Welcome - 10/21/17
Desktop/Browser Security
ALE - Atlanta Linux Enthusiasts
Thanks for coming out!
We are volunteers. Just some guys trying to spread Linux knowledge.
Server Security is VERY DIFFERENT
This doesn't apply to Server Security.
Desktops and servers are VERY DIFFERENT.
Desktop Security Info
- Take versioned backups daily/weekly/monthly
- Enforce Strong Passwords
- Limit root access
- Physical access is everything, almost always - live CDs, etc.
- Install Software only from trusted sources
- NEVER copy/paste scripts/commands into a terminal - always copy/paste into an editor first.
- Stay patched
- Stay on a currently supported release
Use a Password Manager
- Use a Password Manager
- Use a Password Manager
- Use a Password Manager
KeePassX - F/LOSS - not proprietary.
KeePassX - it is cross platform.
KeePassX - it has a DB that works on Linux, Windows, Android.
KeePassX - it doesn't put your passwords on the internet.
KeePassX - it isn't just for passwords (license keys, passport info, Bank/Insurance accounts, emergency contacts, HDD encryption keys, professional licenses, adoption decrees, etc.)
KeePassX - supports 2-factor authentication.
101 Uses for a Password Manager
Anti-Virus / Running as root
- A/V is for Windows
- Viruses CAN happen if you use WINE - never run WINE as root.
- Avoid running GUI programs as root
Firewalls
- Firewall is built into Linux Kernel
- End-user tools are just interfaces to the kernel firewall
- ufw, gufw, firewalld, iptables, etc.
- Block inbound by default
Browser Security Info
- Block JavaScript, Java, Flash from untrusted sites, by default - NoScript
- Only use session cookies, first-party
- Block 3rd party cookies
- Never store Flash/HTML5 local objects
- Try to use HTTPS whenever possible - HTTPS-Everywhere
- Block ad sites - not hard - /etc/hosts - Pi-Hole
- uBlock / Adblock+
- Firejail - no need to trust Incognito modes
EFF Browser Tracking Test
That's It ... Mostly.
But we can go deeper ... since we are all Power Users
Parts to Desktop Security
- Versioned Backups - always the #1 Security tool
- Stay Patched
- Logging
- Access Controls
- Encryption for all portable devices
- Blocking the Bad Guys - hosts/Javascript
- Informed End-User - don't do stupid things
- Firejail (Advanced)
Versioned Backups
- Automatic
- Daily
- Bug Free - always work
- Efficient
- Encrypted transfer and storage
- Verified/Tested Restores
Stay Patched
Every week ...
- sudo apt update && sudo apt upgrade
If there are any issues, track them down ASAP and fix it.
Package manager issues don't get better over time.
NEVER try to upgrade releases when a package manager isn't working perfectly.
Logging
Log files are located under
- /var/log/
- {program}/logs/
- dmesg - boot logs
- syslog
- auth.log
$ sudo egrep -i 'warn|err' /var/log/*log*
$ sudo apt install logwatch
Configure logwatch in /etc/logwatch/ to send daily emails with log highlights
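As an added example (not part of the ALE slides), a small POSIX shell script that pulls the failed SSH logins out of an auth.log-style file and ranks them by source address: this is the kind of highlight logwatch mails out daily and the pattern Fail2Ban keys its dynamic firewall rules on. The log lines are constructed for the example; the function names are the example's own.

```shell
#!/bin/sh
# Added example: summarise failed SSH logins from an auth.log-style file.
# The sample lines below are constructed, not taken from a real host.
# Three failures from 203.0.113.7, one from 198.51.100.9, one success,
# and one unrelated kernel line that must be ignored.
SAMPLE_LOG=$(cat <<'EOF'
Oct 20 03:14:01 desk sshd[2311]: Failed password for invalid user admin from 203.0.113.7 port 51122 ssh2
Oct 20 03:14:05 desk sshd[2311]: Failed password for invalid user admin from 203.0.113.7 port 51130 ssh2
Oct 20 03:14:09 desk sshd[2313]: Failed password for root from 203.0.113.7 port 51140 ssh2
Oct 20 07:02:44 desk sshd[2400]: Failed password for alice from 198.51.100.9 port 40010 ssh2
Oct 20 07:03:01 desk sshd[2400]: Accepted publickey for alice from 198.51.100.9 port 40010 ssh2
Oct 20 08:00:00 desk kernel: [  123.4] usb 1-1: device descriptor read/64, error -71
EOF
)

# failed_by_source FILE: print "count ip" per source, most failures first.
failed_by_source() {
    grep 'sshd\[[0-9]*\]: Failed password' "$1" \
        | sed -n 's/.* from \([0-9.]*\) port .*/\1/p' \
        | sort | uniq -c | sort -rn \
        | awk '{print $1, $2}'
}

# offenders FILE THRESHOLD: print only sources with THRESHOLD or more failures,
# i.e. the addresses a Fail2Ban-style rule would block.
offenders() {
    failed_by_source "$1" | awk -v t="$2" '$1 >= t {print $2}'
}

# Write the sample to a temp file so the functions work on any log path;
# on a real system you would run e.g. offenders /var/log/auth.log 3 (with sudo).
TMP_LOG=$(mktemp)
printf '%s\n' "$SAMPLE_LOG" > "$TMP_LOG"

echo "Failed SSH logins by source:"
failed_by_source "$TMP_LOG"
echo "Sources at or above 3 failures:"
offenders "$TMP_LOG" 3
```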
Access Controls
- Principle of least privilege
- Only allow the minimum access required to do the job
- umask 077; Use 600/700 permissions when in doubt
- Accounts - expirations, password limits, limit network protocols
- Network access - block access from everywhere EXCEPT where you need it
- Physical access - assume any system can be hacked
Accounts
- Multi-user system
- Take advantage of that for process segmentation
- Set expirations
- Set min length limits
- Set password complexity
- Limit ssh, sftp, at, unless you KNOW the account needs it
- Block outbound email to the internet at the system level
Network Access
- Firewalls should block all inbound requests, even if you are behind a local router
- Firewalls might need to block most outbound requests too
- Don't use passwords for network access
- Use ssh and ssh-keys as your default method
- Fail2Ban and DenyHosts - manage dynamic firewall rules
- Never use VNC without a VPN or tunnel
- VNC has a localhost option - use it!
Physical Access
- Lock unattended computers
- Use Whole Disk Encryption
- Be wary of USB devices/Flash drives
- 15 sec and a USB flash drive is all it takes to pwn a system.
Encryption
- All portable devices need strong encryption - LUKS on Linux
- Solid Passwords - 20+ characters
- Devices are lost or stolen all the time
- Quick automatic locking - 10 min, tops
- Fingerprints, facial recognition, patterns aren't secure.
Blocking the Bad Guys
- Network Architecture - split networks by risks
- Firewalls / Block all inbound connections by default
- /etc/hosts - block known phishing sites, malware hosts, ads
- Blocking Flash and other dangerous addons by default
- Blocking Javascript from untrusted locations by default
- Even if you are behind a NAT router, every system needs to run a firewall
Calendar

September
Su Mo Tu We Th Fr Sa
                1  2
 3  4  5  6  7  8  9
10 11 12 13 14 15 16
17 18 19 20 21 22 23
24 25 26 27 28 29 30

October
Su Mo Tu We Th Fr Sa
 1  2  3  4  5  6  7
 8  9 10 11 12 13 --
15 16 17 18 19 20 21
22 23 24 25 26 27 28
29 30 31