Mailinglist Archive: opensuse (911 mails)

Re: Re: [opensuse] Have I been hacked or "visited"? seccheck and rkhunter outputs
  • From: Greg Freemyer <greg.freemyer@xxxxxxxxx>
  • Date: Thu, 24 Dec 2015 15:21:04 -0500
  • Message-id: <CAGpXXZKnCj3L1u0FUv=PYO5A-enbYaQ=QCAFQH77bPEdU_XFtw@mail.gmail.com>
On Thu, Dec 24, 2015 at 2:48 PM, <stakanov@xxxxxxxxxx> wrote:


-----Original Message-----
From: Greg Freemyer
Sent: Thu. 24.12.2015 19:45
To: opensuse ,
Subject: Re: [opensuse] Have I been hacked or visited? seccheck and rkhunter
outputs

On Thu, Dec 24, 2015 at 8:56 AM, Patrick Shanahan wrote:
* stakanov@xxxxxxxxxx [12-24-15 07:18]:
[...]
Somebody who does not want to use "remote" at all. What can he do to
uninstall every remote package? The problem is that if you uninstall
openssh, a lot of KDE applications seemed to complain.
[...]

So don't "uninstall", just don't open the firewall ports.

No open ports, no external access. Now only physical access is a problem.


For completeness:

A modern malware attack often uses a reverse tunnel.

i.e., malware gets on the machine via a phishing attack or an infected website.

Once on your machine it establishes outbound connections to a command
and control site that tells it what to do.

No inbound connections are needed, so a traditional firewall blocking
incoming ports has no effect.

I would guess the majority of infections today happily ignore inbound
firewalls.

Greg
--
To unsubscribe, e-mail: opensuse+unsubscribe@xxxxxxxxxxxx
To contact the owner, e-mail: opensuse+owner@xxxxxxxxxxxx



-----End of original message-----

Thank you Greg.
Given that I am visiting certain websites in a predictable pattern, what
would be the best way to get to safer browsing? I got rid of "unbound"
JavaScript using NoScript in a very selective manner, and I eliminated the use of
Flash Player.
Firefox seems to be less "safe" because of the lack of a sandbox. But
Chromium also has security holes at an astonishing rhythm. I tried some time ago to
confine FF with AppArmor, but that was a no go; for some reason the program
seems to have changing requirements quite often.
What could I do to harden my system? Would SELinux, in your opinion, be a
possibility? Or is this snake oil? Or impossible to handle for a mortal?
Just to know how to get to a better level of security.
My enhancement request as a feature would be an easy-to-set-up method for
activating DNSSEC. At least I would have a slightly higher possibility to
understand when I am diverted to a mirrored site. Currently in my homestead I
am warned by my Tor browser (tor browser package) that my connection is
filtered and that it has to use an obfs connection to be able to work. Which I
can confirm: some websites that work here at my parents' in Germany would not
even load in Belgium. So they use a transparent DNS proxy (as I already use
free DNS servers). A VPN to anonymizing services either cannot be
established at all or is interrupted continuously, dying with a time-out.
All this is unpleasant.
I would also be curious to understand why we do not use HTTPS and FTPS
connections for our repos. Is there a specific reason? Sure, you say that the
PGP signature is enough, but I argue that knowing when you connect and the
knowledge of packages charged may lead to very personalized strategies. So,
since there are all these activities on HTTPS everywhere, how come we do not
use out-of-the-box DNSSEC and HTTPS (maybe even TLSA)?

P.S. I tried to eliminate the .mozilla directory to see if this would fix the mp3
playing issues, but found that one of the libraries had its ownership set to
root. Is that normal? It somewhat astonished me because it is user stuff.

It certainly looks like you are shooting for good security and probably
succeeding. I'll let someone else answer most of the questions.

RE: How to setup safe browsing?

If you want to get extreme, use a dedicated VM for browsing websites
that don't have your personal/financial info.

Maybe once a week restore it to the last known clean snapshot, apply
the latest security patches, and update the snapshot before you start
browsing.

That way, even if you do get an infection it is trapped in a VM with
no valuable data and it will be removed the next time you restore to a
clean snapshot.

With something like VirtualBox that is pretty easy to manage.

By the way, that is similar to how security pros test out malware,
etc. Just throw it into a known clean sandbox and see what it does.
In this case you won't have all the software probes they have, but you
should still be fairly confident the malware can't get out of the VM
and into your main box.

Then use one or more dedicated VMs to access websites with your
financial / personal records. Follow the same restore/update/snapshot
process with it just on the off chance you still manage to get some
malware in there.

FYI: The only people I know that follow the above guideline are
security pros, but it is not that hard to do, and I've rarely seen a
VM security hole that lets malicious code inside the VM get into the
host.

Greg
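As an added example (not code from the thread or from openSUSE), the restore/patch/re-snapshot cycle Greg describes, scripted for VirtualBox's VBoxManage CLI. The VM name, snapshot name, an openSUSE guest with Guest Additions installed (needed for "guestcontrol run"), and a root password file for the guest are all assumptions.

```shell
#!/bin/sh
# Weekly refresh cycle for a disposable browsing VM, as described above:
# roll back to the clean snapshot, patch the guest, re-take the snapshot.
# Assumptions (not from the thread): VirtualBox 5.x CLI (VBoxManage), Guest
# Additions installed in an openSUSE guest so "guestcontrol run" works, and
# the guest root password stored in a file readable only by the host user.

VBOXMANAGE="${VBOXMANAGE:-VBoxManage}"
DRY_RUN="${DRY_RUN:-0}"   # 1 = print the VBoxManage commands instead of running them

# Run one VBoxManage subcommand, or echo it when DRY_RUN=1.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$VBOXMANAGE $*"
    else
        "$VBOXMANAGE" "$@"
    fi
}

# Block until the VM reports a state other than "running" (skipped in dry-run).
wait_for_poweroff() {
    [ "$DRY_RUN" = "1" ] && return 0
    while "$VBOXMANAGE" showvminfo "$1" --machinereadable | grep -q '^VMState="running"'; do
        sleep 5
    done
}

# refresh_cycle VM SNAPSHOT PASSFILE
refresh_cycle() {
    vm="$1"; snap="$2"; passfile="$3"
    # 1. Discard everything last week's browsing left behind.
    run snapshot "$vm" restore "$snap"
    # 2. Boot headless and apply security patches inside the guest.
    run startvm "$vm" --type headless
    run guestcontrol "$vm" run --username root --passwordfile "$passfile" \
        --wait-stdout --wait-stderr --exe /usr/bin/zypper -- \
        zypper --non-interactive patch --category security
    # 3. Clean shutdown, then replace the snapshot so the next rollback
    #    starts from the patched state rather than last week's.
    run controlvm "$vm" acpipowerbutton
    wait_for_poweroff "$vm"
    run snapshot "$vm" delete "$snap"
    run snapshot "$vm" take "$snap" --description "clean and patched $(date +%F)"
}

# Invoked as a script: ./refresh-browse-vm.sh browse-vm clean /path/to/passfile
if [ $# -eq 3 ]; then
    refresh_cycle "$1" "$2" "$3"
fi
```

Set DRY_RUN=1 first to review the exact VBoxManage calls before letting the script touch a real VM.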
