Much as I like wireless, I prefer the speed and security that cables provide. Wireless doesn't live up to its advertised data rates and suffers from interference from wireless phones, microwaves, and other wireless routers. I also prefer to avoid people hacking my router, using my bandwidth or conducting illicit activities on my service. To make cabled networking easy, I installed laptop-net which detects whether a network cable is plugged in and turns networking on or off and grabs an address via DHCP as required.
Locking the Gate
While portability is convenient, it's also a risk. If your system has a power-on password in its BIOS, activate it and set it to something you'll remember but which is not easy to guess. My T20 requires the power-on password when I first boot the machine or whenever I lift the lid to resume from sleep. Never use dictionary words for passwords; consider using letters from a sentence and including numbers and capitals. For instance, "I really think that passwords are stupid for me" could translate into "Irttpas4m", which is more effective than your cat's name. You may also be able to set passwords to prevent others from changing your BIOS settings and to lock the hard drive. Remember that if someone can change your BIOS to boot off your CD-ROM, floppy or USB port, they can run Knoppix, become root, and access your system. Note that systems with hardware passwords may become permanently unusable if you forget the passwords.
Ensure that your Linux passwords are just as secure and lock down access to your root account. The root account can access or delete anything, and typically you don't want root to be able to log in directly. Instead, you want a regular user to log in with their own password and, if permitted, become root by using su and entering the root password, or by using sudo to access a safe subset of root's commands. You can prevent root login on the consoles by editing or removing /etc/securetty and, if you use a graphical greeter like gdm, by editing its configuration file at /etc/gdm/gdm.conf to disable root login.
NOTE: Do NOT disable all root logins before you have ensured that a regular user account can use su to gain root privileges. Gentoo, for instance, requires a user to be added to the wheel group before that user can become root.
You should now secure your networking. To allow secure connections to and from your notebook, install ssh. Run ssh-keygen -t rsa for each user and edit /etc/ssh/sshd_config to prevent root login to your system. Everyone will then have to log in as a regular user and use su or sudo to get superuser status. Remove non-secure networking programs like telnet from your system, as well as the servers for telnet, ftp, etc.
Close the doors on your system by editing /etc/hosts.deny to say ALL:ALL. Next, create exceptions in /etc/hosts.allow such as sshd: 192.168.1.100 which would allow the machine at that IP address to ssh into your system. Add the specific service names and network addresses you require such as the numbers on your LAN.
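An added check for the two settings just described (it is not from the article); it assumes the sshd_config directive in question is PermitRootLogin and uses constructed copies of sshd_config and hosts.deny so it runs offline:

```shell
# Live use: sshd_effective PermitRootLogin < /etc/ssh/sshd_config
#           denies_all < /etc/hosts.deny

# sshd honours the FIRST uncommented occurrence of a keyword and ignores later
# duplicates, so appending "PermitRootLogin no" below an existing
# "PermitRootLogin yes" changes nothing. Keywords are case-insensitive. Only the
# global section is read: a "Match" line starts conditional settings, so stop there.
sshd_effective() {
    awk -v key="$1" '
        /^[[:space:]]*#/ || NF == 0 { next }         # skip comments and blank lines
        tolower($1) == "match"      { exit }         # end of the global section
        tolower($1) == tolower(key) { print $2; exit }
    '
}

# TCP wrappers default-deny: hosts.deny needs a catch-all "ALL: ALL" line
# (spacing around the colon varies; an option field may follow).
denies_all() {
    grep -Eiq '^[[:space:]]*ALL[[:space:]]*:[[:space:]]*ALL([[:space:]:]|$)'
}

# Constructed sshd_config where the fix was appended at the end and is ignored.
SSHD_BROKEN='Port 22
PermitRootLogin yes
PasswordAuthentication yes
# appended later, but the first occurrence above still wins:
PermitRootLogin no'

# Constructed sshd_config where the original line itself was changed.
SSHD_FIXED='Port 22
PermitRootLogin no
PasswordAuthentication yes'

# Constructed hosts.deny files: one empty (the usual default), one closed.
DENY_OPEN='# /etc/hosts.deny: nothing denied'
DENY_CLOSED='# /etc/hosts.deny
ALL: ALL'

printf 'broken config: root login = %s\n' "$(printf '%s\n' "$SSHD_BROKEN" | sshd_effective PermitRootLogin)"
printf 'fixed config:  root login = %s\n' "$(printf '%s\n' "$SSHD_FIXED" | sshd_effective PermitRootLogin)"
printf '%s\n' "$DENY_CLOSED" | denies_all && echo 'hosts.deny closes everything by default'
```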
Change configurations on services you run locally that you don't want accessible over the network. For instance, portmap is used by fam to keep graphical file managers like Gnome's nautilus updated but it uses services that can be abused. You can edit /etc/default/portmap and a similar file for the CUPS printer service at /etc/cups/cupsd.conf to listen only to your system at 127.0.0.1.
Install firestarter, a firewall with a simple graphical interface. Firestarter defaults to allowing all outbound traffic and blocking all inbound traffic. You can allow inbound requests on the events tab as they happen or set policies by hand. Firestarter runs in the background, so you should only use the memory-hungry interface when you want to monitor it. Note that if you have re-routed system logs to tty8 as described above, you will not be able to use the events tab of Firestarter. You can always re-enable logs temporarily and restart the kernel log daemon with /etc/init.d/klogd restart.
Testing the Locks
Test your system to see what networking ports are left open. Install nmap and run it against 127.0.0.1. My system shows rpcbind (for portmap and fam), ipp (the printer service), ssh (the secure shell service) and dictd (the dictionary service that powers my Gnome dictionary applet). You can disable services you don't need as discussed above, and you can check port numbers at http://www.iana.org/assignments/port-numbers. Unknown port numbers sometimes relate to weather or other applets in your desktop environment. You can check by disabling them and running nmap again.
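A scan of 127.0.0.1 reports a port as open even when the service is bound only to the loopback address, so it cannot tell you whether the portmap and CUPS changes above actually took effect. This added helper (not from the article) reads netstat -tuln style output and lists only the sockets bound to a wildcard address, i.e. the ones reachable from the network; the sample output is constructed:

```shell
# Live use: netstat -tuln | exposed_listeners

# Prints "proto port" for each listening socket whose local address is a
# wildcard (0.0.0.0 for IPv4, :: for IPv6). Sockets on 127.0.0.1 or ::1 are
# local-only and are not printed.
exposed_listeners() {
    awk '
        $1 ~ /^(tcp|udp)6?$/ {
            addr = $4
            sub(/:[0-9]+$/, "", addr)      # "0.0.0.0:111" -> "0.0.0.0", ":::22" -> "::"
            match($4, /[0-9]+$/)
            port = substr($4, RSTART)
            if (addr == "0.0.0.0" || addr == "::" || addr == "*") print $1, port
        }'
}

# Constructed netstat -tuln output: portmap (111) still on every interface,
# CUPS (631) and dictd (2628) correctly loopback-only, sshd deliberately
# reachable over IPv4 and IPv6.
SAMPLE_NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp6       0      0 :::22                   :::*                    LISTEN
tcp        0      0 127.0.0.1:2628          0.0.0.0:*               LISTEN
udp        0      0 0.0.0.0:111             0.0.0.0:*'

# Expected: tcp 111, tcp 22, tcp6 22, udp 111 (one per line); 631 and 2628 are absent.
printf '%s\n' "$SAMPLE_NETSTAT" | exposed_listeners
```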
You can test more thoroughly by installing nessus and the nessusd daemon and conducting an audit of your system, particularly if you are comfortable enough with crashing your system that you disable the "safe checks" scan option. You may need to edit /etc/hosts.allow to include nessusd: 127.0.0.1. You will need to run nessus-adduser to create an account and then nessusd, which is a server that will attack the system you specify. Finally, you run nessus to configure an attack and review its results to tighten your security. You should only target your own system for testing purposes, such as 127.0.0.1 if you want your notebook to attack itself.
Conveniences
Some notebooks come with extra buttons on their keyboards. The thinkpad button package (tpb) allows Thinkpads to use these extra buttons. Tpb interfaces with the nvram kernel module, which you need to add to /etc/modules. If you install xosd, operating the extra buttons (for instance, volume up and down) will display the result on a Thinkpad screen. You can configure tpb in /etc/tpbrc. To find out what colors and fonts you can use in xosd, run the xcolors and xfontsel programs. I prefer the SpringGreen color and the clean font. You will need to add each user to the nvram group and add a script to start tpb. I added an executable script to Debian's default runlevel /etc/rc2.d which calls /usr/bin/tpb. Adding tpb to your desktop environment startup instead results in a new instance of tpb loading with each login.
Real Freedom
Now that you have an efficient notebook, you can buy an external battery and work at a picnic table by a river all day. Just adjust your /etc/laptop-mode/laptop-mode.conf to run power saving while something's connected to the AC port.
Note
I've upgraded to a Thinkpad T23 (refurbished) with the same set-up and my wife now uses the T20.
If you would like to see your thoughts or experiences with technology published, please consider writing an article for OSNews.