
Re: Newbie friendly security and firewall docs (cookbook?)



On 10/08/2014 07:20 AM, Richard Owlett wrote:
> koanhead wrote:
>> On 10/06/2014 04:20 AM, Richard Owlett wrote:
>>> I'm a relatively new convert from Windows to Debian...
>>> I'm looking for a reference document that wouldn't scare my friend off
>>> Debian and also give me the required information to...

>> https://wiki.debian.org/iptables should be as much as you need to
>> accomplish this.
> 
> That page is unsuitable for the audience I wish to reach. 

My apologies: I misunderstood you and thought you were looking for such
a document for your own use.
To my knowledge, there's no such documentation for iptables that is
suitable for a nontechnical user (that is, someone without a working
knowledge of TCP/IPv4 networking).
However, there are simplified frontends to iptables that are available
in the repositories. gufw [1] comes to mind, and you could probably walk
your friend through its use fairly painlessly. It comes with a sensible
(for some people) set of defaults.

[1] https://packages.debian.org/wheezy/gufw see also
https://launchpad.net/gui-ufw

> 
> I'll take you up on that. I volunteered for something else this weekend
> that may help me coherently describe what I'm looking for.

☺

>>
>>>    2. list of daemons/services/??? that should be disabled or not
>>> installed.
>>
>> It depends on what your friend will do with his computer...
>>
>> Any service you're not currently using should be disabled. Any service
>> you won't use should not be installed.
> 
> Yeah. But ;/ The devil is in the details.
> Where is a list of services?

There's one at /etc/services. It's a list of 'well-known' services and
their associated ports, not a list of things which are installed or
running.
To my knowledge the package manager does not make a distinction between
services and packages for 'non-services'. There's probably a clever way
to `aptitude search` for it, but I don't know - apart from
`aptitude search *-daemon` or so.

There's also no definitive way to get a list of running services under
sysvinit. IIRC the `systemctl` command in systemd does this, but you
won't have it available in wheezy. You can try the following to
approximate it:

`ps --ppid 1` - lists all processes of which init is the direct parent.
Should include all services, but not only services.

`service --status-all | grep '[+]'` - should list all the services the
service command knows are running. Not definitive as the service command
does not manage all services.

> How would Joe the Janitor and Mary the Florist choose?

They should stick with the installed defaults. Those are pretty safe.
They should not install sshd (because why would they?) nor use sudo
unless and until they are properly configured.
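
Added example (not part of the original message): a shell sketch that combines the two approximations from the reply, classifying `service --status-all` output and listing children of init that no init script reports as running. The function names, the name-prefix matching heuristic and the sample data are assumptions constructed for illustration.

```shell
#!/bin/sh
# Sample data is constructed, not captured from a real machine.
SAMPLE_STATUS=' [ + ]  cron
 [ - ]  rsync
 [ ? ]  exim4
 [ + ]  rsyslog'

SAMPLE_INIT_CHILDREN='cron
rsyslogd
exim4
getty'

# Turn `service --status-all` output (stdin) into "state name" lines.
# [ + ] = running, [ - ] = stopped, [ ? ] = init script has no status action.
classify_services() {
    awk '$1 == "[" && $3 == "]" {
        state = ($2 == "+") ? "running" : ($2 == "-") ? "stopped" : "unknown"
        print state, $4
    }'
}

# $1: classified list, $2: command names of init's children (one per line).
# Prints children that no init script reports as running, i.e. what
# `service` alone would miss. Matching is a heuristic: the process name
# must start with the init script name (rsyslogd vs. rsyslog).
unaccounted() {
    printf '%s\n' "$2" | sort -u | while read -r proc; do
        printf '%s\n' "$1" | awk -v p="$proc" '
            $1 == "running" && index(p, $2) == 1 { found = 1 }
            END { exit !found }' || echo "$proc"
    done
}

# Live use: run as `sh script.sh live`. stderr is merged because
# [ ? ] lines may be written there.
if [ "${1:-}" = live ]; then
    status=$(service --status-all 2>&1 | classify_services)
    unaccounted "$status" "$(ps --ppid 1 -o comm=)"
fi
```

Entries it prints are not necessarily unwanted (getty is normal); they are simply processes to identify by hand before deciding whether the package behind them should stay installed.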

