LinuxQuestions.org

LinuxQuestions.org (/questions/)
-   General (http://www.linuxquestions.org/questions/general-10/)
-   -   Do you secure your Desktop/Workstation? (http://www.linuxquestions.org/questions/general-10/do-you-secure-your-desktop-workstation-600607/)

reverse 11-18-2007 11:18 AM

Do you secure your Desktop/Workstation?
 
Assuming said Desktop/Workstation has WAN access.

Minimal Securing (around the lines of):

Code:

-> BIOS + Boot Loader password
-> Well thought partitioning scheme + "proper" fstab options
-> shadow + md5 password (enabled by default in many popular distributions)
-> Subscribed to security mailing lists where available
-> Apply security updates often
-> Configure, where needed and appliable (auth related):
  * /etc/issue
  * /etc/securetty
  * /etc/login.defs
  * /etc/security/*
  * /etc/pam.d/*
-> Network related:
  * firewall
  * arp poisoning
  * /etc/sysctl.conf
  * /etc/hosts.*
-> Kernel patches
-> Integrity checks
-> Intrusion detection system
-> Limits (/etc/security/limits.conf // quotas)
-> SUID/SGID cleaning
-> Rootkit checking
-> Logging (syslog.conf + log analysis software)

(and others, but nothing "special" (i.e. custom kernel modules and such))

hacker supreme 11-18-2007 11:49 AM

I leave my box running pretty much 24/7, (Barring powercuts. ;)) I wouldn't do that if I wasn't confident that is was secure.

The box is behind a hardware firewall and NAT, it has it's own firewall running (which only lets in SSH), and SELinux also running on 'Enforcing'.
I could do better to secure it by shutting down some of the services I don't use frequently (or at all).
Whenever I leave it, I lock the screen, and my password is a string of random characters. (As is the root password. No, it's not the same characters). Yes I remember mine, I just have to learn the root password for the few times I use it.
I have enabled shadow passwords and keep fairly up to date.
The BIOS and GRUB do not have passwords, however.

I feel I'm better protected than the average user, however I do think I could do more to better protect myself.

Now, big question. Have I missed the point here?

ta0kira 11-18-2007 06:10 PM

No mention of encryption? Every user-writable area on my computer is encrypted (that is, other than distro files and most config files.) I keep the keys on a USB drive that rarely leaves my sight. That way if the computer is stolen or if I decide to lock off an area no one can access that information. I have both my swap and /tmp encrypted using new random keys every time the system starts up.

By default, xsaver seems like a poor way to secure your workstation. You can ctrl+alt+backspace out of it and have a perfectly good shell at your disposal. For that reason, I set 'alias startx="exec setsid startx"' so 1) a ctrl+alt+backspace returns to a login prompt, 2) so do ctrl+alt+F[1-6].

I generally MAC filter my wireless and if I'm leaving my computer for more than a few minutes I'll turn the wireless card off. If the desktop is on and I'm not actually using the internet I'll turn the modem off.
ta0kira

PS I guess most of my "securing" efforts go into my end of the computer instead of the WAN end.

nx5000 11-19-2007 05:00 AM

Interesting thread!
Mine is something like this (minimal securing)

-> Well thought partitioning scheme + "proper" fstab options
-> shadow + md5 password (enabled by default in many popular distributions)
-> Subscribed to security mailing lists where available
-> Automatic Applying security updates every day
-> Integrity checks every 3h
-> SUID/SGID cleaning every 3h
-> Rootkit checking every 3h
-> Logging (syslog.conf + log analysis software)
-> Passwords changed every month
-> Check of opened ports to the outside. Nothing should be available to the outside.
-> Encrypt all my data (dm-crypt)
-> Remove unneeded software

It's a trade off between laziness and paranoia..

JunctaJuvant 11-19-2007 05:36 AM

On my laptop, the root partition and RAM are encrypted using LUKS. But the rest is standard stuff, probably like most default GNU/Linux installations.

reverse 11-19-2007 06:26 AM

Sorry, I forgot to mention encryption - encrypted files (partitions/directories); mail & general communications should be included in "minimal". Anonymizing your system on the internet in general could be included I guess (i.e. tor+privoxy and the like, I believe the Gentoo Wiki has a somewhat lengthy article on anonymizing systems).


All times are GMT -5. The time now is 09:46 PM.