SoylentNews is people

posted by on Monday January 09 2017, @10:05AM
from the belt-and-[suspenders|braces] dept.

Red Hat employee Daniel J. Walsh writes via OpenSource.com

When I was young, Paul Simon released his hit song, 50 Ways to Leave Your Lover. Inspired by this song, I've collected 50 ways sysadmins and laypeople can avoid getting hacked:

"Make a new plan, Stan"
[...]
6. Run applications in the SELinux Sandbox whenever possible--it was a container before containers were cool. Also follow the development of Flatpak, which soon should be developing sandboxing capabilities.

7. Don't install or use Flash. Firefox no longer supports it, and hopefully most web servers are moving away from it.
[...]
"Just get yourself free"
[...]
19. [...] I don't do online banking on my phone--only on my Linux computer.
[...]
"Hop on the bus, Gus"

21. Run Linux on your systems. When I first hooked my father up with a computer system, I barely got home before his system was infested with viruses. I returned and installed Linux on his system and he has been running it ever since.
[...]
"And get yourself free"
[...]
50. Set up a special guest network for all those Christmas IoT devices your kids receive. I love my Amazon Echo and automated lights and power switches ("Alexa, turn on the Christmas Lights"), but each one of these is a Linux operating system [whose manufacturer's configuration] has questionable security.

Do you take exception with anything he suggests? (Being a Red Hat guy, he is enthusiastic about systemd.) Can you think of something he missed?


  • (Score: 0) by Anonymous Coward on Monday January 09 2017, @10:51AM (#451405)

    9. Take advantage of systemd tools to help secure your services.

    Of course the example they gave (private tmpfs) uses kernel functionality (mount namespace) that exists independent of systemd (I think sshfs uses that feature, too). How complicated is it to set up a private tmpfs on non-systemd systems? (Honest question, I don't have any experience in that area.)

  • (Score: 0) by Anonymous Coward on Monday January 09 2017, @02:56PM (#451463)

    How complicated is it to set up a private tmpfs on non-systemd systems?

    Very nice example here [stackexchange.com]

  • (Score: 2) by Subsentient (1111) on Monday January 09 2017, @04:54PM (#451502)

    mount -t tmpfs tmpfs /my/mount/point

    --
    "It is no measure of health to be well adjusted to a profoundly sick society." -Jiddu Krishnamurti
    • (Score: 2) by maxwell demon (1608) on Monday January 09 2017, @09:07PM (#451628)

      That's not a private tmpfs. And posted about two hours after an AC posted a link to the correct solution.

      --
      The Tao of math: The numbers you can count are not the real numbers.
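
Added example (not part of any comment in this thread, and not the code from the linked answer): the difference between a plain tmpfs mount and a private one, sketched in shell. `run_with_private_tmp` mounts a tmpfs on /tmp inside a new mount namespace using util-linux `unshare`, and `tmp_is_private` compares two mountinfo listings to confirm the host cannot see that tmpfs. The function names and the sample mountinfo lines are constructed for illustration, and root is assumed.

```shell
#!/bin/sh
# Added example. run_with_private_tmp needs root and util-linux unshare.

# Run a command in a new mount namespace with its own tmpfs on /tmp.
# "--propagation private" keeps the mount from leaking back to the host,
# and the tmpfs is discarded when the last process in the namespace exits.
run_with_private_tmp() {
    unshare --mount --propagation private -- sh -c '
        mount -t tmpfs -o nosuid,nodev,mode=1777 tmpfs /tmp && exec "$@"' sh "$@"
}

# tmp_device FILE: print major:minor of the last tmpfs listed on /tmp in a
# mountinfo file (field 3 = device, field 5 = mount point, and the
# filesystem type follows the "-" separator).
tmp_device() {
    awk '$5 == "/tmp" {
             for (i = 7; i <= NF; i++)
                 if ($i == "-" && $(i + 1) == "tmpfs") dev = $3
         }
         END { if (dev != "") print dev }' "$1"
}

# tmp_is_private HOST PROC: succeed only if PROC has a tmpfs on /tmp whose
# device number appears nowhere in HOST, i.e. a tmpfs instance the host
# namespace cannot reach. A plain "mount -t tmpfs" fails this check.
tmp_is_private() {
    dev=$(tmp_device "$2")
    [ -n "$dev" ] || return 1
    ! awk -v d="$dev" '$3 == d { found = 1 } END { exit !found }' "$1"
}

# write_samples DIR: constructed mountinfo listings (not captured from a
# real system) for the host, a process sharing the host namespace, and a
# process started through run_with_private_tmp.
write_samples() {
    printf '%s\n' '21 1 8:1 / / rw,relatime shared:1 - ext4 /dev/sda1 rw' \
        '30 21 0:40 / /tmp rw,nosuid,nodev shared:5 - tmpfs tmpfs rw' > "$1/host"
    cp "$1/host" "$1/shared"
    printf '%s\n' '120 119 8:1 / / rw,relatime - ext4 /dev/sda1 rw' \
        '121 120 0:40 / /tmp rw,nosuid,nodev - tmpfs tmpfs rw' \
        '130 121 0:52 / /tmp rw,nosuid,nodev - tmpfs tmpfs rw' > "$1/private"
}

# Real use (as root):
#   cat /proc/self/mountinfo > host.txt
#   run_with_private_tmp cat /proc/self/mountinfo > proc.txt
#   tmp_is_private host.txt proc.txt && echo "private /tmp"
```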
  • (Score: 0) by Anonymous Coward on Tuesday January 10 2017, @03:01AM (#451843)

    Firejail can do that... and a lot more. Private tmp, private etc, private dev, private bin, private home, full tmpfs overlay that discards upon exit, blacklist some files only... read the man page. Or visit https://firejail.wordpress.com/ [wordpress.com]

    Add xpra or xephyr and you can get even things that were "impossible" (because only a handful of apps cared about Security X11 extension) and "required" the creation of a bunch of NIH software.