linux security books
Rajinder Yadav
devguy.ca-Re5JQEeQqe8AvxtiuMwx3w at public.gmane.org
Thu Oct 7 21:38:24 UTC 2010
On Sun, Oct 3, 2010 at 11:22 AM, Mike Kallies <mike.kallies-Re5JQEeQqe8AvxtiuMwx3w at public.gmane.org> wrote:
> On 10/2/2010 8:18 PM, Rajinder Yadav wrote:
>> I am behind a router firewall
>
>
> If you're behind a router-firewall, you're already most of the way there.
>
> Check your router manufacturer site to make sure there are no recent
> firmware patches to your router. There have been attacks against the
> routers themselves.
>
> Ensure that the router cannot be remotely administered, or if it can,
> that it has a stunningly complex password, because it will be attacked
> endlessly, and are you *really* going to watch it?
>
> If the router does wifi, use WPA or better (only WPA2 should be
> considered actually secure). Remember that anyone on the wifi network can
> get into your home network.
>
> It sounds like you're learning, and you're also talking about protocols
> like VNC. Free versions of VNC are not secure without some kind of
> tunnel. The following is a very lazy configuration:
>
> - patch and secure your router/firewall
> - set your computer to automatically install security updates to ssh
> - use your router to forward port 22 to serve ssh to the Internet
> - configure ssh to not allow root logins. If you must allow root
> logins, force ssh keys.
> - Use strong passwords on all your ssh accounts and don't give accounts
> to anyone you don't trust to use a strong password.
> - Do a portscan from a free remote portscanning website to ensure you
> got your router config right.
>
> To reach your code repository, use SSH port forwarding, it's a
> poor-man's tunnel, but ssh is easy to maintain. You can do the same for
> VNC. You can even use ssh to tunnel back to your router to remotely
> administer it without remote administration being enabled.
>
> The end result is that you're sharing one well-known, well-trusted and
> well patched service (SSH) to access all services on your machine.
>
> In this configuration, you don't need to bother with SSL either. If you
> want to be paranoid, configure the server to only serve http on
> 127.0.0.1, then you can only reach it locally or from your ssh tunnel.
>
> The principle here is to simplify, expose as little as possible and then
> secure, maintain and monitor what's exposed.
>
> ...the books will tell you how to open up the configuration securely to
> do more interesting things.
>
> -Mike
> --
> The Toronto Linux Users Group. Meetings: http://gtalug.org/
> TLUG requests: Linux topics, No HTML, wrap text below 80 columns
> How to UNSUBSCRIBE: http://gtalug.org/wiki/Mailing_lists
>
Mike, thanks for the checklist, it's very handy for the kind of setup I want.
--
Kind Regards,
Rajinder Yadav | http://DevMentor.org | Do Good! - Share Freely
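
Editor's note: the script below is an added example, not code posted by
Mike or Rajinder. It turns three items of the quoted checklist into checks
you can run on the home box: that sshd_config forbids root logins (or
forces keys for root), that nothing except sshd on port 22 is listening on
a non-loopback address, and the "poor-man's tunnel" ssh -L invocations for
VNC, the repository's web front end and the router's admin page. The
sshd_config snippets and the `ss -ltn` listing are constructed samples; the
host name home.example, the router LAN address 192.168.1.1 and the port
numbers are assumptions for illustration.

```shell
#!/usr/bin/env bash
# Added example, not code from the original thread. Three small checks for
# the "expose only ssh, tunnel everything else" setup. The sshd_config text
# and the listener output are constructed inline so it runs without a real
# server. home.example, 192.168.1.1 and the port numbers are assumptions.

# First effective value of a keyword in an sshd_config file. sshd uses the
# first occurrence it finds, so a duplicate further down is ignored here too.
sshd_option() {   # sshd_option FILE KEYWORD
  awk -v k="$2" '$1 !~ /^#/ && tolower($1) == tolower(k) { print $2; exit }' "$1"
}

# Checklist items: no root logins (or key-only root), and no empty passwords
# on the accounts you hand out. Returns 0 if the file passes, 1 otherwise.
check_sshd_config() {   # check_sshd_config FILE
  local rc=0 root empty
  root=$(sshd_option "$1" PermitRootLogin)
  case "${root:-yes}" in            # treat "unset" as the old default, yes
    no|prohibit-password|without-password) ;;   # without-password: pre-7.0 spelling
    *) echo "FAIL $1: PermitRootLogin=${root:-unset}; set no (or prohibit-password for key-only root)"; rc=1 ;;
  esac
  empty=$(sshd_option "$1" PermitEmptyPasswords)
  if [ "${empty:-no}" != no ]; then
    echo "FAIL $1: PermitEmptyPasswords=$empty defeats the strong-password rule"; rc=1
  fi
  return $rc
}

# Read `ss -ltn` (or `netstat -ltn`) output on stdin and print every TCP
# listener that is reachable from the LAN/Internet and is not sshd on 22.
# Returns 1 if anything is exposed, 0 if only loopback services remain.
exposed_listeners() {
  awk '$1 == "LISTEN" {
    n = split($4, a, ":"); port = a[n]
    addr = substr($4, 1, length($4) - length(port) - 1)
    if (addr ~ /^127\./ || addr == "[::1]") next   # loopback: reachable only through the tunnel
    if (port == "22") next                         # the one service we mean to expose
    print $4; found = 1
  }
  END { exit found ? 1 : 0 }'
}

# The poor-man's tunnel: one ssh session per remote service, forwarded to a
# local port bound to 127.0.0.1 so it is not re-exposed on the client side.
tunnel_cmd() {   # tunnel_cmd SSHHOST LOCALPORT TARGETHOST TARGETPORT
  printf 'ssh -N -L 127.0.0.1:%s:%s:%s %s\n' "$2" "$3" "$4" "$1"
}

# Constructed sample of `ss -ltn` on the home box: http already bound to
# loopback as Mike suggests, but VNC (5900) still listening on every interface.
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*
LISTEN 0      128    [::]:22             [::]:*
LISTEN 0      128    127.0.0.1:80        0.0.0.0:*
LISTEN 0      5      0.0.0.0:5900        0.0.0.0:*'

demo() {
  local cfg; cfg=$(mktemp)
  printf '# PermitRootLogin no\nPermitRootLogin yes\n' > "$cfg"      # commented line must not count
  check_sshd_config "$cfg" || echo "(fix sshd_config before forwarding port 22)"
  printf 'PermitRootLogin prohibit-password\nPermitEmptyPasswords no\n' > "$cfg"
  check_sshd_config "$cfg" && echo "PASS $cfg"
  rm -f "$cfg"

  echo "exposed listeners (should be empty):"
  printf '%s\n' "$SAMPLE_SS" | exposed_listeners || echo "(bind these to 127.0.0.1 or firewall them)"

  echo "tunnels to run from the remote side:"
  tunnel_cmd home.example 5901 localhost 5900     # then: vncviewer 127.0.0.1:5901
  tunnel_cmd home.example 8080 localhost 80       # repo web front end at http://127.0.0.1:8080/
  tunnel_cmd home.example 8443 192.168.1.1 443    # router admin page, remote admin left off
}
demo
```

Run check_sshd_config against /etc/ssh/sshd_config and pipe a live
`ss -ltn` into exposed_listeners after each change; the listener check is
the local half of the remote portscan in the checklist, since it shows what
the router would be forwarding to if you got a port-forward rule wrong.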