Ever since I've moved into residence at University, I've been receiving attack after attack after attack on my system.
Good thing I'm running a firewall, Linux, and I'm not afraid of reading a bit.
This guide is going to point out some safe computing practices for everyone to read. Some methods will be relatively easy to implement, while others will require a new installation and then some. I myself am not a security expert, nor am I claiming to be one; I am simply trying to put my limited knowledge regarding computers online so everyone will be a little better off. (With exception to hackers and script kiddies.) This guide will primarily be focused towards users with moderate computing experience, although some information will be quite complex so the gurus out there shouldn't just over look the guide! Corporate network administrators will find that this guide is inadequate. I assume users with physical access to the system are trusted!
I openly welcome any suggestions and/or opinions held by readers of this guide. Please don't hesitate to point out any errors or omissions I have made!
You may say to yourself, " I've never had a firewall or antivirus all my life. Why bother now? " The simple response to this is : for your sake and everyone else's sake.
Although you may not notice it, someone could be stealing your personal information while you are using the system. It is quite easy to compromise a system that is not properly maintained, especially a Windows system. Besides all the obvious problems associated with identity theft and $5000 credit card bills, your computer could be host to a trojan or worm. If this is the case, your computer would be known as a "zombie". Zombie systems are used in Denial of Service attacks or DOS attacks. These attacks slow down the internet in general and create large amounts of waste traffic. We would all be better off without them. What is the easiest way to prevent these attacks? Protect your system and avoid turning into a zombie! =o
So lets get started shall we?
Here's the basic chapter run down.
1. Updates [0]
2. Firewalls [1]
3. Anti-virus [1]
4. Applications [3]
5. User-Policy [2]
6. Operating System [4]
7. Common sense [0]
8. Appendix: Crazy network stuff for people with too much free time (me) [5]
The numbers in parenthesis beside each chapter represents the amount of time/knowledge required to implement each change. [0] is very easy and quick, while [5] is extremely difficult, needs a large amount of technical knowledge, and several days worth of time.
Now that we've defined what we're going to talk about, lets start.
1. Updates
This is probably the most basic thing any computer expert or knowledgeable user will tell you. Over time, exploits to existing computer programs are discovered and exploited. These vulnerabilities can allow a attacker to do anything from crashing your system to taking over the system itself. The only way against these exploits is to update your software and repair the vulnerabilities as soon as they are discovered. In Windows, updates are automatically administered through Windows Update. However, you must be sure to activate Windows Update for it to work. The same goes for Linux flavour OSes. Ubuntu and Fedora both have notifications of available updates. Use them and always update when possible.
On a side note, this is a good reason to get a legitimate copy of Windows XP and Vista. You can't get select updates without having a valid license key. This is a major security concern. If you can't afford Windows, or want to stick it to the man, then get Linux. Ubuntu is a simple installation to use. There's a guide in the OS forum.
Updates are simple and straight-forward. Stop reading now if you don't plan on regularly updating your system. A house of straw is useless.
2. Firewalls
A firewall is a program which monitors and restricts/allows Internet traffic passing through it. There are two types: software and hardware.
Software firewalls are relatively useful, although they are easily compromised if the system they are installed on is not properly maintained. If you want to learn more about the different ways a software firewall can be breeched, read this article from SecurityFocus.
Hardware firewalls are less easily breeched, although they can also be useless if the systems they are protecting are compromised. They are usually implemented through a router or network gateway.
Firewall policies are the most important aspect of a firewall. There are two types of policies: outbound and inbound. Outbound policies are ones that deal with traffic leaving your internal network or computer and are going towards the Internet. Inbound policies are the opposite, they deal with incoming traffic. Firewalls differentiate between traffic based on what port they travel on, and where they come from/are going to. Incoming policies should generally be restrict all, unless you have a service which needs to detect incoming connections (i.e. you're running a server). Outbound policies should generally allow all traffic though. If not, you'll risk breaking something. Although, if you are very tight on security, it may be beneficial to restrict all outbound traffic except the traffic you know should be there. It may take more trouble, but it is somewhat more secure. Firewalls are more of a preventative measure, they work well if your system is uncompromised.
