> On 19.09.2015 at 14:19, Carlos E. R. wrote: ...
>> Use WPA2 with a strong password...
> I changed the SSID name, use WPA2 and have a good (now new) password, I believe.

Ok...

>> Have all internal machines with a firewall.
> Here the confusion already begins. What is an "internal" machine? I have my computer on the Ethernet cable, and my laptop on WiFi.

Well, all the machines that are connected to the ISP-provided router. Outside is the Internet; inside is your home, local network.

>> In openSUSE, use the external interface setting,
> that's what I have
>> or if you use the internal setting, tell YaST to also protect from internal.
> and I have no idea what it means to protect from internal...
Oh, it's just a setting in the SuSEfirewall2 config that is named that way:

## Type: list(yes,no,notrack,)
#
# Do you want to protect the firewall from the internal network?
# Requires: FW_DEV_INT
#
# If you set this to "yes", internal machines may only access
# services on the firewall you explicitly allow. If you set this to
# "no", any internal user can connect (and attack) any service on
# the firewall.
#
# The value "notrack" acts similar to "no" but additionally
# connection tracking is switched off for interfaces in the zone.
# This is useful to gain better performance on high speed
# interfaces.
#
# defaults to "no" if not set
#
# see also FW_REJECT_INT
#
FW_PROTECT_FROM_INT="no"

/etc/sysconfig/SuSEfirewall2 lines 219-240/1169 24%

Let me expand. If you have a computer on a company or college network, you could define the interface as "internal", which would allow other users in the company to connect to your machine, for sharing files, for instance. You would be protected from the dangerous outside world by the company firewalls. You could do the same at home. However, if you don't trust all the people on that company network, you would set "protect from internal", which would immediately close all ports; if you want to share files, you would have to specifically open the needed ports. Basically, it is about the same as defining the network interface as "external".
>> Yes, this is a nuisance, but I don't trust ISP routers with firewall: those things have holes and they are seldom patched.
> What nuisance? The router's firewall isn't even on, simply because I don't know what those settings mean...
Well, you don't need to know the settings; just enable the firewall in the router. You only need to configure it when you want someone outside to be able to connect to a computer in your home, for instance to set up an Internet phone. I mean that it is a nuisance to try to share files between two computers if the firewalls inside the home are up. But it is safer, too, especially if the firewall on your router is down.
>> Keep your machines updated. This protects you from most "hacks". Use common sense when clicking links or opening emails, especially in Windows.
> Of course. The only Windows I have is in a VirtualBox with blocked network/Internet.
Good! I forgot about phishing and social engineering: say that somebody sends you an email asking you to read some report on a photographers' meeting at La Hague, or offering a contract. You would be intrigued and have a look. Well, that's a possibly dangerous situation. Especially in Windows, because they tell people to open, say, an invoice in a PDF, but the file is not a PDF but an executable, which immediately owns the Windows computer because the typical setup is to run Windows as administrator. If they send you an email with a text that seems realistic and intriguing, especially if they already know about you, it is possible that you get hooked. It is dangerous, more than viruses.
>> Finally, if you need to have open services to the outside, like ssh, http, whatever, you have to really secure them. Ask, if you don't know how.
> I have the ssh server "on". I need it to let my laptop connect, for rsync and the like,
Ok, but you use it for connecting inside home; not to connect from a coffee shop, right?
> I would really like to know how I can manage that only MY laptop can ssh to the PC (and the reverse). Due to DHCP, IPs change, so filtering by IP wouldn't help...
Well... If you configure for static addresses instead, you can then filter in the firewall to allow those addresses. Some home routers can be configured to assign a certain IP to a certain machine, via DHCP. So the computer is still on automatic network configuration, but it always gets the same address. On http://adslzone.net/ you can find information about the routers typically used in Spain, with howtos for doing typical things.
> What I "fear" most is that one of my guests (to whom I gave the WiFi password) can follow my web actions or even get into my PC....
> Ahhh, it's all so complicated :-)
Well, getting into your PC is not trivial. Following your web actions is easier, /if/ your router publishes all network traffic of everybody on the wireless interface, which they typically don't. If you are connected by cable, it is easier to "sniff" (that's the name of the action).

--
Cheers
Carlos E. R.
(from 13.1 x86_64 "Bottle" (Minas Tirith))
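Putting the two pieces of advice in this thread together (a DHCP reservation so the laptop's address is stable, then FW_PROTECT_FROM_INT plus one explicit allow rule so only that address reaches sshd), here is a constructed /etc/sysconfig/SuSEfirewall2 excerpt. It is an added example, not a file from this thread; the interface name eth0 and the laptop address 192.168.1.20 are assumptions.

```shell
## /etc/sysconfig/SuSEfirewall2 (constructed excerpt, not the thread's own file)
## Assumptions: the PC reaches the home router on eth0, and the router's DHCP
## reservation always hands the laptop the address 192.168.1.20.

# Put the home LAN in the "internal" zone (this is what FW_PROTECT_FROM_INT
# applies to; the setting is ignored if FW_DEV_INT is empty).
FW_DEV_INT="eth0"
FW_DEV_EXT=""

# Do not trust everything on the LAN (WiFi guests included): with "yes",
# internal hosts may only reach services you explicitly allow.
FW_PROTECT_FROM_INT="yes"

# Do not open ssh to the whole internal zone ...
FW_SERVICES_INT_TCP=""

# ... but accept it from the laptop's reserved address only.
# Entry format: net,protocol[,dport]
FW_SERVICES_ACCEPT_INT="192.168.1.20,tcp,22"

# Reject instead of silently dropping other internal attempts, so a
# misconfigured client fails fast (the "see also FW_REJECT_INT" from the
# comment block quoted above).
FW_REJECT_INT="yes"
```

The address rule is only as good as the DHCP reservation: anyone on the WiFi who sets 192.168.1.20 on their own machine passes it, so treat it as a first layer and still keep sshd on key-based authentication with password logins disabled. Check the result with "SuSEfirewall2 status" (or iptables -L -n) after restarting the firewall.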