linux security books

Rajinder Yadav devguy.ca-Re5JQEeQqe8AvxtiuMwx3w at public.gmane.org
Thu Oct 7 21:38:24 UTC 2010


On Sun, Oct 3, 2010 at 11:22 AM, Mike Kallies <mike.kallies-Re5JQEeQqe8AvxtiuMwx3w at public.gmane.org> wrote:
> On 10/2/2010 8:18 PM, Rajinder Yadav wrote:
>> I am behind a router firewall
>
>
> If you're behind a router-firewall, you're already most of the way there.
>
> Check your router manufacturer site to make sure there are no recent
> firmware patches to your router.  There have been attacks against the
> routers themselves.
>
> Ensure that the router cannot be remotely administered, or if it can,
> that it has a stunningly complex password, because it will be attacked
> endlessly, and are you *really* going to watch it?
>
> If the router does wifi, use WPA or better (only WPA2 should be
> considered actually secure); remember that anyone on the wifi network can
> get into your home network.
>
> It sounds like you're learning, and you're also talking about protocols
> like VNC.  Free versions of VNC are not secure without some kind of
> tunnel.  The following is a very lazy configuration:
>
> - patch and secure your router/firewall
> - set your computer to automatically install security updates to ssh
> - use your router to forward port 22 to serve ssh to the Internet
> - configure ssh to not allow root logins.  If you must allow root
> logins, force ssh keys.
> - Use strong passwords on all your ssh accounts and don't give accounts
> to anyone you don't trust to use a strong password.
> - Do a portscan from a free remote portscanning website to ensure you
> got your router config right.
>
> To reach your code repository, use SSH port forwarding, it's a
> poor-man's tunnel, but ssh is easy to maintain.  You can do the same for
> VNC.  You can even use ssh to tunnel back to your router to remotely
> administer it without remote administration being enabled.
>
> The end result is that you're sharing one well-known, well-trusted and
> well patched service (SSH) to access all services on your machine.
>
> In this configuration, you don't need to bother with SSL either.  If you
> want to be paranoid, configure the server to only serve http on
> 127.0.0.1, then you can only reach it locally or from your ssh tunnel.
>
> The principle here is to simplify, expose as little as possible and then
> secure, maintain and monitor what's exposed.
>
> ...the books will tell you how to open up the configuration securely to
> do more interesting things.
>
> -Mike
> --
> The Toronto Linux Users Group.      Meetings: http://gtalug.org/
> TLUG requests: Linux topics, No HTML, wrap text below 80 columns
> How to UNSUBSCRIBE: http://gtalug.org/wiki/Mailing_lists
>

Mike, thanks for the checklist, it's very handy for the kind of setup I want.

-- 
Kind Regards,
Rajinder Yadav | http://DevMentor.org | Do Good! - Share Freely
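An added example, not part of the thread and not anything Mike or Rajinder posted: a small POSIX sh script that checks a box against the "lazy configuration" checklist above (root logins off or key-only, nothing but ssh reachable from the network) and prints the ssh port-forwarding commands for VNC and a web server bound to 127.0.0.1. All inputs are constructed samples embedded in the script; the host name home.example.org, the account name and the port numbers are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread). Audits constructed sshd_config
# text, lists ports exposed beyond ssh, and builds ssh -L tunnel commands.
# Nothing here connects anywhere or reads real system files.

# --- constructed sample inputs -------------------------------------------

# Two sshd_config fragments: roughly how many 2010-era distros shipped, and hardened.
SSHD_WEAK='Protocol 2
PermitRootLogin yes
PasswordAuthentication yes
Port 22'

SSHD_HARDENED='Protocol 2
PermitRootLogin no
PubkeyAuthentication yes
Port 22'

# Listening sockets as "addr:port", the shape of `ss -ltn` / `netstat -ltn` output (constructed).
LISTEN_SAMPLE='0.0.0.0:22
127.0.0.1:8080
0.0.0.0:5900
127.0.0.1:9418'

# --- helpers ---------------------------------------------------------------

# Effective value of an sshd directive: first match wins, as sshd itself does.
# $3 is the value assumed when the directive is absent. Match blocks are not handled.
sshd_get() {
  val=$(printf '%s\n' "$1" | awk -v k="$2" 'tolower($1)==tolower(k) {print $2; exit}')
  if [ -n "$val" ]; then printf '%s' "$val"; else printf '%s' "$3"; fi
}

# Audit one sshd_config text against the checklist. Prints findings and returns
# non-zero if any were found. An absent PermitRootLogin is treated as "yes",
# the OpenSSH default at the time of the thread (assumption for a conservative audit).
sshd_audit() {
  findings=0
  case "$(sshd_get "$1" PermitRootLogin yes)" in
    no|prohibit-password|without-password) ;;
    *) echo "FAIL: PermitRootLogin permits password logins for root (use 'no', or 'prohibit-password' to force keys)"
       findings=$((findings + 1)) ;;
  esac
  if [ "$(sshd_get "$1" PubkeyAuthentication yes)" != "yes" ]; then
    echo "FAIL: PubkeyAuthentication is disabled; keys cannot replace passwords"
    findings=$((findings + 1))
  fi
  [ "$findings" -eq 0 ]
}

# Ports reachable from the network: loopback-bound sockets are skipped, and so are
# the allowlisted ports in $2 (space separated). Anything printed is extra exposure.
exposed_ports() {
  printf '%s\n' "$1" | awk -v allow=" $2 " '
    /^127\./ || /^\[::1\]/ { next }            # bound to loopback only: fine
    { n = split($0, a, ":"); port = a[n] }     # last field after the colon is the port
    index(allow, " " port " ") == 0 { print port }'
}

# The ssh -L command carrying a local port to a service bound to 127.0.0.1 on the server.
# Usage: tunnel_cmd LOCAL_PORT REMOTE_PORT USER HOST
tunnel_cmd() {
  printf 'ssh -N -L %s:127.0.0.1:%s %s@%s' "$1" "$2" "$3" "$4"
}

# --- demo: run as `sh tunnel_check.sh demo` ----------------------------------
if [ "${1:-}" = "demo" ]; then
  echo "== weak sshd_config";     sshd_audit "$SSHD_WEAK" || true
  echo "== hardened sshd_config"; sshd_audit "$SSHD_HARDENED" && echo "ok"
  echo "== ports exposed beyond ssh (22):"; exposed_ports "$LISTEN_SAMPLE" "22"
  echo "== tunnel for VNC on the server's display :0 (port 5900):"
  tunnel_cmd 5901 5900 user home.example.org; echo
  echo "== tunnel for a web server bound to 127.0.0.1:8080:"
  tunnel_cmd 8080 8080 user home.example.org; echo
fi
```

With the sample data the audit flags the weak config for `PermitRootLogin yes`, passes the hardened one, and reports port 5900 as the only service reachable from the network besides ssh: that is the VNC listener Mike says should sit behind an ssh tunnel rather than on the Internet. Once it is bound to 127.0.0.1 (or blocked at the router), the printed `ssh -N -L` commands reach VNC and the web server through the single exposed ssh port.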