For Windows, several software firewalls out there are ZoneAlarm, Norton Internet Security, etc. I am not too familiar with Windows firewalls, but a simple Google should turn up results.
In Linux, there are a few firewalls, but they all do the same thing. IPtables are implemented by default into the Linux kernel. These are very robust and I find them quite secure. You can get a graphical user interface (GUI) front-end to manipulate the IPtables. One such GUI front-end is Firestarter.
3. Antivirus
Antivirus is more of a cure than a prevention. They are only useful once you have obtained a virus or worm. One can only hope one detects the virus before they run it. You should keep this updated as well, and always be wary of what you run.
These are general knowledge, and information is readily available on the internet. If you run Linux, there isn't really a need for virus scan. Viruses don't exist on Linux, although worms do.
4. Applications
In order for your system to be compromised, there must be some way for a hacker to get onto your system. This can be accomplished in several ways. You can either open a virus or a malicious program, which would result in a breech, OR, a misconfigured application and lack of a firewall could allow a hacker to remotely connect to your system. The first possibility is usually taken care of with software updates and antivirus. It is mostly common sense. The second possibility is a bit more complicated.
In order to access your system, a hacker must have open access to a port (no/misconfigured firewall) and there must be a service listening on that port (misconfigured application/service). For this reason, it is best to shut down any unnecessary applications and services. Especially if they access the internet.
In windows, typing "netstat" at command line (run -> type "cmd") will display any services or applications that have network connections. If you play around with the options of netstat, you will also see any applications that are listening on ports. It is good practice to close any that are unnecessary.
In Linux, depending on your build, you can find network services by typing "netstat" in console. In Ubuntu, the option to display network services is "netstat -vat". As with Windows, it is good practice to close any unnecessary services.
5. User-Policy
The default policy in Windows XP is to create a user account with administrative privileges. This is a bad idea. A user with administrative privileges is able to make system wide changes. If this user accidentally runs a malicious program, the entire system could be infected. Instead, a better policy is to create two user accounts. One with limited user privileges and one with administrative privileges. When using the system for everyday purposes, use the limited user account, and when installing a file or making system wide changes, switch to the Administrative account. This is default policy in Linux or any other Unix variant.
In Windows, switching users can be done through the 'Run As' command. Use Shift + Right click on the icon to access the Run As command.
In Linux, the Run As command is known as "Sudo".
Note that in Windows Vista, the default policy is much more like that of Linux's.
6. Operating Systems
Linux is a more secure OS than Windows.
Now before all you Microsoft fans out there go crazy, and yell "burn him at the stake!", hear me out.
There are several reasons why I hold this opinion:
1. Linux's architecture is open source. Any bugs are quickly found and fixed. If you don't think it's been fixed fast enough, you can probably fix it yourself.
2. Linux is a Unix variant. They descended from servers, which, by nature, are more secure because of their corporate background. This is reflected in the Administrative User policy demonstrated in the previous section.
3. Linux is not as widely adopted as Windows. While this may seem like a pro for Windows, it is a double edged sword. Since, a lot more people use Windows, exploiting Windows vulnerabilities are also much more fruitful (you can infect more systems). As a result, the incentives to exploit Windows systems are much greater. As my proof, there has been a study performed by various security researchers around the world. Windows networks and Linux networks were setup and the amount of time needed to compromise each network was measured. The Windows network lifespans were measured in hours, while Linux lifespans were measured in months. (I'll add my source at another date).
7. Common Sense
This one's simple. Don't open what you don't trust. If you have no choice, scan with multiple virus scanners. The Jotti virus scanner works well. Choose strong passwords (capital and lowercase letters and numbers. NO DICITIONARY WORDS!), and make sure you don't choose the same password for everything. If necessary, use a password manager. If you're at home, use a pad of paper, and lock it safely in a drawer.
