
Re: Security concerns on stable/unstable



Bruno Diniz de Paula said:
> Hi,
>
> I have a doubt concerning security issues on stable and unstable branches
> of Debian. First question, are the security updates also applied to the
> unstable packages? If so, is it "secure" to have a 24x7 Debian box running
> unstable?

official security updates are ONLY available for stable and potato (at the
moment). unstable gets updates like normal, they include security updates
but are not specifically advertised as such. It's up to the user to manage the
security.

> The point is that I want it to be both a
> HTTP/NFS/NIS/DB server (I presume stable with security updates is better
> in this case) and a desktop box (in this case, I prefer unstable, as I can
> get the latest versions of my packages for everyday use). So, can I have
> my box running unstable in this scenario? Just reminding that I am not
> concerned about robustness, just security against attacks, for instance.

Even without updates you can run a very secure system with a good
configuration such as locked down login procedures (e.g. only allow SSH
key logins), shut down or firewall all non-critical services that are
listening on ports and that will eliminate ~98-99% of security problems
even before updates. Assuming the only ports available may be SSH and HTTP,
eliminating all other listening ports would be best. Or firewall them so only
1 or 2 trusted hosts can connect to them.

I personally run stable everywhere, desktops, laptops, servers. I have no
need for newer stuff in unstable, in fact my desktop is running a version
of afterstep from potato (re-compiled to run on woody). If you want high
security then you probably do not want NFS or NIS. At least not in their
native forms (I've read it's possible to tunnel NFS/TCP over SSH though
I haven't tried it).

nate
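An added audit helper for the two points nate makes (key-only SSH logins, nothing listening except SSH and HTTP); it is not part of his message or of any Debian tooling. It reads the text of `ss -ltn` and of `sshd_config` on standard input; the two sample inputs below are constructed, and `sshd`'s first-match rule for repeated keywords is what the second function models.

```shell
#!/bin/sh
# Constructed sample of `ss -ltn` output: SSH, HTTP, a loopback-only mailer,
# and an NFS daemon on 2049 exposed on all interfaces.
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*
LISTEN 0      128    127.0.0.1:25       0.0.0.0:*
LISTEN 0      511    *:80               *:*
LISTEN 0      128    0.0.0.0:2049       0.0.0.0:*
LISTEN 0      128    [::]:22            [::]:*'

# Constructed sshd_config: sshd keeps the FIRST value of a keyword, so the
# later "yes" does not re-enable passwords; the Match block is conditional.
SAMPLE_SSHD='# sshd_config (sample)
PubkeyAuthentication yes
PasswordAuthentication no
PasswordAuthentication yes
Match User backup
    PasswordAuthentication yes'

# unexpected_listeners "22 80" < ss_output
# Prints addr:port of every non-loopback listener whose port is not allowed.
unexpected_listeners() {
    awk -v allowed="$1" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $1 != "LISTEN" { next }                       # skip the header line
        {
            sock = $4
            i = match(sock, /:[0-9]+$/)              # position of last ":port"
            port = substr(sock, i + 1)
            addr = substr(sock, 1, i - 1)
            if (addr ~ /^127\./ || addr == "[::1]") next   # loopback is fine
            if (!(port in ok)) print sock
        }'
}

# sshd_password_auth < sshd_config   -> prints "yes" or "no"
# First occurrence wins; parsing stops at the first Match block because
# everything after it is conditional. No keyword means the sshd default, "yes".
sshd_password_auth() {
    awk '
        /^[[:space:]]*#/ || NF == 0 { next }
        tolower($1) == "match" { exit }
        tolower($1) == "passwordauthentication" { print tolower($2); found = 1; exit }
        END { if (!found) print "yes" }'
}

# Run both checks on the constructed samples.
printf '%s\n' "$SAMPLE_SS" | unexpected_listeners "22 80"
printf '%s\n' "$SAMPLE_SSHD" | sshd_password_auth
```

On a live box replace the samples with `ss -ltn | unexpected_listeners "22 80"` and `sshd_password_auth < /etc/ssh/sshd_config`; any line from the first or a "yes" from the second is something to shut down, firewall, or fix.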
