From: tinnews on 16 Apr 2008 08:19

D.M. Procida <real-not-anti-spam-address(a)apple-juice.co.uk> wrote:
> <tinnews(a)isbd.co.uk> wrote:
>
> > > What would you suggest as sensible security measures for desktop Linux
> > > users, who won't be running such things as PHP websites or an array of
> > > vulnerable services?
> > >
> > Security against what?
>
> Bad People, mainly.
>
Well secure the system physically against "bad people" for a start! Then most of the other advice given makes sense.

--
Chris Green

From: Nigel Wade on 16 Apr 2008 08:22

D.M. Procida wrote:
> Andy Burns <usenet.april2008(a)adslpipe.co.uk> wrote:
>
>> > What would you suggest as sensible security measures for desktop Linux
>> > users, who won't be running such things as PHP websites or an array of
>> > vulnerable services?
>>
>> 1) Position a NAT router between the linux box and the internet
>
> Sorry, I should have said that this would be directly Internet-facing on
> a public IP address.
>
>> 2) Keep current with your distro's security updates
>
> Indeed.
>
> This is mainly to satisfy an institutional box-ticker, whose box demands
> that "up-to-date anti-virus software" be installed.
>

In that case your first approach should be to point out to them that the system runs Linux, and there are no viable viruses in the wild for Linux.

If the bean counter doesn't have sufficient clue for this to satisfy them, then install ClamAV and pat them gently on the head and say "there now, is that ok?"

Additionally, real security measures you ought to take include configuring the firewall (iptables) and disabling all unnecessary services. Restrict access to necessary services to only those who actually require them. This especially includes network facing services such as ssh, which ought to be restricted to internal IP only unless you have to allow external access.

What type of system are you configuring? Is it a desktop system which will be for single login at the console, or is it a central server for multiple simultaneous users over the network?

--
Nigel Wade

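Added example, not part of the thread: the two measures named in the post above (a default-deny iptables policy with ssh limited to an internal range, and finding services to disable) as one script. The range 192.0.2.0/24, the function names and the sample `ss` output are constructed assumptions.

```shell
#!/bin/sh
# Added example. INTERNAL_NET is an assumed placeholder (documentation range).
INTERNAL_NET="${INTERNAL_NET:-192.0.2.0/24}"

# Constructed sample of `ss -tln` output, so the script runs offline.
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*
LISTEN 0      128    [::]:22            [::]:*
LISTEN 0      5      127.0.0.1:631      0.0.0.0:*
LISTEN 0      5      [::1]:631          [::]:*
LISTEN 0      64     0.0.0.0:111        0.0.0.0:*'

# Emit an iptables-restore ruleset: drop inbound by default, allow loopback,
# replies to outbound traffic, and new ssh connections only from range $1.
gen_rules() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp -s $1 --dport 22 -m conntrack --ctstate NEW -j ACCEPT
COMMIT
EOF
}

# Read `ss -tln` output on stdin; print ports listening on non-loopback addresses.
exposed_ports() {
    awk '$1 == "LISTEN" {
        n = split($4, part, ":"); port = part[n]
        addr = substr($4, 1, length($4) - length(port) - 1)
        if (addr !~ /^127\./ && addr != "[::1]") print port
    }' | sort -un
}

# Ports that listen on a routable address but have no ACCEPT rule: candidates
# for disabling outright rather than relying on the firewall alone.
disable_candidates() {
    rules=$(gen_rules "$INTERNAL_NET")
    exposed_ports | while read -r port; do
        echo "$rules" | grep -q -- "--dport $port " || echo "$port"
    done
}

# Live use (as root): gen_rules "$INTERNAL_NET" | iptables-restore
#                     ss -tln | disable_candidates
printf '%s\n' "$SAMPLE_SS" | disable_candidates   # prints 111
```

The ruleset covers IPv4 only; listeners on `[::]` need an equivalent loaded with `ip6tables-restore`.
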
From: Andy Burns on 16 Apr 2008 08:39

On 16/04/2008 13:19, tinnews(a)isbd.co.uk wrote:
> D.M. Procida <real-not-anti-spam-address(a)apple-juice.co.uk> wrote:
>> <tinnews(a)isbd.co.uk> wrote:
>>
>>>> What would you suggest as sensible security measures for desktop Linux
>>>> users, who won't be running such things as PHP websites or an array of
>>>> vulnerable services?
>>>>
>>> Security against what?
>> Bad People, mainly.
>>
> Well secure the system physically against "bad people" for a start!

Yes, that makes it sound more like a server-room environment than a desktop user

From: Van Helsing on 16 Apr 2008 08:41

Nigel Wade wrote:
>>
>> This is mainly to satisfy an institutional box-ticker, whose box demands
>> that "up-to-date anti-virus software" be installed.
>>
>
> In that case your first approach should be to point out to them that the system
> runs Linux, and there are no viable viruses in the wild for Linux.
>
> If the bean counter doesn't have sufficient clue for this to satisfy them, then
> install ClamAV and pat them gently on the head and say "there now, is that ok?"

Whilst I'd agree with you on the subject of viable viruses for Linux it's important not to forget that Linux can act as a carrier in mixed OS environments. A downloaded file that may be perfectly harmless to a Linux host could contain a virus that infects a Windows host if copied across.

In a mixed OS environment it's definitely worth considering running an AV scanner on Linux if only to prevent it being the infection vector to its lesser brethren.

VH

From: Bernard Peek on 16 Apr 2008 09:26

D.M. Procida wrote:
> C. <colin.mckinnon(a)gmail.com> wrote:
>
>>> Sorry, I should have said that this would be directly Internet-facing on
>>> a public IP address.
>>>
>> From your previous description, it doesn't need to be and from your
>> requirements it shouldn't be - Andy's advice is spot on. For the sake
>> of £30-£40 you get a lot of security by buying a decent router and
>> configuring it properly.
>
> I'm afraid I don't have that kind of say over this institution's IT
> policies.

If you suggest that an internet-facing machine should have regular penetration testing (and tell them how much it could cost) you may get them to change their mind.

>
>>> This is mainly to satisfy an institutional box-ticker, whose box demands
>>> that "up-to-date anti-virus software" be installed.
>>>
>> That implies that your box-ticker thinks it's OK to attach MS-Windows
>> machines directly to the internet if they have "up-to-date anti-virus
>> software". I'd recommend a pitched battle with name-calling,
>> back-stabbing and lots of fish-slapping.

That sounds like a job for a consultant. :-) "I'm free!"

>
> It's not really my battle. When I started the job I refused to use
> Windows and insisted they buy me an iMac, but the Linux question is on
> someone else's behalf.

You appear to have a pathological situation which the PTB aren't handling too well. My first instinct would be to run away very fast. But now isn't the best time to look for work.

--
bap(a)shrdlu.com