Re: security for a home system
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Douglas Allan Tutty wrote:
> Reflecting on recent posts re allowing root login (related, but I didn't
> want to steal the thread), I'm wondering about a home network and what
> to bother with. There's a touch of devil's advocate in this but the
> concept that physical access == root access causes one to wonder.
>
> If I have two boxes, with two users, linked by ethernet and one box is
> on dial-up to the ISP, with nothing listening on external ports except
> the ntp daemon, what is a reasonable stance on security?
>
> Given that anyone who breaks into the house will have physical access to
> the consoles anyway, do I need a whiz-bang long root password, strong
> passwords on the regular users, and all the other hypervigilance?
>
Well, if you consider that, you also might want to consider making sure
the systems cannot boot from a CD, USB or anything other than the HD
where Debian is installed, and make sure that the BIOS has password
protection to prevent someone from changing this. Because if someone with
a liveCD comes along, all the strong passwords you want won't save your
data. Now encrypting it all might save you, but do you really need to
go that far? I guess this is what you mean by hypervigilance.
> If ssh isn't even listening on external interfaces, does it matter if I
> allow root to ssh (useful for rsyncing backups between the boxes)?
>
> Why bother to rsync instead of just nfs mounting the backup repository?
>
If you are positive there are no ways into the computer through your
internet connections, then nfs is fine. For a closed system, there is
no problem.
> If I need to run a backup, other than it being 'proper', why not just
> login as root instead of myself and su?
>
> Note that I am _not_ suggesting that I just do everything as root; then
> I lose the protection from myself.
That is what I do, but I make sure that the internet is down when I do
that, so there is no chance of someone coming in, or anything going out
while I am backing up, just a safety precaution. One can never be too
careful.
Joe
- --
Registered Linux user #443289 at http://counter.li.org/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
iD8DBQFGKmKTiXBCVWpc5J4RAqGeAJ4je8kgRHN3JTXSKD/pLpEjNZbNRQCdGOv6
DfLbf+3GinLjp9d7rJcpfH0=
=DScv
-----END PGP SIGNATURE-----
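The thread's condition for allowing root over ssh is that sshd does not listen on the external interface at all. The script below is an added example, not something from this thread or from Debian's own tooling: it audits an sshd_config for exactly that condition (every ListenAddress inside the LAN prefix) and reports the effective PermitRootLogin setting, so the "root can rsync over ssh" decision can be checked rather than assumed. The sample config, the 192.168.1.0/24 LAN prefix and the address 192.168.1.10 are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): check whether an
# sshd_config matches the thread's assumptions before permitting root
# login for rsync backups.  The config text below is constructed; the
# LAN prefix passed to listen_scope is an assumption for this example.

# Constructed sample sshd_config for a box that should only be reachable
# from the home LAN.  "without-password" means root may log in with a key
# but not with a password (later OpenSSH spells it prohibit-password).
SAMPLE_SSHD_CONFIG='
# constructed sample sshd_config
Port 22
ListenAddress 192.168.1.10
PermitRootLogin without-password
PasswordAuthentication no
'

# listen_scope CONFIG_TEXT LAN_PREFIX
# Prints one of:
#   all-interfaces  no ListenAddress at all, so sshd binds everywhere
#                   (including the dial-up interface)
#   exposed         at least one ListenAddress is outside LAN_PREFIX
#   ok              every ListenAddress is inside LAN_PREFIX
listen_scope() {
    config="$1"
    lan_prefix="$2"
    seen=0
    bad=0
    # $1 is the keyword even with leading whitespace; comments start with "#"
    for addr in $(printf '%s\n' "$config" | awk '$1=="ListenAddress"{print $2}'); do
        seen=1
        case "$addr" in
            "$lan_prefix"*) ;;          # inside the LAN prefix
            *) bad=1 ;;                 # anything else, e.g. 0.0.0.0 or ::
        esac
    done
    if [ "$seen" -eq 0 ]; then
        echo all-interfaces
    elif [ "$bad" -eq 1 ]; then
        echo exposed
    else
        echo ok
    fi
}

# root_login_policy CONFIG_TEXT
# Prints the last PermitRootLogin value (sshd uses the first match, but a
# single directive is the normal case), or "unset" if there is none.
root_login_policy() {
    printf '%s\n' "$1" | awk '$1=="PermitRootLogin"{v=$2} END{print (v=="" ? "unset" : v)}'
}

# audit CONFIG_TEXT LAN_PREFIX
# Prints "root-over-ssh-acceptable" only when sshd is LAN-only and root
# login is key-based; otherwise prints the reason.
audit() {
    scope=$(listen_scope "$1" "$2")
    policy=$(root_login_policy "$1")
    if [ "$scope" != ok ]; then
        echo "sshd-reachable-externally:$scope"
    elif [ "$policy" = without-password ] || [ "$policy" = prohibit-password ]; then
        echo root-over-ssh-acceptable
    else
        echo "root-login-policy:$policy"
    fi
}

# Stand-alone run against the constructed sample.
audit "$SAMPLE_SSHD_CONFIG" "192.168.1."
```

To check a real machine, replace the constructed text with `"$(cat /etc/ssh/sshd_config)"` and pass your own LAN prefix; a result of `all-interfaces` means the "nothing listening externally" premise in the question does not hold yet, whatever the root password looks like.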