linux security books

Mike Kallies mike.kallies-Re5JQEeQqe8AvxtiuMwx3w at public.gmane.org
Sun Oct 3 15:22:15 UTC 2010


On 10/2/2010 8:18 PM, Rajinder Yadav wrote:
> i am behind a router firewall


If you're behind a router-firewall, you're already most of the way there.

Check your router manufacturer site to make sure there are no recent
firmware patches to your router.  There have been attacks against the
routers themselves.

Ensure that the router cannot be remotely administered, or if it can,
that it has a stunningly complex password, because it will be attacked
endlessly, and are you *really* going to watch it?

If the router does wifi, use WPA or better (only WPA2 should be
considered actually secure), and remember that anyone on the wifi network
can get into your home network.

It sounds like you're learning, and you're also talking about protocols
like VNC.  Free versions of VNC are not secure without some kind of
tunnel.  The following is a very lazy configuration:

- patch and secure your router/firewall
- set your computer to automatically install security updates to ssh
- use your router to forward port 22 to serve ssh to the Internet
- configure ssh to not allow root logins.  If you must allow root
logins, force ssh keys.
- Use strong passwords on all your ssh accounts and don't give accounts
to anyone you don't trust to use a strong password.
- Do a portscan from a free remote portscanning website to ensure you
got your router config right.

To reach your code repository, use SSH port forwarding, it's a
poor-man's tunnel, but ssh is easy to maintain.  You can do the same for
VNC.  You can even use ssh to tunnel back to your router to remotely
administer it without remote administration being enabled.

The end result is that you're sharing one well-known, well-trusted and
well patched service (SSH) to access all services on your machine.

In this configuration, you don't need to bother with SSL either.  If you
want to be paranoid, configure the server to only serve http on
127.0.0.1, then you can only reach it locally or from your ssh tunnel.

The principle here is to simplify, expose as little as possible and then
secure, maintain and monitor what's exposed.

...the books will tell you how to open up the configuration securely to
do more interesting things.

-Mike
--
The Toronto Linux Users Group.      Meetings: http://gtalug.org/
TLUG requests: Linux topics, No HTML, wrap text below 80 columns
How to UNSUBSCRIBE: http://gtalug.org/wiki/Mailing_lists
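The "expose only SSH, tunnel everything else" setup in Mike's message, as an added example that is not part of the original post or the list archive: a small POSIX shell script that audits an sshd_config against the advice above (no root logins, or key-only root; no empty passwords), lists which listening sockets would actually be reachable from outside if port-forwarded, and prints the ssh -L commands for VNC, the repository's web interface and the router's admin page. The sshd_config contents, the ss output, the hostname home.example.org and the router address 192.168.1.1 are all constructed placeholders, not values from the post.

```shell
#!/bin/sh
# Added example, not from the original post: offline checks for the
# "share only SSH, tunnel everything else" setup described above.
# All sample configs, hostnames and addresses below are constructed
# assumptions for illustration.

# audit_sshd FILE
# Flags sshd_config settings that contradict the advice above. sshd
# honours the first uncommented occurrence of a keyword, so that is the
# one we read; a missing PermitRootLogin is flagged so it gets set
# explicitly. Prints one line per finding, returns 1 if anything was flagged.
audit_sshd() {
  cfg=$1 bad=0
  first() { awk -v k="$1" 'tolower($1)==tolower(k) {print tolower($2); exit}' "$cfg"; }
  case "$(first PermitRootLogin)" in
    no|prohibit-password|without-password) ;;   # root disabled, or key-only
    *) echo "PermitRootLogin: set 'no' or 'prohibit-password' (key-only)"; bad=1 ;;
  esac
  if [ "$(first PermitEmptyPasswords)" = yes ]; then
    echo "PermitEmptyPasswords yes: contradicts 'strong passwords on all accounts'"; bad=1
  fi
  return $bad
}

# exposed_listeners < ss-output
# Reads 'ss -ltn' output and prints "PORT ADDR" for every socket listening
# on a non-loopback address other than port 22. Anything printed is what
# a stray port forward (or a LAN guest) could reach; services bound to
# 127.0.0.1 are reachable only locally or through the ssh tunnel.
exposed_listeners() {
  awk '$1=="LISTEN" {
    n=split($4,a,":"); port=a[n]
    addr=substr($4,1,length($4)-length(port)-1)
    if (addr!="127.0.0.1" && addr!="[::1]" && port!="22") print port, addr
  }'
}

# tunnel_cmd NAME: the local port forward through the one exposed service.
# HOME_HOST (public name of the ssh box) and ROUTER_LAN are assumed placeholders.
HOME_HOST=${HOME_HOST:-home.example.org}
ROUTER_LAN=${ROUTER_LAN:-192.168.1.1}
tunnel_cmd() {
  case "$1" in
    vnc)    echo "ssh -N -L 5901:127.0.0.1:5900 $HOME_HOST" ;;  # then: vncviewer localhost:1
    http)   echo "ssh -N -L 8080:127.0.0.1:80 $HOME_HOST" ;;    # repo web UI on http://localhost:8080/
    router) echo "ssh -N -L 8443:$ROUTER_LAN:443 $HOME_HOST" ;; # router admin page, remote admin stays off
    *) echo "unknown service: $1" >&2; return 1 ;;
  esac
}

# --- constructed samples -----------------------------------------------
WEAK=$(mktemp) HARD=$(mktemp)
trap 'rm -f "$WEAK" "$HARD"' EXIT
cat >"$WEAK" <<'EOF'
#PermitRootLogin no
PermitRootLogin yes
PermitEmptyPasswords yes
EOF
cat >"$HARD" <<'EOF'
Port 22
PermitRootLogin prohibit-password
PasswordAuthentication yes
EOF
SS_SAMPLE='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*
LISTEN 0      128    127.0.0.1:5900      0.0.0.0:*
LISTEN 0      128    *:80                *:*
LISTEN 0      128    [::]:22             [::]:*'

echo "== weak sshd_config";     audit_sshd "$WEAK" || echo "(fails audit)"
echo "== hardened sshd_config"; audit_sshd "$HARD" && echo "(passes audit)"
echo "== exposed listeners";    printf '%s\n' "$SS_SAMPLE" | exposed_listeners
echo "== tunnels";              for s in vnc http router; do tunnel_cmd "$s"; done
```

On a real box, run `audit_sshd /etc/ssh/sshd_config` and `ss -ltn | exposed_listeners`; the second check is the local complement of the remote portscan the post suggests, since it shows what the router would hand out if a forward were added by mistake. The http server in the sample is bound to `*:80` and so shows up as exposed; rebinding it to 127.0.0.1 as the post suggests makes it disappear from the list while the `http` tunnel still reaches it.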




