LinuxQuestions.org
Old 10-30-2009, 03:30 PM   #16
lugoteehalt
Senior Member
 
Registered: Sep 2003
Location: UK
Distribution: Debian
Posts: 1,215

Original Poster
Blog Entries: 2

Rep: Reputation: 49

Quote:
Originally Posted by salasi View Post
I get the impression that you don't need ssh, vpn or any fancy services allowing the outside world to access your network; if so, turn them off, preferably at the point closest to the big, bad, internet that you can (optional; turn them off in several places).
I do have ssh and sshd and ftp and some things like that - sorry, bit thick, do you mean uninstall them?
 
Old 10-30-2009, 04:25 PM   #17
tredegar
LQ 5k Club
 
Registered: May 2003
Location: London, UK
Distribution: Fedora38
Posts: 6,147

Rep: Reputation: 435
Quote:
I do have ssh and sshd and ftp and some things like that - sorry, bit thick, do you mean uninstall them?
Why do you have these things "ssh and sshd and ftp" ?
Do you use or need them?

If you don't know for certain that you need these services (and I suspect you do not), or cannot be bothered to find out how to turn them off, then maybe the best thing to do is just uninstall them.

Then they cannot be run, and you can forget about their potential security issues.

Your computer will still enable you to browse the web, use email etc.

If you run into problems, e.g. "Error: ssh - Service not available / not configured", then I suggest you reconsider.
 
Old 10-30-2009, 07:16 PM   #18
lugoteehalt
Senior Member
 
Registered: Sep 2003
Location: UK
Distribution: Debian
Posts: 1,215

Original Poster
Blog Entries: 2

Rep: Reputation: 49
Quote:
Originally Posted by tredegar View Post
Why do you have these things "ssh and sshd and ftp" ?
Do you use or need them?

If you don't know for certain that you need these services (and I suspect you do not), or cannot be bothered to find out how to turn them off, then maybe the best thing to do is just uninstall them.

Then they cannot be run, and you can forget about their potential security issues.

Your computer will still enable you to browse the web, use email etc.

If you run into problems, e.g. "Error: ssh - Service not available / not configured", then I suggest you reconsider.
Thanks have uninstalled most of the obvious stuff like that, used to use them on home network. Been reading http://www.tldp.org/HOWTO/Security-Quickstart-HOWTO/ paranoia inducing. Alarming perhaps that the mysql server on my box started failing to start soon after putting box on internet.

Last edited by lugoteehalt; 10-30-2009 at 07:18 PM.
 
Old 10-30-2009, 08:26 PM   #19
craigevil
Senior Member
 
Registered: Apr 2005
Location: OZ
Distribution: Debian Sid/RPIOS
Posts: 4,883
Blog Entries: 28

Rep: Reputation: 533
1) Turn off or remove any services you do not need, like ssh, ftp, telnet etc.
2) Use a firewall, either a hardware one or software, and configure it properly.
3) Keep your system updated and do not run things like your browser as root.
4) Bastille is a nice easy way to lock things down as are the various harden packages.
5) Use your distro's package management system and only install packages from trusted repos/sites.

Really there isn't much more to it. Nothing like Windows, no daily scanning, no AV updates or anti-malware apps slowing down your system.
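
One way to check item 1 on a running box, as an added example that is not part of the original post: the function below reads `ss -H -tln` style output and reports the TCP ports that are listening on something other than loopback, i.e. reachable from other machines unless a firewall blocks them. The function names and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: list TCP listeners that are reachable from other hosts.
# Input: lines in the format printed by `ss -H -tln`
#   State Recv-Q Send-Q Local-Address:Port Peer-Address:Port

exposed_listeners() {
    awk '
    $1 == "LISTEN" {
        local_addr = $4
        n = split(local_addr, parts, ":")
        port = parts[n]                      # text after the last colon
        addr = substr(local_addr, 1, length(local_addr) - length(port) - 1)
        sub(/%.*$/, "", addr)                # drop interface scope, e.g. 127.0.0.53%lo
        if (addr ~ /^127\./ || addr == "[::1]") next   # loopback only: not exposed
        print port
    }' | sort -n -u
}

# Constructed sample (not captured from a real machine).
sample_ss_output() {
    cat <<'EOF'
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 80 127.0.0.1:3306 0.0.0.0:*
LISTEN 0 32 *:21 *:*
LISTEN 0 128 [::]:22 [::]:*
LISTEN 0 5 [::1]:631 [::]:*
LISTEN 0 4096 127.0.0.53%lo:53 0.0.0.0:*
EOF
}

# On a live system: ss -H -tln | exposed_listeners
sample_ss_output | exposed_listeners
```

Every port it prints should correspond to a service you know you need; anything else is a candidate for being stopped or uninstalled.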
 
Old 10-30-2009, 11:20 PM   #20
lugoteehalt
Senior Member
 
Registered: Sep 2003
Location: UK
Distribution: Debian
Posts: 1,215

Original Poster
Blog Entries: 2

Rep: Reputation: 49
Thanks, unfortunately bastille does not support Lenny 5.0. Slightly oddly since it's on the CDs.
 
Old 10-31-2009, 03:28 AM   #21
craigevil
Senior Member
 
Registered: Apr 2005
Location: OZ
Distribution: Debian Sid/RPIOS
Posts: 4,883
Blog Entries: 28

Rep: Reputation: 533
Quote:
Originally Posted by lugoteehalt View Post
Thanks, unfortunately bastille does not support Lenny 5.0. Slightly oddly since it's on the CDs.
Sure it does, it just throws a weird error when you start it. I run sid and it works just fine.

$ apt-cache policy bastille
bastille:
  Installed: 1:3.0.9-12
  Candidate: 1:3.0.9-12
  Version table:
 *** 1:3.0.9-12 0
        990 http://ftp.debian.org sid/main Packages
 
Old 10-31-2009, 09:57 AM   #22
salasi
Senior Member
 
Registered: Jul 2007
Location: Directly above centre of the earth, UK
Distribution: SuSE, plus some hopping
Posts: 4,070

Rep: Reputation: 897
Quote:
Originally Posted by lugoteehalt View Post
I do have ssh and sshd and ftp and some things like that - sorry, bit thick, do you mean uninstall them?
The slightly paranoid approach (and slightly paranoid is quite good when it comes to security... it's just that very paranoid is better) is to ensure that those services are not running (i.e., just use something like ps -ef and ensure that there is nothing running there that has potential for evil).

If you know that you aren't going to use it though, why would you need it installed? This also corresponds to the very paranoid approach of not installing anything ever that is not needed in the short term. After all, if it ain't there, it can't be exploited (even if it is there, but not running, maybe someone has a way of getting in and running it and then maybe they can utilise it in some bad way).

More to the point, ftp?????? That's about as insecure as a jail where they didn't bother to build the jail. You should not be running an ftp server on your system. The only use for ftp is if someone else provides an ftp service from which you want to get a file and it doesn't require a password. Or, if it does use a password, that password cannot be in any way related to other passwords in use.

ssh is a bit of an interesting case; this, very, very unlike ftp, was designed to be secure, but still there is a problem. A lot of bad guys are trying 'brute force' ssh attacks. So, if it was designed to be secure, why would people be even trying a brute force attack? Well, they have made the observation that, if there is no penalty for/problem with keep trying things, they can keep trying and trying until they eventually get somewhere.

So my recommendation would be that if you make an ssh service available on a box that you own (and want to carry on owning, in the general sense) you have to take at least one of the following extra security measures
  • use an unusual port for ssh
  • look through the logs for signs of incipient problems
  • use a 'port knocking' scheme to make it more difficult for the 'brute forcers'
  • only allow particular machines (by, e.g., MAC address) to ssh in, in your firewall
  • use, eg, fail2ban in your firewall to keep out the guys who try to do nasty stuff repeatedly

(...just the first on its own is inadequate, but the first and the second combined, maybe)

and if you don't want to do at least one of those or you don't want to understand the problem, don't allow anyone to ssh into your box, ever. You may well find your life is easier just not being able to ssh into your box at all (not having it also means that you don't have to track new vulnerabilities and patches), but if you decide that you need it, you have to do a competent job with it.
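
The "look through the logs" measure from the list above, as an added example that is not part of the original post: the function counts failed SSH password attempts per source address in syslog-format sshd lines, which is the kind of counting a tool such as fail2ban automates before it blocks an address. The function names, host name, user names and log lines are constructed; the addresses are from the documentation ranges.

```shell
#!/bin/sh
# Added example: count failed SSH password attempts per source address.
# Input: syslog-format sshd lines (on Debian these are in /var/log/auth.log).

ssh_failed_by_ip() {
    threshold=${1:-5}     # report addresses with at least this many failures
    awk -v min="$threshold" '
    $5 ~ /^sshd\[[0-9]+\]:$/ && $6 == "Failed" && $7 == "password" {
        # Anchor on the END of the line ("from ADDR port N ssh2"): the user
        # name in the middle is chosen by the remote side and may itself
        # contain words such as "from" followed by an address.
        if ($(NF-4) == "from" && $(NF-2) == "port") count[$(NF-3)]++
    }
    END {
        for (ip in count) if (count[ip] >= min) print count[ip], ip
    }' | sort -k1,1nr -k2,2
}

# Constructed sample log (not taken from a real machine).
sample_auth_log() {
    cat <<'EOF'
Oct 31 09:12:01 box sshd[2101]: Failed password for root from 203.0.113.7 port 40122 ssh2
Oct 31 09:12:03 box sshd[2103]: Failed password for invalid user admin from 203.0.113.7 port 40130 ssh2
Oct 31 09:12:05 box sshd[2105]: Failed password for invalid user a from 192.0.2.50 from 203.0.113.7 port 40141 ssh2
Oct 31 09:12:07 box sshd[2107]: Failed password for root from 203.0.113.7 port 40150 ssh2
Oct 31 09:14:40 box sshd[2120]: Failed password for alice from 198.51.100.23 port 51811 ssh2
Oct 31 09:14:52 box sshd[2120]: Accepted password for alice from 198.51.100.23 port 51811 ssh2
Oct 31 09:20:00 box CRON[2200]: (root) CMD (test -x /usr/sbin/anacron)
EOF
}

# On a live system: ssh_failed_by_ip 5 < /var/log/auth.log
sample_auth_log | ssh_failed_by_ip 3
```

The third sample line carries a user name that embeds a second address; parsing from the end of the line keeps the count on the real source, so the embedded address is never reported.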
 
Old 10-31-2009, 10:53 PM   #23
lugoteehalt
Senior Member
 
Registered: Sep 2003
Location: UK
Distribution: Debian
Posts: 1,215

Original Poster
Blog Entries: 2

Rep: Reputation: 49
Quote:
Originally Posted by craigevil View Post
Sure it does, it just throws a weird error when you start it. I run sid and it works just fine.

$ apt-cache policy bastille
bastille:
  Installed: 1:3.0.9-12
  Candidate: 1:3.0.9-12
  Version table:
 *** 1:3.0.9-12 0
        990 http://ftp.debian.org sid/main Packages
Alright, thanks, installed the most up to date version from the link and it worked. So, for the record, it asks you questions and hardens up your file permissions and shuts down servers and stuff like that. It will set up a firewall if you want.

salasi:
Quote:
This also corresponds to the very paranoid approach of not installing anything ever that is not needed in the short term. After all, if it ain't there, it can't be exploited (even if it is there, but not running, maybe someone has a way of getting in and running it and then maybe they can utilise it in some bad way).
Got this quite big computer fairly recently and have taken the attitude that you might as well install everything in sight.

So it's a quite fundamental philosophy change: "Only install what you certainly need - especially any sort of server, presumably."
 
  