Appendix
8. The Crazy Stuff
Ok, here we go.
Assuming you've taken all the steps above, protected your system and now what? Well now you've got to monitor your system for any compromises! Yeah, we've all got antivirus and firewalls, but what if the hacker uses a new exploit, gets onto your system and loads a virus that the definitions don't include yet? Well, then you're in alot of trouble.
First, there is no way to completely clean a compromised system. If the hacker gets root access in Linux, or administrative access in XP (relatively easy), then pull out the backups, and rebuild.
But that leads us back to our original question. How do you know you've been compromised in the first place? You could check your system logs.
Checking system logs regularly is always a good idea. However, the first thing a hacker wants is stealth. He/she will most likely modify the system logs to remove all traces of their attack. In Linux, replacing the standard syslogd with syslog-ng adds an extra level of security. You will be aware of any changes made to the log.
Another way is to monitor your network activity.
If you have random ports opening up everywhere, then something's wrong. However, what if the hacker connects to your system, and decides to put all his traffic though port 80 or IRC? The firewall won't help you there. Then in that case, you should run a honeypot.
The following method assumes you are on a network, either home or corporate.
You can install a program on your network to accept connections and monitor the traffic being transmitted to them. These programs are known as honeypots. There's information regarding these over in Wiki. Long story short, these programs are designed to mimic a system and its vulnerabilities. They fool a hacker into thinking that it is a real system. When the hacker tries to compromise the system, their IP and actions are recorded.
There are two types of honeypots, high interaction and low interaction. High interaction honeypots are physical networks of systems all with the honeypot client installed. They are generally deployed by companies with large resources. It is therefore, irrelevant to this guide. However, note that the study performed which documented the advantages of Linux over Windows in terms of security used many networks of high interaction honeypots.
Low interaction honeypots are designed as patches to existing operating systems. They will mimic well known vulnerabilities in a hope to fool a hacker into connecting to it. Because the IP is known to be a honeypot by the owner, any traffic to or from the honeypot is going to be malicious.
In Linux, several low interaction honeypots exist. Honeyd and Nepenthes are some that come to mind. Although you can run these honeypots on an existing, regularly used system, it is not advisable. Honeypots open up ports, and although they should be able to safely capture information regarding an attack, it is not guaranteed. Therefore, the data on the honeypot should be expendable.
If you can't find an old machine to deploy a honeypot on, there are other ways.
One is through VMware. The process of loading a Debian based flavour of Linux and then compiling the Nepenthes honeypot is relatively easy. This virtual machine can then run and collect information regarding the health of your network.
If you're on a Windows system, then you're out of luck. Unless you can compile the Nepenthes source yourself, it won't work.
Low interaction honeypots only protect against automated malware and viruses. Any competant hacker will be able to detect the nepenthes process running with a simple 'ps' command because the module is not hidden.
If you're worried that a hacker has attacked your system though a non-automated process, then you should look into high-interaction honeypots. However, this is extremely difficult, and it's just easier to rebuild your system every now and then. Also, have a set of tools ready on a CD or any other read-only media to be able to check all your processes and the such. Even with all these precautions, you have a very slim chance of catching the attack if it has occurred a long time ago.
Well, anyways most of these practices are unnecessary for the average user and are most likely much too time consuming for the regular everyday user. However, if you guys need something to do over the summer break and you can't find a job, this is a good place to start =D.
8.a Links
Well, here's some extra reading material in case you guys want to learn about all the security stuff. Plus I really skimped on some of the details in the Crazy Stuff appendix.
SecurityFocus
Linux Security Guide (Kind of old, still referring to kernel 2.2)
Hall of SHAME! (Programs that cannot run in limited user mode. SHAME!)
List of ports and their functions
Information Systems Security Association (Lots of info on taking courses to become certified, etc.)
