
Thread: Security for newbies

  1. #11
    Join Date
    Jun 2011
    Location
    The Shadow Gallery
    Beans
    6,744

    Re: Security for newbies

    Quote Originally Posted by Olle Wiklund View Post

    Yes, I think many people are looking forward to a security FAQ for newbies

    Have fun finding out
    Olle
    I can only speak for myself, but I think I am right in assuming dangertux's opinion may be similar.

    The whole FAQ for newbies that you ask for is that holy grail of documents everyone wants where it abstracts the complex and makes things simple.

    Sorry but that won't happen.

    The stickies and suchlike are the closest you will get to that; that's what we were trying to say. Admittedly we are security professionals, and we are not being elitist.

    In fact I always try to help out a lot here where I can.

    The fact is that though we can say do this and that, unless there is a real foundational understanding it is meaningless. We cannot tell anyone how to secure their machine, if we do it step by step then without understanding what or why it was done those steps can be easily undone without knowing.

    Security is a broad subject, ongoing process, steep learning curve and there is no newbie FAQ I am afraid.

    The best security is education, and a forum or a FAQ will not give you that.

    The best we can do as sec professionals in a support capacity is to keep pushing the need to educate and point out gaping holes when they appear as obvious.

    IMHO

    Edit: I am talking for myself here and please don't take me as elitist, but more a realist
    Last edited by haqking; November 2nd, 2011 at 01:31 AM.
    Backtrack - Giving machine guns to monkeys since 2006
    Kali-Linux - Adding a grenade launcher to the machine guns since 2013

  2. #12
    Join Date
    Apr 2011
    Beans
    484

    Re: Security for newbies

    Quote Originally Posted by haqking View Post
    The best security is education, and a forum or a FAQ will not give you that.
    A forum indeed will. However, it's only during the rare juicy bits where the discussion shifts to hows and whys that this happens.
    Life is an extraordinarily long concatenation of luck and coincidence.

  3. #13
    Join Date
    Jun 2011
    Location
    The Shadow Gallery
    Beans
    6,744

    Re: Security for newbies

    Quote Originally Posted by Thewhistlingwind View Post
    A forum indeed will. However, it's only during the rare juicy bits where the discussion shifts to hows and whys that this happens.
    Yeah, I didn't put across what I meant there really.

    I meant it as, you can be on a forum and listen to others and ask for advice, but the real way to learn security is to do it.

    Set up VM, real hardware, test and research vulnerabilities, exploits etc. Play with the plethora of tools out there.

    The thing with forums and FAQs is, people are often lazy. They hear about UFW for example, enable it and think their machine is safe now, and don't know anything about what they did other than enabled a firewall.

    They use Linux and think they are automatically secure.

    People often take advice (and I am generalising) then do it (or not) and that's it.

    Unless they take the time to figure out what it all meant it is useless.

    And like I say I am generalising, there are a lot of people on here and elsewhere who I am sure soak it all up, and go off and maybe themselves get interested so much they end up working in the field.

    I refer really to the whole security FAQ thing; there are no simple explanations for a topic which covers at the minimum 10, themselves very broad, domains of knowledge.

    People often look for a fix-all command or application, and there isn't one, it is an ongoing process along with the constant education.
    Last edited by haqking; November 2nd, 2011 at 02:33 AM.
    Backtrack - Giving machine guns to monkeys since 2006
    Kali-Linux - Adding a grenade launcher to the machine guns since 2013

  4. #14
    Join Date
    Jun 2011
    Location
    Atlanta Georgia
    Beans
    1,769
    Distro
    Ubuntu 10.04 Lucid Lynx

    Re: Security for newbies

    I'm with haqking on this one. Again, not trying to be elitist or all knowing. Admittedly I'm exposed to things by very amazing talented minds every day that truly humble me.

    That being said, an FAQ would be great, and I also would be willing to help. However, there is no short cut here. For instance let's take a commonly asked question.

    "Do I need a firewall with Ubuntu?"

    That would certainly be a frequently asked question as I know I've answered it 3-4 times in the last week alone on this forum (and I've been less active than I usually am).

    If you look at the answer it is not nearly as simple as the question.

    There are a few commonly given answers to this question. For instance.

    "You have no open ports so you don't need one."

    Now, I'm almost certain if you actually thought about how firewalls work, and how the threats you are exposed to work you might find that using a firewall with strong inbound and outbound rules is preferable to not using one.

    Now that's just a simple recommendation, based on only partial knowledge and a simple question. We can further this by complicating the original situation.

    For instance different use cases might require different levels of security. On my personal machine I literally do nothing of consequence, so I'm not going to spend time securing my home network and personal computer that much. I don't use it for banking, I rarely make a purchase on my home computer, in fact I pretty much browse these forums and other websites that amuse me. Or I may play around with some idea I have in a VM. In any case all inconsequential things.

    That being said, someone else in this very thread may work from home and rely on e-commerce to pay their bills. Their needs may be considerably different in terms of security than mine. Their risk is higher, thus their expected loss is higher, rightly they should spend more time securing their home system.

    So suddenly the answer to a six word question isn't really so short anymore, in fact I could increase this wall of text with more information making it a veritable K2 of security factoids.

    So when making an FAQ you really have to ask yourself what is the average use case? This is where best practices come into play. Which in my opinion the security stickies cater to nicely.

    With the exception of a few things from the stickies that I disagree with, or think could be worded more appropriately, I think an FAQ might prove to be a duplication of effort in some regards, unless it somehow became a more comprehensive document, based on questions that forum users asked more specifically than "do I need antivirus", as the cookie cutter security topics in Ubuntu have been covered ad nauseam for those converting from the Windows world.

    Hope this clarifies my original point.

  5. #15
    WasMeHere is offline Iced Almond Soy Ubuntu, No Foam
    Join Date
    May 2008
    Location
    Sverige
    Beans
    1,133

    Re: Security for newbies

    @ Dangertux & haqking

    I have read several of your posts in the Ubuntu Forums, and I really appreciate your contributions. I realize that you know what you are writing about and that you really want to help the people who are posting questions.

    What if MrLeek, Ms. Daisy and I start asking a few questions relevant to us (and maybe to some of our friends)? Other people may show up asking their questions. Do you think that our questions would be relevant to other people? Would your answers be relevant only to us or also to other people in similar situations?

    -o-

    I have no incoming port open on my firewall, a simple router + firewall. I have a wired LAN inside the firewall with computers for my family members. The children have dual boot, Linux + Windows (Vista and XP). I have a vanilla Ubuntu 10.04 LTS Desktop where I have installed server daemons for ssh and samba to make it easy to share files and scanner. I have also a workstation for multimedia and HD video editing with Ubuntu Studio and Win XP. A printer is attached via the LAN.

    Q1 Would you recommend that I shut down the server daemons?

    Q2 We use Panda (paid) and Avast (free) antivirus in Windows. What would you recommend? Do we need antivirus for Linux?

    Q3 Are there any email or social network services that we should avoid?

    Q4 What about cloud file servers?

    Q5 What about internet banking and credit card payment?

    Q6 Are there any risks with electronic login and signature via a system via files in the computer (supported by Swedish banks and used by several public service organisations as well as the tax authority.)

    Edit: Q7 I backup my 'workhorse computer' once every month unless a lot of work (or pictures/movies) make me do it more often. I use unison to sync my multimedia partition with an external disk and I use Clonezilla to make images of the other partitions. I keep one external disk in a bank vault, so that my pictures won't burn if the house would burn. The other computers are also cloned but not as frequently.

    Quantum satis: What do you want to add, that I have overlooked at this late hour?

    Olle
    Last edited by WasMeHere; November 2nd, 2011 at 03:04 AM. Reason: backup

  6. #16
    Join Date
    Jun 2011
    Location
    Atlanta Georgia
    Beans
    1,769
    Distro
    Ubuntu 10.04 Lucid Lynx

    Re: Security for newbies

    Quote Originally Posted by Olle Wiklund View Post
    @ Dangertux & haqking

    I have read several of your posts in the Ubuntu Forums, and I really appreciate your contributions. I realize that you know what you are writing about and that you really want to help the people who are posting questions.

    What if MrLeek, Ms. Daisy and I start asking a few questions relevant to us (and maybe to some of our friends)? Other people may show up asking their questions. Do you think that our questions would be relevant to other people? Would your answers be relevant only to us or also to other people in similar situations?

    -o-

    I have no incoming port open on my firewall, a simple router + firewall. I have a wired LAN inside the firewall with computers for my family members. The children have dual boot, Linux + Windows (Vista and XP). I have a vanilla Ubuntu 10.04 LTS Desktop where I have installed server daemons for ssh and samba to make it easy to share files and scanner. I have also a workstation for multimedia and HD video editing with Ubuntu Studio and Win XP. A printer is attached via the LAN.

    Q1 Would you recommend that I shut down the server daemons?

    Q2 We use Panda (paid) and Avast (free) antivirus in Windows. What would you recommend? Do we need antivirus for Linux?

    Q3 Are there any email or social network services that we should avoid?

    Q4 What about cloud file servers?

    Q5 What about internet banking and credit card payment?

    Q6 Are there any risks with electronic login and signature via a system via files in the computer (supported by Swedish banks and used by several public service organisations as well as the tax authority.)

    Quantum satis: What do you want to add, that I have overlooked at this late hour?

    Olle
    Obviously the answer will be most relevant to the situation it is directed at. That is not to say another user could not find themselves in a similar situation or where the information could still be useable.

    Now on to the questions

    A1) No, I would not recommend disabling daemons that you are utilizing. The goal is to be as secure as possible while maintaining the needed functionality. That being said, what I would recommend is that you keep the services up to date with the latest security updates. Also, make sure you are using strong credentials for authentication with those services. I would also recommend making sure they are properly confined inside the local network. For instance if you don't need them accessible from the outside world, or only certain IPs within the network, you should use iptables to make that the case. I would also consider enforcing mandatory access controls (AppArmor), particularly on samba which is the more vulnerable of the two services.

    A2) It's my personal belief that an anti-malware solution for Linux is a great idea. Too bad nobody makes one that works well that is free or even mildly affordable for home use. Anti-Malware/Virus provides an additional active layer of heuristics based protection that can stop some threats even if not signatured threats. (Again, it has to be decent; ClamAV doesn't fill the bill.)

    A3) Yes all of them. However in line with best practices... Use the ones you like. However make sure you're using strong credentials, a browser addon such as NoScript, and security questions that aren't something like "what color is your house that is shown in your profile picture?". Also make sure you're not reusing your passwords across emails and different social networking sites.

    A4) What about them? For backing up non-valuable personal files I think they're great. That being said you could argue cloud security is half decent since services like Dropbox do rely on a strong encryption method (AES). Depends on what you're putting on them. Your personal financial information. No. Some family photos from your last vacation, sure, why not?

    A5) Again, what about it? Force HTTPS, don't access it from public Wi-Fi, use NoScript. Make sure the rest of your system security is decent, i.e. your samba service didn't get exploited because your printer was running a telnet server that you didn't know about and Lexmark is bad with updates, and after all this now your home PC is keylogged and rootkitted because someone sniffed your ssh credentials via an ssh version attack.

    A6) I'm not familiar with the technology the Swedish government uses for this so I can't comment.

    A7) Good job doing backups, but that's not a question.

    Extra Credit : Don't give attackers more information than they need. For instance, an explanation of every service operating system and relative patch level running on your network, probably shouldn't be posted on the internet.

    Hope this helps
    Last edited by Dangertux; November 2nd, 2011 at 03:30 AM.
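
The LAN confinement recommended in A1, as an added example that is not part of Dangertux's post: a script that prints iptables rules allowing ssh and samba only from one subnet. The subnet `192.168.1.0/24` and the function name `lan_only_rules` are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): print iptables rules that confine
# ssh and samba to one LAN subnet. Nothing is applied by this script.

# Assumed LAN subnet, constructed for illustration; use your own.
LAN_CIDR="${LAN_CIDR:-192.168.1.0/24}"

# Well-known ports: ssh 22/tcp; samba 139,445/tcp and 137,138/udp.
TCP_PORTS="22 139 445"
UDP_PORTS="137 138"

lan_only_rules() {
    cidr="$1"
    # Rough sanity check, not a full CIDR parser: refuse an empty value,
    # "everything" (0.0.0.0/0), stray characters, or a missing prefix.
    case "$cidr" in
        ""|0.0.0.0/0|*[!0-9./]*) echo "refusing source '$cidr'" >&2; return 1 ;;
        */*) ;;
        *) echo "expected a.b.c.d/nn, got '$cidr'" >&2; return 1 ;;
    esac

    # Keep loopback and replies to connections this host started.
    echo "iptables -A INPUT -i lo -j ACCEPT"
    echo "iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"

    # Order matters: the LAN ACCEPT must precede the catch-all DROP per port.
    for proto in tcp udp; do
        if [ "$proto" = tcp ]; then ports="$TCP_PORTS"; else ports="$UDP_PORTS"; fi
        for port in $ports; do
            echo "iptables -A INPUT -p $proto --dport $port -s $cidr -j ACCEPT"
            echo "iptables -A INPUT -p $proto --dport $port -j DROP"
        done
    done
}

# Print for review; load with:  sh this_script.sh | sudo sh
lan_only_rules "$LAN_CIDR"
```

Compare the output with `sudo iptables -S INPUT` before loading it: these rules are appended, so an existing broader ACCEPT earlier in the chain would still match first.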

  7. #17
    Join Date
    Jun 2011
    Location
    The Shadow Gallery
    Beans
    6,744

    Re: Security for newbies

    OK, well Dangertux covered everything well there.

    One point I will mention, as we already pointed out it is all about education. And it is often very hard to give specific answers without really having access to the network or details of.

    I would like to draw something from your post, the "what about cloud server" question. This is what we mean, how do we answer a non-specific question that covers a topic which covers so many broad domains.

    For the most part a cloud server is just a server in a cloud, the security principles remain the same.

    Email and social sites. Well, what can we say without an understanding of email transport mechanisms and protocols, social sites and their XSS and CSRF issues etc, data mining etc.

    Every security question can cover multiple areas which all rely on foundational topics.
    Backtrack - Giving machine guns to monkeys since 2006
    Kali-Linux - Adding a grenade launcher to the machine guns since 2013

  8. #18
    WasMeHere is offline Iced Almond Soy Ubuntu, No Foam
    Join Date
    May 2008
    Location
    Sverige
    Beans
    1,133

    Re: Security for newbies

    Thank you Dangertux & haqking

    for the clarifying answers and for your patience! I have to look into AppArmor and NoScript.

    Your answers created new questions.

    Q8 What do you know about the Brother drivers for network printers?

    Q9 A relative of mine uses Avast antivirus for Linux. Do you know anything about it?

    Q10 Would it be a good idea to do the economical transactions from the multimedia computer instead of the 'workhorse', because there are no servers for ssh, samba and printer. And it is switched off most of the time (Ubuntu Studio 11.04, Natty).

    Having fun finding out
    Olle

  9. #19
    Join Date
    Jun 2011
    Location
    Atlanta Georgia
    Beans
    1,769
    Distro
    Ubuntu 10.04 Lucid Lynx

    Re: Security for newbies

    Quote Originally Posted by Olle Wiklund View Post
    Thank you Dangertux & haqking

    for the clarifying answers and for your patience! I have to look into AppArmor and NoScript.

    Your answers created new questions.

    Q8 What do you know about the Brother drivers for network printers?

    Q9 A relative of mine uses Avast antivirus for Linux. Do you know anything about it?

    Q10 Would it be a good idea to do the economical transactions from the multimedia computer instead of the 'workhorse', because there are no servers for ssh, samba and printer. And it is switched off most of the time (Ubuntu Studio 11.04, Natty).

    Having fun finding out
    Olle
    A8) Don't know of any vulnerabilities off the top of my head without researching them (this doesn't mean they're not there)

    A9) I've tested it, it's pretty much useless against anything other than known Windows Malware.

    A10) Obviously separation of resources will help strengthen your security model. Ever hear the expression "Don't put all your eggs in one basket"? Same concept here. So long as the overall security level of the "workhorse" system is equal or better than the overall level of the server.

    Hope that helps.

  10. #20
    Join Date
    Dec 2007
    Beans
    12,521

    Re: Security for newbies

    Quote Originally Posted by Olle Wiklund View Post
    Thank you Dangertux & haqking

    for the clarifying answers and for your patience! I have to look into AppArmor and NoScript.
    ...
    I'm reading this thread with great interest and some of the newbie comments certainly reflect my concerns as well.

    I also empathize with the experts' point of view but a greater adoption of Linux is going to mean more people wanting "security" out of the box with little or no effort on their part.

    To some extent, the problem could be broken down into two parts.

    The first would be making things more secure fundamentally, using the strengths of Linux.

    The second would be educating people about "social engineering" which is basically parting with information about oneself to crooks, installing software provided by crooks, and the like.

    I feel the second aspect, including using a browser safely, can be picked up anywhere but the first has to come from Linux-specific education.

    I can point to so many sources that claim that Linux is safe out of the box, but then, after poking about a bit, one reads about people who've enabled ufw and experts who have locked stuff down using AppArmor.

    As Ms. Daisy said, we who've moved over from Windows, miss our blankets.

    I would welcome a tutorial for dummies about security for the home user of Linux.
