
Ask HN: I finally ditched Windows for Ubuntu - How do I keep things secure? - wikiburner
I'm a Python programmer who finally got fed up enough with Windows to take the plunge.

The thing is I'm totally new to Linux, and am pretty paranoid about security (former Win user, remember.) I really feel like I'm flying blind here.

I know the standard, glib line is that you don't have to worry about security once you leave Microsoft, but I have a hard time accepting that. It seems like I should be installing Anti-virus, anti-malware, and firewall software.

Does anyone know of any basic intros to Linux/Ubuntu security, or have any tips?

Thanks in advance.
======
lifeisstillgood
This is a pretty good question - mostly because the heart of good security,
good airline safety and good surgery is a checklist.

And I don't think I have a checklist that's up to date, even the one in my head.

ShowHN: using HN as my personal todo list cos I actually look at my threads
list daily...

<https://grepular.com/Protecting_a_Laptop_from_Simple_and_Sophisticated_Attacks>

<https://help.ubuntu.com/community/Security>

<https://news.ycombinator.com/item?id=4018426>

<http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/firewalls.html>

<http://www.freebsd.org/doc/handbook/security.html>

That site on secondary GPG keys I keep failing to find

------
proto
Linux is, unfortunately, just as vulnerable to cross-site scripting and other
browser-based attacks. The browser is also the biggest vector for Windows, and
Linux has no better immunity, unfortunately.

I would recommend using NoScript or an equivalent plugin for your browser.

In my opinion, Windows' biggest security flaw is teaching users to install
software via the browser. But for non-open-source software ecosystems, it's
quite difficult to create a white-list of safe programs.

My second recommendation is to, as much as possible, only use software from
your repository.

In regards to the other recommendations about firewalls, while definitely not
bad advice, if you are behind a NAT router, and on a small, trusted LAN, I
wouldn't worry too much about it personally.

------
jerrac
<https://help.ubuntu.com/community/Security>

------
GaryGapinski
Start with (as root)

    apt-get install openssh-server
    apt-get install fail2ban
    ufw allow OpenSSH
    ufw enable

I use the following suffix to the /etc/ssh/sshd_config file:

    …
    72	#
    73	# local tweaks
    74	#
    75	Protocol 2
    76	PermitRootLogin no
    77	Banner /etc/ssh/banner
    78	UseDNS yes
    79	MaxStartups 1
    80	LoginGraceTime 15
    81	PubkeyAuthentication yes
    82	PasswordAuthentication no
    83	ChallengeResponseAuthentication no
    84	X11Forwarding yes
    85	AllowTcpForwarding yes
    86	DebianBanner no
    87	Match Address 192.168.0.0/24,127.0.0.1,192.168.1.0/24
    88	PasswordAuthentication yes

Line 82 should be commented out until you have generated an SSH key pair and
placed the public key in ~/.ssh/authorized_keys, as it prevents logins using
just a password. Lines 87-88 remove this restriction for local nets. Line 77
references a banner that you can provide which is presented upon SSH
connection.

fail2ban with its default configuration will essentially just block
objectionable SSH traffic. If you decide to extend it, create a
/etc/fail2ban/jail.local file to supplement the default
/etc/fail2ban/jail.conf file (the former augments the latter).

As others have mentioned, there are a number of resources available. Do not
take all suggestions blindly: some are of questionable efficacy and
complexity.

ufw will allow precise tuning of iptables. Watch /var/log/ufw.log for entries
indicating traffic being dropped, either appropriately or not. Once more
services are added (and secured), introduce related rules into ufw one by one.
If your system is exposed to the general Internet, be particularly careful
with such services' configurations.

The above minimal ufw commands will prevent many commonly used network
services on the local network, such as CIFS. Some packages install custom ufw
application definitions which can be listed with the ufw app list command
(e.g., Postfix, Apache). Such applications usually open the services to all,
as opposed to just the local network.
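A small checker for the sshd_config pattern in this comment (global `PasswordAuthentication no`, re-enabled by a `Match Address` block for local nets), added here as an example and not code from the comment author. It parses a constructed config, reports where password auth or root login is still allowed, and answers whether a given client address would be offered password auth; it evaluates only the `Address` Match criterion and treats any other criteria as non-matching, which is an assumption of this example.

```python
from ipaddress import ip_address, ip_network

# Constructed sample mirroring the comment's sshd_config suffix (not read from disk).
SAMPLE_SSHD_CONFIG = """\
Protocol 2
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
Match Address 192.168.0.0/24,127.0.0.1,192.168.1.0/24
    PasswordAuthentication yes
"""

def parse_sshd_config(text):
    """Return (global_opts, [(match_criteria, opts), ...]) with lower-cased keys.
    The first occurrence of a keyword wins, as in sshd itself."""
    global_opts, matches, current = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and whitespace
        if not line:
            continue
        key, _, value = line.partition(" ")
        key = key.lower()
        if key == "match":                     # start of a Match block
            current = {}
            matches.append((value.strip(), current))
            continue
        target = current if current is not None else global_opts
        target.setdefault(key, value.strip())
    return global_opts, matches

def audit_sshd_config(text):
    """List findings for settings the comment's hardening suffix is meant to remove."""
    global_opts, matches = parse_sshd_config(text)
    findings = []
    # sshd defaults are PermitRootLogin yes (older releases) and PasswordAuthentication yes.
    if global_opts.get("permitrootlogin", "yes").lower() != "no":
        findings.append("root login permitted")
    if global_opts.get("passwordauthentication", "yes").lower() == "yes":
        findings.append("password authentication enabled globally")
    for criteria, opts in matches:             # e.g. the local-net exception (lines 87-88)
        if opts.get("passwordauthentication", "").lower() == "yes":
            findings.append(f"password authentication enabled for Match {criteria}")
    return findings

def password_auth_allowed_from(text, client_ip):
    """True if a client at client_ip could be offered password authentication.
    Assumption: only a single 'Address' criterion is evaluated; first matching block wins."""
    global_opts, matches = parse_sshd_config(text)
    ip = ip_address(client_ip)
    for criteria, opts in matches:
        crit = criteria.split()
        if "passwordauthentication" in opts and len(crit) == 2 and crit[0].lower() == "address":
            nets = [ip_network(a, strict=False) for a in crit[1].split(",")]
            if any(ip in n for n in nets):
                return opts["passwordauthentication"].lower() == "yes"
    return global_opts.get("passwordauthentication", "yes").lower() == "yes"
```

Running `audit_sshd_config` on a real file (`open("/etc/ssh/sshd_config").read()`) is the quick check that line 82 is in force everywhere except the local nets you intended.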

------
notaddicted
I am not sophisticated enough to critically assess these documents, but here
are two sources:

For a basic overview of Linux security: Red Hat Enterprise Linux 6 Security
Guide

<https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/>

Here is a blog post by someone who is protecting his laptop, for each security
measure he says what and why:

<https://grepular.com/Protecting_a_Laptop_from_Simple_and_Sophisticated_Attacks>

HN Discussion:

<https://news.ycombinator.com/item?id=4018426>

------
bdunbar
My 02 cents, you need to worry about security, but it's more like wearing
seatbelts on a sunny day. The odds you'll need them are remote, as long as you
exercise care and diligence.

When you're running an MS system, I guess the analogy would be you're driving
in a demolition derby. It's not 'if' you'll get hit but when ...

- Turn services off you don't need or use.

- Delete services you will never use.

- Firewall with iptables.

- Setup SSH to disallow login for root. Or turn SSH off if you won't log
into it from another host. You can always _start_ SSH again if you need it.

------
t0
Iptables to block most ports. In general you don't have anything to worry
about. Malware makers simply aren't targeting linux.

~~~
Glyptodon
Ubuntu also has an 'easy' tool called UFW (uncomplicated firewall?) to
configure basic firewall rules and such. It's probably a lot easier to use
than Iptables if you just want to make some basic rules.

Unless you're hosting an SSH server or something I don't think there's much to
do out of the box for desktop Ubuntu.

------
sherril8
I found this article to be of some help:
<http://www.andrewault.net/2010/05/17/securing-an-ubuntu-server/>

To start, you will just need to set up IPTables and Fail2Ban.

~~~
caw
That sort of stuff is really only necessary if on your home network you're
doing port passthroughs or if this machine is directly connected to the
internet with a public IP. For most users behind a router, you don't really
need fail2ban and iptables.

~~~
pasbesoin
Caveat: I haven't read the article linked in the GP, yet. (I will.) But the
comments here immediately elicit this thought:

How many users have a laptop that they are connecting to one or another
undefined (to them) form of "public" wifi? (And/or to someone else's internal
network that may be compromised.)

