LinuxQuestions.org
Did you know LQ has a Linux Hardware Compatibility List?
Go Back   LinuxQuestions.org > Forums > Non-*NIX Forums > General
User Name
Password
General This forum is for non-technical general discussion which can include both Linux and non-Linux topics. Have fun!

Notices

View Poll Results: Do you secure your Desktop/Workstation?
Yes - extremely minmal securing 1 6.67%
Yes - minimal securing 6 40.00%
Yes - as well as I can 7 46.67%
No - don't care to 0 0%
No - don't need to / Linux is secure by default 0 0%
No - other 1 6.67%
Voters: 15. You may not vote on this poll

Reply
 
Search this Thread
Old 11-18-2007, 11:18 AM   #1
reverse
Member
 
Registered: Apr 2007
Distribution: Gentoo
Posts: 337

Rep: Reputation: 30
Do you secure your Desktop/Workstation?


Assuming said Desktop/Workstation has WAN access.

Minimal Securing (around the lines of):

Code:
-> BIOS + Boot Loader password
-> Well thought partitioning scheme + "proper" fstab options
-> shadow + md5 password (enabled by default in many popular distributions)
-> Subscribed to security mailing lists where available
-> Apply security updates often
-> Configure, where needed and appliable (auth related):
   * /etc/issue
   * /etc/securetty
   * /etc/login.defs
   * /etc/security/*
   * /etc/pam.d/*
-> Network related:
   * firewall
   * arp poisoning
   * /etc/sysctl.conf
   * /etc/hosts.*
-> Kernel patches
-> Integrity checks
-> Intrusion detection system
-> Limits (/etc/security/limits.conf // quotas)
-> SUID/SGID cleaning
-> Rootkit checking
-> Logging (syslog.conf + log analysis software)
(and others, but nothing "special" (i.e. custom kernel modules and such))

Last edited by reverse; 11-18-2007 at 11:29 AM.
 
Old 11-18-2007, 11:49 AM   #2
hacker supreme
Member
 
Registered: Oct 2006
Location: As far away from my username as possible
Distribution: Gentoo
Posts: 259
Blog Entries: 1

Rep: Reputation: 30
I leave my box running pretty much 24/7, (Barring powercuts. ) I wouldn't do that if I wasn't confident that is was secure.

The box is behind a hardware firewall and NAT, it has it's own firewall running (which only lets in SSH), and SELinux also running on 'Enforcing'.
I could do better to secure it by shutting down some of the services I don't use frequently (or at all).
Whenever I leave it, I lock the screen, and my password is a string of random characters. (As is the root password. No, it's not the same characters). Yes I remember mine, I just have to learn the root password for the few times I use it.
I have enabled shadow passwords and keep fairly up to date.
The BIOS and GRUB do not have passwords, however.

I feel I'm better protected than the average user, however I do think I could do more to better protect myself.

Now, big question. Have I missed the point here?
 
Old 11-18-2007, 06:10 PM   #3
ta0kira
Senior Member
 
Registered: Sep 2004
Distribution: FreeBSD 9.1, Kubuntu 12.10
Posts: 3,078

Rep: Reputation: Disabled
No mention of encryption? Every user-writable area on my computer is encrypted (that is, other than distro files and most config files.) I keep the keys on a USB drive that rarely leaves my sight. That way if the computer is stolen or if I decide to lock off an area no one can access that information. I have both my swap and /tmp encrypted using new random keys every time the system starts up.

By default, xsaver seems like a poor way to secure your workstation. You can ctrl+alt+backspace out of it and have a perfectly good shell at your disposal. For that reason, I set 'alias startx="exec setsid startx"' so 1) a ctrl+alt+backspace returns to a login prompt, 2) so do ctrl+alt+F[1-6].

I generally MAC filter my wireless and if I'm leaving my computer for more than a few minutes I'll turn the wireless card off. If the desktop is on and I'm not actually using the internet I'll turn the modem off.
ta0kira

PS I guess most of my "securing" efforts go into my end of the computer instead of the WAN end.

Last edited by ta0kira; 11-18-2007 at 06:19 PM.
 
Old 11-19-2007, 05:00 AM   #4
nx5000
Senior Member
 
Registered: Sep 2005
Location: Out
Posts: 3,307

Rep: Reputation: 53
Interesting thread!
Mine is something like this (minimal securing)

-> Well thought partitioning scheme + "proper" fstab options
-> shadow + md5 password (enabled by default in many popular distributions)
-> Subscribed to security mailing lists where available
-> Automatic Applying security updates every day
-> Integrity checks every 3h
-> SUID/SGID cleaning every 3h
-> Rootkit checking every 3h
-> Logging (syslog.conf + log analysis software)
-> Passwords changed every month
-> Check of opened ports to the outside. Nothing should be available to the outside.
-> Encrypt all my data (dm-crypt)
-> Remove unneeded software

It's a trade off between laziness and paranoia..
 
Old 11-19-2007, 05:36 AM   #5
JunctaJuvant
Member
 
Registered: May 2003
Location: Wageningen, the Netherlands
Distribution: OS X
Posts: 488

Rep: Reputation: 31
On my laptop, the root partition and RAM are encrypted using LUKS. But the rest is standard stuff, probably like most default GNU/Linux installations.
 
Old 11-19-2007, 06:26 AM   #6
reverse
Member
 
Registered: Apr 2007
Distribution: Gentoo
Posts: 337

Original Poster
Rep: Reputation: 30
Sorry, I forgot to mention encryption - encrypted files (partitions/directories); mail & general communications should be included in "minimal". Anonymizing your system on the internet in general could be included I guess (i.e. tor+privoxy and the like, I believe the Gentoo Wiki has a somewhat lengthy article on anonymizing systems).
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
CLI or GUI? [Desktop/Workstation] introuble General 12 10-29-2006 09:55 PM
LXer: When Is a Linux Workstation Really a Desktop? LXer Syndicated Linux News 0 02-24-2006 07:16 AM
Partitioning for a Development Workstation / Desktop introuble Linux - General 2 06-15-2005 03:25 PM
standby or suspend a desktop workstation meonkeys Fedora 2 06-05-2005 12:10 PM
desktop or workstation shanenin Linux - Software 3 09-16-2003 12:37 PM


All times are GMT -5. The time now is 12:40 AM.

Main Menu
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration