Basic (non-paranoid) security

Hi, everybody,
I've done some modest research on the forums. There emerged certain keywords, like iptables, chkrootkit, rkhunter, tripwire, and snort. The question is: am I reasonably safe just running the Arch "as is"? If not quite, are there "fire and forget" security solutions?
I'm just an ordinary Internet user: firefox, ktorrent;
I don't live in the root account;
I don't build packages in the root account;
That's pretty much it. I don't care to know more about security measures than I absolutely have to.

According to the chicha idea I'd say... Why don't you turn off your computer, put it inside a steel box, weld it and send it to a friendly military base? That's security!
You are safe if you do not use your computer!
Joking apart, if you do not have a hardware firewall or a NAT, using iptables is a good idea imo.
But yes, if you avoid living in root you are reasonably safe as is.
About building packages in root: it is (always imo) overrated as a risk. I have seen some badly made PKGBUILDs that make unusable packages in some situations (e.g. they rely on the user's umask value), but I have never seen a PKGBUILD (from either AUR or ABS) where building damages the system.
Surely, even if not risky... why do it?
A little script I used to configure iptables.
#!/bin/sh
# firewall.sh
# Refuse to run unless we are root: iptables needs root privileges.
if [ "$(/usr/bin/id -u)" != 0 ]
then
    echo "$(basename "$0"): you need to be root to do that." >&2
    exit 1
fi
iptables --policy INPUT DROP
iptables --policy FORWARD DROP
iptables --flush # Flush all rules, but keep policies
iptables --delete-chain
### Basic firewall rules ###
iptables --policy FORWARD DROP
iptables --policy INPUT DROP
iptables --append INPUT -i lo --source 127.0.0.1 --destination 127.0.0.1 -j ACCEPT
iptables --append INPUT -m state --state "ESTABLISHED,RELATED" -j ACCEPT
### icmp services ###
#iptables --append INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT
#iptables --append INPUT -p icmp --icmp-type time-exceeded -j ACCEPT
#iptables --append INPUT -p icmp --icmp-type echo-request -j ACCEPT
#iptables --append INPUT -p icmp --icmp-type echo-reply -j ACCEPT
### Open ports ###
#Bittorrent, ten downloads at time
#iptables --append INPUT -p tcp --dport 6881:6890 -j ACCEPT
#Utorrent
#iptables --append INPUT -p tcp --dport 41688 -j ACCEPT
#eDonkey network
#iptables --append INPUT -p tcp --dport 4662 -j ACCEPT
#iptables --append INPUT -p udp --dport 4672 -j ACCEPT
#ssh server
iptables --append INPUT -p tcp --dport 22 -j ACCEPT
#skype
#iptables --append INPUT -p tcp --dport 59945 -j ACCEPT
#http server
#iptables --append INPUT -p tcp --dport 80 -j ACCEPT
#https server
#iptables --append INPUT -p tcp --dport https -j ACCEPT
### Limits the logging to 40 entries per minute ###
iptables --append INPUT -j LOG -m limit --limit 40/minute
### Everything else is dropped ###
iptables --append INPUT -j DROP
### Finally saves the settings for the next reboot.
iptables-save > /etc/iptables/iptables.rules
echo "$(basename "$0"): Done."
Last edited by ezzetabi (2008-05-15 09:22:39)
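
An added example, not part of the original thread: a read-only audit of the saved ruleset that the script above writes to /etc/iptables/iptables.rules. It reports the default policies, the ports accepted on INPUT (the script leaves SSH on 22 open), and any rule sitting after the catch-all DROP, which never matches; that is where a rule lands if it is appended after the script has run. The function names and the embedded dump are constructed for illustration.

```shell
#!/bin/sh
# Added example: read-only audit of an iptables-save dump.
# audit_rules [FILE] reads FILE (or stdin) and prints one finding per line.
audit_rules() {
    awk '
    /^[*]/ { table = substr($1, 2); next }    # "*filter" opens a table
    table != "filter" { next }                # nat/mangle are out of scope here
    /^:(INPUT|FORWARD) / {                    # ":INPUT DROP [0:0]" is the policy
        chain = substr($1, 2)
        if ($2 == "DROP") print "OK " chain " policy is DROP"
        else print "WARN " chain " policy is " $2
        next
    }
    !/^-A INPUT / { next }
    {
        proto = "any"; port = ""; target = ""
        for (i = 3; i < NF; i++) {
            if ($i == "-p") proto = $(i + 1)
            else if ($i == "--dport") port = $(i + 1)
            else if ($i == "-j") target = $(i + 1)
        }
        # Rules are evaluated in order: nothing after a catch-all ever matches.
        if (closed) { print "UNREACHABLE " $0; next }
        if (NF == 4 && target ~ /^(DROP|REJECT|ACCEPT)$/) {
            closed = 1
            if (target == "ACCEPT") print "WARN catch-all ACCEPT on INPUT"
            next
        }
        if (target != "ACCEPT") next
        if ($0 ~ /state [A-Z,]*ESTABLISHED/) stateful = 1
        if (port != "") print "OPEN " proto "/" port
    }
    END { if (!stateful) print "WARN no ESTABLISHED,RELATED accept rule" }
    ' "$@"
}

# Constructed sample: roughly what iptables-save emits after firewall.sh,
# plus one rule appended by hand afterwards (it lands after the final DROP).
sample_rules() {
    cat <<'EOF'
# constructed iptables-save dump
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -s 127.0.0.1/32 -d 127.0.0.1/32 -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -m limit --limit 40/min -j LOG
-A INPUT -j DROP
-A INPUT -p tcp -m tcp --dport 6881:6890 -j ACCEPT
COMMIT
EOF
}

sample_rules | audit_rules
```

Run it against the real file with `audit_rules /etc/iptables/iptables.rules`. The script in the post configures IPv4 only; IPv6 traffic is filtered separately by ip6tables and needs its own equivalent rules.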

Similar Messages

  • [svn] 1053: Basic and custom security-constraint samples were added to the team app mainly for the doc team to have a reference .

    Revision: 1053
    Author: [email protected]
    Date: 2008-04-01 11:35:28 -0700 (Tue, 01 Apr 2008)
    Log Message:
    Basic and custom security-constraint samples were added to the team app mainly for the doc team to have a reference. The custom authentication sample uses the new ChannelSet.login and ChannelSet.logout methods.
    Modified Paths:
    blazeds/branches/3.0.x/apps/team/WEB-INF/flex/remoting-config.xml
    blazeds/branches/3.0.x/apps/team/WEB-INF/flex/services-config.xml
    Added Paths:
    blazeds/branches/3.0.x/apps/team/features/security-constraints/
    blazeds/branches/3.0.x/apps/team/features/security-constraints/README.txt
    blazeds/branches/3.0.x/apps/team/features/security-constraints/securityConstraint_Basic.mxml
    blazeds/branches/3.0.x/apps/team/features/security-constraints/securityConstraint_Custom.mxml
    Removed Paths:
    blazeds/branches/3.0.x/apps/team/features/remoting/remoting_AMF_SecurityConstraint_Basic.mxml


  • So....basically none of the creative mobile apps are Android. Great.

    So....basically none of the creative mobile apps are Android. Great.

    https://www.adobe.com/cfusion/mmform/index.cfm?name=wishform for bugs or feature requests

  • Non-secure weblog?

    Hello,
    I've set up a weblog, but for some time I was having many problems with it - as in, I could only access it locally, it would take forever to load, and it wouldn't save my settings. I did some digging and found that everything would work if I accessed it via my secure site (I host two versions of my site, one secure, one not - the secure version was created just so I could securely access webmail), and change all the links in the config files to go to the secure links instead.
    It seems like once I turned on the secure site, it "grabbed" my weblog to the exclusion of the non-secure site.
    Is there any way to get this to work on the non-secure site? Everything works right now, but people have to accept my self-signed Security Certificate, and I wonder if that might discourage visitors.
    Thanks!
    iMac 1.0 Ghz G4 17 Flat Panel   Mac OS X (10.4.7)  

    Deleted self-signed certificate, created a new one. Seems to have done the trick.

  • Advice for Basic Non-Professional Home Recording Studio

    I am new to Mac (2 months) but am interested in setting up a VERY basic recording studio at home using Garageband to record primarily voice only, plus maybe a single instrument (non-digital Dulcimer) in the future. Main purpose is to record a single acappella voice to create 4 part harmony by individually recording harmony tracks one at a time. Final output will be to use the song files in Slideshows and iDVD movie projects. Also will plan on burning music CDs of the songs for family members and non-commercial use.
    So... no need for a major budget or high level professional equipment. I have used my Intel iMac's internal mic for recording test songs as I learn my way around garageband. Internal mic works pretty well but I am wanting a little more control of ambient sounds and possibly some voice boost. I have been reading the forums fairly extensively and have some equipment in mind already but would appreciate experienced input and suggestions from the forum members.
    My current equipment ideas are:
    Shure M57 Cardioid Dynamic Mic - $89 Amazon
    Shure A2WS Windscreen -$10 Amazon
    On-Stage Stands Tripod Mic Stand with Boom -$23.55 Amazon
    XLR to XLR Microphone Cable - $8 Amazon
    M-Audio DMP3 Dual Mic Pre and Direct Box $160 zZounds (if I just need a mic preamp)
    M-Audio Fast Track US44010 USB with Session Software - $89 Amazon (if I need an audio interface)
    Since I am certainly not a recording expert and have never setup anything like this before, I could use honest input regarding what my studio needs are for the planned purpose as stated above.
    If I have read forum articles correctly, using an external dynamic mic such as the Shure M57 will require that I get either a preamp or audio interface that can bring the mic signal up to a compatible level with the Line input jack on my iMac?
    Is there any advantage to getting an audio interface instead of just a preamp for the recording purposes I have planned?
    If I do decide to add the Dulcimer instrument, since it is non-digital I would just need a second mic to add its input into the iMac using either the second XLR input on the M-Audio preamp or the audio interface?
    Am I overlooking any obvious equipment, cables, hookups I will need for the simple voice recording planned?
    Any comment on the prices listed above and better sites to purchase equipment from?
    I know this is a lot of questions. Appreciate any comments, input or ideas that your experience can offer. Thanks!

    Well I just ordered the Samson C01U Recording / Podcasting Pack from Amazon for $145. Includes the mic, clip, 10ft USB mic cable, MD5 Desktop mic stand, SP01 Shockmount, Cakewalk's Sonar LE software and a nice aluminum protective carrying case. For the price I figure I can't go too far wrong and seems like a good entry level setup into basic home recording. Thanks for the info on this USB mic. I will probably download the Samson free software since I have read that can solve some issues with the gain.
    Hopefully I can report back in a week or so and give an update on how its working on my iMac.
    Thanks for your help!

  • Call an Non-SharePoint Secured RESTful API from a Workflow in a SharePoint Online Tenant

    I have a scenario where I need to be able to make calls to a secured web service from a SharePoint 2013 workflow that will be deployed in a SharePoint Online (Office 365) environment. It is a REST web service that is secured in a 2-legged OAuth-like manner
    (the service expects a hash of the data being sent that can then be validated on the service's end of the communication). The problem is, I can't figure out how I can hash the data, since I can't run any server-side code in the SharePoint Online environment.
    The way I figured this should work is 1) user creates an item in a List on the SharePoint Site, which kicks off the workflow process. 2) the workflow process takes the user data and hashes it using a client secret assigned by the web service. 3) the
    workflow creates a web request to the web service, passing the data and the hashed values. 4) the web service processes the input and returns. 5) the workflow continues to the next step.
    I can't figure out how to implement step 2 in that process. I thought I could do a custom workflow activity that would accomplish it, but since it would pretty much have to be a code-based activity (i.e., not declarative), it can't be deployed in SharePoint
    Online, according to the documentation I've found. I could potentially add a third layer in the process and have an auto-hosted app that I could call to do the hashing of the data, but that seems to defeat the purpose somewhat from a security perspective.
    Has anyone else run into this kind of scenario? Doing this in an on-premises environment would be easy, but that's not really an option.
    Thanks!

    You should implement this by passing the values to a public (forms based auth) web method (secure over SSL) that does the hash for you and returns the value to your workflow so that it can pass it on to the other service.
    Chris Givens CEO, Architecting Connected Systems
    Blog Twitter

  • ADF Mobile - Security. Serving custom, non-j2ee security policies.

    We are trying to achieve session management across our ADF Mobile app.
    We were hoping to use the ADF Mobile inbuilt security framework.
    However our Mobile App is simply a UI interface to a large Enterprise App which already has a custom security framework(entirely database based) in place.
    The enterprise app exposes RESTful interfaces(JAX-RS-Jersey) for functionality which the mobile app consumes.
    This question has broadly 2 parts to it.
    1. Does ADF Mobile inbuilt security work ONLY with J2ee container managed security realm service?
    2. Can ADF Mobile inbuilt security be made to work with a custom application security framework?
    Following are the challenges we face in dealing with the 2nd question,
    2a. We need to extricate the Username and Password from the request as sent by the ADF Mobile default login page
    2b. Based on the authenticated state(using custom security framework) assign Roles to the user and set the response.
    2c. In the Mobile app use the custom roles to drive UI.
    2d. One of the statements in the documentation says that irrespective of successful or failed login the Springboard will be visible. Can this be prevented?
    2e. Can we maintain session while achieving the last 4?
    Using the following JAX-RS annotations it has been impossible to retrieve any user credentials at our webservice end.
    @Context SecurityContext, @Context HttpServletRequest, @CookieParams,  @HeaderParam

    Hi,
    here's how you do it
    - application roles are defined in jazn-data.xml
    - Write a custom JAAS LoginModule that authenticates against the database
    - Create WLS authentication provider for your JAAS LoginModule and configure it in WLS
    - LoginModule returns principal for user and the user group memberships
    - User logs in via login.jspx
    - WLS authenticates user
    - Security context is updated with user and user roles
    Frank

  • UserName for non ADF secured app

    I am struggling to find the appropriate binding to access the logged in user for an 11G worklist application that is not secured by ADF so that I can pass it to a newly introduced service. I've tried several different values and most are unpopulated. ADF documentation leads me to believe the following should work but it is blank as well:
    #{data.adfContext.enterpriseName}
    I'm currently employing a workaround assessing the worklist systemAttributes.assignees but that doesn't seem to be dynamic through Claim/Release for group activity.
    The data input for 'Logged in as' is what I'm really after.
    Thanks in advance.

    Hi,
    in ADF you use #{securityContext.userName}. If the user is not web authenticated, then this however will not return the username. You need to know how worklist is authenticating users and if this is not with server authentication, where this information is stored in
    Frank

  • Excel documents attempting to use non-existing Secure Store target application for unattended account

    Hey,
    I have been brought in to take a look at a few errors experienced on a SharePoint 2013 farm that will be used for BI functionality. One of the errors is the following:
    This happens when I attempt to refresh a Excel document that is using an unattended account. The application that it attempts to access (named in the error) does not exist in the Secure Store Service. I have checked the Excel Service Global Settings
    and the Target Application ID of the Unattended Service Account does not match what is given in the error (but matches a target application id that exists).
    Is there anywhere that you can override the global settings of the excel service? Is there something else that might be wrong?
    Any help is appreciated.
    Regards
    Knut

    Hi Knut,
    Thank you for your sharing! It will be beneficial to others in this forum who meet the same issue in the future.
    Best Regards,
    Wendy
    Forum Support
    Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact
    [email protected]
    Wendy Li
    TechNet Community Support

  • Support for non-proprietary secure encrypt&sign format?

    Hi,
    I want to embed data in my application which I have encrypted and signed using strong cryptography, so that the application can verify the data (assuming the application itself doesn't get changed).
    Currently I construct three byte[] arrays:
    1.) DESede encrypted data
    2.) RSA encrypted DESede key
    3.) Signature of unencrypted data using the
    Signature signature = Signature.getInstance("SHA1withRSA")
    signature.initSign(rsaPrivateKey)
    signature.update(unencryptedData)
    I turn each of these three byte[]s into Strings using Base64Coder and then concatenate them ":" separated.
    While this works (I can decrypt and verify the data), the format in which I represent the encrypted and signed data (Base64 encoding and ":" separation) is not any widely used standard and also doesn't contain any metadata about the encryption algorithm used, as would e.g. a gnupg encrypted block.
    So I was wondering, why is there no static method in the JCE that just says
    String or byte[] encrypted = SomeClass.encryptAndSign(data, "RSAwithDESede")
    or something like that, which then encrypts and signs the data according to some standard format? E.g. such that I could then decrypt and verify the data with PGP/GnuPG/OpenSSL/... ?
    Is there any library that does this, and which preferably provides a simple facade to the complexity of JCE?
    Any help is appreciated - thanks in advance!
    Tobias

    Other standards have addressed this problem. See XML Encryption (http://www.w3.org/Encryption/2001/) and XML Signature (http://www.w3.org/Signature/).
    XML Signature is now a standard component of J2SE 6.0 (http://java.sun.com/javase/6/docs/technotes/guides/security/xmldsig/XMLDigitalSignature.html)

  • Basic Doubt about security

    Dear All,
    I am trying to implement following functionality. Can you suggest how I should go about implementing this in actual code.
    I have a J2EE application consisting of swing client and server components deployed on J2EE compliant server. Now whenever a client tries to log in to system the username and password info is transmitted to server for authentication. Here I need to introduce a functionality by which password and maybe user name is encrypted before it is sent to app server and then app server at its end will decrypt before authenticating the user.
    Now theoretically I am planning to do following: using public/private key encryption. Client will encrypt the required string using public key and send it to server. Server will now decrypt using the private key which is available at its end. The client and the app server are on physically different machines. Does this make sense? And is it correct?
    Now my questions:
    Is my mechanism correct?
    How to generate public/private keys? Is it using keytool but what are steps?
    How should transfer of these keys take place?
    If keys are generated using API rather than keytool how to transmit these keys to server?
    If keys are generated using keytool still how to distribute these keys and use the same in the program while doing encryption/decryption?
    Kindly reply soon. This is urgent. Thank you in advance
    Sachin

    I would suggest making an SSL connection to the server which verifies the password (and if it is not too computationally intensive, then for data as well). Java 1.4 has SSL functionality built-in (you just need to do some key management on the server end -- if you get a certificate from a provider that is preloaded).

  • Captivate Playbar or my own (basic non urgent question)

    Hi
    If anyone has time to answer this question I would be grateful.
    What are the advantages or disadvantages of using Captivate (Cap5) own playbar instead of me using my own forward, back buttons etc.
    What do you professionals do?

    Depends on the need...
    Sometimes we just pick a default/standard playback bar and include it.
    Sometimes we lightly modify an existing one.
    On occasion, we have to make our own custom one (but one still based on a default bar...thankfully Adobe provides the source FLAs for them).
    We almost never bypass the playback bar altogether and put our own standard navigation on the slides.
    For one, there's really no advantage to that over the overall functionality CP's playback bar offers.
    Also, coding those buttons can be difficult.
    Plus you have to put the buttons on every slide. Or you can try 'show for rest of project' but that doesn't seem to work well (fairly, we've not tried that since CP 2 or 3). I don't think you can put nav buttons on the Master Slide in CP5 and above...?
    We do, of course, create custom buttons on individual slides as needed - various interactions and such - but for overall navigation, far easier to either use a standard playback bar ("skin"), or modify one through the skin editor, or create your own custom one entirely if you know Flash well enough.
    HTH
    Erik

  • Non-sso security in weblogic10.3

    Hi,
    I have an application which configured nonsso by jazn in OC4J. I want to migrate the same to weblogic10.3.
    How to do the nonsso configuration by jazn in weblogic10.3. My application is not having ADF and LDAP.
    Your help will be appreciated.
    Regards,
    Raveen

    Hi,
    It is always better to compile your code when there is a major version change. A lot has changed between weblogic 7 and 10, including JAVA API standards. Below is the detailed explanation from the JAVA API which explains clearly why you are seeing this error.
    "Thrown when an application tries to call an abstract method. Normally, this error is caught by the compiler; this error can only occur at run time if the definition of some class has incompatibly changed since the currently executing method was last compiled."
    Thanks.
    Vijay Bheemineni.

  • Code for basic registration to secure page

    Hello there, I know that this already exists, I just need to
    find the snippet or formatted codes and where they are located.
    thanks

    you can use javascript function to do that. see the sample code.
    <htmlb:button id            = "MyprintButton"
                  text          = "Print"
                  tooltip       = "Click here to print"
                  onClientClick = "javascript:window.print()"
                  design        = "small"
                  width         = "50" />
    Raja T

  • Why are all posts non secured?

    I can't read any of the posts as none are secured content. Which makes logging in somewhat pointless, ditto the padlock and the https.  

    I access the site using HTTPS and while it uses an older cypher it works fine for me and I have full visibility of the site.
