On 3 November 2012 18:00, bad apple <ifindthatinteresting@xxxxxxxxx> wrote:
<snip>
<snip> some more.
Some really, really good advice here.
I'll add a few coppers' worth on some specific points, although I don't disagree with any of it.
AVG. This had fame about 8 years ago as the best free Windows AV. It hasn't been since then (strangely, Microsoft's Security Essentials is about the best freebie at present). And I agree, you don't need file-scanning antivirus on Linux, with some exceptions:
1. It's acting as an executable file server for Windows machines.
2. You back up Windows clients to it (using BackupPC for example), and run ClamAV on the backups. I do this for work and it very occasionally alerts me to an infected file that has been backed up which was missed on the Windows client's PC. (Running mostly ESET at present). ClamAV is not the best zero-hour protection IME, but "better" ones have some dubious methods of achieving such claims. (Anyone else remember McAfee being caught paying virus writers to give them the source a few days ahead of new viruses being released into the wild? I was reminded of this with the founder of McAfee currently hiding from the police on drugs charges.)
SSH. Agree, block root, it's a given and I'm amazed not every distro does this by default. I ran Kippo for some months to learn about SSH attacks. Interesting stuff. From my findings, almost all were scripted attacks running batches of IPs. (I have consecutive IPs; they would move from one to another, same source IP.) Originating IP would change every now and then. All those I had used standard brute-force attempts, running between 3 and 2,000 attempts. A few got through, and when they did most immediately logged back out after running 'w'. I only had four humans try to do more interesting things, but none persevered beyond Kippo's fairly basic shell.
Sorry, waffling. My single biggest lesson from SSH attacks is that EVERY SINGLE ATTEMPT WAS ON PORT 22! I move my SSH port elsewhere as standard and although certain important boxes do run fail2ban as a secondary, not one has ever triggered in some 3 or 4 years. This is from around five internet-exposed Linux servers. Port 22 goes nowhere and the bot or human just moves on. Unlike other ports you may have to expose on a server, like HTTP or SMTP, SSH is very changeable. (Incidentally, I get around 200 automatic relay attempts on any internet-exposed port 25 - and yes, on one server I had not set up Exim properly and it acted as a spam relay for a few days before I noticed, which was annoying...)
Granted, somebody singling me out would portscan and try likely open ports manually, but so far, this has not happened.
On the subject of TrueCrypt thumb drives and cloud backups: Again, I don't disagree, but research automated syncing as a priority, otherwise everything just goes stale too quickly. I am also far too quick to lose flash drives, and I've seen some shockingly fast cracks of encrypted files and file systems, so now I don't feel totally safe relying solely on encryption.
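As an added example (not code from this thread or from anyone posting in it), here is a small POSIX shell script covering the SSH points above: it audits an sshd_config for root login and the default port, writes a hardened copy with the two directives placed first (sshd honours the first occurrence of a keyword), emits a matching fail2ban jail fragment, and tallies "Failed password" lines per source IP, which is the per-IP count a fail2ban maxretry threshold is applied to. The sample config, the auth.log lines, the 203.0.113.x/198.51.100.x addresses and port 2222 are all constructed for the demo; file paths are assumptions.

```shell
#!/bin/sh
# Added example, not from the original thread: audit/harden sshd_config for
# root login and listening port, print a fail2ban jail for the new port, and
# count failed logins per source IP. Config text, log lines, addresses and
# port 2222 are constructed for the demo; paths are assumptions.
set -eu

# Constructed weak sshd_config: root login allowed on the default port.
WEAK_CFG=$(mktemp)
cat >"$WEAK_CFG" <<'EOF'
# constructed sample sshd_config
Port 22
PermitRootLogin yes
PasswordAuthentication yes
Subsystem sftp /usr/lib/openssh/sftp-server
EOF

# effective_value FILE KEYWORD: value of the first uncommented KEYWORD line
# (sshd uses the first match for a keyword); empty if absent.
effective_value() {
    awk -v key="$2" 'tolower($1) == tolower(key) { print $2; exit }' "$1"
}

# audit_sshd FILE: return 0 if root login is off and the port is not 22;
# otherwise print one FINDING line per problem and return 1. An absent
# PermitRootLogin is flagged because the built-in default differs between
# OpenSSH versions.
audit_sshd() {
    rc=0
    root=$(effective_value "$1" PermitRootLogin)
    port=$(effective_value "$1" Port)
    case "${root:-unset}" in
        no|prohibit-password|without-password) ;;
        *) echo "FINDING: PermitRootLogin is '${root:-unset}'"; rc=1 ;;
    esac
    if [ "${port:-22}" = 22 ]; then
        echo "FINDING: sshd listens on the default port 22"; rc=1
    fi
    return $rc
}

# harden_sshd IN OUT PORT: drop existing Port/PermitRootLogin lines and put
# hardened ones first, so they win regardless of what follows.
harden_sshd() {
    {
        echo "Port $3"
        echo "PermitRootLogin no"
        awk 'tolower($1) != "port" && tolower($1) != "permitrootlogin"' "$1"
    } >"$2"
}

# fail2ban_jail PORT: jail.local fragment watching the non-default port.
fail2ban_jail() {
    printf '[sshd]\nenabled = true\nport = %s\nmaxretry = 5\nbantime = 3600\n' "$1"
}

# failed_logins_by_ip LOGFILE: print "count ip" per source, busiest first,
# from sshd "Failed password" lines.
failed_logins_by_ip() {
    awk '/sshd\[[0-9]+\]: Failed password/ {
            for (i = 1; i <= NF; i++) if ($i == "from") n[$(i+1)]++
        }
        END { for (ip in n) print n[ip], ip }' "$1" | sort -rn
}

# Constructed auth.log excerpt: one scripted source, one single failure.
AUTH_LOG=$(mktemp)
cat >"$AUTH_LOG" <<'EOF'
Nov  3 18:00:01 srv sshd[4101]: Failed password for root from 203.0.113.5 port 51234 ssh2
Nov  3 18:00:02 srv sshd[4101]: Failed password for root from 203.0.113.5 port 51234 ssh2
Nov  3 18:00:04 srv sshd[4103]: Failed password for invalid user admin from 203.0.113.5 port 51240 ssh2
Nov  3 18:00:09 srv sshd[4107]: Accepted publickey for alice from 198.51.100.7 port 40022 ssh2
Nov  3 18:00:15 srv sshd[4110]: Failed password for bob from 198.51.100.7 port 40030 ssh2
EOF

HARD_CFG=$(mktemp)
harden_sshd "$WEAK_CFG" "$HARD_CFG" 2222

if audit_sshd "$WEAK_CFG"; then
    echo "weak config unexpectedly passed"
else
    echo "weak config: see findings above"
fi
audit_sshd "$HARD_CFG" && echo "hardened config: clean"
fail2ban_jail 2222
failed_logins_by_ip "$AUTH_LOG"
```

Run it as-is to see the two findings on the weak config, the clean result on the hardened copy, the jail fragment, and "3 203.0.113.5" at the top of the tally; point the functions at /etc/ssh/sshd_config and /var/log/auth.log to use them for real (paths assumed).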