I just wanted to thank you and everyone else who replied for your many excellent suggestions. I understand Chris' and Alex's replies from last November's Installfest better now.
Steve

Bill Broadley wrote:
> Here's a list of my suggestions, none of which are particularly linux centric:
> * Run something with patches.  If you think patches might stop (like say for
>   fedora) before you want to reinstall pick an OS with longer support (like
>   say centos, debian stable, or ubuntu LTS (all 5 years afaik)).
> * Disable password logins via ssh, use a cert if you want to login remotely.
> * Use a good passphrase to protect your cert
> * Only keep your private key/cert on machines you trust.
> * Set a secure user and root password (not strongly word based, and no zero
>   instead of O doesn't make a dictionary word secure).  Do not type that
>   password anywhere else.  Do not share that password with any other
>   machine/service that you don't trust
> * if you check email from less secure computers use a different password
>   than your user/root password.
> * nmap your laptop remotely.  Ideally nothing but ssh would be open, or a
>   service that you are familiar with and you have a reason to run.
> * spend the absolute minimal time as root, don't download random binaries from
>   random places and run them as root.
> * If you build things from source in /opt/src and install them in /opt/pkg
>   make both of those directories owned by a system (non-root) user, then
>   run the ./configure;make;make install as that user.
> * Use firefox 3, read all dialogs, never type any username/password without
>   checking that SSL is used, the URLs look right, and firefox is happy with
>   the certificate.  Do NOT assume that your bank, your email account, or
>   related probably forgot to renew a cert, click ok, and login anyways.
> * If firefox asks if you want to execute something from a website, say no.
> * If something triggers a please type the root/user password dialog and you
>   do not know exactly what and why, believe in both the source and the reason
>   say no.
> * No matter what the explanation, do not ever send your username/password
>   to anyone for any reason.
> * Assume every machine you do not personally admin is hacked.
> * If someone you don't know says that this really cool video (storm footage,
>   earthquakes, twin towers, embarrassing political videos, tsunamis,
>   aliens, or whatever) just requires you to install a binary... don't.  If
>   the standard tools like mplayer, vlc, and friends can't play it, it's likely
>   not worth playing.
> * Do not accept a binary from anyone you wouldn't give your social security
>   number and a credit card to.
> * Anything you aren't positive about run as a different user, logout, login,
>   tinker with it.
> * patch when patches come out, most environments will put up a notification on
>   the default desktop.
> * Unless your browser says you are using SSL or you are using ssh, assume
>   every byte that comes to/from your computer over the network is being
>   recorded, redirected, and maliciously changed.
> * backup the stuff you care about, I'd suggest at least /home and /etc.  Keep
>   at least 2 copies, ideally in at least 2 places.  Even rsync is fine for
>   this, or one of a zillion backup programs.
> * Keep your laptop as physically secure as possible
>
>
> If you are more paranoid:
> * Install from CD
> * make sure you are behind a firewall/ip nat/masq (not internet visible)
> * patch
>
> The above should be plenty to keep most linux users from getting hacked.
>
> If you want to be more paranoid and learn more about a system:
> * run ps, get familiar with all processes running
> * read /var/log/*, get familiar with that.
> * watch your network traffic lights on your dsl/cable/modem, figure out why
>   and what is using your network.
> * run strace on existing processes
> * run lsof on existing processes
> * run tcpdump and watch your network connection
> * run snort
> * run df, or related utilities to analyze storage.  Figure out how much you
>   use and where it is.
>
> For the very paranoid (I don't do this):
> * encrypt your disk
> * boot from trusted media, build a tripwire database, write it to write once
>   media, then periodically verify that things that shouldn't change don't.
> _______________________________________________
> vox-tech mailing list
> vox-tech@lists.lugod.org
> http://lists.lugod.org/mailman/listinfo/vox-tech
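
For the last item in the quoted list (build a tripwire database, keep it on write-once media, periodically verify), here is an added example that is not from either post and is not Tripwire itself: a minimal file-integrity baseline in Python that records each file's SHA-256, mode and owner, then reports what was added, removed or changed. The script name, the `init`/`check` commands and the JSON baseline format are assumptions made for illustration.

```python
import hashlib
import json
import os
import sys


def hash_file(path, chunk=1 << 16):
    """SHA-256 hex digest of one file, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_baseline(root):
    """Map each regular file under root to [digest, mode, owner uid]."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue  # symlinks and special files are not hashed
            st = os.stat(full)
            rel = os.path.relpath(full, root)
            baseline[rel] = [hash_file(full), st.st_mode, st.st_uid]
    return baseline


def verify(root, baseline_path):
    """Compare root against a saved baseline and return the differences."""
    with open(baseline_path) as f:
        old = json.load(f)
    new = build_baseline(root)
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "changed": sorted(p for p in set(old) & set(new) if old[p] != new[p]),
    }


if __name__ == "__main__":
    # Usage: baseline.py init|check ROOT BASELINE_FILE  (names are illustrative)
    cmd, root, db = sys.argv[1:4]
    if cmd == "init":
        with open(db, "w") as f:  # store this file on write-once media
            json.dump(build_baseline(root), f, indent=1, sort_keys=True)
    else:
        print(json.dumps(verify(root, db), indent=1))
```

The check is only as trustworthy as the baseline file and the system running it, which is why the quoted advice pairs it with trusted boot media and write-once storage.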