installed.
>
> These logs are mailed to the root user (in my case..) at 3am. And
> generally speaking while this is a safe place for them to go, it's not
> the best of choices to be logging in as root in any case other than to
> do administrative tasks.
>
> So what do you do?
>
> Simple! you get them forwarded to your normal user account. To do this:
>
> nano /etc/aliases
>
> Go right to the bottom and find/add:
>
> # Person who should get root's mail
> root: YourUsername
>
> Press Ctrl + X to exit and save.
>
> This change won't take effect until you run the following command:
>
> newaliases
>
> Cool! Now your user account will begin receiving all of root's mail.. But
> you're probably wondering "Okay, so how do I read it?"
>
> There are two ways to do this.
>
> 1) Use "mail" command
> 2) Set up dovecot and use a local email client to fetch it.
>
> For quickness I advise mail command, for seriousness I advise dovecot. I
> will not go into explaining dovecot, otherwise this email may end up
> rather long :-).
>
> I personally use Dovecot with Postfix and Thunderbird.. but be warned:
> It can get pretty tricky. There are loads of tutorials out there on how
> to set these up. But just don't follow the parts of them asking you to
> open up ports, or setting up DNS for remote access etc.
>
> Ideally on a home system you only want root mail to be local to you and
> not remotely accessible.
>
> Just to be sure everything is running, as root run this command:
>
> logwatch --output mail --range today
>
> Check your setup method for the said email. Either with mail command as
> your normal user, or via email client.
>
> Now just double check and make sure SELinux is enabled.
>
> One last thing to setup would probably be "rkhunter". I'll quickly run
> through the setup of this.
>
> "yum install rkhunter" and optionally and recommended "yum install unhide"
>
> now as root run "rkhunter --update" then "rkhunter -c"
>
> It'll give a couple of warnings due to its database not being set up. And
> probably a couple of false positives. Just look out for the part where
> it scans for rootkits.
>
> Now seeing as this is a new install chances of being attacked already
> are pretty low. So you could go ahead and run:
>
> "rkhunter --propupd"
> then again:
>
> "rkhunter -c" to verify everything is okay and clean.
>
> So now you have a basic semi-secure system. This would hold off most
> script kiddies and whatnot. And if they do try you'll probably see them
> in your logs.
>
> There is of course more you can do to secure your system such as setting
> up fail2ban and tripwire.
>
> My next advice would be to do the following:
>
> 1) Regularly change your password, say every 3/6 months.
> 2) Watch your logs
> 3) Study up on security so you can perform tests against your own
> machine. (So you find the holes before they do..)
> 4) Stay up-to-date with system updates.
> 5) Don't give anyone your passwords.
> 6) Don't write down passwords on paper....
>
> With all of this, I don't think your system will suffer many more
> security problems if any. This is basic security (imo) and will keep you
> secure, at least more secure than you sound now.
>
> Hope this helps you stay safe :-).
>
> PS: Sorry for any grammar issues or misspellings, English is my only
> language.
>
> --
> Jake
> --
> users mailing list
> users@lists.fedoraproject.org
> To unsubscribe or change subscription options:
> https://admin.fedoraproject.org/mailman/listinfo/users
> Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
> Have a question? Ask away: http://ask.fedoraproject.org
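As an added example (not code from the thread or from Fedora), here are small shell helpers for three of the steps Jake walks through: forwarding root's mail via an aliases file, checking which of the named services are still enabled, and reading the SELinux mode from its config. The file paths, the `systemctl list-unit-files`-style listing and the sample contents are assumptions so the helpers can be tried on constructed copies before touching the live system.

```shell
#!/bin/sh
# Added example, not from the original thread. Each helper works on a file
# you pass in (an aliases file, a saved `systemctl list-unit-files
# --state=enabled` listing, an /etc/selinux/config), so it can be checked
# against constructed copies first; the demo at the bottom does exactly that.

# set_root_alias FILE USER: forward root's mail to USER. Any existing active
# "root:" line (and our own comment) is replaced, so running it twice still
# leaves exactly one alias.
set_root_alias() {
    file=$1; user=$2
    tmp=$(mktemp)
    grep -v -e '^[[:space:]]*root:' -e "^# Person who should get root's mail" \
        "$file" > "$tmp" || true
    printf '# Person who should get root'\''s mail\nroot: %s\n' "$user" >> "$tmp"
    mv "$tmp" "$file"
    # on a real system follow this with: newaliases
}

# root_alias_target FILE: print the user who currently receives root's mail.
root_alias_target() {
    sed -n 's/^[[:space:]]*root:[[:space:]]*//p' "$1" | tail -n 1
}

# enabled_services LISTING SERVICE...: print each named service (without the
# .service suffix) that LISTING shows as enabled, one per line.
enabled_services() {
    listing=$1; shift
    for svc in "$@"; do
        grep -q "^$svc\.service[[:space:]][[:space:]]*enabled" "$listing" && echo "$svc"
    done
    return 0
}

# selinux_mode CONFIG: print the SELINUX= value (enforcing/permissive/disabled).
selinux_mode() {
    sed -n 's/^SELINUX=//p' "$1" | tail -n 1
}

# Demo on constructed files (never the live ones).
demo=$(mktemp -d)
printf 'postmaster: root\n#root: marc\n' > "$demo/aliases"
set_root_alias "$demo/aliases" linda
echo "root mail goes to: $(root_alias_target "$demo/aliases")"
printf 'sshd.service enabled\nvsftpd.service disabled\nhttpd.service enabled\n' > "$demo/units"
echo "still enabled: $(enabled_services "$demo/units" sshd vsftpd httpd | paste -s -d, -)"
printf 'SELINUX=enforcing\nSELINUXTYPE=targeted\n' > "$demo/selinux"
echo "selinux: $(selinux_mode "$demo/selinux")"
rm -rf "$demo"
```

On a real box, point the helpers at /etc/aliases, the output of `systemctl list-unit-files --state=enabled` saved to a file, and /etc/selinux/config, then run `newaliases` after the alias change.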