I then found a blessing from the National Security Agency (NSA).  They had published baseline security lockdown guides for the majority of technologies that we were deploying.  I started using them to secure our systems along with a large number of recomendations from Andy and the information security team.  It was and still is my favorite part about the job.

Just as an overview, the guides go through getting rid of some bad default settings, teach you to run services with a less priviliged user, and best of all…common sense.  Securing systems is a lot of the latter.  Don’t use default passwords, don’t run as root, etc.  They go into great depth on certain subjects, an just glaze over a few others but the documents are well written and if uses appropriately WILL help you protect your systems.

This have been around for a while now so you may have already know about them but even if you have seen them before, please take a look again just as a refresh.

On the tech side, I did find a newish product ebox-platform which is a set of packages and a management GUI on top of Ubuntu.  I’m going to give it a whirl for my home server and will be using the file and print sharing functionality as well as the web server.  On their website, they list what products they use to deliver this functionality.  It’s what you would expect if you were to do it yourself but I’m interested in the management interface.  I’ll update you on this later.

Well, that’s all I have for the moment.  Stay tuned and thanks for reading.

Desktop Antivirus / AntiSpyware

At work my company has standardized on NOD32 from ESET.  I had never herd of the company until I started at my current position about a year and a half ago and now, I rarely use anything but NOD32.  They have a couple of editions but I’m only familiar with ESET NOD32 AV v2.6 and v3.0.  So far I have not had a single problem with virii or spyware (except for a few hacking/cracking tools that I use on occasion).

If I’m not using or recommending NOD32 for home / client computers I go with AVG.  AVG AntiVirus 8.0, the newest version from AVG covers pretty much everything you would need from an AntiVirus / AntiSpyware software suite.  They even have a free edition that can be found here for home computers that only need basic protection.  If your on a budget, AVG Free Edition is for you.  Again, so far, with my use of AVG Antivirus, I have not had a single problem.

Safe Internet Browsing

This is a huge deal when it comes to keeping your computer safe.  Sometimes it doesn’t involve any software at all.  Just some intelligence and PG13 level surfing (no porn or online gambling allowed!!).  However, because of my ADHD and endless appetite for information, even I run across some potentially bad websites.

To combat this I use OpenDNS.  I’ve done a blog post on them a while back.  Search at the right if you are interested but I’ll cover a few points to OpenDNS here.  First of all, OpenDNS is cool.  Second, OpenDNS is free.  Now that I got those two things out of the way, I’ll explain it a bit.  OpenDNS is a free DNS service that you point your network DNS servers, clients, etc towards and you instantly get a bit better service.  If you go to the website and create an account and then register your IP address there, you can have settings specified that would prevent people from surfing websites that fall within a specific category.  Below is what I have mine set to.

The moderate setting includes blocking of Adaware, Alochol, Dating, Drugs, Gambling, Hate/Discrimination, Weapons, Tasteless, Lingerie/Bikini, Proxy/Anonymizer, Sexuality, Nudity, Pornography, and Phishing.  The last one is especially cool because it uses the phishing database PhishTank, which is THE defacto standard in phishing databases…well at least I believe so.

Desktop and Network Firewalls

As much as I should use a desktop firewall, I don’t.  It hinders my ability to do network scans, attach to different networks, open up shares on my computer remotely, test software, etc.  But, do what I say and not what I do.  If you have no reason not to use one…then do so.  The built in Windows Firewall is fine but if you need to feel a little safer at night, I recommend ZoneAlarm.  It has both high reviewes in the major computer magazines and is recommended by the security research group Gibson Research Corp.

My home network firewall is pfSense, a free open source, fully featured firewall that I have installed on an old workstation with two network interfaces.  Visit the website for a full list of features.  Other firewall’s that I would recommend would be the Cisco PIX or ASA, m0n0wall, and any Linux distribution running iptables.  It’s not that these are the only secure options out there but rather I only have extensive experience in this small list.

SPAM Protection

This cannot be stressed enough…  Never use an email address without a **GREAT** SPAM filter.  For personal use, grab a free GMail account.  For corporate use get a Barracuda SPAM firewall, use Postini or build your own SPAM filter based on SpamAssassin.  For the DIY I recommend Maia Mailguard.  The reason for this is quite simple, spyware and virii can be transmitted quite easily through email.  If you are not protected, you are asking for trouble.

Defense in Depth

Although all of my recomendations, in my option, are good ones..not a single one of them guarantees that you will not get infected.  Things like zero day attacks, trojans, virii, spyware, adaware, malware, etc are not always easily detected and therefore may hit a large number of computers over a short period of time without the security companies knowledge.  However, with the use of all of them together, you now have the tools for a fighting chance and with any luck, you’ll be virus free.

Hopefully you’ll take my advice on one or more of the above topics and have a safer more enjoyable time on the internet.

Extras!!

Here are a few extra tools that I did not fit in.

