[ /security ]


Let's just jump right into it, shall we?

sudo apt-get install nmap # nmap is a port scanner (network map)   
ip addr # prints your ip addresses  
ping 192.168.0.[YourAddress] -c 10 # try to ping an address 10 times

The results will indicate the quality of your connection.
sudo nmap -p0-65535 # you have 65536 ports to scan (2^16), this might take a while...
you'll need to do things a little differently for IPV6

ping6 fc??:????:: -c 10 # your connection to yourself ought to be pretty good ;)  
sudo nmap -6 -p0-65535 fc??:????:: # nmap can scan any address you want to try. Whether or not you can reach an address is a different matter.

Usually you're behind some kind of NAT (Network Address Translator) like a home router. This is why everybody can have addresses in the range of 192.168.0.??? without overlapping. It's the same reason we can all say ME and refer to ourselves. The router probably has all its ports closed. this means most computers can afford to have them open, and still be safe. We generally assume that we don't have to worry about the security of our own network, but if you use public wifi then you are visible to anyone else on that network.
IPV4's address space consists of 4 numbers between 0 and 255, so 256^4. That's 4294967296 possible addresses. We use NAT because we started to run out of space. IPV6 is a MASSIVE address space protocol designed to account for all the addresses we could possibly need for the foreseeable future.
64 digits of hexadecimal. Ponder that. How many?
Since there's so many, we can come out from behind our NAT, but if we were relying on it for security, we may have services exposed, like network filesharing.
On linux, if you've ever ssh'd (secure shell'd (remote login)) into your computer, you might have an sshd (daemon (independant process)) running. If someone can guess your password, they can get in (NOT GOOD).
for one, you want to have a good password. consider changing it as often as you can remember it.

Even better, you can set it such that only those with the appropriate certificate can connect

a@A:~> ssh-keygen -t rsa    
Generating public/private rsa key pair.   
Enter file in which to save the key (/home/a/.ssh/id_rsa):  
Created directory '/home/a/.ssh'.   
Enter passphrase (empty for no passphrase):   
Enter same passphrase again:  
Your identification has been saved in /home/a/.ssh/id_rsa.  
Your public key has been saved in /home/a/.ssh/id_rsa.pub.  
The key fingerprint is:   
3e:4f:05:79:3a:9f:96:7c:3b:ad:e9:58:37:bc:37:e4 a@A

Now use ssh to create a directory ~/.ssh as user b on B. (The directory may already exist, which is fine):

a@A:~> ssh b@B mkdir -p .ssh    
b@B's password:

Finally append a's new public key to b@B:.ssh/authorized_keys and enter b's password one last time:

a@A:~> cat .ssh/id_rsa.pub | ssh b@B 'cat >> .ssh/authorized_keys'  
b@B's password:

From now on you can log into B as b from A as a without password:
a@A:~> ssh b@BHostname


or better still (if you have no need of signing in remotely) you can disable your sshd, or set it to only listen on IPV4
22 is the default port for ssh. using a non-standard port doesn't do much to protect you, but it's an option
you probably want to disable your rpcbind server
apt-get --purge remove nfs-kernel-server nfs-common portmap rpcbind Setting /etc/ssh/sshd_config to have these lines will make you pretty safe.

#Port 22222   
#AddressFamily any    
ListenAddress #listen on IPV4, if you're behind a router with closed ports, and your network is secure, then you should be safe.  
PasswordAuthentication no # if you set your config like this, you will not be able to sign in with a password. Only computers with a valid RSA key will be able to connect.   
# ListenAddress :: #this would otherwise cause your sshd to listen on all ipv6 addresses   
# yet another option is to launch a second cjdroute process using a different config, and to bind only to that address.   
# cjdns is pretty handy for setting up your own private WAN # expect a post on that soon ;)
sudo gedit /etc/ssh/ssh_config
Once you have the file open scroll all the way to the bottom and enter the following line on the last row.
ServerAliveInterval 60

sudo nano /etc/ssh/sshd_config
ClientAliveInterval 60
Now scroll to the bottom of the file, in Nano or whatever editor you picked for this task, and add the following line:

 ListenAddress  #This should be your eth0 IP.
 /etc/init.d/ssh restart