Do you secure your Desktop/Workstation?
Assuming said Desktop/Workstation has WAN access.
Minimal Securing (around the lines of):
I leave my box running pretty much 24/7, (Barring powercuts. ;)) I wouldn't do that if I wasn't confident that is was secure.
The box is behind a hardware firewall and NAT, it has it's own firewall running (which only lets in SSH), and SELinux also running on 'Enforcing'.
I could do better to secure it by shutting down some of the services I don't use frequently (or at all).
Whenever I leave it, I lock the screen, and my password is a string of random characters. (As is the root password. No, it's not the same characters). Yes I remember mine, I just have to learn the root password for the few times I use it.
I have enabled shadow passwords and keep fairly up to date.
The BIOS and GRUB do not have passwords, however.
I feel I'm better protected than the average user, however I do think I could do more to better protect myself.
Now, big question. Have I missed the point here?
No mention of encryption? Every user-writable area on my computer is encrypted (that is, other than distro files and most config files.) I keep the keys on a USB drive that rarely leaves my sight. That way if the computer is stolen or if I decide to lock off an area no one can access that information. I have both my swap and /tmp encrypted using new random keys every time the system starts up.
By default, xsaver seems like a poor way to secure your workstation. You can ctrl+alt+backspace out of it and have a perfectly good shell at your disposal. For that reason, I set 'alias startx="exec setsid startx"' so 1) a ctrl+alt+backspace returns to a login prompt, 2) so do ctrl+alt+F[1-6].
I generally MAC filter my wireless and if I'm leaving my computer for more than a few minutes I'll turn the wireless card off. If the desktop is on and I'm not actually using the internet I'll turn the modem off.
PS I guess most of my "securing" efforts go into my end of the computer instead of the WAN end.
Mine is something like this (minimal securing)
-> Well thought partitioning scheme + "proper" fstab options
-> shadow + md5 password (enabled by default in many popular distributions)
-> Subscribed to security mailing lists where available
-> Automatic Applying security updates every day
-> Integrity checks every 3h
-> SUID/SGID cleaning every 3h
-> Rootkit checking every 3h
-> Logging (syslog.conf + log analysis software)
-> Passwords changed every month
-> Check of opened ports to the outside. Nothing should be available to the outside.
-> Encrypt all my data (dm-crypt)
-> Remove unneeded software
It's a trade off between laziness and paranoia..
On my laptop, the root partition and RAM are encrypted using LUKS. But the rest is standard stuff, probably like most default GNU/Linux installations.
Sorry, I forgot to mention encryption - encrypted files (partitions/directories); mail & general communications should be included in "minimal". Anonymizing your system on the internet in general could be included I guess (i.e. tor+privoxy and the like, I believe the Gentoo Wiki has a somewhat lengthy article on anonymizing systems).
|All times are GMT -5. The time now is 10:30 AM.|