Alan McKinnon wrote:
> On Saturday 05 September 2009 11:56:09 Dale wrote:
>   
>> Hi,
>>
>> As some may know already, I recently got DSL.  It's not a super fast
>> connection by broadband standards but it does mean that my box may be
>> easier to find for a hacker.  So, I have a few questions about
>> security.  I think I am OK but want to make sure.
>>
>> 1:  I have a good root password.  It's not something someone would guess
>> for sure.  Nothing related to my history, birthdays or anything.  It is
>> still fairly easy for me to type tho.
>>     
>
> Good. Also disable root login using sshd
>   

Since ssh is not running, I assume it doesn't matter at this point?

>   
>> 2:  I went to this link:  https://www.grc.com/x/ne.dll?bh0bkyd2
>> According to that site my ports are in "stealth" mode which is good from
>> what I understand.
>>     
>
> That's Gibson. Sometimes he talks sense and has good ideas, but he always 
> rambles. Wheat and chaff.
>
> Run "netstat -atnup" and see what's open. Apply brainpower to what you see.
> Learn how to drive nmap and throw it at localhost. Apply brainpower to what 
> you see.
>   

This looks OK to me.  It is things that I have connected to the internet
and am using.  I have Seamonkey running and Kopete is logged into Yahoo
at the moment.  Still want to get rid of that pesky upgrade message
tho.  ;-)  I do have cups running but nothing is shared.  It's just a
local printer.  I have no idea what the mDNSResponderP thing is.  That
is something that is pulled in by something else and it showed up ages
ago. 

r...@smoker / # netstat -atnup
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.1:3493          0.0.0.0:*               LISTEN      26885/upsd
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN      5428/cupsd
tcp        0      0 127.0.0.1:3493          127.0.0.1:40613         ESTABLISHED 26885/upsd
tcp        0      0 127.0.0.1:38147         127.0.0.1:631           TIME_WAIT   -
tcp        0      0 127.0.0.1:631           127.0.0.1:38148         ESTABLISHED 5428/cupsd
tcp        0      0 192.168.1.1:53247       68.180.217.6:5050       ESTABLISHED 6730/kopete
tcp        1      0 192.168.1.1:45608       204.2.215.83:80         CLOSE_WAIT  6269/gpg-agent
tcp        1      0 192.168.1.1:45609       204.2.215.83:80         CLOSE_WAIT  6269/gpg-agent
tcp        0      0 127.0.0.1:38148         127.0.0.1:631           ESTABLISHED 6795/seamonkey-bin
tcp        0      0 127.0.0.1:40613         127.0.0.1:3493          ESTABLISHED 28709/upsmon
udp        0      0 0.0.0.0:40143           0.0.0.0:*                           5382/mDNSResponderP
udp        0      0 0.0.0.0:5353            0.0.0.0:*                           5348/mdnsd
udp        0      0 0.0.0.0:5353            0.0.0.0:*                           5382/mDNSResponderP
udp        0      0 0.0.0.0:60777           0.0.0.0:*                           5348/mdnsd
udp        0      0 192.168.1.1:123         0.0.0.0:*                           25561/ntpd
udp        0      0 127.0.0.1:123           0.0.0.0:*                           25561/ntpd
udp        0      0 0.0.0.0:123             0.0.0.0:*                           25561/ntpd
r...@smoker / #

>   
>> 3:  I have no servers running here.  No Apache, MySql, or any of that.
>> I also have turned off/stopped ssh since I have only one box at the
>> moment.
>>     
>
> No services running by default is a sane starting point for personal use. But 
> you will likely need *some* services, so deploy them one by one and audit 
> each one before taking it live. Start them only when you need them.
>
>   
>> 4:  I'm currently using this kernel:  2.6.25-gentoo-r9  I plan to
>> upgrade that in the next day or so.
>>     
>
> Kernel bugs exist of course, but in terms of numbers, it's far easier for 
> someone to access your box using other routes. Like php.
>
> Pay attention to kernel bugs but you also have to prioritize by risk factor, 
> so that one is correspondingly lower on the list.
>
>   
>> The DSL modem I am using is the Motorola 2210.  It seems to be a gateway
>> thing.  I have no router at the moment but if I build a new rig I will
>> be getting one then.  Most likely a Linksys or something.  I'll post
>> here before getting one anyway.  ;-)
>>
>> Am I missing anything?  If you need more info, let me know.  I just want
>> to make sure no one can get into my box without me knowing about it and
>> getting into mischief.
>>     
>
> By far the most common attack vector into home machines is users doing stupid 
> things with mail and dodgy links. This is how phishers work. So you need to 
> apply diligence in what you click and where you go. But, you are likely 
> exercising this already.
>
> Top of my list is always to lock down things that give shell access. No 
> telnet, no root login, access for specific users only. I use "AllowGroups" in 
> sshd_config a lot - only that group's members may log in and one grep shows 
> you exactly who is in that group.
>
> You deal with brute force attacks using packages like fail2ban and denyhosts. 
> The general idea is that if a certain number of failed attempts show up in 
> the logs in a short time, that IP is locked out for a few hours.
>
> John the Ripper is excellent at finding weak passwords. I don't know how much 
> benefit you will get - having only two users with passwords - but I use it 
> routinely on my servers. There's a certain satisfaction in attending security 
> forum meetings and telling some manager with a stick up his ass that you are 
> the one who trashed his access because you found his password in 38 seconds 
> :-)
>
>   

I don't think anyone can login here except through something local.  I
can't remember where but it has to be a local connection for it to let
you login.  Basically, I don't want anyone to be able to login, root or
user, from anything but my chair.  I think that is how it is set up.  I
don't access or need access from a remote location basically. 

I am careful with things like bank sites, credit card sites even myspace
and others.  I don't click on links in emails or anything.  I have most
everything bookmarked in Seamonkey and keyworded so I don't have to type
much.  For my google email account, I type in gmail and it goes to my
google email account.  My bank and credit card don't allow form
managers which in a way I don't like.  I used to have a really long
password that was about as secure as it could get but now that I have to
type all that crap in, I changed it to something shorter.  Yea, me and
the bank went a few rounds on that one. 

I'll check into fail2ban and denyhosts.  Any one better or more
preferred than the other?

Thanks.  I knew you would help me on this.  LOL

Dale

:-)  :-)
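Alan's advice to "apply brainpower" to the netstat output is the kind of thing a short script can do systematically. The following is an added example, not code from Dale, Alan or any project: it parses the `netstat -atnup` listing Dale posted (copied in, re-joined onto one line per socket) and separates the services bound to loopback, which only the local machine can reach, from those bound to 0.0.0.0 or the LAN address 192.168.1.1, which the DSL modem or anything else on the network segment could talk to. In Dale's listing that puts upsd and cupsd in the "loopback only" bucket and leaves mdnsd, mDNSResponderP and ntpd as the ones worth a second look.

```python
"""Audit 'netstat -atnup' output: which sockets could another host reach?

Added example; not code from the original thread. It parses the listing
Dale posted and separates loopback-only services from those bound to a
wildcard or LAN address.
"""
import ipaddress
import re
from dataclasses import dataclass

# Dale's netstat listing, verbatim apart from the mail client's line wrapping.
NETSTAT_OUTPUT = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.1:3493          0.0.0.0:*               LISTEN      26885/upsd
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN      5428/cupsd
tcp        0      0 127.0.0.1:3493          127.0.0.1:40613         ESTABLISHED 26885/upsd
tcp        0      0 127.0.0.1:38147         127.0.0.1:631           TIME_WAIT   -
tcp        0      0 127.0.0.1:631           127.0.0.1:38148         ESTABLISHED 5428/cupsd
tcp        0      0 192.168.1.1:53247       68.180.217.6:5050       ESTABLISHED 6730/kopete
tcp        1      0 192.168.1.1:45608       204.2.215.83:80         CLOSE_WAIT  6269/gpg-agent
tcp        1      0 192.168.1.1:45609       204.2.215.83:80         CLOSE_WAIT  6269/gpg-agent
tcp        0      0 127.0.0.1:38148         127.0.0.1:631           ESTABLISHED 6795/seamonkey-bin
tcp        0      0 127.0.0.1:40613         127.0.0.1:3493          ESTABLISHED 28709/upsmon
udp        0      0 0.0.0.0:40143           0.0.0.0:*                           5382/mDNSResponderP
udp        0      0 0.0.0.0:5353            0.0.0.0:*                           5348/mdnsd
udp        0      0 0.0.0.0:5353            0.0.0.0:*                           5382/mDNSResponderP
udp        0      0 0.0.0.0:60777           0.0.0.0:*                           5348/mdnsd
udp        0      0 192.168.1.1:123         0.0.0.0:*                           25561/ntpd
udp        0      0 127.0.0.1:123           0.0.0.0:*                           25561/ntpd
udp        0      0 0.0.0.0:123             0.0.0.0:*                           25561/ntpd
"""

# Old net-tools prints the State column 11 wide, so ESTABLISHED runs straight
# into the PID ("ESTABLISHED26885/upsd"); this regex splits such fused tokens.
# Longer names come before their prefixes (CLOSE_WAIT, CLOSING before CLOSE).
STATE_RE = re.compile(r"^(LISTEN|ESTABLISHED|TIME_WAIT|CLOSE_WAIT|CLOSING|CLOSE|"
                      r"SYN_SENT|SYN_RECV|FIN_WAIT1|FIN_WAIT2|LAST_ACK)(.*)$")


@dataclass(frozen=True)
class Socket:
    proto: str
    local_ip: str
    local_port: int
    state: str     # "" for UDP, which has no connection state
    program: str   # "PID/name", or "-" when netstat could not tell


def parse_netstat(text):
    """Turn netstat -atnup output into Socket records, skipping the headers."""
    sockets = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] not in ("tcp", "tcp6", "udp", "udp6"):
            continue
        proto, local, rest = fields[0], fields[3], fields[5:]
        state = ""
        if proto.startswith("tcp") and rest:
            m = STATE_RE.match(rest[0])
            if m:
                state = m.group(1)
                rest = ([m.group(2)] if m.group(2) else []) + rest[1:]
        host, _, port = local.rpartition(":")
        sockets.append(Socket(proto, host, int(port), state, rest[0] if rest else "-"))
    return sockets


def reachable_from_network(ip):
    """True when the bind address is not confined to this host."""
    if ip in ("0.0.0.0", "::", "*"):
        return True
    return not ipaddress.ip_address(ip).is_loopback


def exposed_services(sockets):
    """Listening TCP / bound UDP sockets another host could reach, deduplicated."""
    seen, out = set(), []
    for s in sockets:
        serving = s.state == "LISTEN" if s.proto.startswith("tcp") else True
        key = (s.proto, s.local_ip, s.local_port, s.program)
        if serving and reachable_from_network(s.local_ip) and key not in seen:
            seen.add(key)
            out.append(s)
    return out


def loopback_only_services(sockets):
    """Listeners bound to 127.0.0.1 / ::1: reachable only from the local box."""
    return [s for s in sockets
            if (s.state == "LISTEN" or s.proto.startswith("udp"))
            and not reachable_from_network(s.local_ip)]


if __name__ == "__main__":
    socks = parse_netstat(NETSTAT_OUTPUT)
    print("Reachable from the network:")
    for s in exposed_services(socks):
        print(f"  {s.proto} {s.local_ip}:{s.local_port:<6} {s.program}")
    print("Loopback only:")
    for s in loopback_only_services(socks):
        print(f"  {s.proto} {s.local_ip}:{s.local_port:<6} {s.program}")
```

Established connections (kopete, gpg-agent, seamonkey-bin) are deliberately left out of both lists: they are outbound sessions Dale started, not services waiting for someone else to connect. The real follow-up for each exposed entry is the one Alan gives, check whether the service needs to listen on more than loopback and, if not, bind it there or stop it.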
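Alan describes the fail2ban/denyhosts rule as "a certain number of failed attempts in the logs in a short time, and that IP is locked out for a few hours". Below is an added example of that rule in miniature, written for this thread; it is not code from fail2ban, denyhosts or anyone on the list. The log lines are constructed in OpenSSH's auth-log format, the year is assumed because syslog omits it, and the threshold, window and ban length are illustrative defaults, not either project's configuration.

```python
"""The fail2ban / denyhosts idea in miniature: too many failed logins from one
IP inside a time window, and that IP is locked out for a while.

Added example; not code from either project or from the thread. Log lines are
constructed in OpenSSH auth-log format; the year is assumed (syslog omits it).
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

ASSUMED_YEAR = 2009  # syslog timestamps carry no year; assumption for parsing

FAILED_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>\d+\.\d+\.\d+\.\d+) port \d+"
)

# Constructed sample: one IP hammers the box, a legitimate user fumbles twice,
# far apart, and the first IP comes back after its ban has lapsed.
SAMPLE_LOG = """\
Sep  5 12:00:01 smoker sshd[4001]: Failed password for invalid user admin from 203.0.113.7 port 40001 ssh2
Sep  5 12:00:05 smoker sshd[4002]: Failed password for invalid user admin from 203.0.113.7 port 40002 ssh2
Sep  5 12:00:09 smoker sshd[4003]: Failed password for root from 203.0.113.7 port 40003 ssh2
Sep  5 12:00:15 smoker sshd[4004]: Failed password for root from 203.0.113.7 port 40004 ssh2
Sep  5 12:01:00 smoker sshd[4005]: Failed password for dale from 198.51.100.23 port 51000 ssh2
Sep  5 12:01:30 smoker sshd[4006]: Accepted password for dale from 198.51.100.23 port 51001 ssh2
Sep  5 12:30:00 smoker sshd[4007]: Failed password for dale from 198.51.100.23 port 51002 ssh2
Sep  5 14:30:00 smoker sshd[4008]: Failed password for root from 203.0.113.7 port 40005 ssh2
"""


def parse_timestamp(ts):
    """'Sep  5 12:00:01' -> datetime in the assumed year."""
    return datetime.strptime(ts, "%b %d %H:%M:%S").replace(year=ASSUMED_YEAR)


class Jail:
    """Per-IP sliding window of failures plus an expiring ban list."""

    def __init__(self, maxretry=3, findtime=timedelta(minutes=10),
                 bantime=timedelta(hours=2)):
        self.maxretry, self.findtime, self.bantime = maxretry, findtime, bantime
        self.failures = defaultdict(deque)   # ip -> timestamps of recent failures
        self.banned = {}                     # ip -> time the ban expires

    def is_banned(self, ip, now):
        expiry = self.banned.get(ip)
        if expiry is None:
            return False
        if now >= expiry:            # ban has lapsed; forget it
            del self.banned[ip]
            return False
        return True

    def record_failure(self, ip, when):
        """Register one failed login; return True if it triggers a ban."""
        if self.is_banned(ip, when):
            return False             # already locked out, nothing new to do
        window = self.failures[ip]
        window.append(when)
        while window and when - window[0] > self.findtime:
            window.popleft()         # drop attempts older than findtime
        if len(window) >= self.maxretry:
            self.banned[ip] = when + self.bantime
            window.clear()
            return True
        return False


def replay(log_text, jail=None):
    """Feed auth-log lines to a Jail; return (jail, [(ip, ban_start), ...])."""
    jail = jail or Jail()
    bans = []
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue                 # successes and unrelated lines are ignored
        when = parse_timestamp(m.group("ts"))
        if jail.record_failure(m.group("ip"), when):
            bans.append((m.group("ip"), when))
    return jail, bans


if __name__ == "__main__":
    jail, bans = replay(SAMPLE_LOG)
    for ip, when in bans:
        print(f"{when:%b %d %H:%M:%S}: banned {ip} until {when + jail.bantime:%H:%M:%S}")
```

The two details that make this more than a counter are the sliding window (two failures 29 minutes apart never add up to a ban, so a user who mistypes occasionally is left alone) and the expiring ban (the same IP is counted afresh once its lockout has lapsed). The real tools add the firewall or hosts.deny action on top; this only decides when it should fire.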
