• Never turn off SELinux on your workstation. Your browser is actually running inside its own constrained SELinux domain, which means that even if attackers manage to escape the browser’s sandbox, they will have a hard time escaping the SELinux jail in order to gain a foothold on your system and install a keylogger.
• Use NoScript for Firefox or ScriptSafe for chrome/chromium. Only allow javascript and plugins on the sites you trust.
• Keep your workstation patched. Always apply critical security errata as soon as it is available.
• Require two-factor authentication on your workstation for sudo, or only do it by switching to a text console (Ctrl-Alt-F2) and logging in as root.
• When you need to use ssh, always execute it as /usr/bin/ssh. Don’t trust your $PATH.
• Do the same when you use “sudo” on your server. Always type “/usr/bin/sudo -i”.
• Require two-factor authentication when obtaining elevated privileges on all your infrastructure.
• Routinely review account activity logs on your servers. Software such as logwatch or epylog will help you detect anomalous logins.

#tsznft

add comment recommend bookmark subscribe