Secure your Linux Desktop (Incomplete)
This mini-guide is intended for those who are still learning security specs or wish to implement an effective way to raise their security level.
This guide is focused on Fedora Core, but you can follow it on any Linux distro if you can get the appropriate packages or tarballs.
This mini-guide covers the very basics of security: protecting sshd and VNC, an effective firewall, and the habit of continuously checking your logs with the right tools.
The Internet is a very unsafe place to be. Hackers use special tools like "sweepers" to find someone vulnerable to attack. In an attack attempt, one can be addressed more than 50,000 times in a single hour (standard dictionary attack), and the worst thing... they can succeed. Why? Because our system has flaws we should cover.
The Very Basics of Security
- Make a strong username and password: This is the most common flaw of any newbie! To create a secure username and password, make sure that the username is longer than 10 characters and that the words that compose it can't be found in a standard dictionary. Passwords must be a little bit stronger. It's better to change them at least every month; use 15 chars at least, with mixed capitals and numbers that don't derive from personal data (your birthday as numbers, your license #, etc.), and do not write them down! Try to memorize them; there are simple techniques to create strong and easy-to-remember passwords.
- Leave your computer off when you don't need it: That's right! If you use it as a normal PC, downloading stuff at the same time is not an excuse; you can do it if you know what you're doing and if you have already taken your precautions.
- Enable only the services you use: Don't enable httpd or ftpd just because you think you might use it; another newbie flaw! If you use it as a normal PC, you don't need httpd or ftpd; sshd can do the job if you want to retrieve data from your computer, and even more securely! But if your computer is an advanced workstation or server, please enable these services only if you can monitor your connections. If it's a LAN, then give certain permissions (hosts_allow) to those you really trust inside your LAN; we'll do this in a few moments...
- Beware of Social Engineering: What's that? This really means "Don't let yourself be tricked by others". "Social Engineering" is the very basic form of hacking... How? You might receive some email or even phone calls asking for your username and password in order to "solve" your Internet connection. There could be other types of hoaxes, but keep in mind... a real admin will contact you in a "safe" manner, and the last thing he'll request from you is a username and password. Another way to protect yourself is to add a strong password to your screensaver and immediately "lock" your desktop if you have to go away for a while.
- Encrypt any Sensitive Data: Do you have sensitive information inside your computer that you don't want to share? There are tools to prevent unauthorized access. The first one is "gpg"; another is encrypted loopback devices, which is only worthwhile if you manage large amounts of sensitive data; and another option is aespipe. This last tool requires "gpg" too, but it adds AES256 encryption with it.
- Learn not to trust: As it says, do not trust anyone, anywhere. If someone tries to access your system, add them automatically to your black list; tolerance leads to security flaws.
- Continuously update your system: DoS, backholes and other hacking techniques could come true if you don't update your system often; try to do this around every week.
- Use a good AV: There aren't many viruses for Linux, but to prevent infections from spreading we have to use a powerful one. Bitdefender is a good alternative AV scanner and very easy to use!
- Use a properly configured firewall: Firestarter will be our choice, and learn to configure it too.
- Read your system logs: grepping is in the past; you can use "Splunk" for this task. The free version allows a PC and a small workstation user to easily read their logs like using "Google".
- Create a "Black List": Attack event? Immediately log the remote host IP, MAC, port or service he tries to access, number of access attempts... Add it to the "Black List", update your firewall and crypto-share it with your collabs!
More about usernames and passwords...
I really would like to insist on this. A normal username is formed from the person's name, surname or nickname, as plain as that, but let's add a few "spices" in order to make it easy to remember and hard to decipher:
- For your normal username, try to add anything you like and feel is personal, something longer than 10 characters (ex: "john" could change to "johnlennington", assuming your wife's surname is "Lennington")
- Still short? Then try to add a few random numbers (and try to memorize them, of course. Ex: to our last sample "johnlennington" we could add a few numbers, like "johnlennington78964"; let's assume you can recall these numbers very easily because they match a total sum of your shoe size, height in feet and any random number you chose to create it. Anything's valid!)
- Using concatenation symbols (like "-" or "&" or "__") helps and makes it harder to decipher. (Ex: "johnlennington78964" could transform into "johnlennington78964-fragcedega", assuming you love to play Quake under Linux. Any combination that you CAN RECALL is valid!)
I know... it looks a little bit exaggerated, but don't hesitate if someone could "crack" your system, so please at least consider my effort.
The previous "algorithm" works for passwords too, but for passwords a little tune-up must be done:
- Use capitals and long numbers: First create a SAFE password using the previously mentioned "algorithm", then swap in a few capitals in order to make it harder (Ex: RITPsSoD77824455; this composition was made with "Ride in the Park (RITP)", "Super Shurikens of Doom (sSoD)" and a little bit of "mental entropy (77824455)")
<<To be continued... I'm terribly sorry! College and my headache won't let me finish right now :dazed: but I promise to complete it in less than 24 hrs. Admins and Moderators... Please do not erase this thread made by this poor and geek CSE College Student XD. Anyway... Thanks for your support and for reading so far... >>
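The "Read your system logs" and "Black List" habits from the list above, as an added example that is not part of the original post: it counts failed sshd logins per remote host, skips trusted LAN addresses, and renders the result as TCP-wrappers style deny lines. The log lines are constructed samples in the usual OpenSSH syslog format, and the threshold, the trusted range and the function names are assumptions.

```python
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample lines in the usual OpenSSH syslog format (not real logs).
SAMPLE_LOG = """\
Mar  3 02:14:01 desk sshd[2211]: Failed password for invalid user admin from 203.0.113.5 port 40112 ssh2
Mar  3 02:14:03 desk sshd[2213]: Failed password for root from 203.0.113.5 port 40120 ssh2
Mar  3 02:14:05 desk sshd[2215]: Failed password for invalid user test from 203.0.113.5 port 40131 ssh2
Mar  3 02:20:44 desk sshd[2301]: Failed password for john from 192.168.1.20 port 51000 ssh2
Mar  3 02:20:50 desk sshd[2301]: Accepted password for john from 192.168.1.20 port 51000 ssh2
Mar  3 03:01:10 desk sshd[2400]: Failed password for root from 198.51.100.7 port 33012 ssh2
"""

FAILED = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ [\d:]{8}) \S+ sshd\[\d+\]: Failed password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port (?P<port>\d+)"
)

def build_blacklist(log_text, threshold=3, trusted=("192.168.1.0/24",)):
    """Return {ip: record} for untrusted hosts with >= threshold failed logins."""
    nets = [ip_network(n) for n in trusted]  # assumed trusted LAN range
    seen = defaultdict(lambda: {"attempts": 0, "users": set(), "first": None, "last": None})
    for line in log_text.splitlines():
        m = FAILED.match(line)
        if not m:
            continue  # accepted logins and other daemons are ignored
        try:
            addr = ip_address(m["ip"])
        except ValueError:
            continue  # sshd may log a hostname; this example only handles IPs
        if any(addr in n for n in nets):
            continue  # trusted LAN hosts are never blacklisted
        rec = seen[m["ip"]]
        rec["attempts"] += 1
        rec["users"].add(m["user"])
        rec["first"] = rec["first"] or m["ts"]
        rec["last"] = m["ts"]
    return {ip: r for ip, r in seen.items() if r["attempts"] >= threshold}

def hosts_deny_lines(blacklist):
    """Render the blacklist as TCP-wrappers style deny entries."""
    return [f"sshd: {ip}" for ip in sorted(blacklist)]

if __name__ == "__main__":
    bl = build_blacklist(SAMPLE_LOG)
    for ip, r in bl.items():
        print(ip, r["attempts"], sorted(r["users"]), r["first"], "->", r["last"])
    print("\n".join(hosts_deny_lines(bl)))
```

The deny lines only take effect where sshd is built with TCP wrappers support; otherwise feed the same addresses to the firewall.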