
Re: security for a home system



Douglas Allan Tutty wrote in Article <20070423133018.GA9626@titan> posted to
gmane.linux.debian.user:

> On Mon, Apr 23, 2007 at 01:23:00AM -0700, Paul Johnson wrote:
>> Douglas Allan Tutty wrote in Article <20070421174918.GA10236@titan>
>> posted to gmane.linux.debian.user:
>> 
>> > If I have two boxes, with two users, linked by ethernet and one box is
>> > on dial-up to the ISP, with nothing listening on external ports except
>> > the ntp daemon, what is a reasonable stance on security?
>> 
>> Probably, yes.
> ??

It never hurts to have a border router between your network and the
Internet, with only the ports you intend to use forwarded to the
appropriate server.

>> > Given that anyone who breaks into the house will have physical access
>> > to the consoles anyway, do I need a whiz-bang long root password,
>> > strong passwords on the regular users, and all the other hypervigilance?
>> 
>> Yes.  It's not necessarily what's on the machine, but how its resources
>> can be abused.  Most spam is sent from compromised systems of various
>> types.
>> 
> 
> But how does a strong password protect against a physical attack on the
> computer?  If I find there's been a break into my home, I'll assume that
> they got into the computer.

It doesn't.  Still, if someone manages to find a way into your system, you
should make it hard for them to escalate privileges.

>> > If ssh isn't even listening on external interfaces, does it matter if I
>> > allow root to ssh (useful for rsyncing backups between the boxes)?
>> 
>> I would recommend against allowing root ssh just in case.  It's not that
>> hard to sudo anyway.
> 
> But then how do I rsync the backups?  For example, if I make it so that
> group adm can read everything, and I'm in group adm, should I just rsync
> it with my user name?  OTOH, doesn't having group adm able to read the
> backups cause a decrease in security?  If someone then gets adm access,
> they can read everything in the backups.

rsync and ssh aren't the same, so I'm a little confused where you're coming
from here.

-- 
Paul Johnson
Email and IM (XMPP & Google Talk): baloo@ursine.ca
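
An added example, not part of the message above or of anyone's setup in the thread: a small audit of the two sshd settings the exchange turns on, whether root may log in and which addresses sshd binds. The sample config, its addresses and the function names are constructed for illustration; `PermitRootLogin` and `ListenAddress` are the real `sshd_config` keywords.

```python
import ipaddress
# Constructed sample sshd_config for one box on the two-box LAN (not from the thread).
SAMPLE = """\
ListenAddress 192.168.1.10
ListenAddress 0.0.0.0:2222
PermitRootLogin yes
PermitRootLogin no
Match User backup
    PermitRootLogin forced-commands-only
"""

def parse_global(text):
    """Collect {keyword: [values]} from the global section, before any Match block."""
    opts = {}
    for raw in text.splitlines():
        parts = raw.strip().split(None, 1)
        if not parts or parts[0].startswith("#"):
            continue
        if parts[0].lower() == "match":
            break
        opts.setdefault(parts[0].lower(), []).append(parts[1] if len(parts) > 1 else "")
    return opts

def listen_host(value):
    """Drop an optional port: host, host:port or [host]:port."""
    if value.startswith("["):
        return value[1:value.index("]")]
    return value.split(":")[0] if value.count(":") == 1 else value

def audit(text):
    """Return findings for the two settings discussed: root login and listen scope."""
    opts, findings = parse_global(text), []
    root = opts.get("permitrootlogin", [None])[0]  # sshd keeps the first value it reads
    if root is None:
        findings.append("PermitRootLogin unset: default depends on the OpenSSH version")
    elif root.lower() == "yes":
        findings.append("PermitRootLogin yes: direct root logins are allowed")
    addrs = opts.get("listenaddress", [])
    if not addrs:
        findings.append("no ListenAddress: sshd listens on all local addresses")
    for value in addrs:
        try:
            ip = ipaddress.ip_address(listen_host(value))
        except ValueError:
            findings.append(f"ListenAddress {value}: hostname, check what it resolves to")
            continue
        if ip.is_unspecified or not ip.is_private:
            findings.append(f"ListenAddress {value}: wildcard or non-private address")
    return findings
```

Calling `audit(SAMPLE)` reports the first `PermitRootLogin yes` (the later `no` never takes effect) and the wildcard `0.0.0.0:2222` binding.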



