Welcome - 10/21/17

DESKTOP/BROWSER SECURITY

ALE - Atlanta Linux Enthusiasts - http://ale.org/
- sign up for our email lists
  - General email list - ale
  - ALE Study Group list - ale-study
- Meetup.com Group (google "_ale linux_")
  https://www.meetup.com/ALE-Atlanta-Linux-Enthusiasts/

THANKS FOR COMING OUT!
We are volunteers. Just some guys trying to spread Linux knowledge.

Server Security is VERY DIFFERENT
This talk doesn't apply to server security. DESKTOPS AND SERVERS ARE VERY DIFFERENT.

Desktop Security Info
- Take VERSIONED backups daily/weekly/monthly
- Enforce strong passwords
- Limit root access
- Physical access is everything, almost always - live CDs, etc.
- Install software only from trusted sources
- NEVER copy/paste scripts/commands into a terminal - always paste into an editor first. A web page can put hidden text or extra commands on the clipboard that you never saw on screen; in an editor you see exactly what will run.
- Stay patched
- Stay on a currently supported release

Use a Password Manager
- Use a Password Manager
- Use a Password Manager
- Use a Password Manager

KeePassX
- F/LOSS - not proprietary
- cross platform
- one DB that works on Linux, Windows, Android
- doesn't put your passwords on the internet
- isn't just for passwords (license keys, passport info, bank/insurance accounts, emergency contacts, HDD encryption keys, professional licenses, adoption decrees, etc.)
- supports a key file as a second factor alongside the master password (composite key), so a stolen DB plus a guessed password is still not enough

101 Uses for a Password Manager

Anti-Virus / Running as root
- A/V is for Windows
- Viruses CAN happen if you use WINE - never run WINE as root
- Avoid running GUI programs as root

Firewalls
- Firewall is built into the Linux kernel (netfilter)
- End-user tools are just interfaces to the kernel firewall
  - ufw, gufw, firewalld, iptables, etc.
- Block inbound by default

Browser Security Info
- Block JavaScript, Java, Flash from untrusted sites, by default - NoScript
- Only use session cookies, first-party
- Block 3rd party cookies
- Never store Flash/HTML5 _local objects_
- Try to use HTTPS whenever possible - HTTPS-Everywhere
- Block ad sites - not hard
  - /etc/hosts
  - Pi-Hole
  - uBlock / Adblock+
- Firejail - sandbox the browser. Don't rely on Incognito/private modes: they only limit what the browser stores locally, not what a compromised browser can do to the rest of your account.
- EFF Browser Tracking Test (Panopticlick)

That's It ... Mostly.
But we can go deeper ... since we are all _Power Users_

Parts to Desktop Security
- Versioned Backups - always the #1 security tool
- Stay Patched
- Logging
- Access Controls
- Encryption for all portable devices
- Blocking the Bad Guys - hosts/JavaScript
- Informed End-User - don't do stupid things
- Firejail (Advanced)

Versioned Backups
- Automatic
- Daily
- Bug free - always work
- Efficient
- Encrypted transfer and storage
- Verified/Tested Restores

Stay Patched
Every week ...
- sudo apt update && sudo apt upgrade
If there are any issues, track them down ASAP and fix them. Package manager issues don't get better over time.
NEVER try to upgrade releases when the package manager isn't working perfectly.
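The "Stay Patched" rule above has two halves: upgrade every week, and never upgrade (especially across releases) while the package manager is unhealthy. The script below is an added example, not something from the talk or from ALE, that wires those two together on a Debian/Ubuntu desktop (assumed: apt, dpkg and Ubuntu's do-release-upgrade are present). The two check commands are kept in variables only so the gate can be exercised without a real package database; on a real system leave them at their defaults.

```shell
#!/bin/sh
# Added example: weekly-update wrapper that refuses to run 'apt upgrade' or a
# release upgrade while dpkg/apt report a broken state.
# DPKG_AUDIT and APT_CHECK are overridable for testing (assumption for the
# example); their defaults are the real commands.
DPKG_AUDIT=${DPKG_AUDIT:-"dpkg --audit"}   # prints nothing when every package is fully installed/configured
APT_CHECK=${APT_CHECK:-"apt-get check"}    # exit 0 when all dependencies are satisfiable

# pkg_state_ok: returns 0 only if dpkg reports no half-installed or
# unconfigured packages AND apt's dependency check passes.
# On failure it prints the reason and returns 1.
pkg_state_ok() {
    audit=$($DPKG_AUDIT 2>&1) || { echo "dpkg --audit failed: $audit"; return 1; }
    if [ -n "$audit" ]; then
        echo "dpkg reports inconsistent packages:"
        echo "$audit"
        return 1
    fi
    if ! $APT_CHECK >/dev/null 2>&1; then
        echo "apt-get check failed: unmet dependencies, run 'sudo apt -f install' first"
        return 1
    fi
    return 0
}

# weekly_update: the talk's 'apt update && apt upgrade', gated on a clean state.
weekly_update() {
    pkg_state_ok || { echo "Fix the package manager before upgrading."; return 1; }
    sudo apt update && sudo apt upgrade
}

# release_upgrade: the same gate for the much riskier jump to a new release.
release_upgrade() {
    pkg_state_ok || { echo "NEVER change releases with a broken package manager."; return 1; }
    sudo do-release-upgrade
}

# Only act when given an argument; sourcing the file just defines the functions.
case "${1:-}" in
    weekly)  weekly_update ;;
    release) release_upgrade ;;
esac
```

Run it as `sh weekly-update.sh weekly` from cron or by hand; if it prints a dpkg or apt complaint instead of upgrading, that complaint is the thing to fix first, exactly as the slide says.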
Logging
Log files are located under
- /var/log/
- {program}/logs/
- dmesg - boot/kernel messages
- syslog
- auth.log - logins, sudo, ssh
$ sudo egrep -i 'warn|err' /var/log/*log*
$ sudo apt install logwatch
Configure logwatch in /etc/logwatch/ to send daily emails with log highlights

Access Controls
- Principle of least privilege - only allow the minimum access required to do the job
- umask 077; use 600/700 permissions when in doubt
- Accounts - expirations, password limits, limit network protocols
- Network access - block access from everywhere EXCEPT where you need it
- Physical access - assume any system can be hacked

Accounts
- Multi-user system - take advantage of that for process segmentation
- Set expirations
- Set min length limits
- Set password complexity
- Limit ssh, sftp, at, unless you KNOW the account needs it
- Block outbound email to the internet at the system level

Network Access
- Firewalls should block all inbound requests, even if you are behind a local router
- Firewalls might need to block most outbound requests too
- Don't use passwords for network access - use ssh and ssh-keys as your default method
- Fail2Ban (firewall rules) and DenyHosts (/etc/hosts.deny) - ban sources after repeated failed logins
- Never use VNC without a VPN or ssh tunnel - VNC has a localhost-only option, use it!

Physical Access
- Lock unattended computers
- Use whole disk encryption
- Be wary of USB devices/flash drives - 15 sec and a USB flash drive is all it takes to pwn a system

Encryption
- All portable devices need strong encryption - LUKS on Linux
- Solid passwords - 20+ characters
- Devices are lost or stolen all the time
- Quick automatic locking - 10 min, tops
- Fingerprints, facial recognition, patterns aren't secure

Break!
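The Logging slide's egrep one-liner and the Access Controls slide's "600/700 when in doubt" both turn into a weekly audit once you write them down. The script below is an added example (not from the talk or from ALE) with two functions: one summarises failed ssh logins per source address from an auth.log, the other lists anything under a directory that is readable, writable or executable by group or others. Both take their input as an argument, so they run against /var/log/auth.log and $HOME on a real desktop, or against the constructed sample log embedded here. The log format assumed is the Debian/Ubuntu sshd line shown in the comment.

```shell
#!/bin/sh
# Added example: weekly desktop audit helpers for the Logging and Access
# Controls slides. Nothing here needs root when run against your own files.

# failed_ssh_logins FILE
# Prints "COUNT IP" for sshd "Failed password" lines, most frequent first.
# Assumed line layout (Debian/Ubuntu auth.log):
#   Oct 21 09:58:11 host sshd[2201]: Failed password for invalid user x from 203.0.113.7 port 51122 ssh2
failed_ssh_logins() {
    grep 'sshd\[[0-9]*\]: Failed password' "$1" \
    | sed -n 's/.* from \([0-9a-fA-F.:]*\) port [0-9]*.*/\1/p' \
    | sort | uniq -c | sort -rn \
    | awk '{ print $1, $2 }'
}

# loose_perms DIR
# Lists files and directories under DIR with any group/other bit set, i.e.
# anything looser than the 600/700 the talk recommends for a home directory.
# (-perm /077 = "any of these bits", GNU find syntax.)
loose_perms() {
    find "$1" \( -type f -o -type d \) -perm /077 -print | sort
}

# sample_auth_log FILE
# Writes a small CONSTRUCTED auth.log (example data, not a real capture):
# three failures from one address, one from another, plus unrelated lines.
sample_auth_log() {
cat > "$1" <<'EOF'
Oct 21 09:58:11 desk sshd[2201]: Failed password for invalid user admin from 203.0.113.7 port 51122 ssh2
Oct 21 09:58:13 desk sshd[2201]: Failed password for invalid user admin from 203.0.113.7 port 51122 ssh2
Oct 21 09:58:20 desk sshd[2204]: Failed password for root from 203.0.113.7 port 51130 ssh2
Oct 21 10:01:02 desk sshd[2210]: Accepted publickey for ale from 192.0.2.10 port 40022 ssh2
Oct 21 10:03:45 desk sshd[2215]: Failed password for ale from 198.51.100.4 port 40100 ssh2
Oct 21 10:04:00 desk CRON[2220]: pam_unix(cron:session): session opened for user root by (uid=0)
EOF
}

# Usage: audit.sh demo | logins [FILE] | perms [DIR]
case "${1:-}" in
    demo)
        tmp=$(mktemp -d)
        sample_auth_log "$tmp/auth.log"
        echo "Failed ssh logins by source (sample log):"
        failed_ssh_logins "$tmp/auth.log"
        rm -rf "$tmp" ;;
    logins) failed_ssh_logins "${2:-/var/log/auth.log}" ;;
    perms)  loose_perms "${2:-$HOME}" ;;
esac
```

`sh audit.sh demo` prints `3 203.0.113.7` then `1 198.51.100.4`; `sudo sh audit.sh logins` does the same for the real auth.log, and `sh audit.sh perms` is the list to feed to `chmod 600`/`chmod 700` (or to decide deliberately which entries really need to be shared).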
Break - 5 minutes

More Resources
- Google "{distro} desktop security"
- Secure Browser Settings
- Secure Linux Desktops
- Blocking Ads with /etc/hosts
- WiFi Router Security Checklist

Blocking the Bad Guys
- Network architecture - split networks by risk
- Firewalls - block all inbound connections by default
- /etc/hosts - block known phishing sites, malware hosts, ads
- Block Flash and other dangerous addons by default
- Block JavaScript from untrusted locations by default
- Even if you are behind a NAT router, every system needs to run a firewall

Calendar
  September 2017              October 2017
Su Mo Tu We Th Fr Sa      Su Mo Tu We Th Fr Sa
                1  2       1  2  3  4  5  6  7
 3  4  5  6  7  8  9       8  9 10 11 12 13 --
10 11 12 13 14 15 16      15 16 17 18 19 20 21
17 18 19 20 21 22 23      22 23 24 25 26 27 28
24 25 26 27 28 29 30      29 30 31
-- means no meeting

Thanks / Feedback
- Thanks for coming.
- Please let us know how we are doing.
- Slides are here: lpi.jdpfu.com/2017-Fall/17-10-21-Desktop_Security.html
- Email - DJPfulio - at - jdpfu.com
- blog.jdpfu.com
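Blocking the Bad Guys - /etc/hosts example (added)
The /etc/hosts item under "Blocking the Bad Guys" (and "Blocking Ads with /etc/hosts" in the resources) is simple until you maintain it: published lists get updated, and you want to re-apply them without clobbering your own entries or duplicating the block. The script below is an added example, not from the talk or from ALE, that keeps the blocked domains between two marker comments (the marker text is this example's own choice) and regenerates only that section. Domains are mapped to 0.0.0.0 rather than 127.0.0.1 so blocked requests fail immediately instead of probing a local port, and every list entry is validated as a bare hostname, so a hostile list cannot smuggle in an arbitrary "IP domain" mapping for a site you use. Work on a copy first and review it before copying it over /etc/hosts as root.

```shell
#!/bin/sh
# Added example: idempotent /etc/hosts blocklist section.
# Marker lines delimit the generated section (names chosen for this example).
BEGIN_MARK='# BEGIN ale-blocklist'
END_MARK='# END ale-blocklist'

# normalise_domains LISTFILE
# Accepts hosts-style ("0.0.0.0 host" / "127.0.0.1 host") or plain-domain
# lists. Strips comments and whitespace, lowercases, keeps only syntactically
# valid hostnames with at least one dot, and dedupes. Anything else (including
# "1.2.3.4 bank.example.com" from a hostile list) is dropped.
normalise_domains() {
    sed -E -e 's/#.*//' \
           -e 's/^[[:space:]]*//' \
           -e 's/^(0\.0\.0\.0|127\.0\.0\.1)[[:space:]]*//' \
           -e 's/[[:space:]]*$//' "$1" \
    | tr 'A-Z' 'a-z' \
    | grep -E '^[a-z0-9]([a-z0-9-]*[a-z0-9])?(\.[a-z0-9]([a-z0-9-]*[a-z0-9])?)+$' \
    | sort -u
}

# apply_blocklist HOSTSFILE LISTFILE
# Rewrites HOSTSFILE in place: everything outside the marker pair is kept
# verbatim, the section between the markers is replaced with one
# "0.0.0.0 domain" line per domain. Prints the number of domains blocked.
apply_blocklist() {
    hosts=$1; list=$2
    domains=$(normalise_domains "$list")
    tmp=$(mktemp) || return 1
    awk -v b="$BEGIN_MARK" -v e="$END_MARK" '
        $0 == b { skip = 1; next }
        $0 == e { skip = 0; next }
        !skip   { print }
    ' "$hosts" > "$tmp"
    {
        echo "$BEGIN_MARK"
        [ -z "$domains" ] || printf '%s\n' "$domains" | sed 's/^/0.0.0.0 /'
        echo "$END_MARK"
    } >> "$tmp"
    cat "$tmp" > "$hosts" && rm -f "$tmp"     # cat keeps HOSTSFILE's owner and mode
    printf '%s' "$domains" | awk 'END { print NR }'
}

# is_blocked HOSTSFILE DOMAIN: 0 if DOMAIN has a 0.0.0.0 line in HOSTSFILE.
is_blocked() {
    grep -qxF "0.0.0.0 $2" "$1"
}

# sample_blocklist FILE: writes a CONSTRUCTED list mixing formats and junk
# (example data only) to try the script on.
sample_blocklist() {
cat > "$1" <<'EOF'
# Constructed sample list: hosts-style entries, plain domains, comments, junk
0.0.0.0 ads.example.com   # tracker
127.0.0.1 Telemetry.Example.NET
  pixel.example.org
ads.example.com
1.2.3.4 bank.example.com
not a domain
localhost
EOF
}

# Usage: hosts-block.sh HOSTSFILE LISTFILE   (e.g. a copy of /etc/hosts)
[ $# -eq 2 ] && apply_blocklist "$1" "$2"
```

Running `cp /etc/hosts ~/hosts.new && sh hosts-block.sh ~/hosts.new blocklist.txt` prints the domain count and leaves your localhost lines untouched; re-running with a newer list replaces only the marked section, and `diff /etc/hosts ~/hosts.new` shows exactly what would change before `sudo cp ~/hosts.new /etc/hosts`.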