Re: security issues

To: debian-user@lists.debian.org
Subject: Re: security issues
From: Dejan Jocic <jodejka@gmail.com>
Date: Sat, 26 Aug 2017 10:13:38 +0200
Message-id: <[🔎] 20170826081338.barr7enz4xeke2uo@ddeb.ddeb.net>
In-reply-to: <[🔎] CAKD1F6906b+E9ik_p7jr9ZNY6Rr4V6qy7XRNJUtZZUVVAa9bqg@mail.gmail.com>
References: <[🔎] CAKD1F6906b+E9ik_p7jr9ZNY6Rr4V6qy7XRNJUtZZUVVAa9bqg@mail.gmail.com>

On 26-08-17, R Calleja wrote:
> Buenos dias, soy usuario de debian 8.9 desde hace 2 años.
> Tengo problemas de seguridad que me obligan a reinstalar el sistema a
> menudo, una vez al año.
> He leido documentos y ayuda para mejorar la seguridad.
> Pero no soy un usuario con conocimientos avanzados de sistemas.
> Mi objetivo es conseguir una estacion de trabajo segura .
> He conocido herramientas como:
> Lynis, openval, nessus, grsecurity,apparmor, selinux, etc
> Si puede alguien con conocimientos de seguridad  ayudarme. O hay alguna
> empresa que de soporte.
> 
> Muchas gracias, Roberto
> 
> 
> Good afternoon, I have been debian 8.9 user for 2 years.
> I have security issues that force me to reinstall the system often, once a year.

What security issues?

> I have read documents and help to improve security.

What documents?

> But I am not a user with advanced systems knowledge.

That is not problem, you can find lots of tutorials and documents
around.

> My goal is to get a safe work station.
> I have known tools like:
> Lynis, openval, nessus, grsecurity, apparmor, selinux, etc.

Apparmor and selinux do not go together, use just apparmor because it is
easier to set up and easier not to mess up. Selinux in theory can
provide you with more protection, but in practical use you will not see
it. Lynis is probably too much for you. Openval I do not know, nessus I
did not use. Grsecurity is, according to Linus Torvald:

"

    Don't bother with grsecurity.

    Their approach has always been "we don't care if we break
    anything, we'll just claim it's because we're extra secure".

    The thing is a joke, and they are clowns. When they started
    talking about people taking advantage of them, I stopped
    trying to be polite about their bullshit.

    Their patches are pure garbage.

    Linus
"
> If anyone with safety knowledge can help me. Or is there any support company.
> 
> Thank you very much, Roberto

For someone who knows little, you are sure installing too much things.
Here are some general advices, but do not take this for granted, it is
based on personal opinion after all, and I'm not security expert, though
I did read for few of those have to say about security in linux.

1. Firewall. If you are connected to net and use some services you
really want it. Choose simple one, like gufw. That is front end for ufw
( uncomplicated firewall ) and will serve your needs well. If you want
something more secure, but really more complicated, you will have to
learn iptables.

2. Always keep your system updated with latest security patches. So, do
your daily routine of apt-get update && apt-get upgrade. Even apt-get
dist-upgrade, in case of need.

3. apparmor can help to mitigate risks of some exploits and is easier to
setup than selinux.

4. Use some tools that can help you detect potential rootkits. So, learn
how to use rkhunter, chkrootkit and some of intrusion detection tools,
like aide, or tripwire. Also some network based intrusion detection
tools like Snort, or suricata.

5. If you use ssh, disable root login, disable logging with passwords,
use pair of keys. When we are at root account, if someone else can
physically access your comp, you should disable it too and use sudo. But
it is not necessary and will not increase your security as standalone
solution in cases where someone can poke your comp freely. For further
reading about restricting root account: https://www.centos.org/docs/5/html/5.1/Deployment_Guide/s2-wstation-privileges-noroot.html

6. Just in case that you are connected to some windows based machines,
you can install and use clamav. But it will not protect you personally,
will just make you better neighbour.

7. Oh, yes, secure password is good thing to have too. Do not use your
name, your family names, your dog name, nor anything that can be
connected to you, or is susceptible to dictionary attacks. You can
install some tool like john the riper to check if your password is weak.

8. Encrypt your data and use backups.

9. Do a lot of reading about all that, practice a bit and do not put
high hopes in paying someone to protect you. If you do not know what are
you doing, no one can babysit your 24 hours a day.

10. I'm sure that there is more and that some people around can tell
you more, but complete guide to security is hard to get on this list, or
in some forums. There are some books around about that subject, written
by people that know lots and can presented better than I can. Again, it
requires lots of reading, research and practicing. And no one can do it
for you. If you want to be more secure, than you must get "advanced
knowledge".

Hope that this can help you a bit.

Reply to:

Follow-Ups:
- Re: security issues
  - From: Nicolas George <george@nsup.org>
- Re: security issues
  - From: Gene Heskett <gheskett@shentel.net>

References:
- security issues
  - From: R Calleja <rcalleja4@gmail.com>

Prev by Date: Does KDE desktop environment work with Stretch VNC server?
Next by Date: Re: Does KDE desktop environment work with Stretch VNC server?
Previous by thread: security issues
Next by thread: Re: security issues
Index(es):
- Date
- Thread