Good thing I'm running a firewall, Linux, and I'm not afraid of reading a bit.
This guide is going to point out some safe computing practices for everyone to read. Some methods will be relatively easy to implement, while others will require a new installation and then some. I myself am not a security expert, nor am I claiming to be one; I am simply trying to put my limited knowledge regarding computers online so everyone will be a little better off. (With exception to hackers and script kiddies.) This guide will primarily be focused towards users with moderate computing experience, although some information will be quite complex so the gurus out there shouldn't just over look the guide! Corporate network administrators will find that this guide is inadequate. I assume users with physical access to the system are trusted!
I openly welcome any suggestions and/or opinions held by readers of this guide. Please don't hesitate to point out any errors or omissions I have made!
You may say to yourself, " I've never had a firewall or antivirus all my life. Why bother now? " The simple response to this is : for your sake and everyone else's sake.
Although you may not notice it, someone could be stealing your personal information while you are using the system. It is quite easy to compromise a system that is not properly maintained, especially a Windows system. Besides all the obvious problems associated with identity theft and $5000 credit card bills, your computer could be host to a trojan or worm. If this is the case, your computer would be known as a "zombie". Zombie systems are used in Denial of Service attacks or DOS attacks. These attacks slow down the internet in general and create large amounts of waste traffic. We would all be better off without them. What is the easiest way to prevent these attacks? Protect your system and avoid turning into a zombie! =o
So lets get started shall we?
Here's the basic chapter run down.
1. Updates [0]
2. Firewalls [1]
3. Anti-virus [1]
4. Applications [3]
5. User-Policy [2]
6. Operating System [4]
7. Common sense [0]
8. Appendix: Crazy network stuff for people with too much free time (me) [5]
The numbers in parenthesis beside each chapter represents the amount of time/knowledge required to implement each change. [0] is very easy and quick, while [5] is extremely difficult, needs a large amount of technical knowledge, and several days worth of time.
Now that we've defined what we're going to talk about, lets start.
1. Updates
This is probably the most basic thing any computer expert or knowledgeable user will tell you. Over time, exploits to existing computer programs are discovered and exploited. These vulnerabilities can allow a attacker to do anything from crashing your system to taking over the system itself. The only way against these exploits is to update your software and repair the vulnerabilities as soon as they are discovered. In Windows, updates are automatically administered through Windows Update. However, you must be sure to activate Windows Update for it to work. The same goes for Linux flavour OSes. Ubuntu and Fedora both have notifications of available updates. Use them and always update when possible.
On a side note, this is a good reason to get a legitimate copy of Windows XP and Vista. You can't get select updates without having a valid license key. This is a major security concern. If you can't afford Windows, or want to stick it to the man, then get Linux. Ubuntu is a simple installation to use. There's a guide in the OS forum.
Updates are simple and straight-forward. Stop reading now if you don't plan on regularly updating your system. A house of straw is useless.
2. Firewalls
A firewall is a program which monitors and restricts/allows Internet traffic passing through it. There are two types: software and hardware.
Software firewalls are relatively useful, although they are easily compromised if the system they are installed on is not properly maintained. If you want to learn more about the different ways a software firewall can be breeched, read this article from SecurityFocus.
Hardware firewalls are less easily breeched, although they can also be useless if the systems they are protecting are compromised. They are usually implemented through a router or network gateway.
Firewall policies are the most important aspect of a firewall. There are two types of policies: outbound and inbound. Outbound policies are ones that deal with traffic leaving your internal network or computer and are going towards the Internet. Inbound policies are the opposite, they deal with incoming traffic. Firewalls differentiate between traffic based on what port they travel on, and where they come from/are going to. Incoming policies should generally be restrict all, unless you have a service which needs to detect incoming connections (i.e. you're running a server). Outbound policies should generally allow all traffic though. If not, you'll risk breaking something. Although, if you are very tight on security, it may be beneficial to restrict all outbound traffic except the traffic you know should be there. It may take more trouble, but it is somewhat more secure. Firewalls are more of a preventative measure, they work well if your system is uncompromised.
