Security Drawbacks
Hi,
I was wondering if there would be any security drawbacks to run a linux server with KDE or GNOME? Is there a way to prevent such drawbacks apart from not installing KDE or GNOME? Thanks |
kde and gnome both run alot of otherwise unneeded services..........and without those services they woulndt operate correctly.......so I would suggest learning how to use the command line.......vi especially........and learn your filesystem structure..........
It seems there are always updates and security fixes for KDE ........as well as Gnome....... I wouldnt want to run a server while they where running.........hope this helps........ |
KDE Security
Thank you for your reply. I do know the basic commands of the Linux shell however coming from a Windows environment, there is always an urge to use the GUI. I was under the impression that Suse ran with a GUI and that it would be safe to run KDE in a server environment.
Is it situation of use the command line for security or "to get hacked" use the GUI? |
Running X, actually does start a service that can be manipulated to forward traffic remotely or allow incoming connections. As a general rule though, the more software you install, the greater the opportunity that you'll have software which is exploitable. That applies not only to server daemons, but to everything that you have installed on your system. While having something innocuous as an mp3 player might not seem like a security threat, it can provide an opportunity for some who has broken in to gain root level access through local privilege elevation.
Most people installing a true server will either choose a "server" option or do a custom installation (how I would recommend doing it if you know what the majority of the packages are). If you are just putting up a box to tool around on in you garage, that's a little different and you can put whatever you want on it. If you are putting up a real production server, having X (and other un-needed packages) is a bad idea. |
KDE Security
I appreciate what you mean Capt_Caveman, however is there no way I can run a secure server with KDE? I mean I would most certainly remove or uninstall unrequired services such as games, MP3 Player, etc. Given that it will take me extremely long to master all commands which I know I can, I need to start somewhere don't I and the quickest way I can see myself starting Linux is to start from the GUI.
|
If you need the GUI to actually run the box, then that's better than having a more secure GUI-less box that you can't run at all, right?
One option is to install all the GUI stuff you need, get the thing running properly and then uninstall the GUI as much as you can manage. I used to do that when I was first learning linux. I'd actually install it like that and configure everything in the GUI and then take all the GUI software off and then remove all the peripherals (monitor/keyboard/mouse) and make it a completely headless node that I could ssh into in order to admin stuff. Once you get it up and running properly, you really shouldn't have to do too much to maintain it. Just things like check all the logs, install updates, put on new content. After awhile you'll be a commandline wizard and won't have to use it at all :) However you should definitely still try to limit the amount of extra software you're installing though. Most distros install alot of garbage that you normally don't need in a server environment and have a bad habit of being poorly written (security-wise) and usually end up as entries on the Linux - Security Report. |
Often, a server is rackmounted somewhere else and is administered using webmin.
Also, you could use 3 as the init default, and only run X-Windows when you are at the server, logging out when done. That would limit the time that the gui environment is running. You didn't say what kind of service you are running on the server. A gateway computer is usually installed with the bare minimum of services running. It does one thing only and particular attention is paid to denying all other services and keeping it up to date with security updates. |
KDE Issues
Thank you guys for your advice. To Capt_Caveman, how do I know what to remove? To jschiwal, I wish to run a Mail and Web Server. I did think about running Webmin however was planning to set everything up using KDE.
|
just to add to the subject......If I were to use a GUI for a server, I would try blackbox/fluxbox, or windowmaker to do it........they arent as pretty as kde and gnome but require less services to operate.
|
The most important thing is to remember to change your xinit scripts to start with -nolisten tcp. That will prevent other hosts from exporting applications from your server to their display.
|
There is a book called "Firewalls and Internet Security" that you may want to read to learn about network security. It covers running servers in a jail, which setuid-root programs you probably don't need, using netstat -a to 'field strip a host'
If you type the command: Code:
find / -perm -4000 -user root -print | wc -l |
All times are GMT -5. The time now is 06:45 PM. |