On Mon, 2007-04-23 at 09:30 -0400, Douglas Allan Tutty wrote: > On Mon, Apr 23, 2007 at 01:23:00AM -0700, Paul Johnson wrote: > > Douglas Allan Tutty wrote in Article <[🔎] 20070421174918.GA10236@titan> posted > > to gmane.linux.debian.user: > > > > > If I have two boxes, with two users, linked by ethernet and one box is > > > on dial-up to the ISP, with nothing listening on external ports except > > > the ntp daemon, what is a reasonable stance on security? > > > > Probably, yes. > ?? > > > > > > Given that anyone who breaks into the house will have physical access to > > > the consoles anyway, do I need a whiz-bang long root password, strong > > > passwords on the regular uses, and all the other hypervigalance? > > > > Yes. It's not necessarily what's on the machine, but how it's resources can > > be abused. Most spam is sent from compromised systems of various types. > > > > But how does a strong password protect against a physical attack on the > computer? It doesn't against a skilled "attacker", but given most (if not all) B&E perps have dropped out of school... percentages are heavily skewed that a perp will just TAKE the machine and anything else of value. > If I find there's been a break into my home, I'll assume that > they got into the computer. Well, let us be real here, you being j.random.houseowner (j.random.residence.occupant). What are the chances that a breakin perp will "hack into your computer" for subversive reasons. Come on, if they break-in... most (all?) perps are of the "Breaking and Entering strip the house of valuables" type of thing. If you have Linux on any current computer, they don't care. They just fence the stuff. Very few have even heard of Linux, let alone used anything other than Windows. They can covet and keep Mac's and have been caught. Linux is to foreign, if you have auto-login enabled, well see the next paragraph. Physical Access at home, only matters if you really think the $SECRET_GOV_AGENCY is out to get you. ANY home is not secure enough. The wooden/drywall walls are easily broken. Windows can be broken, locks jiggered. You should be using encrypted everything. Shredding and burning any paper documents and many other measures (including that Tin-Foil hat from "Thinkgeek") > > > If ssh isn't even listening on external interfaces, does it matter if I > > > allow root to ssh (useful for rsyncing backups between the boxes)? > > > > I would recommend against allowing root ssh just in case. It's not that > > hard to sudo anyway. > > > > But then how do I rsync the backups? For example, if I make it so that > group adm can read everything, and I'm in group adm, should I just rsync > it with my user name? OTOH, doesn't having group adm able to read the > backups cause a decrease in security? If someone then gets adm access, > they can read everything in the backups. I just do, good enough practices at home, I don't use windows, I do use nfsv4, I do use ssh/scp/sshfs for things not covered by nfsv4. I have my servers downstairs on a custom made shelf and I don't leave any console logged in. I do have a setup that uses rsync, but have long ago discarded it, as I now have everything RAID5 or better (software or hardware) and I have an external drive I use for backups, as well as specialized Optical backups for important things for myself and my wife. The kinds of things you are worrying about are really only typical in a corporate environment and typically only ones that *DEPEND* on a working system and could have IP stored on these machines. To those ends, physical access to the "servers" by a disgruntled employee is severely reduced by a proper access control system and if they still get into the room and a proper video system will record them. > I'm not arguing against good security practices, I'm arguing against a > blanket knee-jerk response that my not add anything given a home setup. Knowing what I know, having implemented multi-site redundancy, with multi-path fail-over modes, site security, backups and power control and varying aspects of data protection, I'd just say that most home setups generally only need a "good enough" set of practices. Paranoid peoples be damned. In summary, home security is somewhat of a grey area. Sure do all the things corporations do... but when it comes down to it, a simple jiggering of a door lock and a simple screwdriver and bootable x86 media (like who has an Alpha as a workstation?) will defeat 99.99% of your countermeasures. And the percentage chance that said someone actually doing the jiggering is there to "hack your computers" is (far?) less than 0.1%. Unless you are Bill Gates, then Corporate Espionage takes a whole new approach... but then Bill would just buy the company you are working for and then fire you while you are doing the mis-deed to your own boss. -- greg, greg@gregfolkert.net Novell's Directory Services is a competitive product to Microsoft's Active Directory in much the same way that the Saturn V is a competitive product to those dinky little model rockets that kids light off down at the playfield. -- Thane Walkup
Attachment:
signature.asc
Description: This is a digitally signed message part