Tux Training

Since I’ve been writing this blog and collecting tutorials, I’ve tried to keep a focus on security and privacy. In light of your computer rights at boarder security, the House Passing the Pro-IP act, malicious script kiddies and crackers in this world, and if it’s a business machine, also worrying about your competition, there are a lot of people in this world that want to know what you’re doing on your computer and online, legally and illegally.

I’m not going to go through any actual tutorial here as most of everything I wish to explain I’ve covered, but tutorials will be linked. I just think step by step we should approach security in Linux.

Drive Encryption

First thing first we need to make sure our drives are encrypted. OpenSuse, Ubuntu, Debian, the upcoming Fedora 9 can all do this for you on the install.

1. Use Yast to Encrypt Partitions
2. Encrypted Root File System During Install in openSuse 10.3
3. Encrypt Your Ubuntu During Install
4. The option to encrypt the entire system is also present during the install for current offerings of Debian and Fedora (see Fedora screenshot below)
5. 

We will also want to secure access to the disks by placing a password on the BIOS (varies by system), by password protecting GRUB and single user mode.

1. Password protect Grub Bootloader
2. How to password protect the single user mode in Linux

Luks via Yast in openSuse, as well as TrueCrypt can also encrypt volumes within container files. I personally stay away from truecrypt for my linux discs and use it solely for my USB keys. Truecrypt cannot encrypt every volume on your linux system, and it’s better to use Luks.

File Encryption and Secure Deletion

You may want to further encrypt single files in case someone accesses your system while it’s up and running with your encrypted volumes mounted.

1. Encrypt-Decrypt file using GPG
2. Encrypt files with OpenSSL

And furthermore hide files with steganography:

1. Steganography in Linux

And when you no longer need files, securely delete them.

1. Securely Delete Files with Wipe
2. Securely Delete files from Journaling Filesystems in Linux
3. Delete Files Permanently and Securely with Shred & SecureDelete

Securing Your System from Network Based Attacks

First thing you should try to abide by as close as you possibly can are the NSA Guides to Securing Redhat Enterprise Linux. This can be applied to just about any distribution. This is a must read.

1. NSA Guides for Securing Red Hat Enterprise Linux 5

You will also want to learn a bit about AppArmor or SELinux, depending on your distro.

1. Securing Your Server With AppArmor
2. A step-by-step guide to building a new SELinux policy module

It’s also a good idea to do file transfers to other machines with ssh/scp or sftp, rather than unencrypted protocols:

1. Basics of ssh and scp
2. The basics of ftp and sftp(remember, it’s generally better to simply use sftp on a machine that’s already running the ssh server so you’re not running more services than necessary. The less there is running, the less there is to make mistakes with and the less vulnerabilities that are exposed.)

You need to know how the linux firewall works (iptables) and configure it tightly. Only allow incoming and outgoing services that YOU manually chose.

1. Basics of iptables
2. Iptables: How to save and restore rules at boot & shutdown

It is also best to run a firewall on your system on top of a firewall provided by your router. On the router, keep the firmware upgraded. Do not allow remote administration of the device, be sure to change it’s default password. Only use wireless if you absolutely need to. If you must turn it on, use WPA over WEP. WPA is much harder to crack.

If you must have the SSH Server turned on, really lock down your box concerning this service:

1. Linux to Linux Key Based SSH
2. Preventing Brute Force Attacks With Fail2ban(somewhat OpenSuse centric)
3. Protect SSH Access With hosts files and a proper sshd_config(tcp wrappers)
4. Mounting a SSH folder locally with sshfs
5. My Personal Tip: Get a piece of junk computer or put one together. Follow the tutorials above regarding using SSH keys, fail2ban (denyhosts is another alternative), properly configure the tcpwrappers, configure the sshd_config properly, limit what users can ssh out of the machine in the ssh_config, configure the firewall tightly, but do not store any data on this machine. Now this machine should be the only machine allowed to connect to your pc within your network. On your machine, duplicate all the following tutorials.

So the connection inwards should look like this: Your ssh connection –> Forward through non-standard port on the router –> to the junk machine after being allowed through via RSA Key/firewall/tcpwrapper/fail2ban/sshd_config –> to your machine after being allowed through RSA Key/firewall/tcpwrapper/fail2ban/sshd_config again.

Overkill? More than likely.

Know who is on your system and know file permissions

First thing you want to know is file and directory permissions. If a user does not have the proper permissions to a file this can be a lifesaver preventing the wrong information from getting into the wrong hands.

1. Linux file permissions
2. How to change a file’s owner and group in Linux
3. umask

You can also check who’s currently logged onto your system with the ‘w’ or the ‘who’ command. And if you don’t like what you see….

