Re: security for a home system
Douglas Allan Tutty wrote in Article <[🔎] 20070423133018.GA9626@titan> posted to
gmane.linux.debian.user:
> On Mon, Apr 23, 2007 at 01:23:00AM -0700, Paul Johnson wrote:
>> Douglas Allan Tutty wrote in Article <[🔎] 20070421174918.GA10236@titan>
>> posted to gmane.linux.debian.user:
>>
>> > If I have two boxes, with two users, linked by ethernet and one box is
>> > on dial-up to the ISP, with nothing listening on external ports except
>> > the ntp daemon, what is a reasonable stance on security?
>>
>> Probably, yes.
> ??
It never hurts to have a border router between your network and the
Internet, with only the ports you intend to use forwarded to the
appropriate server.
>> > Given that anyone who breaks into the house will have physical access
>> > to the consoles anyway, do I need a whiz-bang long root password,
>> > strong passwords on the regular uses, and all the other hypervigalance?
>>
>> Yes. It's not necessarily what's on the machine, but how it's resources
>> can
>> be abused. Most spam is sent from compromised systems of various types.
>>
>
> But how does a strong password protect against a physical attack on the
> computer? If I find there's been a break into my home, I'll assume that
> they got into the computer.
It doesn't. Still, if someone manages to find a way into your system, you
should make it hard for them to escalate privileges.
>> > If ssh isn't even listening on external interfaces, does it matter if I
>> > allow root to ssh (useful for rsyncing backups between the boxes)?
>>
>> I would recommend against allowing root ssh just in case. It's not that
>> hard to sudo anyway.
>
> But then how do I rsync the backups? For example, if I make it so that
> group adm can read everything, and I'm in group adm, should I just rsync
> it with my user name? OTOH, doesn't having group adm able to read the
> backups cause a decrease in security? If someone then gets adm access,
> they can read everything in the backups.
rsync and ssh aren't the same, so I'm a little confused where you're coming
from here.
--
Paul Johnson
Email and IM (XMPP & Google Talk): baloo@ursine.ca
Reply to: