Author Topic: Locking Down a System  (Read 1072 times)

Offline sfeinst

  • Full Member
  • ***
  • Posts: 149
Locking Down a System
« on: September 24, 2009, 10:15:17 AM »
I do not yet have a laptop (I'm in the planning stages), but I was wondering, since I plan on using the laptop over unsecured wireless (i.e. public hot spots) often, what are some ways people have locked down their system to prevent unauthorized access?

My home machine relies more on the firewall on the wired router, but I'm guessing there is either no firewall on the hotspots or if there, it would not be difficult for a hacker to take it down.  So I'm guessing having a software firewall would be the first step.

So I'm looking for how to lock down my laptop to make it safe (besides not using it at all) assuming I will have PCLOS as my OS.

Thanks
Steve

Offline travisN000

  • Global Moderator
  • Hero Member
  • *****
  • Posts: 1758
Re: Locking Down a System
« Reply #1 on: September 24, 2009, 01:34:02 PM »
There is a very basic and easy to configure firewall in the PCLinuxOS control center, but if you want something with more options, there are other software firewalls in the software repositories that can be installed via the Synaptic package manager.

If you are concerned about things like packet sniffing, etc., you might want to look into setting up a VPN / secure proxy to route your internet traffic over.  I've often considered doing something like this with the PCLOS based file server / router / firewall that I use for my home network, but just haven't had the time to do it.  I do occasionally use X over SSH via a PCLOS box at home to accomplish a secure internet connection in public places (Web browsing with Konqueror on my home PCLOS server from a remote location over SSH ..it can even be done from a Windows box using Xming & PuTTY)

If you are interested in this type of solution let me know; it is pretty easy to set up.

Offline sfeinst

  • Full Member
  • ***
  • Posts: 149
Re: Locking Down a System
« Reply #2 on: September 24, 2009, 01:46:39 PM »
Quote
There is a very basic and easy to configure firewall in the PCLinuxOS control center, but if you want something with more options, there are other software firewalls in the software repositories that can be installed via the Synaptic package manager.

If you are concerned about things like packet sniffing, etc., you might want to look into setting up a VPN / secure proxy to route your internet traffic over.  I've often considered doing something like this with the PCLOS based file server / router / firewall that I use for my home network, but just haven't had the time to do it.  I do occasionally use X over SSH via a PCLOS box at home to accomplish a secure internet connection in public places (Web browsing with Konqueror on my home PCLOS server from a remote location over SSH ..it can even be done from a Windows box using Xming & PuTTY)

If you are interested in this type of solution let me know; it is pretty easy to set up.

I was concerned about whether or not firewall software was enough (for example I know in Windows you turn off file and printer sharing besides using a firewall).  I know Linux is more secure, but by default, I did not know what PCLOS left accessible.  But it sounds like firewall should be good enough.

For your other item, if I understand it correctly, you are suggesting having my desktop system be a VPN server and I would connect to it over internet from my laptop (which would be all encrypted) and then my desktop would access the internet as normal.  Doing this would make surfing no different than if I was at home.  Is that correct?

Offline travisN000

  • Global Moderator
  • Hero Member
  • *****
  • Posts: 1758
Re: Locking Down a System
« Reply #3 on: September 24, 2009, 02:22:32 PM »
The firewall in PCLinuxOS is not turned on by default in all PCLOS releases, so you will want to verify its status when the time comes.

As far as the VPN / proxy goes, you would be using the apps on your laptop, but routing the traffic over a secure tunnel to your home computer / server.

Using X over SSH is easier, as everything you need is already installed in all versions of PCLinuxOS. It also creates a secure encrypted tunnel, but instead of using the apps on your laptop, you launch the apps on your home computer, but display them on your laptop through the secure tunnel.

Both methods make sure that the traffic is encrypted as it passes over the wireless connection and through all network monitoring / filtering at the hotspot, all the way to your house; the security is the same as if you were surfing from home.

The encrypted tunnel does add some network bandwidth overhead, so it is not quite as fast as not using it, but if you have decent connection speed it does work well.  If I'm doing things like online banking from locations outside my house, I use the X over SSH method, as the entire session is running on my home computer and is more secure (even from loss / theft); for general surfing I will sometimes use whatever connection is available without encryption..  it just depends on what you are comfortable with.


EDIT: just a note: SSH is probably the most targeted service by hackers because people will often have it running and use passwords that are not strong.  There are a number of ways to add additional layers of security to SSH, so if you decide to pursue this method this is something you will want to address...  I only have one user that is allowed to access my home server via ssh and that user has a very strong password.  SSH keys and programs like fail2ban can also add more layers of security...
« Last Edit: September 24, 2009, 02:33:52 PM by travisn000 »
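
Added example, not part of the original thread: a shell audit of an sshd_config for the points in the reply above (SSH limited to one account, keys as an extra layer beyond passwords) and for the X11 forwarding that X over SSH needs. The sample config and the account name "steve" are constructed, and Match blocks and Include files are not evaluated.

```shell
#!/bin/sh
# Added example (not from the thread): audit an sshd_config for the SSH points
# raised above. Match blocks and Include files are not evaluated.

# Print the effective value of keyword $1 in file $2, or default $3 if unset.
# Keywords are case-insensitive and the first occurrence wins; with $4=all
# every occurrence is joined, because repeated AllowUsers lines accumulate.
sshd_value() {
    awk -v key="$1" -v def="$3" -v mode="$4" '
        NF == 0 || $1 ~ /^#/ { next }              # skip blank lines and comments
        tolower($1) != tolower(key) { next }
        { $1 = ""; out = out $0; found = 1; if (mode != "all") exit }
        END { if (found) { sub(/^ +/, "", out); print out } else print def }
    ' "$2"
}

# Print one finding per line for config file $1 (nothing if all checks pass).
audit_sshd() {
    cfg=$1
    users=$(sshd_value AllowUsers "$cfg" "" all)
    set -f; set -- $users; set +f                  # split the list without globbing
    [ $# -eq 1 ] || echo "WARN AllowUsers has $# entries; the thread limits SSH to one account"
    case $users in *[*?]*) echo "WARN AllowUsers uses a wildcard pattern" ;; esac
    pw=$(sshd_value PasswordAuthentication "$cfg" yes | tr 'A-Z' 'a-z')
    [ "$pw" = no ] || echo "NOTE passwords accepted; security rests on password strength"
    pk=$(sshd_value PubkeyAuthentication "$cfg" yes | tr 'A-Z' 'a-z')
    [ "$pk" = yes ] || echo "WARN PubkeyAuthentication is off; SSH keys cannot be used"
    x11=$(sshd_value X11Forwarding "$cfg" no | tr 'A-Z' 'a-z')
    [ "$x11" = yes ] || echo "NOTE X11Forwarding is off; X over SSH will not work"
    return 0
}

# Constructed sample config (not from the thread); "steve" is a made-up account.
write_sample() {
    cat > "$1" <<'EOF'
# sshd_config fragment
Port 22
allowusers steve
PasswordAuthentication yes
PasswordAuthentication no
#X11Forwarding no
X11Forwarding yes
EOF
}

tmp=$(mktemp) && write_sample "$tmp" && audit_sshd "$tmp"; rm -f "$tmp"
```

On a live server, `sshd -T` (run as root) prints the effective configuration with defaults applied, which is the authoritative view to compare against.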

Offline sfeinst

  • Full Member
  • ***
  • Posts: 149
Re: Locking Down a System
« Reply #4 on: September 25, 2009, 06:33:22 AM »
Quote
Using X over SSH is easier, as everything you need is already installed in all versions of PCLinuxOS. It also creates a secure encrypted tunnel, but instead of using the apps on your laptop, you launch the apps on your home computer, but display them on your laptop through the secure tunnel.


I hadn't thought of using SSH.  I like this idea as it also means I have full access to all files (and in the case of browsing - one set of bookmarks) without having to copy them to the laptop.  In this case, the laptop is really just a dumb terminal and all security can be centrally handled on the main desktop.

One question, have there been any hacks/cracks to get on to a laptop from wireless or has adding the firewall been enough to prevent this?  As you may have guessed, I don't have a lot of confidence in wireless (including home wireless with WPA2 encryption).  Wired is just so much safer.  Just over-cautious.

Steve

Offline travisN000

  • Global Moderator
  • Hero Member
  • *****
  • Posts: 1758
Re: Locking Down a System
« Reply #5 on: September 25, 2009, 08:58:43 AM »
I am not an expert, but my understanding is that the firewall should block most attacks, as long as it is set up to do so.  If you want to test the network security of your system, try using the port scanner / firewall tester at the shields-up website.

The reason I say most attacks, is there are always new ways appearing to hack a system..  in just the last couple of days there was a post here about how a security company was going to do a presentation on how hackers can use a common laser pointer and a sound card to record keystrokes from a distance..  :o >:(

..a firewall would not prevent or stop this type of attack.  I would guess that most successful hijack / hack attempts involve some sort of "social engineering"...  that is, the hacker gets you to do something to let them in, not by direct attacks.  The best firewall then becomes the one between your ears!


Offline ThirdOfSix

  • Hero Member
  • *****
  • Posts: 745
Re: Locking Down a System
« Reply #6 on: October 15, 2010, 04:16:42 PM »
One of the things to consider is to get a laptop with lots of memory.

Then you can run Linux from a live CD and load to RAM.

You don't want to run the live CD from the optical drive under battery power.

Now, you can use browsers or whatever and know that when you shut down, any nasties that you came in contact with will be gone.

I know that there will be times when this is not a viable approach but even so, anything that you do to limit the exposure of your machine to the predators on line will reduce your chances of a nasty surprise.

It is just one tool to use in your overall protection procedures.

Offline YouCanToo

  • PCLinuxOS Tester
  • Hero Member
  • *******
  • Posts: 5337
  • Location: Lebanon, OR., USA
    • Spreading the word.......
Re: Locking Down a System
« Reply #7 on: October 15, 2010, 05:12:13 PM »
Quote
There is a very basic and easy to configure firewall in the PCLinuxOS control center, but if you want something with more options, there are other software firewalls in the software repositories that can be installed via the Synaptic package manager.

If you are concerned about things like packet sniffing, etc., you might want to look into setting up a VPN / secure proxy to route your internet traffic over.  I've often considered doing something like this with the PCLOS based file server / router / firewall that I use for my home network, but just haven't had the time to do it.  I do occasionally use X over SSH via a PCLOS box at home to accomplish a secure internet connection in public places (Web browsing with Konqueror on my home PCLOS server from a remote location over SSH ..it can even be done from a Windows box using Xming & PuTTY)

If you are interested in this type of solution let me know; it is pretty easy to set up.

I was concerned about whether or not firewall software was enough (for example I know in Windows you turn off file and printer sharing besides using a firewall). 

Neither file sharing nor printer sharing is turned on by default.

Quote
I know Linux is more secure, but by default, I did not know what PCLOS left accessible.  But it sounds like firewall should be good enough.

For your other item, if I understand it correctly, you are suggesting having my desktop system be a VPN server and I would connect to it over internet from my laptop (which would be all encrypted) and then my desktop would access the internet as normal.  Doing this would make surfing no different than if I was at home.  Is that correct?




Linux is user-friendly- it's just picky who its friends are!