I get the impression that you don't need ssh, vpn or any fancy services allowing the outside world to access your network; if so, turn them off, preferably at the point closest to the big, bad, internet that you can (optional; turn them off in several places).
I do have ssh and sshd and ftp and some things like that - sorry, bit thick, do you mean uninstall them?
Why do you have these things "ssh and sshd and ftp"?
Do you use or need them?
If you don't know for certain that you need these services (and I suspect you do not), or cannot be bothered to find out how to turn them off, then maybe the best thing to do is just uninstall them.
Then they cannot be run, and you can forget about their potential security issues.
Your computer will still enable you to browse the web, use email etc.
If you run into problems, e.g. "Error: ssh - Service not available / not configured", then I suggest you reconsider.
Thanks, have uninstalled most of the obvious stuff like that; used to use them on home network. Been reading http://www.tldp.org/HOWTO/Security-Quickstart-HOWTO/ - paranoia inducing. Alarming perhaps that the mysql server on my box started failing to start soon after putting box on internet.
Last edited by lugoteehalt; 10-30-2009 at 07:18 PM.
1) Turn off or remove any services you do not need, like ssh, ftp, telnet etc.
2) Use a firewall, either a hardware one or software, and configure it properly.
3) Keep your system updated and do not run things like your browser as root.
4) Bastille is a nice easy way to lock things down as are the various harden packages.
5) Use your distro's package management system and only install packages from trusted repos/sites.
Really there isn't much more to it. Nothing like Windows, no daily scanning, no AV updates or anti-malware apps slowing down your system.
Quote:
I do have ssh and sshd and ftp and some things like that - sorry, bit thick, do you mean uninstall them?
The slightly paranoid approach (and slightly paranoid is quite good when it comes to security... it's just that very paranoid is better) is to ensure that those services are not running (i.e., just use something like ps -ef and ensure that there is nothing running there that has potential for evil).
If you know that you aren't going to use it though, why would you need it installed? This also corresponds to the very paranoid approach of not installing anything ever that is not needed in the short term. After all, if it ain't there, it can't be exploited (even if it is there, but not running, maybe someone has a way of getting in and running it and can then maybe utilise it in some bad way).
More to the point, ftp?????? That's about as insecure as a jail where they didn't bother to build the jail. You should not be running an ftp server on your system. The only use for ftp is if someone else provides an ftp service from which you want to get a file and it doesn't require a password. Or, if it does use a password, that password cannot be in any way related to other passwords in use.
ssh is a bit of an interesting case; this, very, very unlike ftp, was designed to be secure, but still there is a problem. A lot of bad guys are trying 'brute force' ssh attacks. So, if it was designed to be secure, why would people be even trying a brute force attack? Well, they have made the observation that, if there is no penalty for, or problem with, continuing to try things, they can keep trying and trying until they eventually get somewhere.
So my recommendation would be that if you make an ssh service available on a box that you own (and want to carry on owning, in the general sense) you have to take at least one of the following extra security measures:
use an unusual port for ssh
look through the logs for signs of incipient problems
use a 'port knocking' scheme to make it more difficult for the 'brute forcers'
only allow particular machines (by, e.g., MAC address) to ssh in, in your firewall
use, e.g., fail2ban in your firewall to keep out the guys who try to do nasty stuff repeatedly
(...just the first on its own is inadequate, but the first and the second combined, maybe)
and if you don't want to do at least one of those or you don't want to understand the problem, don't allow anyone to ssh into your box, ever. You may well find your life is easier just not being able to ssh into your box at all (not having it also means that you don't have to track new vulnerabilities and patches), but if you decide that you need it, you have to do a competent job with it.
Alright, thanks, installed the most up to date version from the link and it worked. So, for the record, it asks you questions and hardens up your file permissions and shuts down servers and stuff like that. It will set up a firewall if you want.
salasi:
Quote:
This also corresponds to the very paranoid approach of not installing anything ever that is not needed in the short term. After all, if it ain't there, it can't be exploited (even if it is there, but not running, maybe someone has a way of getting in and running it and can then maybe utilise it in some bad way).
Got this quite big computer fairly recently and have taken the attitude that you might as well install everything in sight.
So it's a quite fundamental philosophy change: "Only install what you certainly need - especially any sort of server, presumably."