ESET Online Scanner | TrendMicro House Call | TrendMicro HijackThis | Symantec Removal Tools

First, lets setup the environment. I use VI as my text editor on Linux and you can view my “60 second VI tutorial” on here as well. To ensure that VI will be our crontab (cron table) editor we will need to edit your “.profile” file for whatever user you are going to be logged in with (typically root).

vi /root/.profile

Add one of thefollowing lines above the second fi to match your preference.

export EDITOR=/usr/bin/vi #if you have just VI installed
export EDITOR=/usr/bin/vim.basic #if you have VIM installed

Ensure that you save it with :wq.

Now that we have that out of the way, lets start scheduling tasks.

Since backups are traditionally something that you would want to automate or schedule, I’ll use it as my main example but first I’ll break down the cron scheduling syntax.

0 2 * * * root tar czf /var/backup/www.tar.gz /var/www >> /dev/null 2>&1

With the above example and the table of what each field does, you get can put together that at 0200 or 2:00 AM every day root will be running “tar czf /var/backup/www.tar.gz /var/www >>/dev/null 2>&1″ which is telling tar to tar up /var/www into /var/backup/www.tar.gz and /dev/null 2>&1 is a way to have the command put any output into a “trash can” if you will  Alternately you can specify a log file for that output to go with “>> /var/log/cronforcommand.log 2>&1″.  The * in a schedule means to omit that portion of the schedule.

That one was pretty basic so I’ll get a little more complicated now.  Matter of fact, I’ll just skip the user and command to execute from now on and focus on the command structure for scheduling with cron

EXAMPLES:

Every Minute - * * * * *

Every 5 Minutes - 0,5,10,15,20,25,30,35,40,45,50,66 * * * *

Every 5 Minustes (Simple) - */5 * * * *

Every Hour - * */1 * * *

Every 2 hours - * */2 * * *

Every Day @2:00 AM - 0 2 * * *

Every Day @ 6:00 PM - 0 18 * * *

Every Sunday @ 3:15 AM - 15 3 * * 0

On Feburary 11 @ 10:00 PM - 0 22 11 2 *

That pretty much covers the majority of typical uses for cron. Obviously this is a very powerful tool and can do so much more but for this post, I think it’ll do.  If I messed anything up , please let me know.  Enjoy.

First, let’s make sure we have the right packages installed.

apt-get install openssh apache2 apache2.2-common php5

Now let’s enable SSL for apache2

sudo a2enmod ssl

Now lets create the server SSL key.

cd /etc/ssl/private
openssl genrsa -des3 -out dns.server.com.key 1024

Ok, now that we have the key, let’s create the CSR to be given to the CA.

openssl req -new -key dns.server.com.key -out dns.server.com.csr

It will prompt you for the passphrase and some other bits of information.  The most important one is site name.  This must match the name of your server.  Something like mail.domain.com or www.domain.com would be appropriate here.

The CSR can now be uploaded to whatever CA you choose.  I use GoDaddy because they are so cheap.

If you do not want to purchase a certificate you can create your own self signed cert with the following command.

openssl x509 -req -days 365 -in dns.server.com.csr -signkey dns.server.com.key -out dns.server.com.crt
cp /etc/ssl/private/dns.server.com.crt /etc/ssl/certs

Now that we have the cert created, let’s configure Apache to use it. Add the following 3 lines to your website configuration.  The default one is located in /etc/apache2/sites-available/default.

SSLEngine on
SSLCertificateFile /etc/ssl/certs/dns.server.com.crt
SSLCertificateKeyFile /etc/ssl/private/dns.server.com.key

Save that config file and enable Apache to listen on 443 for HTTPS traffic.  Add the following line to /etc/apache2/ports.conf

Listen 443

Restart your Apache2 process and you should have a fully functional SSL enabled website.

/etc/init.d/apache2 force-reload && /etc/init.d/apache2/restart

vi /etc/network/interfaces - opens /etc/network/interfaces in vi

i - insert
/ - search
G - [Shift] g - go to bottom of page
dd - delete the line
d <- or d -> - d [left or right arrow] delete 1 character in that direction
10G - 10 [Shift] g - move to line 10 (obviously number can be replaced)
10dd - delete 10 lines from cursor and below (again, number can be changed)
:q - quit (no changes may have been made)
:q! - quit (do not save changes)
:wq - write quite (save and quit)
:w - write (save)

Ok, now that you have mastered the basics of vi, please refer all other needs to the link provided above.  Hope you like vi as much as I do.

NOTE:  Ubuntu (and maybe debian) have a few things that the built in vi program have that seem a little strange.  I usually install vim just to be safe.  to do this run sudo apt-get install vim-full.


I’m looking at one of the higher end HP or Dell’s running Vista Ultimate with a dual monitor setup for home.  I have dual monitors at work and it gets pretty hard to get all the work I want to get done at home when I only have a single 17″ flat panel.  Pretty low tech if you ask me.

For those of you who do donate, thank you very much.  I appreciate it.  For those of you who don’t, I won’t hold any grudges.