Re: Newbie friendly security and firewall docs (cookbook?)
On 09/10/14 00:12, Richard Owlett wrote:
> koanhead wrote:
>> On 10/06/2014 04:20 AM, Richard Owlett wrote:
>>> I'm a relatively new convert from Windows to Debian...
>>> I'm looking for a reference document that wouldn't scare my friend off
>>> Debian and also give me the required information to:
>>>    1. close the maximum number of ports.
>>>       I see him using browser, email, ftp file downloading.
>>>       I don't see him being a server. All incoming packets should be to
>>>       fulfill a previous outgoing request - [correctly phrased?].
>>
>> https://wiki.debian.org/iptables should be as much as you need to
>> accomplish this.
> 
> That page is unsuitable for the audience I wish to reach. I saw it some
> time ago and had gone looking for something I could use. It's one of
> those Debian pages that reminds me of CPM-80 manuals of decades ago. The
> information is present, but ...

The hard bit about things like firewalling is that there is really a
minimum technical understanding necessary to do it properly.

Even commercial firewall products aimed at the non-technical user fail
miserably on this front.

The user typically gets bombarded by messages regarding some program
executable wants access to "the Internet" with "allow" and "deny"
buttons.  A user who can translate that filename to a program they're
using might stand a chance but many will just click "Allow" because
things break when they click "Deny".

Windows has an advantage over Linux in that it can block access on a
per-binary executable basis.  Netfilter AFAIK doesn't provide filter
rules for blocking distinct executables.

If you can come up with a well-written guide that discusses the basics
well, great, but I suspect this is going to be very difficult to
achieve.  I suspect many are going to expect a "program" they can
download, which in our case could be a netfilter front-end.

The good news is that the "stereotypical Linux user" is generally more
technically competent than the "stereotypical Windows user".

>> Any service you're not currently using should be disabled. Any service
>> you won't use should not be installed.
> 
> Yeah. But ;/ The devil is in the details.
> Where is a list of services?
> How would Joe the Janitor and Mary the Florist choose?

A good start is in /etc/init.d and the update-rc.d utility, but once
again, not good in your use case as it assumes a reasonable level of
understanding.

The closest in Windows I can think of is msconfig, and I'd wager not
many stereotypical Windows users would venture there.

-- 
Stuart Longland (aka Redhatter, VK4MSL)
I haven't lost my mind...
  ...it's backed up on a tape somewhere.
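
A minimal stateful ruleset for point 1 of the original question (drop everything inbound except replies to connections the machine itself opened), as an added example that is not part of the thread and not from any of its posters. The function names and the `DRY_RUN` switch are assumptions made for illustration, and accepting all ICMPv6 is a simplification.

```shell
#!/bin/sh
# Added example: "client only" packet filter for a desktop that runs no servers.
# Assumptions: iptables and ip6tables are installed; --apply is run as root.
# run, client_only_rules, firewall and DRY_RUN are illustrative names.

# Execute a command, or just print it when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "$*"
    else
        "$@"
    fi
}

# Apply the same inbound policy for one address family.
# $1 = iptables or ip6tables
client_only_rules() {
    ipt=$1
    run "$ipt" -F INPUT
    # Loopback traffic never leaves the machine.
    run "$ipt" -A INPUT -i lo -j ACCEPT
    # Replies to connections this host opened (browser, mail, passive FTP).
    # Active-mode FTP additionally needs the nf_conntrack_ftp helper.
    run "$ipt" -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    if [ "$ipt" = ip6tables ]; then
        # IPv6 depends on ICMPv6 (neighbour discovery, path MTU discovery).
        run "$ipt" -A INPUT -p ipv6-icmp -j ACCEPT
    fi
    # Policies go last so the accept rules exist before the default
    # becomes DROP (avoids cutting off a remote session mid-script).
    run "$ipt" -P INPUT DROP
    run "$ipt" -P FORWARD DROP
    run "$ipt" -P OUTPUT ACCEPT
}

firewall() {
    client_only_rules iptables
    client_only_rules ip6tables
}

# Nothing happens unless a mode is given explicitly.
if [ "${1:-}" = "--apply" ]; then
    firewall
elif [ "${1:-}" = "--dry-run" ]; then
    DRY_RUN=1 firewall
fi
```

Run it with `--dry-run` first to review the commands; the rules are not persistent across reboots unless saved separately.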