Security?
Imagine you were the boss of some shop with a couple of employees. Would you like to have an employee hanging around where you don't know why he was engaged, what his specific tasks would be, and what he was actually doing?
That's about the same with a machine you are running and a couple of daemons engaged to work on that machine.
I would say not nearly the same with my machines. I am very security-oriented, beyond the browser extensions I use. Here are some things I do that aren't all included in my Tutorial but are free to be known, used with it, and are what I consider good practice:
/etc/rc.conf
syslogd_flags="-c -ss"
sendmail_enable="NO"
tcp_drop_synfin="YES"
sshd_enable="NO"
telnet_enable="NO"
cupsd_enable="NO"
samba_enable="NO"
inetd_enable="NO"
rlogin_enable="NO"
portmap_enable="NO"
winbindd_enable="NO"
lpd_enable="NO"
nfs_server_enable="NO"
nfs_client_enable="NO"
webcamd_enable="NO"
My ruleset is set to block and has been posted before. Here it is again:
/etc/pf.conf
### Macro name for external interface
ext_if = "bge0"
### Inbound ports to block (macro names are historical; the lists cover more than NetBIOS)
netbios_tcp = "{ 22, 23, 25, 80, 110, 111, 123, 512, 513, 514, 515, 6000, 6010 }"
netbios_udp = "{ 123, 512, 513, 514, 515, 5353, 6000, 6010 }"
### Options must precede normalization and filter rules, or pfctl rejects the file
### Pass loopback
set skip on lo0
### Reassemble fragmented packets
scrub in on $ext_if all fragment reassemble
### Default deny everything
block log all
### Block spoofed and unroutable sources
antispoof for lo0
antispoof for $ext_if inet
block in from no-route to any
block in from urpf-failed to any
block in quick on $ext_if from any to 255.255.255.255
block in log quick on $ext_if from { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 255.255.255.255/32 } to any
### Block all IPv6
block in quick inet6 all
block out quick inet6 all
### Block to and from port 0
block quick proto { tcp, udp } from any port = 0 to any
block quick proto { tcp, udp } from any to any port = 0
### Block specific ports
block in quick log on $ext_if proto tcp from any to any port $netbios_tcp
block in quick log on $ext_if proto udp from any to any port $netbios_udp
### Keep and modulate state of outbound tcp, udp and icmp traffic
pass out on $ext_if proto { tcp, udp, icmp } from any to any modulate state
From the terminal:
jitte@jigoku:/ $ who
jitte ttyv0 Jan 28 23:24
jitte pts/0 Jan 28 23:25 ( : 0 )
jitte@jigoku:/ $
(I fixed that last line from a smiley emoji it made here.)
I run security/rkhunter to check for rootkits and file changes but stopped bothering with things like security/aide long ago.
security/bcrypt and USB sticks are what I place my trust in for password security. There may be more, but I haven't had enough coffee to think of them.
There are no Instant Messenger apps of any kind on my machine. I do everything from my usr account and su to become root, which some see as bad practice but is all I have ever used and am comfortable working as. When I work as root it is only work that needs to be done as root, and then I log out back into my usr account.
No browsers are open during that time and I may pull the Ethernet wire from the laptop if I enter the password and work. No wi-fi or bluetooth allowed in my house unless I invoke Kali to see with eyes of the Goddess.
If there are Daemons in my boxen talking to somebody they're only chatting with the Daemons in my mind through my fingertips as I type. I know some apps phone home but I brush aside the Dragons warned of that dwell in the depths of about:config. I'm boring anyway and not very interesting, for the most part.
If you have concerns that this and selectively allowing JS to run online don't cover, and I'm missing something, please do tell. I'd rather hear it from you than be surprised by an exploit from my Finnish Fans afar who tell bedtime stories of the Demon to frighten children.
Boo!
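As an added example that is not part of the post above, here are two small POSIX sh audit helpers for the kind of hardening the post describes: one reads an rc.conf-style file and reports which of the post's listed daemons are not set to NO (honouring the fact that rc(8) sources the file top to bottom, so a later line silently overrides an earlier one), and one checks that a pf.conf keeps pf's required section order (options, then normalization, then filter rules), since pfctl refuses to load a ruleset with a "set" or "scrub" line placed after a block or pass rule. The daemon list mirrors the post's rc.conf; the sample files, the demo directory and the function names are constructed for this example.

```shell
#!/bin/sh
# Added example (not the post's own code). Audit helpers for rc.conf and pf.conf.

# Daemons the post disables in /etc/rc.conf (assumed list, mirrors the post).
WATCHED="sendmail sshd telnet cupsd samba inetd rlogin portmap winbindd lpd nfs_server nfs_client webcamd"

# rc_value FILE KEY: effective value of KEY in an rc.conf-style file.
# Comments are stripped first; the last assignment wins, as with rc(8).
rc_value() {
    sed -e 's/#.*$//' "$1" \
      | grep "^[[:space:]]*$2=" \
      | tail -n 1 \
      | sed -e 's/^[^=]*=//' -e 's/[[:space:]]*$//' -e 's/^"//' -e 's/"$//'
}

# audit_rc FILE: print one line per watched daemon that is not explicitly NO;
# return 1 if any watched daemon is explicitly enabled, 0 otherwise.
audit_rc() {
    _bad=0
    for _d in $WATCHED; do
        _v=$(rc_value "$1" "${_d}_enable")
        case "$_v" in
            [Nn][Oo]) ;;
            "")       echo "INFO  ${_d}_enable not set (rc defaults apply)" ;;
            *)        echo "FOUND ${_d}_enable=\"$_v\""; _bad=1 ;;
        esac
    done
    return $_bad
}

# check_pf_order FILE: flag "set" (options) or "scrub" (normalization) lines
# that appear after a later section; return 1 if any are found. Covers the
# sections the post's ruleset uses; macro definitions and comments are skipped.
check_pf_order() {
    awk '
        BEGIN { last = 0; bad = 0 }
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        /^[[:space:]]*[A-Za-z_][A-Za-z0-9_]*[[:space:]]*=/ { next }
        {
            r = 0
            if ($1 == "set") r = 1
            else if ($1 == "scrub") r = 2
            else if ($1 == "block" || $1 == "pass" || $1 == "antispoof") r = 3
            else next
            if (r < last) { printf("line %d: \"%s\" after a later section\n", NR, $1); bad = 1 }
            if (r > last) last = r
        }
        END { exit bad }' "$1"
}

# Constructed sample files for the demo (not real system files).
DEMO=${TMPDIR:-/tmp}/pf_audit_demo.$$
mkdir -p "$DEMO"
cat > "$DEMO/rc.conf" <<'EOF'
sendmail_enable="NO"
sshd_enable="NO"   # disabled, as in the post
sshd_enable="YES"  # a later line silently re-enables it
samba_enable="NO"
EOF
cat > "$DEMO/pf_bad.conf" <<'EOF'
ext_if = "bge0"
scrub in on $ext_if all fragment reassemble
block log all
set skip on lo0
pass out on $ext_if proto { tcp, udp, icmp } from any to any modulate state
EOF
cat > "$DEMO/pf_good.conf" <<'EOF'
ext_if = "bge0"
set skip on lo0
scrub in on $ext_if all fragment reassemble
block log all
pass out on $ext_if proto { tcp, udp, icmp } from any to any modulate state
EOF

# Run the checks; the exit codes carry the result, the output is informational.
audit_rc "$DEMO/rc.conf" || echo "rc.conf: a watched daemon is enabled"
check_pf_order "$DEMO/pf_bad.conf" || echo "pf_bad.conf: pfctl would reject this order"
check_pf_order "$DEMO/pf_good.conf" && echo "pf_good.conf: section order OK"
```

On a real box the order check complements, rather than replaces, pfctl's own dry run (pfctl -nf /etc/pf.conf), which parses the whole file without loading it; the script is useful where pfctl is not available, for instance when reviewing a ruleset copied from a forum post on another machine.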