On Tue, 2015-02-03 at 11:57 +1100, Kahlil Hodgson wrote:

> One important group is new users with limited experience and knowledge
> about security. This is an important group to protect.
> It is important for all of us to encourage (and discuss) good security
> practices, as well as discourage (and refute) poor practices.
> Ultimately, this makes our community a safer place.

Perhaps a topic for the Centos Wiki entitled Basic Security on Your New
Machine ?

> The root password is close to, if not actually, our last line of
> defense (SELinux helps us here by the way).

Surely the whole idea is to prevent nasty things getting in. Disable FTP.
Change SSH ports. Restrict access to sensitive parts from known IPs. Run
Logwatch or similar (and amend the reports using /etc/logwatch ...). Read
the logs. Allocate file and directory permissions to users lacking any
log-on ability. There is a lot that can be done.

> Using a one character password is problematic if you are connected to
> the internet, for example, if you are _testing_ the OS and want to run
> updates after the install.

But if one is doing things on an isolated machine unconnected to anything
why the password aggro ? Best never to speculate when attempting to
justify a harsh and arrogant policy of DO WHAT RHEL DEMANDS. I prefer a
clear warning and then let the user make an informed choice. After their
first hacking they will not make a similar mistake again.

> This is problematic since, by default, new installs typically allow
> SSH access and root logins over SSH.

Then block it as part of the installation process and let the user open
what they think they need. Not sure if you are correct about SSH. Root
usually (if I remember correctly) needs to be permitted.

> Yes, firewalls help, but they need to be configured correctly, and
> there are subtle tricks that sophisticated attackers can exploit to
> subvert poorly configured firewalls.

Again another opportunity for a good Centos Wiki article. A basic
firewall setup. Then a series of examples: to achieve this, do that.
Obviously good and clear explanations are needed to enable impeccable
understanding of the firewall logic. Yes help the new users. Perhaps even
a Centos NewUsers list devoid of all the more technical things. It could
cater for single machine users.

> If you really want to do this, I'd suggest running your test system in
> some kind of DMZ to prevent any exploit cascading into the rest of your
> network.

Not really sure what a (USA military) DMZ looks like. Security has always
been my highest priority. "When in doubt, lock 'em out" is my motto.

> It may just be easier to pick a "good" but easy to type root password
> that you use for all your test machines. Also, it's a good idea to make
> sure you always turn off your test machines when not in use, and to
> disable them once you are finished testing (so they can't be
> accidentally turned on in the future).

Unnecessary in my working environment. I write and test virtually every
day, 7 days a week. No machine, test or production, has unrestricted
access to/from the Internet. Unused ports are blocked. Unused
applications are removed or disabled. SSH is allowed from only 3 IPs.
Instant IP blocking for suspicious activity has been a basic component
for the last 3 or 4 years, or longer. It was the first security
enhancement I programmed. To save electricity equipment is turned off
when not in use.

-- 
Regards,

Paul.
England, EU. Je suis Charlie.
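An added example, not code from anyone in the thread: a POSIX shell script that checks whether an sshd_config still permits root login over SSH (the fresh-install default Kahlil mentions) and prints firewalld rules that restrict SSH to a few known source addresses, as Paul describes doing. The sample config text and the IP addresses are constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the thread: audit a fresh install's
# sshd_config for root login over SSH and print firewalld rules that
# restrict SSH to a few known source addresses. Sample config text and
# IP addresses below are constructed for the example.

# Print the effective value of an sshd_config keyword: sshd takes the
# first uncommented match; otherwise print the default given as $3.
sshd_value() {
    awk -v key="$2" -v def="$3" '
        $1 !~ /^#/ && tolower($1) == tolower(key) { print $2; found = 1; exit }
        END { if (!found) print def }' "$1"
}

# Return 0 when root login over SSH is off, 1 when it is still allowed
# (a commented "#PermitRootLogin yes" means the compiled-in default,
# which is "yes" on OpenSSH releases before 7.0).
root_login_disabled() {
    case "$(sshd_value "$1" PermitRootLogin yes)" in
        no) return 0 ;;
        *)  return 1 ;;
    esac
}

# Print firewalld commands that drop the open ssh service and allow
# SSH only from the source addresses given as arguments.
ssh_allow_rules() {
    echo "firewall-cmd --permanent --remove-service=ssh"
    for ip in "$@"; do
        echo "firewall-cmd --permanent --add-rich-rule='rule family=\"ipv4\" source address=\"$ip\" service name=\"ssh\" accept'"
    done
    echo "firewall-cmd --reload"
}

# Constructed sample resembling a fresh install's defaults.
SAMPLE_CFG=$(mktemp)
cat > "$SAMPLE_CFG" <<'EOF'
#PermitRootLogin yes
PasswordAuthentication yes
#Port 22
EOF

if root_login_disabled "$SAMPLE_CFG"; then
    echo "root login over SSH: disabled"
else
    echo "root login over SSH: allowed by default; set 'PermitRootLogin no' and restart sshd"
fi
ssh_allow_rules 192.0.2.10 192.0.2.11 198.51.100.7   # constructed IPs
rm -f "$SAMPLE_CFG"
```

Run it against a real /etc/ssh/sshd_config by passing that path to root_login_disabled; the printed firewall-cmd lines are meant to be reviewed before they are executed.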
On 3 February 2015 at 12:58, Always Learning <centos at u64.u22.net> wrote:

>> If you really want to do this, I'd suggest running your test system in
>> some kind of DMZ to prevent any exploit cascading into the rest of your
>> network.
>
> Not really sure what a (USA military) DMZ looks like. Security has
> always been my highest priority. "When in doubt, lock 'em out" is my
> motto.

A DMZ in this context is a network that has been isolated from the rest
of your local network. You can access it from your local network, it can
access the rest of the world, but it can't access your network. The idea
is that, if a machine in the DMZ is compromised, it can only access other
machines in the DMZ.

Kahlil (Kal) Hodgson                       GPG: C9A02289
Head of Technology                         (m) +61 (0) 4 2573 0382

DealMax Pty Ltd
Suite 1416
401 Docklands Drive
Docklands VIC 3008 Australia

"All parts should go together without forcing. You must remember that
the parts you are reassembling were disassembled by you. Therefore, if
you can't get them together again, there must be a reason. By all means,
do not use a hammer." -- IBM maintenance manual, 1925
On 2/2/2015 6:16 PM, Kahlil Hodgson wrote:

> A DMZ in this context is a network that has been isolated from the
> rest of your local network. You can access it from your local
> network, it can access the rest of the world, but it can't access your
> network. The idea is that, if a machine in the DMZ is compromised, it
> can only access other machines in the DMZ.

It's *very* annoying that the SOHO internet gateway/router market uses
the term "DMZ" for the target of default port forwarding rules, nearly
the exact OPPOSITE of what a proper DMZ is.

-- 
john r pierce                                      37N 122W
somewhere on the middle of the left coast
On Tue, 2015-02-03 at 13:16 +1100, Kahlil Hodgson wrote:

> A DMZ in this context is a network that has been isolated from the
> rest of your local network. You can access it from your local
> network, it can access the rest of the world, but it can't access your
> network. The idea is that, if a machine in the DMZ is compromised, it
> can only access other machines in the DMZ.

Thanks. Now I know. That sort of operation can be done via the router and
by selecting a wifi option on the same router (Asus RT-AC68U). Wifi is
off by default.

-- 
Regards,

Paul.
England, EU. Je suis Charlie.
On 2015-02-03, Always Learning <centos at u64.u22.net> wrote:
>
> Perhaps a topic for the Centos Wiki entitled Basic Security on Your New
> Machine ?

As long as someone qualified is writing and reviewing this wiki page.

--keith

-- 
kkeller at wombat.san-francisco.ca.us
On Mon, 2015-02-02 at 19:03 -0800, Keith Keller wrote:

> On 2015-02-03, Always Learning <centos at u64.u22.net> wrote:
> >
> > Perhaps a topic for the Centos Wiki entitled Basic Security on Your New
> > Machine ?
>
> As long as someone qualified is writing and reviewing this wiki page.

Disagree. One does not have to possess some mythical qualifications, or
any qualification at all, to write a sensible guide. What is required is
knowledge, experience, clarity of thought and expression and a desire and
ability to pass on one's knowledge to others in a very understandable
manner. Peer review is obviously beneficial.

Placing obstacles in the way perhaps explains why this topic may not have
been sufficiently covered by the Centos wiki. Just look at what the
"Qualified" have produced so far on this topic ! Why does one need to be
"qualified" by a third party before one can write a good, concise and
very informative guide ?

I think it better if the peer reviewer/reviewers is/are distinct from the
author(s). Reviewing one's own work is often prone to inadvertently
overlooking one's own mistakes. It can be a collaborative effort.

-- 
Regards,

Paul.
England, EU. Je suis Charlie.
On Mon, Feb 2, 2015 at 7:03 PM, Keith Keller
<kkeller at wombat.san-francisco.ca.us> wrote:

> On 2015-02-03, Always Learning <centos at u64.u22.net> wrote:
>>
>> Perhaps a topic for the Centos Wiki entitled Basic Security on Your New
>> Machine ?
>
> As long as someone qualified is writing and reviewing this wiki page.
>
> --keith

I thought the Open Source base belief on that was that a single specific
expert is insufficient.

Everyone here knows iterative documenting on the CentOS wiki can be done
via http://lists.centos.org/mailman/listinfo/centos-docs

Right?