WiFi broadband access security?

Paul Gear paul at libertysys.com.au
Mon Apr 25 10:53:18 UTC 2011


On 24/04/11 22:02, Chris Robinson wrote:
> ...
> I have just ordered Kogan's Agora 12" laptop preloaded as it will be
> with 11.04.  It will be going on holiday with me to USA in August.

If you don't want the US TSA getting their grubby mitts on your laptop,
you will need to have it encrypted and powered off when you go through
their facilities.

http://www.schneier.com/blog/archives/2009/07/laptop_security.html
http://www.schneier.com/blog/archives/2008/03/tsas_ideal_lapt.html
http://www.schneier.com/essay-217.html

Disclaimer: i have no idea whether this makes it more likely for you to
get refused entry to the country.  Personally, i wouldn't take a laptop
with data i care about to another country without considerable
investigation into my rights and responsibilities in taking the laptop
through customs.  I would save myself the effort and just buy a small,
cheap laptop explicitly for the purpose.  Or more likely, buy one when i
get there, because it's cheaper.

> Considering the extensive WiFi access over there I am seeking some
> advice on what protection I will need?
>
> -------------------------------------------------------------------
> I've just been playing with Firestarter for it's DHCP server
> capability, but it also seems to be a very good firewall.

Obviously, firewalls are important.  Most publicly-accessible systems
are attacked by random malware on a daily/hourly/minutely basis.  I like
Shoreline Firewall (http://shorewall.net/).  It is an iptables frontend
that makes it easy for people who know what they are doing to get a
workable configuration.  It is ridiculously well-documented.  It may not
be a good match for you, depending on your skills.

> I think I'd also disable SSH while on insecure networks, and make sure
> that there's no other ports open.  Apart from SSH this is the default
> for Ubuntu/Linux.

I usually change the default port on ssh, and prohibit password-based
login.  The variables you want to change in /etc/ssh/sshd_config are:

    * Port ### (where ### is an unused port number less than 1024 - look
      for spares in the 700-900 range in /etc/services)
    * PermitRootLogin without-password
    * PasswordAuthentication no
    * UsePAM no

>
> Oh, and pick a really good password.

BTW, the definition of "really good password" is probably 20 characters
or greater.  Don't worry about complexity; don't worry about special
systems, just go for length:
http://news.electricalchemy.net/2009/10/password-cracking-in-cloud-part-5.html

> I revised my own security arrangements when I discovered from auth.log
> that "people" had been trying to log in via ssh as root.

The ssh changes i suggested mitigate this.  Note, however, that they
require you to have a public key created and usable (Google for
ssh-keygen to find out more).

Paul

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.ubuntu.com/archives/ubuntu-au/attachments/20110425/d1c93fc1/attachment.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: paul.vcf
Type: text/x-vcard
Size: 213 bytes
Desc: not available
URL: <https://lists.ubuntu.com/archives/ubuntu-au/attachments/20110425/d1c93fc1/attachment.vcf>


More information about the ubuntu-au mailing list