Do you secure your Desktop/Workstation?
Assuming said Desktop/Workstation has WAN access.
Minimal Securing (around the lines of):
-> BIOS + Boot Loader password |
I leave my box running pretty much 24/7, (Barring powercuts. ;)) I wouldn't do that if I wasn't confident that it was secure.
The box is behind a hardware firewall and NAT, it has its own firewall running (which only lets in SSH), and SELinux also running on 'Enforcing'. I could do better to secure it by shutting down some of the services I don't use frequently (or at all). Whenever I leave it, I lock the screen, and my password is a string of random characters. (As is the root password. No, it's not the same characters). Yes I remember mine, I just have to learn the root password for the few times I use it. I have enabled shadow passwords and keep fairly up to date. The BIOS and GRUB do not have passwords, however. I feel I'm better protected than the average user, however I do think I could do more to better protect myself. Now, big question. Have I missed the point here? |
No mention of encryption? Every user-writable area on my computer is encrypted (that is, other than distro files and most config files.) I keep the keys on a USB drive that rarely leaves my sight. That way if the computer is stolen or if I decide to lock off an area no one can access that information. I have both my swap and /tmp encrypted using new random keys every time the system starts up.
By default, xsaver seems like a poor way to secure your workstation. You can ctrl+alt+backspace out of it and have a perfectly good shell at your disposal. For that reason, I set 'alias startx="exec setsid startx"' so 1) a ctrl+alt+backspace returns to a login prompt, 2) so do ctrl+alt+F[1-6]. I generally MAC filter my wireless and if I'm leaving my computer for more than a few minutes I'll turn the wireless card off. If the desktop is on and I'm not actually using the internet I'll turn the modem off.
ta0kira
PS I guess most of my "securing" efforts go into my end of the computer instead of the WAN end. |
Interesting thread!
Mine is something like this (minimal securing)
-> Well thought partitioning scheme + "proper" fstab options
-> shadow + md5 password (enabled by default in many popular distributions)
-> Subscribed to security mailing lists where available
-> Automatic Applying security updates every day
-> Integrity checks every 3h
-> SUID/SGID cleaning every 3h
-> Rootkit checking every 3h
-> Logging (syslog.conf + log analysis software)
-> Passwords changed every month
-> Check of opened ports to the outside. Nothing should be available to the outside.
-> Encrypt all my data (dm-crypt)
-> Remove unneeded software
It's a trade off between laziness and paranoia.. |
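One way to automate the "check of opened ports to the outside" item from the list above, and the "only lets in SSH" policy from the earlier post (an added example, not part of any post in this thread). It reads a table in the Linux `/proc/net/tcp` layout on stdin and reports TCP listeners bound to a non-loopback address whose port is not on an allow-list. Assumptions: IPv4 only, a little-endian host (as on x86), and the function names and sample rows are constructed for illustration.

```shell
#!/bin/sh
# exposed_listeners "PORT PORT ..."   (table in /proc/net/tcp layout on stdin)
# Prints "a.b.c.d:port" for every LISTEN socket that is not bound to
# 127.0.0.0/8 and whose port is not in the allow-list.
exposed_listeners() {
    awk -v allow="$1" '
    function hex2dec(h,    i, n) {
        n = 0
        h = toupper(h)
        for (i = 1; i <= length(h); i++)
            n = n * 16 + index("0123456789ABCDEF", substr(h, i, 1)) - 1
        return n
    }
    BEGIN {
        cnt = split(allow, a, " ")
        for (k = 1; k <= cnt; k++) ok[a[k]] = 1
    }
    NR > 1 && $4 == "0A" {              # skip header row; 0A is TCP LISTEN
        split($2, la, ":")              # la[1] = hex address, la[2] = hex port
        # Little-endian storage: the last hex pair is the first octet.
        o1 = hex2dec(substr(la[1], 7, 2)); o2 = hex2dec(substr(la[1], 5, 2))
        o3 = hex2dec(substr(la[1], 3, 2)); o4 = hex2dec(substr(la[1], 1, 2))
        if (o1 == 127) next             # loopback is not reachable from outside
        port = hex2dec(la[2])
        if (!(port in ok))
            printf "%d.%d.%d.%d:%d\n", o1, o2, o3, o4, port
    }'
}

# Constructed sample rows: 127.0.0.1:631 (LISTEN), 0.0.0.0:22 (LISTEN),
# 0.0.0.0:8080 (LISTEN), and one ESTABLISHED connection from 192.168.1.10.
sample_tcp_table() {
    cat <<'EOF'
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:0277 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1001 1
   1: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1002 1
   2: 00000000:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 1003 1
   3: 0A01A8C0:D2F4 0100007F:0016 01 00000000:00000000 00:00000000 00000000  1000        0 1004 1
EOF
}

# Demo on the constructed table, allowing only SSH.
sample_tcp_table | exposed_listeners "22"
```

On a live system the same function can be fed with `exposed_listeners "22" < /proc/net/tcp`, for instance from the same cron schedule as the other periodic checks; any output means something other than SSH is listening on an externally reachable address.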
On my laptop, the root partition and RAM are encrypted using LUKS. But the rest is standard stuff, probably like most default GNU/Linux installations.
|
Sorry, I forgot to mention encryption - encrypted files (partitions/directories); mail & general communications should be included in "minimal". Anonymizing your system on the internet in general could be included I guess (i.e. tor+privoxy and the like, I believe the Gentoo Wiki has a somewhat lengthy article on anonymizing systems).
|