Thanks Oliver.
I didn't know about shorewall, so it's good that you recommended it.
I should have mentioned that I already use a router, built in to my
ADSL modem, so as far as incoming connections go I have to explicitly
set up those ports on my ADSL modem/router (so I will have to forward
ports 80 etc. to my Debian machine).
I suppose shorewall will be useful for monitoring/blocking outgoing
connections.
I'm not a security expect by any means, so I guess my concern is that
by having Testing or Unstable installed, with lots of software not
normally used on a server, and by having Apache and other services open
to the net, that someone with malicious intent on the net could exploit
a hole somewhere that I'm not aware of.
Thanks,
Yasir
On Tue, 2006-01-31 at 20:03 +1100, Yasir Assam wrote:
...
I know that for production servers only the Stable distribution is
recommended and as little software as possible should be installed. But
as a workstation, I'd like to install Unstable and a lot more software
on it than I would on a pure server (e.g. Gnome/KDE, GIMP and loads of
other stuff that I like to play around with).
What should I do? Is it possible to run Unstable in a secure fashion? I
know the security team focuses on releasing security updates to Stable
first, but doesn't Unstable get the updates soon after?
unstable is most likely to get the updates first, if the same version is
being used, because the security team will then need to check the
changes. If it is a different version the security updates may be
irrelevant and you will depend on having problems promptly fixed by the
package maintainers.
As a compromise, you could install testing, which will be some way
behind unstable, but somewhat less likely to contain serious problems.
For security of your internet connection, install a firewall such as
shorewall (Debian package) and configure it very restrictively.
Oliver Elphick
|