> Good advice, thanks.

No problem, I have been in this situation myself many times in the past, so I share your pain.

> I've been tempted to set up SELinux over the years. With Debian it's
> just 'bolt-on', as opposed to Fedora where it's built in. I am not going
> to use Fedora because they are going to M$' proprietary boot system, so
> I am staying with Debian for the foreseeable future.

This is news to me! When is Fedora planning to do that - is it with F18? I have been using Fedora since RH6 days and all my machines are Fedora-based.

> If this was a penetration of my machine, I am shocked and astounded,
> with the attention I put in security.

No system is ever 100% secure, no matter what you do. That is why you need proper monitoring tools and have as much control of what is going on as possible. You need proper eyes and ears.

As for SELinux - about 3-4 years ago I was like you - very pessimistic & reluctant, mostly because of the complexity of the setup and the massive learning curve it required (it was a huge leap for me). Now, I have all of my machines running customised/tailored SELinux policies where everything is pretty much locked up. On the net side - every single interface, node, IP address/range is assigned a separate security domain and every single packet that passes through/arrives at any of my machines is allocated a secmark (SECMARK target) - that way, if a rogue app is using (or attempting to use) any sort of a connection/packet, then the SELinux hooks will catch it and I will know about it.

> I am in the process right now of converting all my machines over to XFCE
> (the new default WM for Debian 7), and so am ditching Konqueror,
> KOrganizer, and KMail after 14 years of using them exclusively. KDE4
> has just been busted for too long, and there has been absolutely no
> progress, and it is behind the times. That is enough.

I have a similar dilemma myself - on all but 2 of my desktop Linux machines I have a customised gnome 2.99 (unofficial!) running on F13 base, but I adapted most of the packages from the latest releases (I even have packages that are not yet released by Fedora, at least not officially). The reason being that I absolutely can't stand gnome 3 and all that crap it comes out with - whichever bright spark invented that monstrosity should be shot on sight! I have been planning to move to the newest Fedora and XFCE, but it is a massive undertaking and I need to dedicate at least a month to do it - something I can't afford at present.

> HTTPS Finder - select the https site, whenever possible.
> https://addons.mozilla.org/en-US/firefox/addon/https-finder/

What I'd also do is to wipe out the root certificates store - the one supplied by default with most web browsers/email clients. I'd manually add only those certificates I trust!

> Session Manager, to restore old sessions.
> http://www.makeuseof.com/tag/firefoxs-session-manager/
> AdBlock Edge - Does not update automatically or phones home
> https://addons.mozilla.org/en-US/firefox/addon/adblock-edge/
> Element Hiding Helper - for those pesky text ads
> https://addons.mozilla.org/en-US/firefox/addon/elemhidehelper/

Privoxy is much better than any of these. It is a massive undertaking to configure it at first, but once it is done, you hardly touch it and it does the job brilliantly.

> The only ways he could have possibly penetrated my machine are:
> - Java or Javascript in Konqueror
> - Vuln in Flash or PDF

It is these 2 above you should be worried about. That, and rogue plugins/extensions installed.

> The port 3333 attempts came in repeated waves Sunday and Monday, but
> have stopped now. It's enough though to make me very concerned. I must
> wipe the affected system, and be concerned about the others. And
> seriously consider SELinux. I need to learn it sooner or later.

Learning SELinux is no easy task, though once you've done it the reward you get is well worth it. As I pointed out above, I've (re-)written more or less everything from the "standard" policy supplied with Fedora as it was 1. too broad (it had massive security holes); and 2. did not suit my specific needs. Policy writing to me now is like writing a bash script or a C program - a doddle!

> I tried Tor for a while, but it is terribly slow, at least here in the
> Pacific Northwest. I wanted to set myself up as a Node, but I have vuln
> questions that I tried and tried to get answered but was ignored. It is
> just too slow for normal use, not even considering the lightning action
> I get now with Squid.

That was about 2 years ago - Tor now is very fast and comparable to a normal connection, but mileage does vary.

> I have Squid set up on my HTPC, listening to localhost only. Then on my
> other machines I set up a reverse SSH tunnel to the HTPC, to make the
> daemon show up on them as localhost:3128. So when my laptop browser
> (for example) asks for a webpage, it reaches into its own bellybutton
> and comes out with the proxy service on the remote machine, through the
> SSH tunnel. All browser accesses for the LAN are made through
> 192.168.11.4, which is spoofing its address in headers as 192.168.1.2.
> (which has nothing to do with my LAN, for reasons of my own)
>
> I tried setting it up as the system proxy on each, but many things broke
> and I don't have time to bit-twiddle. Just have browser proxies set up
> manually.

You can set up the proxies via a separate file or a URL - this is how I've done it. I also use proxy authentication so that not everyone is allowed to access it. The proxy authentication is with client certificates as well (no user IDs/password input is allowed), so there is usually no input on the client side at all - it is all pre-configured.
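The "separate file or a URL" way of pointing browsers at the tunnelled Squid, as an added example that is not from anyone in this thread: a proxy auto-config (PAC) file the browser loads from a path or URL and consults per request. It assumes Squid is reached on 127.0.0.1:3128 through the SSH tunnel (as in the thread) and that private RFC 1918 addresses and dot-less hostnames are LAN devices; the helper names are my own.

```javascript
// Proxy auto-config (PAC) file: the browser calls FindProxyForURL(url, host)
// for every request. Assumes the Squid daemon is reachable on 127.0.0.1:3128
// via the SSH tunnel described in the thread.
var PROXY = "PROXY 127.0.0.1:3128";

// Private ranges (RFC 1918 + loopback) that are reached directly, not proxied.
var LOCAL_NETS = ["127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"];

// Dotted-quad text to a 32-bit number; -1 if the string is not an IPv4 literal.
function ipToInt(s) {
  var m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(s);
  if (!m) return -1;
  var n = 0;
  for (var i = 1; i <= 4; i++) {
    var octet = parseInt(m[i], 10);
    if (octet > 255) return -1;
    n = n * 256 + octet;
  }
  return n;
}

// Own CIDR test (the PAC built-in isInNet() needs DNS and a netmask form).
function inCidr(ip, cidr) {
  var parts = cidr.split("/");
  var net = ipToInt(parts[0]), bits = parseInt(parts[1], 10);
  var n = ipToInt(ip);
  if (net < 0 || n < 0 || bits < 0 || bits > 32) return false;
  // Floor division instead of shifts: JS bit ops are signed 32-bit.
  var size = Math.pow(2, 32 - bits);
  return Math.floor(n / size) === Math.floor(net / size);
}

function FindProxyForURL(url, host) {
  // Dot-less hostnames and .local names are LAN boxes: go direct.
  if (host.indexOf(".") === -1 || /\.local$/i.test(host)) return "DIRECT";
  // IP literals inside a private range go direct as well.
  if (ipToInt(host) >= 0) {
    for (var i = 0; i < LOCAL_NETS.length; i++) {
      if (inCidr(host, LOCAL_NETS[i])) return "DIRECT";
    }
  }
  // Deliberately no "; DIRECT" fallback: if the tunnel is down the request
  // fails instead of silently leaving the machine unproxied.
  return PROXY;
}
```

The missing fallback is the point worth keeping: when the proxy is what does your filtering and authentication, a dead tunnel should produce an error, not an unfiltered direct connection.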
_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
