Am I safe ?

**leclerc65** · March 21st, 2012

With the exception of AppArmor , I think I can follow these guidelines without much problem...but
1) Updates: the router is at the basement, wireless reception on the second floor of my house is really bad - signal can drop anytime. The only distro that works well is Puppy which was not recommended. If the signal drops while doing a 'sudo apt-get upgrade' it can be a nightmare. Beside, if you get these 'Aw - Snap' messages often from your browser, you know why I hated Updates.

2) I still don't understand the NoScript part. Who can put a bad script there, my Bank itself ? Please remember that I set my Home Page as the Bank's URL, I don't navigate anywhere, I don't even use emails on that machine. So please educate me. But I will do it if you say so.

I should also have mentioned that I do have Mac Address blocking,the Router Admin's password is 8 char long, so the door is not wide opened as it might seem.

Thanks everybody.

**Ms. Daisy** · March 21st, 2012

You may consider boosting the wireless signal so it won't drop out on the second floor. Maybe you can move the router to a more central location or add a repeater. Or hardwire the computer to the router. That's less of a security thing and more of a functionality thing. Losing the signal all the time would drive me nuts.

Who can put a bad script in your bank's website? Scripts make the internet interactive and cool. But scripts can be misused to compromise your browser. Surely your bank has a hardcore team of security experts working to keep the web server safe. The problem is you don't have any control over what happens to your bank's website. If you use NoScript, then you can prevent malicious scripts from running in your browser in the event that the bank's website gets cracked. Honestly this is probably venturing into true paranoia country if you're really only going to visit the one web page. But your original question was "Can I be sure that that machine cannot be compromised?" You'll never be totally sure but NoScript will make you a little more sure.

There are some links in the basic security wiki that go into more detail about what NoScript prevents if you still have questions.

**needhelppeeps** · March 23rd, 2012

Increasing the wireless footprint will decrease security further since the signal will be available over a larger area. It is advisable to use the minimum signal you need. It's worth trying to move the attenaeas horizontal instead of vertical. MAC filtering only serves to keep someone honest from accidentally connecting. I would install STP cat5 and use secure transmission protocols such as https, ssh, etc. You should also disable remote management of the wireless on the WAN side and consider restricting management to a single IP on the LAN side and only from a cabled connection. On your switch, disable all ports except the ones you need and turn limit those to known MAC addresses. I would also consider segmenting those ports for any PCs that do not need to "see" each other. Once you've done that, use full disk encryption for your offsite backups and any laptops, at the very least. Purchase cables for the laptops and lock them except when traveling. Laptops are a targeted theft item. You should definitely install NoScript and turn on your Uncomplicated firewall and lock it down to only the ports that must be open. Modify the default apparmor profile for firefox, I found the defaults to be rather open. I found setting up HIDS for a general purpose machine to be too much trouble, but if you have the time to mess with it, it's certainly effective at noting changes. However, if something were created in a frequently updated folder, you likely wouldn't notice as it's not practical to investigate changes in those folders. I suppose you could script flushing of those folders nightly.

**MasterGamerJK** · March 23rd, 2012

Use Trucrypt and DONT browse the internet from that machine and that's about all you need : )

PS: NEVER NEVER NEVER use a public access point.

**TheS0urce** · March 25th, 2012

Originally Posted by sammiev

puppy runs from root from what I have tested. If a hacker gets into your root, then they have control. Just my 2 cents. Ms. Daisy posted a great link that can only help.

I agree, that's why I recommend lightweight portable security. It has no root and you can't mount to any devices.

If you do internet banking, reboot and then do it. Any infections will be gone.

http://www.spi.dod.mil/lipose.htm

**Ms. Daisy** · March 25th, 2012

Originally Posted by TheS0urce

I agree, that's why I recommend lightweight portable security. It has no root and you can't mount to any devices.

If you do internet banking, reboot and then do it. Any infections will be gone.

http://www.spi.dod.mil/lipose.htm

Did you read the rest of the posts in this thread?
A live CD will prevent malware from being installed permanently, but it will not prevent browser exploits (like your bank and email passwords getting stolen).

**OpSecShellshock** · March 25th, 2012

I think we're already talking about a single-task, dedicated system. In that sense, using a live CD or USB won't get you anything you're not already getting by having a system entirely dedicated to doing one thing only.

The biggest potential threats for a dedicated system are going to be direct physical access to the machine by another person, weak wireless encryption and/or password, and a router the integrity of which has been somehow compromised (i.e. DNS settings have been maliciously altered). Focus of security effort should be more toward those things.

**sammiev** · March 25th, 2012

Originally Posted by Ms. Daisy

Did you read the rest of the posts in this thread?
A live CD will prevent malware from being installed permanently, but it will not prevent browser exploits (like your bank and email passwords getting stolen).

+1 no need to add more info!