
Thread: Security for newbies

  1. #21
    Join Date
    Aug 2011
    Beans
    91

    Re: Security for newbies

    Some excellent replies, both from my fellow newbies and the gurus. No way I can comment on every aspect that's been covered but I'll try my best here.
    Quote Originally Posted by Dangertux View Post
    Well... I think there are two things here. For one if you do not KNOW you are using VNC or SSH, then there is probably an issue.....If you don't understand the basics of Linux before reading the security stickies you probably won't get much out of them....
    I agree. The more you know about a subject, the more informed you are – and you know what you don't know (if you follow me). But newbies coming from Windows have existed with a security blanket around them – they know they have AV installed, etc. (that doesn't mean that the system is more secure or not, just that Windows users can at least “see” security on their systems).
    So how do I find out if I have VNC or SSH? Olle's post was great and a great basis for answering that question. VNC did nothing (so I'm assuming that's not running?) but SSH showed that the server programs were listed (eek!). When I try
    Code:
    ps -au root | grep ssh   # the command
    nothing happens. Good or bad? That's the sort of info I think is useful to newbies.

    So the FAQ for this particular bit looks a bit like this:
    “The two most common cracks posted on these forums are ssh and vnc, both running with password authentication” (source: bodhi.zazen's awesome security sticky)

    • Do you know what ssh and vnc are? If not then you need to make sure that they're turned off as you almost certainly don't need them!!
    • Insert instructions on how to check for ssh/vnc and to ensure that it's not running.
    • Want to learn more about ssh and vnc? Insert links to material here

    Quote Originally Posted by Olle Wiklund View Post
    But you can't leave the newbies with a statement, that they don't know, so they cannot be safe. I think it is a good idea to provide tips and hints what to do and what to avoid. What has the Ubuntu mason done, that newbies should not tamper with?

    Unfortunately as with anything the level of value you take from it is directly proportional to the level of knowledge you have going into it. So tips and tricks are nice, but truthfully if you don't understand the reasoning behind them your level of understanding of some concepts will never move beyond that of hobbyist.
    Both statements are true. It's impossible to cover every possible scenario, but it may be possible to cover the basics. Plus, implementing these simple tips may encourage users to read more, to learn more...to understand just how powerful a terminal window can be.

    This is taking on a life of its own so I better stop! (hurray!) Let me rephrase my original idea - 10 easy things to increase your security (e.g.):
    • Install No Script. Learn how to use it properly (i.e. don't allow everything because No Script annoys you!)
    • Make sure Automatic Security Updates are turned on (how do I do that? Do x, y and z)

    The user may still not understand what he's done, but some will learn new things and look to learn more. From here add something a little more complex (e.g. why reusing passwords is a bad idea, or why don't I need any AV in Linux?)

    I certainly don't want to annoy the security pros on here – far from it. But the Linux learning curve can be a little steep and any way to make that curve a little easier to manage will go down well with us newbies! Plus we'll be asking more intelligent questions...which is bound to be a change for the gurus!
    Last edited by lisati; November 3rd, 2011 at 10:10 AM. Reason: Normalize font

  2. #22
    WasMeHere is offline Iced Almond Soy Ubuntu, No Foam
    Join Date
    May 2008
    Location
    Sverige
    Beans
    1,133

    Re: Security for newbies

    Quote Originally Posted by MrLeek View Post
    ...
    Code:
    ps -au root | grep ssh   # the command
    nothing happens. Good or bad? That's the sort of info I think is useful to newbies.
    It means that the server daemon is not running, which is good if you want to be sure it is not used by an attacker, but bad if you want to use it yourself to log in or share files from another computer.

    I certainly don't want to annoy the security pros on here – far from it. But the Linux learning curve can be a little steep and any way to make that curve a little easier to manage will go down well with us newbies! Plus we'll be asking more intelligent questions...which is bound to be a change for the gurus!
    I think we might do something good together. Thank you for starting this thread, good luck and have fun finding out
    Olle
    Last edited by lisati; November 3rd, 2011 at 10:11 AM. Reason: Normalize font in quote
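
Added example (not part of any post in this thread): a complementary check for the "is ssh/vnc running?" FAQ item discussed above is to look at listening sockets rather than process names, and to see whether a listener is reachable from the network or only from the machine itself. The function names and the sample `ss -tln` output are constructed for illustration, and the default ports (22 for SSH, 5900-5909 for VNC) are an assumption; a server moved to another port would not be reported.

```shell
#!/usr/bin/env bash
# Added example: report listening SSH/VNC sockets found in `ss -tln` output.
# Assumption: default ports, 22 for SSH and 5900-5909 for VNC displays :0 to :9.

# Read `ss -tln` output on stdin; print "service port address scope" per hit.
find_remote_access_listeners() {
  awk '
    $1 != "LISTEN" { next }              # skip the header and other states
    {
      local_field = $4                   # e.g. 0.0.0.0:22 or [::]:22
      n = split(local_field, parts, ":")
      port = parts[n] + 0                # port is the text after the last colon
      addr = substr(local_field, 1, length(local_field) - length(parts[n]) - 1)
      if (port == 22) svc = "ssh"
      else if (port >= 5900 && port <= 5909) svc = "vnc"
      else next
      # A loopback-only listener cannot be reached from other machines.
      scope = (addr ~ /^127\./ || addr == "[::1]") ? "loopback" : "network"
      print svc, port, addr, scope
    }'
}

# Constructed sample of `ss -tln` output so the example runs offline.
sample_ss_output() {
  cat <<'EOF'
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port
LISTEN  0       128           0.0.0.0:22          0.0.0.0:*
LISTEN  0       5           127.0.0.1:5900        0.0.0.0:*
LISTEN  0       4096    127.0.0.53%lo:53          0.0.0.0:*
LISTEN  0       128              [::]:22             [::]:*
EOF
}

sample_ss_output | find_remote_access_listeners
# On a live system: ss -tln | find_remote_access_listeners
```

No output means nothing is listening on those ports; a line ending in `network` is a service other machines can try to connect to.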

  3. #23
    Join Date
    Oct 2008
    Location
    /var/log/uk :-)
    Beans
    223
    Distro
    Ubuntu 12.04 Precise Pangolin

    Re: Security for newbies

    I've been using Linux for about 2-3 years now and I still consider myself inexperienced. I've read a lot of threads on here about systems being broken into and it does seem to come down to remote desktops (VNC) and ssh being enabled incorrectly.

    Me personally, on a fresh install of a Ubuntu machine, I always install gufw and enable the firewall, remove remote desktop viewer as I don't need it. You'll have the ssh client installed and that's fine, it's the ssh server you have to be careful with. Disable upnp on your router as well.

    Installing ubuntu server in a vm and playing around with ssh server was a good learning experience for me, I'll post what changes I make if anyone wants me to?

    I always install no script/ad blocking in FF as well, very good for secure browsing. Security is a learning experience, using virtual machines is a good way to test, break and fix things.

  4. #24
    Join Date
    Sep 2011
    Beans
    1,531

    Re: Security for newbies

    Quote Originally Posted by haqking View Post
    The whole FAQ for newbies that you ask for is that holy grail of documents every one wants where it abstracts the complex and makes things simple.
    OK, I'm really feeling this thread. To Dangertux & haqking, we all seem to agree that you have to dig deep to attain true security. But is there a way to enable some simple features, especially through the GUI, that can provide a little more security for the average noob until they get a clue? I hardly think I'm unique in my intention to learn Ubuntu by installing it & playing around. It's that learning window that needs to be sort of temporarily secured so new users aren't completely overwhelmed by that steep learning curve we've all talked about. So this elusive "Security For New Users" FAQ could actually be created. Here's what I see as a very rough outline:

    1. enable these features using the GUI: firewall, x, y, z. Insert links to resources.
    2. check to make sure a, b, c are disabled (as MrLeek suggested)
    3. don't be stupid: follow standard good practice while connected to the internet. Insert links to common good internet security tips.
    4. if you have to do banking on your Ubuntu computer, then some of the experts recommend that you DO a, b, c. And they recommend that you don't do x, y, z. Links to resources.
    5. once you've learned more about linux, it's imperative that you look into utilizing this, that, and the other thing. Insert links to resources. I'm gonna say that apparmor goes in this category. Thoughts?

    MrLeek, if you want links to various tutorials & sources, I'll be happy to provide them. I've spent a lot of time looking at the written material on various topics and they vary in their target audiences. I've got beginner's eyes, so I'll give you the "for Dummies" links. PM me if you're serious. If not, I may steal your idea

  5. #25
    Join Date
    Jun 2011
    Location
    Atlanta Georgia
    Beans
    1,769
    Distro
    Ubuntu 10.04 Lucid Lynx

    Re: Security for newbies

    Quote Originally Posted by Ms. Daisy View Post
    OK, I'm really feeling this thread. To Dangertux & haqking, we all seem to agree that you have to dig deep to attain true security. But is there a way to enable some simple features, especially through the GUI, that can provide a little more security for the average noob until they get a clue? I hardly think I'm unique in my intention to learn Ubuntu by installing it & playing around. It's that learning window that needs to be sort of temporarily secured so new users aren't completely overwhelmed by that steep learning curve we've all talked about. So this elusive "Security For New Users" FAQ could actually be created. Here's what I see as a very rough outline:

    1. enable these features using the GUI: firewall, x, y, z. Insert links to resources.
    2. check to make sure a, b, c are disabled (as MrLeek suggested)
    3. don't be stupid: follow standard good practice while connected to the internet. Insert links to common good internet security tips.
    4. if you have to do banking on your Ubuntu computer, then some of the experts recommend that you DO a, b, c. And they recommend that you don't do x, y, z. Links to resources.
    5. once you've learned more about linux, it's imperative that you look into utilizing this, that, and the other thing. Insert links to resources. I'm gonna say that apparmor goes in this category. Thoughts?

    MrLeek, if you want links to various tutorials & sources, I'll be happy to provide them. I've spent a lot of time looking at the written material on various topics and they vary in their target audiences. I've got beginner's eyes, so I'll give you the "for Dummies" links. PM me if you're serious. If not, I may steal your idea
    Okay, I think there is something that should be addressed with this, and I know I've discussed this with you before, Ms. Daisy (at least I think I did). Security is a broad term; it's a giant all-encompassing vacuum that will quickly 'suck' you in if you let it.

    That being said, that does not mean a reasonable level of security (best practices) is difficult to attain for the average end user. However, when you talk about best practices there is still a level of risk involved that is higher than it could be.

    If you were setting up a home system to be "secure" within the realm of best practices, which would be fine for most (and I mean like 90%+) of the average user's use case, you might consider things like the following, that have been harped on to no end on this forum already.

    1 - Strong passwords. If it takes a password it needs to be a good one (more than 16 characters containing upper and lower case, numeric, special characters and white space. Not being based on a dictionary word, or something like the fact that your eyes are blue or your birth date.) If you can use an RSA key for it (eg: SSH) better still.

    2 - Don't run services you don't need. If you don't need an SSH server or VNC server running on your personal computer don't do it. If you do, make sure it is properly secured. Firewalled from the outside world, confined with apparmor/selinux, strong credentials, proper configuration and permissions, etc. (PS: do NOT run VNC, just don't do it.)

    3 - Browser addons like NoScript. I can't emphasize enough. Browser exploits get a lot of people, usually people who think they're perfectly fine because they run Linux/Mac OSX/Something else other than Windows. This is where 90% of home users who aren't running a server of some kind get in trouble.

    4 - Keep your updates, well...updated. This is important, unless you're writing security patches yourself (which you're probably not) this should be way high on your todo list.

    5 - Use your firewall PROPERLY. Don't set it and forget it, learn how it works, set decent rules. It takes 5 minutes to configure UFW/GUFW to tell iptables to enforce pretty decent inbound and outbound rules. Maybe 10 if it's the first time you've done it. I harp on this one a lot because by and large the "you have no open ports" argument is stupid.

    See this post I made : http://ubuntuforums.org/showthread.php?t=1871177

    (which btw got a whopping 1 reply thanks for the love everyone I kid..I kid..)

    6 - Use common sense. A very smart friend of mine once said these words.

    "Did you go on the Internet to download something? No...Then why are you downloading something?"

    This applies to all facets of security. Set out with a purpose, if you find yourself veering away from that purpose, ask yourself why and if it's something you should be doing. For instance, you should not have to run the following command to play supertuxkart.

    Code:
    sudo nc -l -p 31337 -e /bin/sh
    *don't do this*

    If someone tells you that you do, well...Don't listen.

    7 - Least privileges, always : Always make sure you are utilizing the least amount of privileges/permissions to do the task necessary. Use only what you need nothing more. This involves learning about DAC and how to use file permissions and non-privileged users (which Ubuntu makes very easy). Additionally we can strengthen this with things like Apparmor, which I do recommend learning. The learning curve is pretty steep but take a few hours to educate yourself on it now, it is a great asset.

    8 - Be consistent, if you do these things with your desktop Ubuntu system you will find it is actually pretty secure. Now apply this to the other devices on your network. This includes any other computers, cell phones, routers, printers, game consoles, whatever. Your network's security is only as strong as the weakest link. Once an attacker gains a foothold in a network, whether it's in a DMZ or behind a firewall, compromising the rest of the network becomes MUCH easier.

    Hope all this helps.
    Last edited by Dangertux; November 2nd, 2011 at 03:07 PM.
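
Added example (not part of the post above, and not taken from the thread it links to): one way to avoid "set it and forget it" with UFW is to re-check its reported state against a deny-by-default baseline. The function names, the finding labels and the sample `ufw status verbose` output are constructed for illustration; treating an unrestricted outbound default as worth a note is an assumption based on the post's mention of outbound rules.

```shell
#!/usr/bin/env bash
# Added example: audit `ufw status verbose` output against a simple baseline.

# Read `ufw status verbose` on stdin and print one line per finding.
audit_ufw_status() {
  awk '
    /^Status:/  { active = ($2 == "active") }
    /^Logging:/ { logging = ($2 == "on") }
    # e.g. "Default: deny (incoming), allow (outgoing), disabled (routed)"
    /^Default:/ { in_policy = $2; out_policy = $4 }
    # Rule rows such as "22/tcp   ALLOW IN   Anywhere"
    / ALLOW IN +Anywhere/ {
      v6 = ($2 == "(v6)") ? " (v6)" : ""
      open[++n_open] = $1 v6
    }
    END {
      if (!active) { print "FINDING: firewall is not active"; exit }
      if (in_policy != "deny" && in_policy != "reject")
        print "FINDING: default incoming policy is " in_policy
      if (out_policy == "allow")
        print "NOTE: outbound traffic is unrestricted (default allow)"
      if (!logging) print "NOTE: logging is off"
      for (i = 1; i <= n_open; i++)
        print "REVIEW: " open[i] " is open to any source"
    }'
}

# Constructed sample of `ufw status verbose` output so the example runs offline.
sample_ufw_status() {
  cat <<'EOF'
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), disabled (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW IN    Anywhere
631/tcp                    ALLOW IN    192.168.1.0/24
22/tcp (v6)                ALLOW IN    Anywhere (v6)
EOF
}

sample_ufw_status | audit_ufw_status
# On a live system: sudo ufw status verbose | audit_ufw_status
```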

  6. #26
    Join Date
    Sep 2011
    Beans
    1,531

    Re: Security for newbies

    My thoughts are flowing on this issue. I recommend that at the outset you define the target audience for the FAQ.

    This FAQ is intended for the typical, average home user that is in the process of learning how to use Ubuntu. Average home use is:
    1. surfing the net
    2. playing games online & off line
    3. on-line personal banking
    4. storing documents that could contain a little sensitive information (like name, address, DOB, SSN, etc)
    5. whatever else is typical.

    This FAQ is NOT intended for
    1. people who use Ubuntu in their corporate environment. Certain industries must follow certain internet and data storage regulations. Rely on this thread at your own peril for these uses.
    2. If you're a home user that is employed by a company, and you occasionally work on company business on your home computer. You should consult with your company's IT department to comply with their security measures.
    3. Whoever else should be excluded.

  7. #27
    Join Date
    Sep 2011
    Beans
    1,531

    Re: Security for newbies

    Quote Originally Posted by Dangertux View Post
    Security is a broad term; it's a giant all-encompassing vacuum that will quickly 'suck' you in if you let it.
    Yeah, too late.

    Sounds to me like Dangertux just wrote a large chunk of that FAQ.

  8. #28
    Join Date
    Jun 2011
    Location
    The Shadow Gallery
    Beans
    6,744

    Re: Security for newbies

    Dangertux is 5 hours behind me but he seems to be more awake, his caffeine fuelled typing skills are strong in him today

    I myself am battling with some bluetooth issues.

    +1 to everything he said
    Backtrack - Giving machine guns to monkeys since 2006
    Kali-Linux - Adding a grenade launcher to the machine guns since 2013

  9. #29
    Join Date
    Sep 2011
    Beans
    1,531

    Re: Security for newbies

    Oh yes, and something also to address would be a quick discussion of fallacies that are common in this forum as well as in the world in general:
    1. Linux is secure out of the box. False. It's as secure as you make it, it's as insecure as you allow it.
    2. the typical Windows user mindset is that you can install program X, let it run quietly in the background, and you'll be fine. That's actually not true for Windows and it's not true for Ubuntu either. Security is an active process on all OSs.
    3. yadda yadda. You get my drift. There are many of these addressed in this forum, I'd be happy to hunt them down for you.

    In fact, nearly all of the information that should go in the FAQ already exists in numerous posts across the forum. The idea is to combine them into one "Security for Newbies" place.

    Again MrLeek, I hope you were serious about writing this FAQ. I'll help by writing any and all sections you want me to.

  10. #30
    Join Date
    Jun 2011
    Location
    Atlanta Georgia
    Beans
    1,769
    Distro
    Ubuntu 10.04 Lucid Lynx

    Re: Security for newbies

    Awake...it's such an inaccurate term. It's more like what happened in that movie Vanilla Sky without the fringe benefits of being Tom Cruise.

    Also something else I didn't cover.

    If you use wireless access, make sure you're using STRONG encryption, not WEP but WPA/WPA2 with a GOOD passphrase. Use all 63 characters, you only have to type it once anyway.
