[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: security for a home system



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Douglas Allan Tutty wrote:
> Reflecting on recent posts re allowing root login (related, but I didn't
> want to steal the thread), I'm wondering about a home network and what
> to bother with.  There's a touch of devil's advocate in this but the
> concept that physical access == root access causes one to wonder.
> 
> If I have two boxes, with two users, linked by ethernet and one box is
> on dial-up to the ISP, with nothing listening on external ports except
> the ntp daemon, what is a reasonable stance on security?  
> 
> Given that anyone who breaks into the house will have physical access to
> the consoles anyway, do I need a whiz-bang long root password, strong
> passwords on the regular uses, and all the other hypervigalance?
> 

Well, if you consider that, you also might want to consider making sure
the systems cannot boot from a CD, USB or anything else than the HD
where Debian is installed and make sure that the BIOS has a password
protect to prevent someone from changing this.  Because if someone with
a liveCD comes along, all the strong passwords you want won't save your
data.  Now encrypting it all might save you, but do you really need to
go that far?  I guess this is what you mean by hyper vigilance.

> If ssh isn't even listening on external interfaces, does it matter if I
> allow root to ssh (useful for rsyncing backups between the boxes)?
> 
> Why bother to rsync instead of just nfs mounting the backup repository?
> 

If you are positive there are no ways into the computer through your
internet connections, then nfs is fine.  For a closed system, there is
no problem.

> If I need to run a backup, other than it being 'proper', why not just
> login as root instead of myself and su?
> 
> Note that I am _not_ suggesting that I just do everything as root; then
> I loose the protection from myself.

That is what I do, but I make sure that the internet is down when I do
that, so there is no chance of someone coming in, or anything going out
while I am backing up, just a safety precaution.  One can never be too
careful.

Joe

- --
Registerd Linux user #443289 at http://counter.li.org/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFGKmKTiXBCVWpc5J4RAqGeAJ4je8kgRHN3JTXSKD/pLpEjNZbNRQCdGOv6
DfLbf+3GinLjp9d7rJcpfH0=
=DScv
-----END PGP SIGNATURE-----



Reply to: