I'm a Python programmer who finally got fed up enough with Windows to take the plunge.

The thing is I'm totally new to Linux, and am pretty paranoid about security (former Win user, remember). I really feel like I'm flying blind here.

I know the standard, glib line is that you don't have to worry about security once you leave Microsoft, but I have a hard time accepting that. It seems like I should be installing anti-virus, anti-malware, and firewall software.

Does anyone know of any basic intros to Linux/Ubuntu security, or have any tips?

Thanks in advance.
This is a pretty good question - mostly because the heart of good security, good airline safety and good surgery is a checklist.

And I don't think I have a checklist that's up to date, even the one in my head.

ShowHN: using HN as my personal to-do list cos I actually look at my threads list daily...

https://grepular.com/Protecting_a_Laptop_from_Simple_and_Sophisticated_Attacks

https://help.ubuntu.com/community/Security

https://news.ycombinator.com/item?id=4018426

http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/firewalls.html

http://www.freebsd.org/doc/handbook/security.html

That site on secondary GPG keys I keep failing to find
Linux is, unfortunately, just as vulnerable to cross-site scripting and other browser-based attacks. The browser is also the biggest vector for Windows, and Linux has no better immunity, unfortunately.

I would recommend using NoScript or an equivalent plugin for your browser.

In my opinion, Windows' biggest security flaw is teaching users to install software via the browser. But for non-open-source software ecosystems, it's quite difficult to create a white-list of safe programs.

My second recommendation is to, as much as possible, only use software from your repository.

In regards to the other recommendations about firewalls, while definitely not bad advice, if you are behind a NAT router, and on a small, trusted LAN, I wouldn't worry too much about it personally.
Start with (as root)

    apt-get install openssh-server
    apt-get install fail2ban
    ufw allow OpenSSH
    ufw enable
I use the following suffix to the /etc/ssh/sshd_config file:

    …
    72 #
    73 # local tweaks
    74 #
    75 Protocol 2
    76 PermitRootLogin no
    77 Banner /etc/ssh/banner
    78 UseDNS yes
    79 MaxStartups 1
    80 LoginGraceTime 15
    81 PubkeyAuthentication yes
    82 PasswordAuthentication no
    83 ChallengeResponseAuthentication no
    84 X11Forwarding yes
    85 AllowTcpForwarding yes
    86 DebianBanner no
    87 Match Address 192.168.0.0/24,127.0.0.1,192.168.1.0/24
    88     PasswordAuthentication yes
Line 82 should be commented out until you have generated an SSH key pair and placed the public key in ~/.ssh/authorized_keys, as it prevents logins using just a password. Lines 87-88 remove this restriction for local nets. Line 77 references a banner that you can provide which is presented upon SSH connection.

fail2ban with its default configuration will essentially just block objectionable SSH traffic. If you decide to extend it, create a /etc/fail2ban/jail.local file to supplement the default /etc/fail2ban/jail.conf file (the former augments the latter).

As others have mentioned, there are a number of resources available. Do not follow all suggestions blindly: some are of questionable efficacy and complexity.

ufw will allow precise tuning of iptables. Watch /var/log/ufw.log for entries indicating traffic being dropped, either appropriately or not. Once more services are added (and secured), introduce related rules into ufw one by one. If your system is exposed to the general Internet, be particularly careful with such services' configurations.

The above minimal ufw commands will prevent many commonly used network services on the local network, such as CIFS. Some packages install custom ufw application definitions which can be listed with the ufw app list command (e.g., Postfix, Apache). Such applications usually open the services to all, as opposed to just the local network.
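A small audit script for the sshd_config recipe in the post above, added here as an example (it is not the poster's code). It parses the global section and the Match blocks separately, then checks the two points the post makes: password logins are off globally (with public-key auth still on, so you are not locked out), and any Match block that turns them back on is restricted to private or loopback address ranges. The sample config is constructed for the demo.

```python
"""Check an sshd_config against the hardening settings recommended above.
Added example, not from the original post. sshd keeps the first value it
sees for each keyword, which the parser mirrors with setdefault()."""
import ipaddress

# Constructed sample: the relevant lines from the post, without line numbers.
SAMPLE_CONFIG = """\
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
Match Address 192.168.0.0/24,127.0.0.1,192.168.1.0/24
    PasswordAuthentication yes
"""

def parse_sshd_config(text):
    """Return (global_opts, [(match_criteria, opts), ...]); keys lower-cased."""
    global_opts, blocks, current = {}, [], None
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split(None, 1)
        if len(fields) != 2:      # blank, comment-only, or malformed line
            continue
        key, value = fields[0].lower(), fields[1].strip()
        if key == "match":        # every keyword below belongs to this block
            current = {}
            blocks.append((value, current))
            continue
        (global_opts if current is None else current).setdefault(key, value)
    return global_opts, blocks

def audit(text):
    """Return a list of findings; an empty list means the checks pass."""
    g, blocks = parse_sshd_config(text)
    findings = []
    if g.get("permitrootlogin", "yes").lower() != "no":
        findings.append("PermitRootLogin should be 'no'")
    if g.get("passwordauthentication", "yes").lower() != "no":
        findings.append("PasswordAuthentication should be 'no' globally")
    elif g.get("pubkeyauthentication", "yes").lower() != "yes":
        findings.append("password and public-key logins both disabled: lockout")
    for criteria, opts in blocks:
        if opts.get("passwordauthentication", "").lower() != "yes":
            continue
        parts = criteria.split()
        if len(parts) != 2 or parts[0].lower() != "address":
            findings.append(f"password login re-enabled by non-Address Match: {criteria}")
            continue
        for addr in parts[1].split(","):   # bare address -> /32 network
            net = ipaddress.ip_network(addr, strict=False)
            if not (net.is_private or net.is_loopback):
                findings.append(f"password login allowed for public range {addr}")
    return findings
```

Run `audit(open("/etc/ssh/sshd_config").read())` on a real file; an empty list means the post's settings are in place.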
I am not sophisticated enough to critically assess these documents, but here are two sources:

For a basic overview of Linux security: Red Hat Enterprise Linux 6 Security Guide

https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/

Here is a blog post by someone who is protecting his laptop; for each security measure he says what and why:

https://grepular.com/Protecting_a_Laptop_from_Simple_and_Sophisticated_Attacks

HN Discussion:

https://news.ycombinator.com/item?id=4018426
My 2 cents: you need to worry about security, but it's more like wearing seatbelts on a sunny day. The odds you'll need them are remote, as long as you exercise care and diligence.

When you're running an MS system, I guess the analogy would be you're driving in a demolition derby. It's not 'if' you'll get hit but when ...

- Turn off services you don't need or use.

- Delete services you will never use.

- Firewall with iptables.

- Set up SSH to disallow login for root. Or turn SSH off if you won't log into it from another host. You can always _start_ SSH again if you need it.
I found this article to be of some help: http://www.andrewault.net/2010/05/17/securing-an-ubuntu-server/

To start, you will just need to set up IPTables and Fail2Ban.