# Is this enough or do I need to do more to secure my PC?

## FizzyWidget

I know that security is a trade-off between it and usability, but I just want to make sure I haven't missed anything, really.

All machines are for home use and sit behind a router which has SPI; all ports are closed and only opened when they are needed.

I have read through the Gentoo security pages and have done:

2.d. Restricting Console Usage

4.a. Mounting partitions - adding the extra mount options it suggests

10. Securing Services - Samba, MySQL, SSH (removed root logins, blank passwords, changed port) and X

12. Firewalls

```
#!/bin/bash

# Start from an empty filter table and deny everything by default in all
# three directions; the rules below punch the holes. (-F flushes the rules
# in the built-in chains only; user-defined chains would need -X as well.)
iptables -F
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP

# Ethernet: this host may open TCP/UDP connections outward, and only the
# replies to those connections are accepted back in. No ICMP rule exists,
# so pings and ICMP errors (e.g. fragmentation-needed, which path MTU
# discovery relies on) fall through to the DROP policy.
iptables -A INPUT  -i eth0 -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT  -i eth0 -p udp -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -o eth0 -p udp -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

# Wireless interfaces: same pattern as eth0, currently disabled.
# Wireless inet 0
#iptables -A INPUT  -i wlan0 -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
#iptables -A OUTPUT -o wlan0 -p tcp -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
#iptables -A INPUT  -i wlan0 -p udp -m state --state ESTABLISHED,RELATED -j ACCEPT
#iptables -A OUTPUT -o wlan0 -p udp -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

# Wireless inet 1
#iptables -A INPUT  -i wlan1 -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
#iptables -A OUTPUT -o wlan1 -p tcp -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
#iptables -A INPUT  -i wlan1 -p udp -m state --state ESTABLISHED,RELATED -j ACCEPT
#iptables -A OUTPUT -o wlan1 -p udp -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

# Wireless inet 2
#iptables -A INPUT  -i wlan2 -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
#iptables -A OUTPUT -o wlan2 -p tcp -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
#iptables -A INPUT  -i wlan2 -p udp -m state --state ESTABLISHED,RELATED -j ACCEPT
#iptables -A OUTPUT -o wlan2 -p udp -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

# Loopback is unrestricted.
iptables -A INPUT  -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

# Accept anything arriving from the home LAN block on the wired interface.
# This matches on source address only, so it is only safe on a network
# where that block really is the home LAN (the same rule on a wireless
# interface would also trust a cafe network that happens to use it).
iptables -A INPUT -s 192.168.1.0/24 -i eth0 -j ACCEPT
#iptables -A INPUT -s 192.168.1.0/24 -i wlan0 -j ACCEPT
#iptables -A INPUT -s 192.168.1.0/24 -i wlan1 -j ACCEPT
#iptables -A INPUT -s 192.168.1.0/24 -i wlan2 -j ACCEPT

# Explicit final drop per interface; redundant with the INPUT policy but
# makes the intent visible in 'iptables -L'.
iptables -A INPUT -i eth0 -j DROP
#iptables -A INPUT -i wlan0 -j DROP
#iptables -A INPUT -i wlan1 -j DROP
#iptables -A INPUT -i wlan2 -j DROP
```

and have added an IDS, in this case Tripwire, and moved everything onto an encrypted USB stick.

Is there anything I have missed, or will that cover a home system without restricting it too much?

----------
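What an IDS like Tripwire actually checks, boiled down to a few lines of shell as an added example (this is not the poster's setup and not Tripwire itself): hash every file under a directory into a baseline, then later report the files that were added, removed or changed. It assumes coreutils `sha256sum` and a POSIX `awk`; the `fim_*` names and the `baseline`/`verify` subcommands are invented for the example.

```shell
#!/bin/sh
# Added example: a minimal Tripwire-style file-integrity check.
# Usage:  fim.sh baseline DIR DBFILE      (record the trusted state)
#         fim.sh verify   DIR DBFILE      (exit 1 and list differences)
# Assumes coreutils sha256sum/find/sort and a POSIX awk.

# One "hash  path" line per regular file under DIR, sorted by path so the
# baseline file itself is stable and diff-able.
fim_snapshot() {
    find "$1" -type f -exec sha256sum {} + | sort -k 2
}

# Write the baseline. Keep DBFILE somewhere the running system cannot
# rewrite (read-only or removable media); an intruder who can regenerate
# the baseline can hide any change.
fim_baseline() {
    fim_snapshot "$1" > "$2"
}

# Compare the live tree with the baseline. Prints ADDED / REMOVED / CHANGED
# lines and returns 1 if there is any difference, 0 if the tree is clean.
fim_verify() {
    report=$(fim_snapshot "$1" | awk -v db="$2" '
        BEGIN {
            # load baseline: old[path] = hash
            while ((getline line < db) > 0) {
                split(line, f, "  ")
                old[f[2]] = f[1]
            }
        }
        {
            split($0, f, "  ")
            path = f[2]
            if (!(path in old)) {
                print "ADDED   " path
            } else {
                if (old[path] != f[1]) print "CHANGED " path
                delete old[path]        # seen; whatever is left was removed
            }
        }
        END { for (p in old) print "REMOVED " p }
    ' | sort)
    [ -z "$report" ] && return 0
    printf '%s\n' "$report"
    return 1
}

case "${1-}" in
    baseline) fim_baseline "$2" "$3" ;;
    verify)   fim_verify "$2" "$3" ;;
esac
```

Run `verify` from a trusted environment (a live CD with the USB stick mounted, for instance), because a rootkit that hooks the kernel or replaces `sha256sum` on the compromised system can lie to a checker that runs on that same system. That is the same reason chkrootkit and rkhunter, mentioned further down the thread, are most trustworthy when run from clean media.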

## avx

Depends, what threats are you expecting?

You could use encryption, sandboxing some applications, have filtering proxies and more, not forgetting backup systems. All that is related to what you fear, though, so you should first make up your mind about this.

----------

## FizzyWidget

General threats. I already run from encrypted LVM; having just come from Windows to Linux full time, I'm not sure what is enough or too much to make sure you keep people out that you don't want in on your PCs.

Most if not all of the outgoing traffic will be from me, as I use the PCs the most; I'm just concerned about holes or issues that might let people in.

----------

## avx

As long as you're not blindly clicking everything, you shouldn't have much to worry about. Lock down Flash and JS in your browser and that should more or less be enough. But if you want more, there are things like SELinux/AppArmor, kernel additions like SMACK or RSBAC, you could run a hardened system, etc. Many of these things aren't convenient to use, though, and some need a lot of knowledge, so maybe read up and then decide.

----------

## West201

It would be helpful if you learn how to implement SELinux properly. One of the biggest threats to any Linux system is the rootkit: http://en.wikipedia.org/wiki/Rootkit

----------

## phajdan.jr

Make sure to update regularly.

----------

## FizzyWidget

Yes, I update once a day. As to the rootkit, I was advised against using chkrootkit and rkhunter as it was said they produce false positives; should I install them?

----------

## Bones McCracker

It's a good practice to treat wireless networks as being somewhat non-secure.  Rather than treating them like your LAN (you are accepting all traffic), you may want to reject traffic coming in on the wireless interfaces by default, and then specifically add rules to accept new connections of only certain types (or only from certain MAC addresses).

I didn't notice if you are using the hardened kernel or hardened profile.  That's an option.

----------

## FizzyWidget

No, I'm not using either, as I hear hardened comes with its own problems, and seeing as I have only been on Linux full time less than a week, I think I need to get to know how it works and how I work with it before I start down that path. The PCs are wired only, so that leaves the laptop, and I only use wireless on that if I absolutely need to. How would you tell iptables to allow MAC addresses? Would it be in place of IP?

----------

## Bones McCracker

Yes, something like that.

There are tutorials online for how to configure iptables.  You seem to have done a pretty good job figuring it so far, for somebody who's only been using Linux for a week.   :Smile: 

If you have control of the wireless network, and you are using strong security (like WPA2/PSK with a good complex passphrase), then don't worry about it so much (although it seems like each wireless security standard in turn has eventually been cracked).  If you're using your laptop on other people's wireless networks, you want to be more careful.

If you're using it on a public wireless network, then you should be handling that just like it's the open internet.

----------

## FizzyWidget

*BoneKracker wrote:*

> Yes, something like that.
>
> There are tutorials online for how to configure iptables.  You seem to have done a pretty good job figuring it so far, for somebody who's only been using Linux for a week.

I have been testing it out for many months though :Smile: Thought it best to test the water before I jumped in with both feet :Laughing:

*BoneKracker wrote:*

> If you have control of the wireless network, and you are using strong security (like WPA2/PSK with a good complex passphrase), then don't worry about it so much (although it seems like each wireless security standard in turn has eventually been cracked).

Yes, it's mainly my home wireless router; it has WPA2 and a 64-digit random code.

----------

## Bones McCracker

*Dark Foo wrote:*

> *BoneKracker wrote:* Yes, something like that.
>
> There are tutorials online for how to configure iptables.  You seem to have done a pretty good job figuring it so far, for somebody who's only been using Linux for a week.
>
> ...


So why do you have three wireless network interfaces (wlan0, wlan1, and wlan2)?  Do you use three different wireless networking devices?

----------

## FizzyWidget

One comes with the laptop. The other one works some of the time (you have to wiggle it about to get it to work), so I went and got a wireless N USB one to replace it and to match the new wireless N router; unfortunately the drivers for the wireless N one only allow G at the moment, so I'm a bit pissed at that.

It was during the testing phase, so I can remove those entries from iptables; I just haven't got around to it, busy readying the Core i7 PC for the big move :Smile:

----------

## Bones McCracker

You're okay.  Just remember that you're allowing all traffic from that private IP network block.  So if you take your laptop to a cafe or something, you could conceivably expose yourself to connection attempts from people on it there.

I imagine you also know enough to use long, complex passwords that do not include anything which can be found in a dictionary.

----------
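The wireless lockdown Bones McCracker describes earlier (reject by default on the wireless interface, then accept only specific connection types, optionally from specific MAC addresses), the MAC-address rule FizzyWidget asks about, and the cafe scenario from the post just above, combined into one added example. It is not anything posted in the thread; it follows the same `iptables -m state` style as the original script. The interface name, LAN block, the two MAC addresses and the choice of SSH as the only inbound service are assumptions for illustration. `-m mac --mac-source` only sees the MAC of the last hop, which on a wireless link is the sending station, and a MAC is trivial to spoof, so the rule is one more hurdle on top of WPA2, not authentication.

```shell
#!/bin/sh
# Added example: treat the laptop's wireless interface as untrusted.
# Usage:  wlan-rules.sh apply    (needs root; appends to the INPUT chain)
#         wlan-rules.sh show     (print the rules instead of applying them)
# All names and addresses below are hypothetical; set them via the environment.
IPT="${IPT:-iptables}"
WLAN="${WLAN:-wlan0}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"
# Constructed MAC addresses of the two wired desktops allowed to ssh in.
TRUSTED_MACS="${TRUSTED_MACS:-00:11:22:33:44:55 66:77:88:99:aa:bb}"

wlan_rules() {
    # Replies to connections this host started, plus RELATED packets such as
    # ICMP errors (path MTU discovery), for every protocol rather than just
    # TCP and UDP as in the original script.
    "$IPT" -A INPUT -i "$WLAN" -m state --state ESTABLISHED,RELATED -j ACCEPT

    # New inbound sessions: only SSH, and only when the packet comes from the
    # home LAN block AND from one of the listed MACs. A cafe may also hand
    # out 192.168.1.0/24, so unlike the wired rule in the thread the address
    # alone is not trusted here.
    for mac in $TRUSTED_MACS; do
        "$IPT" -A INPUT -i "$WLAN" -p tcp --dport 22 -s "$LAN_NET" \
            -m mac --mac-source "$mac" -m state --state NEW -j ACCEPT
    done

    # Log a rate-limited sample of what gets refused, then drop the rest.
    "$IPT" -A INPUT -i "$WLAN" -m limit --limit 5/min -j LOG --log-prefix "wlan-drop: "
    "$IPT" -A INPUT -i "$WLAN" -j DROP
}

case "${1-}" in
    apply) wlan_rules ;;
    show)  (IPT=echo; wlan_rules) ;;
esac
```

These rules belong before the catch-all `-i wlan0 -j DROP` line of the original script (or replace the commented-out wlan block entirely). Because the rules only ever accept NEW connections on port 22, moving the laptop to a public network does not open Samba, MySQL or X to the people sitting next to you, which is the exposure the post above warns about.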

## FizzyWidget

Yes, I try to use 15 digits or more with upper and lower case, symbols and numbers. You would find the words in a dictionary, but hopefully not the phrases I use them in :Laughing:

----------