1. Kick a user off your linux box

Using Linux as a Secure Desktop

But what about everything else? All those applications we need day to day, email, web surfing, chatting with some buddies, all of this is open to be sniffed by someone else and various vulnerabilities can compromise your system.

Browsers: Most of us already use Firefox. And there’s some ways to make Firefox more secure.

1. NoScript
2. CookieSafe
3. SafeCache
4. Use https sites when the option is available.
5. Set Firefox to clear private data each time the browser is closed as well.
6. In regards to a master password, I avoid Firefox or any browser saving any password. There’s a debate as to whether the MasterPassword to protect your saved passwords is really more secure.

Chat: Use Pidgin with Off the Record Messaging or Gaim Encryption. Encourage others to use Pidgin with OTR or Gaim Encryption as well.

1. Use OTR to Encrypt Pidgin Conversations

Email: I’ve found Evolution and Thunderbird the easiest to setup GPG encryption on. I love me some Kmail, but until security integration works better, I’ll stick with one of these two:

1. Sign & Encrypt your Emails with Thunderbird/Enigmail
2. Encrypt / Sign your Email in Evolution

Bit Torrent: There’s very few networks that are monitored as heavily as bit torrent. But I just can’t keep myself from it. There’s a number of approaches I take.

To avoid traffic shaping, encrypt the bit torrent headers.

1. How to Encrypt Bit Torrent Traffic With Ktorrent and Azurues

Use a client that supports PeerGuardian Blocklists.

1. Ktorrent (built in, but must be enabled)
   
2. Deluge (built in, but must be enabled)
3. Azureus with SafePeer

Use a secure VPN service when using Bit Torrent:

1. Relakks
   

Check Regularly for Compromises

Check for Rootkits: Rootkits are probably the thing you need to check for most. As most Unix based systems normally don’t get infected with spyware and viruses.

1. Scanning for rootkits with chkrootkit
2. Search for rootkits with RKhunter

Check for Viruses: But just in case there is a virus, you should know how to scan for them and remove them.

1. Installing and Running Clam Anti Virus in Linux

Port Scan Attacks: Also you should know how to periodically scan for port scan attacks.

1. The Port Scan Attack Detector

There are a number of systems to aid you in finding compromises and break-ins as well.

1. Detect intruders on your network with Snort
2. Secure your system with Tripwire

And of course there’s some common sense tips:

1. Use strong 12+ character, alphanumeric, upper and lower case passwords, with a symbol that change frequently. Try to avoid words and names as they are vulnerable to dictionary based attacks.
2. When you have the chance to use encrypted keys in place of or in addition to passwords, do so.
3. Change your password every 45-90 days.
4. Never leave your machine logged in when you are away from the box.
5. If possible, keep the system turned off when you’re not using it. If single user mode, grub, the bios, and the unlocking ability for your encrypted drives are all password protected it would be hell to get into the box itself from an off state. Also, in the extremely rare cases that someone can freeze your ram to obtain your LUKs keys, if your machine is already in an off state, chances are those keys will not be in your memory by the time someone accesses the box.
6. Do not allow passwords to be saved by any application. This is tricky with security. Sometimes saved passwords can avoid keyloggers, but if a password is stored, it generally can be retrieved (like Pidgin’s/Gaim’s plaintext accounts.xml file).
7. Extremely limit the personal data you store online. Run your own email server if you have the ability to and learn how to secure that. If you use a third party web mail service, use something along the lines of Hushmail.
8. Do your updates regularly for your system and make sure any repository you connect to is one you can trust.
9. When confronted with law enforcement, know your rights in the country you reside in. For American’s: it’s good to acknowledge that the courts have found passwords that protect encrypted information is protected by our 5th Amendment. You do not have to provide them to anyone.
10. Do not stay logged into the root account. If you log into it in anyway, via ssh, on the commandline locally, or into the desktop environment, and have a problem remembering that you logged in, start using sudo instead.
    1. Root, Superuser, and User Management Basics
    2. Understanding /etc/passwd, /etc/group, /etc/sudoers, and /etc/skel/
11. Don’t get cocky or arrogant with how secure your system is. This is extremely important. Many mac guys and even unix guys criticize how insecure Windows is, and Microsoft products in general. But the main weakness in Windows is it’s users. And that doesn’t change just because you’re using a system with a low adoption ratio, and that doesn’t change simply because you have a unix box. You are not invincible. The safest computer is a non-existing one and there is no such thing as being 100% secure. If you can remember that and not be elitist and arrogant about it like a certain fruit loving tech crowd, you’re good to go.