From: Nix on 16 Apr 2008 17:39

On 16 Apr 2008, tinnews(a)isbd.co.uk outgrape:

> D.M. Procida <real-not-anti-spam-address(a)apple-juice.co.uk> wrote:
>> <tinnews(a)isbd.co.uk> wrote:
>>
>> > > What would you suggest as sensible security measures for desktop Linux
>> > > users, who won't be running such things as PHP websites or an array of
>> > > vulnerable services?
>> > >
>> > Security against what?
>>
>> Bad People, mainly.
>>
> Well secure the system physically against "bad people" for a start!

This is a *university*. What are they going to do, station armed guards
around it with instructions to shoot approaching faculty, admin staff,
and students? (That should cover most categories.)

--
`The rest is a tale of post and counter-post.'
    --- Ian Rawlings describes USENET

From: Nix on 16 Apr 2008 17:37

On 16 Apr 2008, Bernard Peek verbalised:

> It's not uncommon for sites that adopted the Internet early to have
> painted themselves into a corner. Decisions that were reasonable in
> 1980 may now be irrevocable. They may want to change now but the
> problem is too big to be manageable. It might be fixable as part of a
> technology refresh but a site-wide refresh in one hit seems
> unlikely. Perhaps if they switch to IPv6 they will do it.

Um, when they switch to IPv6 they will definitely *not* move to private
IP addresses, because such abominations do not exist in IPv6, by design.

NAT is evil. Oppose it.

(Firewalls are, of course, not evil: more a necessity. But every system
on the Internet should be *addressable* by every other.)

--
`The rest is a tale of post and counter-post.'
    --- Ian Rawlings describes USENET

From: Ian on 16 Apr 2008 18:05

On 16 Apr, 22:37, Nix <nix-razor-...(a)esperi.org.uk> wrote:

> Um, when they switch to IPv6 they will definitely *not* move to private
> IP addresses, because such abominations do not exist in IPv6, by design.

As a matter of interest, how will I get IPv6 addresses for all the
things around my home network?

Ian

From: Owen Rees on 16 Apr 2008 18:33

On Wed, 16 Apr 2008 14:36:12 +0100,
real-not-anti-spam-address(a)apple-juice.co.uk (D.M. Procida) wrote in
<1ifhv06.ww3fw510t9a97N%real-not-anti-spam-address(a)apple-juice.co.uk>:

>Actually, although the workstations here (at Cardiff University) are on
>public IP addresses, I don't know what else might be between them and
>the rest of the world. There is presumably some sort of firewall.

You might contact other people at Cardiff University who are running
Linux and ask what they do to satisfy whatever rules are in place. A
search for "Cardiff University Linux" turned up various possibly useful
links - e.g. <http://www.cardiff.ac.uk/arcca/services/events/index.html>

In addition to satisfying the rules, and even if the system you are
concerned about is behind a firewall it is still a good idea to take the
precautions that have been suggested. On a network of any size, one of
the other machines inside the firewall may be compromised and used to
launch attacks.

Indeed, modern malware often arrives by email or a web page so it can
get past a firewall and that is an important reason for requiring
anti-malware protection on all potentially vulnerable systems, even if
they cannot be accessed directly from the Internet.

--
Owen Rees
[one of] my preferred email address[es] and more stuff can be
found at <http://www.users.waitrose.com/~owenrees/index.html>

From: Folderol on 16 Apr 2008 18:36

On Wed, 16 Apr 2008 12:48:09 +0100
real-not-anti-spam-address(a)apple-juice.co.uk (D.M. Procida) wrote:

> Andy Burns <usenet.april2008(a)adslpipe.co.uk> wrote:
>
> > > What would you suggest as sensible security measures for desktop Linux
> > > users, who won't be running such things as PHP websites or an array of
> > > vulnerable services?
> >
> > 1) Position a NAT router between the linux box and the internet
>
> Sorry, I should have said that this would be directly Internet-facing on
> a public IP address.
>
> > 2) Keep current with your distro's security updates
>
> Indeed.
>
> This is mainly to satisfy an institutional box-ticker, whose box demands
> that "up-to-date anti-virus software" be installed.
>
> Daniele

Install rkhunter and let your box ticker see it run. It looks very
impressive to the uninitiated :)

.... come to that, it looks pretty impressive to me!

--
Will J G