For Windows, several software firewalls out there are ZoneAlarm, Norton Internet Security, etc. I am not too familiar with Windows firewalls, but a simple Google should turn up results.
In Linux, there are a few firewalls, but they all do the same thing. IPtables are implemented by default into the Linux kernel. These are very robust and I find them quite secure. You can get a graphical user interface (GUI) front-end to manipulate the IPtables. One such GUI front-end is Firestarter.
3. Antivirus
Antivirus is more of a cure than a prevention. They are only useful once you have obtained a virus or worm. One can only hope one detects the virus before they run it. You should keep this updated as well, and always be wary of what you run.
These are general knowledge, and information is readily available on the internet. If you run Linux, there isn't really a need for virus scan. Viruses don't exist on Linux, although worms do.
4. Applications
In order for your system to be compromised, there must be some way for a hacker to get onto your system. This can be accomplished in several ways. You can either open a virus or a malicious program, which would result in a breech, OR, a misconfigured application and lack of a firewall could allow a hacker to remotely connect to your system. The first possibility is usually taken care of with software updates and antivirus. It is mostly common sense. The second possibility is a bit more complicated.
In order to access your system, a hacker must have open access to a port (no/misconfigured firewall) and there must be a service listening on that port (misconfigured application/service). For this reason, it is best to shut down any unnecessary applications and services. Especially if they access the internet.
In windows, typing "netstat" at command line (run -> type "cmd") will display any services or applications that have network connections. If you play around with the options of netstat, you will also see any applications that are listening on ports. It is good practice to close any that are unnecessary.
In Linux, depending on your build, you can find network services by typing "netstat" in console. In Ubuntu, the option to display network services is "netstat -vat". As with Windows, it is good practice to close any unnecessary services.
5. User-Policy
The default policy in Windows XP is to create a user account with administrative privileges. This is a bad idea. A user with administrative privileges is able to make system wide changes. If this user accidentally runs a malicious program, the entire system could be infected. Instead, a better policy is to create two user accounts. One with limited user privileges and one with administrative privileges. When using the system for everyday purposes, use the limited user account, and when installing a file or making system wide changes, switch to the Administrative account. This is default policy in Linux or any other Unix variant.
In Windows, switching users can be done through the 'Run As' command. Use Shift + Right click on the icon to access the Run As command.
In Linux, the Run As command is known as "Sudo".
Note that in Windows Vista, the default policy is much more like that of Linux's.
6. Operating Systems
Linux is a more secure OS than Windows.
Now before all you Microsoft fans out there go crazy, and yell "burn him at the stake!", hear me out.
There are several reasons why I hold this opinion:
1. Linux's architecture is open source. Any bugs are quickly found and fixed. If you don't think it's been fixed fast enough, you can probably fix it yourself.
2. Linux is a Unix variant. They descended from servers, which, by nature, are more secure because of their corporate background. This is reflected in the Administrative User policy demonstrated in the previous section.
3. Linux is not as widely adopted as Windows. While this may seem like a pro for Windows, it is a double edged sword. Since, a lot more people use Windows, exploiting Windows vulnerabilities are also much more fruitful (you can infect more systems). As a result, the incentives to exploit Windows systems are much greater. As my proof, there has been a study performed by various security researchers around the world. Windows networks and Linux networks were setup and the amount of time needed to compromise each network was measured. The Windows network lifespans were measured in hours, while Linux lifespans were measured in months. (I'll add my source at another date).
7. Common Sense
This one's simple. Don't open what you don't trust. If you have no choice, scan with multiple virus scanners. The Jotti virus scanner works well. Choose strong passwords (capital and lowercase letters and numbers. NO DICITIONARY WORDS!), and make sure you don't choose the same password for everything. If necessary, use a password manager. If you're at home, use a pad of paper, and lock it safely in a drawer.
