|
From: Bernard Peek on 16 Apr 2008 08:05

D.M. Procida wrote:

> This is mainly to satisfy an institutional box-ticker, whose box demands
> that "up-to-date anti-virus software" be installed.

Does a patched Linux installation fit that description?

--
bap(a)shrdlu.com

From: C. on 16 Apr 2008 08:06

On 16 Apr, 12:48, real-not-anti-spam-addr...(a)apple-juice.co.uk (D.M. Procida) wrote:

> Andy Burns <usenet.april2...(a)adslpipe.co.uk> wrote:
> > > What would you suggest as sensible security measures for desktop Linux
> > > users, who won't be running such things as PHP websites or an array of
> > > vulnerable services?
>
> > 1) Position a NAT router between the linux box and the internet
>
> Sorry, I should have said that this would be directly Internet-facing on
> a public IP address.
>

From your previous description, it doesn't need to be and from your requirements it shouldn't be - Andy's advice is spot on. For the sake of £30-£40 you get a lot of security by buying a decent router and configuring it properly.

> This is mainly to satisfy an institutional box-ticker, whose box demands
> that "up-to-date anti-virus software" be installed.
>

That implies that your box-ticker thinks it's OK to attach MS-Windows machines directly to the internet if they have "up-to-date anti-virus software". I'd recommend a pitched battle with name-calling, back-stabbing and lots of fish-slapping.

C.

From: Nick Leverton on 16 Apr 2008 08:09

In article <1ifhpgt.1s9mui71c04uwjN%real-not-anti-spam-address(a)apple-juice.co.uk>,
D.M. Procida <real-not-anti-spam-address(a)apple-juice.co.uk> wrote:
>
>> > What would you suggest as sensible security measures for desktop Linux
>> > users, who won't be running such things as PHP websites or an array of
>> > vulnerable services?

>This is mainly to satisfy an institutional box-ticker, whose box demands
>that "up-to-date anti-virus software" be installed.

Install clamav and let him tick his box as much as he enjoys ...

Nick
--
Serendipity: http://www.leverton.org/blosxom (last update 2nd April 2008)
"The Internet, a sort of ersatz counterfeit of real life"
-- Janet Street-Porter, BBC2, 19th March 1996

From: D.M. Procida on 16 Apr 2008 08:11

C. <colin.mckinnon(a)gmail.com> wrote:

> > Sorry, I should have said that this would be directly Internet-facing on
> > a public IP address.
> >
>
> From your previous description, it doesn't need to be and from your
> requirements it shouldn't be - Andy's advice is spot on. For the sake
> of £30-£40 you get a lot of security by buying a decent router and
> configuring it properly.

I'm afraid I don't have that kind of say over this institution's IT policies.

> > This is mainly to satisfy an institutional box-ticker, whose box demands
> > that "up-to-date anti-virus software" be installed.
> >
>
> That implies that your box-ticker thinks it's OK to attach MS-Windows
> machines directly to the internet if they have "up-to-date anti-virus
> software". I'd recommend a pitched battle with name-calling,
> back-stabbing and lots of fish-slapping.

It's not really my battle. When I started the job I refused to use Windows and insisted they buy me an iMac, but the Linux question is on someone else's behalf.

Daniele

From: Anahata on 16 Apr 2008 08:16

D.M. Procida wrote:
>
> Sorry, I should have said that this would be directly Internet-facing on
> a public IP address.

A few obvious ones:

Make sure no TCP-listening or UDP-listening service is running that needn't be. There are websites that will run a test for open ports on your host and show you the results, with advice about implications.

Make sure listening services that must run are doing so under a safe user id with privileges restricted to only what's needed, and check the docs/manpages for other security advice on those servers.

Check your logs periodically.

Run chkrootkit periodically.

===

Where does all this end? There are whole books on securing Linux systems.

Anahata
|
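
Added example, not part of Anahata's post or the thread: a local check for the first two points above (unneeded listeners, and listeners owned by root), done by parsing the `/proc/net/tcp` table. It covers IPv4 TCP only and assumes a little-endian host; `SAMPLE`, `decode_addr` and `audit_listeners` are names made up for this sketch, and the sample rows are constructed.

```python
import socket
import struct

# Constructed sample in /proc/net/tcp layout (not captured from a real host).
SAMPLE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 11111 1 0 100 0 0 10 0
   1: 0100007F:0277 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 22222 1 0 100 0 0 10 0
   2: 00000000:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1001        0 33333 1 0 100 0 0 10 0
   3: 0A00020F:0016 0A000202:C350 01 00000000:00000000 00:00000000 00000000     0        0 44444 1 0 100 0 0 10 0
"""

TCP_LISTEN = "0A"  # state code the kernel prints for a listening socket


def decode_addr(field):
    """Turn 'HEXIP:HEXPORT' into ('a.b.c.d', port).

    The address is a 32-bit value printed in host byte order; this
    assumes a little-endian machine (x86, most ARM).
    """
    ip_hex, port_hex = field.split(":")
    ip = socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16)))
    return ip, int(port_hex, 16)


def audit_listeners(text):
    """Return one finding per LISTEN socket with address, port, uid, flags."""
    findings = []
    for line in text.splitlines()[1:]:  # skip the header row
        cols = line.split()
        if len(cols) < 8 or cols[3] != TCP_LISTEN:
            continue  # established or closing connections are not listeners
        ip, port = decode_addr(cols[1])
        uid = int(cols[7])
        flags = []
        if not ip.startswith("127."):
            flags.append("reachable-from-network")
        if uid == 0:
            flags.append("runs-as-root")
        findings.append({"ip": ip, "port": port, "uid": uid, "flags": flags})
    return findings


if __name__ == "__main__":
    # On a real host, pass open("/proc/net/tcp").read() instead of SAMPLE.
    for f in audit_listeners(SAMPLE):
        print(f"{f['ip']}:{f['port']} uid={f['uid']} {','.join(f['flags']) or 'ok'}")
```

The uid column records the owner of the socket, so a daemon that binds as root and then drops privileges can still show uid 0; treat that flag as a prompt to check the service's configuration.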