Data Preservation
- Check your backups periodically. Can you read the files ?
Backups
- Have you added anything recently that is not being backed up ?
New computer or phone or disk drive ?
Online Security
Go through your password manager and see if you're re-using passwords across multiple accounts, or should add 2FA to any accounts. Maybe 2FA is newly supported on some account that didn't have it before.
If you have a PIN on your phone account, to prevent SIM-swapping, call your provider again and try to make a change, and see if they actually do ask for the PIN.
Check that auto-updating is working for your operating system, browsers, anti-virus, VPN. Are you using just about the newest version of each ? Check that updates have not changed privacy settings back to defaults.
If your Android phone is old and not getting updated any more, consider buying a new phone, or flashing a custom ROM (not easy; see Android Custom ROMs section of my Android page).
Is your ISP updating your router's firmware ? You may have to write down the current version and check every 6 months or so.
For each of your simpler devices (TV, IP camera, printer), do some internet searches for "exploit/vulnerability/hack/problem MANUFACTURERNAME model NNN".
Virus / Malware
When was the last time you ran an anti-virus scan ?
See my Anti-Malware page
Accounts
- Keep account security info up-to-date. Has your phone number or email address
or postal address changed ? Update your accounts, so if there's some
challenge or alert you can deal with it.
- Check the activity in your credit card and bank accounts every week or two.
- Log in to each important account (financial, email, cloud) at least once a year.
If a bank or stock account gets labeled as "abandoned",
the contents may be liquidated and held by the state (called "escheat") until you claim them.
- Check your credit record annually
(free; AnnualCreditReport.com),
or use a credit-monitoring service.
- Do a Google search on your email address and see what appears.
- Use an "email address involved in breach ?" monitoring service.
Have i been pwned?'s "Notify me"
Firefox Monitor (up to 15 addresses for free)
HackNotice
SpyCloud (1 address free)
DeHashed (access to details costs $2.50 for 1 week).
Identity Leak Checker
Martin Brinkmann's "Check all KeePass passwords against the Have I Been Pwned database locally"
But: Janek Bevendorff's "The Pwned buzz and why you really don't need this database"
- Use an "any email address on my domain involved in breach ?" monitoring service.
Have i been pwned? (free)
SpyCloud
- Check the profile information stored in each of your online accounts. Remove "dead" credit-card info and
phone numbers, make sure recovery information is current.
- Check and maybe delete the accumulated personal information stored in each of your major accounts:
Facebook's "Off-Facebook Activity"
Google activity (more)
YouTube (generally done through Google)
Apple (Apple's "Data and Privacy")
Amazon (Amazon's "Manage Your Content and Devices", Alexa privacy settings)
Microsoft Privacy Dashboard History page (Windows 10 activity history)
eBay (login, go to My eBay, and then the Activity and Account tabs)
Any email provider not covered already, such as Yahoo.
See more in the Privacy Controls section of my Computer Security and Privacy page.
- I think you should not delete all the posts and comments you made on social sites such
as Facebook, reddit, Twitter, etc. You would be damaging the work of people who answered your
questions or started a conversation with someone else under your post. You shouldn't be posting
private info in the first place. Don't delete or damage info useful to others who have the same questions.
If you wish, delete your account and create a new account.
- Non-technical: annually, inventory everything in your wallet/purse/phone. Dispose of anything you
don't need, and plan for what to do if wallet/purse/phone is stolen or lost.
- Non-technical: have you just lost track of any accounts ?
Mike Winters' "How to Find Your Lost 401(k)"
Check your status in a bank-account-monitoring service:
ChexSystems' "Consumer Disclosure"
LexisNexis' "Accurint Individual Access Program"
[I requested my LexisNexis report. 42 pages, much of it repetitive. It showed 2/3 of the addresses I've lived at, and one address that was wrong. A boat that I had owned, but none of the cars I owned. None of my bank accounts or my credit card. Nothing about school or employment history.]
[Sent an opt-out request to LexisNexis, and got a response (paraphrased): "Your request is approved and in process. Note that your info will remain in the following services: restricted public records products available to commercial and govt entities that meet credential requirements and are used to detect and prevent fraud, enforce transactions, perform due diligence and other critical business and govt functions; products regulated by the Fair Credit Reporting Act, third-party data available through real-time gateways; news; legal documents."]
Network and Device Security
Test browser and your computer's network configuration
- Know what your local network looks like (what devices are on it), so you can notice any changes.
What is your public IP address, with and without VPN ?
ipinfo.io
- Use testing sites such as:
- Large multi-test sites:
Device Info
BrowserLeaks.com
IPleak.com (and click "IP leak Report" button at bottom)
IPleak.net
- Test for information revealed:
Intel Techniques logger
permission.site (click buttons, get green if allowed)
Tenta's "Browser Privacy Test"
Mr. Whoer
Cloudflare header list
- Test connectivity:
Cloudflare's "Browsing Experience Security Check" (ESNI/ECH)
Test your IPv6 connectivity
- Test for unique information revealed (fingerprint):
WebBrowserTools' "Detect Canvas Fingerprint"
External Protocol Flooding Vulnerability
- Test for IP address leak:
WhatLeaks
Safer.com
Do I Leak ?
Perfect Privacy's "Check IP"
Surfshark's WebRTC leak test
TorrentPrivacy
- Test for IP address DNS leak:
DNS leak test
Browserleaks DNS leak test
Anonymster's "VPN Free DNS Leak Test & DNS Leak Protection"
After verifying that right DNS is being used, also verify route to that DNS:
pcWRT's "Why DNS leak tests might fool you"
On Linux, finding DNS setting may not be easy. Try "cat /etc/resolv.conf", "resolvectl status".
- Test for first-party cookies isolated:
[ Same-origin policy: Sites A and B set cookies, they shouldn't see each other's cookies.]
["First-Party Isolation (FPI) isolates everything (including third-party cookies) to first-party site"]
Frederik Braun / mozfreddyb test
- Test for third-party cookies allowed:
[Site A has code from site F, code from F can set a cookie.]
BrowserLeaks.com / Social Media Login Detection
GRC's "Web Browser Cookie Forensics"
Whatismybrowser.com's "Are Third-Party Cookies enabled?"
- Test for third-party cookies isolated:
[Sites A and B have code from site F, code F on site A can't see cookie set by code F on site B.]
SameSite Cookies Tester (automatic mode never works for me)
- Misc:
WebSockets test
Mike Gualtieri's "CSS Exfil Vulnerability Tester"
How to test for UDP leaks ? In Linux, you can do UDP requests via:
    apt install sendip
    ip -f inet addr | grep 192    # to get LAN IP address, to use in next cmd:
    sudo sendip -v -d "Hello" -p ipv4 -p udp -is 192.168.1.81 -us 5070 -ud 80 doileak.com
    # but I doubt that site would respond, and nothing would be listening for the response
    # or:
    echo -n "foo" | nc -v4u -p 5000 doileak.com 80
    # (original line was "nc -v4ukl -p 5000 ...": -k and -l turn nc into a listener,
    # so "-p 5000" gave a syntax error and "kl" gave "Cannot assign requested address";
    # dropping -kl makes it a plain UDP send from source port 5000)
    # or:
    apt install socat
    echo "HELLO" | socat - UDP-DATAGRAM:doileak.com:80
But where can you send a UDP packet that will return your public IP address ? And where will the return packet go to ?
- Test connectivity and routes:
    ping DEST
    traceroute -A DEST
    mtr -b DEST
    # DEST can be an IP address or a domain name, and they
    # are different: domain name can fail if DNS is bad.
- Have a friend, or another machine inside your network, try to crack your passwords or break into your main machine.
- Test how good your firewall is.
Fortinet's "Test Your Metal" (browser fetches bad files from server, see if firewall or AV etc stops it)
- Email Privacy Tester (see if your email reader is vulnerable
to an email that contains hidden images etc)
- Tori Reid's "Create a USB Password Stealer to See How Secure Your Info Really Is"
- Pay a company to test your privacy and security.
- Probably not a good idea: Try phishing your family and friends, to see who bites, and then educate them ?
InfoSec Institute's "Top 9 Free Phishing Simulators"
Gophish
- Better idea: you try my quiz about phishing emails to home users, then encourage family and friends to try it:
Go to Phishing Test page 1 of 6
See "Security Testing" section of my "Linux Controls" page
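The UDP-leak question above (where to send a datagram that comes back with your public address) can be answered by running your own reflector on a machine you control on the public internet, the same kind of machine the WAN-side testing section below suggests. This is an added example, not code from the page: a minimal UDP reflector plus a client that asks it which source address it saw; the host and port are assumptions, and the local demonstration runs both ends on localhost.

```python
"""UDP address reflector and leak check (added example; not from the page).

Run start_reflector() on a host you control on the public internet, then call
reflected_address() from home: once with the VPN off (records your ISP address)
and once with it on.  Hostname and port are assumptions, not values from the page.
"""
import socket
import threading


def serve_once(sock: socket.socket) -> None:
    """Answer one datagram with the source ip:port the server actually saw."""
    _payload, addr = sock.recvfrom(512)
    sock.sendto(f"{addr[0]}:{addr[1]}".encode(), addr)


def start_reflector(bind_host: str = "0.0.0.0", port: int = 0):
    """Bind a UDP socket and serve on a background thread.

    Returns (bound_port, stop_event); port 0 lets the OS pick a free port.
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((bind_host, port))
    sock.settimeout(0.5)            # wake up periodically to honour stop_event
    stop = threading.Event()

    def loop() -> None:
        while not stop.is_set():
            try:
                serve_once(sock)
            except socket.timeout:
                continue
        sock.close()

    threading.Thread(target=loop, daemon=True).start()
    return sock.getsockname()[1], stop


def reflected_address(host: str, port: int, timeout: float = 2.0):
    """Send one datagram to the reflector; return (ip, port) it saw, or None."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(b"whoami", (host, port))
        try:
            reply, _ = s.recvfrom(512)
        except socket.timeout:
            return None                 # UDP blocked, or reflector not running
    ip, _, src_port = reply.decode().rpartition(":")
    return ip, int(src_port)


def classify(reflected_ip, isp_ip: str, vpn_on: bool) -> str:
    """Interpret one measurement against the ISP address recorded with VPN off."""
    if reflected_ip is None:
        return "no reply: UDP blocked or reflector unreachable"
    if not vpn_on:
        return "baseline: ISP address recorded"
    if reflected_ip == isp_ip:
        return "LEAK: UDP leaves via the ISP address despite the VPN"
    return "ok: UDP leaves via the VPN exit address"


if __name__ == "__main__":
    # Local demonstration: both ends on this machine, so the reflector sees 127.0.0.1.
    port, stop = start_reflector("127.0.0.1")
    print(reflected_address("127.0.0.1", port))
    stop.set()
```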
How to tell if you've been hacked
In general, look for changes or suspicious activity (past and present) in your devices, your network, your online accounts, and your offline accounts. A lot of work. And it's more likely to be some software bug or network hiccup than to be a hacker.
Have you received any strange messages about password resets or new accounts created ? Are you unable to do a password reset, or to get emails or SMSs from some site ? Also think back: have you done anything risky or unusual recently ?
Look first for simple mistakes. Is the password-reset email ending up in the Spam folder ? Did you misspell your email address or give the wrong phone number to a site ?
Check email accounts carefully. Are you able to log in ? Has anyone added blocking or filtering or forwarding rules, or a new alias, or a new folder ? What is in the Sent, Spam, Trash folders ? Do you have 2FA enabled ? Do you use the same password anywhere else ?
Look at login/access histories on your machines and accounts. Some sites have a "logout all devices that are logged in right now" button.
Check the lists of apps installed on your computer or phone. Check the lists of third-party apps with access to your online (Facebook, email) accounts. Check the lists of add-ons in your browsers. Any that you weren't aware of ?
Sometimes, the damage will be obvious: most files deleted, or files encrypted and names changed to something like "filename.lock" and you get a ransomware note.
WikiHow's "How to Know if You've Been Hacked"
Adam Levin's "How To Tell If You've Been Hacked (And What To Do About It)"
Pixel Privacy's "How to Tell If You Have Been Hacked"
Cale Hunt's "How to tell if your PC has been hacked"
Roger A. Grimes's "15 signs you've been hacked"
TechIncidents' "Penetration Testing Cheat Sheet For Windows Machine - Intrusion Detection"
SANS Institute's "SCORE Security Checklist" (PDF)
meirwah's "awesome-incident-response"
How-To Geek's "How to See What Web Sites Your Computer is Secretly Connecting To"
General tools for analyzing what's happening in Windows:
Microsoft's "Windows Sysinternals"
Sandro Villinger's "5 ways to see what's going on in your Windows server system right now"
Mark Russinovich's "TCPView"
For Linux, see "Monitor what's happening in your system" section of my "Using Linux" page
Micah Lee's "It's Impossible to Prove Your Laptop Hasn't Been Hacked. I Spent Two Years Finding Out."
If ransomware, ID Ransomware
What to do if you've been hacked
What was hacked and how was it hacked ? This is key. If hacked through password re-use, that tells you one set of things to do (password manager, change passwords, enable 2FA on key accounts). If it was a SIM-swap (phone number stolen), that says do another set of things (check other accounts with that number, maybe change number, put PIN on the support account at your phone-provider). Through malware on your device, that says do another set of things (scans, install anti-virus, check that software is updated, maybe re-install whole system, stop downloading dodgy stuff).
If the damage to your system is clear and not really targeted, maybe just cleaning (with malware remover and AV) and scanning is good enough. If damage is extensive, probably factory-reset and re-install the whole system. If you were targeted by someone sophisticated or determined, maybe sell the system and buy a complete new one.
Leo Notenboom's "Email Hacked? 7 Things You Need to Do NOW"
Leo Notenboom's "Facebook Hacked? What You Need to Do NOW"
If ransomware, isolate the machine and do backups before trying any decryptors; some supposed decryptors are malicious.
Port scanning and router testing:
First, deliberately create a suspicious situation:
To deliberately create an open port on your computer (to see if your testing catches it), on Linux run "netcat -4 -k -l -v PORTNUM" (IPv4 TCP) or "netcat -6 -k -l -u -v PORTNUM" (IPv6 UDP) or similar. Use port number 22 (SSH) or 80 (HTTP) if it should be closed in your system; that open port should be caught by any tester.
You could log into the administration page of your router and temporarily enable something bad, such as PnP. Just don't forget to turn it off again later.
Testing network (mainly router) from WAN side:
Usually you run a browser on your machine, access one of these web sites, and then the site server tries to get into your home network using your IP address.
Turn off your VPN to use these.
- GRC's "ShieldsUP!"
- IPFingerPrints' "Network Port Checker & Scanner Tool"
- Hacker Target's "Online Firewall Test for Work or Home"
- Fortinet's "Test Your Metal" (browser fetches bad files from server, see if firewall or AV etc stops it)
- Router Security's "Test Your Router" (lots of links to sites and services)
- Is My Port Open?
- SpeedGuide
- SpeedGuide UPnP
- Is your router's administration UI accessible from the public internet ?
It shouldn't be; only a LAN address such as 192.168.0.1/login
should work (VPN probably has to be off).
But when I used Doileak.com to get my network's public IP address, then accessed MYPUBLICIPADDRESS/login, I got my router's login page.
To make sure my router wasn't fooling me, I asked a couple of friends to access MYPUBLICIPADDRESS/login from their networks. Both of them got "unreachable". So I think my router WAS fooling me.
Also, you could set up a machine somewhere on the public internet to test your network (mainly, router) from the WAN side.
From StackExchange's "Best way to test my home network from the outside":
I run scans on my home IP from a Linode account [virtual Linux box on a cloud service]. Any VPS that doesn't filter your outbound traffic should work (just make sure it doesn't violate your TOS).
First run a full scan against your home IP address. Expect to find only the ports you know you have explicitly opened open. Expect everything else to be "filtered".
Then verify that it is your home router that is performing the filtering and not your ISP. To do this, open a port on your router and rerun the scan. Expect that the port you have opened is detected as open by your scanner. If you find that you still see this port as filtered, then your ISP may be blocking that port. If so, this isn't necessarily a problem, but it means that the previous test didn't test your router, it tested the network connection to your router. Don't forget to disable the port when you're done.
If you want to test your router in isolation, and your router isn't built in to the modem, then you can test it as follows:
- Disconnect the router from your modem. (Where "modem" is whatever device connects from your LAN to your ISP's network.)
- Connect a second computer to the WAN port on the router. Configure this computer with a static IP address that
is independent of the LAN addresses used by your router.
- You may need to turn on a DHCP server on the second computer so that the router's WAN interface gets an IP address as usual.
- Perform the scans described above from the second computer.
Testing router from inside (LAN side):
You run a browser or other app on your machine, and try to access ports on the LAN side of your router, from across the LAN.
Assuming router's LAN IP address is 192.168.0.1:
These should give 404 or nothing or "unable to connect" or login page:
192.168.0.1/HNAP1
192.168.0.1/cgi-in/config.exp
192.168.0.1/cgi-bin/export_debug_msg.exp
192.168.0.1/cgi/cgi_status.js
192.168.0.1/BRS_netgear_success.html
192.168.0.1//cgi-bin/;echo$IFS'Vulnerable'
192.168.0.1:32764 (backdoor on some routers)
192.168.0.1:19541
192.168.0.1:8080
192.168.0.1:8443
192.168.0.1:7547 (TR-069 or CPE WAN Management Protocol (CWMP))
192.168.0.1:23 (Telnet)
192.168.0.1:2323 (Telnet)
192.168.0.1:80 (HTTP)
192.168.0.1:443 (HTTP)
192.168.0.1:443 (HTTPS)
If you have nmap:
    nmap -F 192.168.0.1

    # increase verbosity level, aggressive scan, no ping / skip discovery,
    # open ports, show reason it's open, probe for service version info,
    # use default script, do all ports, address 192.168.0.1
    nmap -v -A -Pn --open --reason -sV -sC -p 1-65535 192.168.0.1

    # increase verbosity level, no ping / skip discovery,
    # open ports, UDP scan, max delay 50ms between probes,
    # no retries, do all ports, address 192.168.0.1
    sudo nmap -v -Pn --open -sU --max-scan-delay 50ms --max-retries 0 -p 1-65535 192.168.0.1
If TCP port 139 (netbios-ssn) is open outbound, that is to allow "NetBIOS services on MS hosts". Probably best to turn it off, unless you're sure you need it.
If TCP port 445 (microsoft-ds) is open outbound, that is to allow "direct TCP/IP MS Networking access without the need for a NetBIOS layer". Probably best to turn it off, unless you're sure you need it.
Port 1900 is PnP; that should not be open.
Android app: "UPnP Tool" by TJ App.
If TCP port 5060 (SIP) is open outbound, probably that is to allow VoIP or video-conferencing, such as Zoom. Probably okay in the outbound direction ?
For other open ports, do internet searches to find out what they're used for.
Depending on open ports, you could try:
    ftp -v 192.168.0.1
    ssh -v admin@192.168.0.1
    ssh -v root@192.168.0.1
    ssh -v Root@192.168.0.1
    telnet 192.168.0.1
If test from LAN side gives suspicious results, go to previous section and investigate from WAN side.
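To turn the port notes above into a repeatable check on a PC (and to confirm that the deliberate netcat listener from the port-scanning section gets caught), here is an added example that is not from the page: it parses "ss -tulnp" output, skips loopback-only binds, and attaches the advice given above for the ports this page discusses. The ss lines inside it are a constructed sample.

```python
"""Audit of listening sockets against the port notes above (added example; not from the page).

Feed it the output of "ss -tulnp".  Services bound to non-loopback addresses are reported,
with the page's advice for the ports it discusses and "look it up" for anything else.
"""
import re

# Advice condensed from the notes above (139/445, 1900, 5060, the router port list, printer ports).
PORT_NOTES = {
    22:    ("ssh",          "SSH; should be closed unless you use it"),
    23:    ("telnet",       "Telnet; listed above as a port that should not answer"),
    2323:  ("telnet",       "alternate Telnet port; should not answer"),
    80:    ("http",         "HTTP admin UI is expected on a router or printer; on a PC, ask why"),
    139:   ("netbios-ssn",  "NetBIOS on MS hosts; turn off unless you're sure you need it"),
    443:   ("https",        "HTTPS admin UI is expected on a router; on a PC, ask why"),
    445:   ("microsoft-ds", "direct MS Networking; turn off unless you're sure you need it"),
    515:   ("printer",      "normal on a printer's LAN side; must not be exposed on the WAN side"),
    631:   ("ipp",          "normal on a printer's LAN side; must not be exposed on the WAN side"),
    1900:  ("upnp",         "PnP/UPnP; should not be open"),
    5060:  ("sip",          "VoIP / video-conferencing; probably okay"),
    7547:  ("cwmp",         "TR-069 / CWMP; listed above as a port that should not answer"),
    9100:  ("jetdirect",    "normal on a printer's LAN side; must not be exposed on the WAN side"),
    32764: ("backdoor",     "backdoor on some routers; should not answer"),
}
UNKNOWN = ("unknown", "do internet searches to find out what this port is used for")

# Constructed sample of "ss -tulnp" output; the nc line is the deliberate test listener.
SAMPLE_SS = """\
Netid State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
udp   UNCONN 0      0      0.0.0.0:1900        0.0.0.0:*         users:(("minissdpd",pid=910,fd=5))
udp   UNCONN 0      0      127.0.0.53%lo:53    0.0.0.0:*         users:(("systemd-resolve",pid=600,fd=12))
tcp   LISTEN 0      128    0.0.0.0:22          0.0.0.0:*         users:(("sshd",pid=700,fd=3))
tcp   LISTEN 0      128    127.0.0.1:631       0.0.0.0:*         users:(("cupsd",pid=800,fd=7))
tcp   LISTEN 0      50     *:445               *:*               users:(("smbd",pid=950,fd=40))
tcp   LISTEN 0      1      0.0.0.0:80          0.0.0.0:*         users:(("nc",pid=1300,fd=3))
tcp   LISTEN 0      4096   [::]:5060           [::]:*            users:(("linphone",pid=1200,fd=9))
"""


def is_loopback(addr: str) -> bool:
    """True for binds only reachable from this machine (127.x, ::1, with or without %iface)."""
    return addr.startswith(("127.", "[::1]", "::1"))


def parse_ss(text: str):
    """Parse ss -tulnp lines into dicts with proto, addr, port and process name."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[0] not in ("tcp", "udp"):
            continue                                   # header or unexpected line
        addr, _, port = parts[4].rpartition(":")       # handles "*:445" and "[::]:5060"
        m = re.search(r'\("([^"]+)"', line)            # first name in users:(("name",pid=..))
        rows.append({"proto": parts[0], "addr": addr, "port": int(port),
                     "process": m.group(1) if m else "?"})
    return rows


def audit(text: str):
    """Return findings for sockets reachable from the LAN, i.e. non-loopback binds."""
    findings = []
    for row in parse_ss(text):
        if is_loopback(row["addr"]):
            continue
        service, advice = PORT_NOTES.get(row["port"], UNKNOWN)
        findings.append({**row, "service": service, "advice": advice})
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_SS):
        print(f"{f['proto']} {f['addr']}:{f['port']} ({f['service']}, {f['process']}): {f['advice']}")
```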
Testing IPv6 from LAN side
Your PC's IPv6 localhost address: [::1]
Same address written fully: [0000:0000:0000:0000:0000:0000:0000:0001]
Real IPv6 address on public internet: [2600::] (Sprint)
There is no standard IPv6 LAN address for the router, equivalent to 192.168.0.1 in IPv4. IPv6 addresses on your LAN are used on the WAN too, so your router's IPv6 address has to be assigned by your ISP.
IPv6 addresses starting with FC00 or FD00 are LAN-only.
Depending on your /etc/hosts file, IPv6 names may include: ip6-localhost, ip6-loopback, ip6-allnodes, ip6-allrouters, or similar starting with "ipv6-" instead of "ip6-". Try "ping6" or "ping -6" to them.
If you have nmap:
    # not sure these are right, I have IPv6 disabled so I can't test them !

    # IPv6, increase verbosity level, aggressive scan, no ping / skip discovery,
    # open ports, show reason it's open, no DNS resolution, probe for service version info,
    # use default script, do all ports, address ::1
    nmap -6 -v -A -Pn --open --reason -n -sV -sC -p 1-65535 ::1

    # IPv6, increase verbosity level, no ping / skip discovery,
    # open ports, UDP scan, max delay 50ms between probes,
    # no retries, no DNS resolution, do all ports, address ::1
    sudo nmap -6 -v -Pn --open -sU --max-scan-delay 50ms --max-retries 0 -n -p 1-65535 ::1
Android apps to test network (clients and router) from LAN side:
You run one of these apps on your smartphone, and use it to scan your LAN for vulnerable machines or open ports.
- Fing
- Network Analyzer
- Network Scanner from First Row
- PingTools Network Utilities
- Priya James's "Converting Your Android Smartphone into Penetration Testing Device" (root the phone and use NMAP, Bettercap, Setoolkit)
- Vamsi Krishna's "5 of the Best Hacking Apps on Android"
- dSploit (InfoSec Institute's "Transforming your Android Phone into a Network Pentesting Device") (free trial)
PC applications to test network (clients and router) from LAN side:
You run one of these apps on your PC, and use it to scan your LAN for vulnerable machines or open ports.
- OpenVAS
(article1,
article2)
But I tried to install OpenVAS 9 on my normal Mint desktop and failed; see OpenVAS section of Bug-Bounty page.
- Nmap (but definitely start with the Zenmap GUI front-end for it).
Hacker Target's "Nmap Tutorial"
Unixmen's "Scan Your Home Network With Nmap"
You could do a scan with nmap every month or two, save the results, use ndiff to compare them to see if anything has changed.
- netdiscover (Linux).
Let "sudo netdiscover" run for a good long time; sometimes it finds things outside 192.168.n.n.
Try with and without VPN running.
- arping
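As an added example (not the page's or nmap's own code) of the periodic scan-and-compare idea above: save each run with "nmap -oX", then compare two saved files with this standard-library script, which reports hosts and open ports that appeared or vanished between the two scans. The two XML documents inside it are constructed samples, not real scan output.

```python
"""Compare two saved nmap XML scans of your LAN (added example; not from the page).

Save scans with   nmap -oX scan-YYYY-MM.xml 192.168.0.0/24   and pass the two
files' contents to diff_scans().  Only hosts nmap reports as "up" are compared.
"""
import xml.etree.ElementTree as ET

# Constructed sample: last month's scan.  Router at .1, printer at .100.
BASELINE_XML = """<nmaprun scanner="nmap">
 <host><status state="up"/><address addr="192.168.0.1" addrtype="ipv4"/>
  <ports>
   <port protocol="tcp" portid="80"><state state="open"/><service name="http"/></port>
   <port protocol="tcp" portid="443"><state state="open"/><service name="https"/></port>
   <port protocol="tcp" portid="23"><state state="closed"/><service name="telnet"/></port>
  </ports></host>
 <host><status state="up"/><address addr="192.168.0.100" addrtype="ipv4"/>
  <ports><port protocol="tcp" portid="9100"><state state="open"/><service name="jetdirect"/></port>
  </ports></host>
</nmaprun>"""

# Constructed sample: this month's scan.  Router now answers Telnet and UPnP,
# the printer is off, and an unknown host at .57 has appeared.
NEW_XML = """<nmaprun scanner="nmap">
 <host><status state="up"/><address addr="192.168.0.1" addrtype="ipv4"/>
  <ports>
   <port protocol="tcp" portid="80"><state state="open"/><service name="http"/></port>
   <port protocol="tcp" portid="443"><state state="open"/><service name="https"/></port>
   <port protocol="tcp" portid="23"><state state="open"/><service name="telnet"/></port>
   <port protocol="udp" portid="1900"><state state="open"/><service name="upnp"/></port>
  </ports></host>
 <host><status state="down"/><address addr="192.168.0.100" addrtype="ipv4"/></host>
 <host><status state="up"/><address addr="192.168.0.57" addrtype="ipv4"/>
  <ports><port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
  </ports></host>
</nmaprun>"""


def open_ports(xml_text: str):
    """Map each up host's address -> {(proto, port): service name} for open ports only."""
    result = {}
    for host in ET.fromstring(xml_text).iter("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue                                   # down hosts are treated as absent
        addr = host.find("address").get("addr")
        ports = {}
        for p in host.iter("port"):
            if p.find("state").get("state") != "open":
                continue
            svc = p.find("service")
            name = svc.get("name", "?") if svc is not None else "?"
            ports[(p.get("protocol"), int(p.get("portid")))] = name
        result[addr] = ports
    return result


def diff_scans(old_xml: str, new_xml: str):
    """Report hosts and open ports that appeared or disappeared between two scans."""
    old, new = open_ports(old_xml), open_ports(new_xml)
    report = {"new_hosts": sorted(set(new) - set(old)),
              "gone_hosts": sorted(set(old) - set(new)),
              "opened": [], "closed": []}
    for addr in sorted(set(old) & set(new)):
        for proto, port in sorted(set(new[addr]) - set(old[addr])):
            report["opened"].append((addr, proto, port, new[addr][(proto, port)]))
        for proto, port in sorted(set(old[addr]) - set(new[addr])):
            report["closed"].append((addr, proto, port, old[addr][(proto, port)]))
    return report


if __name__ == "__main__":
    for key, items in diff_scans(BASELINE_XML, NEW_XML).items():
        print(key, items)
```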
PC applications to beat on a single device (client or router):
You run one of these apps on your PC, and give it the LAN IP address of a single machine you want to attack.
- threat9's "routersploit" (Linux or OSX)
Null Byte's "Seize Control of a Router with RouterSploit "
Kevin Mark's "RouterSploit Framework"
I installed RouterSploit on Linux Mint 19.1 in 2/2019:
    sudo apt update
    sudo apt install python3-pip
    sudo apt install python3-setuptools
    cd ~
    git clone https://github.com/threat9/routersploit
    cd routersploit
    sudo python3 -m pip install -r requirements.txt
    cd ~/routersploit
    python3 rsf.py
    # see "rsf >" prompt
    show all
    use scanners/autopwn
    # get "rsf (Autopwn) >" prompt
    show options
    # I'm on a machine on the LAN, testing router from LAN side
    set target 192.168.0.1
    set threads 1
    run
    # takes a surprisingly long time to check each vuln
    # it's taking 15 to 60 seconds per vuln
    # it starts with a few generic SSL/TLS vulns
    # it's checking vulns for all router brands
    # most "not vulnerable"; a few "Could not be verified"
    # testing doesn't slow down normal traffic through router
    # it also checked some vulns for webcams
    # took more than 1 hour to check vulns
    # then it started checking for default credentials
    # checking about 12 items took about 5 minutes
    # no vulns or default creds found
    # if it finds a vulnerability, choose that exploit
    use exploits/routers/whatever
    show options
    set target 192.168.0.1
    check
    # if you want to exploit
    run
- Router Scan (Windows)
- Flan Scan
Runs nmap and then looks up known vulnerabilities for your services.
"The only way to install Flan Scan is by using a Docker container or in Kubernetes."
Nadin El-Yabroudi's "Introducing Flan Scan: Cloudflare's Lightweight Network Vulnerability Scanner"
SecurityTrails' "Flan Scan - The New Vulnerability Scanner from Cloudflare"
- SPARTA.
Mostly for testing a web-app server; most features wasted if you're not running at least a web-server.
SPARTA
WonderHowTo's "Discover & Attack Services on Web Apps or Networks with Sparta"
- Legion.
A fork of Sparta.
Linux-only.
Mostly for testing a web-app server; most features wasted if you're not running at least a web-server.
Legion
GoVanguard / legion
- Osmedeus.
Mostly for testing a web-app server; most features wasted if you're not running at least a web-server.
j3ssie / Osmedeus
Browser to test a single device:
Testing webcam / security camera from inside (LAN side)
Assuming camera's LAN IP address is 192.168.0.100:
192.168.0.100/err.htm
192.168.0.100:10554
192.168.0.100:81
192.168.0.100:23 (Telnet)
192.168.0.100:2323 (Telnet)
192.168.0.100
If test from LAN side gives suspicious results, investigate from WAN side.
Testing networked printer from inside (LAN side)
Assuming printer's LAN IP address is 192.168.0.100:
192.168.0.100:23 (Telnet)
192.168.0.100:2323 (Telnet)
192.168.0.100
Probably ports 9100, 631, 515 will be open on the LAN side; this is normal. But they shouldn't be exposed on the WAN side.
If test from LAN side gives suspicious results, investigate from WAN side.
Lee Munson's "Penetration testing for the home computer user"
TechIncidents' "Penetration Testing Checklist with Android, windows, Apple & Blackberry Phones"
Online Tech Tips' "How to Scan Your Network for Devices and Open Ports"
SpiceWork's thread "How can I pen test my own network?" (more about business networks)
Router Security's "Test Your Router" (also cameras, printers, etc)
Paul Wagenseil's "Your Router's Security Stinks: Here's How to Fix It"
Online Privacy
Test
- From Rob Pegoraro's "How to make your offline self harder to find online":
Open an incognito window in your browser (so Google or any other search engine shows what a stranger would see) and search for your name and street address, name and phone number, name and birthday, and name and last four digits of your Social Security number.
Note that, individually, each data point may not look like a huge privacy risk - but combining them can unlock various other databases.
- See how much of your info is publicly exposed:
PublicRecordsNow
Radaris
The Paranoid's Bible: An anti-dox effort
- Have a friend try to find your address, your email address, your Facebook info, etc online.
Gasmask (Linux only)
If you use reddit: SnoopSnoo (but hangs on FF, and last update 2015)
- Pay a company to test your privacy and security.
Minimize the number of things you use:
Do you really need to use:
- Each add-on you have installed in your browser ?
- Each app you have installed on your phone ?
- Each app you have installed on your computer ?
- Each app you have allowed to access your Facebook account ?
- Each app you have allowed to access your email account ?
- Each social media site you use ?
Painful things: Maybe every few years, change your email address, phone, phone number, credit card number ? Maybe do a factory-reset of your phone, or a fresh OS install on your computer ? Change to a different internet service provider (ISP) ?
Review my Computer Security and Privacy page and see if you can make some improvements in various areas.
Do a periodic check and cleanup
- Run anti-virus scan, and Malwarebytes scan, and various IP leak tests.
- Run cleanup tool such as
BleachBit
or
CCleaner.
Do NOT clean or optimize the Windows registry. This is a big gamble, you don't know what will happen.
- Delete old, unneeded content out of your email accounts (don't forget Sent, Spam, and Trash folders),
phone Contacts list, text messages, email Address Book, Calendar, etc.
- What is stored in your cloud accounts ? Google Drive, Google Photos, Microsoft OneDrive,
Apple iCloud, Amazon Cloud Drive, Dropbox, Box, more ?
- What is stored in your social media accounts, especially in the photo albums ?
Facebook, Instagram, Pinterest, more ?
- Check for "clone" social media accounts: ones with your name and photo, but
created by copying your real account, to fool your friends. Report them as fakes.
- What is stored in your online retail accounts, especially in the "delivery addresses" lists ?
Amazon, eBay, more ?
- Look through all of your accounts (maybe in your password manager) and delete any you don't need any more.
- Simple Email Reputation
- Look through the apps on your computer and phone and delete any you don't need any more.
- Look through the third-party apps connected to your Facebook account and delete any you don't need.
- Update any seldom-used software that doesn't auto-update (maybe Flash, Skype, Java).
- Access all of your backup devices and accounts, to make sure they still work.
- Reboot things that never get rebooted, to let any updates happen, and to make sure
you still have all the login info, and to document the procedures. Servers, router.
- Note: It's normal for the Linux logs (output of "sudo dmesg" and "sudo journalctl") to have
tons of error and warning messages in them. Learn how much of this is normal
for your system, and try to see if anything new appears.
- On Linux, check where your software is coming from:
    grep -v '#' /etc/apt/sources.list
- On Linux:
    fwupdmgr security --force
It would be nice to have an app that did a very quick scan of your system, reported any sensitive apps or conditions, and suggested that you check their settings to make sure they're secure and updated. Maybe report:
- Remote-control apps (Teamviewer, VNC, X2Go, AnyDesk, NoMachine, et al).
- Apps that backup/syncing to somewhere else (Dropbox et al).
- Apps/services that handle incoming traffic (web server et al).
- Network file-shares.
In Linux:
    EGREPLIST='vnc|^vino|x2go|remmina|tftp-server|telnet-server|rsh-server|xinetd|^rclone|^rsync|dropbox|megasync|^sshd|^xrdp|odrive|nextcloud|^xpra|vinagre|krfb|nomachine|teamviewer|anydesk|guacamole-server|guacd|gnome-user-share|mate-user-share|vsftpd|^samba/|^apache2/|^httpd/|^nginx|^lighttpd/|openssh-*server'
    apt list | egrep -i "${EGREPLIST}" | grep installed
    dnf list --installed | egrep -i "${EGREPLIST}"
    # If you find a "suspicious" apt/deb package:
    apt show PKGNAME
    dnf info PKGNAME
    ls -l /var/lib/dpkg/info/PKGNAME.list    # see when installed
    dnf history | grep PKGNAME               # see when installed
    grep PKGNAME /var/log/yum.log*           # see when installed
    sudo grep PKGNAME /var/log/zypp/history  # see when installed
    snap list | egrep -i "${EGREPLIST}"
    # If you find a "suspicious" snap image:
    snap info IMGNAME
    flatpak list | egrep -i "${EGREPLIST}"
    sudo docker image ls | egrep -i "${EGREPLIST}"
    sudo ps -eo comm | egrep -i "${EGREPLIST}" | grep -v grep
    # Some specific apps:
    xpra list
    xpra info
    lsmod | grep -i '^nfs'
This page updated: May 2021