Appendix
8. The Crazy Stuff
Ok, here we go.
Assuming you've taken all the steps above, protected your system and now what? Well now you've got to monitor your system for any compromises! Yeah, we've all got antivirus and firewalls, but what if the hacker uses a new exploit, gets onto your system and loads a virus that the definitions don't include yet? Well, then you're in alot of trouble.
First, there is no way to completely clean a compromised system. If the hacker gets root access in Linux, or administrative access in XP (relatively easy), then pull out the backups, and rebuild.
But that leads us back to our original question. How do you know you've been compromised in the first place? You could check your system logs.
Checking system logs regularly is always a good idea. However, the first thing a hacker wants is stealth. He/she will most likely modify the system logs to remove all traces of their attack. In Linux, replacing the standard syslogd with syslog-ng adds an extra level of security. You will be aware of any changes made to the log.
Another way is to monitor your network activity.
If you have random ports opening up everywhere, then something's wrong. However, what if the hacker connects to your system, and decides to put all his traffic though port 80 or IRC? The firewall won't help you there. Then in that case, you should run a honeypot.
The following method assumes you are on a network, either home or corporate.
You can install a program on your network to accept connections and monitor the traffic being transmitted to them. These programs are known as honeypots. There's information regarding these over in Wiki. Long story short, these programs are designed to mimic a system and its vulnerabilities. They fool a hacker into thinking that it is a real system. When the hacker tries to compromise the system, their IP and actions are recorded.
There are two types of honeypots, high interaction and low interaction. High interaction honeypots are physical networks of systems all with the honeypot client installed. They are generally deployed by companies with large resources. It is therefore, irrelevant to this guide. However, note that the study performed which documented the advantages of Linux over Windows in terms of security used many networks of high interaction honeypots.
Low interaction honeypots are designed as patches to existing operating systems. They will mimic well known vulnerabilities in a hope to fool a hacker into connecting to it. Because the IP is known to be a honeypot by the owner, any traffic to or from the honeypot is going to be malicious.
In Linux, several low interaction honeypots exist. Honeyd and Nepenthes are some that come to mind. Although you can run these honeypots on an existing, regularly used system, it is not advisable. Honeypots open up ports, and although they should be able to safely capture information regarding an attack, it is not guaranteed. Therefore, the data on the honeypot should be expendable.
If you can't find an old machine to deploy a honeypot on, there are other ways.
One is through VMware. The process of loading a Debian based flavour of Linux and then compiling the Nepenthes honeypot is relatively easy. This virtual machine can then run and collect information regarding the health of your network.
If you're on a Windows system, then you're out of luck. Unless you can compile the Nepenthes source yourself, it won't work.
Low interaction honeypots only protect against automated malware and viruses. Any competant hacker will be able to detect the nepenthes process running with a simple 'ps' command because the module is not hidden.
If you're worried that a hacker has attacked your system though a non-automated process, then you should look into high-interaction honeypots. However, this is extremely difficult, and it's just easier to rebuild your system every now and then. Also, have a set of tools ready on a CD or any other read-only media to be able to check all your processes and the such. Even with all these precautions, you have a very slim chance of catching the attack if it has occurred a long time ago.
Well, anyways most of these practices are unnecessary for the average user and are most likely much too time consuming for the regular everyday user. However, if you guys need something to do over the summer break and you can't find a job, this is a good place to start =D.
8.a Links
Well, here's some extra reading material in case you guys want to learn about all the security stuff. Plus I really skimped on some of the details in the Crazy Stuff appendix.
SecurityFocus
Linux Security Guide (Kind of old, still referring to kernel 2.2)
Hall of SHAME! (Programs that cannot run in limited user mode. SHAME!)
List of ports and their functions
Information Systems Security Association (Lots of info on taking courses to become certified, etc.)
Facebook
Twitter